
JS: Convert qlref tests to inline expectations #22126

Open
owen-mc wants to merge 2 commits into github:main from owen-mc:js/convert-qlref-inline-expectations

Conversation

@owen-mc

@owen-mc owen-mc commented Jul 5, 2026

Contributor

No description provided.

@github-actions github-actions Bot added the JS label Jul 5, 2026
@owen-mc owen-mc force-pushed the js/convert-qlref-inline-expectations branch from f1eda90 to de7723f on July 5, 2026 16:41
@owen-mc owen-mc marked this pull request as ready for review July 5, 2026 19:22
@owen-mc owen-mc requested a review from a team as a code owner July 5, 2026 19:22
Copilot AI review requested due to automatic review settings July 5, 2026 19:22

Copilot AI left a comment

Contributor


Pull request overview

This PR continues the migration of JavaScript QL tests from standalone .expected-only validation toward inline expectation annotations, by adding $ Alert / $ Source / $ Sink / $ SPURIOUS / $ MISSING markers in test code and enabling the inline-expectations postprocessor in .qlref files.

Changes:

  • Added inline expectation markers across multiple JS/security/templating test inputs (including HTML comment markers in templates).
  • Updated multiple .qlref files to use query: syntax and enable postprocess: utils/test/InlineExpectationsTestQuery.ql.
  • Performed minor formatting adjustments in some test files while adding annotations.
Show a summary per file

| File | Description |
| --- | --- |
| javascript/ql/test/query-tests/AngularJS/MissingExplicitInjection/missing-explicit-injection.js | Add inline $ MISSING marker |
| javascript/ql/test/library-tests/frameworks/Templating/views/njk_sinks.njk | Add $ Alert markers in template |
| javascript/ql/test/library-tests/frameworks/Templating/views/hbs_sinks.hbs | Add $ Alert markers in template |
| javascript/ql/test/library-tests/frameworks/Templating/views/ejs_sinks.ejs | Add $ Alert markers in template |
| javascript/ql/test/library-tests/frameworks/Templating/views/angularjs_sinks.ejs | Add $ Alert markers in template |
| javascript/ql/test/library-tests/frameworks/Templating/views/angularjs_include.ejs | Add $ Alert markers in include |
| javascript/ql/test/library-tests/frameworks/Templating/CodeInjection.qlref | Enable inline-expectations postprocess |
| javascript/ql/test/library-tests/frameworks/Templating/app.js | Add $ Source markers for flows |
| javascript/ql/test/library-tests/frameworks/HTTP-heuristics/UnpromotedRouteSetupCandidate.qlref | Enable inline-expectations postprocess |
| javascript/ql/test/library-tests/frameworks/HTTP-heuristics/UnpromotedRouteHandlerCandidate.qlref | Enable inline-expectations postprocess |
| javascript/ql/test/library-tests/frameworks/HTTP-heuristics/src/tst.js | Add $ Alert[...] markers |
| javascript/ql/test/library-tests/frameworks/HTTP-heuristics/src/route-objects.js | Add $ Alert[...] markers |
| javascript/ql/test/library-tests/frameworks/HTTP-heuristics/src/nodejs.js | Add $ Alert[...] markers |
| javascript/ql/test/library-tests/frameworks/HTTP-heuristics/src/hapi.js | Add $ Alert[...] marker |
| javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/tst.js | Add $ Alert marker |
| javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/MultipleArgumentsToSetConstructorBad.js | Add $ Alert marker |
| javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/MultipleArgumentsToSetConstructor.qlref | Enable inline-expectations postprocess |
| javascript/ql/test/experimental/Security/CWE-918/SsrfIpv6TransitionIncompleteGuard/SsrfIpv6TransitionIncompleteGuard.qlref | Enable inline-expectations postprocess |
| javascript/ql/test/experimental/Security/CWE-918/SsrfIpv6TransitionIncompleteGuard/bad-rfc1918-regex.js | Add $ Alert[...] marker |
| javascript/ql/test/experimental/Security/CWE-918/SsrfIpv6TransitionIncompleteGuard/bad-private-ip-pkg.js | Add $ Alert[...] marker |
| javascript/ql/test/experimental/Security/CWE-918/SSRF.qlref | Enable inline-expectations postprocess |
| javascript/ql/test/experimental/Security/CWE-918/check-validator.js | Add inline markers + formatting |
| javascript/ql/test/experimental/Security/CWE-918/check-regex.js | Add inline markers + formatting |
| javascript/ql/test/experimental/Security/CWE-918/check-path.js | Add $ Alert markers |
| javascript/ql/test/experimental/Security/CWE-918/check-middleware.js | Add $ SPURIOUS marker |
| javascript/ql/test/experimental/Security/CWE-918/check-domain.js | Add $ Source/$ Alert markers |
| javascript/ql/test/experimental/Security/CWE-347/remotesource/jwtSimple.js | Add $ Alert/$ Sink markers |
| javascript/ql/test/experimental/Security/CWE-347/remotesource/jwtDecode.js | Add $ Alert/$ Sink markers |
| javascript/ql/test/experimental/Security/CWE-347/remotesource/JsonWebToken.js | Add $ Alert/$ Sink markers |
| javascript/ql/test/experimental/Security/CWE-347/remotesource/jose.js | Add $ Alert/$ Sink markers |
| javascript/ql/test/experimental/Security/CWE-347/remotesource/decodeJwtWithoutVerification.qlref | Enable inline-expectations postprocess |
| javascript/ql/test/experimental/Security/CWE-347/localsource/jwtSimple.js | Add $ Alert/$ Sink markers |
| javascript/ql/test/experimental/Security/CWE-347/localsource/jwtDecode.js | Add $ Alert/$ Sink markers |
| javascript/ql/test/experimental/Security/CWE-347/localsource/JsonWebToken.js | Add $ Alert/$ Sink markers |
| javascript/ql/test/experimental/Security/CWE-347/localsource/jose.js | Add $ Alert/$ Sink markers |
| javascript/ql/test/experimental/Security/CWE-347/localsource/decodeJwtWithoutVerificationLocalSource.qlref | Enable inline-expectations postprocess |
| javascript/ql/test/experimental/Security/CWE-099/EnvValueInjection/test.js | Add $ Source/$ Alert markers |
| javascript/ql/test/experimental/Security/CWE-099/EnvValueInjection/EnvValueInjection.qlref | Enable inline-expectations postprocess |
| javascript/ql/test/experimental/Security/CWE-099/EnvValueAndKeyInjection/test.js | Add $ Source/$ Alert markers |
| javascript/ql/test/experimental/Security/CWE-099/EnvValueAndKeyInjection/EnvValueAndKeyInjection.qlref | Enable inline-expectations postprocess |
| javascript/ql/test/experimental/Security/CWE-094-dataURL/test.js | Add $ Source/$ Alert markers |
| javascript/ql/test/experimental/Security/CWE-094-dataURL/CodeInjection.qlref | Enable inline-expectations postprocess |

Review details

  • Files reviewed: 42/42 changed files
  • Comments generated: 3
  • Review effort level: Low
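The overview above describes tests whose results are checked against `$` markers in the source instead of against a standalone .expected file. As an added illustration (not code from this PR or from CodeQL's own InlineExpectationsTest library), the Python below models that comparison on a constructed sample: plain tags must be reported, `SPURIOUS:` marks a known false positive that must still be reported, `MISSING:` marks a known false negative that must stay absent, and any unmarked result fails the test. The comment detection and the `MISSING:`/`SPURIOUS:` modifier handling are simplifications assumed here.

```python
import re

# Constructed sample test source (not from the PR): JS line comments plus one
# HTML-comment marker of the kind the templating tests in this PR use.
SAMPLE_SOURCE = """\
const t = req.query.url; // $ Source
axios.get(t); // $ Alert[js/request-forgery]
axios.get(SAFE_URL); // $ SPURIOUS: Alert[js/request-forgery]
fetch(t); // $ MISSING: Alert[js/request-forgery]
<div>{{ user }}</div> <!-- $ Alert -->
res.send(t);
"""
# Constructed (line, tag) pairs standing in for one postprocessed query run.
SAMPLE_RESULTS = {(1, "Source"), (2, "Alert[js/request-forgery]"),
                  (3, "Alert[js/request-forgery]"), (5, "Alert"), (6, "Alert")}

# Simplification: any '//' starts a line comment, so a URL literal would be misread.
COMMENT_RE = re.compile(r"//(.*)$|<!--(.*?)-->")

def parse_expectations(source):
    """Return (line, tag, kind) per '$' marker; kind is 'expected', 'spurious' (known
    false positive) or 'missing' (known false negative). Assumed rule: a MISSING:/SPURIOUS:
    token applies to the tags that follow it within the same comment."""
    found = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for m in COMMENT_RE.finditer(text):
            body = m.group(1) or m.group(2) or ""
            kind = "expected"
            for tok in body.partition("$")[2].split():  # nothing after '$' -> no tags
                if tok == "MISSING:":
                    kind = "missing"
                elif tok == "SPURIOUS:":
                    kind = "spurious"
                else:
                    found.append((lineno, tok, kind))
    return found

def check(source, results):
    """Return one failure string per mismatch; an empty list means the test passes."""
    failures, covered = [], set()
    for line, tag, kind in parse_expectations(source):
        reported = (line, tag) in results
        covered.add((line, tag))
        if kind == "expected" and not reported:
            failures.append(f"line {line}: expected {tag} not reported")
        elif kind == "spurious" and not reported:  # the false positive got fixed
            failures.append(f"line {line}: SPURIOUS {tag} no longer reported")
        elif kind == "missing" and reported:  # the false negative got fixed
            failures.append(f"line {line}: MISSING {tag} now reported")
    for line, tag in sorted(results - covered):  # result with no marker at all
        failures.append(f"line {line}: unexpected {tag}")
    return failures
```

Both stale-annotation cases are reported as failures on purpose: that is what forces a test to be updated when a query's precision changes.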

Comment on lines 20 to 24
const decodedURI = decodeURIComponent(req.query.url);
const { hostname } = url.parse(decodedURI);

const { hostname } = url.parse(decodedURI);
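Review bot: the visible range declares `const { hostname } = url.parse(decodedURI);` twice; if both lines exist in the new file, a second `const` of the same name in one scope is a syntax error the extractor can only recover from, and the test would stop exercising the intended flow. If the pair is just the old and new side of a whitespace-only formatting change, nothing to do, but the file view should confirm it. Separately, `req.query.url` on line 20 carries no `$ Source` marker here while this PR adds `$ Source` markers to check-domain.js; if sources are part of this test's expectations, add one on that line.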


(function () {
const UserToken = aJwt()
const UserToken = aJwt() // $ Alert
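Review bot: the new `// $ Alert` on `const UserToken = aJwt()` is a bare tag with no query id, which is unambiguous only while a single postprocessed qlref covers this directory (the remotesource and localsource trees each list one); the HTTP-heuristics inputs in this PR use `$ Alert[...]` because two queries share one source tree, so if a second query is ever added here the bare tags would need the suffix. The per-file summary lists `$ Alert/$ Sink` markers for these CWE-347 files and none of the visible lines shows a `$ Sink`, so it is worth confirming the sink marker landed on the intended line.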
Comment on lines +33 to 35
if (!isInBlacklist(req.params.tainted)) {
axios.get(baseURL + req.params.tainted); // $ Alert // SSRF
}
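Review bot: the trailing `// SSRF` after `$ Alert` on line 34 should be checked against the expectations parser; if everything after `$` up to the end of the comment is tokenised, `//` and `SSRF` would be read as extra tags and surface as unmatched expectations, so putting the explanatory comment on its own line avoids depending on that behaviour. The newly added guard on line 33 (`if (!isInBlacklist(req.params.tainted))`) still carries the alert, which is the right expectation for a blocklist check that is not a sanitizer; a short comment saying the guard is deliberately insufficient would make that intent clear to the next reader.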


2 participants