recognize sanitizing string replace call for regexp-injection

2026-04-28 18:25:24 +02:00 · 2021-05-14 11:58:27 +02:00
parent 9b0c24abc2
commit 33641c84f6
3 changed files with 72 additions and 0 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/RegExpInjectionCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/RegExpInjectionCustomizations.qll
@@ -55,4 +55,27 @@ module RegExpInjection {
      )
    }
  }
+
+  /**
+   * A global regexp replacement involving the `{`, `[`, or `+` meta-character, viewed as a sanitizer for
+   * regexp-injection vulnerabilities.
+   */
+  class MetacharEscapeSanitizer extends Sanitizer, StringReplaceCall {
+    MetacharEscapeSanitizer() {
+      isGlobal() and
+      (
+        RegExp::alwaysMatchesMetaCharacter(getRegExp().getRoot(), ["{", "[", "+"])
+        or
+        // or it's like a wild-card.
+        RegExp::isWildcardLike(getRegExp().getRoot())
+      )
+    }
+  }
+
+  /**
+   * Meta characters used in the above sanitizer.
+   */
+  private class RegexpMetaChars extends RegExp::MetaCharacter {
+    RegexpMetaChars() { this = ["{", "[", "+"] }
+  }
 }