JS: Move hasWildcardReplaceRegExp to a shared place

Asger F
2024-03-13 09:19:26 +01:00
parent 4043bc13ab
commit e66f27cfe3
3 changed files with 12 additions and 15 deletions


@@ -154,6 +154,15 @@ class StringReplaceCall extends DataFlow::MethodCallNode {
new = ret.getStringValue() new = ret.getStringValue()
) )
} }
/**
* Holds if this call takes a regexp containing a wildcard-like term such as `.`.
*
* Also see `RegExp::isWildcardLike`.
*/
final predicate hasRegExpContainingWildcard() {
RegExp::isWildcardLike(this.getRegExp().getRoot().getAChild*())
}
} }
/** /**
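Review bot: The new member predicate `hasRegExpContainingWildcard` is declared without the `pragma[noinline]` that both removed `hasWildcardReplaceRegExp` helpers carried, so the `getAChild*()` closure may now be inlined into its three call sites (the `.replace` callback step in `TaintTracking` and the two `getACall` overrides in the flow-summary file). If the pragma was there to pin the join order, keep it by putting `pragma[noinline]` on the line before `final predicate hasRegExpContainingWildcard() {`. The QLDoc could also say that the predicate presumably does not hold when `getRegExp()` has no result (for example a plain string pattern). The negated use in `StringReplaceNoWildcard` depends on that to decide which `.replace` calls get the no-wildcard summary.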


@@ -424,7 +424,7 @@ module TaintTracking {
// In and out of .replace callbacks // In and out of .replace callbacks
exists(StringReplaceCall call | exists(StringReplaceCall call |
// Into the callback if the regexp does not sanitize matches // Into the callback if the regexp does not sanitize matches
hasWildcardReplaceRegExp(call) and call.hasRegExpContainingWildcard() and
pred = call.getReceiver() and pred = call.getReceiver() and
succ = call.getReplacementCallback().getParameter(0) succ = call.getReplacementCallback().getParameter(0)
or or
@@ -435,12 +435,6 @@ module TaintTracking {
} }
} }
/** Holds if the given call takes a regexp containing a wildcard. */
pragma[noinline]
private predicate hasWildcardReplaceRegExp(StringReplaceCall call) {
RegExp::isWildcardLike(call.getRegExp().getRoot().getAChild*())
}
/** /**
* A taint propagating data flow edge arising from string formatting. * A taint propagating data flow edge arising from string formatting.
*/ */


@@ -5,12 +5,6 @@
private import javascript private import javascript
private import semmle.javascript.dataflow.FlowSummary private import semmle.javascript.dataflow.FlowSummary
/** Holds if the given call takes a regexp containing a wildcard. */
pragma[noinline]
private predicate hasWildcardReplaceRegExp(StringReplaceCall call) {
RegExp::isWildcardLike(call.getRegExp().getRoot().getAChild*())
}
/** /**
* Summary for calls to `.replace` or `.replaceAll` (without a regexp pattern containing a wildcard). * Summary for calls to `.replace` or `.replaceAll` (without a regexp pattern containing a wildcard).
*/ */
@@ -19,7 +13,7 @@ private class StringReplaceNoWildcard extends SummarizedCallable {
this = "String#replace / String#replaceAll (without wildcard pattern)" this = "String#replace / String#replaceAll (without wildcard pattern)"
} }
override StringReplaceCall getACall() { not hasWildcardReplaceRegExp(result) } override StringReplaceCall getACall() { not result.hasRegExpContainingWildcard() }
override predicate propagatesFlowExt(string input, string output, boolean preservesValue) { override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
preservesValue = false and preservesValue = false and
@@ -43,7 +37,7 @@ private class StringReplaceWithWildcard extends SummarizedCallable {
this = "String#replace / String#replaceAll (with wildcard pattern)" this = "String#replace / String#replaceAll (with wildcard pattern)"
} }
override StringReplaceCall getACall() { hasWildcardReplaceRegExp(result) } override StringReplaceCall getACall() { result.hasRegExpContainingWildcard() }
override predicate propagatesFlowExt(string input, string output, boolean preservesValue) { override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
preservesValue = false and preservesValue = false and