codeql/javascript/ql/test/library-tests/TripleDot/underscore.string.js at 891b2b8335cd2b785b987ded03d4ae37378410e2 · asgerf/codeql · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
var s = require("underscore.string");

function strToStr() {
  sink(s.slugify(source("s1"))); // $ hasTaintFlow=s1
  sink(s.capitalize(source("s2"))); // $ hasTaintFlow=s2
  sink(s.decapitalize(source("s3"))); // $ hasTaintFlow=s3
  sink(s.clean(source("s4"))); // $ hasTaintFlow=s4
  sink(s.cleanDiacritics(source("s5"))); // $ hasTaintFlow=s5
  sink(s.swapCase(source("s6"))); // $ hasTaintFlow=s6
  sink(s.escapeHTML(source("s7"))); // $ hasTaintFlow=s7
  sink(s.unescapeHTML(source("s8"))); // $ hasTaintFlow=s8
  sink(s.wrap(source("s9"), {})); // $ hasTaintFlow=s9
  sink(s.dedent(source("s10"), "  ")); // $ hasTaintFlow=s10
  sink(s.reverse(source("s11"))); // $ hasTaintFlow=s11
  sink(s.pred(source("s12"))); // $ hasTaintFlow=s12
  sink(s.succ(source("s13"))); // $ hasTaintFlow=s13
  sink(s.titleize(source("s14"))); // $ hasTaintFlow=s14
  sink(s.camelize(source("s15"))); // $ hasTaintFlow=s15
  sink(s.classify(source("s16"))); // $ hasTaintFlow=s16
  sink(s.underscored(source("s17"))); // $ hasTaintFlow=s17
  sink(s.dasherize(source("s18"))); // $ hasTaintFlow=s18
  sink(s.humanize(source("s19"))); // $ hasTaintFlow=s19
  sink(s.trim(source("s20"),"charsToStrim")); // $ hasTaintFlow=s20
  sink(s.ltrim(source("s21"),"charsToStrim")); // $ hasTaintFlow=s21
  sink(s.rtrim(source("s22"),"charsToStrim")); // $ hasTaintFlow=s22
  sink(s.truncate(source("s23"), 10)); // $ hasTaintFlow=s23
  sink(s.sprintf(source("s24"), 1.17)); // $ hasTaintFlow=s24
  sink(s.strRight(source("s25"), "pattern")); // $ hasTaintFlow=s25
  sink(s.strRightBack(source("s26"), "pattern")); // $ hasTaintFlow=s26
  sink(s.strLeft(source("s27"), "pattern")); // $ hasTaintFlow=s27
  sink(s.strLeftBack(source("s28"), "pattern")); // $ hasTaintFlow=s28
  sink(s.stripTags(source("s29"))); // $ hasTaintFlow=s29
  sink(s.unquote(source("s30"), "quote")); // $ hasTaintFlow=s30
  sink(s.map(source("s31"), (x) => {return x;})); // $ hasTaintFlow=s31
  sink(s.strip(source("s32"),"charsToStrim")); // $ hasTaintFlow=s32
  sink(s.lstrip(source("s33"),"charsToStrim")); // $ hasTaintFlow=s33
  sink(s.rstrip(source("s34"),"charsToStrim")); // $ hasTaintFlow=s34
  sink(s.camelcase(source("s35"))); // $ hasTaintFlow=s35
}

function strToArray() {
  sink(s.chop(source("s1"), 3)); // $ hasTaintFlow=s1
  sink(s.chars(source("s2"))[0]); // $ hasTaintFlow=s2
  sink(s.words(source("s3"))[0]); // $ hasTaintFlow=s3
  sink(s.lines(source("s7"))[0]); // $ hasTaintFlow=s7
  sink(s.chop(source("s1"), 3).length);
}

function arrayToStr() {
  sink(s.toSentence([source("s1")])); // $ hasTaintFlow=s1
  sink(s.toSentenceSerial([source("s2")])); // $ hasTaintFlow=s2
}

function multiSource() {
  sink(s.insert("str", 4, source("s1"))); // $ hasTaintFlow=s1
  sink(s.insert(source("s2"), 4, "")); // $ hasTaintFlow=s2

  sink(s.replaceAll("astr", "a", source("s3"))); // $ hasTaintFlow=s3
  sink(s.replaceAll(source("s4"), "a", "")); // $ hasTaintFlow=s4

