Markdown rendering: Display paths

shati-patel · shati-patel · commit f55f46f95bd2 · 2022-04-26T10:15:45.000+01:00
diff --git a/extensions/ql-vscode/src/remote-queries/remote-queries-markdown-generation.ts b/extensions/ql-vscode/src/remote-queries/remote-queries-markdown-generation.ts
@@ -89,8 +89,8 @@ function generateMarkdownForInterpretedResult(interpretedResult: AnalysisAlert,
       ...generateMarkdownForCodeSnippet(codeSnippet, language, highlightedRegion),
     );
   }
-  const alertMessage = buildMarkdownAlertMessage(interpretedResult);
-  lines.push(alertMessage);
+  const alertMessageLines = buildMarkdownAlertMessage(interpretedResult, language);
+  lines.push(...alertMessageLines);
 
   // Padding between results
   lines.push(
@@ -142,22 +142,67 @@ function highlightCodeLines(
   return `${partiallyHighlightedLine.plainSection1}<strong>${partiallyHighlightedLine.highlightedSection}</strong>${partiallyHighlightedLine.plainSection2}`;
 }
 
-function buildMarkdownAlertMessage(interpretedResult: AnalysisAlert): string {
+function buildMarkdownAlertMessage(
+  interpretedResult: AnalysisAlert,
+  language: string
+): string[] {
+  const hasPathResults = interpretedResult.codeFlows.length > 0;
+  if (hasPathResults) {
+    // For path-problem queries, the "alert message" is an expandable section containing the path results.
+    return buildMarkdownPathResults(interpretedResult, language);
+  } else {
+    let alertMessage = '';
+    // For regular problem queries (no paths), the alert message is just a message
+    // containing a link to the affected file.
+    for (const token of interpretedResult.message.tokens) {
+      if (token.t === 'text') {
+        alertMessage += token.text;
+      } else if (token.t === 'location') {
+        alertMessage += createMarkdownRemoteFileRef(
+          token.location.fileLink,
+          token.location.highlightedRegion?.startLine,
+          token.location.highlightedRegion?.endLine,
+          token.text
+        );
+      }
+    }
+    // Italicize the alert message
+    return [`*${alertMessage}*`];
+  }
+}
+
+function buildMarkdownPathResults(
+  interpretedResult: AnalysisAlert,
+  language: string
+): MarkdownFile {
   let alertMessage = '';
   for (const token of interpretedResult.message.tokens) {
-    if (token.t === 'text') {
-      alertMessage += token.text;
-    } else if (token.t === 'location') {
-      alertMessage += createMarkdownRemoteFileRef(
-        token.location.fileLink,
-        token.location.highlightedRegion?.startLine,
-        token.location.highlightedRegion?.endLine,
-        token.text,
+    alertMessage += token.text;
+  }
+  const pathLines: MarkdownFile = [];
+  pathLines.push('#### Paths', '');
+  for (const codeFlow of interpretedResult.codeFlows) {
+    const stepCount = codeFlow.threadFlows.length;
+    pathLines.push(`Path with ${stepCount} steps`);
+    let index = 1;
+    for (const threadFlow of codeFlow.threadFlows) {
+      const link = createMarkdownRemoteFileRef(
+        threadFlow.fileLink,
+        threadFlow.highlightedRegion?.startLine,
+        threadFlow.highlightedRegion?.endLine
+      );
+      const codeSnippet = generateMarkdownForCodeSnippet(
+        threadFlow.codeSnippet,
+        language,
+        threadFlow.highlightedRegion
       );
+      // Indent the snippet to fit with the numbered list.
+      const codeSnippetIndented = codeSnippet.map((line) => `    ${line}`);
+      pathLines.push(`${index}. ${link}`, ...codeSnippetIndented);
+      index++;
     }
   }
-  // Italicize the alert message
-  return `*${alertMessage}*`;
+  return buildExpandableMarkdownSection(`<i>${alertMessage}</i>`, pathLines);
 }
 
 /**
diff --git a/extensions/ql-vscode/test/pure-tests/remote-queries/markdown-generation/data/interpreted-results/path-problem/results-repo1.md b/extensions/ql-vscode/test/pure-tests/remote-queries/markdown-generation/data/interpreted-results/path-problem/results-repo1.md
@@ -8,7 +8,54 @@
 }
 </code></pre>
 
