Merge pull request #2778 from erik-krogh/FalsySanitizer

Approved by asgerf
2020-02-20 11:17:03 +00:00 · 2020-02-20 11:17:03 +00:00 · f6af5da7f7
--- a/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql
+++ b/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql
@ -188,12 +188,7 @@ class PropNameTracking extends DataFlow::Configuration {
  override predicate isBarrier(DataFlow::Node node) {
    super.isBarrier(node)
    or
-    exists(ConditionGuardNode guard, SsaRefinementNode refinement |
-      node = DataFlow::ssaDefinitionNode(refinement) and
-      refinement.getGuard() = guard and
-      guard.getTest() instanceof VarAccess and
-      guard.getOutcome() = false
-    )
+    node instanceof DataFlow::VarAccessBarrier
  }

  override predicate isBarrierGuard(DataFlow::BarrierGuardNode node) {
--- a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
@ -1480,3 +1480,18 @@ private class AdditionalBarrierGuardCall extends AdditionalBarrierGuardNode, Dat

  override predicate appliesTo(Configuration cfg) { f.appliesTo(cfg) }
 }
+
+/**
+  * A guard node for a variable in a negative condition, such as `x` in `if(!x)`.
+  * Can be added to a `isBarrier` in a data-flow configuration to block flow through such checks.
+  */
+class VarAccessBarrier extends DataFlow::Node {
+  VarAccessBarrier() {
+    exists(ConditionGuardNode guard, SsaRefinementNode refinement |
+      this = DataFlow::ssaDefinitionNode(refinement) and
+      refinement.getGuard() = guard and
+      guard.getTest() instanceof VarAccess and
+      guard.getOutcome() = false
+    )
+  }
+}
--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@ -89,7 +89,8 @@ module TaintTracking {

    final override predicate isBarrier(DataFlow::Node node) {
      super.isBarrier(node) or
-      isSanitizer(node)
+      isSanitizer(node) or
+      node instanceof DataFlow::VarAccessBarrier
    }

    final override predicate isBarrierEdge(DataFlow::Node source, DataFlow::Node sink) {
--- a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
@ -355,6 +355,11 @@ module TaintedPath {
    }
  }

+  /**
+   * A guard node for a variable in a negative condition, such as `x` in `if(!x)`.
+   */
+  private class VarAccessBarrier extends Sanitizer, DataFlow::VarAccessBarrier { }
+
  /**
   * A source of remote user input, considered as a flow source for
   * tainted-path vulnerabilities.
--- a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
+++ b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@ -79,6 +79,8 @@ typeInferenceMismatch
 | sanitizer-guards.js:43:11:43:18 | source() | sanitizer-guards.js:45:8:45:8 | x |
 | sanitizer-guards.js:43:11:43:18 | source() | sanitizer-guards.js:48:10:48:10 | x |
 | sanitizer-guards.js:68:11:68:18 | source() | sanitizer-guards.js:75:8:75:8 | x |
+| sanitizer-guards.js:79:11:79:18 | source() | sanitizer-guards.js:81:8:81:8 | x |
+| sanitizer-guards.js:79:11:79:18 | source() | sanitizer-guards.js:84:10:84:10 | x |
 | spread.js:2:15:2:22 | source() | spread.js:4:8:4:19 | { ...taint } |
 | spread.js:2:15:2:22 | source() | spread.js:5:8:5:43 | { f: 'h ... orld' } |
 | spread.js:2:15:2:22 | source() | spread.js:7:8:7:19 | [ ...taint ] |
--- a/javascript/ql/test/library-tests/TaintTracking/DataFlowTracking.expected
+++ b/javascript/ql/test/library-tests/TaintTracking/DataFlowTracking.expected
@ -54,6 +54,9 @@
 | sanitizer-guards.js:43:11:43:18 | source() | sanitizer-guards.js:48:10:48:10 | x |
 | sanitizer-guards.js:43:11:43:18 | source() | sanitizer-guards.js:52:10:52:10 | x |
 | sanitizer-guards.js:68:11:68:18 | source() | sanitizer-guards.js:75:8:75:8 | x |
