diff --git a/javascript/ql/test/query-tests/Security/CWE-117/logInjectionGood.js b/javascript/ql/test/query-tests/Security/CWE-117/logInjectionGood.js
index 92707931399c0..57b4728441f2d 100644
--- a/javascript/ql/test/query-tests/Security/CWE-117/logInjectionGood.js
+++ b/javascript/ql/test/query-tests/Security/CWE-117/logInjectionGood.js
@@ -27,3 +27,9 @@ const server = http.createServer((req, res) => {
 console.error(`[ERROR] Error: "${error}"`);
 }
 });
+
+const serverMatchAll = http.createServer((req, res) => {
+ let username = url.parse(req.url, true).query.username;
+ let otherStr = username.matchAll(/.*/g)[0]; // BAD - this is suppose to be cought by Taint Tracking, works for match but not matchAll
+ console.log(otherStr);
+});
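Review bot: `username.matchAll(/.*/g)` returns an iterator rather than an array, so the `[0]` index on the `otherStr` line evaluates to `undefined` and the sample never carries the request value into `console.log` at runtime. A taint step modelled on this exact shape would not match how real code reads `matchAll` results; `let otherStr = [...username.matchAll(/.*/g)][0];` gives a flow that actually reaches the log sink, since each element is a match array holding the user-controlled text. The case is also annotated BAD inside logInjectionGood.js, which presumably holds the sanitized examples, so it would read more clearly in the bad-case file or marked explicitly as a known missed alert. The comment could then be tightened to `// BAD - should be flagged by taint tracking; works for match but not matchAll`.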