-*This shell command depends on an uncontrolled [absolute path](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/src/Security/CWE-078/examples/shell-command-injection-from-environment.js#L4-L4).*
+<details>
+<summary><i>This shell command depends on an uncontrolled absolute path.</i></summary>
+
+#### Paths
+
+Path with 5 steps
+1. [javascript/ql/src/Security/CWE-078/examples/shell-command-injection-from-environment.js](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/src/Security/CWE-078/examples/shell-command-injection-from-environment.js#L4-L4)
+    <pre><code class="javascript">  path = require("path");
+    function cleanupTemp() {
+      let cmd = "rm -rf " + path.join(<strong>__dirname</strong>, "temp");
+      cp.execSync(cmd); // BAD
+    }
+    </code></pre>
+    
+2. [javascript/ql/src/Security/CWE-078/examples/shell-command-injection-from-environment.js](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/src/Security/CWE-078/examples/shell-command-injection-from-environment.js#L4-L4)
+    <pre><code class="javascript">  path = require("path");
+    function cleanupTemp() {
+      let cmd = "rm -rf " + <strong>path.join(__dirname, "temp")</strong>;
+      cp.execSync(cmd); // BAD
+    }
+    </code></pre>
+    
+3. [javascript/ql/src/Security/CWE-078/examples/shell-command-injection-from-environment.js](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/src/Security/CWE-078/examples/shell-command-injection-from-environment.js#L4-L4)
+    <pre><code class="javascript">  path = require("path");
+    function cleanupTemp() {
+      let cmd = <strong>"rm -rf " + path.join(__dirname, "temp")</strong>;
+      cp.execSync(cmd); // BAD
+    }
+    </code></pre>
+    
+4. [javascript/ql/src/Security/CWE-078/examples/shell-command-injection-from-environment.js](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/src/Security/CWE-078/examples/shell-command-injection-from-environment.js#L4-L4)
+    <pre><code class="javascript">  path = require("path");
+    function cleanupTemp() {
+      let <strong>cmd = "rm -rf " + path.join(__dirname, "temp")</strong>;
+      cp.execSync(cmd); // BAD
+    }
+    </code></pre>
+    
+5. [javascript/ql/src/Security/CWE-078/examples/shell-command-injection-from-environment.js](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/src/Security/CWE-078/examples/shell-command-injection-from-environment.js#L5-L5)
+    <pre><code class="javascript">function cleanupTemp() {
+      let cmd = "rm -rf " + path.join(__dirname, "temp");
+      cp.execSync(<strong>cmd</strong>); // BAD
+    }
+    </code></pre>
+    
+
+</details>
+
 
 ----------------------------------------
 
@@ -21,7 +68,39 @@
 	execa.shell('rm -rf ' + path.join(__dirname, "temp")); // NOT OK
 </code></pre>
 
-*This shell command depends on an uncontrolled [absolute path](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js#L6-L6).*
+<details>
+<summary><i>This shell command depends on an uncontrolled absolute path.</i></summary>
+
+#### Paths
+
+Path with 3 steps
+1. [javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js#L6-L6)
+    <pre><code class="javascript">(function() {
+    	cp.execFileSync('rm',  ['-rf', path.join(__dirname, "temp")]); // GOOD
+    	cp.execSync('rm -rf ' + path.join(<strong>__dirname</strong>, "temp")); // BAD
+    
+    	execa.shell('rm -rf ' + path.join(__dirname, "temp")); // NOT OK
+    </code></pre>
+    
+2. [javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js#L6-L6)
+    <pre><code class="javascript">(function() {
+    	cp.execFileSync('rm',  ['-rf', path.join(__dirname, "temp")]); // GOOD
+    	cp.execSync('rm -rf ' + <strong>path.join(__dirname, "temp")</strong>); // BAD
+    
+    	execa.shell('rm -rf ' + path.join(__dirname, "temp")); // NOT OK
+    </code></pre>
+    
+3. [javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js#L6-L6)
+    <pre><code class="javascript">(function() {
+    	cp.execFileSync('rm',  ['-rf', path.join(__dirname, "temp")]); // GOOD
+    	cp.execSync(<strong>'rm -rf ' + path.join(__dirname, "temp")</strong>); // BAD
+    
+    	execa.shell('rm -rf ' + path.join(__dirname, "temp")); // NOT OK
+    </code></pre>
+    
+
+</details>
+
 
