hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-27 17:55:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: only select non-nullable terms in the broken sanitizer

Browse Source
This commit is contained in:
Esben Sparre Andreasen
2021-01-12 08:50:19 +01:00
parent 40cfbab335
commit 847687974f
2 changed files with 8 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
javascript/ql/src/Security/CWE-116/IncompleteMultiCharacterSanitization.ql
View File

@@ -147,13 +147,16 @@ from
where
regexp = replace.getRegExp().getRoot() and
dangerous.getRootTerm() = regexp and
// skip leading optional elements
not dangerous.isNullable() and
// only warn about the longest match (presumably the most descriptive)
prefix = max(string m | matchesDangerousPrefix(dangerous, m, kind) | m order by m.length()) and
// only warn once per kind
not exists(EmptyReplaceRegExpTerm other |
other = dangerous.getAChild+() or other = dangerous.getPredecessor+()
|
matchesDangerousPrefix(other, _, kind)
matchesDangerousPrefix(other, _, kind) and
not other.isNullable()
) and
// don't flag replace operations in a loop
not replace.getAMethodCall*().flowsTo(replace.getReceiver()) and