Update RegExp handling and add test case

Napalys · erik-krogh · Napalys · commit 9ca0fe4cbf06 · 2024-11-28T14:13:40.000+01:00
Co-authored-by: erik-krogh &lt;erik-krogh@github.com&gt;
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
@@ -40,7 +40,7 @@ module CleartextLogging {
       exists(this.getRawReplacement().getStringValue()) and
       exists(DataFlow::RegExpCreationNode regexpObj |
         this.(StringReplaceCall).getRegExp() = regexpObj and
-        regexpObj.getRoot() = any(RegExpDot term)
+        regexpObj.getRoot() = any(RegExpDot term).getRootTerm()
       )
     }
   }
diff --git a/javascript/ql/test/query-tests/Security/CWE-312/passwords.js b/javascript/ql/test/query-tests/Security/CWE-312/passwords.js
@@ -181,4 +181,5 @@ const debug = require('debug')('test');
 	console.log(password.replace(new RegExp(".", "g"), "*")); // OK
 	console.log(password.replace(new RegExp("."), "*")); // NOT OK
 	console.log(password.replace(new RegExp(".", unknownFlags()), "*")); // OK -- Most likely not a problem.
+    console.log(password.replace(new RegExp("pre_._suf", "g"), "*")); // OK
 })();

Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@ module CleartextLogging {`
`40`	`40`	`exists(this.getRawReplacement().getStringValue()) and`
`41`	`41`	`exists(DataFlow::RegExpCreationNode regexpObj \|`
`42`	`42`	`this.(StringReplaceCall).getRegExp() = regexpObj and`
`43`		`- regexpObj.getRoot() = any(RegExpDot term)`
	`43`	`+ regexpObj.getRoot() = any(RegExpDot term).getRootTerm()`
`44`	`44`	`)`
`45`	`45`	`}`
`46`	`46`	`}`