hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 17:25:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: now Reg Exp injection treats unknownFlags as sanitization, MetacharEscapeSanitizer

Browse Source
This commit is contained in:
Napalys
2024-11-27 17:30:53 +01:00
parent 62194f5337
commit 1d2e08a3b6
3 changed files with 2 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
javascript/ql/lib/semmle/javascript/security/dataflow/RegExpInjectionCustomizations.qll
View File

@@ -76,7 +76,7 @@ module RegExpInjection {
*/
class MetacharEscapeSanitizer extends Sanitizer, StringReplaceCall {
MetacharEscapeSanitizer() {
this.isGlobal() and
this.maybeGlobal() and
(
RegExp::alwaysMatchesMetaCharacter(this.getRegExp().getRoot(), ["{", "[", "+"])
or

11
javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.expected
View File

@@ -72,11 +72,6 @@ nodes
| RegExpInjection.js:99:19:99:106 | input.r ... "\\\\$&") |
| RegExpInjection.js:100:14:100:22 | sanitized |
| RegExpInjection.js:100:14:100:22 | sanitized |
| RegExpInjection.js:105:7:105:122 | sanitized |
| RegExpInjection.js:105:19:105:23 | input |
| RegExpInjection.js:105:19:105:122 | input.r ... "\\\\$&") |
| RegExpInjection.js:106:14:106:22 | sanitized |
| RegExpInjection.js:106:14:106:22 | sanitized |
| tst.js:5:9:5:29 | data |
| tst.js:5:16:5:29 | req.query.data |
| tst.js:5:16:5:29 | req.query.data |
@@ -147,17 +142,12 @@ edges
| RegExpInjection.js:93:20:93:34 | process.argv[1] | RegExpInjection.js:93:16:93:49 | `^${pro ... r.app$` |
| RegExpInjection.js:93:20:93:34 | process.argv[1] | RegExpInjection.js:93:16:93:49 | `^${pro ... r.app$` |
| RegExpInjection.js:97:7:97:32 | input | RegExpInjection.js:99:19:99:23 | input |
| RegExpInjection.js:97:7:97:32 | input | RegExpInjection.js:105:19:105:23 | input |
| RegExpInjection.js:97:15:97:32 | req.param("input") | RegExpInjection.js:97:7:97:32 | input |
| RegExpInjection.js:97:15:97:32 | req.param("input") | RegExpInjection.js:97:7:97:32 | input |
| RegExpInjection.js:99:7:99:106 | sanitized | RegExpInjection.js:100:14:100:22 | sanitized |
| RegExpInjection.js:99:7:99:106 | sanitized | RegExpInjection.js:100:14:100:22 | sanitized |
| RegExpInjection.js:99:19:99:23 | input | RegExpInjection.js:99:19:99:106 | input.r ... "\\\\$&") |
| RegExpInjection.js:99:19:99:106 | input.r ... "\\\\$&") | RegExpInjection.js:99:7:99:106 | sanitized |
| RegExpInjection.js:105:7:105:122 | sanitized | RegExpInjection.js:106:14:106:22 | sanitized |
| RegExpInjection.js:105:7:105:122 | sanitized | RegExpInjection.js:106:14:106:22 | sanitized |
| RegExpInjection.js:105:19:105:23 | input | RegExpInjection.js:105:19:105:122 | input.r ... "\\\\$&") |
| RegExpInjection.js:105:19:105:122 | input.r ... "\\\\$&") | RegExpInjection.js:105:7:105:122 | sanitized |
| tst.js:5:9:5:29 | data | tst.js:6:21:6:24 | data |
| tst.js:5:16:5:29 | req.query.data | tst.js:5:9:5:29 | data |
| tst.js:5:16:5:29 | req.query.data | tst.js:5:9:5:29 | data |
@@ -183,5 +173,4 @@ edges
| RegExpInjection.js:91:16:91:50 | `^${pro ... r.app$` | RegExpInjection.js:91:20:91:30 | process.env | RegExpInjection.js:91:16:91:50 | `^${pro ... r.app$` | This regular expression is constructed from a $@. | RegExpInjection.js:91:20:91:30 | process.env | environment variable |
| RegExpInjection.js:93:16:93:49 | `^${pro ... r.app$` | RegExpInjection.js:93:20:93:31 | process.argv | RegExpInjection.js:93:16:93:49 | `^${pro ... r.app$` | This regular expression is constructed from a $@. | RegExpInjection.js:93:20:93:31 | process.argv | command-line argument |
| RegExpInjection.js:100:14:100:22 | sanitized | RegExpInjection.js:97:15:97:32 | req.param("input") | RegExpInjection.js:100:14:100:22 | sanitized | This regular expression is constructed from a $@. | RegExpInjection.js:97:15:97:32 | req.param("input") | user-provided value |
| RegExpInjection.js:106:14:106:22 | sanitized | RegExpInjection.js:97:15:97:32 | req.param("input") | RegExpInjection.js:106:14:106:22 | sanitized | This regular expression is constructed from a $@. | RegExpInjection.js:97:15:97:32 | req.param("input") | user-provided value |
| tst.js:6:16:6:35 | "^"+ data.name + "$" | tst.js:5:16:5:29 | req.query.data | tst.js:6:16:6:35 | "^"+ data.name + "$" | This regular expression is constructed from a $@. | tst.js:5:16:5:29 | req.query.data | user-provided value |

2
javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.js
View File

@@ -103,5 +103,5 @@ app.get("argv", function(req, res) {
new RegExp(sanitized); // OK
var sanitized = input.replace(new RegExp("[\\-\\[\\]\\/\\{\\}\\(\\)\\*\\+\\?\\.\\\\\\^\\$\\|]", unknownFlags()), "\\$&");
new RegExp(sanitized); // OK -- Currently flagged, but most likely should not be.
new RegExp(sanitized); // OK -- Most likely not a problem.
});