Merge pull request #7076 from asgerf/js/tainted-path-regexp-guard2

Approved by erik-krogh
2026-04-30 19:26:02 +02:00 · 2021-11-09 03:40:37 -08:00
parent d9e02e83fe f14f9449ee
commit d9d304fc13
2 changed files with 4 additions and 1 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
@@ -459,7 +459,7 @@ module TaintedPath {
   * An expression of form `x.matches(/\.\./)` or similar.
   */
  class ContainsDotDotRegExpSanitizer extends BarrierGuardNode instanceof StringOps::RegExpTest {
-    ContainsDotDotRegExpSanitizer() { super.getRegExp().getConstantValue() = [".", "..", "../"] }
+    ContainsDotDotRegExpSanitizer() { super.getRegExp().getAMatchedString() = [".", "..", "../"] }

    override predicate blocks(boolean outcome, Expr e, DataFlow::FlowLabel label) {
      e = super.getStringOperand().asExpr() and
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js
@@ -398,4 +398,7 @@ app.get('/dotdot-regexp', (req, res) => {
  if (!path.match(/\.\.\/foo/)) {
    fs.readFileSync(path); // NOT OK
  }
+  if (!path.match(/(\.\.\/|\.\.\\)/)) {
+    fs.readFileSync(path); // OK
+  }
 });