remove regular expression that did nothing

2026-04-30 03:05:15 +02:00 · 2023-01-23 16:38:09 +01:00
parent 79e161e046
commit 11894144aa
1 changed files with 1 additions and 3 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll
@@ -92,9 +92,7 @@ module UnsafeShellCommandConstruction {
    StringConcatEndingInCommandExecutionSink() {
      this = root.getALeaf() and
      root = isExecutedAsShellCommand(DataFlow::TypeBackTracker::end(), sys) and
-      exists(string prev | prev = this.getPreviousLeaf().getStringValue() |
-        prev.regexpMatch(".*\\s*('|\")?[0-9a-zA-Z/:_-]*")
-      )
+      exists(this.getPreviousLeaf().getStringValue()) // looks like a shell command construction that could be done safer, it has a known prefix
    }

    override string getSinkType() { result = "string concatenation" }