JS: add tests for improved js/missing-rate-limiting

Esben Sparre Andreasen · Esben Sparre Andreasen · commit b6951d82497c · 2018-08-06T15:15:44.000+02:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-770/MissingRateLimiting.expected b/javascript/ql/test/query-tests/Security/CWE-770/MissingRateLimiting.expected
@@ -6,3 +6,4 @@
 | tst.js:36:20:36:36 | expensiveHandler2 | This route handler performs $@, but is not rate-limited. | tst.js:15:40:15:73 | fs.writ ... quest") | a file system access |
 | tst.js:37:20:37:36 | expensiveHandler3 | This route handler performs $@, but is not rate-limited. | tst.js:16:40:16:70 | child_p ... /true") | a system command |
 | tst.js:38:20:38:36 | expensiveHandler4 | This route handler performs $@, but is not rate-limited. | tst.js:17:40:17:83 | connect ... ution') | a database access |
+| tst.js:64:25:64:63 | functio ... req); } | This route handler performs $@, but is not rate-limited. | tst.js:64:46:64:60 | verifyUser(req) | authorization |
diff --git a/javascript/ql/test/query-tests/Security/CWE-770/tst.js b/javascript/ql/test/query-tests/Security/CWE-770/tst.js
@@ -60,3 +60,6 @@ app2.get('/:path', bruteforce.prevent, expensiveHandler1); // OK
 var app3 = express();
 var limiter = require('express-limiter')(app3);
 app3.get('/:path', expensiveHandler1); // OK
+
+express().get('/:path', function(req, res) { verifyUser(req); });  // NOT OK
+express().get('/:path', RateLimit(), function(req, res) { verifyUser(req); });  // OK
