JS: Update test suite to use post-processed inline expectations #18670

asgerf · 2025-02-04T11:54:50Z

Updates all of JavaScript's query tests to use post-processed inline expectations except in a few cases where it's not possible. Overall 233 query tests consisting of 712 JavaScript files have been updated.

Inline expectations are now written as // $ Alert instead of // NOT OK. Our old NOT OK-style comments were not automatically verified for consistency except in a handful of cases, so some discrepancies have crept in over the years. This PR reviews and fixes up these discrepancies and of course prevents them from being introduced in the future.

Only query tests have been updated. Library tests have to be implemented a bit differently; that's for another PR.

This PR has the following overall structure:

Automatically translate all OK-style comments to $-style. This step tries to capture the original intent behind the test, and does not try to adhere to actual query output.
Enable post-processing in .qlref files and run the test to get a list of discrepancies.
Fix trivial/unsurprising discrepancies. There are many alerts that simply didn't have a NOT OK comment, but where it's farily easy too see from the test that it was intended to be flagged. There are many of these and I found it's probably easiest to spot check some results from a single commit than having 100+ commits with "trivial" changes.
A long tail of small but non-trivial changes in individual commits, usually with a commit message to explain the rationale for the change.

In a few cases the underlying bugs were simple enough that I went ahead and fixed them on the spot.

javascript/ql/test/query-tests/Comments/CommentedOutCode/CommentedOutCode.qlref

@@ -1 +1 @@
-Comments/CommentedOutCode.ql
+query: Comments/CommentedOutCode.ql


javascript/ql/test/query-tests/Comments/TodoComments/TodoComments.qlref

@@ -1 +1 @@
-Comments/TodoComments.ql
+query: Comments/TodoComments.ql


...pt/ql/test/query-tests/JSDoc/JSDocForNonExistentParameter/JSDocForNonExistentParameter.qlref

@@ -1 +1 @@
-JSDoc/JSDocForNonExistentParameter.ql
+query: JSDoc/JSDocForNonExistentParameter.ql


javascript/ql/test/query-tests/LanguageFeatures/ConditionalComments/ConditionalComments.qlref

@@ -1 +1 @@
-LanguageFeatures/ConditionalComments.ql
+query: LanguageFeatures/ConditionalComments.ql


javascript/ql/test/query-tests/NodeJS/UnusedDependency/UnusedDependency.qlref

@@ -1 +1 @@
-NodeJS/UnusedDependency.ql
+query: NodeJS/UnusedDependency.ql


javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/ExpressionInjection.qlref

@@ -1 +1 @@
-Security/CWE-094/ExpressionInjection.ql
+query: Security/CWE-094/ExpressionInjection.ql


javascript/ql/test/query-tests/Security/CWE-300/InsecureDependencyResolution.qlref

@@ -1 +1 @@
-Security/CWE-300/InsecureDependencyResolution.ql
+query: Security/CWE-300/InsecureDependencyResolution.ql


javascript/ql/test/query-tests/Security/CWE-312/ActionsArtifactLeak.qlref

@@ -1 +1 @@
-Security/CWE-312/ActionsArtifactLeak.ql
+query: Security/CWE-312/ActionsArtifactLeak.ql


javascript/ql/test/query-tests/Security/CWE-313/PasswordInConfigurationFile.qlref

@@ -1 +1 @@
-Security/CWE-313/PasswordInConfigurationFile.ql
+query: Security/CWE-313/PasswordInConfigurationFile.ql


javascript/ql/test/query-tests/Security/CWE-862/EmptyPasswordInConfigurationFile.qlref

@@ -1 +1 @@
-Security/CWE-862/EmptyPasswordInConfigurationFile.ql
+query: Security/CWE-862/EmptyPasswordInConfigurationFile.ql


javascript/ql/test/query-tests/JSDoc/BadParamTag/BadParamTag.qlref

@@ -1 +1 @@
-JSDoc/BadParamTag.ql
+query: JSDoc/BadParamTag.ql


javascript/ql/test/query-tests/LanguageFeatures/SyntaxError/SyntaxError.qlref

@@ -1 +1 @@
-LanguageFeatures/SyntaxError.ql
+query: LanguageFeatures/SyntaxError.ql


javascript/ql/test/query-tests/Security/CWE-312/BuildArtifactLeak.qlref

@@ -1 +1 @@
-Security/CWE-312/BuildArtifactLeak.ql
+query: Security/CWE-312/BuildArtifactLeak.ql


javascript/ql/test/query-tests/WrongExtensionJSON/WrongExtensionJSON.qlref

@@ -1 +1 @@
-LanguageFeatures/WrongExtensionJSON.ql
+query: LanguageFeatures/WrongExtensionJSON.ql


Some OK-style comments had to be moved to the following line, shifting line numbers. In selected range also included the comments themselves. Lastly, the result sets were reordered by the CLI in some cases.

