JavaScript: Address review comments.

2026-04-29 10:45:15 +02:00 · 2018-11-29 10:48:44 +00:00
parent 5f16406ad7
commit 8637eaf100
4 changed files with 17 additions and 8 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/HardcodedDataInterpretedAsCode.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/HardcodedDataInterpretedAsCode.qll
@@ -51,18 +51,21 @@ module HardcodedDataInterpretedAsCode {
    }

    override predicate isSanitizer(DataFlow::Node node) {
-      super.isSanitizer(node) or
      node instanceof Sanitizer
    }
  }

  /**
-   * A constant string consisting of eight or more hexadecimal characters, viewed
-   * as a source of hard-coded data that should not be interpreted as code.
+   * A constant string consisting of eight or more hexadecimal characters (including at
+   * least one digit), viewed as a source of hard-coded data that should not be
+   * interpreted as code.
   */
  private class DefaultSource extends Source, DataFlow::ValueNode {
    DefaultSource() {
-      astNode.(Expr).getStringValue().regexpMatch("[0-9a-fA-F]{8,}")
+      exists (string val | val = astNode.(Expr).getStringValue() |
+        val.regexpMatch("[0-9a-fA-F]{8,}") and
+        val.regexpMatch(".*[0-9].*")
+      )
    }
  }

--- a/javascript/ql/test/query-tests/Security/CWE-506/HardcodedDataInterpretedAsCode.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-506/HardcodedDataInterpretedAsCode.expected
@@ -3,20 +3,24 @@ nodes
 | event-stream-orig.js:2:1115:2:1138 | "2e2f74 ... 617461" |
 | event-stream.js:9:11:9:37 | e("2e2f ... 17461") |
 | event-stream.js:9:13:9:36 | "2e2f74 ... 617461" |
+| tst.js:1:5:1:88 | totallyHarmlessString |
 | tst.js:1:29:1:88 | '636f6e ... 6e2729' |
 | tst.js:2:6:2:46 | Buffer. ...  'hex') |
 | tst.js:2:6:2:57 | Buffer. ... tring() |
 | tst.js:2:18:2:38 | totally ... sString |
+| tst.js:5:5:5:23 | test |
 | tst.js:5:12:5:23 | "0123456789" |
 | tst.js:7:8:7:11 | test |
 | tst.js:7:8:7:15 | test+"n" |
 edges
 | event-stream-orig.js:2:1115:2:1138 | "2e2f74 ... 617461" | event-stream-orig.js:2:1113:2:1139 | e("2e2f ... 17461") |
 | event-stream.js:9:13:9:36 | "2e2f74 ... 617461" | event-stream.js:9:11:9:37 | e("2e2f ... 17461") |
-| tst.js:1:29:1:88 | '636f6e ... 6e2729' | tst.js:2:18:2:38 | totally ... sString |
+| tst.js:1:5:1:88 | totallyHarmlessString | tst.js:2:18:2:38 | totally ... sString |
+| tst.js:1:29:1:88 | '636f6e ... 6e2729' | tst.js:1:5:1:88 | totallyHarmlessString |
 | tst.js:2:6:2:46 | Buffer. ...  'hex') | tst.js:2:6:2:57 | Buffer. ... tring() |
 | tst.js:2:18:2:38 | totally ... sString | tst.js:2:6:2:46 | Buffer. ...  'hex') |
-| tst.js:5:12:5:23 | "0123456789" | tst.js:7:8:7:11 | test |
+| tst.js:5:5:5:23 | test | tst.js:7:8:7:11 | test |
+| tst.js:5:12:5:23 | "0123456789" | tst.js:5:5:5:23 | test |
 | tst.js:7:8:7:11 | test | tst.js:7:8:7:15 | test+"n" |
 #select
 | event-stream-orig.js:2:1113:2:1139 | e("2e2f ... 17461") | event-stream-orig.js:2:1115:2:1138 | "2e2f74 ... 617461" | event-stream-orig.js:2:1113:2:1139 | e("2e2f ... 17461") | Hard-coded data from $@ is interpreted as an import path. | event-stream-orig.js:2:1115:2:1138 | "2e2f74 ... 617461" | here |
--- a/javascript/ql/test/query-tests/Security/CWE-506/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-506/tst.js
@@ -8,4 +8,6 @@ try {
  console.log("Bigints supported.");
 } catch(e) {
  console.log("Bigints not supported.");
-}
+}
+
+require('babeface'); // OK