mrva/vscode-codeql
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

Markdown rendering: Display paths

Browse Source
This commit is contained in:
shati-patel
2022-04-22 17:09:59 +01:00
committed by Shati Patel
parent 5ee2f0efe1
commit f55f46f95b
3 changed files with 282 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

71
extensions/ql-vscode/src/remote-queries/remote-queries-markdown-generation.ts
View File

@@ -89,8 +89,8 @@ function generateMarkdownForInterpretedResult(interpretedResult: AnalysisAlert,
...generateMarkdownForCodeSnippet(codeSnippet, language, highlightedRegion),
);
}
const alertMessage = buildMarkdownAlertMessage(interpretedResult);
lines.push(alertMessage);
const alertMessageLines = buildMarkdownAlertMessage(interpretedResult, language);
lines.push(...alertMessageLines);
// Padding between results
lines.push(
@@ -142,22 +142,67 @@ function highlightCodeLines(
return `${partiallyHighlightedLine.plainSection1}<strong>${partiallyHighlightedLine.highlightedSection}</strong>${partiallyHighlightedLine.plainSection2}`;
}
function buildMarkdownAlertMessage(interpretedResult: AnalysisAlert): string {
function buildMarkdownAlertMessage(
interpretedResult: AnalysisAlert,
language: string
): string[] {
const hasPathResults = interpretedResult.codeFlows.length > 0;
if (hasPathResults) {
// For path-problem queries, the "alert message" is an expandable section containing the path results.
return buildMarkdownPathResults(interpretedResult, language);
} else {
let alertMessage = '';
// For regular problem queries (no paths), the alert message is just a message
// containing a link to the affected file.
for (const token of interpretedResult.message.tokens) {
if (token.t === 'text') {
alertMessage += token.text;
} else if (token.t === 'location') {
alertMessage += createMarkdownRemoteFileRef(
token.location.fileLink,
token.location.highlightedRegion?.startLine,
token.location.highlightedRegion?.endLine,
token.text
);
}
}
// Italicize the alert message
return [`*${alertMessage}*`];
}
}
function buildMarkdownPathResults(
interpretedResult: AnalysisAlert,
language: string
): MarkdownFile {
let alertMessage = '';
for (const token of interpretedResult.message.tokens) {
if (token.t === 'text') {
alertMessage += token.text;
} else if (token.t === 'location') {
alertMessage += createMarkdownRemoteFileRef(
token.location.fileLink,
token.location.highlightedRegion?.startLine,
token.location.highlightedRegion?.endLine,
token.text,
alertMessage += token.text;
}
const pathLines: MarkdownFile = [];
pathLines.push('#### Paths', '');
for (const codeFlow of interpretedResult.codeFlows) {
const stepCount = codeFlow.threadFlows.length;
pathLines.push(`Path with ${stepCount} steps`);
let index = 1;
for (const threadFlow of codeFlow.threadFlows) {
const link = createMarkdownRemoteFileRef(
threadFlow.fileLink,
threadFlow.highlightedRegion?.startLine,
threadFlow.highlightedRegion?.endLine
);
const codeSnippet = generateMarkdownForCodeSnippet(
threadFlow.codeSnippet,
language,
threadFlow.highlightedRegion
);
// Indent the snippet to fit with the numbered list.
const codeSnippetIndented = codeSnippet.map((line) => ` ${line}`);
pathLines.push(`${index}. ${link}`, ...codeSnippetIndented);
index++;
}
}
// Italicize the alert message
return `*${alertMessage}*`;
return buildExpandableMarkdownSection(`<i>${alertMessage}</i>`, pathLines);
}
/**

151
extensions/ql-vscode/test/pure-tests/remote-queries/markdown-generation/data/interpreted-results/path-problem/results-repo1.md
View File

