hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 03:06:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

JavaScript: Deal with escape-unescape-escape (and similar) chains.

Browse Source
This commit is contained in:
Max Schaefer
2019-10-30 14:49:01 +00:00
parent cb54618a5d
commit 0edb70f373
2 changed files with 10 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
View File

@@ -128,7 +128,9 @@ abstract class Replacement extends DataFlow::Node {
exists(Replacement pred | pred = this.getPreviousReplacement() | exists(Replacement pred | pred = this.getPreviousReplacement() |
if pred.escapes(_, metachar) if pred.escapes(_, metachar)
then result = pred then result = pred
else result = pred.getAnEarlierEscaping(metachar) else (
not pred.unescapes(metachar, _) and result = pred.getAnEarlierEscaping(metachar)
)
) )
} }
@@ -140,7 +142,9 @@ abstract class Replacement extends DataFlow::Node {
exists(Replacement succ | this = succ.getPreviousReplacement() | exists(Replacement succ | this = succ.getPreviousReplacement() |
if succ.unescapes(metachar, _) if succ.unescapes(metachar, _)
then result = succ then result = succ
else result = succ.getALaterUnescaping(metachar) else (
not succ.escapes(_, metachar) and result = succ.getALaterUnescaping(metachar)
)
) )
} }
} }

4
javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js
View File

@@ -90,3 +90,7 @@ function testWithCapturedVar(x) {
captured = captured.replace(/\\/g, "\\\\"); captured = captured.replace(/\\/g, "\\\\");
})(); })();
} }
function encodeDecodeEncode(s) {
return goodEncode(goodDecode(goodEncode(s)));
}