Merge pull request github#13380 from asgerf/js/fix-sink-kind

asgerf · web-flow · commit f737054216c7 · 2023-06-14T12:56:58.000+02:00
JS: Fix invalid source kind in test
diff --git a/javascript/ql/test/library-tests/DataExtensions/Test.expected b/javascript/ql/test/library-tests/DataExtensions/Test.expected
diff --git a/javascript/ql/test/library-tests/DataExtensions/Test.ql b/javascript/ql/test/library-tests/DataExtensions/Test.ql
diff --git a/javascript/ql/test/library-tests/DataExtensions/connection.expected b/javascript/ql/test/library-tests/DataExtensions/connection.expected
@@ -0,0 +1,2 @@
+| connection.example.ts:4:20:4:20 | q |
+| connection.example.ts:9:18:9:18 | q |
diff --git a/javascript/ql/test/library-tests/DataExtensions/connection.ext.yml b/javascript/ql/test/library-tests/DataExtensions/connection.ext.yml
diff --git a/javascript/ql/test/library-tests/DataExtensions/connection.ql b/javascript/ql/test/library-tests/DataExtensions/connection.ql
@@ -0,0 +1,4 @@
+import javascript
+private import semmle.javascript.security.dataflow.SqlInjectionCustomizations
+
+query predicate sqlInjectionSinks(DataFlow::Node node) { node instanceof SqlInjection::Sink }
diff --git a/javascript/ql/test/library-tests/DataExtensions/execa.expected b/javascript/ql/test/library-tests/DataExtensions/execa.expected
@@ -0,0 +1 @@
+| execa.example.js:2:7:2:9 | cmd |
diff --git a/javascript/ql/test/library-tests/DataExtensions/execa.ext.yml b/javascript/ql/test/library-tests/DataExtensions/execa.ext.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: sinkModel
+    data:
+      - ["@example/execa", "Member[shell].Argument[0]", "command-injection"]
diff --git a/javascript/ql/test/library-tests/DataExtensions/execa.model.yml b/javascript/ql/test/library-tests/DataExtensions/execa.model.yml
diff --git a/javascript/ql/test/library-tests/DataExtensions/execa.ql b/javascript/ql/test/library-tests/DataExtensions/execa.ql
@@ -0,0 +1,6 @@
+import javascript
+private import semmle.javascript.security.dataflow.CommandInjectionCustomizations
+
+query predicate commandInjectionSinks(DataFlow::Node node) {
+  node instanceof CommandInjection::Sink
+}
diff --git a/javascript/ql/test/library-tests/DataExtensions/message.expected b/javascript/ql/test/library-tests/DataExtensions/message.expected
@@ -0,0 +1,2 @@
+| message.example.js:1:46:1:50 | event |
+| message.example.js:2:16:2:25 | event.data |
diff --git a/javascript/ql/test/library-tests/DataExtensions/message.ext.yml b/javascript/ql/test/library-tests/DataExtensions/message.ext.yml
@@ -6,5 +6,5 @@ extensions:
       - [
           "global",
           "Member[addEventListener].WithStringArgument[0=message].Argument[1].Parameter[0].Member[data]",
-          "remote-flow",
+          "remote",
         ]
diff --git a/javascript/ql/test/library-tests/DataExtensions/message.ql b/javascript/ql/test/library-tests/DataExtensions/message.ql
@@ -0,0 +1,3 @@
+import javascript
+
+query predicate remoteFlowSources(RemoteFlowSource node) { any() }
diff --git a/javascript/ql/test/qlpack.yml b/javascript/ql/test/qlpack.yml
@@ -5,6 +5,4 @@ dependencies:
   codeql/javascript-queries: ${workspace}
 extractor: javascript
 tests: .
-dataExtensions:
-  - library-tests/DataExtensions/*.model.yml
 warnOnImplicitThis: true

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+\| connection.example.ts:4:20:4:20 \| q \|`
	`2`	`+\| connection.example.ts:9:18:9:18 \| q \|`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+\| message.example.js:1:46:1:50 \| event \|`
	`2`	`+\| message.example.js:2:16:2:25 \| event.data \|`