JavaScript: Deal with escape-unescape-escape (and similar) chains.

2026-04-30 03:05:15 +02:00 · 2019-10-30 14:49:01 +00:00
parent 8c133ff61d
commit bb0771b36c
2 changed files with 10 additions and 2 deletions
--- a/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
+++ b/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
@@ -135,7 +135,9 @@ abstract class Replacement extends DataFlow::Node {
    exists(Replacement pred | pred = this.getPreviousReplacement() |
      if pred.escapes(_, metachar)
      then result = pred
-      else result = pred.getAnEarlierEscaping(metachar)
+      else (
+        not pred.unescapes(metachar, _) and result = pred.getAnEarlierEscaping(metachar)
+      )
    )
  }

@@ -147,7 +149,9 @@ abstract class Replacement extends DataFlow::Node {
    exists(Replacement succ | this = succ.getPreviousReplacement() |
      if succ.unescapes(metachar, _)
      then result = succ
-      else result = succ.getALaterUnescaping(metachar)
+      else (
+        not succ.escapes(_, metachar) and result = succ.getALaterUnescaping(metachar)
+      )
    )
  }
 }
--- a/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js
@@ -130,3 +130,7 @@ function testWithCapturedVar(x) {
    captured = captured.replace(/\\/g, "\\\\");
  })();
 }
+
+function cloneAndStringify(s) {
+  return JSON.stringify(JSON.parse(JSON.stringify(s)));
+}