Make inline expectation comments specify query

owen-mc · owen-mc · commit dca7046d8c94 · 2026-04-18T10:35:15.000+01:00
diff --git a/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalTest.java b/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalTest.java
@@ -10,14 +10,14 @@
 
 public class PartialPathTraversalTest {
     public void esapiExample(File parent) throws IOException {
-        if (!dir().getCanonicalPath().startsWith(parent.getCanonicalPath())) { // $ Alert
+        if (!dir().getCanonicalPath().startsWith(parent.getCanonicalPath())) { // $ Alert[java/partial-path-traversal-from-remote]
             throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
     }
 
     @SuppressWarnings("ResultOfMethodCallIgnored")
     void foo1(File parent) throws IOException {
-        (dir().getCanonicalPath()).startsWith((parent.getCanonicalPath())); // $ Alert
+        (dir().getCanonicalPath()).startsWith((parent.getCanonicalPath())); // $ Alert[java/partial-path-traversal-from-remote]
     }
 
     void foo2(File parent) throws IOException {
@@ -29,42 +29,42 @@ void foo2(File parent) throws IOException {
 
     void foo3(File parent) throws IOException {
         String parentPath = parent.getCanonicalPath();
-        if (!dir().getCanonicalPath().startsWith(parentPath)) { // $ Alert
+        if (!dir().getCanonicalPath().startsWith(parentPath)) { // $ Alert[java/partial-path-traversal-from-remote]
             throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
     }
 
     void foo4() throws IOException {
-        if (!dir().getCanonicalPath().startsWith("/usr" + "/dir")) { // $ Alert
+        if (!dir().getCanonicalPath().startsWith("/usr" + "/dir")) { // $ Alert[java/partial-path-traversal-from-remote]
             throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
     }
 
     void foo5(File parent) throws IOException {
         String canonicalPath = dir().getCanonicalPath();
-        if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert
+        if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert[java/partial-path-traversal-from-remote]
             throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
     }
 
     void foo6(File parent) throws IOException {
         String canonicalPath = dir().getCanonicalPath();
-        if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert
+        if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert[java/partial-path-traversal-from-remote]
             throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
         String canonicalPath2 = dir().getCanonicalPath();
-        if (!canonicalPath2.startsWith(parent.getCanonicalPath())) { // $ Alert
+        if (!canonicalPath2.startsWith(parent.getCanonicalPath())) { // $ Alert[java/partial-path-traversal-from-remote]
             throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
     }
 
     void foo7(File dir, File parent) throws IOException {
         String canonicalPath = dir().getCanonicalPath();
         String canonicalPath2 = dir().getCanonicalPath();
-        if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert
+        if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert[java/partial-path-traversal-from-remote]
             throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
-        if (!canonicalPath2.startsWith(parent.getCanonicalPath())) { // $ Alert
+        if (!canonicalPath2.startsWith(parent.getCanonicalPath())) { // $ Alert[java/partial-path-traversal-from-remote]
             throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
     }
@@ -94,18 +94,18 @@ void foo10(File parent) throws IOException {
 
     void foo11(File parent) throws IOException {
         String parentCanonical = parent.getCanonicalPath();
-        if (!dir().getCanonicalPath().startsWith(parentCanonical)) { // $ Alert
+        if (!dir().getCanonicalPath().startsWith(parentCanonical)) { // $ Alert[java/partial-path-traversal-from-remote]
             throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
     }
 
     void foo12(File parent) throws IOException {
         String parentCanonical = parent.getCanonicalPath();
         String parentCanonical2 = parent.getCanonicalPath();
-        if (!dir().getCanonicalPath().startsWith(parentCanonical)) { // $ Alert
+        if (!dir().getCanonicalPath().startsWith(parentCanonical)) { // $ Alert[java/partial-path-traversal-from-remote]
             throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
-        if (!dir().getCanonicalPath().startsWith(parentCanonical2)) { // $ Alert
+        if (!dir().getCanonicalPath().startsWith(parentCanonical2)) { // $ Alert[java/partial-path-traversal-from-remote]
             throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
     }
@@ -173,7 +173,7 @@ void foo18(File dir, File parent, boolean branch) throws IOException {
 