@@ -8,7 +8,54 @@
}
</code></pre>
*This shell command depends on an uncontrolled [absolute path](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/src/Security/CWE-078/examples/shell-command-injection-from-environment.js#L4-L4).*
<details>
<summary><i>This shell command depends on an uncontrolled absolute path.</i></summary>
#### Paths
Path with 5 steps
1. [javascript/ql/src/Security/CWE-078/examples/shell-command-injection-from-environment.js](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/src/Security/CWE-078/examples/shell-command-injection-from-environment.js#L4-L4)
<pre><code class="javascript"> path = require("path");
function cleanupTemp() {
let cmd = "rm -rf " + path.join(<strong>__dirname</strong>, "temp");
cp.execSync(cmd); // BAD
}
</code></pre>
2. [javascript/ql/src/Security/CWE-078/examples/shell-command-injection-from-environment.js](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/src/Security/CWE-078/examples/shell-command-injection-from-environment.js#L4-L4)
<pre><code class="javascript"> path = require("path");
function cleanupTemp() {
let cmd = "rm -rf " + <strong>path.join(__dirname, "temp")</strong>;
cp.execSync(cmd); // BAD
}
</code></pre>
3. [javascript/ql/src/Security/CWE-078/examples/shell-command-injection-from-environment.js](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/src/Security/CWE-078/examples/shell-command-injection-from-environment.js#L4-L4)
<pre><code class="javascript"> path = require("path");
function cleanupTemp() {
let cmd = <strong>"rm -rf " + path.join(__dirname, "temp")</strong>;
cp.execSync(cmd); // BAD
}
</code></pre>
4. [javascript/ql/src/Security/CWE-078/examples/shell-command-injection-from-environment.js](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/src/Security/CWE-078/examples/shell-command-injection-from-environment.js#L4-L4)
<pre><code class="javascript"> path = require("path");
function cleanupTemp() {
let <strong>cmd = "rm -rf " + path.join(__dirname, "temp")</strong>;
cp.execSync(cmd); // BAD
}
</code></pre>
5. [javascript/ql/src/Security/CWE-078/examples/shell-command-injection-from-environment.js](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/src/Security/CWE-078/examples/shell-command-injection-from-environment.js#L5-L5)
<pre><code class="javascript">function cleanupTemp() {
let cmd = "rm -rf " + path.join(__dirname, "temp");
cp.execSync(<strong>cmd</strong>); // BAD
}
</code></pre>
</details>
----------------------------------------
@@ -21,7 +68,39 @@
execa.shell('rm -rf ' + path.join(__dirname, "temp")); // NOT OK
</code></pre>
*This shell command depends on an uncontrolled [absolute path](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js#L6-L6).*
<details>
<summary><i>This shell command depends on an uncontrolled absolute path.</i></summary>
#### Paths
Path with 3 steps
1. [javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js#L6-L6)
<pre><code class="javascript">(function() {
cp.execFileSync('rm', ['-rf', path.join(__dirname, "temp")]); // GOOD
cp.execSync('rm -rf ' + path.join(<strong>__dirname</strong>, "temp")); // BAD
execa.shell('rm -rf ' + path.join(__dirname, "temp")); // NOT OK
</code></pre>
2. [javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js#L6-L6)
<pre><code class="javascript">(function() {
cp.execFileSync('rm', ['-rf', path.join(__dirname, "temp")]); // GOOD
cp.execSync('rm -rf ' + <strong>path.join(__dirname, "temp")</strong>); // BAD
execa.shell('rm -rf ' + path.join(__dirname, "temp")); // NOT OK
</code></pre>
3. [javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js#L6-L6)
<pre><code class="javascript">(function() {
cp.execFileSync('rm', ['-rf', path.join(__dirname, "temp")]); // GOOD
cp.execSync(<strong>'rm -rf ' + path.join(__dirname, "temp")</strong>); // BAD
execa.shell('rm -rf ' + path.join(__dirname, "temp")); // NOT OK
</code></pre>
</details>
----------------------------------------
@@ -34,7 +113,39 @@
</code></pre>
*This shell command depends on an uncontrolled [absolute path](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js#L8-L8).*
<details>
<summary><i>This shell command depends on an uncontrolled absolute path.</i></summary>
#### Paths
Path with 3 steps
1. [javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js#L8-L8)
<pre><code class="javascript"> cp.execSync('rm -rf ' + path.join(__dirname, "temp")); // BAD
execa.shell('rm -rf ' + path.join(<strong>__dirname</strong>, "temp")); // NOT OK
execa.shellSync('rm -rf ' + path.join(__dirname, "temp")); // NOT OK
</code></pre>
2. [javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js#L8-L8)
<pre><code class="javascript"> cp.execSync('rm -rf ' + path.join(__dirname, "temp")); // BAD
execa.shell('rm -rf ' + <strong>path.join(__dirname, "temp")</strong>); // NOT OK
execa.shellSync('rm -rf ' + path.join(__dirname, "temp")); // NOT OK
</code></pre>
3. [javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js#L8-L8)
<pre><code class="javascript"> cp.execSync('rm -rf ' + path.join(__dirname, "temp")); // BAD
execa.shell(<strong>'rm -rf ' + path.join(__dirname, "temp")</strong>); // NOT OK
execa.shellSync('rm -rf ' + path.join(__dirname, "temp")); // NOT OK
</code></pre>
</details>
----------------------------------------
@@ -47,6 +158,38 @@
const safe = "\"" + path.join(__dirname, "temp") + "\"";
</code></pre>
*This shell command depends on an uncontrolled [absolute path](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js#L9-L9).*
<details>
<summary><i>This shell command depends on an uncontrolled absolute path.</i></summary>
#### Paths
Path with 3 steps
1. [javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js#L9-L9)
<pre><code class="javascript">
execa.shell('rm -rf ' + path.join(__dirname, "temp")); // NOT OK
execa.shellSync('rm -rf ' + path.join(<strong>__dirname</strong>, "temp")); // NOT OK
const safe = "\"" + path.join(__dirname, "temp") + "\"";
</code></pre>
2. [javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js#L9-L9)
<pre><code class="javascript">
execa.shell('rm -rf ' + path.join(__dirname, "temp")); // NOT OK
execa.shellSync('rm -rf ' + <strong>path.join(__dirname, "temp")</strong>); // NOT OK
const safe = "\"" + path.join(__dirname, "temp") + "\"";
</code></pre>
3. [javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js#L9-L9)
<pre><code class="javascript">
execa.shell('rm -rf ' + path.join(__dirname, "temp")); // NOT OK
execa.shellSync(<strong>'rm -rf ' + path.join(__dirname, "temp")</strong>); // NOT OK
const safe = "\"" + path.join(__dirname, "temp") + "\"";
</code></pre>
</details>
----------------------------------------

