JS: fixed issue where MaskingReplacer would work only with regexp literals but not objects

Napalys · Napalys · commit a2c46749c672 · 2024-11-28T11:26:55.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
@@ -38,7 +38,10 @@ module CleartextLogging {
     MaskingReplacer() {
       this.isGlobal() and
       exists(this.getRawReplacement().getStringValue()) and
-      any(RegExpDot term).getLiteral() = this.getRegExp().asExpr()
+      exists(DataFlow::RegExpCreationNode regexpObj |
+        this.(StringReplaceCall).getRegExp() = regexpObj and
+        regexpObj.getRoot() = any(RegExpDot term)
+      )
     }
   }
 
diff --git a/javascript/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected b/javascript/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected
@@ -139,10 +139,6 @@ nodes
 | passwords.js:176:17:176:26 | myPasscode |
 | passwords.js:176:17:176:26 | myPasscode |
 | passwords.js:176:17:176:26 | myPasscode |
-| passwords.js:181:14:181:21 | password |
-| passwords.js:181:14:181:21 | password |
-| passwords.js:181:14:181:56 | passwor ... ), "*") |
-| passwords.js:181:14:181:56 | passwor ... ), "*") |
 | passwords.js:182:14:182:21 | password |
 | passwords.js:182:14:182:21 | password |
 | passwords.js:182:14:182:51 | passwor ... ), "*") |
@@ -297,10 +293,6 @@ edges
 | passwords.js:170:11:170:18 | password | passwords.js:170:11:170:39 | passwor ... g, "*") |
 | passwords.js:173:17:173:26 | myPassword | passwords.js:173:17:173:26 | myPassword |
 | passwords.js:176:17:176:26 | myPasscode | passwords.js:176:17:176:26 | myPasscode |
-| passwords.js:181:14:181:21 | password | passwords.js:181:14:181:56 | passwor ... ), "*") |
-| passwords.js:181:14:181:21 | password | passwords.js:181:14:181:56 | passwor ... ), "*") |
-| passwords.js:181:14:181:21 | password | passwords.js:181:14:181:56 | passwor ... ), "*") |
-| passwords.js:181:14:181:21 | password | passwords.js:181:14:181:56 | passwor ... ), "*") |
 | passwords.js:182:14:182:21 | password | passwords.js:182:14:182:51 | passwor ... ), "*") |
 | passwords.js:182:14:182:21 | password | passwords.js:182:14:182:51 | passwor ... ), "*") |
 | passwords.js:182:14:182:21 | password | passwords.js:182:14:182:51 | passwor ... ), "*") |
@@ -356,7 +348,6 @@ edges
 | passwords.js:170:11:170:39 | passwor ... g, "*") | passwords.js:170:11:170:18 | password | passwords.js:170:11:170:39 | passwor ... g, "*") | This logs sensitive data returned by $@ as clear text. | passwords.js:170:11:170:18 | password | an access to password |
 | passwords.js:173:17:173:26 | myPassword | passwords.js:173:17:173:26 | myPassword | passwords.js:173:17:173:26 | myPassword | This logs sensitive data returned by $@ as clear text. | passwords.js:173:17:173:26 | myPassword | an access to myPassword |
 | passwords.js:176:17:176:26 | myPasscode | passwords.js:176:17:176:26 | myPasscode | passwords.js:176:17:176:26 | myPasscode | This logs sensitive data returned by $@ as clear text. | passwords.js:176:17:176:26 | myPasscode | an access to myPasscode |
-| passwords.js:181:14:181:56 | passwor ... ), "*") | passwords.js:181:14:181:21 | password | passwords.js:181:14:181:56 | passwor ... ), "*") | This logs sensitive data returned by $@ as clear text. | passwords.js:181:14:181:21 | password | an access to password |
 | passwords.js:182:14:182:51 | passwor ... ), "*") | passwords.js:182:14:182:21 | password | passwords.js:182:14:182:51 | passwor ... ), "*") | This logs sensitive data returned by $@ as clear text. | passwords.js:182:14:182:21 | password | an access to password |
 | passwords.js:183:14:183:67 | passwor ... ), "*") | passwords.js:183:14:183:21 | password | passwords.js:183:14:183:67 | passwor ... ), "*") | This logs sensitive data returned by $@ as clear text. | passwords.js:183:14:183:21 | password | an access to password |
 | passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password | This logs sensitive data returned by $@ as clear text. | passwords_in_server_1.js:6:13:6:20 | password | an access to password |
diff --git a/javascript/ql/test/query-tests/Security/CWE-312/passwords.js b/javascript/ql/test/query-tests/Security/CWE-312/passwords.js
@@ -178,7 +178,7 @@ const debug = require('debug')('test');
 
 (function () {
     console.log(password.replace(/./g, "*")); // OK
-	console.log(password.replace(new RegExp(".", "g"), "*")); // OK -- Currently flagged, though it shouldn't be
+	console.log(password.replace(new RegExp(".", "g"), "*")); // OK
 	console.log(password.replace(new RegExp("."), "*")); // NOT OK
 	console.log(password.replace(new RegExp(".", unknownFlags()), "*")); // OK -- Currently flagged, though maybe it should not be.
 })();

Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,10 @@ module CleartextLogging {`
`38`	`38`	`MaskingReplacer() {`
`39`	`39`	`this.isGlobal() and`
`40`	`40`	`exists(this.getRawReplacement().getStringValue()) and`
`41`		`- any(RegExpDot term).getLiteral() = this.getRegExp().asExpr()`
	`41`	`+ exists(DataFlow::RegExpCreationNode regexpObj \|`
	`42`	`+ this.(StringReplaceCall).getRegExp() = regexpObj and`
	`43`	`+ regexpObj.getRoot() = any(RegExpDot term)`
	`44`	`+ )`
`42`	`45`	`}`
`43`	`46`	`}`
`44`	`47`