Added inline test expectations for cors permissive config

Napalys · Napalys · commit 95743d710918 · 2025-07-30T10:42:55.000Z
diff --git a/javascript/ql/test/query-tests/Security/CWE-942/CorsPermissiveConfiguration.qlref b/javascript/ql/test/query-tests/Security/CWE-942/CorsPermissiveConfiguration.qlref
@@ -1 +1,2 @@
-Security/CWE-942/CorsPermissiveConfiguration.ql
+query: Security/CWE-942/CorsPermissiveConfiguration.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/javascript/ql/test/query-tests/Security/CWE-942/apollo-test.js b/javascript/ql/test/query-tests/Security/CWE-942/apollo-test.js
@@ -5,10 +5,10 @@ var https = require('https'),
 var server = https.createServer(function () { });
 
 server.on('request', function (req, res) {
-    let user_origin = url.parse(req.url, true).query.origin;
+    let user_origin = url.parse(req.url, true).query.origin; // $ Source
     // BAD: CORS too permissive
     const server_1 = new ApolloServer({
-        cors: { origin: true }
+        cors: { origin: true } // $ Alert
     });
 
     // GOOD: restrictive CORS 
@@ -18,11 +18,11 @@ server.on('request', function (req, res) {
 
     // BAD: CORS too permissive 
     const server_3 = new ApolloServer({
-        cors: { origin: null }
+        cors: { origin: null } // $ Alert
     });
 
     // BAD: CORS is controlled by user
     const server_4 = new ApolloServer({
-        cors: { origin: user_origin }
+        cors: { origin: user_origin } // $ Alert
     });
 });
diff --git a/javascript/ql/test/query-tests/Security/CWE-942/express-test.js b/javascript/ql/test/query-tests/Security/CWE-942/express-test.js
@@ -7,7 +7,7 @@ var https = require('https'),
 var server = https.createServer(function () { });
 
 server.on('request', function (req, res) {
-    let user_origin = url.parse(req.url, true).query.origin;
+    let user_origin = url.parse(req.url, true).query.origin; // $ Source
 
     // BAD: CORS too permissive, default value is *
     var app1 = express();
@@ -23,14 +23,14 @@ server.on('request', function (req, res) {
     // BAD: CORS too permissive 
     var app3 = express();
     var corsOption3 = {
-        origin: '*'
+        origin: '*' // $ Alert
     };
     app3.use(cors(corsOption3));
 
     // BAD: CORS is controlled by user
     var app4 = express();
     var corsOption4 = {
-        origin: user_origin
+        origin: user_origin // $ Alert
     };
     app4.use(cors(corsOption4));
 });

Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`		`-Security/CWE-942/CorsPermissiveConfiguration.ql`
	`1`	`+query: Security/CWE-942/CorsPermissiveConfiguration.ql`
	`2`	`+postprocess: utils/test/InlineExpectationsTestQuery.ql`