JS: Handle match/matchAll and unknown regexps

2026-04-26 17:25:19 +02:00 · 2024-12-09 15:38:36 +01:00
parent 6e7c5a3707
commit 66eb458134
3 changed files with 59 additions and 3 deletions
--- a/javascript/ql/lib/semmle/javascript/security/TaintedUrlSuffixCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/TaintedUrlSuffixCustomizations.qll
@@ -107,10 +107,21 @@ module TaintedUrlSuffix {
      )
      or
      exists(MethodCallNode call, DataFlow::RegExpCreationNode re |
-        call = re.getAMethodCall("exec") and
-        src = call.getArgument(0) and
-        dst = call and
+        (
+          call = re.getAMethodCall("exec") and
+          src = call.getArgument(0) and
+          dst = call
+          or
+          call.getMethodName() = ["match", "matchAll"] and
+          re.flowsTo(call.getArgument(0)) and
+          src = call.getReceiver() and
+          dst = call
+        )
+      |
        captureAfterSuffixIndicator(re.getRoot().getAChild*())
+        or
+        // If the regexp is unknown, assume it will extract the URL suffix
+        not exists(re.getRoot())
      )
    )
  }