hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 10:45:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Update for rename of ReDoSUtil to NfaUtils

Browse Source
This commit is contained in:
Harry Maclean
2022-08-17 16:02:18 +12:00
parent f1a546c4d6
commit 1f4dad4167
4 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
javascript/ql/lib/semmle/javascript/security/IncompleteMultiCharacterSanitizationQuery.qll
View File

@@ -36,8 +36,8 @@ private DangerousPrefixSubstring getADangerousMatchedChar(EmptyReplaceRegExpTerm
result = t.getAMatchedString()
or
// A substring matched by some character class. This is only used to match the "word" part of a HTML tag (e.g. "iframe" in "<iframe").
exists(ReDoSUtil::CharacterClass cc |
cc = ReDoSUtil::getCanonicalCharClass(t) and
exists(NfaUtils::CharacterClass cc |
cc = NfaUtils::getCanonicalCharClass(t) and
cc.matches(result) and
result.regexpMatch("\\w") and
// excluding character classes that match ">" (e.g. /<[^<]*>/), as these might consume nested HTML tags, and thus prevent the dangerous pattern this query is looking for.

2
javascript/ql/lib/semmle/javascript/security/IncompleteMultiCharacterSanitizationSpecific.qll
View File

@@ -3,7 +3,7 @@
*/
import javascript
import semmle.javascript.security.performance.ReDoSUtil as ReDoSUtil
import semmle.javascript.security.regexp.NfaUtils as NfaUtils
class StringSubstitutionCall = StringReplaceCall;