From f52f5b63e67fce53c64fd9e3b25a588d197fbcb5 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 26 Nov 2025 10:30:58 +0100 Subject: [PATCH 1/7] JS: Add test with route.ts outside 'api' --- .../Security/CWE-079/ReflectedXss/app/blah/route.ts | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/blah/route.ts diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/blah/route.ts b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/blah/route.ts new file mode 100644 index 000000000000..292accde9d75 --- /dev/null +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/blah/route.ts @@ -0,0 +1,4 @@ +export async function GET(req: Request) { + const url = req.url; // $ MISSING: Source + return new Response(url, { headers: { "Content-Type": "text/html" } }); // $ MISSING: Alert +} From e54789d1bdf33d3200b380d373ce60a910d317c5 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 26 Nov 2025 10:33:20 +0100 Subject: [PATCH 2/7] JS: Recognise route.ts outside api folder --- .../ql/lib/semmle/javascript/frameworks/Next.qll | 15 +++++++++++++-- .../CWE-079/ReflectedXss/ReflectedXss.expected | 6 ++++++ .../ReflectedXssWithCustomSanitizer.expected | 1 + .../CWE-079/ReflectedXss/app/blah/route.ts | 4 ++-- 4 files changed, 22 insertions(+), 4 deletions(-) diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Next.qll b/javascript/ql/lib/semmle/javascript/frameworks/Next.qll index a65fcdce44db..bdbc18d30f35 100644 --- a/javascript/ql/lib/semmle/javascript/frameworks/Next.qll +++ b/javascript/ql/lib/semmle/javascript/frameworks/Next.qll @@ -32,6 +32,12 @@ module NextJS { private Folder apiRoot() { result = [pagesRoot(), appRoot()].getFolder("api") } + private Folder appFolder() { + result = appRoot() + or + result = appFolder().getAFolder() + } + /** * Gets a "pages" folder in a `Next.js` application. * JavaScript files inside these folders are mapped to routes. @@ -300,8 +306,13 @@ module NextJS { class NextAppRouteHandler extends DataFlow::FunctionNode, Http::Servers::StandardRouteHandler { NextAppRouteHandler() { exists(Module mod | - mod.getFile().getParentContainer() = apiFolder() or - mod.getFile().getStem() = "middleware" + ( + mod.getFile().getParentContainer() = apiFolder() + or + mod.getFile().getStem() = "middleware" + or + mod.getFile().getStem() = "route" and mod.getFile().getParentContainer() = appFolder() + ) | this = mod.getAnExportedValue([any(Http::RequestMethodName m), "middleware"]).getAFunctionValue() diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected index b488018d09d1..123ceaecf798 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected @@ -35,6 +35,7 @@ | app/api/routeNextRequest.ts:15:20:15:23 | body | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:15:20:15:23 | body | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value | | app/api/routeNextRequest.ts:27:20:27:23 | body | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:27:20:27:23 | body | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value | | app/api/routeNextRequest.ts:31:27:31:30 | body | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:31:27:31:30 | body | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value | +| app/blah/route.ts:3:25:3:27 | url | app/blah/route.ts:2:17:2:23 | req.url | app/blah/route.ts:3:25:3:27 | url | Cross-site scripting vulnerability due to a $@. | app/blah/route.ts:2:17:2:23 | req.url | user-provided value | | app/pages/Next2.jsx:8:13:8:19 | req.url | app/pages/Next2.jsx:8:13:8:19 | req.url | app/pages/Next2.jsx:8:13:8:19 | req.url | Cross-site scripting vulnerability due to a $@. | app/pages/Next2.jsx:8:13:8:19 | req.url | user-provided value | | app/pages/Next2.jsx:15:13:15:19 | req.url | app/pages/Next2.jsx:15:13:15:19 | req.url | app/pages/Next2.jsx:15:13:15:19 | req.url | Cross-site scripting vulnerability due to a $@. | app/pages/Next2.jsx:15:13:15:19 | req.url | user-provided value | | etherpad.js:11:12:11:19 | response | etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:11:12:11:19 | response | Cross-site scripting vulnerability due to a $@. | etherpad.js:9:16:9:30 | req.query.jsonp | user-provided value | @@ -154,6 +155,8 @@ edges | app/api/routeNextRequest.ts:4:9:4:12 | body | app/api/routeNextRequest.ts:31:27:31:30 | body | provenance | | | app/api/routeNextRequest.ts:4:16:4:31 | await req.json() | app/api/routeNextRequest.ts:4:9:4:12 | body | provenance | | | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:4:16:4:31 | await req.json() | provenance | | +| app/blah/route.ts:2:11:2:13 | url | app/blah/route.ts:3:25:3:27 | url | provenance | | +| app/blah/route.ts:2:17:2:23 | req.url | app/blah/route.ts:2:11:2:13 | url | provenance | | | etherpad.js:9:5:9:12 | response | etherpad.js:11:12:11:19 | response | provenance | | | etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:9:5:9:12 | response | provenance | | | formatting.js:4:9:4:12 | evil | formatting.js:6:43:6:46 | evil | provenance | | @@ -367,6 +370,9 @@ nodes | app/api/routeNextRequest.ts:15:20:15:23 | body | semmle.label | body | | app/api/routeNextRequest.ts:27:20:27:23 | body | semmle.label | body | | app/api/routeNextRequest.ts:31:27:31:30 | body | semmle.label | body | +| app/blah/route.ts:2:11:2:13 | url | semmle.label | url | +| app/blah/route.ts:2:17:2:23 | req.url | semmle.label | req.url | +| app/blah/route.ts:3:25:3:27 | url | semmle.label | url | | app/pages/Next2.jsx:8:13:8:19 | req.url | semmle.label | req.url | | app/pages/Next2.jsx:15:13:15:19 | req.url | semmle.label | req.url | | etherpad.js:9:5:9:12 | response | semmle.label | response | diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected index 2dceb5fa8071..b130f70a22f7 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected @@ -34,6 +34,7 @@ | app/api/routeNextRequest.ts:15:20:15:23 | body | Cross-site scripting vulnerability due to $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value | | app/api/routeNextRequest.ts:27:20:27:23 | body | Cross-site scripting vulnerability due to $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value | | app/api/routeNextRequest.ts:31:27:31:30 | body | Cross-site scripting vulnerability due to $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value | +| app/blah/route.ts:3:25:3:27 | url | Cross-site scripting vulnerability due to $@. | app/blah/route.ts:2:17:2:23 | req.url | user-provided value | | app/pages/Next2.jsx:8:13:8:19 | req.url | Cross-site scripting vulnerability due to $@. | app/pages/Next2.jsx:8:13:8:19 | req.url | user-provided value | | app/pages/Next2.jsx:15:13:15:19 | req.url | Cross-site scripting vulnerability due to $@. | app/pages/Next2.jsx:15:13:15:19 | req.url | user-provided value | | formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/blah/route.ts b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/blah/route.ts index 292accde9d75..0410915513f5 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/blah/route.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/blah/route.ts @@ -1,4 +1,4 @@ export async function GET(req: Request) { - const url = req.url; // $ MISSING: Source - return new Response(url, { headers: { "Content-Type": "text/html" } }); // $ MISSING: Alert + const url = req.url; // $ Source + return new Response(url, { headers: { "Content-Type": "text/html" } }); // $ Alert } From f0ecf1599c417da9996889cd5cff9721c4e4770c Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 26 Nov 2025 10:49:12 +0100 Subject: [PATCH 3/7] JS: Add test with file named 'page' --- .../lib/semmle/javascript/frameworks/Next.qll | 16 ++++++++++------ .../ReflectedXss/ReflectedXss.expected | 4 ++++ .../ReflectedXssWithCustomSanitizer.expected | 2 ++ .../CWE-079/ReflectedXss/app/blah/page.jsx | 19 +++++++++++++++++++ 4 files changed, 35 insertions(+), 6 deletions(-) create mode 100644 javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/blah/page.jsx diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Next.qll b/javascript/ql/lib/semmle/javascript/frameworks/Next.qll index bdbc18d30f35..8c826f903687 100644 --- a/javascript/ql/lib/semmle/javascript/frameworks/Next.qll +++ b/javascript/ql/lib/semmle/javascript/frameworks/Next.qll @@ -38,20 +38,24 @@ module NextJS { result = appFolder().getAFolder() } + private Folder pagesFolder() { + result = pagesRoot() + or + result = pagesFolder().getAFolder() + } + /** * Gets a "pages" folder in a `Next.js` application. * JavaScript files inside these folders are mapped to routes. */ - Folder getAPagesFolder() { - result = pagesRoot() - or - result = getAPagesFolder().getAFolder() - } + deprecated predicate getAPagesFolder = pagesFolder/0; /** * Gets a module corrosponding to a `Next.js` page. */ - Module getAPagesModule() { result.getFile().getParentContainer() = getAPagesFolder() } + Module getAPagesModule() { + result.getFile() = [pagesFolder().getAFile(), appFolder().getJavaScriptFile("page")] + } /** * Gets a module inside a "pages" folder where `fallback` from `getStaticPaths` is not set to false. diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected index 123ceaecf798..74c8de4686c8 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected @@ -35,6 +35,8 @@ | app/api/routeNextRequest.ts:15:20:15:23 | body | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:15:20:15:23 | body | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value | | app/api/routeNextRequest.ts:27:20:27:23 | body | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:27:20:27:23 | body | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value | | app/api/routeNextRequest.ts:31:27:31:30 | body | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:31:27:31:30 | body | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value | +| app/blah/page.jsx:10:13:10:19 | req.url | app/blah/page.jsx:10:13:10:19 | req.url | app/blah/page.jsx:10:13:10:19 | req.url | Cross-site scripting vulnerability due to a $@. | app/blah/page.jsx:10:13:10:19 | req.url | user-provided value | +| app/blah/page.jsx:17:13:17:19 | req.url | app/blah/page.jsx:17:13:17:19 | req.url | app/blah/page.jsx:17:13:17:19 | req.url | Cross-site scripting vulnerability due to a $@. | app/blah/page.jsx:17:13:17:19 | req.url | user-provided value | | app/blah/route.ts:3:25:3:27 | url | app/blah/route.ts:2:17:2:23 | req.url | app/blah/route.ts:3:25:3:27 | url | Cross-site scripting vulnerability due to a $@. | app/blah/route.ts:2:17:2:23 | req.url | user-provided value | | app/pages/Next2.jsx:8:13:8:19 | req.url | app/pages/Next2.jsx:8:13:8:19 | req.url | app/pages/Next2.jsx:8:13:8:19 | req.url | Cross-site scripting vulnerability due to a $@. | app/pages/Next2.jsx:8:13:8:19 | req.url | user-provided value | | app/pages/Next2.jsx:15:13:15:19 | req.url | app/pages/Next2.jsx:15:13:15:19 | req.url | app/pages/Next2.jsx:15:13:15:19 | req.url | Cross-site scripting vulnerability due to a $@. | app/pages/Next2.jsx:15:13:15:19 | req.url | user-provided value | @@ -370,6 +372,8 @@ nodes | app/api/routeNextRequest.ts:15:20:15:23 | body | semmle.label | body | | app/api/routeNextRequest.ts:27:20:27:23 | body | semmle.label | body | | app/api/routeNextRequest.ts:31:27:31:30 | body | semmle.label | body | +| app/blah/page.jsx:10:13:10:19 | req.url | semmle.label | req.url | +| app/blah/page.jsx:17:13:17:19 | req.url | semmle.label | req.url | | app/blah/route.ts:2:11:2:13 | url | semmle.label | url | | app/blah/route.ts:2:17:2:23 | req.url | semmle.label | req.url | | app/blah/route.ts:3:25:3:27 | url | semmle.label | url | diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected index b130f70a22f7..e55d11371cfe 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected @@ -34,6 +34,8 @@ | app/api/routeNextRequest.ts:15:20:15:23 | body | Cross-site scripting vulnerability due to $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value | | app/api/routeNextRequest.ts:27:20:27:23 | body | Cross-site scripting vulnerability due to $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value | | app/api/routeNextRequest.ts:31:27:31:30 | body | Cross-site scripting vulnerability due to $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value | +| app/blah/page.jsx:10:13:10:19 | req.url | Cross-site scripting vulnerability due to $@. | app/blah/page.jsx:10:13:10:19 | req.url | user-provided value | +| app/blah/page.jsx:17:13:17:19 | req.url | Cross-site scripting vulnerability due to $@. | app/blah/page.jsx:17:13:17:19 | req.url | user-provided value | | app/blah/route.ts:3:25:3:27 | url | Cross-site scripting vulnerability due to $@. | app/blah/route.ts:2:17:2:23 | req.url | user-provided value | | app/pages/Next2.jsx:8:13:8:19 | req.url | Cross-site scripting vulnerability due to $@. | app/pages/Next2.jsx:8:13:8:19 | req.url | user-provided value | | app/pages/Next2.jsx:15:13:15:19 | req.url | Cross-site scripting vulnerability due to $@. | app/pages/Next2.jsx:15:13:15:19 | req.url | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/blah/page.jsx b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/blah/page.jsx new file mode 100644 index 000000000000..7df532806365 --- /dev/null +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/blah/page.jsx @@ -0,0 +1,19 @@ +export default function Page() { + return ; +} + +Page.getInitialProps = async (ctx) => { + const req = ctx.req; + const res = ctx.res; + res.end(req.url); // $ Alert + return {} +} + +export async function getServerSideProps(ctx) { + const req = ctx.req; + const res = ctx.res; + res.end(req.url); // $ Alert + return { + props: {} + } +} From f9033f2abd3bf25143adcdbfc1afc5ff746d5f80 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 26 Nov 2025 11:16:40 +0100 Subject: [PATCH 4/7] JS: Look for special folders in root, even if 'src' exists --- .../ql/lib/semmle/javascript/frameworks/Next.qll | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Next.qll b/javascript/ql/lib/semmle/javascript/frameworks/Next.qll index 8c826f903687..9c661b7f91d6 100644 --- a/javascript/ql/lib/semmle/javascript/frameworks/Next.qll +++ b/javascript/ql/lib/semmle/javascript/frameworks/Next.qll @@ -13,18 +13,9 @@ module NextJS { */ PackageJson getANextPackage() { result.getDependencies().getADependency("next", _) } - bindingset[base, name] - pragma[inline_late] - private Folder getOptionalFolder(Folder base, string name) { - result = base.getFolder(name) - or - not exists(base.getFolder(name)) and - result = base - } - private Folder packageRoot() { result = getANextPackage().getFile().getParentContainer() } - private Folder srcRoot() { result = getOptionalFolder(packageRoot(), "src") } + private Folder srcRoot() { result = [packageRoot(), packageRoot().getFolder("src")] } private Folder appRoot() { result = srcRoot().getFolder("app") } From 7848369f775c614a4dcfae4ddd94f0c07b9bce65 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 26 Nov 2025 11:20:42 +0100 Subject: [PATCH 5/7] JS: Change note --- .../src/change-notes/2025-11-26-nextjs-page-route-files.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 javascript/ql/src/change-notes/2025-11-26-nextjs-page-route-files.md diff --git a/javascript/ql/src/change-notes/2025-11-26-nextjs-page-route-files.md b/javascript/ql/src/change-notes/2025-11-26-nextjs-page-route-files.md new file mode 100644 index 000000000000..b1f87b63d316 --- /dev/null +++ b/javascript/ql/src/change-notes/2025-11-26-nextjs-page-route-files.md @@ -0,0 +1,5 @@ +--- +category: minorAnalysis +--- +* Fixed a bug in the Next.js model that would cause the analysis to miss server-side taint sources in files + named `route` or `page` appearing outside `api` and `pages` folders. From 7bd19854076285130e8e1e9d49c4c9d83d5aabe8 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 26 Nov 2025 11:22:08 +0100 Subject: [PATCH 6/7] JS: Add proxy as a route handler name --- javascript/ql/lib/semmle/javascript/frameworks/Next.qll | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Next.qll b/javascript/ql/lib/semmle/javascript/frameworks/Next.qll index 9c661b7f91d6..bd45d8c048f1 100644 --- a/javascript/ql/lib/semmle/javascript/frameworks/Next.qll +++ b/javascript/ql/lib/semmle/javascript/frameworks/Next.qll @@ -310,7 +310,8 @@ module NextJS { ) | this = - mod.getAnExportedValue([any(Http::RequestMethodName m), "middleware"]).getAFunctionValue() + mod.getAnExportedValue([any(Http::RequestMethodName m), "middleware", "proxy"]) + .getAFunctionValue() ) } From 037f354abf376adce3e340e8eb2599642c8b3f22 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 26 Nov 2025 11:42:39 +0100 Subject: [PATCH 7/7] JS: Update another expected file --- .../Security/CWE-079/ReflectedXss/ReflectedXss.expected | 8 ++++---- .../ReflectedXss/ReflectedXssWithCustomSanitizer.expected | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected index 74c8de4686c8..c93f155b5d0d 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected @@ -35,8 +35,8 @@ | app/api/routeNextRequest.ts:15:20:15:23 | body | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:15:20:15:23 | body | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value | | app/api/routeNextRequest.ts:27:20:27:23 | body | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:27:20:27:23 | body | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value | | app/api/routeNextRequest.ts:31:27:31:30 | body | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:31:27:31:30 | body | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value | -| app/blah/page.jsx:10:13:10:19 | req.url | app/blah/page.jsx:10:13:10:19 | req.url | app/blah/page.jsx:10:13:10:19 | req.url | Cross-site scripting vulnerability due to a $@. | app/blah/page.jsx:10:13:10:19 | req.url | user-provided value | -| app/blah/page.jsx:17:13:17:19 | req.url | app/blah/page.jsx:17:13:17:19 | req.url | app/blah/page.jsx:17:13:17:19 | req.url | Cross-site scripting vulnerability due to a $@. | app/blah/page.jsx:17:13:17:19 | req.url | user-provided value | +| app/blah/page.jsx:8:13:8:19 | req.url | app/blah/page.jsx:8:13:8:19 | req.url | app/blah/page.jsx:8:13:8:19 | req.url | Cross-site scripting vulnerability due to a $@. | app/blah/page.jsx:8:13:8:19 | req.url | user-provided value | +| app/blah/page.jsx:15:13:15:19 | req.url | app/blah/page.jsx:15:13:15:19 | req.url | app/blah/page.jsx:15:13:15:19 | req.url | Cross-site scripting vulnerability due to a $@. | app/blah/page.jsx:15:13:15:19 | req.url | user-provided value | | app/blah/route.ts:3:25:3:27 | url | app/blah/route.ts:2:17:2:23 | req.url | app/blah/route.ts:3:25:3:27 | url | Cross-site scripting vulnerability due to a $@. | app/blah/route.ts:2:17:2:23 | req.url | user-provided value | | app/pages/Next2.jsx:8:13:8:19 | req.url | app/pages/Next2.jsx:8:13:8:19 | req.url | app/pages/Next2.jsx:8:13:8:19 | req.url | Cross-site scripting vulnerability due to a $@. | app/pages/Next2.jsx:8:13:8:19 | req.url | user-provided value | | app/pages/Next2.jsx:15:13:15:19 | req.url | app/pages/Next2.jsx:15:13:15:19 | req.url | app/pages/Next2.jsx:15:13:15:19 | req.url | Cross-site scripting vulnerability due to a $@. | app/pages/Next2.jsx:15:13:15:19 | req.url | user-provided value | @@ -372,8 +372,8 @@ nodes | app/api/routeNextRequest.ts:15:20:15:23 | body | semmle.label | body | | app/api/routeNextRequest.ts:27:20:27:23 | body | semmle.label | body | | app/api/routeNextRequest.ts:31:27:31:30 | body | semmle.label | body | -| app/blah/page.jsx:10:13:10:19 | req.url | semmle.label | req.url | -| app/blah/page.jsx:17:13:17:19 | req.url | semmle.label | req.url | +| app/blah/page.jsx:8:13:8:19 | req.url | semmle.label | req.url | +| app/blah/page.jsx:15:13:15:19 | req.url | semmle.label | req.url | | app/blah/route.ts:2:11:2:13 | url | semmle.label | url | | app/blah/route.ts:2:17:2:23 | req.url | semmle.label | req.url | | app/blah/route.ts:3:25:3:27 | url | semmle.label | url | diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected index e55d11371cfe..402cd74cc12e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected @@ -34,8 +34,8 @@ | app/api/routeNextRequest.ts:15:20:15:23 | body | Cross-site scripting vulnerability due to $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value | | app/api/routeNextRequest.ts:27:20:27:23 | body | Cross-site scripting vulnerability due to $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value | | app/api/routeNextRequest.ts:31:27:31:30 | body | Cross-site scripting vulnerability due to $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value | -| app/blah/page.jsx:10:13:10:19 | req.url | Cross-site scripting vulnerability due to $@. | app/blah/page.jsx:10:13:10:19 | req.url | user-provided value | -| app/blah/page.jsx:17:13:17:19 | req.url | Cross-site scripting vulnerability due to $@. | app/blah/page.jsx:17:13:17:19 | req.url | user-provided value | +| app/blah/page.jsx:8:13:8:19 | req.url | Cross-site scripting vulnerability due to $@. | app/blah/page.jsx:8:13:8:19 | req.url | user-provided value | +| app/blah/page.jsx:15:13:15:19 | req.url | Cross-site scripting vulnerability due to $@. | app/blah/page.jsx:15:13:15:19 | req.url | user-provided value | | app/blah/route.ts:3:25:3:27 | url | Cross-site scripting vulnerability due to $@. | app/blah/route.ts:2:17:2:23 | req.url | user-provided value | | app/pages/Next2.jsx:8:13:8:19 | req.url | Cross-site scripting vulnerability due to $@. | app/pages/Next2.jsx:8:13:8:19 | req.url | user-provided value | | app/pages/Next2.jsx:15:13:15:19 | req.url | Cross-site scripting vulnerability due to $@. | app/pages/Next2.jsx:15:13:15:19 | req.url | user-provided value |