github · asgerf · Jan 24, 2025 · Jan 24, 2025 · Jan 24, 2025 · Jan 24, 2025
@@ -4,9 +4,9 @@ import { IsIn } from 'class-validator';
 export class Controller {
   @Get()
   route1(@Query('x') validatedObj: Struct, @Query('y') unvalidated: string) {
-    if (Math.random()) return unvalidated; // NOT OK
-    return validatedObj.key; // OK
-  }
+    if (Math.random()) return unvalidated; // $ Alert responseSendArgument
+    return validatedObj.key;  // $ responseSendArgument
+  } // $ routeHandler
 }
 
 class Struct {

@@ -2,7 +2,7 @@ import { Get, createParamDecorator, ExecutionContext } from '@nestjs/common';
 
 export const SneakyQueryParam = createParamDecorator(
   (data: unknown, ctx: ExecutionContext) => {
-    const request = ctx.switchToHttp().getRequest();
+    const request = ctx.switchToHttp().getRequest(); // $ requestSource
     return request.query.sneakyQueryParam;
   },
 );
@@ -16,11 +16,11 @@ export const SafeParam = createParamDecorator(
 export class Controller {
   @Get()
   sneaky(@SneakyQueryParam() value) {
-    return value; // NOT OK
-  }
+    return value; // $ Alert responseSendArgument
+  } // $ routeHandler
 
   @Get()
   safe(@SafeParam() value) {
-    return value; // OK
-  }
+    return value;  // $ responseSendArgument
+  } // $ routeHandler
 }
@@ -18,33 +18,33 @@ export class CustomPropagatingPipe implements PipeTransform {
 export class Controller {
     @Get()
     sanitizingPipe1(@Query('x', CustomSanitizingPipe) sanitized: number): string {
-        return '' + sanitized; // OK
-    }
+        return '' + sanitized;  // $ responseSendArgument
+    } // $ routeHandler
 
     @Get()
     sanitizingPipe2(@Query('x', new CustomSanitizingPipe()) sanitized: number): string {
-        return '' + sanitized; // OK
-    }
+        return '' + sanitized;  // $ responseSendArgument
+    } // $ routeHandler
 
     @Get()
     @UsePipes(CustomSanitizingPipe)
     sanitizingPipe3(@Query('x') sanitized: number): string {
-        return '' + sanitized; // OK
-    }
+        return '' + sanitized;  // $ responseSendArgument
+    } // $ routeHandler
 
     @Get()
     propagatingPipe1(@Query('x', CustomPropagatingPipe) unsanitized: string): string {
-        return '' + unsanitized; // NOT OK
-    }
+        return '' + unsanitized; // $ Alert responseSendArgument
+    } // $ routeHandler
 
     @Get()
     propagatingPipe2(@Query('x', new CustomPropagatingPipe()) unsanitized: string): string {
-        return '' + unsanitized; // NOT OK
-    }
+        return '' + unsanitized; // $ Alert responseSendArgument
+    } // $ routeHandler
 
     @Get()
     @UsePipes(CustomPropagatingPipe)
     propagatingPipe3(@Query('x') unsanitized: string): string {
-        return '' + unsanitized; // NOT OK
-    }
+        return '' + unsanitized; // $ Alert responseSendArgument
+    } // $ routeHandler
 }
@@ -5,70 +5,70 @@ export class TestController {
   @Get('foo')
   getFoo() {
     return 'foo';
-  }
+  } // $ routeHandler
 
   @Post('foo')
   postFoo() {
     return 'foo';
-  }
+  } // $ routeHandler
 
   @Get()
   getRoot() {
     return 'foo';
-  }
+  } // $ routeHandler
 
   @All('bar')
   bar() {
     return 'bar';
-  }
+  } // $ routeHandler
 
   @Get('requestInputs/:x')
   requestInputs(
     @Param('x') x,
     @Query() queryObj,
     @Query('name') name,
-    @Req() req
+    @Req() req // $ requestSource
   ) {
-    if (Math.random()) return x; // NOT OK
-    if (Math.random()) return queryObj; // NOT OK
-    if (Math.random()) return name; // NOT OK
-    if (Math.random()) return req.query.abc; // NOT OK
+    if (Math.random()) return x; // $ Alert responseSendArgument
+    if (Math.random()) return queryObj; // $ Alert responseSendArgument
+    if (Math.random()) return name; // $ Alert responseSendArgument
+    if (Math.random()) return req.query.abc; // $ Alert responseSendArgument
     return;
-  }
+  } // $ routeHandler
 
   @Post('post')
   post(@Body() body) {
-    return body.x; // NOT OK
-  }
+    return body.x; // $ Alert responseSendArgument
+  } // $ routeHandler
 
   @Get('redir')
   @Redirect('https://example.com')
   redir() {
     return {
-      url: '//other.example.com' // OK
+      url: '//other.example.com'  // $ redirectSink
     };
-  }
+  } // $ routeHandler
 
