QL code and tests for C#/C++/JavaScript.

2026-04-29 02:35:15 +02:00 · 2018-08-02 17:53:23 +01:00
commit b55526aa58
10684 changed files with 581163 additions and 0 deletions
--- a/javascript/ql/src/Security/CWE-730/RegExpInjection.qhelp
+++ b/javascript/ql/src/Security/CWE-730/RegExpInjection.qhelp
@@ -0,0 +1,48 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Constructing a regular expression with unsanitized user input is dangerous as a malicious user may
+be able to modify the meaning of the expression. In particular, such a user may be able to provide
+a regular expression fragment that takes exponential time in the worst case, and use that to
+perform a Denial of Service attack.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Before embedding user input into a regular expression, use a sanitization function such as
+lodash's <code>_.escapeRegExp</code> to escape meta-characters that have special meaning.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example shows a HTTP request parameter that is used to construct a regular expression
+without sanitizing it first:
+</p>
+<sample src="examples/RegExpInjection.js" />
+<p>
+Instead, the request parameter should be sanitized first, for example using the function
+<code>_.escapeRegExp</code> from the lodash package. This ensures that the user cannot insert
+characters which have a special meaning in regular expressions.
+</p>
+<sample src="examples/RegExpInjectionGood.js" />
+</example>
+
+<references>
+<li>
+OWASP:
+<a href="https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS">Regular expression Denial of Service - ReDoS</a>.
+</li>
+<li>
+Wikipedia: <a href="https://en.wikipedia.org/wiki/ReDoS">ReDoS</a>.
+</li>
+<li>
+npm: <a href="https://www.npmjs.com/package/lodash">lodash</a>.
+</li>
+</references>
+</qhelp>
--- a/javascript/ql/src/Security/CWE-730/RegExpInjection.ql
+++ b/javascript/ql/src/Security/CWE-730/RegExpInjection.ql
@@ -0,0 +1,20 @@
+/**
+ * @name Regular expression injection
+ * @description User input should not be used in regular expressions without first being escaped,
+ *              otherwise a malicious user may be able to inject an expression that could require
+ *              exponential time on certain inputs.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id js/regex-injection
+ * @tags security
+ *       external/cwe/cwe-730
+ *       external/cwe/cwe-400
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.RegExpInjection::RegExpInjection
+
+from Configuration c, DataFlow::Node source, DataFlow::Node sink
+where c.hasFlow(source, sink)
+select sink, "This regular expression is constructed from a $@.", source, "user-provided value"
--- a/javascript/ql/src/Security/CWE-730/examples/RegExpInjection.js
+++ b/javascript/ql/src/Security/CWE-730/examples/RegExpInjection.js
@@ -0,0 +1,9 @@
+var express = require('express');
+var app = express();
+
+app.get('/findKey', function(req, res) {
+  var key = req.param("key"), input = req.param("input");
+
+  // BAD: Unsanitized user input is used to construct a regular expression
+  var re = new RegExp("\\b" + key + "=(.*)\n");
+});
--- a/javascript/ql/src/Security/CWE-730/examples/RegExpInjectionGood.js
+++ b/javascript/ql/src/Security/CWE-730/examples/RegExpInjectionGood.js
@@ -0,0 +1,11 @@
+var express = require('express');
+var _ = require('lodash');
+var app = express();
+
+app.get('/findKey', function(req, res) {
+  var key = req.param("key"), input = req.param("input");
+
+  // GOOD: User input is sanitized before constructing the regex
+  var safeKey = _.escapeRegExp(key);
+  var re = new RegExp("\\b" + safeKey + "=(.*)\n");
+});