java inline expectations prototype with tests

Author: ginsbach

java/ql/test/TestUtilities/JavaInlineExpectations.ql

@@ -0,0 +1,88 @@
+import java
+
+external predicate queryResults(string relation, int row, int column, string data);
+
+string actualLines() {
+  exists(int i |
+    queryResults("#select", i, _, _) and
+    result =
+      " | " +
+        concat(int j, string cell | queryResults("#select", i, j, cell) | cell, " | " order by j) +
+        " | "
+  )
+}
+
+predicate parsedExpectedResults(string filename, int line, string content) {
+  exists(Javadoc doc |
+    isEolComment(doc) and
+    filename = doc.getLocation().getFile().getBaseName() and
+    line = doc.getLocation().getStartLine() and
+    line = doc.getLocation().getEndLine() and
+    content = doc.getChild(0).getText().trim()
+  )
+}
+
+predicate expectError(string filename, int line) {
+  exists(string content |
+    parsedExpectedResults(filename, line, content) and content.indexOf("NOT OK") = 0
+  )
+}
+
+predicate expectPass(string filename, int line) {
+  exists(string content |
+    parsedExpectedResults(filename, line, content) and content.indexOf("OK") = 0
+  )
+}
+
+predicate parsedActualResults(string filename, int line, int colStart, int colEnd, string content) {
+  exists(string s, string posString, string lineString |
+    s = actualLines() and
+    posString = s.substring(s.indexOf("|", 0, 0) + 1, s.indexOf("|", 1, 0)).trim() and
+    filename = posString.substring(0, posString.indexOf(":", 0, 0)) and
+    lineString = posString.substring(posString.indexOf(":", 0, 0) + 1, posString.indexOf(":", 1, 0)) and
+    lineString = posString.substring(posString.indexOf(":", 2, 0) + 1, posString.indexOf(":", 3, 0)) and
+    colStart =
+      posString.substring(posString.indexOf(":", 1, 0) + 1, posString.indexOf(":", 2, 0)).toInt() and
+    colEnd = posString.substring(posString.indexOf(":", 3, 0) + 1, posString.length()).toInt() and
+    line = lineString.toInt() and
+    content = s.substring(s.indexOf("|", 2, 0) + 1, s.indexOf("|", 3, 0)).trim()
+  )
+}
+
+predicate actualExpectedDiff(string type, string position, string error) {
+  exists(string filename, int line, int colStart, int colEnd |
+    parsedActualResults(filename, line, colStart, colEnd, error) and
+    expectPass(filename, line) and
+    type = "unexpected alert" and
+    position = filename + ":" + line + ":" + colStart + ":" + line + ":" + colEnd
+  )
+  or
+  exists(string filename, int line |
+    expectError(filename, line) and
+    not parsedActualResults(filename, line, _, _, _) and
+    type = "expected alert" and
+    position = filename + ":" + line and
+    parsedExpectedResults(filename, line, error)
+  )
+  or
+  exists(string filename, int line, string content |
+    parsedExpectedResults(filename, line, content) and
+    not expectPass(filename, line) and
+    not expectError(filename, line) and
+    type = "invalid inline expectation" and
+    position = filename + ":" + line and
+    error = content
+  )
+}
+
+from int line, string position, int column, string content
+where
+  position = rank[line](string p | actualExpectedDiff(_, p, _) | p) and
+  (
+    column = 0 and content = position
+    or
+    column = 1 and actualExpectedDiff(content, position, _)
+    or
+    column = 2 and actualExpectedDiff(_, position, content)
+  )
+select "#select", line, column, content

java/ql/test/TestUtilities/ProblematicJavaInlineExpectations1.ql

@@ -0,0 +1 @@
+query predicate resultRelations(string name) { name = "#select" }

java/ql/test/TestUtilities/ProblematicJavaInlineExpectations2.ql

@@ -0,0 +1,3 @@
+query predicate learnEdits(string name) { none() }
+
+select "#select", 1, 1, "foo"

java/ql/test/TestUtilities/ProblematicJavaInlineExpectations3.ql

@@ -0,0 +1,3 @@
+query predicate extraQuery(string name) { none() }
+
+select "#select", 1, 1, "foo"

