move String.prototype.match taint step to a general AdditionalTaintStep

2026-04-25 00:35:20 +02:00 · 2019-11-15 12:52:54 +01:00
parent e49b5e4afc
commit 8d2ae136b0
4 changed files with 32 additions and 13 deletions
--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -558,6 +558,23 @@ module TaintTracking {
      succ = this
    }
  }
+  
+
+  /**
+   * A taint propagating data flow edge arising from calling `String.prototype.match()`.
+   */
+  private class StringMatchTaintStep extends AdditionalTaintStep, DataFlow::MethodCallNode {
+    StringMatchTaintStep() {
+      this.getMethodName() = "match" and
+      this.getNumArgument() = 1 and
+      this.getArgument(0) .analyze().getAType() = TTRegExp()
+    }
+
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      pred = this.getReceiver() and
+      succ = this
+    }
+  }

  /**
   * A taint propagating data flow edge arising from JSON unparsing.
--- a/javascript/ql/src/semmle/javascript/security/dataflow/ExceptionXss.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/ExceptionXss.qll
@@ -75,19 +75,6 @@ module ExceptionXss {
        or
        pred = any(DataFlow::FunctionNode func).getExceptionalReturn()
      )
-      or
-      // String.prototype.match()
-      exists(DataFlow::MethodCallNode call |
-        call = succ and
-        pred = call.getReceiver() and
-        call.getMethodName() = "match" and
-        call.getNumArgument() = 1 and
-        // TODO: Better way of detecting regExp / String.prototype.match() calls?
-        (
-          call.getArgument(0).getALocalSource().asExpr() instanceof RegExpLiteral or
-          call.getArgument(0).getALocalSource().(DataFlow::NewNode).getCalleeName() = "RegExp"
-        )
-      )
    }
  }