hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

add suspicious-regexp-range query

Browse Source
This commit is contained in:
Erik Krogh Kristensen
2022-06-27 08:42:20 +02:00
parent 0346b6b67a
commit a343ceaf8b
29 changed files with 1736 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
javascript/ql/test/query-tests/Security/CWE-020/SuspiciousRegexpRange/SuspiciousRegexpRange.expected Normal file
View File

@@ -0,0 +1,10 @@
| tst.js:1:19:1:21 | 0-9 | Suspicious character range that overlaps with 3-5 in the same character class. |
| tst.js:3:21:3:23 | A-z | Suspicious character range that overlaps with A-Z in the same character class, and is equivalent to [A-Z\\[\\\\\\]^_`a-z]. |
| tst.js:5:18:5:20 | z-a | Suspicious character range that is empty. |
| tst.js:15:28:15:30 | A-f | Suspicious character range that overlaps with a-f in the same character class, and is equivalent to [A-Z\\[\\\\\\]^_`a-f]. |
| tst.js:17:20:17:22 | $-` | Suspicious character range that is equivalent to [$%&'()*+,\\-.\\/0-9:;<=>?@A-Z\\[\\\\\\]^_`]. |
| tst.js:19:33:19:35 | +-< | Suspicious character range that is equivalent to [+,\\-.\\/0-9:;<]. |
| tst.js:21:37:21:39 | .-_ | Suspicious character range that overlaps with 1-9 in the same character class, and is equivalent to [.\\/0-9:;<=>?@A-Z\\[\\\\\\]^_]. |
| tst.js:23:24:23:26 | 7-F | Suspicious character range that is equivalent to [7-9:;<=>?@A-F]. |
| tst.js:25:28:25:30 | 0-9 | Suspicious character range that overlaps with \\d in the same character class. |
| tst.js:27:31:27:33 | .-? | Suspicious character range that overlaps with \\w in the same character class, and is equivalent to [.\\/0-9:;<=>?]. |

1
javascript/ql/test/query-tests/Security/CWE-020/SuspiciousRegexpRange/SuspiciousRegexpRange.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE-020/SuspiciousRegexpRange.ql

27
javascript/ql/test/query-tests/Security/CWE-020/SuspiciousRegexpRange/tst.js Normal file
View File

@@ -0,0 +1,27 @@
var overlap1 = /^[0-93-5]$/; // NOT OK
var overlap2 = /[A-ZA-z]/; // NOT OK
var isEmpty = /^[z-a]$/; // NOT OK
var isAscii = /^[\x00-\x7F]*$/; // OK
var printable = /[!-~]/; // OK - used to select most printable ASCII characters
var codePoints = /[^\x21-\x7E]|[[\](){}<>/%]/g; // OK
const NON_ALPHANUMERIC_REGEXP = /([^\#-~| |!])/g; // OK
var smallOverlap = /[0-9a-fA-f]/; // NOT OK
var weirdRange = /[$-`]/; // NOT OK
var keywordOperator = /[!\~\*\/%+-<>\^|=&]/; // NOT OK
var notYoutube = /youtu\.be\/[a-z1-9.-_]+/; // NOT OK
var numberToLetter = /[7-F]/; // NOT OK
var overlapsWithClass1 = /[0-9\d]/; // NOT OK
var overlapsWithClass2 = /[\w,.-?:*+]/; // NOT OK