java/ql/test/TestUtilities/ProblematicJavaInlineExpectations4.ql

@@ -0,0 +1,3 @@
+query predicate resultRelations(string name, int arity) { name = "#select" and arity = 5 }
+
+select "#select", 1, 1, "foo"

java/ql/test/TestUtilities/ProblematicJavaInlineExpectations5.ql

@@ -0,0 +1 @@
+select "#select", "1", 1, "foo"

java/ql/test/TestUtilities/ProblematicJavaInlineExpectations6.ql

@@ -0,0 +1 @@
+select "#select", 1, 1, ["foo", "bar"]

java/ql/test/TestUtilities/ProblematicJavaInlineExpectations7.ql

@@ -0,0 +1,6 @@
+from int i, int j
+where
+  i in [1, 2] and
+  j in [1, 2] and
+  not (i = 2 and j = 2)
+select "#select", i, j, "foo"

java/ql/test/query-tests/Postprocessing/failing/OverlyLargeRangeQuery.expected

@@ -0,0 +1,2 @@
+query: Security/CWE/CWE-020/OverlyLargeRange.ql
+postprocess: TestUtilities/JavaInlineExpectations.ql

java/ql/test/query-tests/Postprocessing/failing/OverlyLargeRangeQuery.qlref

@@ -0,0 +1,37 @@
+import java.util.regex.Pattern;
+
+class SuspiciousRegexpRange {
+    void test() {
+        Pattern overlap1 = Pattern.compile("^[0-93-5]*$"); // NOT OK
+
+        Pattern overlap2 = Pattern.compile("[A-ZA-z]*"); // OK
+
+        Pattern isEmpty = Pattern.compile("^[z-a]*$"); // NOT OK
+
+        Pattern isAscii = Pattern.compile("^[\\x00-\\x7F]*$"); // NOT OK
+
+        Pattern printable = Pattern.compile("[!-~]*"); // OK - used to select most printable ASCII characters
+
+        Pattern codePoints = Pattern.compile("[^\\x21-\\x7E]|[[\\](){}<>/%]*"); // OK
+
+        Pattern NON_ALPHANUMERIC_REGEXP = Pattern.compile("([^\\#-~| |!])*"); // OK
+
+        Pattern smallOverlap = Pattern.compile("[0-9a-fA-f]*"); // NOT OK
+
+        Pattern weirdRange = Pattern.compile("[$-`]*"); // NOT OK
+
+        Pattern keywordOperator = Pattern.compile("[!\\~\\*\\/%+-<>\\^|=&]*"); // NOT OK
+
+        Pattern notYoutube = Pattern.compile("youtu.be/[a-z1-9.-_]+"); // NOT OK
+
+        Pattern numberToLetter = Pattern.compile("[7-F]*"); // NOT OK
+
+        Pattern overlapsWithClass1 = Pattern.compile("[0-9\\d]*"); // NOT OK
+
+        Pattern overlapsWithClass2 = Pattern.compile("[\\w,.-?:*+]*"); // NOT OK
+
+        Pattern nested = Pattern.compile("[[A-Za-z_][A-Za-z0-9._-]]*"); // OK, the dash it at the end
+
+        Pattern octal = Pattern.compile("[\000-\037\040-\045]*"); // OK
+    }
+}

java/ql/test/query-tests/Postprocessing/failing/SuspiciousRegexpRange.java

@@ -0,0 +1,2 @@
+query: Security/CWE/CWE-020/OverlyLargeRange.ql
+postprocess: TestUtilities/JavaInlineExpectations.ql

