Merge pull request #1387 from esben-semmle/js/unanchored-url-regex
Approved by mc-semmle, xiemaisi
@@ -1,24 +1,27 @@
|
||||
| tst-IncompleteHostnameRegExp.js:3:2:3:28 | /http:\\ ... le.com/ | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:3:2:3:28 | /http:\\ ... le.com/ | here |
|
||||
| tst-IncompleteHostnameRegExp.js:5:2:5:28 | /http:\\ ... le.net/ | This regular expression has an unescaped '.' before 'example.net', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:5:2:5:28 | /http:\\ ... le.net/ | here |
|
||||
| tst-IncompleteHostnameRegExp.js:6:2:6:42 | /http:\\ ... b).com/ | This regular expression has an unescaped '.' before '(example-a\|example-b).com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:6:2:6:42 | /http:\\ ... b).com/ | here |
|
||||
| tst-IncompleteHostnameRegExp.js:11:13:11:37 | "http:/ ... le.com" | This string, which is used as a regular expression $@, has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:11:13:11:37 | "http:/ ... le.com" | here |
|
||||
| tst-IncompleteHostnameRegExp.js:12:10:12:35 | "^http: ... le.com" | This string, which is used as a regular expression $@, has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:12:10:12:35 | "^http: ... le.com" | here |
|
||||
| tst-IncompleteHostnameRegExp.js:17:13:17:31 | `test.example.com$` | This string, which is used as a regular expression $@, has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:17:13:17:31 | `test.example.com$` | here |
|
||||
| tst-IncompleteHostnameRegExp.js:3:2:3:29 | /^http: ... le.com/ | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:3:2:3:29 | /^http: ... le.com/ | here |
|
||||
| tst-IncompleteHostnameRegExp.js:5:2:5:29 | /^http: ... le.net/ | This regular expression has an unescaped '.' before 'example.net', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:5:2:5:29 | /^http: ... le.net/ | here |
|
||||
| tst-IncompleteHostnameRegExp.js:6:2:6:43 | /^http: ... b).com/ | This regular expression has an unescaped '.' before '(example-a\|example-b).com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:6:2:6:43 | /^http: ... b).com/ | here |
|
||||
| tst-IncompleteHostnameRegExp.js:11:13:11:38 | "^http: ... le.com" | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:11:13:11:38 | "^http: ... le.com" | here |
|
||||
| tst-IncompleteHostnameRegExp.js:12:10:12:35 | "^http: ... le.com" | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:12:10:12:35 | "^http: ... le.com" | here |
|
||||
| tst-IncompleteHostnameRegExp.js:17:13:17:31 | `test.example.com$` | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:17:13:17:31 | `test.example.com$` | here |
|
||||
| tst-IncompleteHostnameRegExp.js:17:14:17:30 | test.example.com$ | This string, which is used as a regular expression $@, has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:17:13:17:31 | `test.example.com$` | here |
|
||||
| tst-IncompleteHostnameRegExp.js:19:17:19:34 | 'test.example.com' | This string, which is used as a regular expression $@, has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:20:13:20:26 | `${hostname}$` | here |
|
||||
| tst-IncompleteHostnameRegExp.js:22:27:22:44 | 'test.example.com' | This string, which is used as a regular expression $@, has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:23:13:23:27 | domain.hostname | here |
|
||||
| tst-IncompleteHostnameRegExp.js:28:23:28:40 | 'test.example.com' | This string, which is used as a regular expression $@, has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:26:21:26:35 | domain.hostname | here |
|
||||
| tst-IncompleteHostnameRegExp.js:30:30:30:47 | 'test.example.com' | This string, which is used as a regular expression $@, has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:32:21:32:35 | domain.hostname | here |
|
||||
| tst-IncompleteHostnameRegExp.js:19:17:19:35 | '^test.example.com' | This string, which is used as a regular expression $@, has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:20:13:20:26 | `${hostname}$` | here |
|
||||
| tst-IncompleteHostnameRegExp.js:22:27:22:45 | 'test.example.com$' | This string, which is used as a regular expression $@, has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:23:13:23:27 | domain.hostname | here |
|
||||
| tst-IncompleteHostnameRegExp.js:28:23:28:41 | 'test.example.com$' | This string, which is used as a regular expression $@, has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:26:21:26:35 | domain.hostname | here |
|
||||
| tst-IncompleteHostnameRegExp.js:30:30:30:48 | 'test.example.com$' | This string, which is used as a regular expression $@, has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:32:21:32:35 | domain.hostname | here |
|
||||
| tst-IncompleteHostnameRegExp.js:37:2:37:54 | /^(http ... =$\|\\/)/ | This regular expression has an unescaped '.' before ')?example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:37:2:37:54 | /^(http ... =$\|\\/)/ | here |
|
||||
| tst-IncompleteHostnameRegExp.js:38:2:38:44 | /^(http ... p\\/f\\// | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:38:2:38:44 | /^(http ... p\\/f\\// | here |
|
||||
| tst-IncompleteHostnameRegExp.js:39:2:39:34 | /\\(http ... m\\/\\)/g | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:39:2:39:34 | /\\(http ... m\\/\\)/g | here |
|
||||
| tst-IncompleteHostnameRegExp.js:40:2:40:29 | /https? ... le.com/ | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:40:2:40:29 | /https? ... le.com/ | here |
|
||||
| tst-IncompleteHostnameRegExp.js:41:13:41:68 | '^http: ... e\\.com' | This string, which is used as a regular expression $@, has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:41:13:41:68 | '^http: ... e\\.com' | here |
|
||||
| tst-IncompleteHostnameRegExp.js:39:2:39:33 | /^(http ... om\\/)/g | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:39:2:39:33 | /^(http ... om\\/)/g | here |
|
||||
| tst-IncompleteHostnameRegExp.js:40:2:40:30 | /^https ... le.com/ | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:40:2:40:30 | /^https ... le.com/ | here |
|
||||
| tst-IncompleteHostnameRegExp.js:41:13:41:68 | '^http: ... e\\.com' | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:41:13:41:68 | '^http: ... e\\.com' | here |
|
||||
| tst-IncompleteHostnameRegExp.js:41:41:41:68 | '^https ... e\\.com' | This string, which is used as a regular expression $@, has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:41:13:41:68 | '^http: ... e\\.com' | here |
|
||||
| tst-IncompleteHostnameRegExp.js:42:13:42:61 | 'http[s ... \\/(.+)' | This string, which is used as a regular expression $@, has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:42:13:42:61 | 'http[s ... \\/(.+)' | here |
|
||||
| tst-IncompleteHostnameRegExp.js:42:13:42:62 | '^http[ ... \\/(.+)' | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:42:13:42:62 | '^http[ ... \\/(.+)' | here |
|
||||
| tst-IncompleteHostnameRegExp.js:43:2:43:33 | /^https ... e.com$/ | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:43:2:43:33 | /^https ... e.com$/ | here |
|
||||
| tst-IncompleteHostnameRegExp.js:44:9:44:100 | 'protos ... ernal)' | This string, which is used as a regular expression $@, has an unescaped '.' before 'example-b.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:44:9:44:100 | 'protos ... ernal)' | here |
|
||||
| tst-IncompleteHostnameRegExp.js:46:2:46:26 | /exampl ... le.com/ | This regular expression has an unescaped '.' before 'dev\|example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:46:2:46:26 | /exampl ... le.com/ | here |
|
||||
| tst-IncompleteHostnameRegExp.js:48:13:48:68 | '^http: ... e\\.com' | This string, which is used as a regular expression $@, has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:48:13:48:68 | '^http: ... e\\.com' | here |
|
||||
| tst-IncompleteHostnameRegExp.js:44:9:44:101 | '^proto ... ernal)' | This regular expression has an unescaped '.' before 'example-b.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:44:9:44:101 | '^proto ... ernal)' | here |
|
||||
| tst-IncompleteHostnameRegExp.js:46:2:46:29 | /^(exam ... e.com)/ | This regular expression has an unescaped '.' before 'dev\|example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:46:2:46:29 | /^(exam ... e.com)/ | here |
|
||||
| tst-IncompleteHostnameRegExp.js:48:13:48:68 | '^http: ... e\\.com' | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:48:13:48:68 | '^http: ... e\\.com' | here |
|
||||
| tst-IncompleteHostnameRegExp.js:48:41:48:68 | '^https ... e\\.com' | This string, which is used as a regular expression $@, has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:48:13:48:68 | '^http: ... e\\.com' | here |
|
||||
| tst-IncompleteHostnameRegExp.js:53:13:53:35 | 'test.' ... le.com' | This string, which is used as a regular expression $@, has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:53:13:53:35 | 'test.' ... le.com' | here |
|
||||
| tst-IncompleteHostnameRegExp.js:53:13:53:36 | 'test.' ... e.com$' | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:53:13:53:36 | 'test.' ... e.com$' | here |
|
||||
| tst-SemiAnchoredRegExp.js:30:2:30:23 | /^good. ... er.com/ | This regular expression has an unescaped '.' before 'com\|better.com', so it might match more hosts than expected. | tst-SemiAnchoredRegExp.js:30:2:30:23 | /^good. ... er.com/ | here |
|
||||
| tst-SemiAnchoredRegExp.js:66:13:66:34 | '^good. ... er.com' | This regular expression has an unescaped '.' before 'com\|better.com', so it might match more hosts than expected. | tst-SemiAnchoredRegExp.js:66:13:66:34 | '^good. ... er.com' | here |
|
||||
| tst-SemiAnchoredRegExp.js:67:13:67:36 | '^good\\ ... r\\.com' | This regular expression has an unescaped '.' before 'com\|better.com', so it might match more hosts than expected. | tst-SemiAnchoredRegExp.js:67:13:67:36 | '^good\\ ... r\\.com' | here |
|
||||
|
||||
@@ -0,0 +1,49 @@
|
||||
| tst-SemiAnchoredRegExp.js:3:2:3:7 | /^a\|b/ | Misleading operator precedence. The subexpression '^a' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-SemiAnchoredRegExp.js:6:2:6:9 | /^a\|b\|c/ | Misleading operator precedence. The subexpression '^a' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-SemiAnchoredRegExp.js:12:2:12:9 | /^a\|(b)/ | Misleading operator precedence. The subexpression '^a' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-SemiAnchoredRegExp.js:14:2:14:11 | /^(a)\|(b)/ | Misleading operator precedence. The subexpression '^(a)' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-SemiAnchoredRegExp.js:17:2:17:7 | /a\|b$/ | Misleading operator precedence. The subexpression 'b$' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-SemiAnchoredRegExp.js:20:2:20:9 | /a\|b\|c$/ | Misleading operator precedence. The subexpression 'c$' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-SemiAnchoredRegExp.js:26:2:26:9 | /(a)\|b$/ | Misleading operator precedence. The subexpression 'b$' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-SemiAnchoredRegExp.js:28:2:28:11 | /(a)\|(b)$/ | Misleading operator precedence. The subexpression '(b)$' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-SemiAnchoredRegExp.js:30:2:30:23 | /^good. ... er.com/ | Misleading operator precedence. The subexpression '^good.com' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-SemiAnchoredRegExp.js:31:2:31:25 | /^good\\ ... r\\.com/ | Misleading operator precedence. The subexpression '^good\\.com' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-SemiAnchoredRegExp.js:39:13:39:18 | "^a\|b" | Misleading operator precedence. The subexpression '^a' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-SemiAnchoredRegExp.js:42:13:42:20 | "^a\|b\|c" | Misleading operator precedence. The subexpression '^a' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-SemiAnchoredRegExp.js:48:13:48:20 | "^a\|(b)" | Misleading operator precedence. The subexpression '^a' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-SemiAnchoredRegExp.js:50:13:50:22 | "^(a)\|(b)" | Misleading operator precedence. The subexpression '^(a)' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-SemiAnchoredRegExp.js:53:13:53:18 | "a\|b$" | Misleading operator precedence. The subexpression 'b$' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-SemiAnchoredRegExp.js:56:13:56:20 | "a\|b\|c$" | Misleading operator precedence. The subexpression 'c$' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-SemiAnchoredRegExp.js:62:13:62:20 | "(a)\|b$" | Misleading operator precedence. The subexpression 'b$' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-SemiAnchoredRegExp.js:64:13:64:22 | "(a)\|(b)$" | Misleading operator precedence. The subexpression '(b)$' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-SemiAnchoredRegExp.js:66:13:66:34 | '^good. ... er.com' | Misleading operator precedence. The subexpression '^good.com' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-SemiAnchoredRegExp.js:67:13:67:36 | '^good\\ ... r\\.com' | Misleading operator precedence. The subexpression '^good.com' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-SemiAnchoredRegExp.js:68:13:68:38 | '^good\\ ... \\\\.com' | Misleading operator precedence. The subexpression '^good\\.com' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-SemiAnchoredRegExp.js:69:13:69:40 | '^good\\ ... \\\\.com' | Misleading operator precedence. The subexpression '^good\\.com' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-SemiAnchoredRegExp.js:79:2:79:27 | /(\\.xxx ... .zzz)$/ | Misleading operator precedence. The subexpression '(\\.zzz)$' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-SemiAnchoredRegExp.js:81:2:81:23 | /\\.xxx\| ... zzz$/ig | Misleading operator precedence. The subexpression '\\.zzz$' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-SemiAnchoredRegExp.js:82:2:82:19 | /\\.xxx\|\\.yyy\|zzz$/ | Misleading operator precedence. The subexpression 'zzz$' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-SemiAnchoredRegExp.js:85:2:85:28 | /^(xxx ... yyy)/i | Misleading operator precedence. The subexpression '^(xxx yyy zzz)' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-SemiAnchoredRegExp.js:87:2:87:24 | /^(xxx: ... (zzz:)/ | Misleading operator precedence. The subexpression '^(xxx:)' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-SemiAnchoredRegExp.js:88:2:88:23 | /^(xxx? ... zzz\\/)/ | Misleading operator precedence. The subexpression '^(xxx?:)' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-SemiAnchoredRegExp.js:89:2:89:16 | /^@media\|@page/ | Misleading operator precedence. The subexpression '^@media' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-SemiAnchoredRegExp.js:91:2:91:21 | /^click\|mouse\|touch/ | Misleading operator precedence. The subexpression '^click' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-SemiAnchoredRegExp.js:92:2:92:43 | /^http: ... r\\.com/ | Misleading operator precedence. The subexpression '^http://good\\.com' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-SemiAnchoredRegExp.js:93:2:93:47 | /^https ... r\\.com/ | Misleading operator precedence. The subexpression '^https?://good\\.com' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-SemiAnchoredRegExp.js:94:2:94:55 | /^mouse ... ragend/ | Misleading operator precedence. The subexpression '^mouse' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-SemiAnchoredRegExp.js:95:2:95:14 | /^xxx:\|yyy:/i | Misleading operator precedence. The subexpression '^xxx:' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-SemiAnchoredRegExp.js:96:2:96:18 | /_xxx\|_yyy\|_zzz$/ | Misleading operator precedence. The subexpression '_zzz$' is anchored, but the other parts of this regular expression are not |
|
||||
| tst-UnanchoredUrlRegExp.js:3:43:3:61 | "https?://good.com" | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. |
|
||||
| tst-UnanchoredUrlRegExp.js:4:54:4:72 | "https?://good.com" | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. |
|
||||
| tst-UnanchoredUrlRegExp.js:10:2:10:22 | /https? ... od.com/ | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. |
|
||||
| tst-UnanchoredUrlRegExp.js:11:13:11:31 | "https?://good.com" | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. |
|
||||
| tst-UnanchoredUrlRegExp.js:13:44:13:62 | "https?://good.com" | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. |
|
||||
| tst-UnanchoredUrlRegExp.js:15:13:15:31 | "https?://good.com" | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. |
|
||||
| tst-UnanchoredUrlRegExp.js:19:43:19:62 | "https?://good.com/" | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. |
|
||||
| tst-UnanchoredUrlRegExp.js:20:43:20:66 | "https? ... m:8080" | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. |
|
||||
| tst-UnanchoredUrlRegExp.js:23:3:23:21 | "https?://good.com" | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. |
|
||||
| tst-UnanchoredUrlRegExp.js:24:3:24:23 | /https? ... od.com/ | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. |
|
||||
| tst-UnanchoredUrlRegExp.js:25:14:25:32 | "https?://good.com" | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. |
|
||||
| tst-UnanchoredUrlRegExp.js:35:2:35:32 | /https? ... 0-9]+)/ | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. |
|
||||
| tst-UnanchoredUrlRegExp.js:49:11:49:51 | /youtub ... -_]+)/i | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. |
|
||||
| tst-UnanchoredUrlRegExp.js:77:11:77:32 | /vimeo\\ ... 0-9]+)/ | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. |
|
||||
@@ -0,0 +1 @@
|
||||
Security/CWE-020/MissingRegExpAnchor.ql
|
||||
@@ -1,54 +1,54 @@
|
||||
(function() {
|
||||
/http:\/\/example.com/; // OK
|
||||
/http:\/\/test.example.com/; // NOT OK
|
||||
/http:\/\/test\\.example.com/; // OK
|
||||
/http:\/\/test.example.net/; // NOT OK
|
||||
/http:\/\/test.(example-a|example-b).com/; // NOT OK
|
||||
/http:\/\/(.+)\\.example.com/; // NOT OK, but not yet supported with enough precision
|
||||
/http:\/\/(\\.+)\\.example.com/; // OK
|
||||
/http:\/\/(?:.+)\\.test\\.example.com/; // NOT OK, but not yet supported with enough precision
|
||||
/http:\/\/test.example.com\/(?:.*)/; // OK
|
||||
new RegExp("http://test.example.com"); // NOT OK
|
||||
/^http:\/\/example.com/; // OK
|
||||
/^http:\/\/test.example.com/; // NOT OK
|
||||
/^http:\/\/test\\.example.com/; // OK
|
||||
/^http:\/\/test.example.net/; // NOT OK
|
||||
/^http:\/\/test.(example-a|example-b).com/; // NOT OK
|
||||
/^http:\/\/(.+)\\.example.com/; // NOT OK, but not yet supported with enough precision
|
||||
/^http:\/\/(\\.+)\\.example.com/; // OK
|
||||
/^http:\/\/(?:.+)\\.test\\.example.com/; // NOT OK, but not yet supported with enough precision
|
||||
/^http:\/\/test.example.com\/(?:.*)/; // OK
|
||||
new RegExp("^http://test.example.com"); // NOT OK
|
||||
s.match("^http://test.example.com"); // NOT OK
|
||||
|
||||
function id(e) { return e; }
|
||||
new RegExp(id(id(id("http://test.example.com")))); // NOT OK, but not supported by type tracking
|
||||
new RegExp(id(id(id("^http://test.example.com")))); // NOT OK, but not supported by type tracking
|
||||
|
||||
new RegExp(`test.example.com$`); // NOT OK
|
||||
|
||||
let hostname = 'test.example.com'; // NOT OK
|
||||
let hostname = '^test.example.com'; // NOT OK
|
||||
new RegExp(`${hostname}$`);
|
||||
|
||||
let domain = { hostname: 'test.example.com' };
|
||||
let domain = { hostname: 'test.example.com$' };
|
||||
new RegExp(domain.hostname);
|
||||
|
||||
function convert1(domain) {
|
||||
return new RegExp(domain.hostname);
|
||||
}
|
||||
convert1({ hostname: 'test.example.com' }); // NOT OK
|
||||
convert1({ hostname: 'test.example.com$' }); // NOT OK
|
||||
|
||||
let domains = [ { hostname: 'test.example.com' } ]; // NOT OK
|
||||
let domains = [ { hostname: 'test.example.com$' } ]; // NOT OK
|
||||
function convert2(domain) {
|
||||
return new RegExp(domain.hostname);
|
||||
}
|
||||
domains.map(d => convert2(d));
|
||||
|
||||
/(.+\.(?:example-a|example-b)\.com)/; // NOT OK, but not yet supported with enough precision
|
||||
/^(.+\.(?:example-a|example-b)\.com)/; // NOT OK, but not yet supported with enough precision
|
||||
/^(https?:)?\/\/((service|www).)?example.com(?=$|\/)/; // NOT OK
|
||||
/^(http|https):\/\/www.example.com\/p\/f\//; // NOT OK
|
||||
/\(http:\/\/sub.example.com\/\)/g; // NOT OK
|
||||
/https?:\/\/api.example.com/; // NOT OK
|
||||
/^(http:\/\/sub.example.com\/)/g; // NOT OK
|
||||
/^https?:\/\/api.example.com/; // NOT OK
|
||||
new RegExp('^http://localhost:8000|' + '^https?://.+\.example\.com'); // NOT OK
|
||||
new RegExp('http[s]?:\/\/?sub1\.sub2\.example\.com\/f\/(.+)'); // NOT OK
|
||||
new RegExp('^http[s]?:\/\/?sub1\.sub2\.example\.com\/f\/(.+)'); // NOT OK
|
||||
/^https:\/\/[a-z]*.example.com$/; // NOT OK
|
||||
RegExp('protos?://(localhost|.+.example.net|.+.example-a.com|.+.example-b.com|.+.example.internal)'); // NOT OK
|
||||
RegExp('^protos?://(localhost|.+.example.net|.+.example-a.com|.+.example-b.com|.+.example.internal)'); // NOT OK
|
||||
|
||||
/example.dev|example.com/; // OK, but still flagged
|
||||
/^(example.dev|example.com)/; // OK, but still flagged
|
||||
|
||||
new RegExp('^http://localhost:8000|' + '^https?://.+\.example\.com'); // NOT OK
|
||||
|
||||
var primary = 'example.com';
|
||||
var primary = 'example.com$';
|
||||
new RegExp('test.' + primary); // NOT OK, but not detected
|
||||
|
||||
new RegExp('test.' + 'example.com'); // NOT OK
|
||||
new RegExp('test.' + 'example.com$'); // NOT OK
|
||||
});
|
||||
|
||||
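Review bot: The anchored string cases `new RegExp('^http[s]?:\/\/?sub1\.sub2\.example\.com\/f\/(.+)'); // NOT OK` and `new RegExp('^http://localhost:8000|' + '^https?://.+\.example\.com'); // NOT OK` write `\.` and `\/` inside ordinary single-quoted strings, where the backslash is simply dropped, so the regular expression actually constructed is `^http[s]?://?sub1.sub2.example.com/f/(.+)` with genuinely unescaped dots; that is presumably why the expected output reports them, but a bare `// NOT OK` reads as if the escaping were meant to work. I would make this explicit on those lines, e.g. `// NOT OK: '\.' in a plain string literal is just '.', so the dots are unescaped`. The `'^http://localhost:8000|' + ...` line also occurs twice in the file (the expected output lists it at lines 41 and 48), which looks accidental and could be reduced to one case or varied into a distinct shape. The enclosing IIFE is fully inside this section.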
@@ -0,0 +1,126 @@
|
||||
(function coreRegExp() {
|
||||
/^a|/;
|
||||
/^a|b/; // NOT OK
|
||||
/a|^b/;
|
||||
/^a|^b/;
|
||||
/^a|b|c/; // NOT OK
|
||||
/a|^b|c/;
|
||||
/a|b|^c/;
|
||||
/^a|^b|c/;
|
||||
|
||||
/(^a)|b/;
|
||||
/^a|(b)/; // NOT OK
|
||||
/^a|(^b)/;
|
||||
/^(a)|(b)/; // NOT OK
|
||||
|
||||
|
||||
/a|b$/; // NOT OK
|
||||
/a$|b/;
|
||||
/a$|b$/;
|
||||
/a|b|c$/; // NOT OK
|
||||
/a|b$|c/;
|
||||
/a$|b|c/;
|
||||
/a|b$|c$/;
|
||||
|
||||
/a|(b$)/;
|
||||
/(a)|b$/; // NOT OK
|
||||
/(a$)|b$/;
|
||||
/(a)|(b)$/; // NOT OK
|
||||
|
||||
/^good.com|better.com/; // NOT OK
|
||||
/^good\.com|better\.com/; // NOT OK
|
||||
/^good\\.com|better\\.com/;
|
||||
/^good\\\.com|better\\\.com/;
|
||||
/^good\\\\.com|better\\\\.com/;
|
||||
});
|
||||
|
||||
(function coreString() {
|
||||
new RegExp("^a|");
|
||||
new RegExp("^a|b"); // NOT OK
|
||||
new RegExp("a|^b");
|
||||
new RegExp("^a|^b");
|
||||
new RegExp("^a|b|c"); // NOT OK
|
||||
new RegExp("a|^b|c");
|
||||
new RegExp("a|b|^c");
|
||||
new RegExp("^a|^b|c");
|
||||
|
||||
new RegExp("(^a)|b");
|
||||
new RegExp("^a|(b)"); // NOT OK
|
||||
new RegExp("^a|(^b)");
|
||||
new RegExp("^(a)|(b)"); // NOT OK
|
||||
|
||||
|
||||
new RegExp("a|b$"); // NOT OK
|
||||
new RegExp("a$|b");
|
||||
new RegExp("a$|b$");
|
||||
new RegExp("a|b|c$"); // NOT OK
|
||||
new RegExp("a|b$|c");
|
||||
new RegExp("a$|b|c");
|
||||
new RegExp("a|b$|c$");
|
||||
|
||||
new RegExp("a|(b$)");
|
||||
new RegExp("(a)|b$"); // NOT OK
|
||||
new RegExp("(a$)|b$");
|
||||
new RegExp("(a)|(b)$"); // NOT OK
|
||||
|
||||
new RegExp('^good.com|better.com'); // NOT OK
|
||||
new RegExp('^good\.com|better\.com'); // NOT OK
|
||||
new RegExp('^good\\.com|better\\.com'); // NOT OK
|
||||
new RegExp('^good\\\.com|better\\\.com'); // NOT OK
|
||||
new RegExp('^good\\\\.com|better\\\\.com');
|
||||
});
|
||||
|
||||
(function realWorld() {
|
||||
// real-world examples that have been anonymized a bit
|
||||
|
||||
/*
|
||||
* NOT OK: flagged
|
||||
*/
|
||||
/(\.xxx)|(\.yyy)|(\.zzz)$/;
|
||||
/(^left|right|center)\sbottom$/; // not flagged at the moment due to multiple anchors
|
||||
/\.xxx|\.yyy|\.zzz$/ig;
|
||||
/\.xxx|\.yyy|zzz$/;
|
||||
/^(?:mouse|contextmenu)|click/; // not flagged at the moment due to nested alternatives
|
||||
/^([A-Z]|xxx[XY]$)/; // not flagged at the moment due to multiple anchors
|
||||
/^(xxx yyy zzz)|(xxx yyy)/i;
|
||||
/^(xxx yyy zzz)|(xxx yyy)|(1st( xxx)? yyy)|xxx|1st/i; // not flagged at the moment due to nested parens
|
||||
/^(xxx:)|(yyy:)|(zzz:)/;
|
||||
/^(xxx?:)|(yyy:zzz\/)/;
|
||||
/^@media|@page/;
|
||||
/^\s*(xxx?|yyy|zzz):|xxx:yyy\//; // not flagged at the moment due to quantifiers
|
||||
/^click|mouse|touch/;
|
||||
/^http:\/\/good\.com|http:\/\/better\.com/;
|
||||
/^https?:\/\/good\.com|https?:\/\/better\.com/;
|
||||
/^mouse|touch|click|contextmenu|drop|dragover|dragend/;
|
||||
/^xxx:|yyy:/i;
|
||||
/_xxx|_yyy|_zzz$/;
|
||||
/em|%$/; // not flagged at the moment due to the anchor not being for letters
|
||||
|
||||
/*
|
||||
* MAYBE OK due to apparent complexity: not flagged
|
||||
*/
|
||||
/(?:^[#?]?|&)([^=&]+)(?:=([^&]*))?/g;
|
||||
/(^\s*|;\s*)\*.*;/m;
|
||||
/(^\s*|\[)(?:xxx|yyy_(?:xxx|yyy)|xxx|yyy(?:xxx|yyy)?|xxx|yyy)\b/m;
|
||||
/\s\S| \t|\t |\s$/;
|
||||
/\{[^}{]*\{|\}[^}{]*\}|\{[^}]*$/g;
|
||||
/^((\+|\-)\s*\d\d\d\d)|((\+|\-)\d\d\:?\d\d)/;
|
||||
/^(\/\/)|([a-z]+:(\/\/)?)/;
|
||||
/^[=?!#%@$]|!(?=[:}])/;
|
||||
/^[\[\]!:]|[<>]/;
|
||||
/^for\b|\b(?:xxx|yyy)\b/i;
|
||||
/^if\b|\b(?:xxx|yyy|zzz)\b/i;
|
||||
|
||||
/*
|
||||
* OK: not flagged
|
||||
*/
|
||||
/$^|only-match/g;
|
||||
/(#.+)|#$/;
|
||||
/(NaN| {2}|^$)/;
|
||||
/[^\n]*(?:\n|[^\n]$)/g;
|
||||
/^$|\/(?:xxx|yyy)zzz/i;
|
||||
/^(\/|(xxx|yyy|zzz)$)/;
|
||||
/^9$|27/;
|
||||
/^\+|\s*/g;
|
||||
/xxx_yyy=\w+|^$/;
|
||||
});
|
||||
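Review bot: The string variants `new RegExp('^good\.com|better\.com'); // NOT OK` and `new RegExp('^good\\\.com|better\\\.com'); // NOT OK` rely on `\.` being a no-op escape inside a plain string literal, so the first builds exactly the same regular expression as `'^good.com|better.com'` on the line above and the second the same as `'^good\\.com|better\\.com'`; the expected output confirms this (the reported subexpression for line 67 is `^good.com`, not `^good\.com`). A short comment such as `// NOT OK (same regexp as the previous line: '\.' in a string is just '.')` on those two lines would stop a reader from taking the differing backslash counts as distinct escape-handling cases. The last variant `'^good\\\\.com|better\\\\.com'` and its literal twin `/^good\\.com|better\\.com/` are the only ones in these two functions without a verdict comment, and they are also the ones the expected output does not list; a `// OK` (or a note on why they are not reported) would record that the silence is intended.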
@@ -0,0 +1,106 @@
|
||||
(function(x){
|
||||
|
||||
"http://evil.com/?http://good.com".match("https?://good.com"); // NOT OK
|
||||
"http://evil.com/?http://good.com".match(new RegExp("https?://good.com")); // NOT OK
|
||||
"http://evil.com/?http://good.com".match("^https?://good.com"); // OK
|
||||
"http://evil.com/?http://good.com".match(/^https?:\/\/good.com/); // OK
|
||||
"http://evil.com/?http://good.com".match("(^https?://good1.com)|(^https?://good2.com)"); // OK
|
||||
"http://evil.com/?http://good.com".match("(https?://good.com)|(^https?://goodie.com)"); // NOT OK, but not detected
|
||||
|
||||
/https?:\/\/good.com/.exec("http://evil.com/?http://good.com"); // NOT OK
|
||||
new RegExp("https?://good.com").exec("http://evil.com/?http://good.com"); // NOT OK
|
||||
|
||||
"http://evil.com/?http://good.com".search("https?://good.com"); // NOT OK
|
||||
|
||||
new RegExp("https?://good.com").test("http://evil.com/?http://good.com"); // NOT OK
|
||||
|
||||
"something".match("other"); // OK
|
||||
"something".match("x.commissary"); // OK
|
||||
"http://evil.com/?http://good.com".match("https?://good.com/"); // NOT OK
|
||||
"http://evil.com/?http://good.com".match("https?://good.com:8080"); // NOT OK
|
||||
|
||||
let trustedUrls = [
|
||||
"https?://good.com", // NOT OK, referenced below
|
||||
/https?:\/\/good.com/, // NOT OK, referenced below
|
||||
new RegExp("https?://good.com"), // NOT OK, referenced below
|
||||
"^https?://good.com"
|
||||
];
|
||||
function isTrustedUrl(url) {
|
||||
for (let trustedUrl of trustedUrls) {
|
||||
if (url.match(trustedUrl)) return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
/https?:\/\/good.com\/([0-9]+)/.exec(url); // NOT OK
|
||||
"https://verygood.com/?id=" + /https?:\/\/good.com\/([0-9]+)/.exec(url)[0]; // OK
|
||||
"http" + (secure? "s": "") + "://" + "verygood.com/?id=" + /https?:\/\/good.com\/([0-9]+)/.exec(url)[0]; // OK
|
||||
"http" + (secure? "s": "") + "://" + ("verygood.com/?id=" + /https?:\/\/good.com\/([0-9]+)/.exec(url)[0]); // OK
|
||||
|
||||
// g or .replace?
|
||||
file = file.replace(
|
||||
/https:\/\/cdn\.ampproject\.org\/v0\/amp-story-0\.1\.js/g,
|
||||
hostName + '/dist/v0/amp-story-1.0.max.js'
|
||||
);
|
||||
|
||||
// missing context of use
|
||||
const urlPatterns = [
|
||||
{
|
||||
regex: /youtube.com\/embed\/([a-z0-9\?&=\-_]+)/i,
|
||||
type: 'iframe', w: 560, h: 314,
|
||||
url: '//www.youtube.com/embed/$1',
|
||||
allowFullscreen: true
|
||||
}];
|
||||
|
||||
// ditto
|
||||
F.helpers.media = {
|
||||
defaults : {
|
||||
youtube : {
|
||||
matcher : /(youtube\.com|youtu\.be)\/(watch\?v=|v\/|u\/|embed\/?)?(videoseries\?list=(.*)|[\w-]{11}|\?listType=(.*)&list=(.*)).*/i,
|
||||
params : {
|
||||
autoplay : 1,
|
||||
autohide : 1,
|
||||
fs : 1,
|
||||
rel : 0,
|
||||
hd : 1,
|
||||
wmode : 'opaque',
|
||||
enablejsapi : 1
|
||||
},
|
||||
type : 'iframe',
|
||||
url : '//www.youtube.com/embed/$3'
|
||||
}}}
|
||||
|
||||
// ditto
|
||||
var urlPatterns = [
|
||||
{regex: /youtu\.be\/([\w\-.]+)/, type: 'iframe', w: 425, h: 350, url: '//www.youtube.com/embed/$1'},
|
||||
{regex: /youtube\.com(.+)v=([^&]+)/, type: 'iframe', w: 425, h: 350, url: '//www.youtube.com/embed/$2'},
|
||||
{regex: /vimeo\.com\/([0-9]+)/, type: 'iframe', w: 425, h: 350, url: '//player.vimeo.com/video/$1?title=0&byline=0&portrait=0&color=8dc7dc'},
|
||||
];
|
||||
|
||||
// check optional successsor to TLD
|
||||
new RegExp("(Pingdom.com_bot_version_)(\\d+)\\.(\\d+)")
|
||||
|
||||
// replace and spaces
|
||||
error.replace(/See https:\/\/github\.com\/Squirrel\/Squirrel\.Mac\/issues\/182 for more information/, 'See [this link](https://github.com/Microsoft/vscode/issues/7426#issuecomment-425093469) for more information');
|
||||
|
||||
// not a url
|
||||
var sharedScript = /<script\s.*src="(app:\/\/.+\.gaiamobile\.org)?\/?(shared\/.+)".*>/;
|
||||
|
||||
// replace
|
||||
const repo = repoURL.replace(/http(s)?:\/\/(\d+\.)?github.com\//gi, '')
|
||||
|
||||
// replace and space
|
||||
cmp.replace(/<option value="http:\/\/codemirror.net\/">HEAD<\/option>/,
|
||||
"<option value=\"http://codemirror.net/\">HEAD</option>\n <option value=\"http://marijnhaverbeke.nl/git/codemirror?a=blob_plain;hb=" + number + ";f=\">" + number + "</option>");
|
||||
|
||||
// replace and space
|
||||
const helpMsg = /For help see https:\/\/nodejs.org\/en\/docs\/inspector\s*/;
|
||||
msg = msg.replace(helpMsg, '');
|
||||
|
||||
// not a url
|
||||
pkg.source.match(/<a:skin.*?\s+xmlns:a="http:\/\/ajax.org\/2005\/aml"/m)
|
||||
|
||||
// replace
|
||||
path.replace(/engine.io/, "$&-client")
|
||||
|
||||
});
|
||||
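Review bot: From `// missing context of use` onward the cases carry no `// OK` / `// NOT OK` verdicts, unlike the first half of the file, so the expected output is the only record of which of them the query is meant to report; as far as I can read it, `/vimeo\.com\/([0-9]+)/` (line 77) is reported while the neighbouring `/youtu\.be\/([\w\-.]+)/` and `/youtube\.com(.+)v=([^&]+)/` are not, and nothing in the test says whether that difference is intended. I would annotate each of these with the expected verdict, e.g. in the `urlPatterns` array `// NOT OK: vimeo pattern is reported; the youtu.be / youtube.com entries currently are not`, so a later change in the query's behaviour is noticed as such. Minor: `// check optional successsor to TLD` has a typo (`successor`), and `// g or .replace?` reads as an open question rather than a description of what the case exercises. The free identifiers used here (`url`, `secure`, `file`, `hostName`, `repoURL`, `cmp`, `number`, `msg`, `pkg`, `path`, `F`) are fine for a static test, but a one-line comment saying they are deliberately undeclared would help the next reader.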