JS: Port IncompleteUrlSubstringSanitization test

2026-04-27 09:45:15 +02:00 · 2025-01-10 14:14:31 +01:00
parent 6b4be13a8e
commit c2b65b1f85
3 changed files with 37 additions and 31 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization/IncompleteUrlSubstringSanitization.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization/IncompleteUrlSubstringSanitization.expected
@@ -1,3 +1,4 @@
+problems
 | tst-IncompleteUrlSubstringSanitization.js:4:5:4:34 | x.index ...  !== -1 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.js:4:15:4:26 | "secure.com" | secure.com |
 | tst-IncompleteUrlSubstringSanitization.js:5:5:5:34 | x.index ...  !== -1 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.js:5:15:5:26 | "secure.net" | secure.net |
 | tst-IncompleteUrlSubstringSanitization.js:6:5:6:35 | x.index ...  !== -1 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.js:6:15:6:27 | ".secure.com" | .secure.com |
@@ -23,3 +24,7 @@
 | tst-IncompleteUrlSubstringSanitization.js:73:5:73:48 | x.index ... ") >= 0 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.js:73:15:73:42 | "https: ... oo/bar" | https://secure.com/foo/bar |
 | tst-IncompleteUrlSubstringSanitization.js:74:5:74:40 | x.index ... ") >= 0 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.js:74:15:74:34 | "https://secure.com" | https://secure.com |
 | tst-IncompleteUrlSubstringSanitization.js:75:5:75:52 | x.index ... ") >= 0 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.js:75:15:75:46 | "https: ... ar-baz" | https://secure.com/foo/bar-baz |
+testFailures
+| tst-IncompleteUrlSubstringSanitization.js:62:2:62:31 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | Unexpected result: Alert |
+| tst-IncompleteUrlSubstringSanitization.js:63:4:63:33 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | Unexpected result: Alert |
+| tst-IncompleteUrlSubstringSanitization.js:64:3:64:26 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | Unexpected result: Alert |
--- a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization/IncompleteUrlSubstringSanitization.qlref
+++ b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization/IncompleteUrlSubstringSanitization.qlref
@@ -1 +1,2 @@
-Security/CWE-020/IncompleteUrlSubstringSanitization.ql
+query: Security/CWE-020/IncompleteUrlSubstringSanitization.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization/tst-IncompleteUrlSubstringSanitization.js
+++ b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization/tst-IncompleteUrlSubstringSanitization.js
@@ -1,23 +1,23 @@
 (function(x){
-    x.indexOf("internal") !== -1; // NOT OK, but not flagged
-    x.indexOf("localhost") !== -1; // NOT OK, but not flagged
-    x.indexOf("secure.com") !== -1; // NOT OK
-    x.indexOf("secure.net") !== -1; // NOT OK
-    x.indexOf(".secure.com") !== -1; // NOT OK
-    x.indexOf("sub.secure.") !== -1; // NOT OK, but not flagged
-    x.indexOf(".sub.secure.") !== -1; // NOT OK, but not flagged
+    x.indexOf("internal") !== -1; // $ MISSING: Alert
+    x.indexOf("localhost") !== -1; // $ MISSING: Alert
+    x.indexOf("secure.com") !== -1; // $ Alert
+    x.indexOf("secure.net") !== -1; // $ Alert
+    x.indexOf(".secure.com") !== -1; // $ Alert
+    x.indexOf("sub.secure.") !== -1; // $ MISSING: Alert
+    x.indexOf(".sub.secure.") !== -1; // $ MISSING: Alert

-    x.indexOf("secure.com") === -1; // NOT OK
-    x.indexOf("secure.com") === 0; // NOT OK
-    x.indexOf("secure.com") >= 0; // NOT OK
+    x.indexOf("secure.com") === -1; // $ Alert
+    x.indexOf("secure.com") === 0; // $ Alert
+    x.indexOf("secure.com") >= 0; // $ Alert