java/ql/test/query-tests/Postprocessing/passing/OverlyLargeRangeQuery.expected

@@ -0,0 +1,37 @@
+import java.util.regex.Pattern;
+
+class SuspiciousRegexpRange {
+    void test() {
+        Pattern overlap1 = Pattern.compile("^[0-93-5]*$"); // NOT OK
+
+        Pattern overlap2 = Pattern.compile("[A-ZA-z]*"); // NOT OK
+
+        Pattern isEmpty = Pattern.compile("^[z-a]*$"); // NOT OK
+
+        Pattern isAscii = Pattern.compile("^[\\x00-\\x7F]*$"); // OK
+
+        Pattern printable = Pattern.compile("[!-~]*"); // OK - used to select most printable ASCII characters
+
+        Pattern codePoints = Pattern.compile("[^\\x21-\\x7E]|[[\\](){}<>/%]*"); // OK
+
+        Pattern NON_ALPHANUMERIC_REGEXP = Pattern.compile("([^\\#-~| |!])*"); // OK
+
+        Pattern smallOverlap = Pattern.compile("[0-9a-fA-f]*"); // NOT OK
+
+        Pattern weirdRange = Pattern.compile("[$-`]*"); // NOT OK
+
+        Pattern keywordOperator = Pattern.compile("[!\\~\\*\\/%+-<>\\^|=&]*"); // NOT OK
+
+        Pattern notYoutube = Pattern.compile("youtu.be/[a-z1-9.-_]+"); // NOT OK
+
+        Pattern numberToLetter = Pattern.compile("[7-F]*"); // NOT OK
+
+        Pattern overlapsWithClass1 = Pattern.compile("[0-9\\d]*"); // NOT OK
+
+        Pattern overlapsWithClass2 = Pattern.compile("[\\w,.-?:*+]*"); // NOT OK
+
+        Pattern nested = Pattern.compile("[[A-Za-z_][A-Za-z0-9._-]]*"); // OK, the dash it at the end
+
+        Pattern octal = Pattern.compile("[\000-\037\040-\045]*"); // OK
+    }
+}

java/ql/test/query-tests/Postprocessing/passing/OverlyLargeRangeQuery.qlref

@@ -0,0 +1,2 @@
+| SuspiciousRegexpRange.java:11 | expected alert | NOT OK |
+| SuspiciousRegexpRange.java:7:49:7:51 | unexpected alert | Suspicious character range that overlaps with A-Z in the same character class, and is equivalent to [A-Z\\[\\\\\\]^_`a-z]. |

java/ql/test/query-tests/Postprocessing/passing/SuspiciousRegexpRange.java

@@ -0,0 +1,2 @@
+query: Security/CWE/CWE-020/OverlyLargeRange.ql
+postprocess: TestUtilities/JavaInlineExpectations.ql

java/ql/test/query-tests/Postprocessing/passingWithDiff/OverlyLargeRangeQuery.expected

@@ -0,0 +1,37 @@
+import java.util.regex.Pattern;
+
+class SuspiciousRegexpRange {
+    void test() {
+        Pattern overlap1 = Pattern.compile("^[0-93-5]*$"); // NOT OK
+
+        Pattern overlap2 = Pattern.compile("[A-ZA-z]*"); // OK
+
+        Pattern isEmpty = Pattern.compile("^[z-a]*$"); // NOT OK
+
+        Pattern isAscii = Pattern.compile("^[\\x00-\\x7F]*$"); // NOT OK
+
+        Pattern printable = Pattern.compile("[!-~]*"); // OK - used to select most printable ASCII characters
+
+        Pattern codePoints = Pattern.compile("[^\\x21-\\x7E]|[[\\](){}<>/%]*"); // OK
+
+        Pattern NON_ALPHANUMERIC_REGEXP = Pattern.compile("([^\\#-~| |!])*"); // OK
+
+        Pattern smallOverlap = Pattern.compile("[0-9a-fA-f]*"); // NOT OK
+
+        Pattern weirdRange = Pattern.compile("[$-`]*"); // NOT OK
+
+        Pattern keywordOperator = Pattern.compile("[!\\~\\*\\/%+-<>\\^|=&]*"); // NOT OK
+
+        Pattern notYoutube = Pattern.compile("youtu.be/[a-z1-9.-_]+"); // NOT OK
+
+        Pattern numberToLetter = Pattern.compile("[7-F]*"); // NOT OK
+
+        Pattern overlapsWithClass1 = Pattern.compile("[0-9\\d]*"); // NOT OK
+
+        Pattern overlapsWithClass2 = Pattern.compile("[\\w,.-?:*+]*"); // NOT OK
+
+        Pattern nested = Pattern.compile("[[A-Za-z_][A-Za-z0-9._-]]*"); // OK, the dash it at the end
+
+        Pattern octal = Pattern.compile("[\000-\037\040-\045]*"); // OK
+    }
+}

java/ql/test/query-tests/Postprocessing/passingWithDiff/OverlyLargeRangeQuery.qlref

