Merge pull request #1180 from asger-semmle/tainted-path-squashed

Approved by xiemaisi
2019-05-30 17:20:19 +01:00 · 2019-05-30 17:20:19 +01:00 · 0fa06e5c8d
--- a/change-notes/1.21/analysis-javascript.md
+++ b/change-notes/1.21/analysis-javascript.md
@ -45,6 +45,7 @@
 | Useless assignment to property | Fewer false-positive results | This rule now ignore reads of additional getters. |
 | Unreachable statement | Unreachable throws no longer give an alert | This ignores unreachable throws, as they could be intentional (for example, to placate the TS compiler). |
 | Incorrect suffix check | Fewer false-positive results | This rule now recognizes valid checks in more cases. |
+| Tainted path | More results and fewer false-positive results | This rule now analyses path manipulation code more precisely. |

 ## Changes to QL libraries

--- a/javascript/ql/src/Security/Summaries/AllConfigurations.qll
+++ b/javascript/ql/src/Security/Summaries/AllConfigurations.qll
@ -12,15 +12,10 @@ import semmle.javascript.security.dataflow.CommandInjection
 import semmle.javascript.security.dataflow.DomBasedXss as DomBasedXss
 import semmle.javascript.security.dataflow.NosqlInjection
 import semmle.javascript.security.dataflow.ReflectedXss as ReflectedXss
-import semmle.javascript.security.dataflow.RegExpInjection
-import semmle.javascript.security.dataflow.RemotePropertyInjection
 import semmle.javascript.security.dataflow.ServerSideUrlRedirect
 import semmle.javascript.security.dataflow.SqlInjection
-import semmle.javascript.security.dataflow.StackTraceExposure
 import semmle.javascript.security.dataflow.StoredXss as StoredXss
-import semmle.javascript.security.dataflow.TaintedFormatString
 import semmle.javascript.security.dataflow.TaintedPath
 import semmle.javascript.security.dataflow.UnsafeDeserialization
 import semmle.javascript.security.dataflow.XmlBomb
-import semmle.javascript.security.dataflow.XpathInjection
 import semmle.javascript.security.dataflow.Xxe
--- a/javascript/ql/src/Security/Summaries/ExtractFlowStepSummaries.ql
+++ b/javascript/ql/src/Security/Summaries/ExtractFlowStepSummaries.ql
@ -9,7 +9,7 @@
 * @id js/step-summary-extraction
 */

-import AllConfigurations
+import Configurations
 import PortalExitSource
 import PortalEntrySink

--- a/javascript/ql/src/Security/Summaries/ExtractSinkSummaries.ql
+++ b/javascript/ql/src/Security/Summaries/ExtractSinkSummaries.ql
@ -7,7 +7,7 @@
 * @id js/sink-summary-extraction
 */

-import AllConfigurations
+import Configurations
 import PortalExitSource
 import SinkFromAnnotation

--- a/javascript/ql/src/Security/Summaries/ExtractSourceSummaries.ql
+++ b/javascript/ql/src/Security/Summaries/ExtractSourceSummaries.ql
@ -7,7 +7,7 @@
 * @id js/source-summary-extraction
 */

-import AllConfigurations
+import Configurations
 import PortalEntrySink
 import SourceFromAnnotation

--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@ -242,10 +242,10 @@ module TaintTracking {
  /**
   * A taint propagating data flow edge through persistent storage.
   */
-  private class StorageTaintStep extends AdditionalTaintStep {
+  class PersistentStorageTaintStep extends AdditionalTaintStep {
    PersistentReadAccess read;

-    StorageTaintStep() { this = read }
+    PersistentStorageTaintStep() { this = read }

    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
      pred = read.getAWrite().getValue() and
--- a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll
@ -21,23 +21,472 @@ module TaintedPath {
   */
  abstract class Sanitizer extends DataFlow::Node { }

+  module Label {
+    /**
+     * A string indicating if a path is normalized, that is, whether internal `../` components
+     * have been removed.
+     */
+    class Normalization extends string {
+      Normalization() { this = "normalized" or this = "raw" }
+    }
+
+    /**
+     * A string indicating if a path is relative or absolute.
+     */
+    class Relativeness extends string {
+      Relativeness() { this = "relative" or this = "absolute" }
+    }
+
+    /**
+     * A flow label representing a Posix path.
+     *
+     * There are currently four flow labels, representing the different combinations of
+     * normalization and absoluteness.
+     */
+    class PosixPath extends DataFlow::FlowLabel {
+      Normalization normalization;
+
+      Relativeness relativeness;
+
+      PosixPath() { this = normalization + "-" + relativeness + "-posix-path" }
+
+      /** Gets a string indicating whether this path is normalized. */
+      Normalization getNormalization() { result = normalization }
+
+      /** Gets a string indicating whether this path is relative. */
+      Relativeness getRelativeness() { result = relativeness }
+
+      /** Holds if this path is normalized. */
+      predicate isNormalized() { normalization = "normalized" }
+
+      /** Holds if this path is not normalized. */
+      predicate isNonNormalized() { normalization = "raw" }
+
+      /** Holds if this path is relative. */
+      predicate isRelative() { relativeness = "relative" }
+
+      /** Holds if this path is relative. */
+      predicate isAbsolute() { relativeness = "absolute" }
+
+      /** Gets the path label with normalized flag set to true. */
+      PosixPath toNormalized() {
+        result.isNormalized() and
+        result.getRelativeness() = this.getRelativeness()
+      }
+
+      /** Gets the path label with normalized flag set to true. */
+      PosixPath toNonNormalized() {
+        result.isNonNormalized() and
+        result.getRelativeness() = this.getRelativeness()
+      }
+
+      /** Gets the path label with absolute flag set to true. */
+      PosixPath toAbsolute() {
+        result.isAbsolute() and
+        result.getNormalization() = this.getNormalization()
+      }
+
+      /** Gets the path label with absolute flag set to true. */
+      PosixPath toRelative() {
+        result.isRelative() and
+        result.getNormalization() = this.getNormalization()
+      }
+
+      /** Holds if this path may contain `../` components. */
+      predicate canContainDotDotSlash() {
+        // Absolute normalized path is the only combination that cannot contain `../`.
+        not (isNormalized() and isAbsolute())
+      }
+    }
+  }
+
  /**
   * A taint-tracking configuration for reasoning about tainted-path vulnerabilities.
   */
-  class Configuration extends TaintTracking::Configuration {
+  class Configuration extends DataFlow::Configuration {
    Configuration() { this = "TaintedPath" }

