
Commit 15d74b7

committed
remove FP from js/regexpinjection where no regexp was constructed
1 parent 5a6a2e8 commit 15d74b7


3 files changed

+17
-1
lines changed

3 files changed

+17
-1
lines changed

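--- a/javascript/ql/src/semmle/javascript/Regexp.qll
+++ b/javascript/ql/src/semmle/javascript/Regexp.qll
@@ -810,7 +810,8 @@ predicate isInterpretedAsRegExp(DataFlow::Node source) {
 // The argument of a call that coerces the argument to a regular expression.
 exists(MethodCallExpr mce, string methodName |
 mce.getReceiver().analyze().getAType() = TTString() and
-mce.getMethodName() = methodName
+mce.getMethodName() = methodName and
+not exists(DataFlow::FunctionNode func | func = DataFlow::valueNode(mce.getCallee()).getAFunctionValue() | not func.getFunction().inExternsFile())
 |
 methodName = "match" and source.asExpr() = mce.getArgument(0) and mce.getNumArgument() = 1
 or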
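Review bot: The added `not exists(...)` conjunct carries no comment, and its intent (skip calls whose callee resolves to a function defined outside an externs file) has to be reconstructed from one very long line. I would break it across lines and put `// Exclude calls that resolve to a user-defined function: those do not coerce their argument to a RegExp.` above it. Because `getAFunctionValue()` is a may-analysis, a single imprecise user-defined candidate appears to be enough to drop a call that at runtime is the built-in string method, so the comment should also state that this trades possible missed regexp-injection results for fewer false positives. The predicate `isInterpretedAsRegExp` begins and ends outside this hunk.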

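--- a/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.js
+++ b/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.js
@@ -50,4 +50,13 @@ app.get('/findKey', function(req, res) {
 URI(`${protocol}://${host}${path}`).search(input); // OK, but still flagged
 URI(`${protocol}://${host}${path}`).search(input).href(); // OK
 unknown.search(input).unknown; // OK
+
+});
+
+import * as Search from './search';
+
+app.get('/findKey', function(req, res) {
+var key = req.param("key"), input = req.param("input");
+
+Search.search(input); // OK!
 });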
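Review bot: `Search.search(input); // OK!` does not say why the call is safe, which matters in a file whose neighbouring `// OK, but still flagged` lines document known imprecision. I would write `// OK: resolves to the user-defined search() exported by ./search, no RegExp is constructed`. The second handler also declares `key` without using it; dropping it keeps the case minimal. The hunk shows no companion case where the import is present and a call on a string receiver is still expected to be flagged; if none exists earlier in the file, adding one would pin that the new exclusion does not suppress real results.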
Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
module.someOtherExport = true;
2+
3+
4+
export function search(query) {
5+
// Do nothing!
6+
}
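Review bot: `module.someOtherExport = true;` on the first line is unexplained, and it is not evident from the page whether the fixture needs it to reproduce the false positive or whether it is leftover. If it is required, a one-line comment above it should say so, e.g. `// Needed to reproduce the false positive: <reason>`; otherwise I would remove it so the fixture contains only the exported `search`.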
