use more set literals instead of big disjunctions

Erik Krogh Kristensen
2022-05-24 11:09:10 +02:00
parent b48806968c
commit a404a8c61a
4 changed files with 67 additions and 62 deletions


@@ -13,38 +13,40 @@ module ClosureLibrary {
call = Closure::moduleImport("goog.string." + name).getACall() and succ = call
|
pred = call.getAnArgument() and
(
name = "canonicalizeNewlines" or
name = "capitalize" or
name = "collapseBreakingSpaces" or
name = "collapseWhitespace" or
name = "format" or
name = "makeSafe" or // makeSafe just guards against null and undefined
name = "newLineOrBr" or
name = "normalizeSpaces" or
name = "normalizeWhitespace" or
name = "preserveSpaces" or
name = "remove" or // removes first occurrence of a substring
name = "repeat" or
name = "splitLimit" or
name = "stripNewlines" or
name = "subs" or
name = "toCamelCase" or
name = "toSelectorCase" or
name = "toTitleCase" or
name = "trim" or
name = "trimLeft" or
name = "trimRight" or
name = "unescapeEntities" or
name = "whitespaceEscape"
)
name =
[
"canonicalizeNewlines", //
"capitalize", //
"collapseBreakingSpaces", //
"collapseWhitespace", //
"format", //
"makeSafe", // makeSafe just guards against null and undefined
"newLineOrBr", //
"normalizeSpaces", //
"normalizeWhitespace", //
"preserveSpaces", //
"remove", // removes first occurrence of a substring
"repeat", //
"splitLimit", //
"stripNewlines", //
"subs", //
"toCamelCase", //
"toSelectorCase", //
"toTitleCase", //
"trim", //
"trimLeft", //
"trimRight", //
"unescapeEntities", //
"whitespaceEscape"
]
or
pred = call.getArgument(0) and
(
name = "truncate" or
name = "truncateMiddle" or
name = "unescapeEntitiesWithDocument"
)
name =
[
"truncate", //
"truncateMiddle", //
"unescapeEntitiesWithDocument", //
]
)
}
}
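Review bot: The two new set literals are punctuated differently: the first ends at `"whitespaceEscape"` with no trailing comma, while the second ends with `"unescapeEntitiesWithDocument", //`, a trailing comma plus an empty comment. Using one form for both keeps later additions to this taint-step allowlist to a one-line diff. The bare `//` markers look like they exist only to stop the formatter from packing several names onto one line. A single comment above each list, e.g. `// the trailing "//" keeps one name per line under autoformat`, would stop them being deleted as noise. The enclosing predicate starts outside the hunk.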


@@ -362,29 +362,31 @@ private module ClosureLibraryUri {
// static methods in goog.uri.utils
arg = 0 and
exists(string name | invoke = Closure::moduleImport("goog.uri.utils." + name).getACall() |
name = "appendParam" or // preserve taint from the original URI, but not from the appended param
name = "appendParams" or
name = "appendParamsFromMap" or
name = "appendPath" or
name = "getParamValue" or
name = "getParamValues" or
name = "getPath" or
name = "getPathAndAfter" or
name = "getQueryData" or
name = "parseQueryData" or
name = "removeFragment" or
name = "removeParam" or
name = "setParam" or
name = "setParamsFromMap" or
name = "setPath" or
name = "split"
name =
[
"appendParam", // preserve taint from the original URI, but not from the appended param
"appendParams", //
"appendParamsFromMap", //
"appendPath", //
"getParamValue", //
"getParamValues", //
"getPath", //
"getPathAndAfter", //
"getQueryData", //
"parseQueryData", //
"removeFragment", //
"removeParam", //
"setParam", //
"setParamsFromMap", //
"setPath", //
"split", //
]
)
or
// static methods in goog.string
arg = 0 and
exists(string name | invoke = Closure::moduleImport("goog.string." + name).getACall() |
name = "urlDecode" or
name = "urlEncode"
name = ["urlDecode", "urlEncode"]
)
)
}
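Review bot: The comment on `"appendParam"` ("preserve taint from the original URI, but not from the appended param") now reads as a remark about one list element, although the `arg = 0` restriction it explains applies to every name in the literal. Moving it above `arg = 0`, e.g. `// only argument 0 (the URI) propagates taint; appended or set parameter values are deliberately not tracked`, would make the scope of that decision explicit. It is worth stating there that this is an intentional false-negative trade-off, so a reader checking why a tainted parameter value did not flow through `setParam` finds the answer in the model. The enclosing predicate starts outside the hunk.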


@@ -14,13 +14,16 @@ import javascript
* Gets a regular expression pattern that matches the syntax of likely regular expressions.
*/
private string getALikelyRegExpPattern() {
result = "/.*/[gimuy]{1,5}" or // pattern with at least one flag: /foo/i
result = "/\\^.*/[gimuy]{0,5}" or // pattern with anchor: /^foo/
result = "/.*\\$/[gimuy]{0,5}" or // pattern with anchor: /foo$/
result = "\\^.*\\$" or // pattern body with anchors: ^foo$
result = ".*(?<!\\\\)\\\\[dDwWsSB].*" or // contains a builtin character class: \s
result = ".*(?<!\\\\)\\\\[\\[\\]()*+?{}|^$.].*" or // contains an escaped meta-character: \(
result = ".*\\[\\^?[\\p{Alnum}\\p{Blank}_-]+\\][*+].*" // contains a quantified custom character class: [^a-zA-Z123]+
result =
[
"/.*/[gimuy]{1,5}", // pattern with at least one flag: /foo/i
"/\\^.*/[gimuy]{0,5}", // pattern with anchor: /^foo/
"/.*\\$/[gimuy]{0,5}", // pattern with anchor: /foo$/
"\\^.*\\$", // pattern body with anchors: ^foo$
".*(?<!\\\\)\\\\[dDwWsSB].*", // contains a builtin character class: \s
".*(?<!\\\\)\\\\[\\[\\]()*+?{}|^$.].*", // contains an escaped meta-character: \(
".*\\[\\^?[\\p{Alnum}\\p{Blank}_-]+\\][*+].*" // contains a quantified custom character class: [^a-zA-Z123]+
]
}
/**
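Review bot: The flag class `[gimuy]` in the first three patterns omits the `s` (dotAll) and `d` (hasIndices) flags, so a string such as `/foo/s` is not recognised as a likely regular expression unless one of the later patterns matches it. Since the commit rewrites every entry anyway, consider `[dgimsuy]` with the repetition bounds raised to match, e.g. `"/.*/[dgimsuy]{1,7}"` for the first pattern. If the narrower set is deliberate to limit false positives, a one-line comment above the list saying so would save the next reader from assuming it is an oversight.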


@@ -110,13 +110,11 @@ where
ref.getWith().getStep() = step and
step.getJob() = job and
uses.getGitHubRepository() = "actions/checkout" and
(
ref.getValue().matches("%github.event.pull_request.head.ref%") or
ref.getValue().matches("%github.event.pull_request.head.sha%") or
ref.getValue().matches("%github.event.pull_request.number%") or
ref.getValue().matches("%github.event.number%") or
ref.getValue().matches("%github.head_ref%")
) and
ref.getValue()
.matches([
"%github.event.pull_request.head.ref%", "%github.event.pull_request.head.sha%",
"%github.event.pull_request.number%", "%github.event.number%", "%github.head_ref%"
]) and
step instanceof ProbableStep and
job instanceof ProbableJob
select step, "Potential unsafe checkout of untrusted pull request on `pull_request_target`"
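Review bot: The `matches` list is a substring heuristic over the literal `ref` text, so it recognises only the dotted spellings listed. An equivalent expression written with index syntax (for example `github['head_ref']`), or one built from a different PR-derived field, would not be flagged. A comment above the list, such as `// heuristic: literal substrings of expressions that resolve to PR-controlled refs; not exhaustive`, would make that limit visible to whoever triages results from this query. The formatter has also packed two patterns per line here, unlike the one-per-line lists elsewhere in this commit, which makes later additions harder to review. The `where` clause begins outside the hunk.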