JS: Port IncompleteUrlSubstringSanitization test

asgerf · asgerf · commit c2b65b1f854e · 2025-01-10T14:18:29.000+01:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization/IncompleteUrlSubstringSanitization.expected b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization/IncompleteUrlSubstringSanitization.expected
@@ -1,3 +1,4 @@
+problems
 | tst-IncompleteUrlSubstringSanitization.js:4:5:4:34 | x.index ...  !== -1 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.js:4:15:4:26 | "secure.com" | secure.com |
 | tst-IncompleteUrlSubstringSanitization.js:5:5:5:34 | x.index ...  !== -1 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.js:5:15:5:26 | "secure.net" | secure.net |
 | tst-IncompleteUrlSubstringSanitization.js:6:5:6:35 | x.index ...  !== -1 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.js:6:15:6:27 | ".secure.com" | .secure.com |
@@ -23,3 +24,7 @@
 | tst-IncompleteUrlSubstringSanitization.js:73:5:73:48 | x.index ... ") >= 0 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.js:73:15:73:42 | "https: ... oo/bar" | https://secure.com/foo/bar |
 | tst-IncompleteUrlSubstringSanitization.js:74:5:74:40 | x.index ... ") >= 0 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.js:74:15:74:34 | "https://secure.com" | https://secure.com |
 | tst-IncompleteUrlSubstringSanitization.js:75:5:75:52 | x.index ... ") >= 0 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.js:75:15:75:46 | "https: ... ar-baz" | https://secure.com/foo/bar-baz |
+testFailures
+| tst-IncompleteUrlSubstringSanitization.js:62:2:62:31 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | Unexpected result: Alert |
+| tst-IncompleteUrlSubstringSanitization.js:63:4:63:33 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | Unexpected result: Alert |
+| tst-IncompleteUrlSubstringSanitization.js:64:3:64:26 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | Unexpected result: Alert |
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization/IncompleteUrlSubstringSanitization.qlref b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization/IncompleteUrlSubstringSanitization.qlref
@@ -1 +1,2 @@
-Security/CWE-020/IncompleteUrlSubstringSanitization.ql
+query: Security/CWE-020/IncompleteUrlSubstringSanitization.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization/tst-IncompleteUrlSubstringSanitization.js b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization/tst-IncompleteUrlSubstringSanitization.js
@@ -1,23 +1,23 @@
 (function(x){
-    x.indexOf("internal") !== -1; // NOT OK, but not flagged
-    x.indexOf("localhost") !== -1; // NOT OK, but not flagged
-    x.indexOf("secure.com") !== -1; // NOT OK
-    x.indexOf("secure.net") !== -1; // NOT OK
-    x.indexOf(".secure.com") !== -1; // NOT OK
-    x.indexOf("sub.secure.") !== -1; // NOT OK, but not flagged
-    x.indexOf(".sub.secure.") !== -1; // NOT OK, but not flagged
+    x.indexOf("internal") !== -1; // $ MISSING: Alert
+    x.indexOf("localhost") !== -1; // $ MISSING: Alert
+    x.indexOf("secure.com") !== -1; // $ Alert
+    x.indexOf("secure.net") !== -1; // $ Alert
+    x.indexOf(".secure.com") !== -1; // $ Alert
+    x.indexOf("sub.secure.") !== -1; // $ MISSING: Alert
+    x.indexOf(".sub.secure.") !== -1; // $ MISSING: Alert
 
-    x.indexOf("secure.com") === -1; // NOT OK
-    x.indexOf("secure.com") === 0; // NOT OK
-    x.indexOf("secure.com") >= 0; // NOT OK
+    x.indexOf("secure.com") === -1; // $ Alert
+    x.indexOf("secure.com") === 0; // $ Alert
+    x.indexOf("secure.com") >= 0; // $ Alert
 
-    x.startsWith("https://secure.com"); // NOT OK
-    x.endsWith("secure.com"); // NOT OK
+    x.startsWith("https://secure.com"); // $ Alert
+    x.endsWith("secure.com"); // $ Alert
     x.endsWith(".secure.com"); // OK
     x.startsWith("secure.com/"); // OK
     x.indexOf("secure.com/") === 0; // OK
 
