dont sanitize global replacements where the regexp is a char class

2026-04-24 16:25:15 +02:00 · 2021-01-12 18:15:59 +01:00
parent 0a17b04650
commit d71adff079
4 changed files with 30 additions and 1 deletions
--- a/javascript/ql/src/semmle/javascript/security/performance/PolynomialReDoSCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/performance/PolynomialReDoSCustomizations.qll
@@ -84,7 +84,13 @@ module PolynomialReDoS {
   */
  class StringLengthLimiter extends Sanitizer {
    StringLengthLimiter() {
-      this.(StringReplaceCall).isGlobal()
+      this.(StringReplaceCall).isGlobal() and
+      // not char classes - they don't remove any repeated pattern.
+      not exists(RegExpTerm root | root = this.(StringReplaceCall).getRegExp().getRoot() |
+        root instanceof RegExpCharacterClass
+        or
+        root instanceof RegExpCharacterClassEscape
+      )
      or
      exists(string name | name = "slice" or name = "substring" or name = "substr" |
        this.(DataFlow::MethodCallNode).getMethodName() = name