hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-12 02:09:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: Exclude error handling from auth calls

Browse Source
This commit is contained in:
Asger Feldthaus
2021-10-12 10:23:50 +02:00
parent 400bf10cc3
commit d0e94e655d
2 changed files with 7 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
javascript/ql/lib/semmle/javascript/security/SensitiveActions.qll
View File

@@ -147,8 +147,8 @@ class AuthorizationCall extends SensitiveAction, DataFlow::CallNode {
AuthorizationCall() {
exists(string s | s = this.getCalleeName() |
// name contains `login` or `auth`, but not as part of `loginfo` or `unauth`;
// also exclude `author`
s.regexpMatch("(?i).*(login(?!fo)|(?<!un)auth(?!or\\b)|verify).*") and
// also exclude `author` and words followed by `err` (as in `error`)
s.regexpMatch("(?i).*(login(?!fo)|(?<!un)auth(?!or\\b)|verify)(?!err).*") and
// but it does not start with `get` or `set`
not s.regexpMatch("(?i)(get|set).*")
)