Ruby: Ignore results inside here-docs in inline expectations

Author: hvitved

ruby/ql/lib/utils/test/InlineExpectationsTestQuery.ql

@@ -18,4 +18,12 @@ private module Input implements T::TestPostProcessing::InputSig<Impl> {
         f.getRelativePath() + ":" + startline + ":" + startcolumn + ":" + endline + ":" + endcolumn
     )
   }
+
+  predicate ignoreResult(string filePath, int startLine, int startColumn, int endLine, int endColumn) {
+    exists(Ast::HereDoc doc |
+      doc.getAChild*()
+          .getLocation()
+          .hasLocationInfo(filePath, startLine, startColumn, endLine, endColumn)
+    )
+  }
 }

ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/UnsafeCodeConstruction.expected

@@ -73,5 +73,3 @@ nodes
 | impl/unsafeCode.rb:63:30:63:30 | y | semmle.label | y |
 | impl/unsafeCode.rb:64:10:64:13 | arr2 | semmle.label | arr2 |
 subpaths
-testFailures
-| impl/unsafeCode.rb:49:9:49:12 | #{...} | Unexpected result: Alert |

shared/util/codeql/util/test/InlineExpectationsTest.qll

@@ -635,6 +635,19 @@ module TestPostProcessing {
 
   signature module InputSig<InlineExpectationsTestSig Input> {
     string getRelativeUrl(Input::Location location);
+
+    /**
+     * Holds if results at the given location should be ignored.
+     *
+     * This is useful when it is impossible to insert expectation comments, for example
+     * inside Ruby here-docs.
+     */
+    bindingset[filePath, startLine, startColumn, endLine, endColumn]
+    default predicate ignoreResult(
+      string filePath, int startLine, int startColumn, int endLine, int endColumn
+    ) {
+      none()
+    }
   }
 
   module Make<InlineExpectationsTestSig Input, InputSig<Input> Input2> {
@@ -744,7 +757,11 @@ module TestPostProcessing {
 
     pragma[nomagic]
     private predicate mainQueryResult(int row, int column, TestLocation loc) {
-      queryResults(mainResultSet(), row, column, loc.getRelativeUrl())
+      queryResults(mainResultSet(), row, column, loc.getRelativeUrl()) and
+      not exists(string filePath, int startLine, int startColumn, int endLine, int endColumn |
+        loc.hasLocationInfo(filePath, startLine, startColumn, endLine, endColumn) and
+        Input2::ignoreResult(filePath, startLine, startColumn, endLine, endColumn)
+      )
     }
 
     /**
@@ -755,10 +772,14 @@ module TestPostProcessing {
      */
     private string getSourceTag(int row) {
       getQueryKind() = "path-problem" and
-      exists(TestLocation sourceLoc, TestLocation selectLoc |
-        mainQueryResult(row, 0, selectLoc) and
+      exists(TestLocation sourceLoc |
         mainQueryResult(row, 2, sourceLoc) and
-        if sameLineInfo(selectLoc, sourceLoc) then result = "Alert" else result = "Source"
+        if
+          exists(TestLocation selectLoc |
+            mainQueryResult(row, 0, selectLoc) and sameLineInfo(selectLoc, sourceLoc)
+          )
+        then result = "Alert"
+        else result = "Source"
       )
     }
 
@@ -770,10 +791,14 @@ module TestPostProcessing {
      */
     private string getSinkTag(int row) {
       getQueryKind() = "path-problem" and
-      exists(TestLocation sinkLoc, TestLocation selectLoc |
-        mainQueryResult(row, 0, selectLoc) and
+      exists(TestLocation sinkLoc |
         mainQueryResult(row, 4, sinkLoc) and
-        if sameLineInfo(selectLoc, sinkLoc) then result = "Alert" else result = "Sink"
+        if
+          exists(TestLocation selectLoc |
+            mainQueryResult(row, 0, selectLoc) and sameLineInfo(selectLoc, sinkLoc)
+          )
+        then result = "Alert"
+        else result = "Sink"
       )
     }