+| sanitizer-guards.js:79:11:79:18 | source() | sanitizer-guards.js:81:8:81:8 | x |
+| sanitizer-guards.js:79:11:79:18 | source() | sanitizer-guards.js:84:10:84:10 | x |
+| sanitizer-guards.js:79:11:79:18 | source() | sanitizer-guards.js:86:7:86:7 | x |
 | thisAssignments.js:4:17:4:24 | source() | thisAssignments.js:5:10:5:18 | obj.field |
 | thisAssignments.js:7:19:7:26 | source() | thisAssignments.js:8:10:8:20 | this.field2 |
 | tst.js:2:13:2:20 | source() | tst.js:4:10:4:10 | x |
--- a/javascript/ql/test/library-tests/TaintTracking/sanitizer-guards.js
+++ b/javascript/ql/test/library-tests/TaintTracking/sanitizer-guards.js
@ -74,3 +74,15 @@ function phi2() {
  }
  sink(x); // NOT OK
 }
+
+function falsy() {
+  let x = source();
+  
+  sink(x); // NOT OK
+  
+  if (x) {
+    sink(x); // OK (for taint-tracking)
+  } else {
+	sink(x); // NOT OK
+  }
+}
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
@ -801,92 +801,92 @@ nodes
 | TaintedPath.js:112:45:112:52 | realpath |
 | TaintedPath.js:112:45:112:52 | realpath |
 | TaintedPath.js:112:45:112:52 | realpath |
-| TaintedPath.js:119:6:119:47 | path |
-| TaintedPath.js:119:6:119:47 | path |
-| TaintedPath.js:119:6:119:47 | path |
-| TaintedPath.js:119:6:119:47 | path |
-| TaintedPath.js:119:6:119:47 | path |
-| TaintedPath.js:119:6:119:47 | path |
-| TaintedPath.js:119:6:119:47 | path |
-| TaintedPath.js:119:6:119:47 | path |
-| TaintedPath.js:119:6:119:47 | path |
-| TaintedPath.js:119:6:119:47 | path |
-| TaintedPath.js:119:6:119:47 | path |
-| TaintedPath.js:119:6:119:47 | path |
-| TaintedPath.js:119:6:119:47 | path |
-| TaintedPath.js:119:6:119:47 | path |
-| TaintedPath.js:119:6:119:47 | path |
-| TaintedPath.js:119:6:119:47 | path |
-| TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:13:119:42 | url.par ... ).query |
-| TaintedPath.js:119:13:119:42 | url.par ... ).query |
-| TaintedPath.js:119:13:119:42 | url.par ... ).query |
-| TaintedPath.js:119:13:119:42 | url.par ... ).query |
-| TaintedPath.js:119:13:119:42 | url.par ... ).query |
-| TaintedPath.js:119:13:119:42 | url.par ... ).query |
-| TaintedPath.js:119:13:119:42 | url.par ... ).query |
-| TaintedPath.js:119:13:119:42 | url.par ... ).query |
-| TaintedPath.js:119:13:119:42 | url.par ... ).query |
-| TaintedPath.js:119:13:119:42 | url.par ... ).query |
-| TaintedPath.js:119:13:119:42 | url.par ... ).query |
-| TaintedPath.js:119:13:119:42 | url.par ... ).query |
-| TaintedPath.js:119:13:119:42 | url.par ... ).query |
-| TaintedPath.js:119:13:119:42 | url.par ... ).query |
-| TaintedPath.js:119:13:119:42 | url.par ... ).query |
-| TaintedPath.js:119:13:119:42 | url.par ... ).query |
-| TaintedPath.js:119:13:119:47 | url.par ... ry.path |
-| TaintedPath.js:119:13:119:47 | url.par ... ry.path |
-| TaintedPath.js:119:13:119:47 | url.par ... ry.path |
-| TaintedPath.js:119:13:119:47 | url.par ... ry.path |
-| TaintedPath.js:119:13:119:47 | url.par ... ry.path |
-| TaintedPath.js:119:13:119:47 | url.par ... ry.path |
-| TaintedPath.js:119:13:119:47 | url.par ... ry.path |
-| TaintedPath.js:119:13:119:47 | url.par ... ry.path |
-| TaintedPath.js:119:13:119:47 | url.par ... ry.path |
-| TaintedPath.js:119:13:119:47 | url.par ... ry.path |
-| TaintedPath.js:119:13:119:47 | url.par ... ry.path |
-| TaintedPath.js:119:13:119:47 | url.par ... ry.path |
-| TaintedPath.js:119:13:119:47 | url.par ... ry.path |
-| TaintedPath.js:119:13:119:47 | url.par ... ry.path |
-| TaintedPath.js:119:13:119:47 | url.par ... ry.path |
-| TaintedPath.js:119:13:119:47 | url.par ... ry.path |
-| TaintedPath.js:119:23:119:29 | req.url |
-| TaintedPath.js:119:23:119:29 | req.url |
