Test: Add support for RelatedLocation tag and use in a JS query #18810
+85
−59
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This query flags the cookie-parsing middleware in order to consolidate huge numbers of alerts into a single alert, which is more manageable. But simply annotating the cookie-parsing middleware with 'Alert' isn't a very useful, we want to annotate which middlewares are vulnerable.
Source tags should no longer be used when on the same line as the Alert. The ones in this file went unnoticed however because *all* of them were on the same line as an Alert, which made the test library ignore all Source tags.
asgerf
force-pushed
the
js/test-related-locations
branch
from
a7e9dd1 to
cd0fd02
Compare
There was a problem hiding this comment.
PR Overview
This PR migrates several JavaScript and Rust security query tests to use inline expectations for indicating alerts and related location annotations, thereby standardizing test annotations. Key changes include:
- Adding inline comments (e.g. “// $ Alert”, “// $ RelatedLocation”) to annotate test expectations.
- Removing “NOT OK” markers in favor of inline annotations for clarity.
- Switching alert tags in Rust tests from “$ Source Alert” to “$ Alert” for consistency.
Reviewed Changes
| File | Description |
|---|---|
| javascript/ql/test/query-tests/Security/CWE-352/fastify2.js | Adds inline alert and related location annotations for the Fastify-based test. |
| javascript/ql/test/query-tests/Security/CWE-352/fastify.js | Applies similar inline annotation changes as fastify2.js. |
| javascript/ql/test/query-tests/Security/CWE-352/tst.js | Updates inline annotations on cookie usage and related locations. |
| javascript/ql/test/query-tests/Security/CWE-352/MissingCsrfMiddlewareBad.js | Migrates inline expectations in the missing CSRF middleware test. |
| javascript/ql/test/query-tests/Security/CWE-352/csurf_example.js | Adds inline alert and related annotations for csurf examples. |
| javascript/ql/test/query-tests/Security/CWE-352/csurf_api_example.js | Standardizes inline comments for API examples regarding cookie usage. |
| javascript/ql/test/query-tests/Security/CWE-352/unused_cookies.js | Updates inline annotations to reflect cookie-related vulnerability expectations. |
| javascript/ql/test/query-tests/Security/CWE-352/lusca_example.js | Aligns annotations for lusca examples with the new inline expectation style. |
| rust/ql/test/query-tests/security/CWE-328/test.rs | Adjusts alert annotations for weak-sensitive-data-hashing tests to use unified tags. |
Copilot reviewed 11 out of 11 changed files in this pull request and generated no comments.
Comments suppressed due to low confidence (1)
rust/ql/test/query-tests/security/CWE-328/test.rs:74
- The inline expectation tag here is marked as '$ MISSING: Alert'. Consider updating it to '$ Alert' to maintain consistency with the rest of the changes.
_ = md5::Md5::new().chain_update(harmless).chain_update(password).chain_update(harmless).finalize(); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
Tip: If you use Visual Studio Code, you can request a review from Copilot before you push from the "Source Control" tab. Learn more
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds support for marking related locations with
// $ RelatedLocationinline comments. They are only expected if at least one such comment exists in the test; and if so then all related locations must be annotated.Some queries use a primary alert location such that a large number of alerts get consolidated into a single alert. For such queries simply putting
$ Alerton the consolidated alert line isn't a good choice. For path problems this is rarely a problem as we haveSourceandSinktags, but for non-path problems it can be an issue.This PR migrates the JS
MissingCsrfMiddlewaretest to inline expectations so the behaviour is exercised. This query flags the cookie-parsing middleware function, as opposed to the vulnerable route handler function, because there can be a huge number of vulnerable route handlers that are all far away from the root cause of the vulnerability.