support another String.prototype.replace pattern

erik-krogh · erik-krogh · commit 1bf259beef48 · 2021-03-16T13:25:13.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/StandardLibrary.qll b/javascript/ql/src/semmle/javascript/StandardLibrary.qll
@@ -149,6 +149,19 @@ class StringReplaceCall extends DataFlow::MethodCallNode {
       pr.flowsTo(replacer.getAReturn()) and
       map.hasPropertyWrite(old, any(DataFlow::Node repl | repl.getStringValue() = new))
     )
+    or
+    exists(
+      DataFlow::FunctionNode replacer, ConditionGuardNode guard, EqualityTest test,
+      DataFlow::Node ret
+    |
+      replacer = getCallback(1) and
+      guard.getTest() = test and
+      replacer.getParameter(0).flowsToExpr(test.getAnOperand()) and
+      test.getAnOperand().getStringValue() = old and
+      ret = replacer.getAReturn() and
+      guard.dominates(ret.getBasicBlock()) and
+      new = ret.getStringValue()
+    )
   }
 }
 
diff --git a/javascript/ql/src/semmle/javascript/security/IncompleteBlacklistSanitizer.qll b/javascript/ql/src/semmle/javascript/security/IncompleteBlacklistSanitizer.qll
@@ -51,7 +51,9 @@ class StringReplaceCallSequence extends DataFlow::CallNode {
 
   /** Gets a string that is the replacement of this call. */
   string getAReplacementString() {
-    // this is more restrictive than `StringReplaceCall::replaces/2`, in the name of precision
+    getAMember().replaces(_, result)
+    or
+    // StringReplaceCall::replaces/2 can't always find the `old` string, so this is added as a falback.
     getAMember().getRawReplacement().getStringValue() = result
   }
 

Original file line number	Diff line number	Diff line change
`@@ -149,6 +149,19 @@ class StringReplaceCall extends DataFlow::MethodCallNode {`
`149`	`149`	`pr.flowsTo(replacer.getAReturn()) and`
`150`	`150`	`map.hasPropertyWrite(old, any(DataFlow::Node repl \| repl.getStringValue() = new))`
`151`	`151`	`)`
	`152`	`+ or`
	`153`	`+ exists(`
	`154`	`+ DataFlow::FunctionNode replacer, ConditionGuardNode guard, EqualityTest test,`
	`155`	`+ DataFlow::Node ret`
	`156`	`+ \|`
	`157`	`+ replacer = getCallback(1) and`
	`158`	`+ guard.getTest() = test and`
	`159`	`+ replacer.getParameter(0).flowsToExpr(test.getAnOperand()) and`
	`160`	`+ test.getAnOperand().getStringValue() = old and`
	`161`	`+ ret = replacer.getAReturn() and`
	`162`	`+ guard.dominates(ret.getBasicBlock()) and`
	`163`	`+ new = ret.getStringValue()`
	`164`	`+ )`
`152`	`165`	`}`
`153`	`166`	`}`
`154`	`167`
Original file line number	Diff line number	Diff line change
`@@ -51,7 +51,9 @@ class StringReplaceCallSequence extends DataFlow::CallNode {`
`51`	`51`
`52`	`52`	`/** Gets a string that is the replacement of this call. */`
`53`	`53`	`string getAReplacementString() {`
`54`		- // this is more restrictive than `StringReplaceCall::replaces/2`, in the name of precision
	`54`	`+ getAMember().replaces(_, result)`
	`55`	`+ or`
	`56`	+ // StringReplaceCall::replaces/2 can't always find the `old` string, so this is added as a falback.
`55`	`57`	`getAMember().getRawReplacement().getStringValue() = result`
`56`	`58`	`}`
`57`	`59`