@@ -0,0 +1 @@
+| SuspiciousRegexpRange.java:13 | invalid inline expectation | IS OK - used to select most printable ASCII characters |

java/ql/test/query-tests/Postprocessing/passingWithDiff/SuspiciousRegexpRange.java

@@ -0,0 +1,2 @@
+query: Security/CWE/CWE-020/OverlyLargeRange.ql
+postprocess: TestUtilities/JavaInlineExpectations.ql

java/ql/test/query-tests/Postprocessing/passingWithUnrecognised/OverlyLargeRangeQuery.expected

@@ -0,0 +1,37 @@
+import java.util.regex.Pattern;
+
+class SuspiciousRegexpRange {
+    void test() {
+        Pattern overlap1 = Pattern.compile("^[0-93-5]*$"); // NOT OK
+
+        Pattern overlap2 = Pattern.compile("[A-ZA-z]*"); // NOT OK
+
+        Pattern isEmpty = Pattern.compile("^[z-a]*$"); // NOT OK
+
+        Pattern isAscii = Pattern.compile("^[\\x00-\\x7F]*$"); // OK
+
+        Pattern printable = Pattern.compile("[!-~]*"); // IS OK - used to select most printable ASCII characters
+
+        Pattern codePoints = Pattern.compile("[^\\x21-\\x7E]|[[\\](){}<>/%]*"); // OK
+
+        Pattern NON_ALPHANUMERIC_REGEXP = Pattern.compile("([^\\#-~| |!])*"); // OK
+
+        Pattern smallOverlap = Pattern.compile("[0-9a-fA-f]*"); // NOT OK
+
+        Pattern weirdRange = Pattern.compile("[$-`]*"); // NOT OK
+
+        Pattern keywordOperator = Pattern.compile("[!\\~\\*\\/%+-<>\\^|=&]*"); // NOT OK
+
+        Pattern notYoutube = Pattern.compile("youtu.be/[a-z1-9.-_]+"); // NOT OK
+
+        Pattern numberToLetter = Pattern.compile("[7-F]*"); // NOT OK
+
+        Pattern overlapsWithClass1 = Pattern.compile("[0-9\\d]*"); // NOT OK
+
+        Pattern overlapsWithClass2 = Pattern.compile("[\\w,.-?:*+]*"); // NOT OK
+
+        Pattern nested = Pattern.compile("[[A-Za-z_][A-Za-z0-9._-]]*"); // OK, the dash it at the end
+
+        Pattern octal = Pattern.compile("[\000-\037\040-\045]*"); // OK
+    }
+}

java/ql/test/query-tests/Postprocessing/passingWithUnrecognised/OverlyLargeRangeQuery.qlref

@@ -0,0 +1,2 @@
+query: Security/CWE/CWE-020/OverlyLargeRange.ql
+postprocess: TestUtilities/ProblematicJavaInlineExpectations1.ql

java/ql/test/query-tests/Postprocessing/passingWithUnrecognised/SuspiciousRegexpRange.java

