JS: Added more qldoc

Asger F
2024-12-12 13:10:52 +01:00
parent 66eb458134
commit 97b78e752b


@@ -126,15 +126,23 @@ module TaintedUrlSuffix {
)
}
/** Holds if the `n`th child of `seq` contains a character indicating that everything thereafter is part of the suffix */
private predicate containsSuffixIndicator(RegExpSequence seq, int n) {
// Also include '=' as it usually only appears in the URL suffix
seq.getChild(n).getAChild*().(RegExpConstant).getValue().regexpMatch(".*[?#=].*")
}
/** Holds if the `n`th child of `seq` contains a capture group. */
private predicate containsCaptureGroup(RegExpSequence seq, int n) {
seq.getChild(n).getAChild*().(RegExpGroup).isCapture()
}
/**
* Holds if `seq` contains a capture group that will likely match path of the URL suffix,
* thereby extracting tainted data.
*
* For example, `/#(.*)/.exec(url)` will extract the tainted URL suffix from `url`.
*/
private predicate captureAfterSuffixIndicator(RegExpSequence seq) {
exists(int suffix, int capture |
containsSuffixIndicator(seq, suffix) and