JS: More precise handling of .exec()

Author: asgerf

javascript/ql/lib/semmle/javascript/security/TaintedUrlSuffixCustomizations.qll

@@ -106,12 +106,29 @@ module TaintedUrlSuffix {
         read.getPropertyName() = "query"
       )
       or
-      // Assume calls to regexp.exec always extract query/fragment parameters.
-      exists(MethodCallNode call |
-        call = any(DataFlow::RegExpCreationNode re).getAMethodCall("exec") and
+      exists(MethodCallNode call, DataFlow::RegExpCreationNode re |
+        call = re.getAMethodCall("exec") and
         src = call.getArgument(0) and
-        dst = call
+        dst = call and
+        captureAfterSuffixIndicator(re.getRoot().getAChild*())
       )
     )
   }
+
+  private predicate containsSuffixIndicator(RegExpSequence seq, int n) {
+    // Also include '=' as it usually only appears in the URL suffix
+    seq.getChild(n).getAChild*().(RegExpConstant).getValue().regexpMatch(".*[?#=].*")
+  }
+
+  private predicate containsCaptureGroup(RegExpSequence seq, int n) {
+    seq.getChild(n).getAChild*().(RegExpGroup).isCapture()
+  }
+
+  private predicate captureAfterSuffixIndicator(RegExpSequence seq) {
+    exists(int suffix, int capture |
+      containsSuffixIndicator(seq, suffix) and
+      containsCaptureGroup(seq, capture) and
+      suffix < capture
+    )
+  }
 }

javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected

@@ -21,21 +21,6 @@ nodes
 | regexp-exec.js:9:24:9:58 | /\\?(.*) ... n.href) | semmle.label | /\\?(.*) ... n.href) |
 | regexp-exec.js:9:38:9:57 | window.location.href | semmle.label | window.location.href |
 | regexp-exec.js:10:28:10:33 | group1 | semmle.label | group1 |
-| regexp-exec.js:14:11:14:20 | [, group1] | semmle.label | [, group1] |
-| regexp-exec.js:14:11:14:62 | group1 | semmle.label | group1 |
-| regexp-exec.js:14:24:14:62 | /^([a-z ... n.href) | semmle.label | /^([a-z ... n.href) |
-| regexp-exec.js:14:42:14:61 | window.location.href | semmle.label | window.location.href |
-| regexp-exec.js:15:28:15:33 | group1 | semmle.label | group1 |
-| regexp-exec.js:19:11:19:20 | [, group1] | semmle.label | [, group1] |
-| regexp-exec.js:19:11:19:56 | group1 | semmle.label | group1 |
-| regexp-exec.js:19:24:19:56 | /(.*)/. ... n.href) | semmle.label | /(.*)/. ... n.href) |
-| regexp-exec.js:19:36:19:55 | window.location.href | semmle.label | window.location.href |
-| regexp-exec.js:20:28:20:33 | group1 | semmle.label | group1 |
-| regexp-exec.js:24:11:24:20 | [, group1] | semmle.label | [, group1] |
-| regexp-exec.js:24:11:24:60 | group1 | semmle.label | group1 |
-| regexp-exec.js:24:24:24:60 | /blah#b ... n.href) | semmle.label | /blah#b ... n.href) |
-| regexp-exec.js:24:40:24:59 | window.location.href | semmle.label | window.location.href |
-| regexp-exec.js:25:28:25:33 | group1 | semmle.label | group1 |
 | sanitizer.js:2:9:2:25 | url | semmle.label | url |
 | sanitizer.js:2:15:2:25 | window.name | semmle.label | window.name |
 | sanitizer.js:4:27:4:29 | url | semmle.label | url |
@@ -159,15 +144,6 @@ nodes
 | tst.js:14:20:14:56 | indirec ... n.href) | semmle.label | indirec ... n.href) |
 | tst.js:14:20:14:59 | indirec ... ref)[1] | semmle.label | indirec ... ref)[1] |
 | tst.js:14:34:14:55 | documen ... on.href | semmle.label | documen ... on.href |
-| tst.js:18:19:18:81 | new Reg ... n.href) | semmle.label | new Reg ... n.href) |
-| tst.js:18:19:18:84 | new Reg ... ref)[1] | semmle.label | new Reg ... ref)[1] |
-| tst.js:18:59:18:80 | documen ... on.href | semmle.label | documen ... on.href |
-| tst.js:22:20:22:56 | indirec ... n.href) | semmle.label | indirec ... n.href) |
-| tst.js:22:20:22:59 | indirec ... ref)[1] | semmle.label | indirec ... ref)[1] |
-| tst.js:22:34:22:55 | documen ... on.href | semmle.label | documen ... on.href |
-| tst.js:26:22:26:79 | new Reg ... n.href) | semmle.label | new Reg ... n.href) |
-| tst.js:26:22:26:82 | new Reg ... ref)[1] | semmle.label | new Reg ... ref)[1] |
-| tst.js:26:62:26:78 | win.location.href | semmle.label | win.location.href |
 | typed.ts:4:13:4:49 | params | semmle.label | params |
 | typed.ts:4:22:4:36 | location.search | semmle.label | location.search |
 | typed.ts:4:22:4:49 | locatio ... ring(1) | semmle.label | locatio ... ring(1) |
@@ -201,18 +177,6 @@ edges
 | regexp-exec.js:9:11:9:58 | group1 | regexp-exec.js:10:28:10:33 | group1 | provenance |  |
 | regexp-exec.js:9:24:9:58 | /\\?(.*) ... n.href) | regexp-exec.js:9:11:9:20 | [, group1] | provenance |  |
 | regexp-exec.js:9:38:9:57 | window.location.href | regexp-exec.js:9:24:9:58 | /\\?(.*) ... n.href) | provenance | Config |
-| regexp-exec.js:14:11:14:20 | [, group1] | regexp-exec.js:14:11:14:62 | group1 | provenance |  |
-| regexp-exec.js:14:11:14:62 | group1 | regexp-exec.js:15:28:15:33 | group1 | provenance |  |
-| regexp-exec.js:14:24:14:62 | /^([a-z ... n.href) | regexp-exec.js:14:11:14:20 | [, group1] | provenance |  |
-| regexp-exec.js:14:42:14:61 | window.location.href | regexp-exec.js:14:24:14:62 | /^([a-z ... n.href) | provenance | Config |
-| regexp-exec.js:19:11:19:20 | [, group1] | regexp-exec.js:19:11:19:56 | group1 | provenance |  |
-| regexp-exec.js:19:11:19:56 | group1 | regexp-exec.js:20:28:20:33 | group1 | provenance |  |
-| regexp-exec.js:19:24:19:56 | /(.*)/. ... n.href) | regexp-exec.js:19:11:19:20 | [, group1] | provenance |  |
-| regexp-exec.js:19:36:19:55 | window.location.href | regexp-exec.js:19:24:19:56 | /(.*)/. ... n.href) | provenance | Config |
-| regexp-exec.js:24:11:24:20 | [, group1] | regexp-exec.js:24:11:24:60 | group1 | provenance |  |
-| regexp-exec.js:24:11:24:60 | group1 | regexp-exec.js:25:28:25:33 | group1 | provenance |  |
-| regexp-exec.js:24:24:24:60 | /blah#b ... n.href) | regexp-exec.js:24:11:24:20 | [, group1] | provenance |  |
-| regexp-exec.js:24:40:24:59 | window.location.href | regexp-exec.js:24:24:24:60 | /blah#b ... n.href) | provenance | Config |
 | sanitizer.js:2:9:2:25 | url | sanitizer.js:4:27:4:29 | url | provenance |  |
 | sanitizer.js:2:9:2:25 | url | sanitizer.js:16:27:16:29 | url | provenance |  |
 | sanitizer.js:2:9:2:25 | url | sanitizer.js:19:27:19:29 | url | provenance |  |
@@ -311,12 +275,6 @@ edges
 | tst.js:10:59:10:80 | documen ... on.href | tst.js:10:19:10:81 | new Reg ... n.href) | provenance | Config |
 | tst.js:14:20:14:56 | indirec ... n.href) | tst.js:14:20:14:59 | indirec ... ref)[1] | provenance |  |
 | tst.js:14:34:14:55 | documen ... on.href | tst.js:14:20:14:56 | indirec ... n.href) | provenance | Config |
