Swift: Add a few more variant test cases.

geoffw0 · geoffw0 · commit f45b89a3ccf3 · 2023-07-11T09:26:37.000+01:00
diff --git a/swift/ql/test/query-tests/Security/CWE-116/BadTagFilter.expected b/swift/ql/test/query-tests/Security/CWE-116/BadTagFilter.expected
@@ -1,30 +1,31 @@
 | test.swift:79:26:79:48 | <script.*?>.*?<\\/script> | This regular expression does not match upper case <SCRIPT> tags. |
-| test.swift:87:26:87:53 | <script.*?>.*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
-| test.swift:91:26:91:33 | <!--.*--> | This regular expression does not match comments containing newlines. |
-| test.swift:95:26:95:35 | <!--.*--!?> | This regular expression does not match comments containing newlines. |
-| test.swift:99:26:99:35 | <!--.*--!?> | This regular expression does not match comments containing newlines. |
-| test.swift:103:26:103:58 | <script.*?>(.\|\\s)*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
-| test.swift:107:26:107:56 | <script[^>]*?>.*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
-| test.swift:111:26:111:63 | <script(\\s\|\\w\|=\|")*?>.*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
-| test.swift:118:28:118:65 | <script(\\s\|\\w\|=\|')*?>.*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
-| test.swift:122:50:122:87 | <script(\\s\|\\w\|=\|')*?>.*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
-| test.swift:129:28:129:69 | <script( \|\\n\|\\w\|=\|'\|")*?>.*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
-| test.swift:133:50:133:91 | <script( \|\\n\|\\w\|=\|'\|")*?>.*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
-| test.swift:140:28:140:55 | <script.*?>.*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
-| test.swift:143:50:143:77 | <script.*?>.*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
-| test.swift:150:28:150:73 | <(script\|SCRIPT).*?>.*?<\\/(script\|SCRIPT)[^>]*> | This regular expression does not match mixed case <sCrIpT> tags. |
-| test.swift:153:50:153:95 | <(script\|SCRIPT).*?>.*?<\\/(script\|SCRIPT)[^>]*> | This regular expression does not match mixed case <sCrIpT> tags. |
-| test.swift:160:28:160:60 | <script[^>]*?>[\\s\\S]*?<\\/script.*> | This regular expression does not match upper case <SCRIPT> tags. |
-| test.swift:163:50:163:82 | <script[^>]*?>[\\s\\S]*?<\\/script.*> | This regular expression does not match upper case <SCRIPT> tags. |
-| test.swift:170:28:170:64 | <script[^>]*?>[\\s\\S]*?<\\/script[^>]*?> | This regular expression does not match upper case <SCRIPT> tags. |
-| test.swift:173:50:173:86 | <script[^>]*?>[\\s\\S]*?<\\/script[^>]*?> | This regular expression does not match upper case <SCRIPT> tags. |
-| test.swift:177:27:177:68 | <(?:!--([\\S\|\\s]*?)-->)\|([^\\/\\s>]+)[\\S\\s]*?> | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 1 and comments ending with --!> are matched with capture group 2. |
-| test.swift:180:50:180:91 | <(?:!--([\\S\|\\s]*?)-->)\|([^\\/\\s>]+)[\\S\\s]*?> | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 1 and comments ending with --!> are matched with capture group 2. |
-| test.swift:184:27:184:167 | <(?:(?:\\/([^>]+)>)\|(?:!--([\\S\|\\s]*?)-->)\|(?:([^\\/\\s>]+)((?:\\s+[\\w\\-:.]+(?:\\s*=\\s*?(?:(?:"[^"]*")\|(?:'[^']*')\|[^\\s"'\\/>]+))?)*)[\\S\\s]*?(\\/?)>)) | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 2 and comments ending with --!> are matched with capture group 3, 4. |