-| TaintedPath.js:119:23:119:29 | req.url |
-| TaintedPath.js:119:23:119:29 | req.url |
-| TaintedPath.js:119:23:119:29 | req.url |
-| TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:121:23:121:26 | path |
+| TaintedPath.js:143:6:143:47 | path |
+| TaintedPath.js:143:6:143:47 | path |
+| TaintedPath.js:143:6:143:47 | path |
+| TaintedPath.js:143:6:143:47 | path |
+| TaintedPath.js:143:6:143:47 | path |
+| TaintedPath.js:143:6:143:47 | path |
+| TaintedPath.js:143:6:143:47 | path |
+| TaintedPath.js:143:6:143:47 | path |
+| TaintedPath.js:143:6:143:47 | path |
+| TaintedPath.js:143:6:143:47 | path |
+| TaintedPath.js:143:6:143:47 | path |
+| TaintedPath.js:143:6:143:47 | path |
+| TaintedPath.js:143:6:143:47 | path |
+| TaintedPath.js:143:6:143:47 | path |
+| TaintedPath.js:143:6:143:47 | path |
+| TaintedPath.js:143:6:143:47 | path |
+| TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:13:143:42 | url.par ... ).query |
+| TaintedPath.js:143:13:143:42 | url.par ... ).query |
+| TaintedPath.js:143:13:143:42 | url.par ... ).query |
+| TaintedPath.js:143:13:143:42 | url.par ... ).query |
+| TaintedPath.js:143:13:143:42 | url.par ... ).query |
+| TaintedPath.js:143:13:143:42 | url.par ... ).query |
+| TaintedPath.js:143:13:143:42 | url.par ... ).query |
+| TaintedPath.js:143:13:143:42 | url.par ... ).query |
+| TaintedPath.js:143:13:143:42 | url.par ... ).query |
+| TaintedPath.js:143:13:143:42 | url.par ... ).query |
+| TaintedPath.js:143:13:143:42 | url.par ... ).query |
+| TaintedPath.js:143:13:143:42 | url.par ... ).query |
+| TaintedPath.js:143:13:143:42 | url.par ... ).query |
+| TaintedPath.js:143:13:143:42 | url.par ... ).query |
+| TaintedPath.js:143:13:143:42 | url.par ... ).query |
+| TaintedPath.js:143:13:143:42 | url.par ... ).query |
+| TaintedPath.js:143:13:143:47 | url.par ... ry.path |
+| TaintedPath.js:143:13:143:47 | url.par ... ry.path |
+| TaintedPath.js:143:13:143:47 | url.par ... ry.path |
+| TaintedPath.js:143:13:143:47 | url.par ... ry.path |
+| TaintedPath.js:143:13:143:47 | url.par ... ry.path |
+| TaintedPath.js:143:13:143:47 | url.par ... ry.path |
+| TaintedPath.js:143:13:143:47 | url.par ... ry.path |
+| TaintedPath.js:143:13:143:47 | url.par ... ry.path |
+| TaintedPath.js:143:13:143:47 | url.par ... ry.path |
+| TaintedPath.js:143:13:143:47 | url.par ... ry.path |
+| TaintedPath.js:143:13:143:47 | url.par ... ry.path |
+| TaintedPath.js:143:13:143:47 | url.par ... ry.path |
+| TaintedPath.js:143:13:143:47 | url.par ... ry.path |
+| TaintedPath.js:143:13:143:47 | url.par ... ry.path |
+| TaintedPath.js:143:13:143:47 | url.par ... ry.path |
+| TaintedPath.js:143:13:143:47 | url.par ... ry.path |
+| TaintedPath.js:143:23:143:29 | req.url |
+| TaintedPath.js:143:23:143:29 | req.url |
+| TaintedPath.js:143:23:143:29 | req.url |
+| TaintedPath.js:143:23:143:29 | req.url |
+| TaintedPath.js:143:23:143:29 | req.url |
+| TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:145:23:145:26 | path |
 | normalizedPaths.js:11:7:11:27 | path |
 | normalizedPaths.js:11:7:11:27 | path |
 | normalizedPaths.js:11:7:11:27 | path |
@ -3082,118 +3082,118 @@ edges
 | TaintedPath.js:111:32:111:39 | realpath | TaintedPath.js:112:45:112:52 | realpath |
 | TaintedPath.js:111:32:111:39 | realpath | TaintedPath.js:112:45:112:52 | realpath |
 | TaintedPath.js:111:32:111:39 | realpath | TaintedPath.js:112:45:112:52 | realpath |
-| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:119:6:119:47 | path | TaintedPath.js:121:23:121:26 | path |
-| TaintedPath.js:119:13:119:36 | url.par ... , true) | TaintedPath.js:119:13:119:42 | url.par ... ).query |
