This adds Alert annotations for alerts that seem intended by the test but have not been annotated with 'NOT OK', or where the comment was in the wrong place. In a few cases I included 'Source' expectations to make it easier to see what happened. Other 'Source' expectations will be added in bulk in a later commit.
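// Fixture: HTML-escapes `"`, `'` and `&`, but `&` is handled last, so the `&`
// introduced by the `&quot;` / `&#39;` replacements is escaped a second time
// (`"` ends up as `&amp;quot;`). `$ Alert` marks the line the query under test
// is expected to report.
// NOTE(review): the rendered listing had entity-decoded the replacement strings
// (`"""`, `"'"`, `"&"`), which is not valid JS; `&quot;`, `&#39;` and `&amp;`
// are restored here — confirm the exact entities against the repository.
function badEncode(s) {
  return s.replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/&/g, "&amp;"); // $ Alert
}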
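// Fixture: the correct escaping order — `&` is escaped first, so the `&` of the
// `&quot;` / `&#39;` replacements that follow is not escaped again. No `$ Alert`:
// the query under test is not expected to report this function.
// NOTE(review): the replacement strings were entity-decoded in the rendered
// listing; `&amp;`, `&quot;` and `&#39;` are restored here — confirm the exact
// entities against the repository.
function goodEncode(s) {
  return s.replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}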
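// Fixture: the correct unescaping order — `&amp;` is decoded last, so an `&` it
// produces cannot combine with the following text into a second entity
// (`&amp;quot;` decodes to `&quot;`, not to `"`). Not expected to be reported.
// NOTE(review): the patterns were entity-decoded in the rendered listing;
// `&quot;`, `&#39;` and `&amp;` are restored here — confirm the exact entities
// against the repository.
function goodDecode(s) {
  return s.replace(/&quot;/g, "\"")
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&");
}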
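// Fixture: unescapes `&amp;` first, so the `&` it produces can join the text
// after it and be decoded a second time by the later steps (`&amp;quot;`
// becomes `"` instead of `&quot;`). `$ Alert` marks the line the query under
// test is expected to report.
// NOTE(review): the patterns were entity-decoded in the rendered listing;
// `&amp;`, `&quot;` and `&#39;` are restored here — confirm the exact entities
// against the repository.
function badDecode(s) {
  return s.replace(/&amp;/g, "&") // $ Alert
    .replace(/&quot;/g, "\"")
    .replace(/&#39;/g, "'");
}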
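// Fixture: escapes `<` and `>` first and `&` last, but only an `&` that is not
// already the start of an entity-like sequence (negative lookahead
// `(?![\w\#]+;)`), so the `&lt;` / `&gt;` just produced are left untouched.
// Not marked with `$ Alert`.
// NOTE(review): `&lt;`, `&gt;` and `&amp;` are restored from the entity-decoded
// rendered listing — confirm against the repository.
function cleverEncode(code) {
  return code.replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/&(?![\w\#]+;)/g, '&amp;');
}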
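// Fixture: same wrong order as badDecode (`&amp;` decoded first) with an
// unrelated replacement in between; the `&` produced by the first step can
// still be decoded again by the last one (`&amp;#39;` becomes `'`).
// `$ Alert` marks the line the query under test is expected to report.
// NOTE(review): `&amp;` and `&#39;` are restored from the entity-decoded
// rendered listing — confirm against the repository.
function badDecode2(s) {
  return s.replace(/&amp;/g, "&") // $ Alert
    .replace(/s?ome|thin*g/g, "else")
    .replace(/&#39;/g, "'");
}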
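// Fixture: the correct unescaping order (`&amp;` last), applied to each element
// of `ss` by reassigning the loop variable; returns the decoded strings in order.
// Not expected to be reported.
// NOTE(review): the patterns were entity-decoded in the rendered listing;
// `&quot;`, `&#39;` and `&amp;` are restored here — confirm the exact entities
// against the repository.
function goodDecodeInLoop(ss) {
  const res = [];
  for (let s of ss) {
    s = s.replace(/&quot;/g, "\"")
      .replace(/&#39;/g, "'")
      .replace(/&amp;/g, "&");
    res.push(s);
  }
  return res;
}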
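// Fixture: the wrong unescaping order written as successive reassignments of
// `s` instead of a call chain; `&amp;` is decoded first, so `&amp;quot;`
// becomes `"`. `$ Alert` marks the line the query under test is expected to
// report.
// NOTE(review): the patterns were entity-decoded in the rendered listing;
// `&amp;`, `&quot;` and `&#39;` are restored here — confirm the exact entities
// against the repository.
function badDecode3(s) {
  s = s.replace(/&amp;/g, "&"); // $ Alert
  s = s.replace(/&quot;/g, "\"");
  return s.replace(/&#39;/g, "'");
}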
// Fixture: unescapes backslash sequences in the wrong order — `\\` is collapsed
// to `\` first, so a backslash it produces can pair with a following quote and
// be treated as an escaped quote by the next step (`\\'` becomes `'`, not `\'`).
// `$ Alert` marks the line the query under test is expected to report.
function badUnescape(s) {
  const withSingleBackslashes = s.replace(/\\\\/g, '\\'); // $ Alert
  const withSingleQuotes = withSingleBackslashes.replace(/\\'/g, '\'');
  return withSingleQuotes.replace(/\\"/g, '\"');
}
// Fixture: percent-encodes `&` before `%`, so the `%` introduced by `%26` is
// encoded again (`&` ends up as `%2526`). `$ Alert` marks the line the query
// under test is expected to report.
function badPercentEscape(s) {
  const ampersandsEscaped = s.replace(/&/g, '%26');
  return ampersandsEscaped.replace(/%/g, '%25'); // $ Alert
}
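// Fixture: the same wrong escaping order as the first badEncode, but with the
// regular expressions held in local variables rather than written inline;
// `&` is still escaped last, so `"` ends up as `&amp;quot;`. `$ Alert` marks
// the line the query under test is expected to report. Re-declares `badEncode`;
// in a running script only the last declaration survives.
// NOTE(review): the replacement strings were entity-decoded in the rendered
// listing; `&quot;`, `&#39;` and `&amp;` are restored here — confirm the exact
// entities against the repository.
function badEncode(s) {
  var indirect1 = /"/g;
  var indirect2 = /'/g;
  var indirect3 = /&/g;
  return s.replace(indirect1, "&quot;")
    .replace(indirect2, "&#39;")
    .replace(indirect3, "&amp;"); // $ Alert
}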
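// Fixture: `"` and `'` are escaped through a lookup table passed as a replacer
// function, and `&` is escaped afterwards with a plain replace; the `&` in the
// table values is therefore escaped again (`"` ends up as `&amp;quot;`).
// `$ Alert` marks the line the query under test is expected to report.
// NOTE(review): the table values and the final replacement string were
// entity-decoded in the rendered listing; `&quot;`, `&#39;` and `&amp;` are
// restored here — confirm the exact entities against the repository.
function badEncodeWithReplacer(s) {
  var repl = {
    '"': "&quot;",
    "'": "&#39;",
    "&": "&amp;"
  };
  return s.replace(/["']/g, (c) => repl[c]).replace(/&/g, "&amp;"); // $ Alert
}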
// dubious, but out of scope for this query
// Fixture: collapses `\\` to `\` and then doubles every `\` again, so the input
// is not preserved (a single `\` comes back as `\\`). Not marked with `$ Alert`.
function badRoundtrip(s) {
  const collapsed = s.replace(/\\\\/g, "\\");
  return collapsed.replace(/\\/g, "\\\\");
}
// Fixture: the replacement is applied to a variable captured by an inner
// function rather than directly to the parameter; nothing is returned, so the
// doubled backslashes are not observable outside the closure.
function testWithCapturedVar(x) {
  let captured = x;
  const doubleBackslashes = () => {
    captured = captured.replace(/\\/g, "\\\\");
  };
  doubleBackslashes();
}
// Fixture: encode, decode, encode again using the correctly ordered helpers
// defined above; with the correct orders each step undoes or redoes the
// previous one, so no double escaping occurs.
function encodeDecodeEncode(s) {
  const encodedOnce = goodEncode(s);
  const decoded = goodDecode(encodedOnce);
  return goodEncode(decoded);
}
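// Fixture: the wrong escaping order (`&` last) with the patterns built via
// `new RegExp(..., "g")` instead of regex literals; `"` still ends up as
// `&amp;quot;`. `$ Alert` marks the line the query under test is expected to
// report. Re-declares `badEncode`; in a running script only the last
// declaration survives.
// NOTE(review): the replacement strings were entity-decoded in the rendered
// listing; `&quot;`, `&#39;` and `&amp;` are restored here — confirm the exact
// entities against the repository.
function badEncode(s) {
  return s.replace(new RegExp("\"", "g"), "&quot;")
    .replace(new RegExp("\'", "g"), "&#39;")
    .replace(new RegExp("&", "g"), "&amp;"); // $ Alert
}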
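// Fixture: same `&`-last order as badEncode, but the patterns are built with an
// empty flags string, so each replace touches only the first match. Not marked
// with `$ Alert` — presumably because the replacements are not global; confirm
// against the query. Note that at runtime the first `&` produced by `&quot;`
// is still re-escaped (`"` becomes `&amp;quot;`). Re-declares `goodEncode`.
// NOTE(review): the replacement strings were entity-decoded in the rendered
// listing; `&quot;`, `&#39;` and `&amp;` are restored here — confirm the exact
// entities against the repository.
function goodEncode(s) {
  return s.replace(new RegExp("\"", ""), "&quot;")
    .replace(new RegExp("\'", ""), "&#39;")
    .replace(new RegExp("&", ""), "&amp;");
}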
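// Fixture: same `&`-last order, but the regex flags come from `unknownFlags()`,
// which is not defined in this file, so whether the replaces are global is not
// known statically. Not marked with `$ Alert`. Re-declares `goodEncode`.
// NOTE(review): the replacement strings were entity-decoded in the rendered
// listing; `&quot;`, `&#39;` and `&amp;` are restored here — confirm the exact
// entities against the repository.
function goodEncode(s) {
  return s.replace(new RegExp("\"", unknownFlags()), "&quot;")
    .replace(new RegExp("\'", unknownFlags()), "&#39;")
    .replace(new RegExp("&", unknownFlags()), "&amp;");
}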