JS: generalize js/incomplete-sanitization to handle ConstantString

2026-04-28 18:25:24 +02:00 · 2018-12-10 22:52:18 +01:00
parent a4b3b1e8c8
commit a1d92bfa50
3 changed files with 36 additions and 1 deletions
--- a/javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql
+++ b/javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql
@@ -25,7 +25,7 @@ string metachar() {
 string getAMatchedString(Expr e) {
  result = getAMatchedConstant(e.(RegExpLiteral).getRoot()).getValue()
  or
-  result = e.(StringLiteral).getValue()
+  result = e.getStringValue()
 }

 /** Gets a constant matched by `t`. */
--- a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteSanitization.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteSanitization.expected
@@ -9,3 +9,9 @@
 | tst.js:37:20:37:23 | /"/g | This does not backslash-escape the backslash character. |
 | tst.js:41:20:41:22 | "/" | This replaces only the first occurrence of "/". |
 | tst.js:45:20:45:24 | "%25" | This replaces only the first occurrence of "%25". |
+| tst.js:49:20:49:22 | `'` | This replaces only the first occurrence of `'`. |
+| tst.js:53:20:53:22 | "'" | This replaces only the first occurrence of "'". |
+| tst.js:57:20:57:22 | `'` | This replaces only the first occurrence of `'`. |
+| tst.js:61:20:61:27 | "'" + "" | This replaces only the first occurrence of "'" + "". |
+| tst.js:65:20:65:22 | "'" | This replaces only the first occurrence of "'". |
+| tst.js:69:20:69:27 | "'" + "" | This replaces only the first occurrence of "'" + "". |
--- a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js
@@ -45,6 +45,29 @@ function bad11(s) {
  return s.replace("%25", "%"); // NOT OK
 }

+function bad12(s) {
+  return s.replace(`'`, ""); // NOT OK
+}
+
+function bad13(s) {
+  return s.replace("'", ``); // NOT OK
+}
+
+function bad14(s) {
+  return s.replace(`'`, ``); // NOT OK
+}
+
+function bad15(s) {
+  return s.replace("'" + "", ""); // NOT OK
+}
+
+function bad16(s) {
+  return s.replace("'", "" + ""); // NOT OK
+}
+
+function bad17(s) {
+  return s.replace("'" + "", "" + ""); // NOT OK
+}

 function good1(s) {
  while (s.indexOf("'") > 0)
@@ -120,6 +143,12 @@ app.get('/some/path', function(req, res) {
  bad9(untrusted);
  bad10(untrusted);
  bad11(untrusted);
+  bad12(untrusted);
+  bad13(untrusted);
+  bad14(untrusted);
+  bad15(untrusted);
+  bad16(untrusted);
+  bad17(untrusted);

  good1(untrusted);
  good2(untrusted);