JS: Exclude client-side sources from RegExpInjection

2026-04-30 11:15:13 +02:00 · 2021-03-08 11:15:47 +00:00
parent 2e57a7d3e9
commit aa1c8c041e
2 changed files with 8 additions and 1 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/RegExpInjectionCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/RegExpInjectionCustomizations.qll
@@ -27,7 +27,10 @@ module RegExpInjection {
   * expression injection.
   */
  class RemoteFlowSourceAsSource extends Source {
-    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
+    RemoteFlowSourceAsSource() {
+      this instanceof RemoteFlowSource and
+      not this instanceof ClientSideRemoteFlowSource
+    }
  }

  /**
--- a/javascript/ql/test/query-tests/Security/CWE-730/client-side.js
+++ b/javascript/ql/test/query-tests/Security/CWE-730/client-side.js
@@ -0,0 +1,4 @@
+function foo() {
+    let taint = window.location.hash.substring(1);
+    new RegExp(taint); // OK - we do not flag RegExp injection on the client side as the impact is too low
+}