   @Get('redir')
   @Redirect('https://example.com')
   redir2(@Query('redirect') target) {
     return {
-      url: target // NOT OK
+      url: target // $ Alert redirectSink
     };
-  }
+  } // $ routeHandler
 
   @Get()
-  explicitSend(@Req() req, @Res() res) {
-    res.send(req.query.x) // NOT OK
-  }
+  explicitSend(@Req() req, @Res() res) { // $ requestSource responseSource
+    res.send(req.query.x) // $ Alert responseSource responseSendArgument
+  } // $ routeHandler
 
   @Post()
   upload(@UploadedFile() file) {
-    return file.originalname; // NOT OK
-  }
+    return file.originalname; // $ Alert responseSendArgument
+  } // $ routeHandler
 
   @Post()
   uploadMany(@UploadedFiles() files) {
-    return files[0].originalname; // NOT OK
-  }
+    return files[0].originalname; // $ Alert responseSendArgument
+  } // $ routeHandler
 }
@@ -4,45 +4,45 @@ import { IsIn } from 'class-validator';
 export class Controller {
   @Get()
   route1(@Query('x', new ValidationPipe()) validatedObj: Struct) {
-    return validatedObj.key; // OK
-  }
+    return validatedObj.key;  // $ responseSendArgument
+  } // $ routeHandler
 
   @Get()
   route2(@Query('x', ValidationPipe) validatedObj: Struct) {
-    return validatedObj.key; // OK
-  }
+    return validatedObj.key;  // $ responseSendArgument
+  } // $ routeHandler
 
   @Get()
   @UsePipes(new ValidationPipe())
   route3(@Query('x') validatedObj: Struct, @Query('y') unvalidated: string) {
-    if (Math.random()) return validatedObj.key; // OK
-    return unvalidated; // NOT OK
-  }
+    if (Math.random()) return validatedObj.key;  // $ responseSendArgument
+    return unvalidated; // $ Alert responseSendArgument
+  } // $ routeHandler
 
   @Get()
   @UsePipes(ValidationPipe)
   route4(@Query('x') validatedObj: Struct, @Query('y') unvalidated: string) {
-    if (Math.random()) return validatedObj.key; // OK
-    return unvalidated; // NOT OK
-  }
+    if (Math.random()) return validatedObj.key;  // $ responseSendArgument
+    return unvalidated; // $ Alert responseSendArgument
+  } // $ routeHandler
 }
 
 @UsePipes(new ValidationPipe())
 export class Controller2 {
   @Get()
   route5(@Query('x') validatedObj: Struct, @Query('y') unvalidated: string) {
-    if (Math.random()) return validatedObj.key; // OK
-    return unvalidated; // NOT OK
-  }
+    if (Math.random()) return validatedObj.key;  // $ responseSendArgument
+    return unvalidated; // $ Alert responseSendArgument
+  } // $ routeHandler
 }
 
 @UsePipes(ValidationPipe)
 export class Controller3 {
   @Get()
   route6(@Query('x') validatedObj: Struct, @Query('y') unvalidated: string) {
-    if (Math.random()) return validatedObj.key; // OK
-    return unvalidated; // NOT OK
-  }
+    if (Math.random()) return validatedObj.key;  // $ responseSendArgument
+    return unvalidated; // $ Alert responseSendArgument
+  } // $ routeHandler
 }
 
