JS: Restrict RegExp queries to actual regular expressions

2026-05-02 20:25:13 +02:00 · 2019-10-22 13:52:02 +01:00
parent b8711fc642
commit c21d095d38
12 changed files with 83 additions and 40 deletions
--- a/javascript/ql/src/RegExp/IdentityReplacement.ql
+++ b/javascript/ql/src/RegExp/IdentityReplacement.ql
@@ -31,36 +31,39 @@ predicate matchesString(Expr e, string s) {
 */
 language[monotonicAggregates]
 predicate regExpMatchesString(RegExpTerm t, string s) {
-  // constants match themselves
-  s = t.(RegExpConstant).getValue()
-  or
-  // assertions match the empty string
+  t.isPartOfRegExpLiteral() and
  (
-    t instanceof RegExpCaret or
-    t instanceof RegExpDollar or
-    t instanceof RegExpWordBoundary or
-    t instanceof RegExpNonWordBoundary or
-    t instanceof RegExpLookahead or
-    t instanceof RegExpLookbehind
-  ) and
-  s = ""
-  or
-  // groups match their content
-  regExpMatchesString(t.(RegExpGroup).getAChild(), s)
-  or
-  // single-character classes match that character
-  exists(RegExpCharacterClass recc | recc = t and not recc.isInverted() |
-    recc.getNumChild() = 1 and
-    regExpMatchesString(recc.getChild(0), s)
-  )
-  or
-  // sequences match the concatenation of their elements
-  exists(RegExpSequence seq | seq = t |
-    s = concat(int i, RegExpTerm child |
-        child = seq.getChild(i)
-      |
-        any(string subs | regExpMatchesString(child, subs)) order by i
-      )
+    // constants match themselves
+    s = t.(RegExpConstant).getValue()
+    or
+    // assertions match the empty string
+    (
+      t instanceof RegExpCaret or
+      t instanceof RegExpDollar or
+      t instanceof RegExpWordBoundary or
+      t instanceof RegExpNonWordBoundary or
+      t instanceof RegExpLookahead or
+      t instanceof RegExpLookbehind
+    ) and
+    s = ""
+    or
+    // groups match their content
+    regExpMatchesString(t.(RegExpGroup).getAChild(), s)
+    or
+    // single-character classes match that character
+    exists(RegExpCharacterClass recc | recc = t and not recc.isInverted() |
+      recc.getNumChild() = 1 and
+      regExpMatchesString(recc.getChild(0), s)
+    )
+    or
+    // sequences match the concatenation of their elements
+    exists(RegExpSequence seq | seq = t |
+      s = concat(int i, RegExpTerm child |
+          child = seq.getChild(i)
+        |
+          any(string subs | regExpMatchesString(child, subs)) order by i
+        )
+    )
  )
 }