Improved path traversal detection and enhanced sink classification logic

tests/benchmark/corpus/javascript/safe/safe_canonicalise_rooted_startsWith.js

@@ -0,0 +1,20 @@
+// js-safe-canonicalise-rooted: path.resolve + .startsWith with a
+// non-literal root variable (an opaque prefix-lock).  Combined with
+// path.resolve's dotdot=No proof, is_path_traversal_safe should suppress
+// the FILE_IO sink even though the canonicalised path is absolute.
+const fs = require("fs");
+const path = require("path");
+
+const UPLOAD_ROOT = path.resolve("/srv/uploads");
+
+function serveFile(req, res) {
+  const name = req.query.name;
+  const target = path.resolve(path.join(UPLOAD_ROOT, name));
+  if (!target.startsWith(UPLOAD_ROOT)) {
+    res.status(403).end();
+    return;
+  }
+  fs.readFile(target, (err, data) => res.send(data));
+}
+
+module.exports = { serveFile };

tests/benchmark/corpus/javascript/safe/safe_env_empty_fallback.js

@@ -0,0 +1,9 @@
+// Empty-string fallback on a secret-named env var is not a hardcoded
+// secret — `js.secrets.fallback_secret` must not fire on this shape.
+
+const stripeApiKey = process.env.STRIPE_API_KEY || "";
+const sendgridKey = process.env.SENDGRID_API_KEY || '';
+const sessionSecret = process.env.SESSION_SECRET || "";
+const vapidPrivateKey = process.env.VAPID_PRIVATE_KEY || "";
+
+module.exports = { stripeApiKey, sendgridKey, sessionSecret, vapidPrivateKey };