JS: Reworked CWE-643 test cases

javascript/ql/test/query-tests/Security/CWE-643/XpathInjection.qlref

@@ -1 +1,2 @@
-Security/CWE-643/XpathInjection.ql
+query: Security/CWE-643/XpathInjection.ql
+postprocess: testUtilities/InlineExpectationsTestQuery.ql

javascript/ql/test/query-tests/Security/CWE-643/XpathInjectionBad.js

@@ -3,10 +3,10 @@ const xpath = require('xpath');
 const app = express();
 
 app.get('/some/route', function(req, res) {
-  let userName = req.param("userName");
+  let userName = req.param("userName"); // $ Source
 
   // BAD: Use user-provided data directly in an XPath expression
-  let badXPathExpr = xpath.parse("//users/user[login/text()='" + userName + "']/home_dir/text()");
+  let badXPathExpr = xpath.parse("//users/user[login/text()='" + userName + "']/home_dir/text()"); //  $ Alert
   badXPathExpr.select({
     node: root
   });

javascript/ql/test/query-tests/Security/CWE-643/tst.js

@@ -3,10 +3,10 @@ const xpath = require('xpath');
 const app = express();
 
 app.get('/some/route', function(req, res) {
-  let tainted = req.param("userName");
-  xpath.parse(tainted); // NOT OK
-  xpath.select(tainted); // NOT OK
-  xpath.select1(tainted); // NOT OK
+  let tainted = req.param("userName"); // $ Source
+  xpath.parse(tainted); // $ Alert
+  xpath.select(tainted); // $ Alert
+  xpath.select1(tainted); // $ Alert
   let expr = xpath.useNamespaces(map);
-  expr(tainted); // NOT OK
+  expr(tainted); // $ Alert
 });

javascript/ql/test/query-tests/Security/CWE-643/tst2.js

@@ -1,3 +1,3 @@
-let query = document.location.hash.substring(1);
-document.createExpression(query); // NOT OK
-document.evaluate(query);         // NOT OK
+let query = document.location.hash.substring(1); // $ Source
+document.createExpression(query); // $ Alert
+document.evaluate(query); // $ Alert