Merge pull request #243 from sauyon/incomplete-hostname-fix

IncompleteHostnameRegexp: Use a reluctant regexp
2026-01-29 14:23:03 +01:00 · 2020-02-20 20:33:56 +00:00
parent b851fe0c05 3e6a96d21b
commit 044def4e1f
2 changed files with 5 additions and 4 deletions
--- a/ql/src/Security/CWE-020/IncompleteHostnameRegexp.ql
+++ b/ql/src/Security/CWE-020/IncompleteHostnameRegexp.ql
@@ -20,8 +20,9 @@ import DataFlow::PathGraph
 */
 bindingset[pattern]
 predicate isIncompleteHostNameRegexpPattern(string pattern, string hostPart) {
-  hostPart = pattern
-        .regexpCapture("(?i).*" +
+  hostPart =
+    pattern
+        .regexpCapture("(?i).*?" +
            // an unescaped single `.`
            "(?<!\\\\)[.]" +
            // immediately followed by a sequence of subdomains, perhaps with some regex characters mixed in,
--- a/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegexp/IncompleteHostnameRegexp.expected
+++ b/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegexp/IncompleteHostnameRegexp.expected
@@ -5,5 +5,5 @@ nodes
 | IncompleteHostnameRegexp.go:12:38:12:39 | re | semmle.label | re |
 | main.go:12:15:12:39 | `https://www.example.com` | semmle.label | `https://www.example.com` |
 #select
-| IncompleteHostnameRegexp.go:11:8:11:36 | "^((www\|beta).)?example.com/" : string | IncompleteHostnameRegexp.go:11:8:11:36 | "^((www\|beta).)?example.com/" : string | IncompleteHostnameRegexp.go:12:38:12:39 | re | This regular expression has an unescaped dot before 'com', so it might match more hosts than expected when used $@. | IncompleteHostnameRegexp.go:12:38:12:39 | re | here |
-| main.go:12:15:12:39 | `https://www.example.com` | main.go:12:15:12:39 | `https://www.example.com` | main.go:12:15:12:39 | `https://www.example.com` | This regular expression has an unescaped dot before 'com', so it might match more hosts than expected when used $@. | main.go:12:15:12:39 | `https://www.example.com` | here |
+| IncompleteHostnameRegexp.go:11:8:11:36 | "^((www\|beta).)?example.com/" : string | IncompleteHostnameRegexp.go:11:8:11:36 | "^((www\|beta).)?example.com/" : string | IncompleteHostnameRegexp.go:12:38:12:39 | re | This regular expression has an unescaped dot before ')?example.com', so it might match more hosts than expected when used $@. | IncompleteHostnameRegexp.go:12:38:12:39 | re | here |
+| main.go:12:15:12:39 | `https://www.example.com` | main.go:12:15:12:39 | `https://www.example.com` | main.go:12:15:12:39 | `https://www.example.com` | This regular expression has an unescaped dot before 'example.com', so it might match more hosts than expected when used $@. | main.go:12:15:12:39 | `https://www.example.com` | here |