JS: address non-semantic review comments

2026-04-28 10:15:14 +02:00 · 2018-12-06 22:10:59 +01:00
parent d4e4bc6a0b
commit 994fe1bea5
3 changed files with 36 additions and 36 deletions
--- a/javascript/ql/src/Security/CWE-020/IncompleteUrlRegExp.qhelp
+++ b/javascript/ql/src/Security/CWE-020/IncompleteUrlRegExp.qhelp
@@ -11,17 +11,17 @@
 			redirections. Usually, this is done by checking that the host of a URL
 			is in a set of allowed hosts.

-        </p>
+		</p>

-        <p>
+		<p>

-	        If a regular expression implements such a check, it is
-	        easy to accidentally make the check too permissive by not escaping the
-	        <code>.</code> meta-characters appropriately.
+			If a regular expression implements such a check, it is
+			easy to accidentally make the check too permissive by not escaping the
+			<code>.</code> meta-characters appropriately.

-	        Even if the check is not used in a security-critical
-	        context, the incomplete check may still cause undesirable behaviors
-	        when the check succeeds accidentally.
+			Even if the check is not used in a security-critical
+			context, the incomplete check may still cause undesirable behaviors
+			when the check succeeds accidentally.

 		</p>
 	</overview>
@@ -63,7 +63,7 @@
 	</example>

 	<references>
-        <li>OWASP: <a href="https://www.owasp.org/index.php/Server_Side_Request_Forgery">SSRF</a></li>
-        <li>OWASP: <a href="https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet">XSS Unvalidated Redirects and Forwards Cheat Sheet</a>.</li>
+		<li>OWASP: <a href="https://www.owasp.org/index.php/Server_Side_Request_Forgery">SSRF</a></li>
+		<li>OWASP: <a href="https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet">XSS Unvalidated Redirects and Forwards Cheat Sheet</a>.</li>
 	</references>
 </qhelp>
--- a/javascript/ql/src/Security/CWE-020/IncompleteUrlRegExp.ql
+++ b/javascript/ql/src/Security/CWE-020/IncompleteUrlRegExp.ql
@@ -1,6 +1,6 @@
 /**
 * @name Incomplete URL regular expression
- * @description Security checks on URLs using regular expressions are sometimes vulnerable to bypassing.
+ * @description Using a regular expression that contains an 'any character' may match more URLs than expected.
 * @kind problem
 * @problem.severity error
 * @precision high
@@ -23,7 +23,7 @@ module IncompleteUrlRegExpTracking {

    override
    predicate isSource(DataFlow::Node source) {
-      isIncompleteHostNameRegExpPattern(source.asExpr().(ConstantString).getStringValue(), _)
+      isIncompleteHostNameRegExpPattern(source.asExpr().getStringValue(), _)
    }

    override
@@ -50,7 +50,7 @@ predicate isIncompleteHostNameRegExpPattern(string pattern, string hostPart) {
    ".*", 1)
 }

-from Expr e, string pattern, string intendedHost
+from Expr e, string pattern, string hostPart
 where
      (
        e.(RegExpLiteral).getValue() = pattern or
@@ -59,10 +59,10 @@ where
          e.mayHaveStringValue(pattern)
        )
      ) and
-      isIncompleteHostNameRegExpPattern(pattern, intendedHost)
+      isIncompleteHostNameRegExpPattern(pattern, hostPart)
      and
      // ignore patterns with capture groups after the TLD
      not pattern.regexpMatch("(?i).*[.](com|org|edu|gov|uk|net).*[(][?]:.*[)].*")


-select e, "This regular expression has an unescaped '.', which means that '" + intendedHost + "' might not match the intended host of a matched URL."
+select e, "This regular expression has an unescaped '.' before '" + hostPart + "', so it might match more hosts than expected."