     void foo19(File parent) throws IOException {
         String parentCanonical = parent.getCanonicalPath() + "/potato";
-        if (!dir().getCanonicalPath().startsWith(parentCanonical)) { // $ Alert
+        if (!dir().getCanonicalPath().startsWith(parentCanonical)) { // $ Alert[java/partial-path-traversal-from-remote]
             throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
     }
@@ -191,7 +191,7 @@ InputStream foo20() {
         String filePath = sb.toString();
         File encodedFile = new File(filePath);
         try {
-            if (!encodedFile.getCanonicalPath().startsWith(cacheDir.getCanonicalPath())) { // $ Alert
+            if (!encodedFile.getCanonicalPath().startsWith(cacheDir.getCanonicalPath())) { // $ Alert[java/partial-path-traversal-from-remote]
                 return null;
             }
             return Files.newInputStream(encodedFile.toPath());
@@ -209,7 +209,7 @@ void foo21(File parent) throws IOException {
 
     void foo22(File dir2, File parent, boolean conditional) throws IOException {
         String canonicalPath = conditional ? dir().getCanonicalPath() : dir2.getCanonicalPath();
-        if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert
+        if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert[java/partial-path-traversal-from-remote]
             throw new IOException("Invalid directory: " + dir().getCanonicalPath());
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -10,14 +10,14 @@`
`10`	`10`
`11`	`11`	`public class PartialPathTraversalTest {`
`12`	`12`	`public void esapiExample(File parent) throws IOException {`
`13`		`- if (!dir().getCanonicalPath().startsWith(parent.getCanonicalPath())) { // $ Alert`
	`13`	`+ if (!dir().getCanonicalPath().startsWith(parent.getCanonicalPath())) { // $ Alert[java/partial-path-traversal-from-remote]`
`14`	`14`	`throw new IOException("Invalid directory: " + dir().getCanonicalPath());`
`15`	`15`	`}`
`16`	`16`	`}`
`17`	`17`
`18`	`18`	`@SuppressWarnings("ResultOfMethodCallIgnored")`
`19`	`19`	`void foo1(File parent) throws IOException {`
`20`		`- (dir().getCanonicalPath()).startsWith((parent.getCanonicalPath())); // $ Alert`
	`20`	`+ (dir().getCanonicalPath()).startsWith((parent.getCanonicalPath())); // $ Alert[java/partial-path-traversal-from-remote]`
`21`	`21`	`}`
`22`	`22`
`23`	`23`	`void foo2(File parent) throws IOException {`
`@@ -29,42 +29,42 @@ void foo2(File parent) throws IOException {`
`29`	`29`
`30`	`30`	`void foo3(File parent) throws IOException {`
`31`	`31`	`String parentPath = parent.getCanonicalPath();`
`32`		`- if (!dir().getCanonicalPath().startsWith(parentPath)) { // $ Alert`
	`32`	`+ if (!dir().getCanonicalPath().startsWith(parentPath)) { // $ Alert[java/partial-path-traversal-from-remote]`
`33`	`33`	`throw new IOException("Invalid directory: " + dir().getCanonicalPath());`
`34`	`34`	`}`
`35`	`35`	`}`
`36`	`36`
`37`	`37`	`void foo4() throws IOException {`
`38`		`- if (!dir().getCanonicalPath().startsWith("/usr" + "/dir")) { // $ Alert`
	`38`	`+ if (!dir().getCanonicalPath().startsWith("/usr" + "/dir")) { // $ Alert[java/partial-path-traversal-from-remote]`
`39`	`39`	`throw new IOException("Invalid directory: " + dir().getCanonicalPath());`
`40`	`40`	`}`
`41`	`41`	`}`
`42`	`42`
`43`	`43`	`void foo5(File parent) throws IOException {`
`44`	`44`	`String canonicalPath = dir().getCanonicalPath();`
`45`		`- if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert`
	`45`	`+ if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert[java/partial-path-traversal-from-remote]`
`46`	`46`	`throw new IOException("Invalid directory: " + dir().getCanonicalPath());`
`47`	`47`	`}`
`48`	`48`	`}`
`49`	`49`
`50`	`50`	`void foo6(File parent) throws IOException {`
`51`	`51`	`String canonicalPath = dir().getCanonicalPath();`
`52`		`- if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert`
	`52`	`+ if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert[java/partial-path-traversal-from-remote]`
`53`	`53`	`throw new IOException("Invalid directory: " + dir().getCanonicalPath());`
`54`	`54`	`}`
`55`	`55`	`String canonicalPath2 = dir().getCanonicalPath();`
