new capacity bits (#67)

tests/fixtures/xpath_injection/javascript/baseline_constant_xpath.js

@@ -0,0 +1,12 @@
+// Baseline: expression is a compile-time constant.  No taint reaches
+// xpath.select so no XPATH_INJECTION finding fires.
+const xpath = require('xpath');
+const { DOMParser } = require('xmldom');
+
+function lookup(req, res) {
+    const doc = new DOMParser().parseFromString('<root/>');
+    const nodes = xpath.select("//user[@role='admin']", doc);
+    res.json(nodes);
+}
+
+module.exports = lookup;

tests/fixtures/xpath_injection/javascript/safe_xpath_query.js

@@ -0,0 +1,20 @@
+// Safe: user-supplied substring routed through the project-local
+// `escapeXpath` helper before concatenation.  The sanitizer clears the
+// XPATH_INJECTION cap so the sink does not fire.
+const xpath = require('xpath');
+const { DOMParser } = require('xmldom');
+
+function escapeXpath(raw) {
+    return raw.replace(/'/g, ''').replace(/"/g, '"');
+}
+
+function lookup(req, res) {
+    const doc = new DOMParser().parseFromString('<root/>');
+    const user = req.query.user;
+    const safe = escapeXpath(user);
+    const expr = "//user[name='" + safe + "']";
+    const nodes = xpath.select(expr, doc);
+    res.json(nodes);
+}
+
+module.exports = lookup;

tests/fixtures/xpath_injection/javascript/unsafe_xpath_query.js

@@ -0,0 +1,14 @@
+// Unsafe: npm `xpath` package's `select` receives an expression assembled
+// from req.query.  XPATH_INJECTION fires on the expression argument.
+const xpath = require('xpath');
+const { DOMParser } = require('xmldom');
+
+function lookup(req, res) {
+    const doc = new DOMParser().parseFromString('<root/>');
+    const user = req.query.user;
+    const expr = "//user[name='" + user + "']";
+    const nodes = xpath.select(expr, doc);
+    res.json(nodes);
+}
+
+module.exports = lookup;