mirror of
https://github.com/github/codeql.git
synced 2025-12-17 17:23:36 +01:00
46 lines
1.1 KiB
JavaScript
46 lines
1.1 KiB
JavaScript
function test(x) {
|
|
let taint = source();
|
|
|
|
if (/Hello (.*)/.exec(taint)) {
|
|
sink(RegExp.$1); // NOT OK
|
|
}
|
|
|
|
if (/Foo (.*)/.exec(x)) {
|
|
sink(RegExp.$1); // OK
|
|
} else {
|
|
sink(RegExp.$1); // NOT OK [INCONSISTENCY] - previous capture group remains
|
|
}
|
|
|
|
if (/Hello ([a-zA-Z]+)/.exec(taint)) {
|
|
sink(RegExp.$1); // OK [INCONSISTENCY] - capture group is sanitized
|
|
} else {
|
|
sink(RegExp.$1); // NOT OK [found but for the wrong reason] - original capture group possibly remains
|
|
}
|
|
|
|
if (/Hello (.*)/.exec(taint) && something()) {
|
|
sink(RegExp.$1); // NOT OK
|
|
}
|
|
if (something() && /Hello (.*)/.exec(taint)) {
|
|
sink(RegExp.$1); // NOT OK
|
|
}
|
|
if (/First (.*)/.exec(taint) || /Second (.*)/.exec(taint)) {
|
|
sink(RegExp.$1); // NOT OK
|
|
}
|
|
}
|
|
|
|
function test2(x) {
|
|
var taint = source();
|
|
if (something()) {
|
|
if (/Hello (.*)/.exec(taint)) {
|
|
something();
|
|
}
|
|
}
|
|
sink(RegExp.$1); // NOT OK
|
|
}
|
|
|
|
function replaceCallback() {
|
|
return source().replace(/(\w+)/, () => {
|
|
sink(RegExp.$1); // NOT OK
|
|
});
|
|
}
|