-    x.includes("secure.com"); // NOT OK
+    x.includes("secure.com"); // $ Alert
 
     x.indexOf("#") !== -1; // OK
     x.indexOf(":") !== -1; // OK
@@ -29,11 +29,11 @@
     x.indexOf("some/path") !== -1; // OK
     x.indexOf("/index.html") !== -1; // OK
     x.indexOf(":template:") !== -1; // OK
-    x.indexOf("https://secure.com") !== -1; // NOT OK
-    x.indexOf("https://secure.com:443") !== -1; // NOT OK
-    x.indexOf("https://secure.com/") !== -1; // NOT OK
+    x.indexOf("https://secure.com") !== -1; // $ Alert
+    x.indexOf("https://secure.com:443") !== -1; // $ Alert
+    x.indexOf("https://secure.com/") !== -1; // $ Alert
 
-    x.indexOf(".cn") !== -1; // NOT OK, but not flagged
+    x.indexOf(".cn") !== -1; // $ MISSING: Alert
     x.indexOf(".jpg") !== -1; // OK
     x.indexOf("index.html") !== -1; // OK
     x.indexOf("index.js") !== -1; // OK
@@ -43,34 +43,34 @@
     x.indexOf("secure=true") !== -1; // OK (query param)
     x.indexOf("&auth=") !== -1; // OK (query param)
 
-    x.indexOf(getCurrentDomain()) !== -1; // NOT OK, but not flagged
-    x.indexOf(location.origin) !== -1; // NOT OK, but not flagged
+    x.indexOf(getCurrentDomain()) !== -1; // $ MISSING: Alert
+    x.indexOf(location.origin) !== -1; // $ MISSING: Alert
 
 	x.indexOf("tar.gz") + offset; // OK
 	x.indexOf("tar.gz") - offset; // OK
 
-    x.indexOf("https://example.internal") !== -1; // NOT OK
+    x.indexOf("https://example.internal") !== -1; // $ Alert
     x.indexOf("https://") !== -1; // OK
 
-    x.startsWith("https://example.internal"); // NOT OK
-    x.indexOf('https://example.internal.org') !== 0; // NOT OK
-    x.indexOf('https://example.internal.org') === 0; // NOT OK
-    x.endsWith("internal.com"); // NOT OK
+    x.startsWith("https://example.internal"); // $ Alert
+    x.indexOf('https://example.internal.org') !== 0; // $ Alert
+    x.indexOf('https://example.internal.org') === 0; // $ Alert
+    x.endsWith("internal.com"); // $ Alert
     x.startsWith("https://example.internal:80"); // OK
 
-	x.indexOf("secure.com") !== -1; // NOT OK
+	x.indexOf("secure.com") !== -1; // $ Alert
 	x.indexOf("secure.com") === -1; // OK
 	!(x.indexOf("secure.com") !== -1); // OK
 	!x.includes("secure.com"); // OK
 
-	if(!x.includes("secure.com")) { // NOT OK
+	if(!x.includes("secure.com")) { // $ Alert
 
 	} else {
 		doSomeThingWithTrustedURL(x);
     }
-    
+
     x.startsWith("https://secure.com/foo/bar"); // OK - a forward slash after the domain makes prefix checks safe.
-    x.indexOf("https://secure.com/foo/bar") >= 0 // NOT OK - the url can be anywhere in the string.
-    x.indexOf("https://secure.com") >= 0 // NOT OK
-    x.indexOf("https://secure.com/foo/bar-baz") >= 0 // NOT OK - the url can be anywhere in the string.
+    x.indexOf("https://secure.com/foo/bar") >= 0 // $ Alert - the url can be anywhere in the string.
+    x.indexOf("https://secure.com") >= 0 // $ Alert
+    x.indexOf("https://secure.com/foo/bar-baz") >= 0 // $ Alert - the url can be anywhere in the string.
 });

Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`		`-Security/CWE-020/IncompleteUrlSubstringSanitization.ql`
	`1`	`+query: Security/CWE-020/IncompleteUrlSubstringSanitization.ql`
	`2`	`+postprocess: utils/test/InlineExpectationsTestQuery.ql`