codeql/javascript/ql/test/library-tests/TripleDot/underscore.string.js at d8e6d76b0e821d008a0f894f72e28750defb97cb · Napalys/codeql · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
var s = require("underscore.string");

function strToStr() {
  sink(s.slugify(source("s1"))); // $ hasTaintFlow=s1
  sink(s.capitalize(source("s2"))); // $ hasTaintFlow=s2
  sink(s.decapitalize(source("s3"))); // $ hasTaintFlow=s3
  sink(s.clean(source("s4"))); // $ hasTaintFlow=s4
  sink(s.cleanDiacritics(source("s5"))); // $ hasTaintFlow=s5
  sink(s.swapCase(source("s6"))); // $ hasTaintFlow=s6
  sink(s.escapeHTML(source("s7"))); // $ hasTaintFlow=s7
  sink(s.unescapeHTML(source("s8"))); // $ hasTaintFlow=s8
  sink(s.wrap(source("s9"), {})); // $ hasTaintFlow=s9
  sink(s.dedent(source("s10"), "  ")); // $ hasTaintFlow=s10
  sink(s.reverse(source("s11"))); // $ hasTaintFlow=s11 SPURIOUS: hasTaintFlow=s8
  sink(s.pred(source("s12"))); // $ hasTaintFlow=s12
  sink(s.succ(source("s13"))); // $ hasTaintFlow=s13
  sink(s.titleize(source("s14"))); // $ hasTaintFlow=s14
  sink(s.camelize(source("s15"))); // $ hasTaintFlow=s15
  sink(s.classify(source("s16"))); // $ hasTaintFlow=s16
  sink(s.underscored(source("s17"))); // $ hasTaintFlow=s17
  sink(s.dasherize(source("s18"))); // $ hasTaintFlow=s18
  sink(s.humanize(source("s19"))); // $ hasTaintFlow=s19
  sink(s.trim(source("s20"),"charsToStrim")); // $ hasTaintFlow=s20
  sink(s.ltrim(source("s21"),"charsToStrim")); // $ hasTaintFlow=s21
  sink(s.rtrim(source("s22"),"charsToStrim")); // $ hasTaintFlow=s22
  sink(s.truncate(source("s23"), 10)); // $ hasTaintFlow=s23
  sink(s.sprintf(source("s24"), 1.17)); // $ hasTaintFlow=s24
  sink(s.strRight(source("s25"), "pattern")); // $ hasTaintFlow=s25
  sink(s.strRightBack(source("s26"), "pattern")); // $ hasTaintFlow=s26
  sink(s.strLeft(source("s27"), "pattern")); // $ hasTaintFlow=s27
  sink(s.strLeftBack(source("s28"), "pattern")); // $ hasTaintFlow=s28
  sink(s.stripTags(source("s29"))); // $ hasTaintFlow=s29
  sink(s.unquote(source("s30"), "quote")); // $ hasTaintFlow=s30
  sink(s.map(source("s31"), (x) => {return x;})); // $ hasTaintFlow=s31
  sink(s.strip(source("s32"),"charsToStrim")); // $ hasTaintFlow=s32
  sink(s.lstrip(source("s33"),"charsToStrim")); // $ hasTaintFlow=s33
  sink(s.rstrip(source("s34"),"charsToStrim")); // $ hasTaintFlow=s34
  sink(s.camelcase(source("s35"))); // $ hasTaintFlow=s35
}

function strToArray() {
  sink(s.chop(source("s1"), 3)[0]); // $ hasTaintFlow=s1
  sink(s.chars(source("s2")[0])); // $ hasTaintFlow=s2
  sink(s.words(source("s3")[0])); // $ hasTaintFlow=s3
  sink(s.lines(source("s7")[0])); // $ hasTaintFlow=s7
}

function arrayToStr() {
  sink(s.toSentence([source("s1")])); // $ hasTaintFlow=s1
  sink(s.toSentenceSerial([source("s2")])); // $ hasTaintFlow=s2
}

function multiSource() {
  sink(s.insert("str", 4, source("s1"))); // $ hasTaintFlow=s1
  sink(s.insert(source("s2"), 4, "")); // $ hasTaintFlow=s2

  sink(s.replaceAll("astr", "a", source("s3"))); // $ hasTaintFlow=s3
  sink(s.replaceAll(source("s4"), "a", "")); // $ hasTaintFlow=s4

