filter out potential misparses from rb/suspicious-regexp-range

ruby/ql/src/queries/security/cwe-020/SuspiciousRegexpRange.ql

@@ -13,6 +13,16 @@
 
 import codeql.ruby.security.SuspiciousRegexpRangeQuery
 
+RegExpCharacterClass potentialMisparsedCharClass() {
+  // some escapes, e.g. [\000-\037] are currently misparsed.
+  result.getAChild().(RegExpNormalChar).getValue() = "\\"
+  or
+  // nested char classes are currently misparsed
+  result.getAChild().(RegExpNormalChar).getValue() = "["
+}
+
 from RegExpCharacterRange range, string reason
-where problem(range, reason)
+where
+  problem(range, reason) and
+  not range.getParent() = potentialMisparsedCharClass()
 select range, "Suspicious character range that " + reason + "."

ruby/ql/test/query-tests/security/cwe-020/SuspiciousRegexpRange/suspicous_regexp_range.rb

@@ -8,9 +8,9 @@ isAscii = /^[\x00-\x7F]*$/ # OK
 
 printable = /[!-~]/ # OK - used to select most printable ASCII characters
 
-codePoints = /[^\x21-\x7E]|[[\](){}<>/%]/g # OK
+codePoints = /[^\x21-\x7E]|[\[\](){}<>\/%]/ # OK
 
-NON_ALPHANUMERIC_REGEXP = /([^\#-~| |!])/g # OK
+NON_ALPHANUMERIC_REGEXP = /([^\#-~| |!])/ # OK
 
 smallOverlap = /[0-9a-fA-f]/ # NOT OK
 
@@ -25,3 +25,7 @@ numberToLetter = /[7-F]/ # NOT OK
 overlapsWithClass1 = /[0-9\d]/ # NOT OK
 
 overlapsWithClass2 = /[\w,.-?:*+]/ # NOT OK
+
+escapes = /[\000-\037\047\134\177-\377]/n # OK - they are escapes
+
+nested = /[a-z&&[^a-c]]/ # OK