-| TaintedPath.js:119:13:119:36 | url.par ... , true) | TaintedPath.js:119:13:119:42 | url.par ... ).query |
-| TaintedPath.js:119:13:119:36 | url.par ... , true) | TaintedPath.js:119:13:119:42 | url.par ... ).query |
-| TaintedPath.js:119:13:119:36 | url.par ... , true) | TaintedPath.js:119:13:119:42 | url.par ... ).query |
-| TaintedPath.js:119:13:119:36 | url.par ... , true) | TaintedPath.js:119:13:119:42 | url.par ... ).query |
-| TaintedPath.js:119:13:119:36 | url.par ... , true) | TaintedPath.js:119:13:119:42 | url.par ... ).query |
-| TaintedPath.js:119:13:119:36 | url.par ... , true) | TaintedPath.js:119:13:119:42 | url.par ... ).query |
-| TaintedPath.js:119:13:119:36 | url.par ... , true) | TaintedPath.js:119:13:119:42 | url.par ... ).query |
-| TaintedPath.js:119:13:119:36 | url.par ... , true) | TaintedPath.js:119:13:119:42 | url.par ... ).query |
-| TaintedPath.js:119:13:119:36 | url.par ... , true) | TaintedPath.js:119:13:119:42 | url.par ... ).query |
-| TaintedPath.js:119:13:119:36 | url.par ... , true) | TaintedPath.js:119:13:119:42 | url.par ... ).query |
-| TaintedPath.js:119:13:119:36 | url.par ... , true) | TaintedPath.js:119:13:119:42 | url.par ... ).query |
-| TaintedPath.js:119:13:119:36 | url.par ... , true) | TaintedPath.js:119:13:119:42 | url.par ... ).query |
-| TaintedPath.js:119:13:119:36 | url.par ... , true) | TaintedPath.js:119:13:119:42 | url.par ... ).query |
-| TaintedPath.js:119:13:119:36 | url.par ... , true) | TaintedPath.js:119:13:119:42 | url.par ... ).query |
-| TaintedPath.js:119:13:119:36 | url.par ... , true) | TaintedPath.js:119:13:119:42 | url.par ... ).query |
-| TaintedPath.js:119:13:119:42 | url.par ... ).query | TaintedPath.js:119:13:119:47 | url.par ... ry.path |
-| TaintedPath.js:119:13:119:42 | url.par ... ).query | TaintedPath.js:119:13:119:47 | url.par ... ry.path |
-| TaintedPath.js:119:13:119:42 | url.par ... ).query | TaintedPath.js:119:13:119:47 | url.par ... ry.path |
-| TaintedPath.js:119:13:119:42 | url.par ... ).query | TaintedPath.js:119:13:119:47 | url.par ... ry.path |
-| TaintedPath.js:119:13:119:42 | url.par ... ).query | TaintedPath.js:119:13:119:47 | url.par ... ry.path |
-| TaintedPath.js:119:13:119:42 | url.par ... ).query | TaintedPath.js:119:13:119:47 | url.par ... ry.path |
-| TaintedPath.js:119:13:119:42 | url.par ... ).query | TaintedPath.js:119:13:119:47 | url.par ... ry.path |
-| TaintedPath.js:119:13:119:42 | url.par ... ).query | TaintedPath.js:119:13:119:47 | url.par ... ry.path |
-| TaintedPath.js:119:13:119:42 | url.par ... ).query | TaintedPath.js:119:13:119:47 | url.par ... ry.path |
-| TaintedPath.js:119:13:119:42 | url.par ... ).query | TaintedPath.js:119:13:119:47 | url.par ... ry.path |
-| TaintedPath.js:119:13:119:42 | url.par ... ).query | TaintedPath.js:119:13:119:47 | url.par ... ry.path |
-| TaintedPath.js:119:13:119:42 | url.par ... ).query | TaintedPath.js:119:13:119:47 | url.par ... ry.path |
-| TaintedPath.js:119:13:119:42 | url.par ... ).query | TaintedPath.js:119:13:119:47 | url.par ... ry.path |
-| TaintedPath.js:119:13:119:42 | url.par ... ).query | TaintedPath.js:119:13:119:47 | url.par ... ry.path |
-| TaintedPath.js:119:13:119:42 | url.par ... ).query | TaintedPath.js:119:13:119:47 | url.par ... ry.path |
-| TaintedPath.js:119:13:119:42 | url.par ... ).query | TaintedPath.js:119:13:119:47 | url.par ... ry.path |
-| TaintedPath.js:119:13:119:47 | url.par ... ry.path | TaintedPath.js:119:6:119:47 | path |
-| TaintedPath.js:119:13:119:47 | url.par ... ry.path | TaintedPath.js:119:6:119:47 | path |
