JS: Port IncompleteUrlSchemeCheck test

asgerf · asgerf · commit 95e20a045ba6 · 2025-01-10T14:18:26.000+01:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck/IncompleteUrlSchemeCheck.expected b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck/IncompleteUrlSchemeCheck.expected
@@ -1,3 +1,4 @@
+#select
 | IncompleteUrlSchemeCheck.js:5:9:5:35 | u.start ... ript:") | This check does not consider data: and vbscript:. |
 | IncompleteUrlSchemeCheck.js:16:9:16:39 | badProt ... otocol) | This check does not consider vbscript:. |
 | IncompleteUrlSchemeCheck.js:23:9:23:43 | badProt ... scheme) | This check does not consider vbscript:. |
@@ -13,3 +14,8 @@
 | IncompleteUrlSchemeCheck.js:104:6:104:39 | /^(java ... scheme) | This check does not consider vbscript:. |
 | IncompleteUrlSchemeCheck.js:110:12:112:29 | url  // ... :/, "") | This check does not consider vbscript:. |
 | IncompleteUrlSchemeCheck.js:124:11:124:34 | url.rep ... :/, "") | This check does not consider vbscript:. |
+testFailures
+| IncompleteUrlSchemeCheck.js:94:10:94:15 | This check does not consider vbscript:. | Unexpected result: Alert |
+| IncompleteUrlSchemeCheck.js:95:25:95:34 | // $ Alert | Missing result: Alert |
+| IncompleteUrlSchemeCheck.js:110:12:112:29 | This check does not consider vbscript:. | Unexpected result: Alert |
+| IncompleteUrlSchemeCheck.js:110:17:110:26 | // $ Alert | Missing result: Alert |
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck/IncompleteUrlSchemeCheck.js b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck/IncompleteUrlSchemeCheck.js
@@ -2,7 +2,7 @@ import * as dummy from 'dummy';
 
 function sanitizeUrl(url) {
     let u = decodeURI(url).trim().toLowerCase();
-    if (u.startsWith("javascript:")) // NOT OK
+    if (u.startsWith("javascript:")) // $ Alert
         return "about:blank";
     return url;
 }
@@ -13,28 +13,28 @@ let badProtocolsGood = ['javascript:', 'data:', 'vbscript:'];
 
 function test2(url) {
     let protocol = new URL(url).protocol;
-    if (badProtocols.includes(protocol)) // NOT OK
+    if (badProtocols.includes(protocol)) // $ Alert
         return "about:blank";
     return url;
 }
 
 function test3(url) {
     let scheme = goog.uri.utils.getScheme(url);
-    if (badProtocolNoColon.includes(scheme)) // NOT OK
+    if (badProtocolNoColon.includes(scheme)) // $ Alert
         return "about:blank";
     return url;
 }
 
 function test4(url) {
     let scheme = url.split(':')[0];
-    if (badProtocolNoColon.includes(scheme)) // NOT OK
+    if (badProtocolNoColon.includes(scheme)) // $ Alert
         return "about:blank";
     return url;
 }
 
 function test5(url) {
     let scheme = url.split(':')[0];
-    if (scheme === "javascript") // NOT OK
+    if (scheme === "javascript") // $ Alert
         return "about:blank";
     return url;
 }
@@ -48,51 +48,51 @@ function test6(url) {
 
 function test7(url) {
     let scheme = url.split(/:/)[0];
-    if (scheme === "javascript") // NOT OK
+    if (scheme === "javascript") // $ Alert
         return "about:blank";
     return url;
 }
 
 function test8(url) {
     let scheme = goog.uri.utils.getScheme(url);
-	if ("javascript|data".split("|").indexOf(scheme) !== -1) // NOT OK
+	if ("javascript|data".split("|").indexOf(scheme) !== -1) // $ Alert
         return "about:blank";
     return url;
 }
 
 function test9(url) {
     let scheme = goog.uri.utils.getScheme(url);
-	if ("javascript" === scheme || "data" === scheme) // NOT OK
+	if ("javascript" === scheme || "data" === scheme) // $ Alert
         return "about:blank";
     return url;
 }
 
 function test10(url) {
     let scheme = goog.uri.utils.getScheme(url);
-	if (/^(javascript|data)$/.exec(scheme) !== null) // NOT OK
+	if (/^(javascript|data)$/.exec(scheme) !== null) // $ Alert
         return "about:blank";
     return url;
 }
 
 function test11(url) {
     let scheme = goog.uri.utils.getScheme(url);
-	if (/^(javascript|data)$/.exec(scheme) === null) // NOT OK
+	if (/^(javascript|data)$/.exec(scheme) === null) // $ Alert
 		return url;
 	return "about:blank";
 }
 
 
 function test12(url) {
     let scheme = goog.uri.utils.getScheme(url);
-	if (!/^(javascript|data)$/.exec(scheme)) // NOT OK
+	if (!/^(javascript|data)$/.exec(scheme)) // $ Alert
 		return url;
 	return "about:blank";
 }
 
 function test13(url) {
 	let scheme = goog.uri.utils.getScheme(url);
 	switch (scheme) {
-    	case "javascript": // NOT OK
+    	case "javascript": // $ Alert
 	    case "data":
 		    return "about:blank";
 	    default:
@@ -101,13 +101,13 @@ function test13(url) {
 }
 function test14(url) {
     let scheme = goog.uri.utils.getScheme(url);
-	if (/^(javascript|data)$/.exec(scheme)) // NOT OK
+	if (/^(javascript|data)$/.exec(scheme)) // $ Alert
         return "about:blank";
     return url;
 }
 
 function chain1(url) {
-    return url  // NOT OK
+    return url  // $ Alert
         .replace(/javascript:/, "")
         .replace(/data:/, "");
 }
@@ -121,10 +121,10 @@ function chain2(url) {
 
 function chain3(url) {
     url = url.replace(/javascript:/, "")
-    url = url.replace(/data:/, ""); // NOT OK
+    url = url.replace(/data:/, ""); // $ Alert
     return url;
 }
 
 function chain4(url) {
-    return url.replace(/(javascript|data):/, ""); // NOT OK - but not flagged [INCONSISTENCY]
-}
+    return url.replace(/(javascript|data):/, ""); // $ MISSING: Alert
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck/IncompleteUrlSchemeCheck.qlref b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck/IncompleteUrlSchemeCheck.qlref
@@ -1 +1,2 @@
-Security/CWE-020/IncompleteUrlSchemeCheck.ql
+query: Security/CWE-020/IncompleteUrlSchemeCheck.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`		`-Security/CWE-020/IncompleteUrlSchemeCheck.ql`
	`1`	`+query: Security/CWE-020/IncompleteUrlSchemeCheck.ql`
	`2`	`+postprocess: utils/test/InlineExpectationsTestQuery.ql`