-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
+    override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
+      source instanceof Source and
+      label instanceof Label::PosixPath
+    }

-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+    override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
+      sink instanceof Sink and
+      label instanceof Label::PosixPath
+    }

-    override predicate isSanitizer(DataFlow::Node node) {
-      super.isSanitizer(node) or
+    override predicate isBarrier(DataFlow::Node node) {
+      super.isBarrier(node) or
      node instanceof Sanitizer
    }

-    override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
-      guard instanceof StrongPathCheck
+    override predicate isBarrierGuard(DataFlow::BarrierGuardNode guard) {
+      guard instanceof StartsWithDotDotSanitizer or
+      guard instanceof StartsWithDirSanitizer or
+      guard instanceof IsAbsoluteSanitizer or
+      guard instanceof ContainsDotDotSanitizer
+    }
+
+    override predicate isAdditionalFlowStep(
+      DataFlow::Node src, DataFlow::Node dst, DataFlow::FlowLabel srclabel,
+      DataFlow::FlowLabel dstlabel
+    ) {
+      isTaintedPathStep(src, dst, srclabel, dstlabel)
+      or
+      // Ignore all preliminary sanitization after decoding URI components
+      srclabel instanceof Label::PosixPath and
+      dstlabel instanceof Label::PosixPath and
+      (
+        any(UriLibraryStep step).step(src, dst)
+        or
+        exists(DataFlow::CallNode decode |
+          decode.getCalleeName() = "decodeURIComponent" or decode.getCalleeName() = "decodeURI"
+        |
+          src = decode.getArgument(0) and
+          dst = decode
+        )
+      )
+      or
+      promiseTaintStep(src, dst) and srclabel = dstlabel
+      or
+      any(TaintTracking::PersistentStorageTaintStep st).step(src, dst) and srclabel = dstlabel
+      or
+      exists(DataFlow::PropRead read | read = dst |
+        src = read.getBase() and
+        read.getPropertyName() != "length" and
+        srclabel = dstlabel
+      )
+    }
+
+    /**
+     * Holds if we should include a step from `src -> dst` with labels `srclabel -> dstlabel`, and the
+     * standard taint step `src -> dst` should be suppresesd.
+     */
+    predicate isTaintedPathStep(
+      DataFlow::Node src, DataFlow::Node dst, Label::PosixPath srclabel,
+      Label::PosixPath dstlabel
+    ) {
+      // path.normalize() and similar
+      exists(NormalizingPathCall call |
+        src = call.getInput() and
+        dst = call.getOutput() and
+        dstlabel = srclabel.toNormalized()
+      )
+      or
+      // path.resolve() and similar
+      exists(ResolvingPathCall call |
+        src = call.getInput() and
+        dst = call.getOutput() and
+        dstlabel.isAbsolute() and
+        dstlabel.isNormalized()
+      )
+      or
+      // path.relative() and similar
+      exists(NormalizingRelativePathCall call |
+        src = call.getInput() and
+        dst = call.getOutput() and
+        dstlabel.isRelative() and
+        dstlabel.isNormalized()
+      )
+      or
+      // path.dirname() and similar
+      exists(PreservingPathCall call |
+        src = call.getInput() and
+        dst = call.getOutput() and
+        srclabel = dstlabel
+      )
+      or
+      // path.join()
+      exists(DataFlow::CallNode join, int n |
+        join = DataFlow::moduleMember("path", "join").getACall()
+      |
+        src = join.getArgument(n) and
+        dst = join and
+        (
+          // If the initial argument is tainted, just normalize it. It can be relative or absolute.
+          n = 0 and
+          dstlabel = srclabel.toNormalized()
+          or
+          // For later arguments, the flow label depends on whether the first argument is absolute or relative.
+          // If in doubt, we assume it is absolute.
+          n > 0 and
+          srclabel.canContainDotDotSlash() and
+          dstlabel.isNormalized() and
+          if isRelative(join.getArgument(0).getStringValue())
+          then dstlabel.isRelative()
+          else dstlabel.isAbsolute()
+        )
+      )
+      or
+      // String concatenation - behaves like path.join() except without normalization
+      exists(DataFlow::Node operator, int n |
+        StringConcatenation::taintStep(src, dst, operator, n)
+      |
+        // use ordinary taint flow for the first operand
+        n = 0 and
+        srclabel = dstlabel
+        or
+        n > 0 and
+        srclabel.canContainDotDotSlash() and
+        dstlabel.isNonNormalized() and // The ../ is no longer at the beginning of the string.
+        (
+          if isRelative(StringConcatenation::getOperand(operator, 0).getStringValue())
+          then dstlabel.isRelative()
+          else dstlabel.isAbsolute()
+        )
+      )
+    }
+  }
+
+  /**
+   * Holds if `s` is a relative path.
+   */
+  bindingset[s]
+  private predicate isRelative(string s) { not s.charAt(0) = "/" }
+
+  /**
+   * A call that normalizes a path.
+   */
+  class NormalizingPathCall extends DataFlow::CallNode {
+    DataFlow::Node input;
+
+    DataFlow::Node output;
+
+    NormalizingPathCall() {
+      this = DataFlow::moduleMember("path", "normalize").getACall() and
+      input = getArgument(0) and
+      output = this
+    }
+
+    /**
+     * Gets the input path to be normalized.
+     */
+    DataFlow::Node getInput() { result = input }
+
+    /**
+     * Gets the normalized path.
+     */
+    DataFlow::Node getOutput() { result = output }
+  }
+
+  /**
+   * A call that converts a path to an absolute normalized path.
+   */
+  class ResolvingPathCall extends DataFlow::CallNode {
+    DataFlow::Node input;
+
+    DataFlow::Node output;
+
+    ResolvingPathCall() {
+      this = DataFlow::moduleMember("path", "resolve").getACall() and
+      input = getAnArgument() and
+      output = this
+      or
+      this = DataFlow::moduleMember("fs", "realpathSync").getACall() and
+      input = getArgument(0) and
+      output = this
+      or
+      this = DataFlow::moduleMember("fs", "realpath").getACall() and
+      input = getArgument(0) and
+      output = getCallback(1).getParameter(1)
+    }
+
+    /**
+     * Gets the input path to be normalized.