-| tst.js:18:19:18:81 | new Reg ... n.href) | tst.js:18:19:18:84 | new Reg ... ref)[1] | provenance |  |
-| tst.js:18:59:18:80 | documen ... on.href | tst.js:18:19:18:81 | new Reg ... n.href) | provenance | Config |
-| tst.js:22:20:22:56 | indirec ... n.href) | tst.js:22:20:22:59 | indirec ... ref)[1] | provenance |  |
-| tst.js:22:34:22:55 | documen ... on.href | tst.js:22:20:22:56 | indirec ... n.href) | provenance | Config |
-| tst.js:26:22:26:79 | new Reg ... n.href) | tst.js:26:22:26:82 | new Reg ... ref)[1] | provenance |  |
-| tst.js:26:62:26:78 | win.location.href | tst.js:26:22:26:79 | new Reg ... n.href) | provenance | Config |
 | typed.ts:4:13:4:49 | params | typed.ts:5:25:5:30 | params | provenance |  |
 | typed.ts:4:22:4:36 | location.search | typed.ts:4:22:4:49 | locatio ... ring(1) | provenance | Config |
 | typed.ts:4:22:4:49 | locatio ... ring(1) | typed.ts:4:13:4:49 | params | provenance |  |
@@ -341,9 +299,6 @@ subpaths
 | react.js:43:19:43:50 | documen ... bstr(1) | react.js:43:19:43:40 | documen ... on.hash | react.js:43:19:43:50 | documen ... bstr(1) | Untrusted URL redirection depends on a $@. | react.js:43:19:43:40 | documen ... on.hash | user-provided value |
 | regexp-exec.js:5:28:5:33 | group1 | regexp-exec.js:4:37:4:56 | window.location.href | regexp-exec.js:5:28:5:33 | group1 | Untrusted URL redirection depends on a $@. | regexp-exec.js:4:37:4:56 | window.location.href | user-provided value |
 | regexp-exec.js:10:28:10:33 | group1 | regexp-exec.js:9:38:9:57 | window.location.href | regexp-exec.js:10:28:10:33 | group1 | Untrusted URL redirection depends on a $@. | regexp-exec.js:9:38:9:57 | window.location.href | user-provided value |
-| regexp-exec.js:15:28:15:33 | group1 | regexp-exec.js:14:42:14:61 | window.location.href | regexp-exec.js:15:28:15:33 | group1 | Untrusted URL redirection depends on a $@. | regexp-exec.js:14:42:14:61 | window.location.href | user-provided value |
-| regexp-exec.js:20:28:20:33 | group1 | regexp-exec.js:19:36:19:55 | window.location.href | regexp-exec.js:20:28:20:33 | group1 | Untrusted URL redirection depends on a $@. | regexp-exec.js:19:36:19:55 | window.location.href | user-provided value |
-| regexp-exec.js:25:28:25:33 | group1 | regexp-exec.js:24:40:24:59 | window.location.href | regexp-exec.js:25:28:25:33 | group1 | Untrusted URL redirection depends on a $@. | regexp-exec.js:24:40:24:59 | window.location.href | user-provided value |
 | sanitizer.js:4:27:4:29 | url | sanitizer.js:2:15:2:25 | window.name | sanitizer.js:4:27:4:29 | url | Untrusted URL redirection depends on a $@. | sanitizer.js:2:15:2:25 | window.name | user-provided value |
 | sanitizer.js:16:27:16:29 | url | sanitizer.js:2:15:2:25 | window.name | sanitizer.js:16:27:16:29 | url | Untrusted URL redirection depends on a $@. | sanitizer.js:2:15:2:25 | window.name | user-provided value |
 | sanitizer.js:19:27:19:29 | url | sanitizer.js:2:15:2:25 | window.name | sanitizer.js:19:27:19:29 | url | Untrusted URL redirection depends on a $@. | sanitizer.js:2:15:2:25 | window.name | user-provided value |
@@ -396,9 +351,6 @@ subpaths
 | tst.js:6:20:6:59 | indirec ... ref)[1] | tst.js:6:34:6:55 | documen ... on.href | tst.js:6:20:6:59 | indirec ... ref)[1] | Untrusted URL redirection depends on a $@. | tst.js:6:34:6:55 | documen ... on.href | user-provided value |
 | tst.js:10:19:10:84 | new Reg ... ref)[1] | tst.js:10:59:10:80 | documen ... on.href | tst.js:10:19:10:84 | new Reg ... ref)[1] | Untrusted URL redirection depends on a $@. | tst.js:10:59:10:80 | documen ... on.href | user-provided value |
 | tst.js:14:20:14:59 | indirec ... ref)[1] | tst.js:14:34:14:55 | documen ... on.href | tst.js:14:20:14:59 | indirec ... ref)[1] | Untrusted URL redirection depends on a $@. | tst.js:14:34:14:55 | documen ... on.href | user-provided value |
-| tst.js:18:19:18:84 | new Reg ... ref)[1] | tst.js:18:59:18:80 | documen ... on.href | tst.js:18:19:18:84 | new Reg ... ref)[1] | Untrusted URL redirection depends on a $@. | tst.js:18:59:18:80 | documen ... on.href | user-provided value |
-| tst.js:22:20:22:59 | indirec ... ref)[1] | tst.js:22:34:22:55 | documen ... on.href | tst.js:22:20:22:59 | indirec ... ref)[1] | Untrusted URL redirection depends on a $@. | tst.js:22:34:22:55 | documen ... on.href | user-provided value |
-| tst.js:26:22:26:82 | new Reg ... ref)[1] | tst.js:26:62:26:78 | win.location.href | tst.js:26:22:26:82 | new Reg ... ref)[1] | Untrusted URL redirection depends on a $@. | tst.js:26:62:26:78 | win.location.href | user-provided value |
 | typed.ts:8:33:8:43 | redirectUri | typed.ts:4:22:4:36 | location.search | typed.ts:8:33:8:43 | redirectUri | Untrusted URL redirection depends on a $@. | typed.ts:4:22:4:36 | location.search | user-provided value |
 | typed.ts:29:33:29:43 | redirectUri | typed.ts:25:25:25:34 | loc.search | typed.ts:29:33:29:43 | redirectUri | Untrusted URL redirection depends on a $@. | typed.ts:25:25:25:34 | loc.search | user-provided value |
 | typed.ts:52:33:52:43 | redirectUri | typed.ts:47:25:47:34 | loc.search | typed.ts:52:33:52:43 | redirectUri | Untrusted URL redirection depends on a $@. | typed.ts:47:25:47:34 | loc.search | user-provided value |

javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/regexp-exec.js

@@ -12,15 +12,15 @@ function extractFromQuery() {
 
 function extractFromProtocol() {
     const [, group1] = /^([a-z]+:)/.exec(window.location.href);
-    window.location.href = group1; // OK [INCONSISTENCY]
+    window.location.href = group1; // OK
 }
 
 function extractTooMuch() {
     const [, group1] = /(.*)/.exec(window.location.href);
-    window.location.href = group1; // OK [INCONSISTENCY]
+    window.location.href = group1; // OK
 }
 
 function extractNothing() {
     const [, group1] = /blah#baz/.exec(window.location.href);
-    window.location.href = group1; // OK [INCONSISTENCY]
+    window.location.href = group1; // OK
 }

javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst.js

@@ -14,7 +14,7 @@ window.location = new RegExp('.*redirect=([^&]*).*').exec(document.location.href
 	window.location = indirect.exec(document.location.href)[1];
 });
 
-// NOT OK
+// NOT OK [INCONSISTENCY]
 window.location = new RegExp(/.*redirect=([^&]*).*/).exec(document.location.href)[1];
 
 (function(){
@@ -23,7 +23,7 @@ window.location = new RegExp(/.*redirect=([^&]*).*/).exec(document.location.href
 });
 
 function foo(win) {
-	win.location.assign(new RegExp(/.*redirect=([^&]*).*/).exec(win.location.href)[1]); // NOT OK
+	win.location.assign(new RegExp(/.*redirect=([^&]*).*/).exec(win.location.href)[1]); // NOT OK [INCONSISTENCY]
 }
 
 foo(window);