JS: Port IncompleteHostNameRegExt test

javascript/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp/IncompleteHostnameRegExp.expected

@@ -1,3 +1,4 @@
+problems
 | tst-IncompleteHostnameRegExp.js:3:3:3:28 | ^http:\\/\\/test.example.com | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:3:2:3:29 | /^http: ... le.com/ | here |
 | tst-IncompleteHostnameRegExp.js:5:3:5:28 | ^http:\\/\\/test.example.net | This regular expression has an unescaped '.' before 'example.net', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:5:2:5:29 | /^http: ... le.net/ | here |
 | tst-IncompleteHostnameRegExp.js:6:3:6:42 | ^http:\\/\\/test.(example-a\|example-b).com | This regular expression has an unescaped '.' before '(example-a\|example-b).com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:6:2:6:43 | /^http: ... b).com/ | here |
@@ -26,3 +27,10 @@
 | tst-IncompleteHostnameRegExp.js:55:14:55:38 | ^http://test.example.com | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:55:13:55:39 | '^http: ... le.com' | here |
 | tst-IncompleteHostnameRegExp.js:59:5:59:20 | foo.example\\.com | This regular expression has an unescaped '.' before 'example\\.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:59:2:59:32 | /^(foo. ... ever)$/ | here |
 | tst-IncompleteHostnameRegExp.js:61:18:61:41 | ^http://test.example.com | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:61:17:61:42 | "^http: ... le.com" | here |
+testFailures
+| tst-IncompleteHostnameRegExp.js:9:45:9:54 | // $ Alert | Missing result: Alert |
+| tst-IncompleteHostnameRegExp.js:10:3:10:36 | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | Unexpected result: Alert |
+| tst-IncompleteHostnameRegExp.js:17:35:17:44 | // $ Alert | Missing result: Alert |
+| tst-IncompleteHostnameRegExp.js:36:43:36:52 | // $ Alert | Missing result: Alert |
+| tst-IncompleteHostnameRegExp.js:42:69:42:78 | // $ Alert | Missing result: Alert |
+| tst-IncompleteHostnameRegExp.js:59:5:59:20 | This regular expression has an unescaped '.' before 'example\\.com', so it might match more hosts than expected. | Unexpected result: Alert |

javascript/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp/IncompleteHostnameRegExp.qlref

@@ -1 +1,2 @@
-Security/CWE-020/IncompleteHostnameRegExp.ql
+query: Security/CWE-020/IncompleteHostnameRegExp.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

javascript/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp/tst-IncompleteHostnameRegExp.js

@@ -1,62 +1,62 @@
 (function() {
-	/^http:\/\/example.com/; // OK
-	/^http:\/\/test.example.com/; // NOT OK
-	/^http:\/\/test\\.example.com/; // OK
-	/^http:\/\/test.example.net/; // NOT OK
-	/^http:\/\/test.(example-a|example-b).com/; // NOT OK
-	/^http:\/\/(.+).example.com\//; // NOT OK
-	/^http:\/\/(\\.+)\\.example.com/; // OK
-	/^http:\/\/(?:.+)\\.test\\.example.com\//; // NOT OK
-	/^http:\/\/test.example.com\/(?:.*)/; // OK
-	new RegExp("^http://test.example.com"); // NOT OK
-	if (s.match("^http://test.example.com")) {} // NOT OK
+	/^http:\/\/example.com/;
+	/^http:\/\/test.example.com/; // $ Alert
+	/^http:\/\/test\\.example.com/;
+	/^http:\/\/test.example.net/; // $ Alert
+	/^http:\/\/test.(example-a|example-b).com/; // $ Alert
+	/^http:\/\/(.+).example.com\//; // $ Alert
+	/^http:\/\/(\\.+)\\.example.com/;
+	/^http:\/\/(?:.+)\\.test\\.example.com\//; // $ Alert
+	/^http:\/\/test.example.com\/(?:.*)/;
+	new RegExp("^http://test.example.com"); // $ Alert
+	if (s.match("^http://test.example.com")) {} // $ Alert
 
 	function id(e) { return e; }
-	new RegExp(id(id(id("^http://test.example.com")))); // NOT OK
+	new RegExp(id(id(id("^http://test.example.com")))); // $ Alert
 
