JS: Factor out StringOps::substringMethodName

2026-04-29 18:55:14 +02:00 · 2021-08-09 10:57:48 +02:00
parent 1074d409fb
commit a3e56dea5e
5 changed files with 13 additions and 14 deletions
--- a/javascript/ql/src/semmle/javascript/StringOps.qll
+++ b/javascript/ql/src/semmle/javascript/StringOps.qll
@@ -802,4 +802,11 @@ module StringOps {
      override boolean getPolarity() { result = polarity }
    }
  }
+
+  /**
+   * Gets the name of a string method which performs substring extraction.
+   *
+   * These are `substring`, `substr`, and `slice`.
+   */
+  string substringMethodName() { result = ["substring", "substr", "slice"] }
 }
--- a/javascript/ql/src/semmle/javascript/security/TaintedUrlSuffix.qll
+++ b/javascript/ql/src/semmle/javascript/security/TaintedUrlSuffix.qll
@@ -67,7 +67,7 @@ module TaintedUrlSuffix {
        name = call.getMethodName()
      |
        // Substring that is not a prefix
-        name = ["substring", "substr", "slice"] and
+        name = StringOps::substringMethodName() and
        not call.getArgument(0).getIntValue() = 0
        or
        // Split around '#' or '?' and extract the suffix
--- a/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
@@ -69,7 +69,7 @@ module ClientSideUrlRedirect {
      // exclude all splits where only the prefix is accessed, which is safe for url-redirects.
      not exists(PropAccess pacc | mce = pacc.getBase() | pacc.getPropertyName() = "0")
      or
-      (methodName = "substring" or methodName = "substr" or methodName = "slice") and
+      methodName = StringOps::substringMethodName() and
      // exclude `location.href.substring(0, ...)` and similar, which can
      // never refer to the query string
      not mce.getArgument(0).(NumberLiteral).getIntValue() = 0
--- a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
@@ -734,15 +734,9 @@ module TaintedPath {
    exists(DataFlow::MethodCallNode mcn, string name |
      srclabel = dstlabel and dst = mcn and mcn.calls(src, name)
    |
-      exists(string substringMethodName |
-        substringMethodName = "substr" or
-        substringMethodName = "substring" or
-        substringMethodName = "slice"
-      |
-        name = substringMethodName and
-        // to avoid very dynamic transformations, require at least one fixed index
-        exists(mcn.getAnArgument().asExpr().getIntValue())
-      )
+      name = StringOps::substringMethodName() and
+      // to avoid very dynamic transformations, require at least one fixed index
+      exists(mcn.getAnArgument().asExpr().getIntValue())
      or
      exists(string argumentlessMethodName |
        argumentlessMethodName = "toLocaleLowerCase" or
--- a/javascript/ql/src/semmle/javascript/security/performance/PolynomialReDoSCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/performance/PolynomialReDoSCustomizations.qll
@@ -100,9 +100,7 @@ module PolynomialReDoS {
        root instanceof RegExpCharacterClassEscape
      )
      or
-      exists(string name | name = "slice" or name = "substring" or name = "substr" |
-        this.(DataFlow::MethodCallNode).getMethodName() = name
-      )
+      this.(DataFlow::MethodCallNode).getMethodName() = StringOps::substringMethodName()
    }
  }