JavaScript: Recognise wrapped chains of replacements.

2026-05-01 03:35:13 +02:00 · 2019-10-30 13:02:59 +00:00
parent 02d16b1dc9
commit 5349e0f881
3 changed files with 18 additions and 2 deletions
--- a/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
+++ b/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
@@ -115,6 +115,13 @@ abstract class Replacement extends DataFlow::Node {
    result.getOutput() = getASimplePredecessor*(getInput())
  }

+  /**
+   * Gets the next replacement in this chain of replacements.
+   */
+  Replacement getNextReplacement() {
+    this = result.getPreviousReplacement()
+  }
+
  /**
   * Gets an earlier replacement in this chain of replacements that
   * performs an escaping.
@@ -231,8 +238,8 @@ class WrappedReplacement extends Replacement, DataFlow::CallNode {

  WrappedReplacement() {
    exists(DataFlow::FunctionNode wrapped | wrapped.getFunction() = getACallee() |
-      wrapped.getParameter(i).flowsTo(inner.getInput()) and
-      inner.getOutput().flowsTo(wrapped.getAReturn())
+      wrapped.getParameter(i).flowsTo(inner.getPreviousReplacement*().getInput()) and
+      inner.getNextReplacement*().getOutput().flowsTo(wrapped.getAReturn())
    )
  }

--- a/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/DoubleEscaping.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/DoubleEscaping.expected
@@ -9,3 +9,4 @@
 | tst.js:86:10:86:22 | JSON.parse(s) | This replacement may produce '\\' characters that are double-unescaped $@. | tst.js:86:10:86:47 | JSON.pa ... g, "<") | here |
 | tst.js:99:10:99:66 | s.repla ... &amp;") | This replacement may double-escape '&' characters from $@. | tst.js:99:10:99:43 | s.repla ... epl[c]) | here |
 | tst.js:107:10:107:53 | encodeD ... &amp;") | This replacement may double-escape '&' characters from $@. | tst.js:107:10:107:30 | encodeD ... otes(s) | here |
+| tst.js:115:10:115:47 | encodeQ ... &amp;") | This replacement may double-escape '&' characters from $@. | tst.js:115:10:115:24 | encodeQuotes(s) | here |
--- a/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js
@@ -106,3 +106,11 @@ function encodeDoubleQuotes(s) {
 function badWrappedEncode(s) {
  return encodeDoubleQuotes(s).replace(/&/g, "&amp;");
 }
+
+function encodeQuotes(s) {
+  return s.replace(/"/g, "&quot;").replace(/'/g, "&apos;");
+}
+
+function badWrappedEncode2(s) {
+  return encodeQuotes(s).replace(/&/g, "&amp;");
+}