Failing tests for js and ruby - MaD sanitizers not working any more.

owen-mc · owen-mc · commit 723256824057 · 2026-01-29T16:16:30.000Z
diff --git a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteHtmlAttributeSanitization.expected b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteHtmlAttributeSanitization.expected
@@ -6,13 +6,15 @@
 | tst.js:253:21:253:45 | s().rep ... /g, '') | tst.js:253:21:253:45 | s().rep ... /g, '') | tst.js:253:21:253:45 | s().rep ... /g, '') | Cross-site scripting vulnerability as the output of $@ may contain ampersands or double quotes when it reaches this attribute definition. | tst.js:253:21:253:45 | s().rep ... /g, '') | this final HTML sanitizer step |
 | tst.js:254:32:254:56 | s().rep ... /g, '') | tst.js:254:32:254:56 | s().rep ... /g, '') | tst.js:254:32:254:56 | s().rep ... /g, '') | Cross-site scripting vulnerability as the output of $@ may contain ampersands or double quotes when it reaches this attribute definition. | tst.js:254:32:254:56 | s().rep ... /g, '') | this final HTML sanitizer step |
 | tst.js:270:61:270:85 | s().rep ... /g, '') | tst.js:270:61:270:85 | s().rep ... /g, '') | tst.js:270:61:270:85 | s().rep ... /g, '') | Cross-site scripting vulnerability as the output of $@ may contain ampersands or double quotes when it reaches this attribute definition. | tst.js:270:61:270:85 | s().rep ... /g, '') | this final HTML sanitizer step |
+| tst.js:272:9:272:51 | encodeU ... /g,'')) | tst.js:272:28:272:50 | s().rep ... ]/g,'') | tst.js:272:9:272:51 | encodeU ... /g,'')) | Cross-site scripting vulnerability as the output of $@ may contain double quotes when it reaches this attribute definition. | tst.js:272:28:272:50 | s().rep ... ]/g,'') | this final HTML sanitizer step |
 | tst.js:275:9:275:21 | arr.join(" ") | tst.js:274:12:274:94 | s().val ... g , '') | tst.js:275:9:275:21 | arr.join(" ") | Cross-site scripting vulnerability as the output of $@ may contain double quotes when it reaches this attribute definition. | tst.js:274:12:274:94 | s().val ... g , '') | this final HTML sanitizer step |
 | tst.js:300:10:300:33 | s().rep ... ]/g,'') | tst.js:300:10:300:33 | s().rep ... ]/g,'') | tst.js:300:10:300:33 | s().rep ... ]/g,'') | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:300:10:300:33 | s().rep ... ]/g,'') | this final HTML sanitizer step |
 | tst.js:301:10:301:32 | s().rep ... ]/g,'') | tst.js:301:10:301:32 | s().rep ... ]/g,'') | tst.js:301:10:301:32 | s().rep ... ]/g,'') | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:301:10:301:32 | s().rep ... ]/g,'') | this final HTML sanitizer step |
 | tst.js:302:10:302:34 | s().rep ... ]/g,'') | tst.js:302:10:302:34 | s().rep ... ]/g,'') | tst.js:302:10:302:34 | s().rep ... ]/g,'') | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:302:10:302:34 | s().rep ... ]/g,'') | this final HTML sanitizer step |
 | tst.js:303:10:303:34 | s().rep ... /g, '') | tst.js:303:10:303:34 | s().rep ... /g, '') | tst.js:303:10:303:34 | s().rep ... /g, '') | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:303:10:303:34 | s().rep ... /g, '') | this final HTML sanitizer step |
