Merge branch 'main' into henrymercer/mergeback-3.8

2026-04-30 11:15:13 +02:00 · 2022-12-13 18:40:53 +00:00
parent 2b10e4ba04 a85de2b5f4
commit 7167f078be
2013 changed files with 99146 additions and 101594 deletions
--- a/javascript/ql/src/Performance/PolynomialReDoS.ql
+++ b/javascript/ql/src/Performance/PolynomialReDoS.ql
@@ -15,7 +15,6 @@

 import javascript
 import semmle.javascript.security.regexp.PolynomialReDoSQuery
-import semmle.javascript.security.regexp.SuperlinearBackTracking
 import DataFlow::PathGraph

 from
--- a/javascript/ql/src/Performance/ReDoS.ql
+++ b/javascript/ql/src/Performance/ReDoS.ql
@@ -15,8 +15,8 @@
 */

 import javascript
-import semmle.javascript.security.regexp.NfaUtils
-import semmle.javascript.security.regexp.ExponentialBackTracking
+private import semmle.javascript.security.regexp.RegExpTreeView::RegExpTreeView as TreeView
+import codeql.regex.nfa.ExponentialBackTracking::Make<TreeView>

 from RegExpTerm t, string pump, State s, string prefixMsg
 where hasReDoSResult(t, pump, s, prefixMsg)
--- a/javascript/ql/src/Security/CWE-020/OverlyLargeRange.ql
+++ b/javascript/ql/src/Security/CWE-020/OverlyLargeRange.ql
@@ -12,8 +12,9 @@
 *       external/cwe/cwe-020
 */

-import semmle.javascript.security.OverlyLargeRangeQuery
+private import semmle.javascript.security.regexp.RegExpTreeView::RegExpTreeView as TreeView
+import codeql.regex.OverlyLargeRangeQuery::Make<TreeView>

-from RegExpCharacterRange range, string reason
+from TreeView::RegExpCharacterRange range, string reason
 where problem(range, reason)
 select range, "Suspicious character range that " + reason + "."
--- a/javascript/ql/src/Security/CWE-116/BadTagFilter.ql
+++ b/javascript/ql/src/Security/CWE-116/BadTagFilter.ql
@@ -16,7 +16,8 @@
 *       external/cwe/cwe-186
 */

-import semmle.javascript.security.BadTagFilterQuery
+private import semmle.javascript.security.regexp.RegExpTreeView::RegExpTreeView as TreeView
+import codeql.regex.nfa.BadTagFilterQuery::Make<TreeView>

 from HtmlMatchingRegExp regexp, string msg
 where msg = min(string m | isBadRegexpFilter(regexp, m) | m order by m.length(), m) // there might be multiple, we arbitrarily pick the shortest one
--- a/javascript/ql/src/Security/CWE-178/CaseSensitiveMiddlewarePath.ql
+++ b/javascript/ql/src/Security/CWE-178/CaseSensitiveMiddlewarePath.ql
@@ -20,7 +20,8 @@ string toOtherCase(string s) {
  if s.regexpMatch(".*[a-z].*") then result = s.toUpperCase() else result = s.toLowerCase()
 }

-import semmle.javascript.security.regexp.NfaUtils as NfaUtils
+private import semmle.javascript.security.regexp.RegExpTreeView::RegExpTreeView as TreeView
+import codeql.regex.nfa.NfaUtils::Make<TreeView> as NfaUtils

 /** Holds if `s` is a relevant regexp term were we want to compute a string that matches the term (for `getCaseSensitiveBypassExample`). */
 predicate isCand(NfaUtils::State s) {
@@ -92,7 +93,7 @@ string getAnEndpointExample(Routing::RouteSetup endpoint) {
  )
 }

-import semmle.javascript.security.regexp.RegexpMatching as RegexpMatching
+import codeql.regex.nfa.RegexpMatching::Make<TreeView> as RegexpMatching

 NfaUtils::RegExpRoot getARoot(DataFlow::RegExpCreationNode creator) {
  result.getRootTerm() = creator.getRoot()
--- a/javascript/ql/src/Security/CWE-918/examples/RequestForgeryBad.js
+++ b/javascript/ql/src/Security/CWE-918/examples/RequestForgeryBad.js
@@ -1,8 +1,7 @@
 import http from 'http';
-import url from 'url';

-var server = http.createServer(function(req, res) {
-    var target = url.parse(req.url, true).query.target;
+const server = http.createServer(function(req, res) {
+    const target = new URL(req.url, "http://example.com").searchParams.get("target");

    // BAD: `target` is controlled by the attacker
    http.get('https://' + target + ".example.com/data/", res => {
--- a/javascript/ql/src/Security/CWE-918/examples/RequestForgeryGood.js
+++ b/javascript/ql/src/Security/CWE-918/examples/RequestForgeryGood.js
@@ -1,10 +1,9 @@
 import http from 'http';
-import url from 'url';

-var server = http.createServer(function(req, res) {
-    var target = url.parse(req.url, true).query.target;
+const server = http.createServer(function(req, res) {
+    const target = new URL(req.url, "http://example.com").searchParams.get("target");

-    var subdomain;
+    let subdomain;
    if (target === 'EU') {
        subdomain = "europe"
    } else {
--- a/javascript/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql
+++ b/javascript/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql
@@ -6,7 +6,7 @@
 * @precision medium
 * @problem.severity error
 * @security-severity 5
- * @id py/predictable-token
+ * @id js/predictable-token
 * @tags security
 *       external/cwe/cwe-340
 */