don't filter away templated URLs in RemoteServerResponse

erik-krogh · erik-krogh · commit ae805eb93909 · 2021-03-11T23:52:24.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/heuristics/AdditionalSources.qll b/javascript/ql/src/semmle/javascript/heuristics/AdditionalSources.qll
@@ -44,7 +44,8 @@ class RemoteServerResponse extends HeuristicSource, RemoteFlowSource {
         // exclude URLs to the current host
         r.getUrl().mayHaveStringValue(url) and
         protocolPattern = "(?[a-z+]{3,10}:)" and
-        not url.regexpMatch(protocolPattern + "?//.*")
+        not url.regexpMatch(protocolPattern + "?//.*") and
+        not url.prefix(2) = ["{{", "{%"] // look like templating
       )
     )
   }

Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,8 @@ class RemoteServerResponse extends HeuristicSource, RemoteFlowSource {`
`44`	`44`	`// exclude URLs to the current host`
`45`	`45`	`r.getUrl().mayHaveStringValue(url) and`
`46`	`46`	`protocolPattern = "(?[a-z+]{3,10}:)" and`
`47`		`- not url.regexpMatch(protocolPattern + "?//.*")`
	`47`	`+ not url.regexpMatch(protocolPattern + "?//.*") and`
	`48`	`+ not url.prefix(2) = ["{{", "{%"] // look like templating`
`48`	`49`	`)`
`49`	`50`	`)`
`50`	`51`	`}`