JS: Post-processing query for inline test expectations

javascript/ql/test/query-tests/Security/CWE-611/Xxe.qlref

@@ -1 +1,2 @@
-Security/CWE-611/Xxe.ql
+query: Security/CWE-611/Xxe.ql
+postprocess: TestUtilities/InlineExpectationsTestQuery.ql

javascript/ql/test/query-tests/Security/CWE-611/domparser.js

@@ -8,10 +8,10 @@ function test() {
     var parser;
     try {
       // NOT OK: XMLDOM expands external entities by default
-      (new ActiveXObject("Microsoft.XMLDOM")).loadXML(src);
+      (new ActiveXObject("Microsoft.XMLDOM")).loadXML(src); // $ BAD
     } catch (e) {
       // NOT OK: MSXML expands external entities by default
-      (new ActiveXObject("Msxml2.DOMDocument")).loadXML(src);
+      (new ActiveXObject("Msxml2.DOMDocument")).loadXML(src); // $ BAD
     }
   }
 }

javascript/ql/test/query-tests/Security/CWE-611/libxml.noent.js

@@ -1,20 +1,20 @@
 const express = require('express');
 const libxmljs = require('libxmljs');
 
-express().get('/some/path', function(req) {
+express().get('/some/path', function (req) {
   // NOT OK: unguarded entity expansion
-  libxmljs.parseXml(req.param("some-xml"), { noent: true });
+  libxmljs.parseXml(req.param("some-xml"), { noent: true }); // $ BAD
 });
 
-express().post('/some/path', function(req, res) {
+express().post('/some/path', function (req, res) {
   // NOT OK: unguarded entity expansion
-  libxmljs.parseXml(req.param("some-xml"), { noent: true });
+  libxmljs.parseXml(req.param("some-xml"), { noent: true }); // $ BAD
 
   // NOT OK: unguarded entity expansion
-  libxmljs.parseXmlString(req.param("some-xml"), {noent:true})
+  libxmljs.parseXmlString(req.param("some-xml"), { noent: true }) // $ BAD
   // NOT OK: unguarded entity expansion
-  libxmljs.parseXmlString(req.files.products.data.toString('utf8'), {noent:true})
-  
+  libxmljs.parseXmlString(req.files.products.data.toString('utf8'), { noent: true }) // $ BAD
+
   // OK - no entity expansion
-  libxmljs.parseXmlString(req.files.products.data.toString('utf8'), {noent:false})
+  libxmljs.parseXmlString(req.files.products.data.toString('utf8'), { noent: false })
 });

javascript/ql/test/query-tests/Security/CWE-611/libxml.sax.js

@@ -1,7 +1,7 @@
 const express = require('express');
 const libxmljs = require('libxmljs');
 
-express().get('/some/path', function(req) {
+express().get('/some/path', function (req) {
   const parser = new libxmljs.SaxParser();
-  parser.parseString(req.param("some-xml")); // NOT OK: the SAX parser expands external entities by default
+  parser.parseString(req.param("some-xml")); // $ BAD: the SAX parser expands external entities by default
 });

javascript/ql/test/query-tests/Security/CWE-611/libxml.saxpush.js

@@ -1,7 +1,7 @@
 const express = require('express');
 const libxmljs = require('libxmljs');
 
-express().get('/some/path', function(req) {
+express().get('/some/path', function (req) {
   const parser = new libxmljs.SaxPushParser();
-  parser.push(req.param("some-xml"));  // NOT OK: the SAX parser expands external entities by default
+  parser.push(req.param("some-xml")); // $ BAD: the SAX parser expands external entities by default
 });

javascript/ql/test/testUtilities/InlineExpectationsTestQuery.ql

@@ -0,0 +1,21 @@
+/**
+ * @kind test-postprocess
+ */
+
+private import javascript
+private import codeql.util.test.InlineExpectationsTest as T
+private import internal.InlineExpectationsTestImpl
+import T::TestPostProcessing
+import T::TestPostProcessing::Make<Impl, Input>
+
+private module Input implements T::TestPostProcessing::InputSig<Impl> {
+  string getRelativeUrl(Location location) {
+    exists(File f, int startline, int startcolumn, int endline, int endcolumn |
+      location.hasLocationInfo(_, startline, startcolumn, endline, endcolumn) and
+      f = location.getFile()
+    |
+      result =
+        f.getRelativePath() + ":" + startline + ":" + startcolumn + ":" + endline + ":" + endcolumn
+    )
+  }
+}