78
extensions/ql-vscode/test/pure-tests/remote-queries/markdown-generation/data/interpreted-results/path-problem/results-repo2.md
View File

@@ -9,6 +9,82 @@
}
</code></pre>
*This shell command depends on an uncontrolled [absolute path](https://github.com/meteor/meteor/blob/73b538fe201cbfe89dd0c709689023f9b3eab1ec/npm-packages/meteor-installer/config.js#L39-L39).*
<details>
<summary><i>This shell command depends on an uncontrolled absolute path.</i></summary>
#### Paths
Path with 7 steps
1. [npm-packages/meteor-installer/config.js](https://github.com/meteor/meteor/blob/73b538fe201cbfe89dd0c709689023f9b3eab1ec/npm-packages/meteor-installer/config.js#L39-L39)
<pre><code class="javascript">
const meteorLocalFolder = '.meteor';
const meteorPath = <strong>path.resolve(rootPath, meteorLocalFolder)</strong>;
module.exports = {
</code></pre>
2. [npm-packages/meteor-installer/config.js](https://github.com/meteor/meteor/blob/73b538fe201cbfe89dd0c709689023f9b3eab1ec/npm-packages/meteor-installer/config.js#L39-L39)
<pre><code class="javascript">
const meteorLocalFolder = '.meteor';
const <strong>meteorPath = path.resolve(rootPath, meteorLocalFolder)</strong>;
module.exports = {
</code></pre>
3. [npm-packages/meteor-installer/config.js](https://github.com/meteor/meteor/blob/73b538fe201cbfe89dd0c709689023f9b3eab1ec/npm-packages/meteor-installer/config.js#L44-L44)
<pre><code class="javascript"> METEOR_LATEST_VERSION,
extractPath: rootPath,
<strong>meteorPath</strong>,
release: process.env.INSTALL_METEOR_VERSION || METEOR_LATEST_VERSION,
rootPath,
</code></pre>
4. [npm-packages/meteor-installer/install.js](https://github.com/meteor/meteor/blob/73b538fe201cbfe89dd0c709689023f9b3eab1ec/npm-packages/meteor-installer/install.js#L12-L12)
<pre><code class="javascript">const os = require('os');
const {
<strong>meteorPath</strong>,
release,
startedPath,
</code></pre>
5. [npm-packages/meteor-installer/install.js](https://github.com/meteor/meteor/blob/73b538fe201cbfe89dd0c709689023f9b3eab1ec/npm-packages/meteor-installer/install.js#L11-L23)
<pre><code class="javascript">const tmp = require('tmp');
const os = require('os');
const <strong>{</strong>
<strong> meteorPath,</strong>
<strong> release,</strong>
<strong> startedPath,</strong>
<strong> extractPath,</strong>
<strong> isWindows,</strong>
<strong> rootPath,</strong>
<strong> sudoUser,</strong>
<strong> isSudo,</strong>
<strong> isMac,</strong>
<strong> METEOR_LATEST_VERSION,</strong>
<strong> shouldSetupExecPath,</strong>
<strong>} = require('./config.js')</strong>;
const { uninstall } = require('./uninstall');
const {
</code></pre>
6. [npm-packages/meteor-installer/install.js](https://github.com/meteor/meteor/blob/73b538fe201cbfe89dd0c709689023f9b3eab1ec/npm-packages/meteor-installer/install.js#L259-L259)
<pre><code class="javascript"> if (isWindows()) {
//set for the current session and beyond
child_process.execSync(`setx path "${<strong>meteorPath</strong>}/;%path%`);
return;
}
</code></pre>
7. [npm-packages/meteor-installer/install.js](https://github.com/meteor/meteor/blob/73b538fe201cbfe89dd0c709689023f9b3eab1ec/npm-packages/meteor-installer/install.js#L259-L259)
<pre><code class="javascript"> if (isWindows()) {
//set for the current session and beyond
child_process.execSync(<strong>`setx path "${meteorPath}/;%path%`</strong>);
return;
}
</code></pre>
</details>
----------------------------------------