JS: address review feedback

Esben Sparre Andreasen
2021-01-12 08:25:16 +01:00
parent 580a24e982
commit 40cfbab335
2 changed files with 37 additions and 38 deletions


@@ -89,13 +89,13 @@ predicate matchesDangerousPrefix(EmptyReplaceRegExpTerm t, string prefix, string
kind = "path injection" and
// upwards navigation
prefix = ["/..", "../"] and
not t.getSuccessor*().getAMatchedString().regexpMatch("(?i).*[a-z0-9_-]+.*") // explicit path name mentions make this an unlikely sanitizer
not t.getSuccessor*().getAMatchedString().regexpMatch("(?is).*[a-z0-9_-].*") // explicit path name mentions make this an unlikely sanitizer
or
kind = "HTML element injection" and
(
// comments
prefix = "<!--" and
not t.getSuccessor*().getAMatchedString().regexpMatch("(?i).*[a-z0-9_]+.*") // explicit comment content mentions make this an unlikely sanitizer
not t.getSuccessor*().getAMatchedString().regexpMatch("(?is).*[a-z0-9_].*") // explicit comment content mentions make this an unlikely sanitizer
or
// specific tags
prefix = "<" + ["iframe", "script", "cript", "scrip", "style"] // the `cript|scrip` case has been observed in the wild several times
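Review bot: The two new `regexpMatch` tests in `matchesDangerousPrefix` (the `(?is)` forms on the `path injection` branch and the `<!--` branch) differ only in whether `-` is inside the character class, and neither comment explains the difference, so a later cleanup could easily make the two classes identical and silently widen or narrow which sanitizers are flagged. A why-comment on the path branch would pin it down, e.g. `// '-' is included here because hyphens are ordinary path-segment characters, so they also count as an explicit path mention (TODO confirm)`. Since `not t.getSuccessor*().getAMatchedString().regexpMatch("(?is).*" + CLASS + ".*")` now appears twice with only the class varying, it could become one helper predicate taking the class as a string, with the branch-specific comments kept at the call sites. The predicate's body begins before this hunk, and the `(` opened in the `HTML element injection` branch is closed outside it.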
@@ -159,6 +159,5 @@ where
not replace.getAMethodCall*().flowsTo(replace.getReceiver()) and
// avoid anchored terms
not exists(RegExpAnchor a | regexp = a.getRootTerm())
select replace,
"This string may still contain a substring that starts matching at $@, which may cause a " + kind +
" vulnerability.", dangerous, prefix
select replace, "This string may still contain $@, which may cause a " + kind + " vulnerability.",
dangerous, prefix