JS: use RegExpLiteral as a SourceNode

2026-04-30 19:26:02 +02:00 · 2019-03-22 08:02:39 +01:00
parent 7923c9d77c
commit 364ba1b4ac
8 changed files with 16 additions and 5 deletions
--- a/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
+++ b/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
@@ -70,7 +70,7 @@ class Replacement extends DataFlow::Node {
  Replacement() {
    exists(DataFlow::MethodCallNode mcn | this = mcn |
      mcn.getMethodName() = "replace" and
-      mcn.getArgument(0).asExpr() = pattern and
+      pattern.flow().(DataFlow::SourceNode).flowsTo(mcn.getArgument(0))and
      mcn.getNumArgument() = 2 and
      pattern.isGlobal()
    )
--- a/javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql
+++ b/javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql
@@ -59,7 +59,7 @@ predicate isSimple(RegExpTerm t) {
 */
 predicate isBackslashEscape(MethodCallExpr mce, RegExpLiteral re) {
  mce.getMethodName() = "replace" and
-  re = mce.getArgument(0) and
+  re.flow().(DataFlow::SourceNode).flowsToExpr(mce.getArgument(0)) and
  re.isGlobal() and
  exists(string new | new = mce.getArgument(1).getStringValue() |
    // `new` is `\$&`, `\$1` or similar
@@ -104,7 +104,7 @@ predicate allBackslashesEscaped(DataFlow::Node nd) {
 from MethodCallExpr repl, Expr old, string msg
 where
  repl.getMethodName() = "replace" and
-  old = repl.getArgument(0) and
+  (old = repl.getArgument(0) or old.flow().(DataFlow::SourceNode).flowsToExpr(repl.getArgument(0))) and
  (
    not old.(RegExpLiteral).isGlobal() and
    msg = "This replaces only the first occurrence of " + old + "." and