+     */
+    DataFlow::Node getInput() { result = input }
+
+    /**
+     * Gets the normalized path.
+     */
+    DataFlow::Node getOutput() { result = output }
+  }
+
+  /**
+   * A call that normalizes a path and converts it to a relative path.
+   */
+  class NormalizingRelativePathCall extends DataFlow::CallNode {
+    DataFlow::Node input;
+
+    DataFlow::Node output;
+
+    NormalizingRelativePathCall() {
+      this = DataFlow::moduleMember("path", "relative").getACall() and
+      input = getAnArgument() and
+      output = this
+    }
+
+    /**
+     * Gets the input path to be normalized.
+     */
+    DataFlow::Node getInput() { result = input }
+
+    /**
+     * Gets the normalized path.
+     */
+    DataFlow::Node getOutput() { result = output }
+  }
+
+  /**
+   * A call that preserves taint without changing the flow label.
+   */
+  class PreservingPathCall extends DataFlow::CallNode {
+    DataFlow::Node input;
+
+    DataFlow::Node output;
+
+    PreservingPathCall() {
+      exists(string name | name = "dirname" or name = "toNamespacedPath" |
+        this = DataFlow::moduleMember("path", name).getACall() and
+        input = getAnArgument() and
+        output = this
+      )
+      or
+      // non-global replace or replace of something other than /\.\./g
+      this.getCalleeName() = "replace" and
+      input = getReceiver() and
+      output = this and
+      not exists(RegExpLiteral literal, RegExpSequence seq |
+        getArgument(0).getALocalSource().asExpr() = literal and
+        literal.isGlobal() and
+        literal.getRoot() = seq and
+        seq.getChild(0).(RegExpConstant).getValue() = "." and
+        seq.getChild(1).(RegExpConstant).getValue() = "." and
+        seq.getNumChild() = 2
+      )
+    }
+
+    /**
+     * Gets the input path to be normalized.
+     */
+    DataFlow::Node getInput() { result = input }
+
+    /**
+     * Gets the normalized path.
+     */
+    DataFlow::Node getOutput() { result = output }
+  }
+
+  /**
+   * Holds if `node` is a prefix of the string `../`.
+   */
+  private predicate isDotDotSlashPrefix(DataFlow::Node node) {
+    node.asExpr().getStringValue() + any(string s) = "../"
+    or
+    // ".." + path.sep
+    exists(StringOps::Concatenation conc | node = conc |
+      conc.getOperand(0).asExpr().getStringValue() = ".." and
+      conc.getOperand(1).getALocalSource() = DataFlow::moduleMember("path", "sep") and
+      conc.getNumOperand() = 2
+    )
+  }
+
+  /**
+   * A check of form `x.startsWith("../")` or similar.
+   *
+   * This is relevant for paths that are known to be normalized.
+   */
+  class StartsWithDotDotSanitizer extends DataFlow::LabeledBarrierGuardNode {
+    StringOps::StartsWith startsWith;
+
+    StartsWithDotDotSanitizer() {
+      this = startsWith and
+      isDotDotSlashPrefix(startsWith.getSubstring())
+    }
+
+    override predicate blocks(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+      // Sanitize in the false case for:
+      //   .startsWith(".")
+      //   .startsWith("..")
+      //   .startsWith("../")
+      outcome = startsWith.getPolarity().booleanNot() and
+      e = startsWith.getBaseString().asExpr() and
+      exists(Label::PosixPath posixPath | posixPath = label |
+        posixPath.isNormalized() and
+        posixPath.isRelative()
+      )
+    }
+  }
+
+  /**
+   * A check of form `x.startsWith(dir)` that sanitizes normalized absolute paths, since it is then
+   * known to be in a subdirectory of `dir`.
+   */
+  class StartsWithDirSanitizer extends DataFlow::LabeledBarrierGuardNode {
+    StringOps::StartsWith startsWith;
+
+    StartsWithDirSanitizer() {
+      this = startsWith and
+      not isDotDotSlashPrefix(startsWith.getSubstring()) and
+      // do not confuse this with a simple isAbsolute() check
+      not startsWith.getSubstring().asExpr().getStringValue() = "/"
+    }
+
+    override predicate blocks(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+      outcome = startsWith.getPolarity() and
+      e = startsWith.getBaseString().asExpr() and
+      exists(Label::PosixPath posixPath | posixPath = label |
+        posixPath.isAbsolute() and
+        posixPath.isNormalized()
+      )
+    }
+  }
+
+  /**
+   * A call to `path.isAbsolute` as a sanitizer for relative paths in true branch,
+   * and a sanitizer for absolute paths in the false branch.
+   */
+  class IsAbsoluteSanitizer extends DataFlow::LabeledBarrierGuardNode {
+    DataFlow::Node operand;
+
+    boolean polarity;
+
+    boolean negatable;
+
+    IsAbsoluteSanitizer() {
+      exists(DataFlow::CallNode call | this = call |
+        call = DataFlow::moduleMember("path", "isAbsolute").getACall() and
+        operand = call.getArgument(0) and
+        polarity = true and
+        negatable = true
+      )
+      or
+      exists(StringOps::StartsWith startsWith, string substring | this = startsWith |
+        startsWith.getSubstring().asExpr().getStringValue() = "/" + substring and
+        operand = startsWith.getBaseString() and
+        polarity = startsWith.getPolarity() and
+        if substring = "" then negatable = true else negatable = false
+      ) // !x.startsWith("/home") does not guarantee that x is not absolute
+    }
+
+    override predicate blocks(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+      e = operand.asExpr() and
+      exists(Label::PosixPath posixPath | posixPath = label |
+        outcome = polarity and posixPath.isRelative()
+        or
+        negatable = true and
+        outcome = polarity.booleanNot() and
+        posixPath.isAbsolute()
+      )
+    }
+  }
+
+  /**
+   * An expression of form `x.includes("..")` or similar.
+   */
+  class ContainsDotDotSanitizer extends DataFlow::LabeledBarrierGuardNode {
+    StringOps::Includes contains;
+
+    ContainsDotDotSanitizer() {
+      this = contains and
+      isDotDotSlashPrefix(contains.getSubstring())
+    }
+
+    override predicate blocks(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+      e = contains.getBaseString().asExpr() and
+      outcome = contains.getPolarity().booleanNot() and
+      label.(Label::PosixPath).canContainDotDotSlash() // can still be bypassed by normalized absolute path
    }
  }

