Merge pull request github#5782 from erik-krogh/domFP

Approved by esbena

Author: codeql-ci

javascript/ql/src/semmle/javascript/Regexp.qll

@@ -191,6 +191,19 @@ class RegExpQuantifier extends RegExpTerm, @regexp_quantifier {
   predicate isGreedy() { is_greedy(this) }
 }
 
+/**
+ * A regular expression term that permits unlimited repetitions.
+ */
+class InfiniteRepetitionQuantifier extends RegExpQuantifier {
+  InfiniteRepetitionQuantifier() {
+    this instanceof RegExpPlus
+    or
+    this instanceof RegExpStar
+    or
+    this instanceof RegExpRange and not exists(this.(RegExpRange).getUpperBound())
+  }
+}
+
 /**
  * An escaped regular expression term, that is, a regular expression
  * term starting with a backslash.
@@ -1065,6 +1078,12 @@ module RegExp {
       not cls.isInverted() and
       cls.getAChild().(RegExpCharacterClassEscape).getValue().isUppercase()
     )
+    or
+    // an unlimited number of wildcards, is also a wildcard.
+    exists(InfiniteRepetitionQuantifier q |
+      term = q and
+      isWildcardLike(q.getAChild())
+    )
   }
 
   /**

javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll

@@ -34,7 +34,12 @@ module Shared {
   class MetacharEscapeSanitizer extends Sanitizer, StringReplaceCall {
     MetacharEscapeSanitizer() {
       isGlobal() and
-      RegExp::alwaysMatchesMetaCharacter(getRegExp().getRoot(), ["<", "'", "\""])
+      (
+        RegExp::alwaysMatchesMetaCharacter(getRegExp().getRoot(), ["<", "'", "\""])
+        or
+        // or it's like a wild-card.
+        RegExp::isWildcardLike(getRegExp().getRoot())
+      )
     }
   }
 

javascript/ql/src/semmle/javascript/security/performance/ReDoSUtil.qll

@@ -53,19 +53,6 @@ private predicate isReDoSCandidate(State state, string pump) {
   )
 }
 
-/**
- * A regular expression term that permits unlimited repetitions.
- */
-class InfiniteRepetitionQuantifier extends RegExpQuantifier {
-  InfiniteRepetitionQuantifier() {
-    this instanceof RegExpPlus
-    or
-    this instanceof RegExpStar
-    or
-    this instanceof RegExpRange and not exists(this.(RegExpRange).getUpperBound())
-  }
-}
-
 /**
  * Gets the char after `c` (from a simplified ASCII table).
  */

javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js

@@ -85,4 +85,8 @@
 
 	$("#id").html(anser.ansiToHtml(text)); // NOT OK
 	$("#id").html(new anser().process(text)); // NOT OK
+	
+	$("section h1").each(function(){
+		$("nav ul").append("<a href='#" + $(this).text().toLowerCase().replace(/ /g, '-').replace(/[^\w-]+/g,'') + "'>Section</a>"); // OK
+	});
 })();