Merge pull request #1182 from esben-semmle/js/sourcenode-regexp-literals

Approved by xiemaisi
2026-04-29 18:55:14 +02:00 · 2019-04-01 21:58:58 +01:00
parent a4de82de06 6908c54df6
commit 54b4e59d12
16 changed files with 53 additions and 9 deletions
--- a/javascript/ql/src/RegExp/IdentityReplacement.ql
+++ b/javascript/ql/src/RegExp/IdentityReplacement.ql
@@ -18,7 +18,7 @@ import javascript
 */
 predicate matchesString(Expr e, string s) {
  exists(RegExpLiteral rl |
-    rl = e and
+    rl.flow().(DataFlow::SourceNode).flowsToExpr(e) and
    not rl.isIgnoreCase() and
    regExpMatchesString(rl.getRoot(), s)
  )
--- a/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
+++ b/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
@@ -70,7 +70,7 @@ class Replacement extends DataFlow::Node {
  Replacement() {
    exists(DataFlow::MethodCallNode mcn | this = mcn |
      mcn.getMethodName() = "replace" and
-      mcn.getArgument(0).asExpr() = pattern and
+      pattern.flow().(DataFlow::SourceNode).flowsTo(mcn.getArgument(0))and
      mcn.getNumArgument() = 2 and
      pattern.isGlobal()
    )
--- a/javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql
+++ b/javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql
@@ -59,7 +59,7 @@ predicate isSimple(RegExpTerm t) {
 */
 predicate isBackslashEscape(MethodCallExpr mce, RegExpLiteral re) {
  mce.getMethodName() = "replace" and
-  re = mce.getArgument(0) and
+  re.flow().(DataFlow::SourceNode).flowsToExpr(mce.getArgument(0)) and
  re.isGlobal() and
  exists(string new | new = mce.getArgument(1).getStringValue() |
    // `new` is `\$&`, `\$1` or similar
@@ -104,7 +104,7 @@ predicate allBackslashesEscaped(DataFlow::Node nd) {
 from MethodCallExpr repl, Expr old, string msg
 where
  repl.getMethodName() = "replace" and
-  old = repl.getArgument(0) and
+  (old = repl.getArgument(0) or old.flow().(DataFlow::SourceNode).flowsToExpr(repl.getArgument(0))) and
  (
    not old.(RegExpLiteral).isGlobal() and
    msg = "This replaces only the first occurrence of " + old + "." and
--- a/javascript/ql/src/semmle/javascript/dataflow/Sources.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Sources.qll
@@ -211,6 +211,7 @@ module SourceNode {
   *   - object expressions
   *   - array expressions
   *   - JSX literals
+   *   - regular expression literals
   *
   * This class is for internal use only and should not normally be used directly.
   */
@@ -224,7 +225,8 @@ module SourceNode {
        astNode instanceof ArrayExpr or
        astNode instanceof JSXNode or
        astNode instanceof GlobalVarAccess or
-        astNode instanceof ExternalModuleReference
+        astNode instanceof ExternalModuleReference or
+        astNode instanceof RegExpLiteral
      )
      or
      exists(SsaExplicitDefinition ssa, VarDef def |
--- a/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirect.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirect.qll
@@ -100,7 +100,7 @@ module ClientSideUrlRedirect {
    or
    exists(MethodCallExpr mce |
      queryAccess.asExpr() = mce and
-      mce.calls(any(RegExpLiteral re), "exec") and
+      mce = any(RegExpLiteral re).flow().(DataFlow::SourceNode).getAMethodCall("exec").asExpr() and
      nd.asExpr() = mce.getArgument(0)
    )
  }