JavaScript: Track taint through RegExp.prototype.replace.

2026-04-30 19:26:02 +02:00 · 2019-02-06 11:00:22 +00:00
parent 25d06ad0cf
commit b314c546e1
2 changed files with 22 additions and 0 deletions
--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -473,6 +473,27 @@ module TaintTracking {
    }
  }

+  /**
+   * A taint-propagating data flow edge from the first (and only) argument in a call to
+   * `RegExp.prototype.exec` to its result.
+   */
+  private class RegExpExecTaintStep extends AdditionalTaintStep {
+    DataFlow::MethodCallNode self;
+
+    RegExpExecTaintStep() {
+      this = self and
+      self.getReceiver().analyze().getAType() = TTRegExp() and
+      self.getMethodName() = "exec" and
+      self.getNumArgument() = 1
+    }
+
+
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      pred = self.getArgument(0) and
+      succ = this
+    }
+  }
+
  /**
   * A taint propagating data flow edge arising from JSON unparsing.
   */
--- a/javascript/ql/test/library-tests/InterProceduralFlow/TaintTracking.expected
+++ b/javascript/ql/test/library-tests/InterProceduralFlow/TaintTracking.expected
@@ -50,6 +50,7 @@
 | tst.js:2:17:2:22 | "src1" | tst.js:4:15:4:29 | RegExp(source1) |
 | tst.js:2:17:2:22 | "src1" | tst.js:5:15:5:33 | new String(source1) |
 | tst.js:2:17:2:22 | "src1" | tst.js:6:15:6:33 | new String(source1) |
+| tst.js:2:17:2:22 | "src1" | tst.js:11:17:11:20 | m[0] |
 | tst.js:2:17:2:22 | "src1" | tst.js:14:15:14:32 | decodeURI(source1) |
 | tst.js:2:17:2:22 | "src1" | tst.js:15:15:15:41 | decodeU ... ource1) |
 | tst.js:2:17:2:22 | "src1" | tst.js:16:15:16:32 | encodeURI(source1) |