-| TaintedPath.js:119:13:119:47 | url.par ... ry.path | TaintedPath.js:119:6:119:47 | path |
-| TaintedPath.js:119:13:119:47 | url.par ... ry.path | TaintedPath.js:119:6:119:47 | path |
-| TaintedPath.js:119:13:119:47 | url.par ... ry.path | TaintedPath.js:119:6:119:47 | path |
-| TaintedPath.js:119:13:119:47 | url.par ... ry.path | TaintedPath.js:119:6:119:47 | path |
-| TaintedPath.js:119:13:119:47 | url.par ... ry.path | TaintedPath.js:119:6:119:47 | path |
-| TaintedPath.js:119:13:119:47 | url.par ... ry.path | TaintedPath.js:119:6:119:47 | path |
-| TaintedPath.js:119:13:119:47 | url.par ... ry.path | TaintedPath.js:119:6:119:47 | path |
-| TaintedPath.js:119:13:119:47 | url.par ... ry.path | TaintedPath.js:119:6:119:47 | path |
-| TaintedPath.js:119:13:119:47 | url.par ... ry.path | TaintedPath.js:119:6:119:47 | path |
-| TaintedPath.js:119:13:119:47 | url.par ... ry.path | TaintedPath.js:119:6:119:47 | path |
-| TaintedPath.js:119:13:119:47 | url.par ... ry.path | TaintedPath.js:119:6:119:47 | path |
-| TaintedPath.js:119:13:119:47 | url.par ... ry.path | TaintedPath.js:119:6:119:47 | path |
-| TaintedPath.js:119:13:119:47 | url.par ... ry.path | TaintedPath.js:119:6:119:47 | path |
-| TaintedPath.js:119:13:119:47 | url.par ... ry.path | TaintedPath.js:119:6:119:47 | path |
-| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
-| TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:119:13:119:36 | url.par ... , true) |
+| TaintedPath.js:143:6:143:47 | path | TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:143:6:143:47 | path | TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:143:6:143:47 | path | TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:143:6:143:47 | path | TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:143:6:143:47 | path | TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:143:6:143:47 | path | TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:143:6:143:47 | path | TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:143:6:143:47 | path | TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:143:6:143:47 | path | TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:143:6:143:47 | path | TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:143:6:143:47 | path | TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:143:6:143:47 | path | TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:143:6:143:47 | path | TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:143:6:143:47 | path | TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:143:6:143:47 | path | TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:143:6:143:47 | path | TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:143:6:143:47 | path | TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:143:6:143:47 | path | TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:143:6:143:47 | path | TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:143:6:143:47 | path | TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:143:6:143:47 | path | TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:143:6:143:47 | path | TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:143:6:143:47 | path | TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:143:6:143:47 | path | TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:143:6:143:47 | path | TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:143:6:143:47 | path | TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:143:6:143:47 | path | TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:143:6:143:47 | path | TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:143:6:143:47 | path | TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:143:6:143:47 | path | TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:143:6:143:47 | path | TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:143:6:143:47 | path | TaintedPath.js:145:23:145:26 | path |