JSON does not support comments so we can't use inline expectations

The presence of a syntax error sometimes prevents us from parsing the inline comment correctly.

One of the diffs look confusing but: Previously parameter {2,3} where flagged, now parameter {1,2} are flagged. Note that for command injection, the SystemCommandExecution is flagged despite the test file claiming otherwise.

This adds Alert annotations for alerts that seem intentional by the test but has not been annotated with 'NOT OK', or the comment was in the wrong place. In a few cases I included 'Source' expectations to make it easier to see what happened. Other 'Source' expectations will be added in bulk a later commit.

See github/codeql-javascript-team#447

These are listed in a function called 'good' but it's difficult to say in isolation whether they should be flagged or not. Accepting the changes as they seem reasonable.

We had two 'NOT OK' comments for the same alert. The alert appears on the 'pref' object above.

Using RelatedLocations to add clarity

This file was added on main while this branch was in progress. Porting the whole file in one step.

The history of updates to this test got messed up so just squashing into one commit. Some possible regressions have been accepted, but the query is strangely opinionated so it's just hard to say what it ought to flag.

github-actions bot added the JS label Feb 4, 2025

asgerf force-pushed the js/test-suite branch 4 times, most recently from 6e464f3 to 3a86b71 Compare February 7, 2025 13:26

asgerf force-pushed the js/test-suite branch from 3a86b71 to 684fefb Compare February 25, 2025 16:30

github-actions bot added the documentation label Feb 25, 2025

github-advanced-security bot found potential problems Feb 25, 2025

View reviewed changes

github-advanced-security bot found potential problems Feb 26, 2025

View reviewed changes

asgerf force-pushed the js/test-suite branch 2 times, most recently from a456a5b to 77a27de Compare February 27, 2025 14:11

github-advanced-security bot found potential problems Feb 27, 2025

View reviewed changes

asgerf force-pushed the js/test-suite branch 3 times, most recently from bc599d1 to 9df0bf6 Compare February 28, 2025 12:21

asgerf added 15 commits February 28, 2025 13:27

JS: Allow more kinds of expectation comments

79e2a75

JS: Remove uses of old inline expectation test library

7e5c24a

JS: Update OK-style comments to $-style

9be041e

JS: Update output after line number change

426edd5

Some OK-style comments had to be moved to the following line, shifting line numbers. In selected range also included the comments themselves. Lastly, the result sets were reordered by the CLI in some cases.

JS: Enable post-processing for all .qlref files

d0ce53e

JS: Disable for comment-related alerts

ac6547f

JS: Disable for test with alerts in a JSON file

789a7bd

JSON does not support comments so we can't use inline expectations

JS: Disable for SyntaxError

795c110

The presence of a syntax error sometimes prevents us from parsing the inline comment correctly.

JS: Accept raw test output

f5911c9

JS: Move some alerts to their correct location

86932c5

One of the diffs look confusing but: Previously parameter {2,3} where flagged, now parameter {1,2} are flagged. Note that for command injection, the SystemCommandExecution is flagged despite the test file claiming otherwise.

JS: Add query ID to some alerts

0453ded

JS: Accept some alerts at the SystemCommandExecution location

07a876b

JS: Mark alert as MISSING

f395651

See github/codeql-javascript-team#447

JS: Accept some less obvious alerts

1f3c496

These are listed in a function called 'good' but it's difficult to say in isolation whether they should be flagged or not. Accepting the changes as they seem reasonable.

asgerf added 27 commits February 28, 2025 13:29

JS: Accept an alert

49274d5

JS: Accept an alert

9760965

JS: Move two alerts and add query ID

764eb98

JS: Accept to web socket-based SSRF alerts

4d7cbe6

JS: Accept some UselessConditional alerts

e634b31

JS: More alert updates in UselessConditional

507a091

JS: Accept changes in UseOfReturnlessFunction

7623ebb

Fix comment style in UnboundEventHandlerReceiver

6cf1334

JS: Remove incorrect alert marker

2b33ed3

JS: Remove alert marker that's reported on another line

a1c13f0

We had two 'NOT OK' comments for the same alert. The alert appears on the 'pref' object above.

