hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

JavaScript: Deal with (un-)escaping on captured variables.

Browse Source
This commit is contained in:
Max Schaefer
2019-10-30 14:46:50 +00:00
parent 61aa075e8d
commit cb54618a5d
2 changed files with 13 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
View File

@@ -46,7 +46,12 @@ string getStringValue(RegExpLiteral rl) {
*/
DataFlow::Node getASimplePredecessor(DataFlow::Node nd) {
result = nd.getAPredecessor() and
not nd.(DataFlow::SsaDefinitionNode).getSsaVariable().getDefinition() instanceof SsaPhiNode
not exists(SsaDefinition ssa |
ssa = nd.(DataFlow::SsaDefinitionNode).getSsaVariable().getDefinition()
|
ssa instanceof SsaPhiNode or
ssa instanceof SsaVariableCapture
)
}
/**

7
javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js
View File

@@ -83,3 +83,10 @@ function badEncodeWithReplacer(s) {
function badRoundtrip(s) {
return s.replace(/\\\\/g, "\\").replace(/\\/g, "\\\\");
}
function testWithCapturedVar(x) {
var captured = x;
(function() {
captured = captured.replace(/\\/g, "\\\\");
})();
}