Merge pull request #375 from esben-semmle/js/limit-directive-sizes

Approved by xiemaisi
2026-04-29 02:35:15 +02:00 · 2018-10-29 09:59:03 +00:00
parent 47096bbc5f 8f635e6493
commit 72012a93cb
6 changed files with 28 additions and 7 deletions
--- a/javascript/ql/src/Expressions/UnknownDirective.ql
+++ b/javascript/ql/src/Expressions/UnknownDirective.ql
@@ -14,4 +14,4 @@ from Directive d
 where not d instanceof KnownDirective and
      // but exclude attribute top-levels: `<a href="javascript:'some-attribute-string'">`
      not (d.getParent() instanceof CodeInAttribute)
-select d, "Unknown directive: '" + d.getDirectiveText() + "'."
+select d, "Unknown directive: '" + truncate(d.getDirectiveText(), 20, " ... (truncated)")  + "'."
--- a/javascript/ql/src/semmle/javascript/Util.qll
+++ b/javascript/ql/src/semmle/javascript/Util.qll
@@ -12,15 +12,25 @@ string capitalize(string s) {
  result = s.charAt(0).toUpperCase() + s.suffix(1)
 }

- /**
-  * Gets the pluralization for `n` occurrences of `noun`.
-  *
-  * For example, the pluralization of `"function"` for `n = 2` is `"functions"`.
-  */
+/**
+ * Gets the pluralization for `n` occurrences of `noun`.
+ *
+ * For example, the pluralization of `"function"` for `n = 2` is `"functions"`.
+ */
 bindingset[noun, n]
 string pluralize(string noun, int n) {
  if n = 1 then
    result = noun
  else
    result = noun + "s"
-}
+}
+
+/**
+ * Gets `str` or a truncated version of `str` with `explanation` appended if its length exceeds `maxLength`.
+ *
+ * For example, the truncation of `"long_string"` for `maxLength = 5` and explanation `" ..."` is `"long_ ..."`.
+ */
+bindingset[str, maxLength, explanation]
+string truncate(string str, int maxLength, string explanation) {
+  if str.length() > maxLength then result = str.prefix(maxLength) + explanation else result = str
+}
--- a/javascript/ql/test/library-tests/Util/truncate.expected
+++ b/javascript/ql/test/library-tests/Util/truncate.expected
@@ -0,0 +1 @@
+| y |  | X | XX | XXy |
--- a/javascript/ql/test/library-tests/Util/truncate.ql
+++ b/javascript/ql/test/library-tests/Util/truncate.ql
@@ -0,0 +1,3 @@
+import semmle.javascript.Util
+
+select truncate("X", 0, "y"), truncate("", 2, "y"), truncate("X", 2, "y"), truncate("XX", 2, "y"), truncate("XXX", 2, "y")
--- a/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.expected
+++ b/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.expected
@@ -11,3 +11,5 @@
 | UnknownDirective.js:12:5:12:17 | "use struct;" | Unknown directive: 'use struct;'. |
 | UnknownDirective.js:13:5:13:17 | "Use Strict"; | Unknown directive: 'Use Strict'. |
 | UnknownDirective.js:14:5:14:14 | "use bar"; | Unknown directive: 'use bar'. |
+| UnknownDirective.js:38:5:38:17 | "[0, 0, 0];"; | Unknown directive: '[0, 0, 0];'. |
+| UnknownDirective.js:39:5:39:65 | "[0, 0, ... , 0];"; | Unknown directive: '[0, 0, 0, 0, 0, 0, 0 ... (truncated)'. |
--- a/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.js
+++ b/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.js
@@ -33,3 +33,8 @@ function good() {
    "deps foo"; // OK
    "deps bar"; // OK
 }
+
+function data() {
+    "[0, 0, 0];"; // NOT OK
+    "[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];"; // NOT OK
+}