+| TaintedPath.js:143:13:143:36 | url.par ... , true) | TaintedPath.js:143:13:143:42 | url.par ... ).query |
+| TaintedPath.js:143:13:143:36 | url.par ... , true) | TaintedPath.js:143:13:143:42 | url.par ... ).query |
+| TaintedPath.js:143:13:143:36 | url.par ... , true) | TaintedPath.js:143:13:143:42 | url.par ... ).query |
+| TaintedPath.js:143:13:143:36 | url.par ... , true) | TaintedPath.js:143:13:143:42 | url.par ... ).query |
+| TaintedPath.js:143:13:143:36 | url.par ... , true) | TaintedPath.js:143:13:143:42 | url.par ... ).query |
+| TaintedPath.js:143:13:143:36 | url.par ... , true) | TaintedPath.js:143:13:143:42 | url.par ... ).query |
+| TaintedPath.js:143:13:143:36 | url.par ... , true) | TaintedPath.js:143:13:143:42 | url.par ... ).query |
+| TaintedPath.js:143:13:143:36 | url.par ... , true) | TaintedPath.js:143:13:143:42 | url.par ... ).query |
+| TaintedPath.js:143:13:143:36 | url.par ... , true) | TaintedPath.js:143:13:143:42 | url.par ... ).query |
+| TaintedPath.js:143:13:143:36 | url.par ... , true) | TaintedPath.js:143:13:143:42 | url.par ... ).query |
+| TaintedPath.js:143:13:143:36 | url.par ... , true) | TaintedPath.js:143:13:143:42 | url.par ... ).query |
+| TaintedPath.js:143:13:143:36 | url.par ... , true) | TaintedPath.js:143:13:143:42 | url.par ... ).query |
+| TaintedPath.js:143:13:143:36 | url.par ... , true) | TaintedPath.js:143:13:143:42 | url.par ... ).query |
+| TaintedPath.js:143:13:143:36 | url.par ... , true) | TaintedPath.js:143:13:143:42 | url.par ... ).query |
+| TaintedPath.js:143:13:143:36 | url.par ... , true) | TaintedPath.js:143:13:143:42 | url.par ... ).query |
+| TaintedPath.js:143:13:143:36 | url.par ... , true) | TaintedPath.js:143:13:143:42 | url.par ... ).query |
+| TaintedPath.js:143:13:143:42 | url.par ... ).query | TaintedPath.js:143:13:143:47 | url.par ... ry.path |
+| TaintedPath.js:143:13:143:42 | url.par ... ).query | TaintedPath.js:143:13:143:47 | url.par ... ry.path |
+| TaintedPath.js:143:13:143:42 | url.par ... ).query | TaintedPath.js:143:13:143:47 | url.par ... ry.path |
+| TaintedPath.js:143:13:143:42 | url.par ... ).query | TaintedPath.js:143:13:143:47 | url.par ... ry.path |
+| TaintedPath.js:143:13:143:42 | url.par ... ).query | TaintedPath.js:143:13:143:47 | url.par ... ry.path |
+| TaintedPath.js:143:13:143:42 | url.par ... ).query | TaintedPath.js:143:13:143:47 | url.par ... ry.path |
+| TaintedPath.js:143:13:143:42 | url.par ... ).query | TaintedPath.js:143:13:143:47 | url.par ... ry.path |
+| TaintedPath.js:143:13:143:42 | url.par ... ).query | TaintedPath.js:143:13:143:47 | url.par ... ry.path |
+| TaintedPath.js:143:13:143:42 | url.par ... ).query | TaintedPath.js:143:13:143:47 | url.par ... ry.path |
+| TaintedPath.js:143:13:143:42 | url.par ... ).query | TaintedPath.js:143:13:143:47 | url.par ... ry.path |
+| TaintedPath.js:143:13:143:42 | url.par ... ).query | TaintedPath.js:143:13:143:47 | url.par ... ry.path |
+| TaintedPath.js:143:13:143:42 | url.par ... ).query | TaintedPath.js:143:13:143:47 | url.par ... ry.path |
+| TaintedPath.js:143:13:143:42 | url.par ... ).query | TaintedPath.js:143:13:143:47 | url.par ... ry.path |
+| TaintedPath.js:143:13:143:42 | url.par ... ).query | TaintedPath.js:143:13:143:47 | url.par ... ry.path |
+| TaintedPath.js:143:13:143:42 | url.par ... ).query | TaintedPath.js:143:13:143:47 | url.par ... ry.path |
