Fixes for test db extraction on windows

Author: data-douser

client/src/lib/integration-test-runner.js

@@ -739,10 +739,11 @@ export class IntegrationTestRunner {
             if (!fs.existsSync(absoluteDbPath) && dbPath.endsWith(".testproj")) {
               // For paths like "test/ExpressSqlInjection/ExpressSqlInjection.testproj",
               // the test source directory is "test/ExpressSqlInjection"
-              const parts = dbPath.split(path.sep);
+              // Always split on "/" because fixture paths use forward slashes regardless of OS.
+              const parts = dbPath.split("/");
               const lastPart = parts[parts.length - 1];
               const testName = lastPart.replace(".testproj", "");
-              const parentDir = parts.slice(0, -1).join(path.sep);
+              const parentDir = parts.slice(0, -1).join("/");
 
               // Check if the parent directory name matches the test name
               const parentDirName = parts[parts.length - 2];
@@ -788,10 +789,22 @@ export class IntegrationTestRunner {
       // Clean up stale interpretedOutput from prior test runs so that
       // directory comparisons only see output from this invocation.
       if (toolName === "codeql_query_run" && params.interpretedOutput) {
-        try {
-          fs.rmSync(params.interpretedOutput, { recursive: true, force: true });
-        } catch {
-          // Ignore — path may not exist yet
+        const outputPath = String(params.interpretedOutput);
+        const normalizedOutput = path.normalize(outputPath);
+        // Safety: reject absolute paths and directory traversals to prevent
+        // accidental deletion of files outside the working directory (CWE-22).
+        if (
+          path.isAbsolute(normalizedOutput) ||
+          normalizedOutput.startsWith("..") ||
+          normalizedOutput.includes(`${path.sep}..`)
+        ) {
+          this.logger.log(`  Skipping interpretedOutput cleanup: unsafe path "${outputPath}"`);
+        } else {
+          try {
+            fs.rmSync(outputPath, { recursive: true, force: true });
+          } catch {
+            // Ignore — path may not exist yet
+          }
         }
       }
 

server/scripts/extract-test-databases.sh

@@ -11,9 +11,10 @@ Usage: $0 [OPTIONS]
 
 Extract test databases for CodeQL queries associated with the MCP server.
 
-By default, only databases needed by client integration tests are extracted
-(currently: javascript/examples only). Query unit tests (codeql test run)
-auto-extract their own databases, so full extraction is rarely needed.
+By default, only a minimal set of databases for client integration tests is
+pre-extracted (currently: javascript/examples only). This is not an
+exhaustive list of databases the integration test suite may use; additional
+databases may be extracted on demand, so full extraction is rarely needed.
 
 OPTIONS:
     --scope <scope>    Extract databases for a specific use case