JS: Fix a FP

Asger F
2019-10-29 09:42:29 +00:00
parent 8c5b9b9195
commit 153d34638b
2 changed files with 7 additions and 7 deletions


@@ -37,14 +37,15 @@ predicate isLikelyCaptureGroup(RegExpGroup group) {
}
/**
* Holds if `seq` contains two consecutive wildcards `..`.
* Holds if `seq` contains two consecutive dots `..` or escaped dots.
*
* Such wildcards are clearly not intended to be subdomain separators.
* At least one of these dots is not intended to be a subdomain separator,
* so we avoid flagging the pattenr in this case.
*/
predicate hasConsecutiveWildcards(RegExpSequence seq) {
predicate hasConsecutiveDots(RegExpSequence seq) {
exists(int i |
seq.getChild(i) instanceof RegExpDot and
seq.getChild(i + 1) instanceof RegExpDot
isDotLike(seq.getChild(i)) and
isDotLike(seq.getChild(i + 1))
)
}
@@ -56,7 +57,7 @@ predicate isIncompleteHostNameRegExpPattern(RegExpTerm regexp, RegExpSequence se
not isLikelyCaptureGroup(seq.getChild([i .. seq.getNumChild() - 1]).getAChild*()) and
unescapedDot = seq.getChild([0 .. i - 1]).getAChild*() and
unescapedDot != seq.getChild(i - 1) and // Should not be the '.' immediately before the TLD
not hasConsecutiveWildcards(unescapedDot.getParent()) and
not hasConsecutiveDots(unescapedDot.getParent()) and
hostname = seq.getChild(i - 2).getRawValue() + seq.getChild(i - 1).getRawValue() + seq.getChild(i).getRawValue()
|
if unescapedDot.getParent() instanceof RegExpQuantifier then (
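Review bot: `hasConsecutiveDots(unescapedDot.getParent())` holds when any adjacent pair of dot-like children exists anywhere in the parent sequence, not only a pair that includes `unescapedDot`. Now that escaped dots count as well, a pair such as `.\.` later in the pattern (for instance in the path part) would presumably also suppress the alert for an unrelated unescaped dot in the hostname, which turns the false-positive fix into a possible false negative. Consider passing the dot into the predicate and requiring `dot = seq.getChild([i .. i + 1])` inside the `exists`, with a test line that has an unescaped hostname dot plus a dot pair elsewhere. `isDotLike` is defined outside the hunk, so the doc comment should state which terms it accepts rather than "dots `..` or escaped dots"; the new comment also contains the typo `pattenr`. The body of `isIncompleteHostNameRegExpPattern` starts and ends outside the second hunk.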


@@ -22,5 +22,4 @@
| tst-IncompleteHostnameRegExp.js:44:64:44:79 | .+.example-b.com | This regular expression has an unescaped '.' before 'example-b.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:44:9:44:101 | '^proto ... ernal)' | here |
| tst-IncompleteHostnameRegExp.js:48:42:48:68 | ^https?://.+.example\\.com/ | This string, which is used as a regular expression $@, has an unescaped '.' before 'example\\.com/', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:48:13:48:69 | '^http: ... \\.com/' | here |
| tst-IncompleteHostnameRegExp.js:48:42:48:68 | ^https?://.+.example\\.com/ | This string, which is used as a regular expression $@, has an unrestricted wildcard '.+' which may cause 'example\\.com/' to be matched anywhere in the URL, outside the hostname. | tst-IncompleteHostnameRegExp.js:48:13:48:69 | '^http: ... \\.com/' | here |
| tst-IncompleteHostnameRegExp.js:58:3:58:40 | ^http:\\/\\/.\\.example\\.com\\/index\\.html | This regular expression has an unescaped '.' before 'example\\.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:58:2:58:41 | /^http: ... \\.html/ | here |
| tst-IncompleteHostnameRegExp.js:59:5:59:20 | foo.example\\.com | This regular expression has an unescaped '.' before 'example\\.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:59:2:59:32 | /^(foo. ... ever)$/ | here |