 | tst.js:309:10:318:3 | s().rep ... ;";\\n\\t}) | tst.js:309:10:318:3 | s().rep ... ;";\\n\\t}) | tst.js:309:10:318:3 | s().rep ... ;";\\n\\t}) | Cross-site scripting vulnerability as the output of $@ may contain single quotes when it reaches this attribute definition. | tst.js:309:10:318:3 | s().rep ... ;";\\n\\t}) | this final HTML sanitizer step |
 edges
+| tst.js:272:28:272:50 | s().rep ... ]/g,'') | tst.js:272:9:272:51 | encodeU ... /g,'')) | provenance |  |
 | tst.js:274:6:274:8 | arr | tst.js:275:9:275:11 | arr | provenance |  |
 | tst.js:274:12:274:94 | s().val ... g , '') | tst.js:274:6:274:8 | arr | provenance |  |
 | tst.js:275:9:275:11 | arr | tst.js:275:9:275:21 | arr.join(" ") | provenance |  |
@@ -24,6 +26,8 @@ nodes
 | tst.js:253:21:253:45 | s().rep ... /g, '') | semmle.label | s().rep ... /g, '') |
 | tst.js:254:32:254:56 | s().rep ... /g, '') | semmle.label | s().rep ... /g, '') |
 | tst.js:270:61:270:85 | s().rep ... /g, '') | semmle.label | s().rep ... /g, '') |
+| tst.js:272:9:272:51 | encodeU ... /g,'')) | semmle.label | encodeU ... /g,'')) |
+| tst.js:272:28:272:50 | s().rep ... ]/g,'') | semmle.label | s().rep ... ]/g,'') |
 | tst.js:274:6:274:8 | arr | semmle.label | arr |
 | tst.js:274:12:274:94 | s().val ... g , '') | semmle.label | s().val ... g , '') |
 | tst.js:275:9:275:11 | arr | semmle.label | arr |
@@ -34,3 +38,6 @@ nodes
 | tst.js:303:10:303:34 | s().rep ... /g, '') | semmle.label | s().rep ... /g, '') |
 | tst.js:309:10:318:3 | s().rep ... ;";\\n\\t}) | semmle.label | s().rep ... ;";\\n\\t}) |
 subpaths
+testFailures
+| tst.js:272:9:272:51 | encodeU ... /g,'')) | Unexpected result: Alert |
+| tst.js:272:28:272:50 | s().rep ... ]/g,'') | Unexpected result: Alert |
diff --git a/ruby/ql/test/query-tests/security/cwe-1333-regexp-injection/RegExpInjection.expected b/ruby/ql/test/query-tests/security/cwe-1333-regexp-injection/RegExpInjection.expected
@@ -13,6 +13,14 @@ edges
 | RegExpInjection.rb:22:12:22:17 | call to params | RegExpInjection.rb:22:12:22:24 | ...[...] | provenance |  |
 | RegExpInjection.rb:22:12:22:24 | ...[...] | RegExpInjection.rb:22:5:22:8 | name | provenance |  |
 | RegExpInjection.rb:23:30:23:33 | name | RegExpInjection.rb:23:24:23:33 | ... + ... | provenance |  |
+| RegExpInjection.rb:42:5:42:8 | name | RegExpInjection.rb:43:38:43:41 | name | provenance |  |
+| RegExpInjection.rb:42:12:42:17 | call to params | RegExpInjection.rb:42:12:42:24 | ...[...] | provenance |  |
+| RegExpInjection.rb:42:12:42:24 | ...[...] | RegExpInjection.rb:42:5:42:8 | name | provenance |  |
+| RegExpInjection.rb:43:38:43:41 | name | RegExpInjection.rb:43:24:43:42 | call to escape | provenance | MaD:21 |
+| RegExpInjection.rb:48:5:48:8 | name | RegExpInjection.rb:49:37:49:40 | name | provenance |  |
+| RegExpInjection.rb:48:12:48:17 | call to params | RegExpInjection.rb:48:12:48:24 | ...[...] | provenance |  |
+| RegExpInjection.rb:48:12:48:24 | ...[...] | RegExpInjection.rb:48:5:48:8 | name | provenance |  |
+| RegExpInjection.rb:49:37:49:40 | name | RegExpInjection.rb:49:24:49:41 | call to quote | provenance | MaD:21 |
