Make regular expression for format strings more precise.

2026-01-29 14:23:03 +01:00 · 2020-02-06 12:28:49 +00:00
parent 8b0d271717
commit 69edfe08df
1 changed files with 7 additions and 3 deletions
--- a/ql/src/semmle/go/StringOps.qll
+++ b/ql/src/semmle/go/StringOps.qll
@@ -214,13 +214,17 @@ module StringOps {
     * width and precision specifiers, but not including `*` specifiers or explicit argument
     * indices.
     */
+    pragma[noinline]
    private string getFormatComponentRegex() {
-      exists(string literal, string opt_flag, string opt_width, string operator, string verb |
+      exists(string literal, string opt_flag, string width, string prec, string opt_width_and_prec, string operator, string verb |
        literal = "([^%]|%%)+" and
        opt_flag = "[-+ #0]?" and
-        opt_width = "((\\d*|\\*)(\\.(\\d*|\\*))?)?" and
+        width = "\\d+|\\*" and
+        prec = "\\.(\\d+|\\*)" and
+        // either a width followed by an optional prec, or just a prec, or nothing
+        opt_width_and_prec = "((" + width + ")(" + prec + ")?|(" + prec + "))?" and
        operator = "[bcdeEfFgGoOpqstTxXUv]" and
-        verb = "(%" + opt_flag + opt_width + operator + ")"
+        verb = "(%" + opt_flag + opt_width_and_prec + operator + ")"
      |
        result = "(" + literal + "|" + verb + ")"
      )