Merge pull request #269 from RtlZeroMemory/fix/codeql-alerts

fix: reduce CodeQL noise from tests and harden scan findings

Author: RtlZeroMemory

.github/codeql/codeql-config.yml

@@ -0,0 +1,9 @@
+name: rezi-codeql
+paths-ignore:
+  - "**/__tests__/**"
+  - "**/*.test.js"
+  - "**/*.test.jsx"
+  - "**/*.test.mjs"
+  - "**/*.test.ts"
+  - "**/*.test.tsx"
+  - "**/tests.rs"

.github/workflows/codeql.yml

@@ -30,6 +30,7 @@ jobs:
         with:
           languages: javascript-typescript
           build-mode: none
+          config-file: ./.github/codeql/codeql-config.yml
 
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v3
@@ -47,6 +48,7 @@ jobs:
         with:
           languages: rust
           build-mode: none
+          config-file: ./.github/codeql/codeql-config.yml
 
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v3

docs/dev/testing.md

@@ -157,6 +157,9 @@ Quick scoped run:
 node scripts/run-tests.mjs --filter "codeEditor.syntax"
 ```
 
+`--filter` performs a literal substring match against discovered relative test
+file paths. It does not interpret the value as a raw regular expression.
+
 ### Manual HSR + GIF Workflow
 
 Use the built-in demos under `scripts/hsr/`:

docs/guide/testing.md

@@ -28,6 +28,9 @@ Filter to a subset:
 node scripts/run-tests.mjs --filter "layout"
 ```
 
+`--filter` matches a literal substring in the discovered relative test file
+paths.
+
 ## What to test
 
 - Unit behavior for pure helpers and validators.

packages/core/src/constraints/helpers.ts

@@ -102,7 +102,7 @@ function formatDslNumber(fn: string, value: number): string {
   }
 
   if (out.includes(".")) {
-    out = out.replace(/0+$/, "").replace(/\.$/, "");
+    out = trimTrailingZerosAfterDecimal(out);
   }
   if (out.length > 64) {
     throw invalidArg(
@@ -113,6 +113,17 @@ function formatDslNumber(fn: string, value: number): string {
   return `${sign}${out}`;
 }
 
+function trimTrailingZerosAfterDecimal(value: string): string {
+  let end = value.length;
+  while (end > 0 && value.charCodeAt(end - 1) === 48) {
+    end--;
+  }
+  if (end > 0 && value.charCodeAt(end - 1) === 46) {
+    end--;
+  }
+  return end === value.length ? value : value.slice(0, end);
+}
+
 function metricToRefProp(metric: WidgetMetric): RefProp {
   switch (metric) {
     case "width":

packages/core/src/widgets/__tests__/compositionWidgets.test.ts

@@ -71,6 +71,16 @@ describe("composition widgets", () => {
     assert.equal(sidebarBox.props.width, railWidth);
   });
 
+  test("constraint helpers format exponent inputs as trimmed decimal literals", () => {
+    const width = widthConstraints.clampedPercentOfParent({
+      ratio: 1e-7,
+      min: 2.5e-7,
+      max: 1e-6,
+    });
+
+    assert.equal(width.source, "clamp(0.00000025, parent.w * 0.0000001, 0.000001)");
+  });
+
   test("ui.card title overload includes title and body", () => {
     const renderer = createTestRenderer({ viewport: { cols: 60, rows: 10 } });
     const result = renderer.render(ui.card("Title", [ui.text("body")]));

scripts/run-tests.mjs

@@ -71,6 +71,10 @@ function collectPackageTests(root) {
   return out;
 }
 
+function escapeRegExpLiteral(value) {
+  return value.replace(/[\\^$.*+?()[\]{}|]/g, "\\$&");
+}
+
 function parseArgs(argv) {
   let scope = "all";
   let filter = null;
@@ -146,15 +150,7 @@ if (scope === "packages" && packageTests.length === 0) {
 let relFiles = files.map((f) => relative(root, f));
 
 if (typeof filter === "string") {
-  let rx;
-  try {
-    rx = new RegExp(filter);
-  } catch (err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    process.stderr.write(`run-tests: invalid --filter regex: ${msg}\n`);
-    process.exit(1);
-  }
-
+  const rx = new RegExp(escapeRegExpLiteral(filter));
   relFiles = relFiles.filter((p) => rx.test(p));
   if (relFiles.length === 0) {
     process.stderr.write(`run-tests: --filter matched 0 test files (${filter})\n`);