JS: Post-processing query for inline test expectations

hvitved · hvitved · commit 1259b7e8e773 · 2024-10-29T13:35:38.000+01:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-611/Xxe.qlref b/javascript/ql/test/query-tests/Security/CWE-611/Xxe.qlref
@@ -1 +1,2 @@
-Security/CWE-611/Xxe.ql
+query: Security/CWE-611/Xxe.ql
+postprocess: testUtilities/InlineExpectationsTestQuery.ql
diff --git a/javascript/ql/test/query-tests/Security/CWE-611/domparser.js b/javascript/ql/test/query-tests/Security/CWE-611/domparser.js
@@ -1,5 +1,5 @@
 function test() {
-  var src = document.location.search;
+  var src = document.location.search; // $ Source=search
 
   if (window.DOMParser) {
     // OK: DOMParser only expands internal general entities
@@ -8,10 +8,10 @@ function test() {
     var parser;
     try {
       // NOT OK: XMLDOM expands external entities by default
-      (new ActiveXObject("Microsoft.XMLDOM")).loadXML(src);
+      (new ActiveXObject("Microsoft.XMLDOM")).loadXML(src); // $ Alert=search
     } catch (e) {
       // NOT OK: MSXML expands external entities by default
-      (new ActiveXObject("Msxml2.DOMDocument")).loadXML(src);
+      (new ActiveXObject("Msxml2.DOMDocument")).loadXML(src); // $ Alert=search
     }
   }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-611/libxml.noent.js b/javascript/ql/test/query-tests/Security/CWE-611/libxml.noent.js
@@ -1,20 +1,20 @@
 const express = require('express');
 const libxmljs = require('libxmljs');
 
-express().get('/some/path', function(req) {
+express().get('/some/path', function (req) {
   // NOT OK: unguarded entity expansion
-  libxmljs.parseXml(req.param("some-xml"), { noent: true });
+  libxmljs.parseXml(req.param("some-xml"), { noent: true }); // $ Alert
 });
 
-express().post('/some/path', function(req, res) {
+express().post('/some/path', function (req, res) {
   // NOT OK: unguarded entity expansion
-  libxmljs.parseXml(req.param("some-xml"), { noent: true });
+  libxmljs.parseXml(req.param("some-xml"), { noent: true }); // $ Alert
 
   // NOT OK: unguarded entity expansion
-  libxmljs.parseXmlString(req.param("some-xml"), {noent:true})
+  libxmljs.parseXmlString(req.param("some-xml"), { noent: true }) // $ Alert
   // NOT OK: unguarded entity expansion
-  libxmljs.parseXmlString(req.files.products.data.toString('utf8'), {noent:true})
-  
+  libxmljs.parseXmlString(req.files.products.data.toString('utf8'), { noent: true })// $ Source=files $ Alert=files
+
   // OK - no entity expansion
-  libxmljs.parseXmlString(req.files.products.data.toString('utf8'), {noent:false})
+  libxmljs.parseXmlString(req.files.products.data.toString('utf8'), { noent: false })
 });
diff --git a/javascript/ql/test/query-tests/Security/CWE-611/libxml.sax.js b/javascript/ql/test/query-tests/Security/CWE-611/libxml.sax.js
@@ -1,7 +1,7 @@
 const express = require('express');
 const libxmljs = require('libxmljs');
 
-express().get('/some/path', function(req) {
+express().get('/some/path', function (req) {
   const parser = new libxmljs.SaxParser();
-  parser.parseString(req.param("some-xml")); // NOT OK: the SAX parser expands external entities by default
+  parser.parseString(req.param("some-xml")); // $ Alert: the SAX parser expands external entities by default
 });
diff --git a/javascript/ql/test/query-tests/Security/CWE-611/libxml.saxpush.js b/javascript/ql/test/query-tests/Security/CWE-611/libxml.saxpush.js
@@ -1,7 +1,7 @@
 const express = require('express');
 const libxmljs = require('libxmljs');
 
-express().get('/some/path', function(req) {
+express().get('/some/path', function (req) {
   const parser = new libxmljs.SaxPushParser();
-  parser.push(req.param("some-xml"));  // NOT OK: the SAX parser expands external entities by default
+  parser.push(req.param("some-xml")); // $ Alert: the SAX parser expands external entities by default
 });
diff --git a/javascript/ql/test/testUtilities/InlineExpectationsTestQuery.ql b/javascript/ql/test/testUtilities/InlineExpectationsTestQuery.ql
@@ -0,0 +1,21 @@
+/**
+ * @kind test-postprocess
+ */
+
+private import javascript
+private import codeql.util.test.InlineExpectationsTest as T
+private import internal.InlineExpectationsTestImpl
+import T::TestPostProcessing
+import T::TestPostProcessing::Make<Impl, Input>
+
+private module Input implements T::TestPostProcessing::InputSig<Impl> {
+  string getRelativeUrl(Location location) {
+    exists(File f, int startline, int startcolumn, int endline, int endcolumn |
+      location.hasLocationInfo(_, startline, startcolumn, endline, endcolumn) and
+      f = location.getFile()
+    |
+      result =
+        f.getRelativePath() + ":" + startline + ":" + startcolumn + ":" + endline + ":" + endcolumn
+    )
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`		`-Security/CWE-611/Xxe.ql`
	`1`	`+query: Security/CWE-611/Xxe.ql`
	`2`	`+postprocess: testUtilities/InlineExpectationsTestQuery.ql`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`function test() {`
`2`		`- var src = document.location.search;`
	`2`	`+ var src = document.location.search; // $ Source=search`
`3`	`3`
`4`	`4`	`if (window.DOMParser) {`
`5`	`5`	`// OK: DOMParser only expands internal general entities`
`@@ -8,10 +8,10 @@ function test() {`
`8`	`8`	`var parser;`
`9`	`9`	`try {`
`10`	`10`	`// NOT OK: XMLDOM expands external entities by default`
`11`		`- (new ActiveXObject("Microsoft.XMLDOM")).loadXML(src);`
	`11`	`+ (new ActiveXObject("Microsoft.XMLDOM")).loadXML(src); // $ Alert=search`
`12`	`12`	`} catch (e) {`
`13`	`13`	`// NOT OK: MSXML expands external entities by default`
`14`		`- (new ActiveXObject("Msxml2.DOMDocument")).loadXML(src);`
	`14`	`+ (new ActiveXObject("Msxml2.DOMDocument")).loadXML(src); // $ Alert=search`
`15`	`15`	`}`
`16`	`16`	`}`
`17`	`17`	`}`