Merge pull request #158 from esben-semmle/js/sharpen-regexp-injection

Approved by xiemaisi
This commit is contained in:
semmle-qlci
2018-09-05 12:45:59 +01:00
committed by GitHub
4 changed files with 31 additions and 2 deletions


@@ -69,7 +69,13 @@ module RegExpInjection {
mce.getReceiver().analyze().getAType() = TTString() and
mce.getMethodName() = methodName |
(methodName = "match" and this.asExpr() = mce.getArgument(0) and mce.getNumArgument() = 1) or
(methodName = "search" and this.asExpr() = mce.getArgument(0) and mce.getNumArgument() = 1)
(
methodName = "search" and
this.asExpr() = mce.getArgument(0) and
mce.getNumArgument() = 1 and
// `String.prototype.search` returns a number, so exclude chained accesses
not exists(PropAccess p | p.getBase() = mce)
)
)
}
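Review bot: The new `not exists(PropAccess p | p.getBase() = mce)` exclusion is only reached for the `search` branch, and the one-line comment above it does not say why the `match` branch is deliberately left without the same guard; since `String.prototype.match` returns an array or `null`, a property access such as `.length` on its result is legitimate and would not indicate a non-string receiver. I would extend the comment to `// \`String.prototype.search\` returns a number, so a property access on the result indicates the receiver is not a string; \`match\` returns an array, so no such exclusion applies there`. Note that the heuristic only removes false positives when the result is actually used; a bare `nonString.search(x)` statement is still reported, which the test fixture in this PR appears to acknowledge with its "OK, but still flagged" case. The enclosing `exists(MethodCallExpr mce | ...)` and the characteristic predicate it belongs to start outside this hunk.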


@@ -10,4 +10,5 @@
| RegExpInjection.js:45:20:45:24 | input | This regular expression is constructed from a $@. | RegExpInjection.js:5:39:5:56 | req.param("input") | user-provided value |
| RegExpInjection.js:46:23:46:27 | input | This regular expression is constructed from a $@. | RegExpInjection.js:5:39:5:56 | req.param("input") | user-provided value |
| RegExpInjection.js:47:22:47:26 | input | This regular expression is constructed from a $@. | RegExpInjection.js:5:39:5:56 | req.param("input") | user-provided value |
| RegExpInjection.js:50:46:50:50 | input | This regular expression is constructed from a $@. | RegExpInjection.js:5:39:5:56 | req.param("input") | user-provided value |
| tst.js:3:16:3:35 | "^"+ data.name + "$" | This regular expression is constructed from a $@. | tst.js:1:46:1:46 | e | user-provided value |


@@ -1,6 +1,6 @@
var express = require('express');
var app = express();
var URI = reuires("urijs");
app.get('/findKey', function(req, res) {
var key = req.param("key"), input = req.param("input");
@@ -46,4 +46,8 @@ app.get('/findKey', function(req, res) {
likelyString.search(input); // NOT OK
maybeString.search(input); // NOT OK
notString.search(input); // OK
URI(`${protocol}://${host}${path}`).search(input); // OK, but still flagged
URI(`${protocol}://${host}${path}`).search(input).href(); // OK
unknown.search(input).unknown; // OK
});
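Review bot: The import line `var URI = reuires("urijs");` in the first hunk of this file misspells `require`, so the fixture does not actually model a `urijs` import; it should read `var URI = require("urijs");`. Because this is a static-analysis test fixture the code is never executed, and the typo probably does not change the results here since `URI(...)` is of unknown type either way, but the fixture should still exercise the library's module-import modelling as intended rather than an arbitrary unknown call. That line appears to be newly added by this commit, though the rendered page does not make its side certain. The `app.get('/findKey', ...)` callback opens in the first hunk and closes with `});` in the second, so its body is only partially visible.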