cache isInterpretedAsRegExp

erik-krogh · erik-krogh · commit 60993214d5ab · 2021-09-21T12:13:37.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/Regexp.qll b/javascript/ql/lib/semmle/javascript/Regexp.qll
@@ -7,6 +7,7 @@
 
 import javascript
 private import semmle.javascript.dataflow.InferredTypes
+private import semmle.javascript.internal.CachedStages
 
 /**
  * An element containing a regular expression term, that is, either
@@ -955,7 +956,9 @@ private predicate isUsedAsNonMatchObject(DataFlow::MethodCallNode call) {
 /**
  * Holds if `source` may be interpreted as a regular expression.
  */
+cached
 predicate isInterpretedAsRegExp(DataFlow::Node source) {
+  Stages::Taint::ref() and
   source.analyze().getAType() = TTString() and
   (
     // The first argument to an invocation of `RegExp` (with or without `new`).
diff --git a/javascript/ql/lib/semmle/javascript/internal/CachedStages.qll b/javascript/ql/lib/semmle/javascript/internal/CachedStages.qll
@@ -260,6 +260,8 @@ module Stages {
       exists(RemoteFlowSource r)
       or
       exists(Exports::getALibraryInputParameter())
+      or
+      any(RegExpTerm t).isUsedAsRegExp()
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -260,6 +260,8 @@ module Stages {`
`260`	`260`	`exists(RemoteFlowSource r)`
`261`	`261`	`or`
`262`	`262`	`exists(Exports::getALibraryInputParameter())`
	`263`	`+ or`
	`264`	`+ any(RegExpTerm t).isUsedAsRegExp()`
`263`	`265`	`}`
`264`	`266`	`}`
`265`	`267`	`}`