JS: protyte poluting now treats unknownFlags as potentially good sanitization.

Author: Napalys

javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll

@@ -46,7 +46,7 @@ class Configuration extends TaintTracking::Configuration {
       // Replacing with "_" is likely to be exploitable
       not replace.getRawReplacement().getStringValue() = "_" and
       (
-        replace.isGlobal()
+        replace.maybeGlobal()
         or
         // Non-global replace with a non-empty string can also prevent __proto__ by
         // inserting a chunk of text that doesn't fit anywhere in __proto__

javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/PrototypePollutingAssignment.expected

@@ -195,11 +195,6 @@ nodes
 | tst.js:130:9:130:19 | req.query.x |
 | tst.js:130:9:130:19 | req.query.x |
 | tst.js:130:9:130:52 | req.que ... '), '') |
-| tst.js:131:5:131:65 | obj[req ... ), '')] |
-| tst.js:131:5:131:65 | obj[req ... ), '')] |
-| tst.js:131:9:131:19 | req.query.x |
-| tst.js:131:9:131:19 | req.query.x |
-| tst.js:131:9:131:64 | req.que ... )), '') |
 edges
 | lib.js:1:38:1:40 | obj | lib.js:6:7:6:9 | obj |
 | lib.js:1:38:1:40 | obj | lib.js:6:7:6:9 | obj |
@@ -380,10 +375,6 @@ edges
 | tst.js:130:9:130:19 | req.query.x | tst.js:130:9:130:52 | req.que ... '), '') |
 | tst.js:130:9:130:52 | req.que ... '), '') | tst.js:130:5:130:53 | obj[req ... ), '')] |
 | tst.js:130:9:130:52 | req.que ... '), '') | tst.js:130:5:130:53 | obj[req ... ), '')] |
-| tst.js:131:9:131:19 | req.query.x | tst.js:131:9:131:64 | req.que ... )), '') |
-| tst.js:131:9:131:19 | req.query.x | tst.js:131:9:131:64 | req.que ... )), '') |
-| tst.js:131:9:131:64 | req.que ... )), '') | tst.js:131:5:131:65 | obj[req ... ), '')] |
-| tst.js:131:9:131:64 | req.que ... )), '') | tst.js:131:5:131:65 | obj[req ... ), '')] |
 #select
 | lib.js:6:7:6:9 | obj | lib.js:1:43:1:46 | path | lib.js:6:7:6:9 | obj | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:1:43:1:46 | path | library input |
 | lib.js:15:3:15:14 | obj[path[0]] | lib.js:14:38:14:41 | path | lib.js:15:3:15:14 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:14:38:14:41 | path | library input |
@@ -413,4 +404,3 @@ edges
 | tst.js:97:5:97:46 | obj[req ... g, '')] | tst.js:97:9:97:19 | req.query.x | tst.js:97:5:97:46 | obj[req ... g, '')] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:97:9:97:19 | req.query.x | user controlled input |
 | tst.js:105:5:105:17 | object[taint] | tst.js:102:24:102:37 | req.query.data | tst.js:105:5:105:17 | object[taint] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:102:24:102:37 | req.query.data | user controlled input |
 | tst.js:130:5:130:53 | obj[req ... ), '')] | tst.js:130:9:130:19 | req.query.x | tst.js:130:5:130:53 | obj[req ... ), '')] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:130:9:130:19 | req.query.x | user controlled input |
-| tst.js:131:5:131:65 | obj[req ... ), '')] | tst.js:131:9:131:19 | req.query.x | tst.js:131:5:131:65 | obj[req ... ), '')] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:131:9:131:19 | req.query.x | user controlled input |

javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/tst.js

@@ -128,5 +128,5 @@ app.get('/foo', (req, res) => {
     let obj = {};
     obj[req.query.x.replace(new RegExp('_', 'g'), '')].x = 'foo'; // OK
     obj[req.query.x.replace(new RegExp('_', ''), '')].x = 'foo'; // NOT OK
-    obj[req.query.x.replace(new RegExp('_', unknownFlags()), '')].x = 'foo'; // OK -- Might be okay but it is currently flagged as a problem
+    obj[req.query.x.replace(new RegExp('_', unknownFlags()), '')].x = 'foo'; // OK
 });