-| test.swift:187:50:187:190 | <(?:(?:\\/([^>]+)>)\|(?:!--([\\S\|\\s]*?)-->)\|(?:([^\\/\\s>]+)((?:\\s+[\\w\\-:.]+(?:\\s*=\\s*?(?:(?:"[^"]*")\|(?:'[^']*')\|[^\\s"'\\/>]+))?)*)[\\S\\s]*?(\\/?)>)) | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 2 and comments ending with --!> are matched with capture group 3, 4. |
-| test.swift:191:51:191:84 | <script\\b[^>]*>([\\s\\S]*?)<\\/script> | This regular expression does not match upper case <SCRIPT> tags. |
-| test.swift:195:51:195:104 | (<[a-z\\/!$]("[^"]*"\|'[^']*'\|[^'">])*>\|<!(--.*?--\\s*)+>) | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 3 and comments ending with --!> are matched with capture group 1. |
-| test.swift:199:51:199:293 | <(?:(?:!--([\\w\\W]*?)-->)\|(?:!\\[CDATA\\[([\\w\\W]*?)\\]\\]>)\|(?:!DOCTYPE([\\w\\W]*?)>)\|(?:\\?([^\\s\\/<>]+) ?([\\w\\W]*?)[?/]>)\|(?:\\/([A-Za-z][A-Za-z0-9\\-_\\:\\.]*)>)\|(?:([A-Za-z][A-Za-z0-9\\-_\\:\\.]*)((?:\\s+[^"'>]+(?:(?:"[^"]*")\|(?:'[^']*')\|[^>]*))*\|\\/\|\\s+)>)) | This regular expression only parses --> (capture group 1) and not --!> as an HTML comment end tag. |
-| test.swift:203:51:203:77 | <!--([\\w\\W]*?)-->\|<([^>]*?)> | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 1 and comments ending with --!> are matched with capture group 2. |
-| test.swift:207:51:207:93 | <script([^>]*)>([\\\\S\\\\s]*?)<\\/script([^>]*)> | This regular expression does not match script end tags like </script >. |
-| test.swift:211:51:211:52 | --> | This regular expression only parses --> and not --!> as a HTML comment end tag. |
+| test.swift:90:27:90:54 | <script.*?>.*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:94:50:94:77 | <script.*?>.*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:98:26:98:33 | <!--.*--> | This regular expression does not match comments containing newlines. |
+| test.swift:102:26:102:35 | <!--.*--!?> | This regular expression does not match comments containing newlines. |
+| test.swift:106:26:106:35 | <!--.*--!?> | This regular expression does not match comments containing newlines. |
+| test.swift:110:26:110:58 | <script.*?>(.\|\\s)*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:114:26:114:56 | <script[^>]*?>.*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:118:26:118:63 | <script(\\s\|\\w\|=\|")*?>.*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:125:28:125:65 | <script(\\s\|\\w\|=\|')*?>.*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:129:50:129:87 | <script(\\s\|\\w\|=\|')*?>.*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:136:28:136:69 | <script( \|\\n\|\\w\|=\|'\|")*?>.*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:140:50:140:91 | <script( \|\\n\|\\w\|=\|'\|")*?>.*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:147:28:147:55 | <script.*?>.*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:150:50:150:77 | <script.*?>.*?<\\/script[^>]*> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:157:28:157:73 | <(script\|SCRIPT).*?>.*?<\\/(script\|SCRIPT)[^>]*> | This regular expression does not match mixed case <sCrIpT> tags. |
+| test.swift:160:50:160:95 | <(script\|SCRIPT).*?>.*?<\\/(script\|SCRIPT)[^>]*> | This regular expression does not match mixed case <sCrIpT> tags. |
+| test.swift:167:28:167:60 | <script[^>]*?>[\\s\\S]*?<\\/script.*> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:170:50:170:82 | <script[^>]*?>[\\s\\S]*?<\\/script.*> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:177:28:177:64 | <script[^>]*?>[\\s\\S]*?<\\/script[^>]*?> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:180:50:180:86 | <script[^>]*?>[\\s\\S]*?<\\/script[^>]*?> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:184:27:184:68 | <(?:!--([\\S\|\\s]*?)-->)\|([^\\/\\s>]+)[\\S\\s]*?> | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 1 and comments ending with --!> are matched with capture group 2. |
