JS: now RegExp with unknown flags is not flagged as an issue within password Clear text storage of sensitive information

Napalys · Napalys · commit e673348ed3ed · 2024-11-28T11:26:56.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
@@ -36,7 +36,7 @@ module CleartextLogging {
    */
   class MaskingReplacer extends Barrier, StringReplaceCall {
     MaskingReplacer() {
-      this.isGlobal() and
+      this.maybeGlobal() and
       exists(this.getRawReplacement().getStringValue()) and
       exists(DataFlow::RegExpCreationNode regexpObj |
         this.(StringReplaceCall).getRegExp() = regexpObj and
diff --git a/javascript/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected b/javascript/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected
@@ -143,10 +143,6 @@ nodes
 | passwords.js:182:14:182:21 | password |
 | passwords.js:182:14:182:51 | passwor ... ), "*") |
 | passwords.js:182:14:182:51 | passwor ... ), "*") |
-| passwords.js:183:14:183:21 | password |
-| passwords.js:183:14:183:21 | password |
-| passwords.js:183:14:183:67 | passwor ... ), "*") |
-| passwords.js:183:14:183:67 | passwor ... ), "*") |
 | passwords_in_browser1.js:2:13:2:20 | password |
 | passwords_in_browser1.js:2:13:2:20 | password |
 | passwords_in_browser1.js:2:13:2:20 | password |
@@ -297,10 +293,6 @@ edges
 | passwords.js:182:14:182:21 | password | passwords.js:182:14:182:51 | passwor ... ), "*") |
 | passwords.js:182:14:182:21 | password | passwords.js:182:14:182:51 | passwor ... ), "*") |
 | passwords.js:182:14:182:21 | password | passwords.js:182:14:182:51 | passwor ... ), "*") |
-| passwords.js:183:14:183:21 | password | passwords.js:183:14:183:67 | passwor ... ), "*") |
-| passwords.js:183:14:183:21 | password | passwords.js:183:14:183:67 | passwor ... ), "*") |
-| passwords.js:183:14:183:21 | password | passwords.js:183:14:183:67 | passwor ... ), "*") |
-| passwords.js:183:14:183:21 | password | passwords.js:183:14:183:67 | passwor ... ), "*") |
 | passwords_in_browser1.js:2:13:2:20 | password | passwords_in_browser1.js:2:13:2:20 | password |
 | passwords_in_browser2.js:2:13:2:20 | password | passwords_in_browser2.js:2:13:2:20 | password |
 | passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password |
@@ -349,7 +341,6 @@ edges
 | passwords.js:173:17:173:26 | myPassword | passwords.js:173:17:173:26 | myPassword | passwords.js:173:17:173:26 | myPassword | This logs sensitive data returned by $@ as clear text. | passwords.js:173:17:173:26 | myPassword | an access to myPassword |
 | passwords.js:176:17:176:26 | myPasscode | passwords.js:176:17:176:26 | myPasscode | passwords.js:176:17:176:26 | myPasscode | This logs sensitive data returned by $@ as clear text. | passwords.js:176:17:176:26 | myPasscode | an access to myPasscode |
 | passwords.js:182:14:182:51 | passwor ... ), "*") | passwords.js:182:14:182:21 | password | passwords.js:182:14:182:51 | passwor ... ), "*") | This logs sensitive data returned by $@ as clear text. | passwords.js:182:14:182:21 | password | an access to password |
-| passwords.js:183:14:183:67 | passwor ... ), "*") | passwords.js:183:14:183:21 | password | passwords.js:183:14:183:67 | passwor ... ), "*") | This logs sensitive data returned by $@ as clear text. | passwords.js:183:14:183:21 | password | an access to password |
 | passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password | This logs sensitive data returned by $@ as clear text. | passwords_in_server_1.js:6:13:6:20 | password | an access to password |
 | passwords_in_server_2.js:3:13:3:20 | password | passwords_in_server_2.js:3:13:3:20 | password | passwords_in_server_2.js:3:13:3:20 | password | This logs sensitive data returned by $@ as clear text. | passwords_in_server_2.js:3:13:3:20 | password | an access to password |
 | passwords_in_server_3.js:2:13:2:20 | password | passwords_in_server_3.js:2:13:2:20 | password | passwords_in_server_3.js:2:13:2:20 | password | This logs sensitive data returned by $@ as clear text. | passwords_in_server_3.js:2:13:2:20 | password | an access to password |
diff --git a/javascript/ql/test/query-tests/Security/CWE-312/passwords.js b/javascript/ql/test/query-tests/Security/CWE-312/passwords.js
@@ -180,5 +180,5 @@ const debug = require('debug')('test');
     console.log(password.replace(/./g, "*")); // OK
 	console.log(password.replace(new RegExp(".", "g"), "*")); // OK
 	console.log(password.replace(new RegExp("."), "*")); // NOT OK
-	console.log(password.replace(new RegExp(".", unknownFlags()), "*")); // OK -- Currently flagged, though maybe it should not be.
+	console.log(password.replace(new RegExp(".", unknownFlags()), "*")); // OK -- Most likely not a problem.
 })();
