Convert OpenUrlRedirect tests to InlineExpectations

This commit is contained in:
Owen Mansel-Chan
2025-09-25 16:13:31 +01:00
parent 7b426186aa
commit 1144bb99b4
3 changed files with 23 additions and 21 deletions


@@ -7,6 +7,6 @@ import (
func serve() {
http.HandleFunc("/redir", func(w http.ResponseWriter, r *http.Request) {
r.ParseForm()
http.Redirect(w, r, r.Form.Get("target"), 302)
http.Redirect(w, r, r.Form.Get("target"), 302) // $ Alert
})
}
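Review bot: The new `// $ Alert` on the `http.Redirect` line carries no `Source` expectation, although the tainted value `r.Form.Get("target")` is read on that very line; the other test file in this commit marks every `r.Form.Get("target")` read with `// $ Source`. If the inline-expectations post-processing reports source locations as required results, this line will need both tags, something like `http.Redirect(w, r, r.Form.Get("target"), 302) // $ Source Alert`; if source results are optional, a short comment saying so would keep the two fixtures readably consistent. The enclosing `serve` function is fully visible in the hunk, but the file's path is not shown on this page, so I cannot confirm which query configuration applies to it.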


@@ -1,2 +1,4 @@
query: Security/CWE-601/OpenUrlRedirect.ql
postprocess: utils/test/PrettyPrintModels.ql
postprocess:
- utils/test/PrettyPrintModels.ql
- utils/test/InlineExpectationsTestQuery.ql


@@ -10,18 +10,18 @@ func serveStdlib() {
http.HandleFunc("/ex", func(w http.ResponseWriter, r *http.Request) {
r.ParseForm()
target := r.Form.Get("target")
target := r.Form.Get("target") // $ Source
// BAD: a request parameter is incorporated without validation into a URL redirect
w.Header().Set("Location", target)
w.Header().Set("Location", target) // $ Alert
w.WriteHeader(302)
})
http.HandleFunc("/ex1", func(w http.ResponseWriter, r *http.Request) {
r.ParseForm()
target := r.Form.Get("target")
target := r.Form.Get("target") // $ Source
// Probably OK because the status is set to 500, but we catch it anyway
w.Header().Set("Location", target)
w.Header().Set("Location", target) // $ Alert
w.WriteHeader(500)
})
@@ -30,13 +30,13 @@ func serveStdlib() {
// Taking gratuitous copies of target so that sanitizing the use in
// the first request doesn't also sanitize other uses
target := r.Form.Get("target")
target := r.Form.Get("target") // $ Source
target2 := target
target3 := target
// GOOD: local redirects are unproblematic
w.Header().Set("Location", "/local"+target)
// BAD: this could be a non-local redirect
w.Header().Set("Location", "/"+target2)
w.Header().Set("Location", "/"+target2) // $ Alert
// GOOD: localhost redirects are unproblematic
w.Header().Set("Location", "//localhost/"+target3)
w.WriteHeader(302)
@@ -45,9 +45,9 @@ func serveStdlib() {
http.HandleFunc("/ex3", func(w http.ResponseWriter, r *http.Request) {
r.ParseForm()
target := r.Form.Get("target")
target := r.Form.Get("target") // $ Source
// BAD: using the utility function
http.Redirect(w, r, target, 301)
http.Redirect(w, r, target, 301) // $ Alert
})
http.HandleFunc("/ex4", func(w http.ResponseWriter, r *http.Request) {
@@ -65,10 +65,10 @@ func serveStdlib() {
http.HandleFunc("/ex5", func(w http.ResponseWriter, r *http.Request) {
r.ParseForm()
target := r.Form.Get("target")
target := r.Form.Get("target") // $ Source
me := "me"
// BAD: may be a global redirection
http.Redirect(w, r, target+"?from="+me, 301)
http.Redirect(w, r, target+"?from="+me, 301) // $ Alert
})
http.HandleFunc("/ex6", func(w http.ResponseWriter, r *http.Request) {
@@ -90,10 +90,10 @@ func serveStdlib() {
http.HandleFunc("/ex7", func(w http.ResponseWriter, r *http.Request) {
r.ParseForm()
target := r.Form.Get("target")
target := r.Form.Get("target") // $ Source
target += "/index.html"
// BAD
http.Redirect(w, r, target, 302)
http.Redirect(w, r, target, 302) // $ Alert
})
http.HandleFunc("/ex7", func(w http.ResponseWriter, r *http.Request) {
@@ -147,13 +147,13 @@ func serveStdlib() {
http.HandleFunc("/ex9", func(w http.ResponseWriter, r *http.Request) {
r.ParseForm()
target := r.Form.Get("target")
target := r.Form.Get("target") // $ Source
// GOOD, but we catch this anyway: a check is done on the URL
if !isValidRedirect(target) {
target = "/"
}
http.Redirect(w, r, target, 302)
http.Redirect(w, r, target, 302) // $ SPURIOUS: Alert
})
http.HandleFunc("/ex8", func(w http.ResponseWriter, r *http.Request) {
@@ -183,19 +183,19 @@ func serveStdlib() {
http.HandleFunc("/ex9", func(w http.ResponseWriter, r *http.Request) {
r.ParseForm()
target := r.FormValue("target")
target := r.FormValue("target") // $ Source
// BAD: a request parameter is incorporated without validation into a URL redirect
http.Redirect(w, r, target, 301)
http.Redirect(w, r, target, 301) // $ Alert
})
http.HandleFunc("/ex10", func(w http.ResponseWriter, r *http.Request) {
r.ParseForm()
target, _ := url.ParseRequestURI(r.FormValue("target"))
target, _ := url.ParseRequestURI(r.FormValue("target")) // $ Source
// BAD: Path could start with `//`
http.Redirect(w, r, target.Path, 301)
http.Redirect(w, r, target.Path, 301) // $ Alert
// BAD: EscapedPath() does not help with that
http.Redirect(w, r, target.EscapedPath(), 301)
http.Redirect(w, r, target.EscapedPath(), 301) // $ Alert
})
http.HandleFunc("/ex11", func(w http.ResponseWriter, r *http.Request) {