-	new RegExp(`test.example.com$`); // NOT OK
+	new RegExp(`test.example.com$`); // $ Alert
 
-	let hostname = '^test.example.com'; // NOT OK
+	let hostname = '^test.example.com'; // $ Alert
 	new RegExp(`${hostname}$`);
 
-	let domain = { hostname: 'test.example.com$' }; // NOT OK
+	let domain = { hostname: 'test.example.com$' }; // $ Alert
 	new RegExp(domain.hostname);
 
 	function convert1(domain) {
 		return new RegExp(domain.hostname);
 	}
-	convert1({ hostname: 'test.example.com$' }); // NOT OK
+	convert1({ hostname: 'test.example.com$' }); // $ Alert
 
-	let domains = [ { hostname: 'test.example.com$' } ];  // NOT OK
+	let domains = [ { hostname: 'test.example.com$' } ];  // $ Alert
 	function convert2(domain) {
 		return new RegExp(domain.hostname);
 	}
 	domains.map(d => convert2(d));
 
-	/^(.+\.(?:example-a|example-b)\.com)\//; // NOT OK
-	/^(https?:)?\/\/((service|www).)?example.com(?=$|\/)/; // NOT OK
-	/^(http|https):\/\/www.example.com\/p\/f\//; // NOT OK
-	/^(http:\/\/sub.example.com\/)/g; // NOT OK
-	/^https?:\/\/api.example.com/; // NOT OK
-	new RegExp('^http://localhost:8000|' + '^https?://.+\\.example\\.com/'); // NOT OK
-	new RegExp('^http[s]?:\/\/?sub1\\.sub2\\.example\\.com\/f\/(.+)'); // NOT OK
-	/^https:\/\/[a-z]*.example.com$/; // NOT OK
-	RegExp('^protos?://(localhost|.+.example.net|.+.example-a.com|.+.example-b.com|.+.example.internal)'); // NOT OK
+	/^(.+\.(?:example-a|example-b)\.com)\//; // $ Alert
+	/^(https?:)?\/\/((service|www).)?example.com(?=$|\/)/; // $ Alert
+	/^(http|https):\/\/www.example.com\/p\/f\//; // $ Alert
+	/^(http:\/\/sub.example.com\/)/g; // $ Alert
+	/^https?:\/\/api.example.com/; // $ Alert
+	new RegExp('^http://localhost:8000|' + '^https?://.+\\.example\\.com/'); // $ Alert
+	new RegExp('^http[s]?:\/\/?sub1\\.sub2\\.example\\.com\/f\/(.+)'); // $ Alert
+	/^https:\/\/[a-z]*.example.com$/; // $ Alert
+	RegExp('^protos?://(localhost|.+.example.net|.+.example-a.com|.+.example-b.com|.+.example.internal)'); // $ Alert
 
 	/^(example.dev|example.com)/; // OK
 
-	new RegExp('^http://localhost:8000|' + '^https?://.+.example\\.com/'); // NOT OK
+	new RegExp('^http://localhost:8000|' + '^https?://.+.example\\.com/'); // $ Alert
 
 	var primary = 'example.com$';
-	new RegExp('test.' + primary); // NOT OK, but not detected
+	new RegExp('test.' + primary); // $ MISSING: Alert
 
-	new RegExp('test.' + 'example.com$'); // NOT OK
+	new RegExp('test.' + 'example.com$'); // $ Alert
 
-	new RegExp('^http://test\.example.com'); // NOT OK
+	new RegExp('^http://test\.example.com'); // $ Alert
 
 	/^http:\/\/(..|...)\.example\.com\/index\.html/; // OK, wildcards are intentional
 	/^http:\/\/.\.example\.com\/index\.html/; // OK, the wildcard is intentional
 	/^(foo.example\.com|whatever)$/; // kinda OK - one disjunction doesn't even look like a hostname
 
-	if (s.matchAll("^http://test.example.com")) {} // NOT OK
+	if (s.matchAll("^http://test.example.com")) {} // $ Alert
 });