
Commit 32a2930

Swift: Accept bad tag filter test fixes.
1 parent d01a3e2 commit 32a2930

2 files changed

+12
-6
lines changed


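--- a/swift/ql/test/query-tests/Security/CWE-116/BadTagFilter.expected
+++ b/swift/ql/test/query-tests/Security/CWE-116/BadTagFilter.expected
@@ -1,18 +1,24 @@
 | test.swift:79:26:79:48 | <script.*?>.*?<\\/script> | This regular expression does not match script end tags like </script >. |
+| test.swift:83:27:83:54 | (?is)<script.*?>.*?<\\/script> | This regular expression does not match script end tags like </script >. |
 | test.swift:86:27:86:49 | <script.*?>.*?<\\/script> | This regular expression does not match script end tags like </script >. |
 | test.swift:90:50:90:72 | <script.*?>.*?<\\/script> | This regular expression does not match script end tags like </script >. |
 | test.swift:113:26:113:35 | <!--.*--!?> | This regular expression does not match comments containing newlines. |
 | test.swift:117:26:117:58 | <script.*?>(.\|\\s)*?<\\/script[^>]*> | This regular expression matches <script></script>, but not <script \\n></script> |
 | test.swift:121:26:121:56 | <script[^>]*?>.*?<\\/script[^>]*> | This regular expression matches <script>...</script>, but not <script >...\\n</script> |
 | test.swift:125:26:125:63 | <script(\\s\|\\w\|=\|")*?>.*?<\\/script[^>]*> | This regular expression does not match script tags where the attribute uses single-quotes. |
+| test.swift:129:28:129:70 | (?is)<script(\\s\|\\w\|=\|')*?>.*?<\\/script[^>]*> | This regular expression does not match script tags where the attribute uses double-quotes. |
 | test.swift:132:28:132:65 | <script(\\s\|\\w\|=\|')*?>.*?<\\/script[^>]*> | This regular expression does not match script tags where the attribute uses double-quotes. |
 | test.swift:136:50:136:87 | <script(\\s\|\\w\|=\|')*?>.*?<\\/script[^>]*> | This regular expression does not match script tags where the attribute uses double-quotes. |
+| test.swift:140:28:140:74 | (?is)<script( \|\\n\|\\w\|=\|'\|")*?>.*?<\\/script[^>]*> | This regular expression does not match script tags where tabs are used between attributes. |
 | test.swift:143:28:143:69 | <script( \|\\n\|\\w\|=\|'\|")*?>.*?<\\/script[^>]*> | This regular expression does not match script tags where tabs are used between attributes. |
 | test.swift:147:50:147:91 | <script( \|\\n\|\\w\|=\|'\|")*?>.*?<\\/script[^>]*> | This regular expression does not match script tags where tabs are used between attributes. |
+| test.swift:151:28:151:59 | (?s)<script.*?>.*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
 | test.swift:154:28:154:55 | <script.*?>.*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
 | test.swift:157:50:157:77 | <script.*?>.*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:161:28:161:77 | (?s)<(script\|SCRIPT).*?>.*?<\\/(script\|SCRIPT)[^>]*> | This regular expression does not match mixed case <sCrIpT> tags. |
 | test.swift:164:28:164:73 | <(script\|SCRIPT).*?>.*?<\\/(script\|SCRIPT)[^>]*> | This regular expression does not match mixed case <sCrIpT> tags. |
 | test.swift:167:50:167:95 | <(script\|SCRIPT).*?>.*?<\\/(script\|SCRIPT)[^>]*> | This regular expression does not match mixed case <sCrIpT> tags. |
+| test.swift:171:28:171:64 | (?i)<script[^>]*?>[\\s\\S]*?<\\/script.*> | This regular expression does not match script end tags like </script\\t\\n bar>. |
 | test.swift:174:28:174:60 | <script[^>]*?>[\\s\\S]*?<\\/script.*> | This regular expression does not match script end tags like </script\\t\\n bar>. |
 | test.swift:177:50:177:82 | <script[^>]*?>[\\s\\S]*?<\\/script.*> | This regular expression does not match script end tags like </script\\t\\n bar>. |
 | test.swift:191:27:191:68 | <(?:!--([\\S\|\\s]*?)-->)\|([^\\/\\s>]+)[\\S\\s]*?> | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 1 and comments ending with --!> are matched with capture group 2. |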

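--- a/swift/ql/test/query-tests/Security/CWE-116/test.swift
+++ b/swift/ql/test/query-tests/Security/CWE-116/test.swift
@@ -79,7 +79,7 @@ func myRegexpVariantsTests(myUrl: URL) throws {
 let re1 = try Regex(#"<script.*?>.*?<\/script>"#).ignoresCase(true)
 _ = try re1.firstMatch(in: tainted)
 
-// BAD - doesn't match `</script >` [NOT DETECTED - all regexs with mode flags are currently missed by the query]
+// BAD - doesn't match `</script >`
 let re2a = try Regex(#"(?is)<script.*?>.*?<\/script>"#)
 _ = try re2a.firstMatch(in: tainted)
 // BAD - doesn't match `</script >`
@@ -125,7 +125,7 @@ func myRegexpVariantsTests(myUrl: URL) throws {
 let re9 = try Regex(#"<script(\s|\w|=|")*?>.*?<\/script[^>]*>"#).ignoresCase(true).dotMatchesNewlines(true)
 _ = try re9.firstMatch(in: tainted)
 
-// BAD - does not match double quotes for attribute values [NOT DETECTED]
+// BAD - does not match double quotes for attribute values
 let re10a = try Regex(#"(?is)<script(\s|\w|=|')*?>.*?<\/script[^>]*>"#)
 _ = try re10a.firstMatch(in: tainted)
 // BAD - does not match double quotes for attribute values
@@ -136,7 +136,7 @@ func myRegexpVariantsTests(myUrl: URL) throws {
 let ns10 = try NSRegularExpression(pattern: #"<script(\s|\w|=|')*?>.*?<\/script[^>]*>"#, options: options10)
 _ = ns10.firstMatch(in: tainted, range: NSMakeRange(0, tainted.utf16.count))
 
-// BAD - does not match tabs between attributes [NOT DETECTED]
+// BAD - does not match tabs between attributes
 let re11a = try Regex(#"(?is)<script( |\n|\w|=|'|")*?>.*?<\/script[^>]*>"#)
 _ = try re11a.firstMatch(in: tainted)
 // BAD - does not match tabs between attributes
@@ -147,7 +147,7 @@ func myRegexpVariantsTests(myUrl: URL) throws {
 let ns11 = try NSRegularExpression(pattern: #"<script( |\n|\w|=|'|")*?>.*?<\/script[^>]*>"#, options: options11)
 _ = ns11.firstMatch(in: tainted, range: NSMakeRange(0, tainted.utf16.count))
 
-// BAD - does not match uppercase SCRIPT tags [NOT DETECTED]
+// BAD - does not match uppercase SCRIPT tags
 let re12a = try Regex(#"(?s)<script.*?>.*?<\/script[^>]*>"#)
 _ = try re12a.firstMatch(in: tainted)
 // BAD - does not match uppercase SCRIPT tags
@@ -157,7 +157,7 @@ func myRegexpVariantsTests(myUrl: URL) throws {
 let ns12 = try NSRegularExpression(pattern: #"<script.*?>.*?<\/script[^>]*>"#, options: .dotMatchesLineSeparators)
 _ = ns12.firstMatch(in: tainted, range: NSMakeRange(0, tainted.utf16.count))
 
-// BAD - does not match mixed case script tags [NOT DETECTED]
+// BAD - does not match mixed case script tags
 let re13a = try Regex(#"(?s)<(script|SCRIPT).*?>.*?<\/(script|SCRIPT)[^>]*>"#)
 _ = try re13a.firstMatch(in: tainted)
 // BAD - does not match mixed case script tags
@@ -167,7 +167,7 @@ func myRegexpVariantsTests(myUrl: URL) throws {
 let ns13 = try NSRegularExpression(pattern: #"<(script|SCRIPT).*?>.*?<\/(script|SCRIPT)[^>]*>"#, options: .dotMatchesLineSeparators)
 _ = ns13.firstMatch(in: tainted, range: NSMakeRange(0, tainted.utf16.count))
 
-// BAD - doesn't match newlines in the end tag [NOT DETECTED]
+// BAD - doesn't match newlines in the end tag
 let re14a = try Regex(#"(?i)<script[^>]*?>[\s\S]*?<\/script.*>"#)
 _ = try re14a.firstMatch(in: tainted)
 // BAD - doesn't match newlines in the end tag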
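Review bot: With the `[NOT DETECTED - all regexs with mode flags are currently missed by the query]` text gone from the first hunk (-79), nothing in the test file records any more that re2a, re10a, re11a, re12a, re13a and re14a exist specifically to exercise inline `(?is)`/`(?s)`/`(?i)` mode flags rather than the `.ignoresCase(true)`/`.dotMatchesNewlines(true)` and `NSRegularExpression` `options:` forms of the same pattern, so each now reads as a verbatim duplicate of the comment two lines below it. Suggest keeping that intent in the new comment, e.g. `// BAD (inline mode flags) - doesn't match </script >`, or a single comment above re2a stating that the `a` variants carry their flags inline in the pattern so the query's flag parsing is covered. The same applies to the hunks at -125, -136, -147, -157 and -167. myRegexpVariantsTests begins before the first hunk and continues past the last one.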