  sink(s.join(",", source("s5"), "str")); // $ hasTaintFlow=s5
  sink(s.join(",", "str", source("s6"))); // $ hasTaintFlow=s6

  sink(s.splice(source("s7"), 1, 2, "str")); // $ hasTaintFlow=s7
  sink(s.splice("str", 1, 2, source("s8"))); // $ hasTaintFlow=s8

  sink(s.prune(source("s9"), 1, "additional")); // $ hasTaintFlow=s9
  sink(s.prune("base", 1, source("s10"))); // $ hasTaintFlow=s10

  sink(s.pad(source("s11"), 10, "charsToPad", "right")); // $ hasTaintFlow=s11
  sink(s.pad("base", 10, source("s12"), "right")); // $ hasTaintFlow=s12

  sink(s.lpad(source("s13"), 10, "charsToPad")); // $ hasTaintFlow=s13
  sink(s.lpad("base", 10, source("s14"))); // $ hasTaintFlow=s14

  sink(s.rpad(source("s15"), 10, "charsToPad")); // $ hasTaintFlow=s15
  sink(s.rpad("base", 10, source("s16"))); // $ hasTaintFlow=s16

  sink(s.repeat(source("s17"), 3, "seperator")); // $ hasTaintFlow=s17
  sink(s.repeat("base", 3, source("s18"))); // $ hasTaintFlow=s18

  sink(s.surround(source("s19"), "wrap")); // $ hasTaintFlow=s19
  sink(s.surround("base", source("s20"))); // $ hasTaintFlow=s20

  sink(s.quote(source("s21"), "quote")); // $ hasTaintFlow=s21
  sink(s.quote("base", source("s22"))); // $ hasTaintFlow=s22

  sink(s.q(source("s23"), "quote")); // $ hasTaintFlow=s23
  sink(s.q("base", source("s24"))); // $ hasTaintFlow=s24

  sink(s.rjust(source("s25"), 10, "charsToPad")); // $ hasTaintFlow=s25
  sink(s.rjust("base", 10, source("s26"))); // $ hasTaintFlow=s26

  sink(s.ljust(source("s27"), 10, "charsToPad")); // $ hasTaintFlow=s27
  sink(s.ljust("base", 10, source("s28"))); // $ hasTaintFlow=s28
}

function chaining() {
  sink(s(source("s1"))
      .slugify().capitalize().decapitalize().clean().cleanDiacritics()
      .swapCase().escapeHTML().unescapeHTML().wrap().dedent()
      .reverse().pred().succ().titleize().camelize().classify()
      .underscored().dasherize().humanize().trim().ltrim().rtrim()
      .truncate().sprintf().strRight().strRightBack()
      .strLeft().strLeftBack().stripTags().unquote().value()); // $ hasTaintFlow=s1

  sink(s(source("s2"))
      .insert(4, source("s3")).replaceAll("a", source("s4"))
      .join(",", source("s5")).splice(1, 2, source("s6"))
      .prune(1, source("s7")).pad(10, source("s8"), "right")
      .lpad(10, source("s9")).rpad(10, source("s10"))
      .repeat(3, source("s11")).surround(source("s12"))
      .quote(source("s13")).value()); // $ hasTaintFlow=s2 hasTaintFlow=s3 hasTaintFlow=s4 hasTaintFlow=s5 hasTaintFlow=s6 hasTaintFlow=s7 hasTaintFlow=s8 hasTaintFlow=s9 hasTaintFlow=s10 hasTaintFlow=s11 hasTaintFlow=s12 hasTaintFlow=s13

  sink(s(source("s14")).toUpperCase().toLowerCase().replace().slice(1).substring(1).substr(1).concat(source("s15")).split()); // $ hasTaintFlow=s14 hasTaintFlow=s15

  sink(s(source("s16"))
  .strip().lstrip().rstrip().camelcase()
  .q(source("s17")).ljust(10, source("s18"))
  .rjust(10, source("s19"))); // $ hasTaintFlow=s16 hasTaintFlow=s17 hasTaintFlow=s18 hasTaintFlow=s19

  sink(s(source("s20")).tap(function(value) {
    return value + source("s21");
  }).value()); // $ hasTaintFlow=s20 hasTaintFlow=s21
}

function mapTests(){
  sink(s.map(source("s1"), (x) => {return x + source("s2");})); // $ hasTaintFlow=s1 hasTaintFlow=s2
  s.map(source("s1"), (x) => { sink(x); return x;}); // $ hasTaintFlow=s1
}