How do I display full string in a CodeQL exported result?
Question
Converting a.getChild(1) to a string using toString():
test.ql
/**
 * @id custom
 * @kind problem
 * @problem.severity warning
 *
 */
import javascript
from ObjectExpr oe, Property p1, int i, AstNode a
where p1 = oe.getProperty(i) and
  p1.getName() = "fragment" and
  a = p1.getAChild().getAChild() and
  a.toString().indexOf("name") > -1
select a, a.getChild(1).toString()
Here is the codeql command used for generating a csv result file:
codeql database analyze ~/test.com ./test.ql --format=csv --output=results.csv
For example:
a.getChild(1).toString() = PageLoadablePageWrapperQuery
will be saved in the csv file like
PageLo ... rQuery
instead of the full string.
How do I have the full string in the exported csv result?
Answer 1
Score: 1
For the JavaScript library in CodeQL the shortening of long names in .toString() is hardcoded*. See https://github.com/github/codeql/blob/7361ad977a5dd5252d21f5fd23de47d75b763651/javascript/extractor/src/com/semmle/js/extractor/TextualExtractor.java#L121:
    public static String sanitiseToString(String str) {
      if (str.length() > 20) str = str.substring(0, 7) + " ... " + str.substring(str.length() - 7);
However, it is not very difficult to modify the source code such that codeql database analyze skips this part of the string sanitation. This can be done using the following steps:
- download TextualExtractor.java from the url above and comment or remove the mentioned if-statement
- find the location of extractor-javascript.jar in the installation of CodeQL, which is something like codeql/javascript/tools/
- compile the modified file using the following line:
  javac -cp ".:/path/to/codeql/javascript/tools/extractor-javascript.jar" TextualExtractor.java
- extract the jar file, replace TextualExtractor.class in the directory com/semmle/js/extractor/, and re-compress the jar file
- re-install the javascript pack with codeql pack install --force from the directory that contains qlpack.yml, i.e., the project root
- regenerate your CodeQL project database with
  codeql database create dbname --overwrite --language=javascript --source-root=/path/to/project
- run the query again.
Tested with the following JavaScript file:
var PageLoadablePageWrapperQuery = "some query";
var p = { // object literal containing five property definitions
  longtobetruncatedfragment: PageLoadablePageWrapperQuery,
  y: 1,
  diag: function() { return this.x - this.y; },
  get area() { return this.x * this.y; },
  set area(a) { this.x = Math.sqrt(a); this.y = Math.sqrt(a); }
};
and the following query:
/**
 * @id custom
 * @kind problem
 * @problem.severity warning
 *
 */
import javascript
from ObjectExpr oe, Property p1, int i, AstNode a
where p1 = oe.getProperty(i) and
  p1.getName() = "longtobetruncatedfragment" and
  a = p1.getAChild()
select a, a.toString()
Resulting csv:
,,"warning","longtobetruncatedfragment","/testfile.js","4","3","4","27"
,,"warning","PageLoadablePageWrapperQuery","/testfile.js","4","30","4","57"
*Interestingly for other languages, for example the Python library, the sanitation step is not implemented.
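
An alternative that leaves extractor-javascript.jar untouched, added here as an example (it is not part of the original answer or of CodeQL): each CSV row carries the file path and the start/end line and column, so a truncated message can be replaced with the source text at that location. It assumes the column order shown in the CSV above and a query that selects a, a.toString(); the function names and the sample data are constructed for illustration.

```python
import csv
import io
import re

# Shape left by sanitiseToString: first 7 chars + " ... " + last 7 chars.
TRUNCATED = re.compile(r".{7} \.\.\. .{7}", re.DOTALL)

def sanitise_to_string(s):
    """Mirror of the truncation rule quoted from TextualExtractor.java."""
    return s[:7] + " ... " + s[-7:] if len(s) > 20 else s

def source_span(lines, sl, sc, el, ec):
    """Text at a 1-based location whose end column is inclusive."""
    if sl == el:
        return lines[sl - 1][sc - 1:ec]
    middle = lines[sl:el - 1]
    return "\n".join([lines[sl - 1][sc - 1:], *middle, lines[el - 1][:ec]])

def restore_messages(csv_text, sources):
    """Swap truncated messages for the source text at each row's location.

    Assumption: the query selects `a, a.toString()`, so message and location
    describe the same element. `sources` maps CSV path -> file contents.
    """
    restored = []
    for row in csv.reader(io.StringIO(csv_text), skipinitialspace=True):
        message, path = row[3], row[4]
        sl, sc, el, ec = (int(v) for v in row[5:9])
        if TRUNCATED.fullmatch(message) and path in sources:
            full = source_span(sources[path].splitlines(), sl, sc, el, ec)
            # Accept the span only if truncating it reproduces the message.
            if sanitise_to_string(full) == message:
                message = full
        restored.append(message)
    return restored

# Constructed sample: the answer's test file with one leading line added so
# the line numbers match, and the CSV an unmodified extractor would write.
SAMPLE_JS = """// constructed test file
var PageLoadablePageWrapperQuery = "some query";
var p = {
  longtobetruncatedfragment: PageLoadablePageWrapperQuery,
  y: 1
};
"""
SAMPLE_CSV = (
    ',,"warning","longtob ... ragment","/testfile.js","4","3","4","27"\n'
    ',,"warning","PageLoa ... erQuery","/testfile.js","4","30","4","57"\n'
)
```

Rows whose location does not reproduce the truncated message (for example a query that reports a.getChild(1).toString() against the location of a) are left unchanged.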