making it more explicit what character class matching is used for

2026-03-06 15:49:08 +01:00 · 2021-08-23 08:30:50 +02:00
parent 4cc2ac9d35
commit 5fe6671cc5
1 changed files with 3 additions and 0 deletions
--- a/javascript/ql/src/Security/CWE-116/IncompleteMultiCharacterSanitization.ql
+++ b/javascript/ql/src/Security/CWE-116/IncompleteMultiCharacterSanitization.ql
@@ -67,9 +67,12 @@ DangerousPrefixSubstring getADangerousMatchedChar(EmptyReplaceRegExpTerm t) {
  or
  t.getAMatchedString() = result
  or
+  // A substring matched by some character class. This is only used to match the "word" part of a HTML tag (e.g. "iframe" in "<iframe").
  exists(ReDoSUtil::CharacterClass cc |
    cc = ReDoSUtil::getCanonicalCharClass(t) and
    cc.matches(result) and
+    result.regexpMatch("\\w") and
+    // excluding character classes that match ">" (e.g. /<[^<]*>/), as these might consume nested HTML tags, and thus prevent the dangerous pattern this query is looking for.
    not cc.matches(">")
  )
  or