
Commit 99e5db4

committed
JS: address review comments
1 parent 304b013 commit 99e5db4


1 file changed

+11
-20
lines changed


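--- a/javascript/ql/src/Security/CWE-116/UnsafeHtmlExpansion.ql
+++ b/javascript/ql/src/Security/CWE-116/UnsafeHtmlExpansion.ql
@@ -1,6 +1,6 @@
 /**
-* @name Unsafe expansion of shorthand HTML tag
-* @description Using regular expressions to expand shorthand HTML
+* @name Unsafe expansion of self-closing HTML tag
+* @description Using regular expressions to expand self-closing HTML
 * tags may lead to cross-site scripting vulnerabilities.
 * @kind problem
 * @problem.severity warning
@@ -15,14 +15,15 @@
 import javascript
 
 /**
-* A regular expression that captures the name and content of a shorthand HTML tag such as `<div id='foo'/>`.
+* A regular expression that captures the name and content of a
+* self-closing HTML tag such as `<div id='foo'/>`.
 */
-class ShorthandTagRecognizer extends RegExpLiteral {
-ShorthandTagRecognizer() {
+class SelfClosingTagRecognizer extends DataFlow::RegExpCreationNode {
+SelfClosingTagRecognizer() {
 exists(RegExpSequence seq, RegExpGroup name, RegExpGroup content |
 // `/.../g`
-this.isGlobal() and
-this = seq.getLiteral() and
+RegExp::isGlobal(this.getFlags()) and
+this.getRoot() = seq.getRootTerm() and
 // `/<.../`
 seq.getChild(0).getConstantValue() = "<" and
 // `/...\/>/`
@@ -46,22 +47,12 @@ class ShorthandTagRecognizer extends RegExpLiteral {
 )
 )
 }
-
-/**
-* Gets a data flow node that may refer to this regular expression.
-*/
-DataFlow::SourceNode ref(DataFlow::TypeTracker t) {
-t.start() and
-result = this.flow()
-or
-exists(DataFlow::TypeTracker t2 | result = ref(t2).track(t2, t))
-}
 }
 
-from ShorthandTagRecognizer regexp, StringReplaceCall replace
+from SelfClosingTagRecognizer regexp, StringReplaceCall replace
 where
-regexp.ref(DataFlow::TypeTracker::end()).flowsTo(replace.getArgument(0)) and
+regexp.getAReference().flowsTo(replace.getArgument(0)) and
 replace.getRawReplacement().mayHaveStringValue("<$1></$2>")
 select replace,
-"This HTML tag expansion may disable earlier sanitizations as $@ may match unintended strings.",
+"This self-closing HTML tag expansion invalidates prior sanitization as $@ may match part of an attribute value.",
 regexp, "this regular expression"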
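Review bot: Now that the recognizer extends `DataFlow::RegExpCreationNode` it also matches `new RegExp(src, flags)` creations, but the new guard `RegExp::isGlobal(this.getFlags()) and` in the second hunk presumably only holds when the flags argument resolves to a constant string, so a regex created with non-constant flags would have no `getFlags()` result and be silently excluded rather than reported. If that false negative is acceptable, the class qldoc should state the limitation, e.g. `* Only regular expressions whose flags are known to include `g` are recognized.`; otherwise consider accepting creations whose flags cannot be determined. The `exists(...)` body of the characteristic predicate opens in the second hunk and closes in the third, so the tag-shape checks between them are not visible here.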