@ -71,7 +520,8 @@ module TaintedPath {
        not exists(fs.getRootPathArgument())
        or
        this = fs.getRootPathArgument()
-      )
+      ) and
+      not this = any(ResolvingPathCall call).getInput()
    }
  }

@ -94,59 +544,4 @@ module TaintedPath {
  class AngularJSTemplateUrlSink extends Sink, DataFlow::ValueNode {
    AngularJSTemplateUrlSink() { this = any(AngularJS::CustomDirective d).getMember("templateUrl") }
  }
-
-  /**
-   * Holds if `check` evaluating to `outcome` is not sufficient to sanitize `path`.
-   */
-  predicate weakCheck(Expr check, boolean outcome, VarAccess path) {
-    // `path.startsWith`, `path.endsWith`, `fs.existsSync(path)`
-    exists(Expr base, string m | check.(MethodCallExpr).calls(base, m) |
-      path = base and
-      (m = "startsWith" or m = "endsWith")
-      or
-      path = check.(MethodCallExpr).getArgument(0) and
-      m.regexpMatch("exists(Sync)?")
-    ) and
-    (outcome = true or outcome = false)
-    or
-    // `path.indexOf` comparisons
-    check.(Comparison).getAnOperand().(MethodCallExpr).calls(path, "indexOf") and
-    (outcome = true or outcome = false)
-    or
-    // `path != null`, `path != undefined`, `path != "somestring"`
-    exists(EqualityTest eq, Expr op |
-      eq = check and eq.hasOperands(path, op) and outcome = eq.getPolarity().booleanNot()
-    |
-      op instanceof NullLiteral or
-      op instanceof SyntacticConstants::UndefinedConstant or
-      exists(op.getStringValue())
-    )
-    or
-    // `path`
-    check = path and
-    (outcome = true or outcome = false)
-  }
-
-  /**
-   * A conditional involving the path, that is not considered to be a weak check.
-   */
-  class StrongPathCheck extends TaintTracking::SanitizerGuardNode {
-    VarAccess path;
-
-    boolean sanitizedOutcome;
-
-    StrongPathCheck() {
-      exists(ConditionGuardNode cgg | asExpr() = cgg.getTest() |
-        asExpr() = path.getParentExpr*() and
-        path = any(SsaVariable v).getAUse() and
-        (sanitizedOutcome = true or sanitizedOutcome = false) and
-        not weakCheck(asExpr(), sanitizedOutcome, path)
-      )
-    }
-
-    override predicate sanitizes(boolean outcome, Expr e) {
-      path = e and
-      outcome = sanitizedOutcome
-    }
-  }
 }
--- a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
+++ b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@ -8,6 +8,10 @@ typeInferenceMismatch
 | addexpr.js:4:10:4:17 | source() | addexpr.js:7:8:7:8 | x |
 | addexpr.js:11:15:11:22 | source() | addexpr.js:21:8:21:12 | value |
 | advanced-callgraph.js:2:13:2:20 | source() | advanced-callgraph.js:6:22:6:22 | v |
+| booleanOps.js:2:11:2:18 | source() | booleanOps.js:4:8:4:8 | x |
+| booleanOps.js:2:11:2:18 | source() | booleanOps.js:13:10:13:10 | x |
+| booleanOps.js:2:11:2:18 | source() | booleanOps.js:19:10:19:10 | x |
+| booleanOps.js:2:11:2:18 | source() | booleanOps.js:22:10:22:10 | x |
 | callbacks.js:4:6:4:13 | source() | callbacks.js:34:27:34:27 | x |
 | callbacks.js:4:6:4:13 | source() | callbacks.js:35:27:35:27 | x |
 | callbacks.js:5:6:5:13 | source() | callbacks.js:34:27:34:27 | x |
--- a/javascript/ql/test/library-tests/TaintTracking/DataFlowTracking.expected
+++ b/javascript/ql/test/library-tests/TaintTracking/DataFlowTracking.expected
@ -1,5 +1,11 @@
 | access-path-sanitizer.js:2:18:2:25 | source() | access-path-sanitizer.js:4:8:4:12 | obj.x |
 | advanced-callgraph.js:2:13:2:20 | source() | advanced-callgraph.js:6:22:6:22 | v |
+| booleanOps.js:2:11:2:18 | source() | booleanOps.js:4:8:4:8 | x |
+| booleanOps.js:2:11:2:18 | source() | booleanOps.js:7:10:7:10 | x |
+| booleanOps.js:2:11:2:18 | source() | booleanOps.js:10:10:10:10 | x |
+| booleanOps.js:2:11:2:18 | source() | booleanOps.js:13:10:13:10 | x |
+| booleanOps.js:2:11:2:18 | source() | booleanOps.js:19:10:19:10 | x |
+| booleanOps.js:2:11:2:18 | source() | booleanOps.js:22:10:22:10 | x |
 | callbacks.js:4:6:4:13 | source() | callbacks.js:34:27:34:27 | x |
 | callbacks.js:4:6:4:13 | source() | callbacks.js:35:27:35:27 | x |
 | callbacks.js:5:6:5:13 | source() | callbacks.js:34:27:34:27 | x |
--- a/javascript/ql/test/library-tests/TaintTracking/booleanOps.js
+++ b/javascript/ql/test/library-tests/TaintTracking/booleanOps.js
@ -0,0 +1,23 @@
+function test() {
+  let x = source();
+  
+  sink(x); // NOT OK
+  
+  if (x === 'a')
+    sink(x); // OK
+  
+  if (x === 'a' || x === 'b')
+    sink(x); // OK
+  
+  if (x === 'a' || 1 === 1)
+    sink(x); // NOT OK
+
+  if (isSafe(x))
+    sink(x); // OK
+  
+  if (isSafe(x, y) || isSafe(x, z))
+    sink(x); // OK
+  
+  if (isSafe(x) || 1 === 1)
+    sink(x); // NOT OK
+}
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected
@ -0,0 +1 @@
+| normalizedPaths.js:208:35:208:60 | // OK - ...  anyway | Spurious alert |
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.ql
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.ql
@ -0,0 +1,31 @@
+import javascript
+import semmle.javascript.security.dataflow.TaintedPath::TaintedPath
+
+class Assertion extends LineComment {
+  boolean shouldHaveAlert;
+  Assertion() {
+    if getText().matches("%NOT OK%") then
+      shouldHaveAlert = true
+    else
+      (getText().matches("%OK%") and shouldHaveAlert = false)
+  }
+
+  predicate shouldHaveAlert() { shouldHaveAlert = true }