JS: Fix alert location and use RelatedLocation in InsecureUrlWhitelist

dc28bb5

JS: Accept more results in SpuriousArguments

6059994

JS: Update UnusedOrUndefinedStateProperty

87ed86e

Using RelatedLocations to add clarity

JS: Fix wrong expectation in UnusedOrUndefinedStateProperty

8ef51c4

JS: Add a related location in UnusedOrUndefinedStateProperty

aade1e8

JS: Accept alerts in UselessCharacterEscape

0496de6

JS: Remove outdated comment

bb67a0e

JS: Update tainted-sendFile.js

87518ba

This file was added on main while this branch was in progress. Porting the whole file in one step.

JS: Add a query ID

b4ac2f7

JS: Accept an alert

fd6a9c6

JS: Migrate a new file from OK-style comments

19cada3

JS: Accept Sources/Sink tags

64d39da

JS: Bulk update in UnneededDefensiveProgramming test

7bd01bf

The history of updates to this test got messed up so just squashing into one commit. Some possible regressions have been accepted, but the query is strangely opinionated so it's just hard to say what it ought to flag.

Disable for more queries with alerts in JSON

c67c585

JS: Convert some comments to JSX

33602ee

JS: Add query IDs

193b26e

raw test output

2a194a5

asgerf force-pushed the js/test-suite branch from 9df0bf6 to 2a194a5 Compare February 28, 2025 12:29

asgerf marked this pull request as ready for review February 28, 2025 13:41

asgerf requested a review from a team as a code owner February 28, 2025 13:41

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

JS: Update test suite to use post-processed inline expectations #18670

JS: Update test suite to use post-processed inline expectations #18670

asgerf commented Feb 4, 2025 •

edited

Loading

		@@ -1 +1 @@
		Comments/CommentedOutCode.ql
		query: Comments/CommentedOutCode.ql

		@@ -1 +1 @@
		Comments/TodoComments.ql
		query: Comments/TodoComments.ql

		@@ -1 +1 @@
		JSDoc/JSDocForNonExistentParameter.ql
		query: JSDoc/JSDocForNonExistentParameter.ql

		@@ -1 +1 @@
		LanguageFeatures/ConditionalComments.ql
		query: LanguageFeatures/ConditionalComments.ql

		@@ -1 +1 @@
		NodeJS/UnusedDependency.ql
		query: NodeJS/UnusedDependency.ql

		@@ -1 +1 @@
		Security/CWE-094/ExpressionInjection.ql
		query: Security/CWE-094/ExpressionInjection.ql

		@@ -1 +1 @@
		Security/CWE-300/InsecureDependencyResolution.ql
		query: Security/CWE-300/InsecureDependencyResolution.ql

		@@ -1 +1 @@
		Security/CWE-312/ActionsArtifactLeak.ql
		query: Security/CWE-312/ActionsArtifactLeak.ql

		@@ -1 +1 @@
		Security/CWE-313/PasswordInConfigurationFile.ql
		query: Security/CWE-313/PasswordInConfigurationFile.ql

		@@ -1 +1 @@
		Security/CWE-862/EmptyPasswordInConfigurationFile.ql
		query: Security/CWE-862/EmptyPasswordInConfigurationFile.ql

		@@ -1 +1 @@
		LanguageFeatures/SyntaxError.ql
		query: LanguageFeatures/SyntaxError.ql

		@@ -1 +1 @@
		Security/CWE-312/BuildArtifactLeak.ql
		query: Security/CWE-312/BuildArtifactLeak.ql

		@@ -1 +1 @@
		LanguageFeatures/WrongExtensionJSON.ql
		query: LanguageFeatures/WrongExtensionJSON.ql

JS: Update test suite to use post-processed inline expectations #18670

Are you sure you want to change the base?

JS: Update test suite to use post-processed inline expectations #18670

Conversation

asgerf commented Feb 4, 2025 • edited Loading

asgerf commented Feb 4, 2025 •

edited

Loading