Merge pull request #7076 from asgerf/js/tainted-path-regexp-guard2

Approved by erik-krogh

Author: codeql-ci

javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll

@@ -459,7 +459,7 @@ module TaintedPath {
    * An expression of form `x.matches(/\.\./)` or similar.
    */
   class ContainsDotDotRegExpSanitizer extends BarrierGuardNode instanceof StringOps::RegExpTest {
-    ContainsDotDotRegExpSanitizer() { super.getRegExp().getConstantValue() = [".", "..", "../"] }
+    ContainsDotDotRegExpSanitizer() { super.getRegExp().getAMatchedString() = [".", "..", "../"] }
 
     override predicate blocks(boolean outcome, Expr e, DataFlow::FlowLabel label) {
       e = super.getStringOperand().asExpr() and

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/normalizedPaths.js

@@ -398,4 +398,7 @@ app.get('/dotdot-regexp', (req, res) => {
   if (!path.match(/\.\.\/foo/)) {
     fs.readFileSync(path); // NOT OK
   }
+  if (!path.match(/(\.\.\/|\.\.\\)/)) {
+    fs.readFileSync(path); // OK
+  }
 });