JS: now Reg Exp injection treats unknownFlags as sanitization, MetacharEscapeSanitizer

Napalys · Napalys · commit 1d2e08a3b6c9 · 2024-11-28T11:26:58.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/RegExpInjectionCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/RegExpInjectionCustomizations.qll
@@ -76,7 +76,7 @@ module RegExpInjection {
    */
   class MetacharEscapeSanitizer extends Sanitizer, StringReplaceCall {
     MetacharEscapeSanitizer() {
-      this.isGlobal() and
+      this.maybeGlobal() and
       (
         RegExp::alwaysMatchesMetaCharacter(this.getRegExp().getRoot(), ["{", "[", "+"])
         or
diff --git a/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.expected b/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.expected
@@ -72,11 +72,6 @@ nodes
 | RegExpInjection.js:99:19:99:106 | input.r ... "\\\\$&") |
 | RegExpInjection.js:100:14:100:22 | sanitized |
 | RegExpInjection.js:100:14:100:22 | sanitized |
-| RegExpInjection.js:105:7:105:122 | sanitized |
-| RegExpInjection.js:105:19:105:23 | input |
-| RegExpInjection.js:105:19:105:122 | input.r ... "\\\\$&") |
-| RegExpInjection.js:106:14:106:22 | sanitized |
-| RegExpInjection.js:106:14:106:22 | sanitized |
 | tst.js:5:9:5:29 | data |
 | tst.js:5:16:5:29 | req.query.data |
 | tst.js:5:16:5:29 | req.query.data |
@@ -147,17 +142,12 @@ edges
 | RegExpInjection.js:93:20:93:34 | process.argv[1] | RegExpInjection.js:93:16:93:49 | `^${pro ... r.app$` |
 | RegExpInjection.js:93:20:93:34 | process.argv[1] | RegExpInjection.js:93:16:93:49 | `^${pro ... r.app$` |
 | RegExpInjection.js:97:7:97:32 | input | RegExpInjection.js:99:19:99:23 | input |
-| RegExpInjection.js:97:7:97:32 | input | RegExpInjection.js:105:19:105:23 | input |
 | RegExpInjection.js:97:15:97:32 | req.param("input") | RegExpInjection.js:97:7:97:32 | input |
 | RegExpInjection.js:97:15:97:32 | req.param("input") | RegExpInjection.js:97:7:97:32 | input |
 | RegExpInjection.js:99:7:99:106 | sanitized | RegExpInjection.js:100:14:100:22 | sanitized |
 | RegExpInjection.js:99:7:99:106 | sanitized | RegExpInjection.js:100:14:100:22 | sanitized |
 | RegExpInjection.js:99:19:99:23 | input | RegExpInjection.js:99:19:99:106 | input.r ... "\\\\$&") |
 | RegExpInjection.js:99:19:99:106 | input.r ... "\\\\$&") | RegExpInjection.js:99:7:99:106 | sanitized |
-| RegExpInjection.js:105:7:105:122 | sanitized | RegExpInjection.js:106:14:106:22 | sanitized |
-| RegExpInjection.js:105:7:105:122 | sanitized | RegExpInjection.js:106:14:106:22 | sanitized |
-| RegExpInjection.js:105:19:105:23 | input | RegExpInjection.js:105:19:105:122 | input.r ... "\\\\$&") |
-| RegExpInjection.js:105:19:105:122 | input.r ... "\\\\$&") | RegExpInjection.js:105:7:105:122 | sanitized |
 | tst.js:5:9:5:29 | data | tst.js:6:21:6:24 | data |
 | tst.js:5:16:5:29 | req.query.data | tst.js:5:9:5:29 | data |
 | tst.js:5:16:5:29 | req.query.data | tst.js:5:9:5:29 | data |
@@ -183,5 +173,4 @@ edges
 | RegExpInjection.js:91:16:91:50 | `^${pro ... r.app$` | RegExpInjection.js:91:20:91:30 | process.env | RegExpInjection.js:91:16:91:50 | `^${pro ... r.app$` | This regular expression is constructed from a $@. | RegExpInjection.js:91:20:91:30 | process.env | environment variable |
 | RegExpInjection.js:93:16:93:49 | `^${pro ... r.app$` | RegExpInjection.js:93:20:93:31 | process.argv | RegExpInjection.js:93:16:93:49 | `^${pro ... r.app$` | This regular expression is constructed from a $@. | RegExpInjection.js:93:20:93:31 | process.argv | command-line argument |
 | RegExpInjection.js:100:14:100:22 | sanitized | RegExpInjection.js:97:15:97:32 | req.param("input") | RegExpInjection.js:100:14:100:22 | sanitized | This regular expression is constructed from a $@. | RegExpInjection.js:97:15:97:32 | req.param("input") | user-provided value |
-| RegExpInjection.js:106:14:106:22 | sanitized | RegExpInjection.js:97:15:97:32 | req.param("input") | RegExpInjection.js:106:14:106:22 | sanitized | This regular expression is constructed from a $@. | RegExpInjection.js:97:15:97:32 | req.param("input") | user-provided value |
 | tst.js:6:16:6:35 | "^"+ data.name + "$" | tst.js:5:16:5:29 | req.query.data | tst.js:6:16:6:35 | "^"+ data.name + "$" | This regular expression is constructed from a $@. | tst.js:5:16:5:29 | req.query.data | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.js b/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.js
@@ -103,5 +103,5 @@ app.get("argv", function(req, res) {
   new RegExp(sanitized); // OK
 
   var sanitized = input.replace(new RegExp("[\\-\\[\\]\\/\\{\\}\\(\\)\\*\\+\\?\\.\\\\\\^\\$\\|]", unknownFlags()), "\\$&");
-  new RegExp(sanitized); // OK -- Currently flagged, but most likely should not be.
+  new RegExp(sanitized); // OK -- Most likely not a problem.
 });

Original file line number	Diff line number	Diff line change
`@@ -76,7 +76,7 @@ module RegExpInjection {`
`76`	`76`	`*/`
`77`	`77`	`class MetacharEscapeSanitizer extends Sanitizer, StringReplaceCall {`
`78`	`78`	`MetacharEscapeSanitizer() {`
`79`		`- this.isGlobal() and`
	`79`	`+ this.maybeGlobal() and`
`80`	`80`	`(`
`81`	`81`	`RegExp::alwaysMatchesMetaCharacter(this.getRegExp().getRoot(), ["{", "[", "+"])`
`82`	`82`	`or`