mirror of
https://github.com/github/codeql.git
synced 2026-05-05 21:55:19 +02:00
Merge branch 'main' into js/shared-dataflow-merge-main
This commit is contained in:
Asger F
@@ -74,7 +74,7 @@ private StringReplaceCall getAStringReplaceMethodCall(StringReplaceCall n) {
|
||||
module HtmlSanitization {
|
||||
private predicate fixedGlobalReplacement(StringReplaceCallSequence chain) {
|
||||
forall(StringReplaceCall member | member = chain.getAMember() |
|
||||
member.isGlobal() and member.getArgument(0) instanceof DataFlow::RegExpLiteralNode
|
||||
member.maybeGlobal() and member.getArgument(0) instanceof DataFlow::RegExpCreationNode
|
||||
)
|
||||
}
|
||||
|
||||
|
||||
@@ -42,9 +42,12 @@ module CleartextLogging {
|
||||
*/
|
||||
class MaskingReplacer extends Barrier, StringReplaceCall {
|
||||
MaskingReplacer() {
|
||||
this.isGlobal() and
|
||||
this.maybeGlobal() and
|
||||
exists(this.getRawReplacement().getStringValue()) and
|
||||
any(RegExpDot term).getLiteral() = this.getRegExp().asExpr()
|
||||
exists(DataFlow::RegExpCreationNode regexpObj |
|
||||
this.(StringReplaceCall).getRegExp() = regexpObj and
|
||||
regexpObj.getRoot() = any(RegExpDot term).getRootTerm()
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -47,7 +47,7 @@ module PrototypePollutingAssignmentConfig implements DataFlow::StateConfigSig {
|
||||
// Replacing with "_" is likely to be exploitable
|
||||
not replace.getRawReplacement().getStringValue() = "_" and
|
||||
(
|
||||
replace.isGlobal()
|
||||
replace.maybeGlobal()
|
||||
or
|
||||
// Non-global replace with a non-empty string can also prevent __proto__ by
|
||||
// inserting a chunk of text that doesn't fit anywhere in __proto__
|
||||
|
||||
@@ -76,7 +76,7 @@ module RegExpInjection {
|
||||
*/
|
||||
class MetacharEscapeSanitizer extends Sanitizer, StringReplaceCall {
|
||||
MetacharEscapeSanitizer() {
|
||||
this.isGlobal() and
|
||||
this.maybeGlobal() and
|
||||
(
|
||||
RegExp::alwaysMatchesMetaCharacter(this.getRegExp().getRoot(), ["{", "[", "+"])
|
||||
or
|
||||
|
||||
@@ -360,10 +360,10 @@ module TaintedPath {
|
||||
this instanceof StringReplaceCall and
|
||||
input = this.getReceiver() and
|
||||
output = this and
|
||||
not exists(RegExpLiteral literal, RegExpTerm term |
|
||||
this.(StringReplaceCall).getRegExp().asExpr() = literal and
|
||||
this.(StringReplaceCall).isGlobal() and
|
||||
literal.getRoot() = term
|
||||
not exists(DataFlow::RegExpCreationNode regexp, RegExpTerm term |
|
||||
this.(StringReplaceCall).getRegExp() = regexp and
|
||||
this.(StringReplaceCall).maybeGlobal() and
|
||||
regexp.getRoot() = term
|
||||
|
|
||||
term.getAMatchedString() = "/" or
|
||||
term.getAMatchedString() = "." or
|
||||
@@ -444,9 +444,9 @@ module TaintedPath {
|
||||
input = this.getReceiver() and
|
||||
output = this and
|
||||
this.isGlobal() and
|
||||
exists(RegExpLiteral literal, RegExpTerm term |
|
||||
this.getRegExp().asExpr() = literal and
|
||||
literal.getRoot() = term and
|
||||
exists(DataFlow::RegExpCreationNode regexp, RegExpTerm term |
|
||||
this.getRegExp() = regexp and
|
||||
regexp.getRoot() = term and
|
||||
not term.getAMatchedString() = "/"
|
||||
|
|
||||
term.getAMatchedString() = "." or
|
||||
|
||||
@@ -266,7 +266,7 @@ module UnsafeShellCommandConstruction {
|
||||
class ReplaceQuotesSanitizer extends Sanitizer, StringReplaceCall {
|
||||
ReplaceQuotesSanitizer() {
|
||||
this.getAReplacedString() = "'" and
|
||||
this.isGlobal() and
|
||||
this.maybeGlobal() and
|
||||
this.getRawReplacement().mayHaveStringValue(["'\\''", ""])
|
||||
}
|
||||
}
|
||||
|
||||
@@ -36,7 +36,7 @@ module Shared {
|
||||
*/
|
||||
class MetacharEscapeSanitizer extends Sanitizer, StringReplaceCall {
|
||||
MetacharEscapeSanitizer() {
|
||||
this.isGlobal() and
|
||||
this.maybeGlobal() and
|
||||
(
|
||||
RegExp::alwaysMatchesMetaCharacter(this.getRegExp().getRoot(), ["<", "'", "\""])
|
||||
or
|
||||
|
||||
Reference in New Issue
Block a user