JS: fixed bad alert messages when it came to incomplete sanitization for new RegExp objects

Napalys
2024-11-29 11:05:31 +01:00
parent 13afd6310b
commit 3171f38cdd
2 changed files with 20 additions and 6 deletions


@@ -143,12 +143,26 @@ predicate whitelistedRemoval(StringReplaceCall repl) {
)
}
from StringReplaceCall repl, DataFlow::Node old, string msg
/**
* Gets a nice string representation of the pattern or value of the node.
*/
predicate getPatternOrValueString(DataFlow::Node node, string patternOrValue) {
if node instanceof DataFlow::RegExpConstructorInvokeNode
then
exists(DataFlow::RegExpConstructorInvokeNode regExp |
node = regExp and
patternOrValue = "/" + regExp.getRoot() + "/"
)
else patternOrValue = node.toString()
}
from StringReplaceCall repl, DataFlow::Node old, string patternOrValue, string msg
where
(old = repl.getArgument(0) or old = repl.getRegExp()) and
getPatternOrValueString(old, patternOrValue) and
(
not repl.maybeGlobal() and
msg = "This replaces only the first occurrence of " + old + "." and
msg = "This replaces only the first occurrence of " + patternOrValue + "." and
// only flag if this is likely to be a sanitizer or URL encoder or decoder
exists(string m | m = getAMatchedString(old) |
// sanitizer
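Review bot: The new `getPatternOrValueString` has no fallback when the `then` branch fails: if `regExp.getRoot()` has no value for some `RegExpConstructorInvokeNode` (I cannot see its definition from here, but a constructor call whose pattern is not a literal is the obvious candidate), `patternOrValue` is never bound for that node and the `where` clause silently drops the alert that was previously reported with the node's `toString()` text. Restructuring the predicate as a disjunction with an explicit fallback keeps the nicer `/…/` message for literal patterns while preserving the old message for everything else; the call site on the `where` line needs no change. Separately, the QLDoc "Gets a …" wording conventionally marks a result-returning predicate, so either declare it as `string getPatternOrValueString(DataFlow::Node node)` or reword the comment to `Holds if `patternOrValue` is a readable representation of `node`.`. The query's `select` clause lies outside the hunk, so I could not check how `msg` is consumed.
```ql
predicate getPatternOrValueString(DataFlow::Node node, string patternOrValue) {
  patternOrValue = "/" + node.(DataFlow::RegExpConstructorInvokeNode).getRoot() + "/"
  or
  // fall back to the plain node text when there is no literal pattern to show
  not exists(node.(DataFlow::RegExpConstructorInvokeNode).getRoot()) and
  patternOrValue = node.toString()
}
```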


@@ -29,9 +29,9 @@
| tst.js:149:2:149:24 | x.repla ... replace | This replaces only the first occurrence of "\\n". |
| tst.js:193:9:193:17 | s.replace | This replaces only the first occurrence of /'/. |
| tst.js:202:10:202:18 | p.replace | This replaces only the first occurrence of "/../". |
| tst.js:341:9:341:17 | p.replace | This replaces only the first occurrence of new Reg ... .\\\\./"). |
| tst.js:341:9:341:17 | p.replace | This replaces only the first occurrence of /\\.\\.//. |
| tst.js:345:9:345:17 | s.replace | This does not escape backslash characters in the input. |
| tst.js:349:9:349:17 | s.replace | This replaces only the first occurrence of new RegExp("\\'"). |
| tst.js:349:9:349:17 | s.replace | This replaces only the first occurrence of /'/. |
| tst.js:353:9:353:17 | s.replace | This does not escape backslash characters in the input. |
| tst.js:362:2:362:10 | x.replace | This replaces only the first occurrence of new RegExp("\\n"). |
| tst.js:363:2:363:24 | x.repla ... replace | This replaces only the first occurrence of new RegExp("\\n"). |
| tst.js:362:2:362:10 | x.replace | This replaces only the first occurrence of /\n/. |
| tst.js:363:2:363:24 | x.repla ... replace | This replaces only the first occurrence of /\n/. |