1 file changed +8 -0 lines changed
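--- a/javascript/ql/lib/semmle/javascript/security
+++ b/javascript/ql/lib/semmle/javascript/security
@@ -126,15 +126,23 @@ module TaintedUrlSuffix {
  )
  }
 
+ /** Holds if the `n`th child of `seq` contains a character indicating that everything thereafter is part of the suffix */
  private predicate containsSuffixIndicator ( RegExpSequence seq , int n ) {
  // Also include '=' as it usually only appears in the URL suffix
  seq .getChild ( n ) .getAChild * ( ) .( RegExpConstant ) .getValue ( ) .regexpMatch ( ".*[?#=].*" )
  }
 
+ /** Holds if the `n`th child of `seq` contains a capture group. */
  private predicate containsCaptureGroup ( RegExpSequence seq , int n ) {
  seq .getChild ( n ) .getAChild * ( ) .( RegExpGroup ) .isCapture ( )
  }
 
+ /**
+ * Holds if `seq` contains a capture group that will likely match path of the URL suffix,
+ * thereby extracting tainted data.
+ *
+ * For example, `/#(.*)/.exec(url)` will extract the tainted URL suffix from `url`.
+ */
  private predicate captureAfterSuffixIndicator ( RegExpSequence seq ) {
  exists ( int suffix , int capture |
  containsSuffixIndicator ( seq , suffix ) and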
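Review bot: The new doc comment on `captureAfterSuffixIndicator` says the capture group "will likely match path of the URL suffix", which reads as the URL path, while `containsSuffixIndicator` keys on `?`, `#` and `=`, so the suffix meant here is the query or fragment part; the wording should be "will likely match part of the URL suffix". The comment on `containsSuffixIndicator` is missing the closing period the other two have, and it could say that `=` is a heuristic indicator, as the inline comment under it already explains, so that readers of the taint model know this predicate can over-approximate. The body of `captureAfterSuffixIndicator` continues past the end of the hunk, so whether the capture group must come after the indicator is not visible here; if it must, as the name suggests, the doc comment should state that ordering explicitly.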