 class Struct {

@@ -1,30 +1,30 @@
 routeHandler
-| global/validation.ts:6:3:9:3 | route1( ...  OK\\n  } |
-| local/customDecorator.ts:18:3:20:3 | sneaky( ...  OK\\n  } |
-| local/customDecorator.ts:23:3:25:3 | safe(@S ...  OK\\n  } |
-| local/customPipe.ts:20:5:22:5 | sanitiz ... K\\n    } |
-| local/customPipe.ts:25:5:27:5 | sanitiz ... K\\n    } |
-| local/customPipe.ts:31:5:33:5 | sanitiz ... K\\n    } |
-| local/customPipe.ts:36:5:38:5 | propaga ... K\\n    } |
-| local/customPipe.ts:41:5:43:5 | propaga ... K\\n    } |
-| local/customPipe.ts:47:5:49:5 | propaga ... K\\n    } |
+| global/validation.ts:6:3:9:3 | route1( ... ent\\n  } |
+| local/customDecorator.ts:18:3:20:3 | sneaky( ... ent\\n  } |
+| local/customDecorator.ts:23:3:25:3 | safe(@S ... ent\\n  } |
+| local/customPipe.ts:20:5:22:5 | sanitiz ... t\\n    } |
+| local/customPipe.ts:25:5:27:5 | sanitiz ... t\\n    } |
+| local/customPipe.ts:31:5:33:5 | sanitiz ... t\\n    } |
+| local/customPipe.ts:36:5:38:5 | propaga ... t\\n    } |
+| local/customPipe.ts:41:5:43:5 | propaga ... t\\n    } |
+| local/customPipe.ts:47:5:49:5 | propaga ... t\\n    } |
 | local/routes.ts:6:3:8:3 | getFoo( ... o';\\n  } |
 | local/routes.ts:11:3:13:3 | postFoo ... o';\\n  } |
 | local/routes.ts:16:3:18:3 | getRoot ... o';\\n  } |
 | local/routes.ts:21:3:23:3 | bar() { ... r';\\n  } |
 | local/routes.ts:26:3:37:3 | request ... rn;\\n  } |
-| local/routes.ts:40:3:42:3 | post(@B ...  OK\\n  } |
+| local/routes.ts:40:3:42:3 | post(@B ... ent\\n  } |
 | local/routes.ts:46:3:50:3 | redir() ...  };\\n  } |
 | local/routes.ts:54:3:58:3 | redir2( ...  };\\n  } |
-| local/routes.ts:61:3:63:3 | explici ...  OK\\n  } |
-| local/routes.ts:66:3:68:3 | upload( ...  OK\\n  } |
-| local/routes.ts:71:3:73:3 | uploadM ...  OK\\n  } |
-| local/validation.ts:6:3:8:3 | route1( ...  OK\\n  } |
-| local/validation.ts:11:3:13:3 | route2( ...  OK\\n  } |
-| local/validation.ts:17:3:20:3 | route3( ...  OK\\n  } |
-| local/validation.ts:24:3:27:3 | route4( ...  OK\\n  } |
-| local/validation.ts:33:3:36:3 | route5( ...  OK\\n  } |
-| local/validation.ts:42:3:45:3 | route6( ...  OK\\n  } |
+| local/routes.ts:61:3:63:3 | explici ... ent\\n  } |
+| local/routes.ts:66:3:68:3 | upload( ... ent\\n  } |
+| local/routes.ts:71:3:73:3 | uploadM ... ent\\n  } |
+| local/validation.ts:6:3:8:3 | route1( ... ent\\n  } |
+| local/validation.ts:11:3:13:3 | route2( ... ent\\n  } |
+| local/validation.ts:17:3:20:3 | route3( ... ent\\n  } |
+| local/validation.ts:24:3:27:3 | route4( ... ent\\n  } |
+| local/validation.ts:33:3:36:3 | route5( ... ent\\n  } |
+| local/validation.ts:42:3:45:3 | route6( ... ent\\n  } |
 requestSource
 | local/customDecorator.ts:5:21:5:51 | ctx.swi ... quest() |
 | local/routes.ts:30:12:30:14 | req |

@@ -0,0 +1,2 @@
+query: test.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/shared/util/codeql/util/test/InlineExpectationsTest.qll b/shared/util/codeql/util/test/InlineExpectationsTest.qll
@@ -739,7 +739,13 @@ module TestPostProcessing {
       bindingset[result]
       string getARelevantTag() { any() }
 
-      predicate tagMatches = PathProblemSourceTestInput::tagMatches/2;
+      bindingset[expectedTag, actualTag]
+      predicate tagMatches(string expectedTag, string actualTag) {
+        PathProblemSourceTestInput::tagMatches(expectedTag, actualTag)
+        or
+        not exists(getQueryKind()) and
+        expectedTag = actualTag
+      }
 
       bindingset[expectedTag]
       predicate tagIsOptional(string expectedTag) {
@@ -751,6 +757,9 @@ module TestPostProcessing {
           queryId = expectedTag.regexpCapture(getTagRegex(), 3) and
           queryId != getQueryId()
         )
+        or
+        not exists(getQueryKind()) and
+        expectedTag = ["Alert", "Source", "Sink"]
       }
 
       private predicate hasPathProblemSource = PathProblemSourceTestInput::hasPathProblemSource/5;
@@ -779,6 +788,22 @@ module TestPostProcessing {
         )
       }
 
+      private predicate hasCustomQueryPredicateResult(
+        Input::Location location, string tag, string value
+      ) {
+        not exists(getQueryKind()) and
+        exists(int row |
+          queryResults(tag, row, 0, Input2::getRelativeUrl(location)) and
+          not tag = [mainResultSet(), "nodes", "edges", "subpaths"] and
+          (
+            queryResults(tag, row, 2, value)
+            or
+            not queryResults(tag, row, 2, _) and
+            value = ""
+          )
+        )
+      }
+
       /**
        * Gets the expected value for result row `row`, if any. This value must
        * match the value at the corresponding path-problem source (if it is
@@ -805,6 +830,9 @@ module TestPostProcessing {
           or
           value = getValue(row)
         )
+        or
+        hasCustomQueryPredicateResult(location, tag, value) and
+        element = ""
       }
     }
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		query: test.ql
		postprocess: utils/test/InlineExpectationsTestQuery.ql