 | RegExpInjection.rb:54:5:54:8 | name | RegExpInjection.rb:55:28:55:37 | ... + ... | provenance |  |
 | RegExpInjection.rb:54:5:54:8 | name | RegExpInjection.rb:55:34:55:37 | name | provenance |  |
 | RegExpInjection.rb:54:12:54:17 | call to params | RegExpInjection.rb:54:12:54:24 | ...[...] | provenance |  |
@@ -36,6 +44,16 @@ nodes
 | RegExpInjection.rb:22:12:22:24 | ...[...] | semmle.label | ...[...] |
 | RegExpInjection.rb:23:24:23:33 | ... + ... | semmle.label | ... + ... |
 | RegExpInjection.rb:23:30:23:33 | name | semmle.label | name |
+| RegExpInjection.rb:42:5:42:8 | name | semmle.label | name |
+| RegExpInjection.rb:42:12:42:17 | call to params | semmle.label | call to params |
+| RegExpInjection.rb:42:12:42:24 | ...[...] | semmle.label | ...[...] |
+| RegExpInjection.rb:43:24:43:42 | call to escape | semmle.label | call to escape |
+| RegExpInjection.rb:43:38:43:41 | name | semmle.label | name |
+| RegExpInjection.rb:48:5:48:8 | name | semmle.label | name |
+| RegExpInjection.rb:48:12:48:17 | call to params | semmle.label | call to params |
+| RegExpInjection.rb:48:12:48:24 | ...[...] | semmle.label | ...[...] |
+| RegExpInjection.rb:49:24:49:41 | call to quote | semmle.label | call to quote |
+| RegExpInjection.rb:49:37:49:40 | name | semmle.label | name |
 | RegExpInjection.rb:54:5:54:8 | name | semmle.label | name |
 | RegExpInjection.rb:54:12:54:17 | call to params | semmle.label | call to params |
 | RegExpInjection.rb:54:12:54:24 | ...[...] | semmle.label | ...[...] |
@@ -47,4 +65,6 @@ subpaths
 | RegExpInjection.rb:11:13:11:27 | /foo#{...}bar/ | RegExpInjection.rb:10:12:10:17 | call to params | RegExpInjection.rb:11:13:11:27 | /foo#{...}bar/ | This regular expression depends on a $@. | RegExpInjection.rb:10:12:10:17 | call to params | user-provided value |
 | RegExpInjection.rb:17:24:17:27 | name | RegExpInjection.rb:16:12:16:17 | call to params | RegExpInjection.rb:17:24:17:27 | name | This regular expression depends on a $@. | RegExpInjection.rb:16:12:16:17 | call to params | user-provided value |
 | RegExpInjection.rb:23:24:23:33 | ... + ... | RegExpInjection.rb:22:12:22:17 | call to params | RegExpInjection.rb:23:24:23:33 | ... + ... | This regular expression depends on a $@. | RegExpInjection.rb:22:12:22:17 | call to params | user-provided value |
+| RegExpInjection.rb:43:24:43:42 | call to escape | RegExpInjection.rb:42:12:42:17 | call to params | RegExpInjection.rb:43:24:43:42 | call to escape | This regular expression depends on a $@. | RegExpInjection.rb:42:12:42:17 | call to params | user-provided value |
+| RegExpInjection.rb:49:24:49:41 | call to quote | RegExpInjection.rb:48:12:48:17 | call to params | RegExpInjection.rb:49:24:49:41 | call to quote | This regular expression depends on a $@. | RegExpInjection.rb:48:12:48:17 | call to params | user-provided value |
 | RegExpInjection.rb:55:28:55:37 | ... + ... | RegExpInjection.rb:54:12:54:17 | call to params | RegExpInjection.rb:55:28:55:37 | ... + ... | This regular expression depends on a $@. | RegExpInjection.rb:54:12:54:17 | call to params | user-provided value |
