hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-27 09:45:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: improve tests for fixup js/incomplete-hostname-regexp

Browse Source
This commit is contained in:
Esben Sparre Andreasen
2019-04-03 13:00:07 +02:00
parent cf7d0a7ea5
commit d643904faf
2 changed files with 18 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
javascript/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp.expected
View File

@@ -2,13 +2,13 @@
| tst-IncompleteHostnameRegExp.js:5:2:5:28 | /http:\\ ... le.net/ | This regular expression has an unescaped '.' before 'example.net', so it might match more hosts than expected. |
| tst-IncompleteHostnameRegExp.js:6:2:6:42 | /http:\\ ... b).com/ | This regular expression has an unescaped '.' before '(example-a\|example-b).com', so it might match more hosts than expected. |
| tst-IncompleteHostnameRegExp.js:11:13:11:37 | "http:/ ... le.com" | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. |
| tst-IncompleteHostnameRegExp.js:12:10:12:34 | "http:/ ... le.com" | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. |
| tst-IncompleteHostnameRegExp.js:12:10:12:35 | "^http: ... le.com" | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. |
| tst-IncompleteHostnameRegExp.js:15:22:15:46 | "http:/ ... le.com" | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. |
| tst-IncompleteHostnameRegExp.js:17:13:17:31 | `test.example.com$` | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. |
| tst-IncompleteHostnameRegExp.js:17:14:17:30 | test.example.com$ | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. |
| tst-IncompleteHostnameRegExp.js:19:17:19:34 | 'test.example.com' | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. |
| tst-IncompleteHostnameRegExp.js:22:27:22:44 | 'test.example.com' | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. |
| tst-IncompleteHostnameRegExp.js:28:22:28:39 | 'test.example.com' | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. |
| tst-IncompleteHostnameRegExp.js:28:23:28:40 | 'test.example.com' | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. |
| tst-IncompleteHostnameRegExp.js:37:2:37:54 | /^(http ... =$\|\\/)/ | This regular expression has an unescaped '.' before ')?example.com', so it might match more hosts than expected. |
| tst-IncompleteHostnameRegExp.js:38:2:38:44 | /^(http ... p\\/f\\// | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. |
| tst-IncompleteHostnameRegExp.js:39:2:39:34 | /\\(http ... m\\/\\)/g | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. |
@@ -19,3 +19,6 @@
| tst-IncompleteHostnameRegExp.js:43:2:43:33 | /^https ... e.com$/ | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. |
| tst-IncompleteHostnameRegExp.js:44:9:44:100 | 'protos ... ernal)' | This regular expression has an unescaped '.' before 'example-b.com', so it might match more hosts than expected. |
| tst-IncompleteHostnameRegExp.js:46:2:46:26 | /exampl ... le.com/ | This regular expression has an unescaped '.' before 'dev\|example.com', so it might match more hosts than expected. |
| tst-IncompleteHostnameRegExp.js:48:13:48:68 | '^http: ... e\\.com' | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. |
| tst-IncompleteHostnameRegExp.js:48:41:48:68 | '^https ... e\\.com' | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. |
| tst-IncompleteHostnameRegExp.js:53:13:53:35 | 'test.' ... le.com' | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. |

19
javascript/ql/test/query-tests/Security/CWE-020/tst-IncompleteHostnameRegExp.js
View File

@@ -9,7 +9,7 @@
/http:\/\/(?:.+)\\.test\\.example.com/; // NOT OK, but not yet supported with enough precision
/http:\/\/test.example.com\/(?:.*)/; // OK
new RegExp("http://test.example.com"); // NOT OK
s.match("http://test.example.com"); // NOT OK
s.match("^http://test.example.com"); // NOT OK
function id(e) { return e; }
new RegExp(id(id(id("http://test.example.com")))); // NOT OK
@@ -22,16 +22,16 @@
let domain = { hostname: 'test.example.com' };
new RegExp(domain.hostname);
function convert(domain) {
function convert1(domain) {
return new RegExp(domain.hostname);
}
convert({ hostname: 'test.example.com' }); // NOT OK
convert1({ hostname: 'test.example.com' }); // NOT OK
let domains = [ { hostname: 'test.example.com' } ]; // NOT OK, but not yet supported
function convert(domain) {
let domains = [ { hostname: 'test.example.com' } ]; // NOT OK
function convert2(domain) {
return new RegExp(domain.hostname);
}
domains.map(d => convert(d));
domains.map(d => convert2(d));
/(.+\.(?:example-a|example-b)\.com)/; // NOT OK, but not yet supported with enough precision
/^(https?:)?\/\/((service|www).)?example.com(?=$|\/)/; // NOT OK
@@ -44,4 +44,11 @@
RegExp('protos?://(localhost|.+.example.net|.+.example-a.com|.+.example-b.com|.+.example.internal)'); // NOT OK
/example.dev|example.com/; // OK, but still flagged
new RegExp('^http://localhost:8000|' + '^https?://.+\.example\.com'); // NOT OK
var primary = 'example.com';
new RegExp('test.' + primary); // NOT OK, but not detected
new RegExp('test.' + 'example.com'); // NOT OK
});