don't report every non-ascii range in js/overly-large-range

2026-04-29 18:55:14 +02:00 · 2022-09-13 20:43:52 +02:00
parent 74eb6b2b98
commit e7aef17d30
2 changed files with 7 additions and 1 deletions
--- a/javascript/ql/lib/semmle/javascript/security/OverlyLargeRangeQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/OverlyLargeRangeQuery.qll
@@ -96,7 +96,10 @@ class OverlyWideRange extends RegExpCharacterRange {
      toCodePoint("A") <= high
      or
      // a non-alphanumeric char as part of the range boundaries
-      exists(int bound | bound = [low, high] | not isAlphanumeric(bound.toUnicode()))
+      exists(int bound | bound = [low, high] | not isAlphanumeric(bound.toUnicode())) and
+      // while still being ascii
+      low < 128 and
+      high < 128
    ) and
    // allowlist for known ranges
    not this = allowedWideRanges()
--- a/javascript/ql/test/query-tests/Security/CWE-020/SuspiciousRegexpRange/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-020/SuspiciousRegexpRange/tst.js
@@ -25,3 +25,6 @@ var numberToLetter = /[7-F]/; // NOT OK
 var overlapsWithClass1 = /[0-9\d]/; // NOT OK

 var overlapsWithClass2 = /[\w,.-?:*+]/; // NOT OK
+
+var tst2 = /^([ァ-ヾ]|[ｧ-ﾝﾞﾟ])+$/; // OK
+var tst3 = /[0-9０-９]/; // OK