Improve CDS extractor diagnostics and tests

Improves the diagnostic messages created by the CDS extractor
reports for the edge case where some file path is associated
with a diagnostic warning or error but is not a path within the
source root directory that the CDS extractor was configured to
scan. This change attempts to continue to prevent path injection
and path traversal attacks for any diagnostics generated by the
CDS extractor while ensuring the unlinkability of this edge case
is explained to any user viewing such diagnostics. We don't expect
to encounter situations where a diagnostic error or warning is
reported for any file outside of the scanned source root directory,
but we want to handle such situations well and we do so here by
improving the text of our diagnostic message to the user without
giving the user a link to a non-repo file.

Author: data-douser

extractors/cds/tools/dist/cds-extractor.bundle.js

@@ -79,6 +79,21 @@ function addDiagnostic(
     ? convertToRelativePath(filePath, sourceRoot)
     : resolve(filePath);
 
+  // If the file was remapped to source root due to being outside the repository,
+  // append an explanatory note to the message
+  let finalMessage = message;
+  if (sourceRoot && finalFilePath === '.' && filePath !== sourceRoot) {
+    const resolvedSourceRoot = resolve(sourceRoot);
+    const resolvedFilePath = filePath.startsWith('/')
+      ? resolve(filePath)
+      : resolve(resolvedSourceRoot, filePath);
+
+    // Only add the note if the file was actually outside the source root
+    if (resolvedFilePath !== resolvedSourceRoot) {
+      finalMessage = `${message}\n\n**Note**: The file \`${filePath}\` is located outside the scanned source directory and cannot be linked directly in this diagnostic. This diagnostic is associated with the repository root instead.`;
+    }
+  }
+
   try {
     execFileSync(codeqlExePath, [
       'database',
@@ -88,7 +103,7 @@ function addDiagnostic(
       `--source-id=${sourceId}`,
       `--source-name=${sourceName}`,
       `--severity=${severity}`,
-      `--markdown-message=${message}`,
+      `--markdown-message=${finalMessage}`,
       `--file-path=${finalFilePath}`,
       '--',
       `${process.env.CODEQL_EXTRACTOR_CDS_WIP_DATABASE ?? ''}`,

extractors/cds/tools/dist/cds-extractor.bundle.js.map

@@ -77,6 +77,13 @@ describe('diagnostics', () => {
 
         expect(result).toBe(true);
         expectRelativePathInCall(`app${sep}models${sep}schema.cds`);
+        // Should NOT include explanatory note for files inside source root
+        expect(childProcess.execFileSync).toHaveBeenCalledWith(
+          expect.any(String),
+          expect.arrayContaining([
+            expect.stringMatching(/--markdown-message=Syntax error in CDS file$/),
+          ]),
+        );
         restoreMockEnvironment(originalEnv);
       });
 
@@ -116,6 +123,15 @@ describe('diagnostics', () => {
         expect(result).toBe(true);
         // Should point to source root '.' when file is outside source root
         expectRelativePathInCall('.');
+        // Should include explanatory note in the message
+        expect(childProcess.execFileSync).toHaveBeenCalledWith(
+          expect.any(String),
+          expect.arrayContaining([
+            expect.stringMatching(
+              /--markdown-message=.*\*\*Note\*\*.*located outside the scanned source directory/s,
+            ),
+          ]),
+        );
         restoreMockEnvironment(originalEnv);
       });
 
@@ -155,6 +171,15 @@ describe('diagnostics', () => {
         expect(result).toBe(true);
         // Should point to source root '.' when path tries to escape source root
         expectRelativePathInCall('.');
+        // Should include explanatory note in the message
+        expect(childProcess.execFileSync).toHaveBeenCalledWith(
+          expect.any(String),
+          expect.arrayContaining([
+            expect.stringMatching(
+              /--markdown-message=.*\*\*Note\*\*.*located outside the scanned source directory/s,
+            ),
+          ]),
+        );
         restoreMockEnvironment(originalEnv);
       });
 
@@ -176,6 +201,15 @@ describe('diagnostics', () => {
         expect(result).toBe(true);
         // Should point to source root '.' when resolved path is outside source root
         expectRelativePathInCall('.');
+        // Should include explanatory note in the message
+        expect(childProcess.execFileSync).toHaveBeenCalledWith(
+          expect.any(String),
+          expect.arrayContaining([
+            expect.stringMatching(
+              /--markdown-message=.*\*\*Note\*\*.*located outside the scanned source directory/s,
+            ),
+          ]),
+        );
         restoreMockEnvironment(originalEnv);
       });
     });