Added tests for regex sanitization to identify false positives matchAll

Napalys · Napalys · commit 4106663d89b3 · 2024-11-07T10:27:58.000+01:00
diff --git a/javascript/ql/test/experimental/Security/CWE-918/SSRF.expected b/javascript/ql/test/experimental/Security/CWE-918/SSRF.expected
@@ -51,6 +51,14 @@ nodes
 | check-regex.js:41:13:41:43 | "test.c ... tainted |
 | check-regex.js:41:27:41:43 | req.query.tainted |
 | check-regex.js:41:27:41:43 | req.query.tainted |
+| check-regex.js:44:15:44:45 | "test.c ... tainted |
+| check-regex.js:44:15:44:45 | "test.c ... tainted |
+| check-regex.js:44:29:44:45 | req.query.tainted |
+| check-regex.js:44:29:44:45 | req.query.tainted |
+| check-regex.js:47:15:47:45 | "test.c ... tainted |
+| check-regex.js:47:15:47:45 | "test.c ... tainted |
+| check-regex.js:47:29:47:45 | req.query.tainted |
+| check-regex.js:47:29:47:45 | req.query.tainted |
 | check-validator.js:15:15:15:45 | "test.c ... tainted |
 | check-validator.js:15:15:15:45 | "test.c ... tainted |
 | check-validator.js:15:29:15:45 | req.query.tainted |
@@ -127,6 +135,14 @@ edges
 | check-regex.js:41:27:41:43 | req.query.tainted | check-regex.js:41:13:41:43 | "test.c ... tainted |
 | check-regex.js:41:27:41:43 | req.query.tainted | check-regex.js:41:13:41:43 | "test.c ... tainted |
 | check-regex.js:41:27:41:43 | req.query.tainted | check-regex.js:41:13:41:43 | "test.c ... tainted |
+| check-regex.js:44:29:44:45 | req.query.tainted | check-regex.js:44:15:44:45 | "test.c ... tainted |
+| check-regex.js:44:29:44:45 | req.query.tainted | check-regex.js:44:15:44:45 | "test.c ... tainted |
+| check-regex.js:44:29:44:45 | req.query.tainted | check-regex.js:44:15:44:45 | "test.c ... tainted |
+| check-regex.js:44:29:44:45 | req.query.tainted | check-regex.js:44:15:44:45 | "test.c ... tainted |
+| check-regex.js:47:29:47:45 | req.query.tainted | check-regex.js:47:15:47:45 | "test.c ... tainted |
+| check-regex.js:47:29:47:45 | req.query.tainted | check-regex.js:47:15:47:45 | "test.c ... tainted |
+| check-regex.js:47:29:47:45 | req.query.tainted | check-regex.js:47:15:47:45 | "test.c ... tainted |
+| check-regex.js:47:29:47:45 | req.query.tainted | check-regex.js:47:15:47:45 | "test.c ... tainted |
 | check-validator.js:15:29:15:45 | req.query.tainted | check-validator.js:15:15:15:45 | "test.c ... tainted |
 | check-validator.js:15:29:15:45 | req.query.tainted | check-validator.js:15:15:15:45 | "test.c ... tainted |
 | check-validator.js:15:29:15:45 | req.query.tainted | check-validator.js:15:15:15:45 | "test.c ... tainted |
@@ -166,6 +182,8 @@ edges
 | check-regex.js:31:15:31:45 | "test.c ... tainted | check-regex.js:31:29:31:45 | req.query.tainted | check-regex.js:31:15:31:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. |
 | check-regex.js:34:15:34:42 | baseURL ... tainted | check-regex.js:34:25:34:42 | req.params.tainted | check-regex.js:34:15:34:42 | baseURL ... tainted | The URL of this request depends on a user-provided value. |
 | check-regex.js:41:13:41:43 | "test.c ... tainted | check-regex.js:41:27:41:43 | req.query.tainted | check-regex.js:41:13:41:43 | "test.c ... tainted | The URL of this request depends on a user-provided value. |
+| check-regex.js:44:15:44:45 | "test.c ... tainted | check-regex.js:44:29:44:45 | req.query.tainted | check-regex.js:44:15:44:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. |
+| check-regex.js:47:15:47:45 | "test.c ... tainted | check-regex.js:47:29:47:45 | req.query.tainted | check-regex.js:47:15:47:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. |
 | check-validator.js:15:15:15:45 | "test.c ... tainted | check-validator.js:15:29:15:45 | req.query.tainted | check-validator.js:15:15:15:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. |
 | check-validator.js:27:15:27:45 | "test.c ... tainted | check-validator.js:27:29:27:45 | req.query.tainted | check-validator.js:27:15:27:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. |
 | check-validator.js:50:15:50:45 | "test.c ... tainted | check-validator.js:50:29:50:45 | req.query.tainted | check-validator.js:50:15:50:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. |
diff --git a/javascript/ql/test/experimental/Security/CWE-918/check-regex.js b/javascript/ql/test/experimental/Security/CWE-918/check-regex.js
@@ -25,7 +25,7 @@ app.get('/check-with-axios', req => {
   } else {
     axios.get(baseURL + req.params.tainted); // OK
   }
-  
+
   // Blacklists are not safe
   if (!req.query.tainted.match(/^[/\.%]+$/)) {
     axios.get("test.com/" + req.query.tainted); // SSRF
@@ -39,6 +39,13 @@ app.get('/check-with-axios', req => {
   }
 
   axios.get("test.com/" + req.query.tainted); // OK - False Positive
+
+  if (req.query.tainted.matchAll(/^[0-9a-z]+$/g)) { // letters and numbers
+    axios.get("test.com/" + req.query.tainted); // OK
+  }
+  if (req.query.tainted.matchAll(/^[0-9a-z\-_]+$/g)) { // letters, numbers, - and _
+    axios.get("test.com/" + req.query.tainted); // OK
+  }
 });
 
 const isValidPath = path =>  path.match(/^[0-9a-z]+$/);