+| test.swift:187:50:187:91 | <(?:!--([\\S\|\\s]*?)-->)\|([^\\/\\s>]+)[\\S\\s]*?> | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 1 and comments ending with --!> are matched with capture group 2. |
+| test.swift:191:27:191:167 | <(?:(?:\\/([^>]+)>)\|(?:!--([\\S\|\\s]*?)-->)\|(?:([^\\/\\s>]+)((?:\\s+[\\w\\-:.]+(?:\\s*=\\s*?(?:(?:"[^"]*")\|(?:'[^']*')\|[^\\s"'\\/>]+))?)*)[\\S\\s]*?(\\/?)>)) | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 2 and comments ending with --!> are matched with capture group 3, 4. |
+| test.swift:194:50:194:190 | <(?:(?:\\/([^>]+)>)\|(?:!--([\\S\|\\s]*?)-->)\|(?:([^\\/\\s>]+)((?:\\s+[\\w\\-:.]+(?:\\s*=\\s*?(?:(?:"[^"]*")\|(?:'[^']*')\|[^\\s"'\\/>]+))?)*)[\\S\\s]*?(\\/?)>)) | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 2 and comments ending with --!> are matched with capture group 3, 4. |
+| test.swift:198:51:198:84 | <script\\b[^>]*>([\\s\\S]*?)<\\/script> | This regular expression does not match upper case <SCRIPT> tags. |
+| test.swift:202:51:202:104 | (<[a-z\\/!$]("[^"]*"\|'[^']*'\|[^'">])*>\|<!(--.*?--\\s*)+>) | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 3 and comments ending with --!> are matched with capture group 1. |
+| test.swift:206:51:206:293 | <(?:(?:!--([\\w\\W]*?)-->)\|(?:!\\[CDATA\\[([\\w\\W]*?)\\]\\]>)\|(?:!DOCTYPE([\\w\\W]*?)>)\|(?:\\?([^\\s\\/<>]+) ?([\\w\\W]*?)[?/]>)\|(?:\\/([A-Za-z][A-Za-z0-9\\-_\\:\\.]*)>)\|(?:([A-Za-z][A-Za-z0-9\\-_\\:\\.]*)((?:\\s+[^"'>]+(?:(?:"[^"]*")\|(?:'[^']*')\|[^>]*))*\|\\/\|\\s+)>)) | This regular expression only parses --> (capture group 1) and not --!> as an HTML comment end tag. |
+| test.swift:210:51:210:77 | <!--([\\w\\W]*?)-->\|<([^>]*?)> | Comments ending with --> are matched differently from comments ending with --!>. The first is matched with capture group 1 and comments ending with --!> are matched with capture group 2. |
+| test.swift:214:51:214:93 | <script([^>]*)>([\\\\S\\\\s]*?)<\\/script([^>]*)> | This regular expression does not match script end tags like </script >. |
+| test.swift:218:51:218:52 | --> | This regular expression only parses --> and not --!> as a HTML comment end tag. |
diff --git a/swift/ql/test/query-tests/Security/CWE-116/test.swift b/swift/ql/test/query-tests/Security/CWE-116/test.swift
@@ -83,9 +83,16 @@ func myRegexpVariantsTests(myUrl: URL) throws {
     let re2 = try Regex(#"<script.*?>.*?<\/script>/is"#).ignoresCase(true)
     _ = try re2.firstMatch(in: tainted)
 
+    // GOOD
+    let re3a = try Regex(#"(?is)<script.*?>.*?<\/script[^>]*>"#)
+    _ = try re3a.firstMatch(in: tainted)
+    // GOOD [FALSE POSITIVE]
+    let re3b = try Regex(#"<script.*?>.*?<\/script[^>]*>"#).ignoresCase(true).dotMatchesNewlines(true)
+    _ = try re3b.firstMatch(in: tainted)
     // GOOD [FALSE POSITIVE]
-    let re3 = try Regex(#"<script.*?>.*?<\/script[^>]*>"#).ignoresCase(true).dotMatchesNewlines(true)
-    _ = try re3.firstMatch(in: tainted)
+    let options3b: NSRegularExpression.Options = [.caseInsensitive, .dotMatchesLineSeparators]
+    let ns3b = try NSRegularExpression(pattern: #"<script.*?>.*?<\/script[^>]*>"#, options: options3b)
+    _ = ns3b.firstMatch(in: tainted, range: NSMakeRange(0, tainted.utf16.count))
 
     // GOOD - we don't care regexps that only match comments [FALSE POSITIVE]
     let re4 = try Regex(#"<!--.*-->"#).ignoresCase(true).dotMatchesNewlines(true)
