mirror of
https://github.com/github/codeql.git
synced 2026-03-17 04:56:58 +01:00
JavaScript: Recognize string escaping using .replace with a callback.
This commit is contained in:
Max Schaefer
@@ -156,6 +156,14 @@ class GlobalStringReplacement extends Replacement, DataFlow::MethodCallNode {
|
||||
override predicate replaces(string input, string output) {
|
||||
input = getStringValue(pattern) and
|
||||
output = this.getArgument(1).getStringValue()
|
||||
or
|
||||
exists(DataFlow::FunctionNode replacer, DataFlow::PropRead pr, DataFlow::ObjectLiteralNode map |
|
||||
replacer = getCallback(1) and
|
||||
replacer.getParameter(0).flowsToExpr(pr.getPropertyNameExpr()) and
|
||||
pr = map.getAPropertyRead() and
|
||||
pr.flowsTo(replacer.getAReturn()) and
|
||||
map.asExpr().(ObjectExpr).getPropertyByName(input).getInit().getStringValue() = output
|
||||
)
|
||||
}
|
||||
|
||||
override DataFlow::Node getInput() {
|
||||
|
||||
@@ -7,3 +7,4 @@
|
||||
| tst.js:68:10:70:38 | s.repla ... &") | This replacement may double-escape '&' characters from $@. | tst.js:68:10:69:39 | s.repla ... apos;") | here |
|
||||
| tst.js:74:10:77:10 | JSON.st ... ) | This replacement may double-escape '\\' characters from $@. | tst.js:75:12:76:37 | s.repla ... u003E") | here |
|
||||
| tst.js:86:10:86:22 | JSON.parse(s) | This replacement may produce '\\' characters that are double-unescaped $@. | tst.js:86:10:86:47 | JSON.pa ... g, "<") | here |
|
||||
| tst.js:99:10:99:66 | s.repla ... &") | This replacement may double-escape '&' characters from $@. | tst.js:99:10:99:43 | s.repla ... epl[c]) | here |
|
||||
|
||||
@@ -89,3 +89,12 @@ function badUnescape2(s) {
|
||||
function goodUnescape2(s) {
|
||||
return JSON.parse(s.replace(/\\u003C/g, "<").replace(/\\u003E/g, ">"));
|
||||
}
|
||||
|
||||
function badEncodeWithReplacer(s) {
|
||||
var repl = {
|
||||
'"': """,
|
||||
"'": "'",
|
||||
"&": "&"
|
||||
};
|
||||
return s.replace(/["']/g, (c) => repl[c]).replace(/&/g, "&");
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user