+| TaintedPath.js:143:13:143:42 | url.par ... ).query | TaintedPath.js:143:13:143:47 | url.par ... ry.path |
+| TaintedPath.js:143:13:143:47 | url.par ... ry.path | TaintedPath.js:143:6:143:47 | path |
+| TaintedPath.js:143:13:143:47 | url.par ... ry.path | TaintedPath.js:143:6:143:47 | path |
+| TaintedPath.js:143:13:143:47 | url.par ... ry.path | TaintedPath.js:143:6:143:47 | path |
+| TaintedPath.js:143:13:143:47 | url.par ... ry.path | TaintedPath.js:143:6:143:47 | path |
+| TaintedPath.js:143:13:143:47 | url.par ... ry.path | TaintedPath.js:143:6:143:47 | path |
+| TaintedPath.js:143:13:143:47 | url.par ... ry.path | TaintedPath.js:143:6:143:47 | path |
+| TaintedPath.js:143:13:143:47 | url.par ... ry.path | TaintedPath.js:143:6:143:47 | path |
+| TaintedPath.js:143:13:143:47 | url.par ... ry.path | TaintedPath.js:143:6:143:47 | path |
+| TaintedPath.js:143:13:143:47 | url.par ... ry.path | TaintedPath.js:143:6:143:47 | path |
+| TaintedPath.js:143:13:143:47 | url.par ... ry.path | TaintedPath.js:143:6:143:47 | path |
+| TaintedPath.js:143:13:143:47 | url.par ... ry.path | TaintedPath.js:143:6:143:47 | path |
+| TaintedPath.js:143:13:143:47 | url.par ... ry.path | TaintedPath.js:143:6:143:47 | path |
+| TaintedPath.js:143:13:143:47 | url.par ... ry.path | TaintedPath.js:143:6:143:47 | path |
+| TaintedPath.js:143:13:143:47 | url.par ... ry.path | TaintedPath.js:143:6:143:47 | path |
+| TaintedPath.js:143:13:143:47 | url.par ... ry.path | TaintedPath.js:143:6:143:47 | path |
+| TaintedPath.js:143:13:143:47 | url.par ... ry.path | TaintedPath.js:143:6:143:47 | path |
+| TaintedPath.js:143:23:143:29 | req.url | TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:23:143:29 | req.url | TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:23:143:29 | req.url | TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:23:143:29 | req.url | TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:23:143:29 | req.url | TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:23:143:29 | req.url | TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:23:143:29 | req.url | TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:23:143:29 | req.url | TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:23:143:29 | req.url | TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:23:143:29 | req.url | TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:23:143:29 | req.url | TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:23:143:29 | req.url | TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:23:143:29 | req.url | TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:23:143:29 | req.url | TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:23:143:29 | req.url | TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:23:143:29 | req.url | TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:23:143:29 | req.url | TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:23:143:29 | req.url | TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:23:143:29 | req.url | TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:23:143:29 | req.url | TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:23:143:29 | req.url | TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:23:143:29 | req.url | TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:23:143:29 | req.url | TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:23:143:29 | req.url | TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:23:143:29 | req.url | TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:23:143:29 | req.url | TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:23:143:29 | req.url | TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:23:143:29 | req.url | TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:23:143:29 | req.url | TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:23:143:29 | req.url | TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:23:143:29 | req.url | TaintedPath.js:143:13:143:36 | url.par ... , true) |