+
+  predicate hasAlert() {
+    exists(Configuration cfg, DataFlow::Node src, DataFlow::Node sink, Location loc |
+      cfg.hasFlow(src, sink) and
+      loc = sink.getAstNode().getLocation() and
+      loc.getFile() = getFile() and
+      loc.getEndLine() = getLocation().getEndLine()
+    )
+  }
+}
+
+from Assertion assertion, string message
+where
+  (assertion.shouldHaveAlert() and not assertion.hasAlert() and message = "Missing alert")
+  or
+  (not assertion.shouldHaveAlert() and assertion.hasAlert() and message = "Spurious alert")
+select
+  assertion, message
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js
@ -0,0 +1,233 @@
+var fs = require('fs'),
+    express = require('express'),
+    url = require('url'),
+    sanitize = require('sanitize-filename'),
+    pathModule = require('path')
+    ;
+
+let app = express();
+
+app.get('/basic', (req, res) => {
+  let path = req.query.path;
+
+  res.sendFile(path); // NOT OK
+  res.sendFile('./' + path); // NOT OK
+  res.sendFile(path + '/index.html'); // NOT OK
+  res.sendFile(pathModule.join(path, 'index.html')); // NOT OK
+  res.sendFile(pathModule.join('/home/user/www', path)); // NOT OK
+});
+
+app.get('/normalize', (req, res) => {
+  let path = pathModule.normalize(req.query.path);
+
+  res.sendFile(path); // NOT OK
+  res.sendFile('./' + path); // NOT OK
+  res.sendFile(path + '/index.html'); // NOT OK
+  res.sendFile(pathModule.join(path, 'index.html')); // NOT OK
+  res.sendFile(pathModule.join('/home/user/www', path)); // NOT OK
+});
+
+app.get('/normalize-notAbsolute', (req, res) => {
+  let path = pathModule.normalize(req.query.path);
+
+  if (pathModule.isAbsolute(path))
+    return;
+   
+  res.sendFile(path); // NOT OK
+
+  if (!path.startsWith("."))
+    res.sendFile(path); // OK
+  else
+    res.sendFile(path); // NOT OK - wrong polarity
+  
+  if (!path.startsWith(".."))
+    res.sendFile(path); // OK
+  
+  if (!path.startsWith("../"))
+    res.sendFile(path); // OK
+
+  if (!path.startsWith(".." + pathModule.sep))
+    res.sendFile(path); // OK
+});
+
+app.get('/normalize-noInitialDotDot', (req, res) => {
+  let path = pathModule.normalize(req.query.path);
+  
+  if (path.startsWith(".."))
+    return;
+
+  res.sendFile(path); // NOT OK - could be absolute
+
+  res.sendFile("./" + path); // OK - coerced to relative
+
+  res.sendFile(path + "/index.html"); // NOT OK - not coerced
+
+  if (!pathModule.isAbsolute(path))
+    res.sendFile(path); // OK
+  else
+    res.sendFile(path); // NOT OK
+});
+
+app.get('/prepend-normalize', (req, res) => {
+  // Coerce to relative prior to normalization
+  let path = pathModule.normalize('./' + req.query.path);
+
+  if (!path.startsWith(".."))
+    res.sendFile(path); // OK
+  else
+     res.sendFile(path); // NOT OK
+});
+
+app.get('/absolute', (req, res) => {
+  let path = req.query.path;
+  
+  if (!pathModule.isAbsolute(path))
+    return;
+
+  res.write(fs.readFileSync(path)); // NOT OK
+
+  if (path.startsWith('/home/user/www'))
+    res.write(fs.readFileSync(path)); // NOT OK - can still contain '../'
+});
+
+app.get('/normalized-absolute', (req, res) => {
+  let path = pathModule.normalize(req.query.path);
+  
+  if (!pathModule.isAbsolute(path))
+    return;
+  
+  res.write(fs.readFileSync(path)); // NOT OK
+
+  if (path.startsWith('/home/user/www'))
+    res.write(fs.readFileSync(path)); // OK
+});
+
+app.get('/combined-check', (req, res) => {
+  let path = pathModule.normalize(req.query.path);
+  
+  // Combined absoluteness and folder check in one startsWith call
+  if (path.startsWith("/home/user/www"))
+    res.sendFile(path); // OK
+
+  if (path[0] !== "/" && path[0] !== ".")
+    res.sendFile(path); // OK
+});
+
+app.get('/realpath', (req, res) => {
+  let path = fs.realpathSync(req.query.path);
+
+  res.sendFile(path); // NOT OK
+  res.sendFile(pathModule.join(path, 'index.html')); // NOT OK
+
+  if (path.startsWith("/home/user/www"))
+    res.sendFile(path); // OK - both absolute and normalized before check
+    
+  res.sendFile(pathModule.join('.', path)); // OK - normalized and coerced to relative
+  res.sendFile(pathModule.join('/home/user/www', path)); // OK
+});
+
+app.get('/coerce-relative', (req, res) => {
+  let path = pathModule.join('.', req.query.path);
+
+  if (!path.startsWith('..'))
+    res.sendFile(path); // OK
+  else
+    res.sendFile(path); // NOT OK
+});
+
+app.get('/coerce-absolute', (req, res) => {
+  let path = pathModule.join('/home/user/www', req.query.path);
+
+  if (path.startsWith('/home/user/www'))
+    res.sendFile(path); // OK
+  else
+    res.sendFile(path); // NOT OK
+});
+
+app.get('/concat-after-normalization', (req, res) => {
+  let path = 'foo/' + pathModule.normalize(req.query.path);
+
+  if (!path.startsWith('..'))
+    res.sendFile(path); // NOT OK - prefixing foo/ invalidates check
+  else
+    res.sendFile(path); // NOT OK
+
+  if (!path.includes('..'))
+    res.sendFile(path); // OK
+});
+
+app.get('/noDotDot', (req, res) => {
+  let path = pathModule.normalize(req.query.path);
+
+  if (path.includes('..'))
+    return;
+
+  res.sendFile(path); // NOT OK - can still be absolute
+
+  if (!pathModule.isAbsolute(path))
+    res.sendFile(path); // OK
+  else
+    res.sendFile(path); // NOT OK
+});
+
+app.get('/join-regression', (req, res) => {
