introduce new syntax for built-in query suites

2025-12-24 08:10:06 +08:00 · 2020-05-26 16:02:22 +01:00
parent 8b71cf3e5f
commit 1e600686e7
6 changed files with 101 additions and 10 deletions
--- a/lib/config-utils.js
+++ b/lib/config-utils.js
@@ -21,12 +21,15 @@ class ExternalQuery {
    }
 }
 exports.ExternalQuery = ExternalQuery;
+// The set of acceptable values for built-in suites from the codeql bundle
+const builtinSuites = ['security-experimental', 'security-and-quality'];
 class Config {
    constructor() {
        this.name = "";
        this.disableDefaultQueries = false;
        this.additionalQueries = [];
        this.externalQueries = [];
+        this.additionalSuites = [];
        this.pathsIgnore = [];
        this.paths = [];
    }
@@ -39,9 +42,31 @@ class Config {
        }
        // Check for the local path case before we start trying to parse the repository name
        if (queryUses.startsWith("./")) {
-            this.additionalQueries.push(queryUses.slice(2));
+            const localQueryPath = queryUses.slice(2);
+            // Resolve the local path against the workspace so that when this is
+            // passed to codeql it resolves to exactly the path we expect it to resolve to.
+            const workspacePath = util.getRequiredEnvParam('GITHUB_WORKSPACE');
+            const absoluteQueryPath = path.join(workspacePath, localQueryPath);
+            // Check the file exists
+            if (!fs.existsSync(absoluteQueryPath)) {
+                throw new Error(getLocalPathDoesNotExist(localQueryPath));
+            }
+            // Check the local path doesn't jump outside the repo using '..' or symlinks
+            if (!(fs.realpathSync(absoluteQueryPath) + path.sep).startsWith(workspacePath + path.sep)) {
+                throw new Error(getLocalPathOutsideOfRepository(localQueryPath));
+            }
+            this.additionalQueries.push(absoluteQueryPath);
            return;
        }
+        // Check for one of the builtin suites
+        if (queryUses.indexOf('/') === -1 && queryUses.indexOf('@') === -1) {
+            if (queryUses in builtinSuites) {
+                this.additionalSuites.push(queryUses);
+            }
+            else {
+                throw new Error(getQueryUsesIncorrect(queryUses));
+            }
+        }
        let tok = queryUses.split('@');
        if (tok.length !== 2) {
            throw new Error(getQueryUsesIncorrect(queryUses));
@@ -74,9 +99,21 @@ function getQueryUsesBlank() {
 }
 exports.getQueryUsesBlank = getQueryUsesBlank;
 function getQueryUsesIncorrect(queryUses) {
-    return '"uses" value for queries must be a path, or owner/repo@ref \n Found: ' + queryUses;
+    return '"uses" value for queries must be a built-in suite (' + builtinSuites.join('or') +
+        '), a relative path, or of the form owner/repo@ref\n' +
+        'Found: ' + queryUses;
 }
 exports.getQueryUsesIncorrect = getQueryUsesIncorrect;
+function getLocalPathOutsideOfRepository(localPath) {
+    return 'Unable to use queries from local path "' + localPath +
+        '" as it is outside of the repository';
+}
+exports.getLocalPathOutsideOfRepository = getLocalPathOutsideOfRepository;
+function getLocalPathDoesNotExist(localPath) {
+    return 'Unable to use queries from local path "' + localPath +
+        '" as the path does not exist in the repository';
+}
+exports.getLocalPathDoesNotExist = getLocalPathDoesNotExist;
 function getConfigFileOutsideWorkspaceErrorMessage(configFile) {
    return 'The configuration file "' + configFile + '" is outside of the workspace';
 }