JS: Whitelist one more FP case

2026-04-24 16:25:15 +02:00 · 2019-10-22 16:40:37 +01:00
parent 2b151cd587
commit 3e37950170
2 changed files with 23 additions and 1 deletions
--- a/javascript/ql/src/Security/CWE-020/MissingRegExpAnchor.ql
+++ b/javascript/ql/src/Security/CWE-020/MissingRegExpAnchor.ql
@@ -90,6 +90,28 @@ predicate containsLetters(RegExpTerm term) {
  term.getAChild*().(RegExpConstant).getValue().regexpMatch(".*[a-zA-Z].*")
 }

+/**
+ * Holds if `term` consists only of an anchor and a parenthesized term,
+ * such as the left side of `^(foo|bar)|baz`.
+ *
+ * The precedence of the anchor is likely to be intentional in this case,
+ * as the group wouldn't be needed otherwise.
+ */
+predicate isAnchoredGroup(RegExpSequence term) {
+  term.getNumChild() = 2 and
+  term.getAChild() instanceof RegExpAnchor and
+  term.getAChild() instanceof RegExpGroup
+}
+
+/**
+ * Holds if `alt` has an explicitly anchored group, such as `^(foo|bar)|baz`
+ * and doesn't have any unnecessary groups, such as in `^(foo)|(bar)`.
+ */
+predicate hasExplicitAnchorPrecedence(RegExpAlt alt) {
+  isAnchoredGroup(alt.getAChild()) and
+  not alt.getAChild() instanceof RegExpGroup
+}
+
 /**
 * Holds if `src` is a pattern for a collection of alternatives where
 * only the first or last alternative is anchored, indicating a
@@ -103,6 +125,7 @@ predicate isInterestingSemiAnchoredRegExpString(RegExpPatternSource src, string
    root = src.getRegExpTerm() and
    not containsInteriorAnchor(root) and
    not isEmpty(root.getAChild()) and
+    not hasExplicitAnchorPrecedence(root) and
    containsLetters(anchoredTerm) and
    (
      anchoredTerm = root.getChild(0) and