JS: Add test for taint propagating into RegExp.$1

This commit is contained in:
Asger Feldthaus
2020-06-24 15:49:23 +01:00
parent 3aefb7fad9
commit 17af8f7650


@@ -0,0 +1,45 @@
function test(x) {
let taint = source();
if (/Hello (.*)/.exec(taint)) {
sink(RegExp.$1); // NOT OK
}
if (/Foo (.*)/.exec(x)) {
sink(RegExp.$1); // OK
} else {
sink(RegExp.$1); // NOT OK - previous capture group remains
}
if (/Hello ([a-zA-Z]+)/.exec(taint)) {
sink(RegExp.$1); // OK - capture group is sanitized
} else {
sink(RegExp.$1); // NOT OK - original capture group possibly remains
}
if (/Hello (.*)/.exec(taint) && something()) {
sink(RegExp.$1); // NOT OK
}
if (something() && /Hello (.*)/.exec(taint)) {
sink(RegExp.$1); // NOT OK
}
if (/First (.*)/.exec(taint) || /Second (.*)/.exec(taint)) {
sink(RegExp.$1); // NOT OK
}
}
function test2(x) {
var taint = source();
if (something()) {
if (/Hello (.*)/.exec(taint)) {
something();
}
}
sink(RegExp.$1); // NOT OK
}
function replaceCallback() {
return source().replace(/(\w+)/, () => {
sink(RegExp.$1); // NOT OK
});
}
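Review bot: Every case in this file populates the legacy `RegExp.$1` static through `exec` (and once through `replace`), so it does not show whether the propagation step is keyed on the regex operation in general or on `exec` specifically; `RegExp.prototype.test` and `String.prototype.match` update the same legacy statics, so a case like `if (/Hello (.*)/.test(taint)) { sink(RegExp.$1); // NOT OK }` would pin that down. For the same reason `replaceCallback` could also sink `RegExp.$1` after the `replace` call returns, since the static keeps the last match beyond the callback. A one-line header comment naming the feature under test, e.g. `// Taint flows from a regex match into the legacy RegExp.$1 static (Annex B), which is shared global state.`, would help readers who are not familiar with why `sink(RegExp.$1)` in an `else` branch is flagged.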