@@ -0,0 +1,37 @@
+import java.util.regex.Pattern;
+
+class SuspiciousRegexpRange {
+    void test() {
+        Pattern overlap1 = Pattern.compile("^[0-93-5]*$"); // NOT OK
+
+        Pattern overlap2 = Pattern.compile("[A-ZA-z]*"); // NOT OK
+
+        Pattern isEmpty = Pattern.compile("^[z-a]*$"); // NOT OK
+
+        Pattern isAscii = Pattern.compile("^[\\x00-\\x7F]*$"); // OK
+
+        Pattern printable = Pattern.compile("[!-~]*"); // OK - used to select most printable ASCII characters
+
+        Pattern codePoints = Pattern.compile("[^\\x21-\\x7E]|[[\\](){}<>/%]*"); // OK
+
+        Pattern NON_ALPHANUMERIC_REGEXP = Pattern.compile("([^\\#-~| |!])*"); // OK
+
+        Pattern smallOverlap = Pattern.compile("[0-9a-fA-f]*"); // NOT OK
+
+        Pattern weirdRange = Pattern.compile("[$-`]*"); // NOT OK
+
+        Pattern keywordOperator = Pattern.compile("[!\\~\\*\\/%+-<>\\^|=&]*"); // NOT OK
+
+        Pattern notYoutube = Pattern.compile("youtu.be/[a-z1-9.-_]+"); // NOT OK
+
+        Pattern numberToLetter = Pattern.compile("[7-F]*"); // NOT OK
+
+        Pattern overlapsWithClass1 = Pattern.compile("[0-9\\d]*"); // NOT OK
+
+        Pattern overlapsWithClass2 = Pattern.compile("[\\w,.-?:*+]*"); // NOT OK
+
+        Pattern nested = Pattern.compile("[[A-Za-z_][A-Za-z0-9._-]]*"); // OK, the dash it at the end
+
+        Pattern octal = Pattern.compile("[\000-\037\040-\045]*"); // OK
+    }
+}

java/ql/test/query-tests/Postprocessing/postprocessingBug1/OverlyLargeRangeQuery.expected

@@ -0,0 +1,2 @@
+query: Security/CWE/CWE-020/OverlyLargeRange.ql
+postprocess: TestUtilities/ProblematicJavaInlineExpectations2.ql

java/ql/test/query-tests/Postprocessing/postprocessingBug1/OverlyLargeRangeQuery.qlref

@@ -0,0 +1,37 @@
+import java.util.regex.Pattern;
+
+class SuspiciousRegexpRange {
+    void test() {
+        Pattern overlap1 = Pattern.compile("^[0-93-5]*$"); // NOT OK
+
+        Pattern overlap2 = Pattern.compile("[A-ZA-z]*"); // NOT OK
+
+        Pattern isEmpty = Pattern.compile("^[z-a]*$"); // NOT OK
+
+        Pattern isAscii = Pattern.compile("^[\\x00-\\x7F]*$"); // OK
+
+        Pattern printable = Pattern.compile("[!-~]*"); // OK - used to select most printable ASCII characters
+
+        Pattern codePoints = Pattern.compile("[^\\x21-\\x7E]|[[\\](){}<>/%]*"); // OK
+
+        Pattern NON_ALPHANUMERIC_REGEXP = Pattern.compile("([^\\#-~| |!])*"); // OK
+
+        Pattern smallOverlap = Pattern.compile("[0-9a-fA-f]*"); // NOT OK
+
+        Pattern weirdRange = Pattern.compile("[$-`]*"); // NOT OK
+
+        Pattern keywordOperator = Pattern.compile("[!\\~\\*\\/%+-<>\\^|=&]*"); // NOT OK
+
+        Pattern notYoutube = Pattern.compile("youtu.be/[a-z1-9.-_]+"); // NOT OK
+
+        Pattern numberToLetter = Pattern.compile("[7-F]*"); // NOT OK
+
+        Pattern overlapsWithClass1 = Pattern.compile("[0-9\\d]*"); // NOT OK
+
+        Pattern overlapsWithClass2 = Pattern.compile("[\\w,.-?:*+]*"); // NOT OK
+
+        Pattern nested = Pattern.compile("[[A-Za-z_][A-Za-z0-9._-]]*"); // OK, the dash it at the end
+
+        Pattern octal = Pattern.compile("[\000-\037\040-\045]*"); // OK
+    }
+}

java/ql/test/query-tests/Postprocessing/postprocessingBug1/SuspiciousRegexpRange.java

@@ -0,0 +1,2 @@
+query: Security/CWE/CWE-020/OverlyLargeRange.ql
+postprocess: TestUtilities/ProblematicJavaInlineExpectations3.ql