+  let path = req.query.path;
+
+  // Regression test for a specific corner case:
+  // Some guard nodes sanitize both branches, but for a different set of flow labels.
+  // Verify that this does not break anything.
+  if (pathModule.isAbsolute(path)) {path;} else {path;}
+  if (path.startsWith('/')) {path;} else {path;}
+  if (path.startsWith('/x')) {path;} else {path;}
+  if (path.startsWith('.')) {path;} else {path;}
+
+  res.sendFile(path); // NOT OK
+
+  if (pathModule.isAbsolute(path))
+    res.sendFile(path); // NOT OK
+  else
+    res.sendFile(path); // NOT OK
+
+  if (path.includes('..'))
+    res.sendFile(path); // NOT OK
+  else
+    res.sendFile(path); // NOT OK
+
+  if (!path.includes('..') && !pathModule.isAbsolute(path))
+    res.sendFile(path); // OK
+  else
+    res.sendFile(path); // NOT OK
+
+  let normalizedPath = pathModule.normalize(path);
+  if (normalizedPath.startsWith('/home/user/www'))
+    res.sendFile(normalizedPath); // OK
+  else
+    res.sendFile(normalizedPath); // NOT OK
+
+  if (normalizedPath.startsWith('/home/user/www') || normalizedPath.startsWith('/home/user/public'))
+    res.sendFile(normalizedPath); // OK - but flagged anyway
+  else
+    res.sendFile(normalizedPath); // NOT OK
+});
+
+app.get('/decode-after-normalization', (req, res) => {
+  let path = pathModule.normalize(req.query.path);
+  
+  if (!pathModule.isAbsolute(path) && !path.startsWith('..'))
+    res.sendFile(path); // OK
+
+  path = decodeURIComponent(path);
+
+  if (!pathModule.isAbsolute(path) && !path.startsWith('..'))
+    res.sendFile(path); // NOT OK - not normalized
+});
+
+app.get('/replace', (req, res) => {
+  let path = pathModule.normalize(req.query.path).replace(/%20/g, ' ');
+  if (!pathModule.isAbsolute(path)) {
+    res.sendFile(path); // NOT OK
+
+    path = path.replace(/\.\./g, '');
+    res.sendFile(path); // OK
+  }
+});
--- a/javascript/ql/test/query-tests/Security/Summaries/ExtractFlowStepSummaries.expected
+++ b/javascript/ql/test/query-tests/Security/Summaries/ExtractFlowStepSummaries.expected
@ -4,17 +4,11 @@
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | DomBasedXss |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | NosqlInjection |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | ReflectedXss |
-| (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | RegExpInjection |
-| (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | RemotePropertyInjection |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | ServerSideUrlRedirect |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | SqlInjection |
-| (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | StackTraceExposure |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | StoredXss |
-| (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | TaintedFormatString |
-| (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | TaintedPath |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | UnsafeDeserialization |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | XmlBomb |
-| (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | XpathInjection |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | Xxe |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | ClientSideUrlRedirect |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | CodeInjection |
@ -22,17 +16,11 @@
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | DomBasedXss |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | NosqlInjection |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | ReflectedXss |
-| (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | RegExpInjection |
-| (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | RemotePropertyInjection |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | ServerSideUrlRedirect |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | SqlInjection |
-| (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | StackTraceExposure |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | StoredXss |
-| (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | TaintedFormatString |
-| (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | TaintedPath |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | UnsafeDeserialization |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | XmlBomb |
-| (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | XpathInjection |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | Xxe |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | ClientSideUrlRedirect |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | CodeInjection |
@ -40,17 +28,11 @@
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | DomBasedXss |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | NosqlInjection |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | ReflectedXss |
-| (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | RegExpInjection |
-| (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | RemotePropertyInjection |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | ServerSideUrlRedirect |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | SqlInjection |
-| (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | StackTraceExposure |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | StoredXss |
