JavaScript: Deal with escape-unescape-escape (and similar) chains.

2025-12-20 10:46:30 +01:00 · 2019-10-30 14:49:01 +00:00
parent cb54618a5d
commit 0edb70f373
2 changed files with 10 additions and 2 deletions
--- a/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
+++ b/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
@@ -128,7 +128,9 @@ abstract class Replacement extends DataFlow::Node {
    exists(Replacement pred | pred = this.getPreviousReplacement() |
      if pred.escapes(_, metachar)
      then result = pred
-      else result = pred.getAnEarlierEscaping(metachar)
+      else (
+        not pred.unescapes(metachar, _) and result = pred.getAnEarlierEscaping(metachar)
+      )
    )
  }

@@ -140,7 +142,9 @@ abstract class Replacement extends DataFlow::Node {
    exists(Replacement succ | this = succ.getPreviousReplacement() |
      if succ.unescapes(metachar, _)
      then result = succ
-      else result = succ.getALaterUnescaping(metachar)
+      else (
+        not succ.escapes(_, metachar) and result = succ.getALaterUnescaping(metachar)
+      )
    )
  }
 }
--- a/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js
@@ -90,3 +90,7 @@ function testWithCapturedVar(x) {
    captured = captured.replace(/\\/g, "\\\\");
  })();
 }
+
+function encodeDecodeEncode(s) {
+ return goodEncode(goodDecode(goodEncode(s)));
+}