 ----------------------------------------
 
@@ -34,7 +113,39 @@
 
 </code></pre>
 
-*This shell command depends on an uncontrolled [absolute path](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js#L8-L8).*
+<details>
+<summary><i>This shell command depends on an uncontrolled absolute path.</i></summary>
+
+#### Paths
+
+Path with 3 steps
+1. [javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js#L8-L8)
+    <pre><code class="javascript">	cp.execSync('rm -rf ' + path.join(__dirname, "temp")); // BAD
+    
+    	execa.shell('rm -rf ' + path.join(<strong>__dirname</strong>, "temp")); // NOT OK
+    	execa.shellSync('rm -rf ' + path.join(__dirname, "temp")); // NOT OK
+    
+    </code></pre>
+    
+2. [javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js#L8-L8)
+    <pre><code class="javascript">	cp.execSync('rm -rf ' + path.join(__dirname, "temp")); // BAD
+    
+    	execa.shell('rm -rf ' + <strong>path.join(__dirname, "temp")</strong>); // NOT OK
+    	execa.shellSync('rm -rf ' + path.join(__dirname, "temp")); // NOT OK
+    
+    </code></pre>
+    
+3. [javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js#L8-L8)
+    <pre><code class="javascript">	cp.execSync('rm -rf ' + path.join(__dirname, "temp")); // BAD
+    
+    	execa.shell(<strong>'rm -rf ' + path.join(__dirname, "temp")</strong>); // NOT OK
+    	execa.shellSync('rm -rf ' + path.join(__dirname, "temp")); // NOT OK
+    
+    </code></pre>
+    
+
+</details>
+
 
 ----------------------------------------
 
@@ -47,6 +158,38 @@
 	const safe = "\"" + path.join(__dirname, "temp") + "\"";
 </code></pre>
 
-*This shell command depends on an uncontrolled [absolute path](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js#L9-L9).*
+<details>
+<summary><i>This shell command depends on an uncontrolled absolute path.</i></summary>
+
+#### Paths
+
+Path with 3 steps
+1. [javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js#L9-L9)
+    <pre><code class="javascript">
+    	execa.shell('rm -rf ' + path.join(__dirname, "temp")); // NOT OK
+    	execa.shellSync('rm -rf ' + path.join(<strong>__dirname</strong>, "temp")); // NOT OK
+    
+    	const safe = "\"" + path.join(__dirname, "temp") + "\"";
+    </code></pre>
+    
+2. [javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js#L9-L9)
+    <pre><code class="javascript">
+    	execa.shell('rm -rf ' + path.join(__dirname, "temp")); // NOT OK
+    	execa.shellSync('rm -rf ' + <strong>path.join(__dirname, "temp")</strong>); // NOT OK
+    
+    	const safe = "\"" + path.join(__dirname, "temp") + "\"";
+    </code></pre>
+    
+3. [javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js](https://github.com/github/codeql/blob/48015e5a2e6202131f2d1062cc066dc33ed69a9b/javascript/ql/test/query-tests/Security/CWE-078/tst_shell-command-injection-from-environment.js#L9-L9)
+    <pre><code class="javascript">
+    	execa.shell('rm -rf ' + path.join(__dirname, "temp")); // NOT OK
+    	execa.shellSync(<strong>'rm -rf ' + path.join(__dirname, "temp")</strong>); // NOT OK
+    
+    	const safe = "\"" + path.join(__dirname, "temp") + "\"";
+    </code></pre>
+    
+
+</details>
+
 
 ----------------------------------------
diff --git a/extensions/ql-vscode/test/pure-tests/remote-queries/markdown-generation/data/interpreted-results/path-problem/results-repo2.md b/extensions/ql-vscode/test/pure-tests/remote-queries/markdown-generation/data/interpreted-results/path-problem/results-repo2.md
@@ -9,6 +9,82 @@
   }
 </code></pre>
 
