JS: add test cases with RegExp object for MaskingReplacer, currently gives wrong results

2026-04-25 00:35:20 +02:00 · 2024-11-27 14:42:23 +01:00
parent c71778f1aa
commit 1ca57cfb9d
2 changed files with 35 additions and 1 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected
@@ -139,6 +139,18 @@ nodes
 | passwords.js:176:17:176:26 | myPasscode |
 | passwords.js:176:17:176:26 | myPasscode |
 | passwords.js:176:17:176:26 | myPasscode |
+| passwords.js:181:14:181:21 | password |
+| passwords.js:181:14:181:21 | password |
+| passwords.js:181:14:181:56 | passwor ... ), "*") |
+| passwords.js:181:14:181:56 | passwor ... ), "*") |
+| passwords.js:182:14:182:21 | password |
+| passwords.js:182:14:182:21 | password |
+| passwords.js:182:14:182:51 | passwor ... ), "*") |
+| passwords.js:182:14:182:51 | passwor ... ), "*") |
+| passwords.js:183:14:183:21 | password |
+| passwords.js:183:14:183:21 | password |
+| passwords.js:183:14:183:67 | passwor ... ), "*") |
+| passwords.js:183:14:183:67 | passwor ... ), "*") |
 | passwords_in_browser1.js:2:13:2:20 | password |
 | passwords_in_browser1.js:2:13:2:20 | password |
 | passwords_in_browser1.js:2:13:2:20 | password |
@@ -285,6 +297,18 @@ edges
 | passwords.js:170:11:170:18 | password | passwords.js:170:11:170:39 | passwor ... g, "*") |
 | passwords.js:173:17:173:26 | myPassword | passwords.js:173:17:173:26 | myPassword |
 | passwords.js:176:17:176:26 | myPasscode | passwords.js:176:17:176:26 | myPasscode |
+| passwords.js:181:14:181:21 | password | passwords.js:181:14:181:56 | passwor ... ), "*") |
+| passwords.js:181:14:181:21 | password | passwords.js:181:14:181:56 | passwor ... ), "*") |
+| passwords.js:181:14:181:21 | password | passwords.js:181:14:181:56 | passwor ... ), "*") |
+| passwords.js:181:14:181:21 | password | passwords.js:181:14:181:56 | passwor ... ), "*") |
+| passwords.js:182:14:182:21 | password | passwords.js:182:14:182:51 | passwor ... ), "*") |
+| passwords.js:182:14:182:21 | password | passwords.js:182:14:182:51 | passwor ... ), "*") |
+| passwords.js:182:14:182:21 | password | passwords.js:182:14:182:51 | passwor ... ), "*") |
+| passwords.js:182:14:182:21 | password | passwords.js:182:14:182:51 | passwor ... ), "*") |
+| passwords.js:183:14:183:21 | password | passwords.js:183:14:183:67 | passwor ... ), "*") |
+| passwords.js:183:14:183:21 | password | passwords.js:183:14:183:67 | passwor ... ), "*") |
+| passwords.js:183:14:183:21 | password | passwords.js:183:14:183:67 | passwor ... ), "*") |
+| passwords.js:183:14:183:21 | password | passwords.js:183:14:183:67 | passwor ... ), "*") |
 | passwords_in_browser1.js:2:13:2:20 | password | passwords_in_browser1.js:2:13:2:20 | password |
 | passwords_in_browser2.js:2:13:2:20 | password | passwords_in_browser2.js:2:13:2:20 | password |
 | passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password |
@@ -332,6 +356,9 @@ edges
 | passwords.js:170:11:170:39 | passwor ... g, "*") | passwords.js:170:11:170:18 | password | passwords.js:170:11:170:39 | passwor ... g, "*") | This logs sensitive data returned by $@ as clear text. | passwords.js:170:11:170:18 | password | an access to password |
 | passwords.js:173:17:173:26 | myPassword | passwords.js:173:17:173:26 | myPassword | passwords.js:173:17:173:26 | myPassword | This logs sensitive data returned by $@ as clear text. | passwords.js:173:17:173:26 | myPassword | an access to myPassword |
 | passwords.js:176:17:176:26 | myPasscode | passwords.js:176:17:176:26 | myPasscode | passwords.js:176:17:176:26 | myPasscode | This logs sensitive data returned by $@ as clear text. | passwords.js:176:17:176:26 | myPasscode | an access to myPasscode |
+| passwords.js:181:14:181:56 | passwor ... ), "*") | passwords.js:181:14:181:21 | password | passwords.js:181:14:181:56 | passwor ... ), "*") | This logs sensitive data returned by $@ as clear text. | passwords.js:181:14:181:21 | password | an access to password |
+| passwords.js:182:14:182:51 | passwor ... ), "*") | passwords.js:182:14:182:21 | password | passwords.js:182:14:182:51 | passwor ... ), "*") | This logs sensitive data returned by $@ as clear text. | passwords.js:182:14:182:21 | password | an access to password |
+| passwords.js:183:14:183:67 | passwor ... ), "*") | passwords.js:183:14:183:21 | password | passwords.js:183:14:183:67 | passwor ... ), "*") | This logs sensitive data returned by $@ as clear text. | passwords.js:183:14:183:21 | password | an access to password |
 | passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password | This logs sensitive data returned by $@ as clear text. | passwords_in_server_1.js:6:13:6:20 | password | an access to password |
 | passwords_in_server_2.js:3:13:3:20 | password | passwords_in_server_2.js:3:13:3:20 | password | passwords_in_server_2.js:3:13:3:20 | password | This logs sensitive data returned by $@ as clear text. | passwords_in_server_2.js:3:13:3:20 | password | an access to password |
 | passwords_in_server_3.js:2:13:2:20 | password | passwords_in_server_3.js:2:13:2:20 | password | passwords_in_server_3.js:2:13:2:20 | password | This logs sensitive data returned by $@ as clear text. | passwords_in_server_3.js:2:13:2:20 | password | an access to password |
--- a/javascript/ql/test/query-tests/Security/CWE-312/passwords.js
+++ b/javascript/ql/test/query-tests/Security/CWE-312/passwords.js
@@ -174,4 +174,11 @@ const debug = require('debug')('test');

    const myPasscode = foo();
    console.log(myPasscode); // NOT OK
-});
+});
+
+(function () {
+    console.log(password.replace(/./g, "*")); // OK
+	console.log(password.replace(new RegExp(".", "g"), "*")); // OK -- Currently flagged, though it shouldn't be
+	console.log(password.replace(new RegExp("."), "*")); // NOT OK
+	console.log(password.replace(new RegExp(".", unknownFlags()), "*")); // OK -- Currently flagged, though maybe it should not be.
+})();