JS: Add test case showing lack of flow through non-sanitising regexp

2026-04-25 08:45:14 +02:00 · 2025-02-28 13:56:13 +01:00
parent 93b11146d8
commit d97d67359b
2 changed files with 7 additions and 0 deletions
--- a/javascript/ql/test/library-tests/TaintTracking/DataFlowTracking.expected
+++ b/javascript/ql/test/library-tests/TaintTracking/DataFlowTracking.expected
@@ -161,6 +161,7 @@ flow
 | partialCalls.js:4:17:4:24 | source() | partialCalls.js:30:14:30:20 | x.value |
 | partialCalls.js:4:17:4:24 | source() | partialCalls.js:41:10:41:18 | id(taint) |
 | partialCalls.js:4:17:4:24 | source() | partialCalls.js:51:14:51:14 | x |
+| regexp-sanitiser.js:2:19:2:26 | source() | regexp-sanitiser.js:4:14:4:18 | taint |
 | sanitizer-function.js:12:17:12:24 | source() | sanitizer-function.js:14:10:14:14 | taint |
 | sanitizer-function.js:12:17:12:24 | source() | sanitizer-function.js:17:14:17:18 | taint |
 | sanitizer-function.js:12:17:12:24 | source() | sanitizer-function.js:21:14:21:18 | taint |
--- a/javascript/ql/test/library-tests/TaintTracking/regexp-sanitiser.js
+++ b/javascript/ql/test/library-tests/TaintTracking/regexp-sanitiser.js
@@ -0,0 +1,6 @@
+function foo() {
+    const taint = source();
+    if (/^asd[\s\S]*$/.test(taint)) {
+        sink(taint); // NOT OK [INCONSISTENCY]
+    }
+}