apply suggestions from review

erik-krogh · erik-krogh · commit 26fcf6b25be2 · 2022-08-18T15:00:57.000+02:00
diff --git a/javascript/ql/src/Security/CWE-178/CaseSensitiveMiddlewarePath.ql b/javascript/ql/src/Security/CWE-178/CaseSensitiveMiddlewarePath.ql
@@ -104,13 +104,13 @@ predicate isGuardedCaseInsensitiveEndpoint(
 }
 
 /**
- * Gets an byPassExample path that will hit `endpoint`.
- * Query parameters (e.g. the ":param" in "/foo/:param") have been replaced with byPassExample values.
+ * Gets an example path that will hit `endpoint`.
+ * Query parameters (e.g. the ":param" in "/foo/:param") have been replaced with example values.
  */
 string getAnEndpointExample(Routing::RouteSetup endpoint) {
   exists(string raw |
     raw = endpoint.getRelativePath().toLowerCase() and
-    result = raw.regexpReplaceAll(":\\w+\\b", ["a", "1"])
+    result = raw.regexpReplaceAll(":\\w+\\b|\\*", ["a", "1"])
   )
 }
 
diff --git a/javascript/ql/test/query-tests/Security/CWE-178/CaseSensitiveMiddlewarePath.expected b/javascript/ql/test/query-tests/Security/CWE-178/CaseSensitiveMiddlewarePath.expected
@@ -1,3 +1,4 @@
 | tst.js:8:9:8:19 | /\\/foo\\/.*/ | This route uses a case-sensitive path $@, but is guarding a case-insensitive path $@. A path such as '/FOO/' will bypass the middleware. | tst.js:8:9:8:19 | /\\/foo\\/.*/ | pattern | tst.js:60:1:61:2 | app.get ... ware\\n}) | here |
 | tst.js:14:5:14:28 | new Reg ... (.*)?') | This route uses a case-sensitive path $@, but is guarding a case-insensitive path $@. A path such as '/FOO' will bypass the middleware. | tst.js:14:5:14:28 | new Reg ... (.*)?') | pattern | tst.js:60:1:61:2 | app.get ... ware\\n}) | here |
 | tst.js:41:9:41:25 | /\\/foo\\/([0-9]+)/ | This route uses a case-sensitive path $@, but is guarding a case-insensitive path $@. A path such as '/FOO/0' will bypass the middleware. | tst.js:41:9:41:25 | /\\/foo\\/([0-9]+)/ | pattern | tst.js:60:1:61:2 | app.get ... ware\\n}) | here |
+| tst.js:64:5:64:28 | new Reg ... (.*)?') | This route uses a case-sensitive path $@, but is guarding a case-insensitive path $@. A path such as '/BAR' will bypass the middleware. | tst.js:64:5:64:28 | new Reg ... (.*)?') | pattern | tst.js:73:1:74:2 | app.get ... ware\\n}) | here |
diff --git a/javascript/ql/test/query-tests/Security/CWE-178/tst.js b/javascript/ql/test/query-tests/Security/CWE-178/tst.js
@@ -59,3 +59,16 @@ app.use(/\/foo\/([0-9]+)/i, (req, res) => { // OK - not middleware (also case in
 
 app.get('/foo/:param', (req, res) => { // OK - not a middleware
 });
+
+app.get(
+    new RegExp('^/bar(.*)?'), // NOT OK - case sensitive
+    unknown(),
+    function(req, res, next) {
+        if (req.params.blah) {
+            next();
+        }
+    }
+);
+
+app.get('/bar/*', (req, res) => { // OK - not a middleware
+});

Original file line number	Diff line number	Diff line change
`@@ -104,13 +104,13 @@ predicate isGuardedCaseInsensitiveEndpoint(`
`104`	`104`	`}`
`105`	`105`
`106`	`106`	`/**`
`107`		- * Gets an byPassExample path that will hit `endpoint`.
`108`		`- * Query parameters (e.g. the ":param" in "/foo/:param") have been replaced with byPassExample values.`
	`107`	+ * Gets an example path that will hit `endpoint`.
	`108`	`+ * Query parameters (e.g. the ":param" in "/foo/:param") have been replaced with example values.`
`109`	`109`	`*/`
`110`	`110`	`string getAnEndpointExample(Routing::RouteSetup endpoint) {`
`111`	`111`	`exists(string raw \|`
`112`	`112`	`raw = endpoint.getRelativePath().toLowerCase() and`
`113`		`- result = raw.regexpReplaceAll(":\\w+\\b", ["a", "1"])`
	`113`	`+ result = raw.regexpReplaceAll(":\\w+\\b\|\\*", ["a", "1"])`
`114`	`114`	`)`
`115`	`115`	`}`
`116`	`116`