JS: add more tests for js/incomplete-url-substring-sanitization

Esben Sparre Andreasen · Esben Sparre Andreasen · commit cfc53ade6927 · 2019-01-30T12:57:03.000+01:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization.expected b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization.expected
@@ -11,3 +11,8 @@
 | tst-IncompleteUrlSubstringSanitization.js:33:5:33:39 | x.index ... m:443") | '$@' may be at an arbitrary position in the sanitized URL. | tst-IncompleteUrlSubstringSanitization.js:33:15:33:38 | "https: ... om:443" | https://secure.com:443 |
 | tst-IncompleteUrlSubstringSanitization.js:34:5:34:36 | x.index ... .com/") | '$@' may be at an arbitrary position in the sanitized URL. | tst-IncompleteUrlSubstringSanitization.js:34:15:34:35 | "https: ... e.com/" | https://secure.com/ |
 | tst-IncompleteUrlSubstringSanitization.js:52:5:52:41 | x.index ... ernal") | '$@' may be at an arbitrary position in the sanitized URL. | tst-IncompleteUrlSubstringSanitization.js:52:15:52:40 | "https: ... ternal" | https://example.internal |
+| tst-IncompleteUrlSubstringSanitization.js:55:5:55:44 | x.start ... ernal") | '$@' may be at an arbitrary position in the sanitized URL. | tst-IncompleteUrlSubstringSanitization.js:55:18:55:43 | "https: ... ternal" | https://example.internal |
+| tst-IncompleteUrlSubstringSanitization.js:56:5:56:45 | x.index ... l.org') | '$@' may be at an arbitrary position in the sanitized URL. | tst-IncompleteUrlSubstringSanitization.js:56:15:56:44 | 'https: ... al.org' | https://example.internal.org |
+| tst-IncompleteUrlSubstringSanitization.js:57:5:57:45 | x.index ... l.org') | '$@' may be at an arbitrary position in the sanitized URL. | tst-IncompleteUrlSubstringSanitization.js:57:15:57:44 | 'https: ... al.org' | https://example.internal.org |
+| tst-IncompleteUrlSubstringSanitization.js:58:5:58:30 | x.endsW ... l.com") | '$@' may be at an arbitrary position in the sanitized URL. | tst-IncompleteUrlSubstringSanitization.js:58:16:58:29 | "internal.com" | internal.com |
+| tst-IncompleteUrlSubstringSanitization.js:61:2:61:24 | x.index ... e.com") | '$@' may be at an arbitrary position in the sanitized URL. | tst-IncompleteUrlSubstringSanitization.js:61:12:61:23 | "secure.com" | secure.com |
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/tst-IncompleteUrlSubstringSanitization.js b/javascript/ql/test/query-tests/Security/CWE-020/tst-IncompleteUrlSubstringSanitization.js
@@ -51,4 +51,12 @@
 
     x.indexOf("https://example.internal"); // NOT OK
     x.indexOf("https://"); // OK
+
+    x.startsWith("https://example.internal"); // NOT OK
+    x.indexOf('https://example.internal.org') !== 0; // NOT OK
+    x.indexOf('https://example.internal.org') === 0; // NOT OK
+    x.endsWith("internal.com"); // NOT OK
+    x.startsWith("https://example.internal:80"); // OK
+
+	x.indexOf("secure.com") !== -1; // NOT OK
 });