  sink(s.join(",", source("s5"), "str")); // $ hasTaintFlow=s5
  sink(s.join(",", "str", source("s6"))); // $ hasTaintFlow=s6

  sink(s.splice(source("s7"), 1, 2, "str")); // $ hasTaintFlow=s7 SPURIOUS: hasTaintFlow=s8
  sink(s.splice("str", 1, 2, source("s8"))); // $ hasTaintFlow=s8

  sink(s.prune(source("s9"), 1, "additional")); // $ hasTaintFlow=s9
  sink(s.prune("base", 1, source("s10"))); // $ hasTaintFlow=s10

  sink(s.pad(source("s11"), 10, "charsToPad", "right")); // $ hasTaintFlow=s11
  sink(s.pad("base", 10, source("s12"), "right")); // $ hasTaintFlow=s12

  sink(s.lpad(source("s13"), 10, "charsToPad")); // $ hasTaintFlow=s13
  sink(s.lpad("base", 10, source("s14"))); // $ hasTaintFlow=s14

  sink(s.rpad(source("s15"), 10, "charsToPad")); // $ hasTaintFlow=s15
  sink(s.rpad("base", 10, source("s16"))); // $ hasTaintFlow=s16

  sink(s.repeat(source("s17"), 3, "seperator")); // $ hasTaintFlow=s17
  sink(s.repeat("base", 3, source("s18"))); // $ hasTaintFlow=s18

  sink(s.surround(source("s19"), "wrap")); // $ hasTaintFlow=s19
  sink(s.surround("base", source("s20"))); // $ hasTaintFlow=s20

  sink(s.quote(source("s21"), "quote")); // $ hasTaintFlow=s21
  sink(s.quote("base", source("s22"))); // $ hasTaintFlow=s22

  sink(s.q(source("s23"), "quote")); // $ hasTaintFlow=s23
  sink(s.q("base", source("s24"))); // $ hasTaintFlow=s24

  sink(s.rjust(source("s25"), 10, "charsToPad")); // $ hasTaintFlow=s25
  sink(s.rjust("base", 10, source("s26"))); // $ hasTaintFlow=s26

  sink(s.ljust(source("s27"), 10, "charsToPad")); // $ hasTaintFlow=s27
  sink(s.ljust("base", 10, source("s28"))); // $ hasTaintFlow=s28
}

function chaining() {
  sink(s(source("s1"))
      .slugify().capitalize().decapitalize().clean().cleanDiacritics()
      .swapCase().escapeHTML().unescapeHTML().wrap().dedent()
      .reverse().pred().succ().titleize().camelize().classify()
      .underscored().dasherize().humanize().trim().ltrim().rtrim()
      .truncate().sprintf().strRight().strRightBack()
      .strLeft().strLeftBack().stripTags().unquote().value()); // $ hasTaintFlow=s1

  sink(s(source("s2"))
      .insert(4, source("s3")).replaceAll("a", source("s4"))
      .join(",", source("s5")).splice(1, 2, source("s6"))
      .prune(1, source("s7")).pad(10, source("s8"), "right")
      .lpad(10, source("s9")).rpad(10, source("s10"))
      .repeat(3, source("s11")).surround(source("s12"))
      .quote(source("s13")).value()); // $ hasTaintFlow=s2 hasTaintFlow=s3 hasTaintFlow=s4 hasTaintFlow=s5 hasTaintFlow=s6 hasTaintFlow=s7 hasTaintFlow=s8 hasTaintFlow=s9 hasTaintFlow=s10 hasTaintFlow=s11 hasTaintFlow=s12 hasTaintFlow=s13

  sink(s(source("s14")).toUpperCase().toLowerCase().replace().slice(1).substring(1).substr(1).concat(source("s15")).split()); // $ hasTaintFlow=s14 hasTaintFlow=s15

  sink(s(source("s16"))
  .strip().lstrip().rstrip().camelcase()
  .q(source("s17")).ljust(10, source("s18"))
  .rjust(10, source("s19"))); // $ hasTaintFlow=s16 hasTaintFlow=s17 hasTaintFlow=s18 hasTaintFlow=s19

  sink(s(source("s20")).tap(function(value) {
    return value + source("s21");
  }).value()); // $ hasTaintFlow=s20 hasTaintFlow=s21
}