`56`		`- if (!canonicalPath2.startsWith(parent.getCanonicalPath())) { // $ Alert`
	`56`	`+ if (!canonicalPath2.startsWith(parent.getCanonicalPath())) { // $ Alert[java/partial-path-traversal-from-remote]`
`57`	`57`	`throw new IOException("Invalid directory: " + dir().getCanonicalPath());`
`58`	`58`	`}`
`59`	`59`	`}`
`60`	`60`
`61`	`61`	`void foo7(File dir, File parent) throws IOException {`
`62`	`62`	`String canonicalPath = dir().getCanonicalPath();`
`63`	`63`	`String canonicalPath2 = dir().getCanonicalPath();`
`64`		`- if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert`
	`64`	`+ if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert[java/partial-path-traversal-from-remote]`
`65`	`65`	`throw new IOException("Invalid directory: " + dir().getCanonicalPath());`
`66`	`66`	`}`
`67`		`- if (!canonicalPath2.startsWith(parent.getCanonicalPath())) { // $ Alert`
	`67`	`+ if (!canonicalPath2.startsWith(parent.getCanonicalPath())) { // $ Alert[java/partial-path-traversal-from-remote]`
`68`	`68`	`throw new IOException("Invalid directory: " + dir().getCanonicalPath());`
`69`	`69`	`}`
`70`	`70`	`}`
`@@ -94,18 +94,18 @@ void foo10(File parent) throws IOException {`
`94`	`94`
`95`	`95`	`void foo11(File parent) throws IOException {`
`96`	`96`	`String parentCanonical = parent.getCanonicalPath();`
`97`		`- if (!dir().getCanonicalPath().startsWith(parentCanonical)) { // $ Alert`
	`97`	`+ if (!dir().getCanonicalPath().startsWith(parentCanonical)) { // $ Alert[java/partial-path-traversal-from-remote]`
`98`	`98`	`throw new IOException("Invalid directory: " + dir().getCanonicalPath());`
`99`	`99`	`}`
`100`	`100`	`}`
`101`	`101`
`102`	`102`	`void foo12(File parent) throws IOException {`
`103`	`103`	`String parentCanonical = parent.getCanonicalPath();`
`104`	`104`	`String parentCanonical2 = parent.getCanonicalPath();`
`105`		`- if (!dir().getCanonicalPath().startsWith(parentCanonical)) { // $ Alert`
	`105`	`+ if (!dir().getCanonicalPath().startsWith(parentCanonical)) { // $ Alert[java/partial-path-traversal-from-remote]`
`106`	`106`	`throw new IOException("Invalid directory: " + dir().getCanonicalPath());`
`107`	`107`	`}`
`108`		`- if (!dir().getCanonicalPath().startsWith(parentCanonical2)) { // $ Alert`
	`108`	`+ if (!dir().getCanonicalPath().startsWith(parentCanonical2)) { // $ Alert[java/partial-path-traversal-from-remote]`
`109`	`109`	`throw new IOException("Invalid directory: " + dir().getCanonicalPath());`
`110`	`110`	`}`
`111`	`111`	`}`
`@@ -173,7 +173,7 @@ void foo18(File dir, File parent, boolean branch) throws IOException {`
`173`	`173`
`174`	`174`	`void foo19(File parent) throws IOException {`
`175`	`175`	`String parentCanonical = parent.getCanonicalPath() + "/potato";`
`176`		`- if (!dir().getCanonicalPath().startsWith(parentCanonical)) { // $ Alert`
	`176`	`+ if (!dir().getCanonicalPath().startsWith(parentCanonical)) { // $ Alert[java/partial-path-traversal-from-remote]`
`177`	`177`	`throw new IOException("Invalid directory: " + dir().getCanonicalPath());`
`178`	`178`	`}`
`179`	`179`	`}`
`@@ -191,7 +191,7 @@ InputStream foo20() {`
`191`	`191`	`String filePath = sb.toString();`
`192`	`192`	`File encodedFile = new File(filePath);`
`193`	`193`	`try {`
`194`		`- if (!encodedFile.getCanonicalPath().startsWith(cacheDir.getCanonicalPath())) { // $ Alert`
	`194`	`+ if (!encodedFile.getCanonicalPath().startsWith(cacheDir.getCanonicalPath())) { // $ Alert[java/partial-path-traversal-from-remote]`
`195`	`195`	`return null;`
`196`	`196`	`}`
`197`	`197`	`return Files.newInputStream(encodedFile.toPath());`
`@@ -209,7 +209,7 @@ void foo21(File parent) throws IOException {`
`209`	`209`
`210`	`210`	`void foo22(File dir2, File parent, boolean conditional) throws IOException {`
`211`	`211`	`String canonicalPath = conditional ? dir().getCanonicalPath() : dir2.getCanonicalPath();`
`212`		`- if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert`
	`212`	`+ if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert[java/partial-path-traversal-from-remote]`
`213`	`213`	`throw new IOException("Invalid directory: " + dir().getCanonicalPath());`
`214`	`214`	`}`
`215`	`215`	`}`