Merge pull request #19854 from Napalys/js/sinon

JS: Explicitly Mark `Sinon` Package as Non RegExp
2025-12-17 01:03:14 +01:00 · 2025-06-24 10:24:13 +02:00
parent e8a08a6b96 33f42444d5
commit 2218a981f6
4 changed files with 16 additions and 0 deletions
--- a/javascript/ql/lib/change-notes/2025-06-20-sinon.md
+++ b/javascript/ql/lib/change-notes/2025-06-20-sinon.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Calls to `sinon.match()` are no longer incorrectly identified as regular expression operations.
--- a/javascript/ql/lib/semmle/javascript/Regexp.qll
+++ b/javascript/ql/lib/semmle/javascript/Regexp.qll
@@ -998,6 +998,8 @@ private predicate isUsedAsNonMatchObject(DataFlow::MethodCallNode call) {
    or
    // Result is obviously unused
    call.asExpr() = any(ExprStmt stmt).getExpr()
+    or
+    call = API::moduleImport("sinon").getMember("match").getACall()
  )
 }

--- a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp/tst-IncompleteHostnameRegExp.js
+++ b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp/tst-IncompleteHostnameRegExp.js
@@ -60,4 +60,8 @@
 	/^(foo.example\.com|whatever)$/; // $ Alert (but kinda OK - one disjunction doesn't even look like a hostname)

 	if (s.matchAll("^http://test.example.com")) {} // $ Alert
+
+	const sinon = require('sinon');
+	const megacliteUrl = "https://a.b.com";
+	sinon.assert.calledWith(postStub.firstCall, sinon.match(megacliteUrl));
 });
--- a/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/tst.js
@@ -0,0 +1,6 @@
+const sinon = require('sinon');
+
+function testFunction() {
+  const megacliteUrl = "https://a.b.com";
+	sinon.assert.calledWith(postStub.firstCall, sinon.match(megacliteUrl));
+}