+| TaintedPath.js:143:23:143:29 | req.url | TaintedPath.js:143:13:143:36 | url.par ... , true) |
 | normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:13:19:13:22 | path |
 | normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:13:19:13:22 | path |
 | normalizedPaths.js:11:7:11:27 | path | normalizedPaths.js:13:19:13:22 | path |
@ -4369,7 +4369,7 @@ edges
 | TaintedPath.js:94:48:94:60 | req.params[0] | TaintedPath.js:94:48:94:60 | req.params[0] | TaintedPath.js:94:48:94:60 | req.params[0] | This path depends on $@. | TaintedPath.js:94:48:94:60 | req.params[0] | a user-provided value |
 | TaintedPath.js:109:28:109:48 | fs.real ... c(path) | TaintedPath.js:107:23:107:29 | req.url | TaintedPath.js:109:28:109:48 | fs.real ... c(path) | This path depends on $@. | TaintedPath.js:107:23:107:29 | req.url | a user-provided value |
 | TaintedPath.js:112:45:112:52 | realpath | TaintedPath.js:107:23:107:29 | req.url | TaintedPath.js:112:45:112:52 | realpath | This path depends on $@. | TaintedPath.js:107:23:107:29 | req.url | a user-provided value |
-| TaintedPath.js:121:23:121:26 | path | TaintedPath.js:119:23:119:29 | req.url | TaintedPath.js:121:23:121:26 | path | This path depends on $@. | TaintedPath.js:119:23:119:29 | req.url | a user-provided value |
+| TaintedPath.js:145:23:145:26 | path | TaintedPath.js:143:23:143:29 | req.url | TaintedPath.js:145:23:145:26 | path | This path depends on $@. | TaintedPath.js:143:23:143:29 | req.url | a user-provided value |
 | normalizedPaths.js:13:19:13:22 | path | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:13:19:13:22 | path | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value |
 | normalizedPaths.js:14:19:14:29 | './' + path | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:14:19:14:29 | './' + path | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value |
 | normalizedPaths.js:15:19:15:38 | path + '/index.html' | normalizedPaths.js:11:14:11:27 | req.query.path | normalizedPaths.js:15:19:15:38 | path + '/index.html' | This path depends on $@. | normalizedPaths.js:11:14:11:27 | req.query.path | a user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js
@ -115,9 +115,32 @@ var server = http.createServer(function(req, res) {

 });

+var server = http.createServer(function(req, res) {
+  let path = url.parse(req.url, true).query.path;
+  
+  if (path) { // sanitization
+    path = path.replace(/[\]\[*,;'"`<>\\?\/]/g, ''); // remove all invalid characters from states plus slashes
+    path = path.replace(/\.\./g, ''); // remove all ".."
+  }
+  
+  res.write(fs.readFileSync(path));  // OK. Is sanitized above.
+});
+
+var server = http.createServer(function(req, res) {
+  let path = url.parse(req.url, true).query.path;
+  
+  if (!path) {
+    
+  } else { // sanitization
+	  path = path.replace(/[\]\[*,;'"`<>\\?\/]/g, ''); // remove all invalid characters from states plus slashes
+    path = path.replace(/\.\./g, ''); // remove all ".."
+  }
+  
+  res.write(fs.readFileSync(path));  // OK. Is sanitized above.
+});
+
 var server = http.createServer(function(req, res) {
 	let path = url.parse(req.url, true).query.path;

 	require('send')(req, path); // NOT OK
-
 });