-*This shell command depends on an uncontrolled [absolute path](https://github.com/meteor/meteor/blob/73b538fe201cbfe89dd0c709689023f9b3eab1ec/npm-packages/meteor-installer/config.js#L39-L39).*
+<details>
+<summary><i>This shell command depends on an uncontrolled absolute path.</i></summary>
+
+#### Paths
+
+Path with 7 steps
+1. [npm-packages/meteor-installer/config.js](https://github.com/meteor/meteor/blob/73b538fe201cbfe89dd0c709689023f9b3eab1ec/npm-packages/meteor-installer/config.js#L39-L39)
+    <pre><code class="javascript">
+    const meteorLocalFolder = '.meteor';
+    const meteorPath = <strong>path.resolve(rootPath, meteorLocalFolder)</strong>;
+    
+    module.exports = {
+    </code></pre>
+    
+2. [npm-packages/meteor-installer/config.js](https://github.com/meteor/meteor/blob/73b538fe201cbfe89dd0c709689023f9b3eab1ec/npm-packages/meteor-installer/config.js#L39-L39)
+    <pre><code class="javascript">
+    const meteorLocalFolder = '.meteor';
+    const <strong>meteorPath = path.resolve(rootPath, meteorLocalFolder)</strong>;
+    
+    module.exports = {
+    </code></pre>
+    
+3. [npm-packages/meteor-installer/config.js](https://github.com/meteor/meteor/blob/73b538fe201cbfe89dd0c709689023f9b3eab1ec/npm-packages/meteor-installer/config.js#L44-L44)
+    <pre><code class="javascript">  METEOR_LATEST_VERSION,
+      extractPath: rootPath,
+      <strong>meteorPath</strong>,
+      release: process.env.INSTALL_METEOR_VERSION || METEOR_LATEST_VERSION,
+      rootPath,
+    </code></pre>
+    
+4. [npm-packages/meteor-installer/install.js](https://github.com/meteor/meteor/blob/73b538fe201cbfe89dd0c709689023f9b3eab1ec/npm-packages/meteor-installer/install.js#L12-L12)
+    <pre><code class="javascript">const os = require('os');
+    const {
+      <strong>meteorPath</strong>,
+      release,
+      startedPath,
+    </code></pre>
+    
+5. [npm-packages/meteor-installer/install.js](https://github.com/meteor/meteor/blob/73b538fe201cbfe89dd0c709689023f9b3eab1ec/npm-packages/meteor-installer/install.js#L11-L23)
+    <pre><code class="javascript">const tmp = require('tmp');
+    const os = require('os');
+    const <strong>{</strong>
+    <strong>  meteorPath,</strong>
+    <strong>  release,</strong>
+    <strong>  startedPath,</strong>
+    <strong>  extractPath,</strong>
+    <strong>  isWindows,</strong>
+    <strong>  rootPath,</strong>
+    <strong>  sudoUser,</strong>
+    <strong>  isSudo,</strong>
+    <strong>  isMac,</strong>
+    <strong>  METEOR_LATEST_VERSION,</strong>
+    <strong>  shouldSetupExecPath,</strong>
+    <strong>} = require('./config.js')</strong>;
+    const { uninstall } = require('./uninstall');
+    const {
+    </code></pre>
+    
+6. [npm-packages/meteor-installer/install.js](https://github.com/meteor/meteor/blob/73b538fe201cbfe89dd0c709689023f9b3eab1ec/npm-packages/meteor-installer/install.js#L259-L259)
+    <pre><code class="javascript">  if (isWindows()) {
+        //set for the current session and beyond
+        child_process.execSync(`setx path "${<strong>meteorPath</strong>}/;%path%`);
+        return;
+      }
+    </code></pre>
+    
+7. [npm-packages/meteor-installer/install.js](https://github.com/meteor/meteor/blob/73b538fe201cbfe89dd0c709689023f9b3eab1ec/npm-packages/meteor-installer/install.js#L259-L259)
+    <pre><code class="javascript">  if (isWindows()) {
+        //set for the current session and beyond
+        child_process.execSync(<strong>`setx path "${meteorPath}/;%path%`</strong>);
+        return;
+      }
+    </code></pre>
+    
+
+</details>
+
 
 ----------------------------------------
