From 3e6a96d21b51a2ea03792df78430accc57f11252 Mon Sep 17 00:00:00 2001
From: Sauyon Lee <sauyon@github.com>
Date: Wed, 19 Feb 2020 13:04:16 -0800
Subject: [PATCH] IncompleteHostnameRegexp: Use a reluctant regexp

This should help make results more comprehensible by including the
maximal string after an unescaped dot.
---
 ql/src/Security/CWE-020/IncompleteHostnameRegexp.ql          | 5 +++--
 .../IncompleteHostnameRegexp.expected                        | 4 ++--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/ql/src/Security/CWE-020/IncompleteHostnameRegexp.ql b/ql/src/Security/CWE-020/IncompleteHostnameRegexp.ql
index a9109e6a5ca..8aa7dae4c27 100644
--- a/ql/src/Security/CWE-020/IncompleteHostnameRegexp.ql
+++ b/ql/src/Security/CWE-020/IncompleteHostnameRegexp.ql
@@ -20,8 +20,9 @@ import DataFlow::PathGraph
  */
 bindingset[pattern]
 predicate isIncompleteHostNameRegexpPattern(string pattern, string hostPart) {
-  hostPart = pattern
-        .regexpCapture("(?i).*" +
+  hostPart =
+    pattern
+        .regexpCapture("(?i).*?" +
             // an unescaped single `.`
             "(?<!\\\\)[.]" +
             // immediately followed by a sequence of subdomains, perhaps with some regex characters mixed in,
diff --git a/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegexp/IncompleteHostnameRegexp.expected b/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegexp/IncompleteHostnameRegexp.expected
index c0bdf6b96d1..73231e52340 100644
--- a/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegexp/IncompleteHostnameRegexp.expected
+++ b/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegexp/IncompleteHostnameRegexp.expected
@@ -5,5 +5,5 @@ nodes
 | IncompleteHostnameRegexp.go:12:38:12:39 | re | semmle.label | re |
 | main.go:12:15:12:39 | `https://www.example.com` | semmle.label | `https://www.example.com` |
 #select
-| IncompleteHostnameRegexp.go:11:8:11:36 | "^((www\|beta).)?example.com/" : string | IncompleteHostnameRegexp.go:11:8:11:36 | "^((www\|beta).)?example.com/" : string | IncompleteHostnameRegexp.go:12:38:12:39 | re | This regular expression has an unescaped dot before 'com', so it might match more hosts than expected when used $@. | IncompleteHostnameRegexp.go:12:38:12:39 | re | here |
-| main.go:12:15:12:39 | `https://www.example.com` | main.go:12:15:12:39 | `https://www.example.com` | main.go:12:15:12:39 | `https://www.example.com` | This regular expression has an unescaped dot before 'com', so it might match more hosts than expected when used $@. | main.go:12:15:12:39 | `https://www.example.com` | here |
+| IncompleteHostnameRegexp.go:11:8:11:36 | "^((www\|beta).)?example.com/" : string | IncompleteHostnameRegexp.go:11:8:11:36 | "^((www\|beta).)?example.com/" : string | IncompleteHostnameRegexp.go:12:38:12:39 | re | This regular expression has an unescaped dot before ')?example.com', so it might match more hosts than expected when used $@. | IncompleteHostnameRegexp.go:12:38:12:39 | re | here |
+| main.go:12:15:12:39 | `https://www.example.com` | main.go:12:15:12:39 | `https://www.example.com` | main.go:12:15:12:39 | `https://www.example.com` | This regular expression has an unescaped dot before 'example.com', so it might match more hosts than expected when used $@. | main.go:12:15:12:39 | `https://www.example.com` | here |