-| (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | TaintedFormatString |
-| (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | TaintedPath |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | UnsafeDeserialization |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | XmlBomb |
-| (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | XpathInjection |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | Xxe |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | ClientSideUrlRedirect |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | CodeInjection |
@ -58,17 +40,11 @@
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | DomBasedXss |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | NosqlInjection |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | ReflectedXss |
-| (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | RegExpInjection |
-| (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | RemotePropertyInjection |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | ServerSideUrlRedirect |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | SqlInjection |
-| (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | StackTraceExposure |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | StoredXss |
-| (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | TaintedFormatString |
-| (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | TaintedPath |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | UnsafeDeserialization |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | XmlBomb |
-| (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | XpathInjection |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | Xxe |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | ClientSideUrlRedirect |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | CodeInjection |
@ -76,17 +52,11 @@
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | DomBasedXss |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | NosqlInjection |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | ReflectedXss |
-| (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | RegExpInjection |
-| (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | RemotePropertyInjection |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | ServerSideUrlRedirect |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | SqlInjection |
-| (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | StackTraceExposure |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | StoredXss |
-| (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | TaintedFormatString |
-| (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | TaintedPath |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | UnsafeDeserialization |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | XmlBomb |
-| (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | XpathInjection |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | Xxe |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | ClientSideUrlRedirect |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | CodeInjection |
@ -94,15 +64,9 @@
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | DomBasedXss |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | NosqlInjection |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | ReflectedXss |
-| (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | RegExpInjection |
-| (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | RemotePropertyInjection |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | ServerSideUrlRedirect |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | SqlInjection |
-| (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | StackTraceExposure |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | StoredXss |
-| (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | TaintedFormatString |
-| (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | TaintedPath |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | UnsafeDeserialization |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | XmlBomb |
-| (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | XpathInjection |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | Xxe |
--- a/javascript/ql/test/query-tests/Security/Summaries/ExtractSinkSummaries.expected
+++ b/javascript/ql/test/query-tests/Security/Summaries/ExtractSinkSummaries.expected
@ -1,12 +1,9 @@
-| (member name (parameter 0 (member regexpInj (root https://www.npmjs.com/package/infer-sources)))) | data | RegExpInjection |
-| (member name (parameter 0 (member regexpInj (root https://www.npmjs.com/package/infer-sources)))) | taint | RegExpInjection |
 | (parameter 0 (member codeInjection (root https://www.npmjs.com/package/infer-sources))) | data | CodeInjection |
 | (parameter 0 (member codeInjection (root https://www.npmjs.com/package/infer-sources))) | taint | CodeInjection |
 | (parameter 0 (member commandInjection (root https://www.npmjs.com/package/infer-sources))) | data | CommandInjection |
 | (parameter 0 (member commandInjection (root https://www.npmjs.com/package/infer-sources))) | taint | CommandInjection |
 | (parameter 0 (member hashPass (root https://www.npmjs.com/package/infer-sources))) | data | CodeInjection |
 | (parameter 0 (member hashPass (root https://www.npmjs.com/package/infer-sources))) | taint | CodeInjection |
