Merge pull request #375 from esben-semmle/js/limit-directive-sizes

semmle-qlci · web-flow · commit 72012a93cb98 · 2018-10-29T09:59:03.000Z
Approved by xiemaisi
diff --git a/javascript/ql/src/Expressions/UnknownDirective.ql b/javascript/ql/src/Expressions/UnknownDirective.ql
@@ -14,4 +14,4 @@ from Directive d
 where not d instanceof KnownDirective and
       // but exclude attribute top-levels: `<a href="javascript:'some-attribute-string'">`
       not (d.getParent() instanceof CodeInAttribute)
-select d, "Unknown directive: '" + d.getDirectiveText() + "'."
+select d, "Unknown directive: '" + truncate(d.getDirectiveText(), 20, " ... (truncated)")  + "'."
diff --git a/javascript/ql/src/semmle/javascript/Util.qll b/javascript/ql/src/semmle/javascript/Util.qll
@@ -12,15 +12,25 @@ string capitalize(string s) {
   result = s.charAt(0).toUpperCase() + s.suffix(1)
 }
 
- /**
-  * Gets the pluralization for `n` occurrences of `noun`.
-  *
-  * For example, the pluralization of `"function"` for `n = 2` is `"functions"`.
-  */
+/**
+ * Gets the pluralization for `n` occurrences of `noun`.
+ *
+ * For example, the pluralization of `"function"` for `n = 2` is `"functions"`.
+ */
 bindingset[noun, n]
 string pluralize(string noun, int n) {
   if n = 1 then
     result = noun
   else
     result = noun + "s"
-}
+}
+
+/**
+ * Gets `str` or a truncated version of `str` with `explanation` appended if its length exceeds `maxLength`.
+ *
+ * For example, the truncation of `"long_string"` for `maxLength = 5` and explanation `" ..."` is `"long_ ..."`.
+ */
+bindingset[str, maxLength, explanation]
+string truncate(string str, int maxLength, string explanation) {
+  if str.length() > maxLength then result = str.prefix(maxLength) + explanation else result = str
+}
diff --git a/javascript/ql/test/library-tests/Util/truncate.expected b/javascript/ql/test/library-tests/Util/truncate.expected
@@ -0,0 +1 @@
+| y |  | X | XX | XXy |
diff --git a/javascript/ql/test/library-tests/Util/truncate.ql b/javascript/ql/test/library-tests/Util/truncate.ql
@@ -0,0 +1,3 @@
+import semmle.javascript.Util
+
+select truncate("X", 0, "y"), truncate("", 2, "y"), truncate("X", 2, "y"), truncate("XX", 2, "y"), truncate("XXX", 2, "y")
diff --git a/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.expected b/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.expected
@@ -11,3 +11,5 @@
 | UnknownDirective.js:12:5:12:17 | "use struct;" | Unknown directive: 'use struct;'. |
 | UnknownDirective.js:13:5:13:17 | "Use Strict"; | Unknown directive: 'Use Strict'. |
 | UnknownDirective.js:14:5:14:14 | "use bar"; | Unknown directive: 'use bar'. |
+| UnknownDirective.js:38:5:38:17 | "[0, 0, 0];"; | Unknown directive: '[0, 0, 0];'. |
+| UnknownDirective.js:39:5:39:65 | "[0, 0, ... , 0];"; | Unknown directive: '[0, 0, 0, 0, 0, 0, 0 ... (truncated)'. |
diff --git a/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.js b/javascript/ql/test/query-tests/Expressions/UnknownDirective/UnknownDirective.js
@@ -33,3 +33,8 @@ function good() {
     "deps foo"; // OK
     "deps bar"; // OK
 }
+
+function data() {
+    "[0, 0, 0];"; // NOT OK
+    "[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];"; // NOT OK
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+import semmle.javascript.Util`
	`2`	`+`
	`3`	`+select truncate("X", 0, "y"), truncate("", 2, "y"), truncate("X", 2, "y"), truncate("XX", 2, "y"), truncate("XXX", 2, "y")`
Original file line number	Diff line number	Diff line change
`@@ -33,3 +33,8 @@ function good() {`
`33`	`33`	`"deps foo"; // OK`
`34`	`34`	`"deps bar"; // OK`
`35`	`35`	`}`
	`36`	`+`
	`37`	`+function data() {`
	`38`	`+ "[0, 0, 0];"; // NOT OK`
	`39`	`+ "[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];"; // NOT OK`
	`40`	`+}`