-    x.startsWith("https://secure.com"); // NOT OK
-    x.endsWith("secure.com"); // NOT OK
+    x.startsWith("https://secure.com"); // $ Alert
+    x.endsWith("secure.com"); // $ Alert
    x.endsWith(".secure.com"); // OK
    x.startsWith("secure.com/"); // OK
    x.indexOf("secure.com/") === 0; // OK

-    x.includes("secure.com"); // NOT OK
+    x.includes("secure.com"); // $ Alert

    x.indexOf("#") !== -1; // OK
    x.indexOf(":") !== -1; // OK
@@ -29,11 +29,11 @@
    x.indexOf("some/path") !== -1; // OK
    x.indexOf("/index.html") !== -1; // OK
    x.indexOf(":template:") !== -1; // OK
-    x.indexOf("https://secure.com") !== -1; // NOT OK
-    x.indexOf("https://secure.com:443") !== -1; // NOT OK
-    x.indexOf("https://secure.com/") !== -1; // NOT OK
+    x.indexOf("https://secure.com") !== -1; // $ Alert
+    x.indexOf("https://secure.com:443") !== -1; // $ Alert
+    x.indexOf("https://secure.com/") !== -1; // $ Alert

-    x.indexOf(".cn") !== -1; // NOT OK, but not flagged
+    x.indexOf(".cn") !== -1; // $ MISSING: Alert
    x.indexOf(".jpg") !== -1; // OK
    x.indexOf("index.html") !== -1; // OK
    x.indexOf("index.js") !== -1; // OK
@@ -43,34 +43,34 @@
    x.indexOf("secure=true") !== -1; // OK (query param)
    x.indexOf("&auth=") !== -1; // OK (query param)

-    x.indexOf(getCurrentDomain()) !== -1; // NOT OK, but not flagged
-    x.indexOf(location.origin) !== -1; // NOT OK, but not flagged
+    x.indexOf(getCurrentDomain()) !== -1; // $ MISSING: Alert
+    x.indexOf(location.origin) !== -1; // $ MISSING: Alert

 	x.indexOf("tar.gz") + offset; // OK
 	x.indexOf("tar.gz") - offset; // OK

-    x.indexOf("https://example.internal") !== -1; // NOT OK
+    x.indexOf("https://example.internal") !== -1; // $ Alert
    x.indexOf("https://") !== -1; // OK

-    x.startsWith("https://example.internal"); // NOT OK
-    x.indexOf('https://example.internal.org') !== 0; // NOT OK
-    x.indexOf('https://example.internal.org') === 0; // NOT OK
-    x.endsWith("internal.com"); // NOT OK
+    x.startsWith("https://example.internal"); // $ Alert
+    x.indexOf('https://example.internal.org') !== 0; // $ Alert
+    x.indexOf('https://example.internal.org') === 0; // $ Alert
+    x.endsWith("internal.com"); // $ Alert
    x.startsWith("https://example.internal:80"); // OK

-	x.indexOf("secure.com") !== -1; // NOT OK
+	x.indexOf("secure.com") !== -1; // $ Alert
 	x.indexOf("secure.com") === -1; // OK
 	!(x.indexOf("secure.com") !== -1); // OK
 	!x.includes("secure.com"); // OK

-	if(!x.includes("secure.com")) { // NOT OK
+	if(!x.includes("secure.com")) { // $ Alert

 	} else {
 		doSomeThingWithTrustedURL(x);
    }
-    
+
    x.startsWith("https://secure.com/foo/bar"); // OK - a forward slash after the domain makes prefix checks safe.
-    x.indexOf("https://secure.com/foo/bar") >= 0 // NOT OK - the url can be anywhere in the string.
-    x.indexOf("https://secure.com") >= 0 // NOT OK
-    x.indexOf("https://secure.com/foo/bar-baz") >= 0 // NOT OK - the url can be anywhere in the string.
+    x.indexOf("https://secure.com/foo/bar") >= 0 // $ Alert - the url can be anywhere in the string.
+    x.indexOf("https://secure.com") >= 0 // $ Alert
+    x.indexOf("https://secure.com/foo/bar-baz") >= 0 // $ Alert - the url can be anywhere in the string.
 });