-| (parameter 0 (member mkdirp (root https://www.npmjs.com/package/infer-sources))) | taint | TaintedPath |
 | (parameter 0 (member multiple (root https://www.npmjs.com/package/infer-sources))) | data | CodeInjection |
 | (parameter 0 (member multiple (root https://www.npmjs.com/package/infer-sources))) | data | CommandInjection |
 | (parameter 0 (member multiple (root https://www.npmjs.com/package/infer-sources))) | taint | CodeInjection |
@ -17,21 +14,13 @@
 | (parameter 0 (member reflected (root https://www.npmjs.com/package/infer-sources))) | data | StoredXss |
 | (parameter 0 (member reflected (root https://www.npmjs.com/package/infer-sources))) | taint | ReflectedXss |
 | (parameter 0 (member reflected (root https://www.npmjs.com/package/infer-sources))) | taint | StoredXss |
-| (parameter 0 (member regexpInj (root https://www.npmjs.com/package/infer-sources))) | data | RegExpInjection |
-| (parameter 0 (member regexpInj (root https://www.npmjs.com/package/infer-sources))) | taint | RegExpInjection |
 | (parameter 0 (member sqlInj (root https://www.npmjs.com/package/infer-sources))) | data | SqlInjection |
 | (parameter 0 (member sqlInj (root https://www.npmjs.com/package/infer-sources))) | taint | SqlInjection |
-| (parameter 0 (member taintedPath (root https://www.npmjs.com/package/infer-sources))) | data | TaintedPath |
-| (parameter 0 (member taintedPath (root https://www.npmjs.com/package/infer-sources))) | taint | TaintedPath |
 | (parameter 0 (member unsafeDes (root https://www.npmjs.com/package/infer-sources))) | data | UnsafeDeserialization |
 | (parameter 0 (member unsafeDes (root https://www.npmjs.com/package/infer-sources))) | taint | UnsafeDeserialization |
 | (parameter 0 (member xmlBomb (root https://www.npmjs.com/package/infer-sources))) | data | XmlBomb |
 | (parameter 0 (member xmlBomb (root https://www.npmjs.com/package/infer-sources))) | data | Xxe |
 | (parameter 0 (member xmlBomb (root https://www.npmjs.com/package/infer-sources))) | taint | XmlBomb |
 | (parameter 0 (member xmlBomb (root https://www.npmjs.com/package/infer-sources))) | taint | Xxe |
-| (parameter 0 (member xpathInj (root https://www.npmjs.com/package/infer-sources))) | data | XpathInjection |
-| (parameter 0 (member xpathInj (root https://www.npmjs.com/package/infer-sources))) | taint | XpathInjection |
 | (parameter 0 (member xxe (root https://www.npmjs.com/package/infer-sources))) | data | XmlBomb |
 | (parameter 0 (member xxe (root https://www.npmjs.com/package/infer-sources))) | taint | XmlBomb |
-| (parameter 1 (member remotePropeInjection (root https://www.npmjs.com/package/infer-sources))) | data | RemotePropertyInjection |
-| (parameter 1 (member remotePropeInjection (root https://www.npmjs.com/package/infer-sources))) | taint | RemotePropertyInjection |
--- a/javascript/ql/test/query-tests/Security/Summaries/ExtractSourceSummaries.expected
+++ b/javascript/ql/test/query-tests/Security/Summaries/ExtractSourceSummaries.expected
@ -4,19 +4,13 @@
 | (parameter 0 (parameter 0 (member listen (root https://www.npmjs.com/package/infer-sources)))) | taint | DomBasedXss |
 | (parameter 0 (parameter 0 (member listen (root https://www.npmjs.com/package/infer-sources)))) | taint | NosqlInjection |
 | (parameter 0 (parameter 0 (member listen (root https://www.npmjs.com/package/infer-sources)))) | taint | ReflectedXss |
-| (parameter 0 (parameter 0 (member listen (root https://www.npmjs.com/package/infer-sources)))) | taint | RegExpInjection |
-| (parameter 0 (parameter 0 (member listen (root https://www.npmjs.com/package/infer-sources)))) | taint | RemotePropertyInjection |
 | (parameter 0 (parameter 0 (member listen (root https://www.npmjs.com/package/infer-sources)))) | taint | ServerSideUrlRedirect |
 | (parameter 0 (parameter 0 (member listen (root https://www.npmjs.com/package/infer-sources)))) | taint | SqlInjection |
-| (parameter 0 (parameter 0 (member listen (root https://www.npmjs.com/package/infer-sources)))) | taint | TaintedFormatString |
-| (parameter 0 (parameter 0 (member listen (root https://www.npmjs.com/package/infer-sources)))) | taint | TaintedPath |
 | (parameter 0 (parameter 0 (member listen (root https://www.npmjs.com/package/infer-sources)))) | taint | UnsafeDeserialization |
 | (parameter 0 (parameter 0 (member listen (root https://www.npmjs.com/package/infer-sources)))) | taint | XmlBomb |
-| (parameter 0 (parameter 0 (member listen (root https://www.npmjs.com/package/infer-sources)))) | taint | XpathInjection |
 | (parameter 0 (parameter 0 (member listen (root https://www.npmjs.com/package/infer-sources)))) | taint | Xxe |
 | (return (member taintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | ClientSideUrlRedirect |
 | (return (member taintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | CodeInjection |
 | (return (member taintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | DomBasedXss |
 | (return (member taintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | XmlBomb |
-| (return (member taintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | XpathInjection |
 | (return (member taintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | Xxe |
				`@ -0,0 +1 @@`
				`\| normalizedPaths.js:208:35:208:60 \| // OK - ... anyway \| Spurious alert \|`