JS: fixed bad alert messages when it came to incomplete sanitization for new RegExp objects

Napalys · Napalys · commit 3171f38cddf8 · 2024-11-29T11:14:45.000+01:00
diff --git a/javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql b/javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql
@@ -143,12 +143,26 @@ predicate whitelistedRemoval(StringReplaceCall repl) {
   )
 }
 
-from StringReplaceCall repl, DataFlow::Node old, string msg
+/**
+ * Gets a nice string representation of the pattern or value of the node.
+ */
+predicate getPatternOrValueString(DataFlow::Node node, string patternOrValue) {
+  if node instanceof DataFlow::RegExpConstructorInvokeNode
+  then
+    exists(DataFlow::RegExpConstructorInvokeNode regExp |
+      node = regExp and
+      patternOrValue = "/" + regExp.getRoot() + "/"
+    )
+  else patternOrValue = node.toString()
+}
+
+from StringReplaceCall repl, DataFlow::Node old, string patternOrValue, string msg
 where
   (old = repl.getArgument(0) or old = repl.getRegExp()) and
+  getPatternOrValueString(old, patternOrValue) and
   (
     not repl.maybeGlobal() and
-    msg = "This replaces only the first occurrence of " + old + "." and
+    msg = "This replaces only the first occurrence of " + patternOrValue + "." and
     // only flag if this is likely to be a sanitizer or URL encoder or decoder
     exists(string m | m = getAMatchedString(old) |
       // sanitizer
diff --git a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteSanitization.expected b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteSanitization.expected
@@ -29,9 +29,9 @@
 | tst.js:149:2:149:24 | x.repla ... replace | This replaces only the first occurrence of "\\n". |
 | tst.js:193:9:193:17 | s.replace | This replaces only the first occurrence of /'/. |
 | tst.js:202:10:202:18 | p.replace | This replaces only the first occurrence of "/../". |
-| tst.js:341:9:341:17 | p.replace | This replaces only the first occurrence of new Reg ... .\\\\./"). |
+| tst.js:341:9:341:17 | p.replace | This replaces only the first occurrence of /\\.\\.//. |
 | tst.js:345:9:345:17 | s.replace | This does not escape backslash characters in the input. |
-| tst.js:349:9:349:17 | s.replace | This replaces only the first occurrence of new RegExp("\\'"). |
+| tst.js:349:9:349:17 | s.replace | This replaces only the first occurrence of /'/. |
 | tst.js:353:9:353:17 | s.replace | This does not escape backslash characters in the input. |
-| tst.js:362:2:362:10 | x.replace | This replaces only the first occurrence of new RegExp("\\n"). |
-| tst.js:363:2:363:24 | x.repla ... replace | This replaces only the first occurrence of new RegExp("\\n"). |
+| tst.js:362:2:362:10 | x.replace | This replaces only the first occurrence of /\n/. |
+| tst.js:363:2:363:24 | x.repla ... replace | This replaces only the first occurrence of /\n/. |
