Go: Post-processing query for inline test expectations

hvitved · hvitved · commit 540b433f5a5a · 2024-10-29T13:35:35.000+01:00
diff --git a/go/ql/test/TestUtilities/InlineExpectationsTestQuery.ql b/go/ql/test/TestUtilities/InlineExpectationsTestQuery.ql
@@ -0,0 +1,21 @@
+/**
+ * @kind test-postprocess
+ */
+
+private import go
+private import codeql.util.test.InlineExpectationsTest as T
+private import internal.InlineExpectationsTestImpl
+import T::TestPostProcessing
+import T::TestPostProcessing::Make<Impl, Input>
+
+private module Input implements T::TestPostProcessing::InputSig<Impl> {
+  string getRelativeUrl(Location location) {
+    exists(File f, int startline, int startcolumn, int endline, int endcolumn |
+      location.hasLocationInfo(_, startline, startcolumn, endline, endcolumn) and
+      f = location.getFile()
+    |
+      result =
+        f.getRelativePath() + ":" + startline + ":" + startcolumn + ":" + endline + ":" + endcolumn
+    )
+  }
+}
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Gin/Gin.go b/go/ql/test/library-tests/semmle/go/frameworks/Gin/Gin.go
@@ -21,12 +21,12 @@ type Person struct {
 func FileSystemAccess() {
 	router := gin.Default()
 	router.POST("/FormUploads", func(c *gin.Context) {
-		filepath := c.Query("filepath")
-		c.File(filepath)                                    // $ FileSystemAccess=filepath
-		http.ServeFile(c.Writer, c.Request, filepath)       // $ FileSystemAccess=filepath
-		c.FileAttachment(filepath, "file name in response") // $ FileSystemAccess=filepath
+		filepath := c.Query("filepath")                     // $ Source=filepath
+		c.File(filepath)                                    // $ Alert=filepath $ FileSystemAccess=filepath
+		http.ServeFile(c.Writer, c.Request, filepath)       // $ Alert=filepath $ FileSystemAccess=filepath
+		c.FileAttachment(filepath, "file name in response") // $ Alert=filepath $ FileSystemAccess=filepath
 		file, _ := c.FormFile("afile")
-		_ = c.SaveUploadedFile(file, filepath) // $ FileSystemAccess=filepath
+		_ = c.SaveUploadedFile(file, filepath) // $ Alert=filepath $ FileSystemAccess=filepath
 	})
 	_ = router.Run()
 }
diff --git a/go/ql/test/library-tests/semmle/go/frameworks/Gin/TaintedPath.qlref b/go/ql/test/library-tests/semmle/go/frameworks/Gin/TaintedPath.qlref
@@ -1,2 +1,4 @@
 query: Security/CWE-022/TaintedPath.ql
-postprocess: TestUtilities/PrettyPrintModels.ql
+postprocess:
+  - TestUtilities/PrettyPrintModels.ql
+  - TestUtilities/InlineExpectationsTestQuery.ql
