JS: Review comments

Author: asger-semmle

javascript/ql/src/semmle/javascript/Regexp.qll

@@ -990,7 +990,7 @@ module RegExp {
   }
 
   /**
-   * Holds if `term` is matches any character except for explicitly listed exceptions.
+   * Holds if `term` matches any character except for explicitly listed exceptions.
    *
    * For example, holds for `.`, `[^<>]`, or `\W`, but not for `[a-z]`, `\w`, or `[^\W\S]`.
    */
@@ -999,11 +999,13 @@ module RegExp {
     or
     term.(RegExpCharacterClassEscape).getValue().isUppercase()
     or
+    // [^a-z]
     exists(RegExpCharacterClass cls | term = cls |
       cls.isInverted() and
       not cls.getAChild().(RegExpCharacterClassEscape).getValue().isUppercase()
     )
     or
+    // [\W]
     exists(RegExpCharacterClass cls | term = cls |
       not cls.isInverted() and
       cls.getAChild().(RegExpCharacterClassEscape).getValue().isUppercase()
@@ -1024,6 +1026,7 @@ module RegExp {
       isFullyAnchoredTerm(term) and
       not isWildcardLike(term.getAChild*())
       or
+      // Character set restrictions like `/[^a-z]/.test(x)` sanitize in the false case
       outcome = false and
       exists(RegExpTerm root |
         root = term
@@ -1043,7 +1046,7 @@ module RegExp {
   RegExpTerm getRegExpObjectFromNode(DataFlow::Node node) {
     exists(DataFlow::RegExpCreationNode regexp |
       regexp.getAReference().flowsTo(node) and
-      result = regexp.getRegExpTerm()
+      result = regexp.getRoot()
     )
   }
 

javascript/ql/src/semmle/javascript/dataflow/Nodes.qll

@@ -546,6 +546,11 @@ class RegExpLiteralNode extends DataFlow::ValueNode, DataFlow::SourceNode {
 
   /** Gets the root term of this regular expression. */
   RegExpTerm getRoot() { result = astNode.getRoot() }
+
+  /** Gets the flags of this regular expression literal. */
+  string getFlags() {
+    result = astNode.getFlags()
+  }
 }
 
 /**
@@ -1331,9 +1336,10 @@ class RegExpConstructorInvokeNode extends DataFlow::InvokeNode {
   }
 
   /**
-   * Gets the AST of the regular expression created here, if it is constant.
+   * Gets the AST of the regular expression created here, provided that the
+   * first argument is a string literal.
    */
-  RegExpTerm getRegExpTerm() {
+  RegExpTerm getRoot() {
     result = getArgument(0).asExpr().(StringLiteral).asRegExp()
   }
 
@@ -1362,28 +1368,6 @@ class RegExpConstructorInvokeNode extends DataFlow::InvokeNode {
   }
 }
 
-/**
- * A data flow node corresponding to a regular expression literal.
- *
- * Example:
- * ```js
- * /[a-z]+/i
- * ```
- */
-class RegExpLiteralNode extends DataFlow::SourceNode, DataFlow::ValueNode {
-  override RegExpLiteral astNode;
-
-  /** Gets the root term of this regular expression literal. */
-  RegExpTerm getRegExpTerm() {
-    result = astNode.getRoot()
-  }
-
-  /** Gets the flags of this regular expression literal. */
-  string getFlags() {
-    result = astNode.getFlags()
-  }
-}
-
 /**
  * A data flow node corresponding to a regular expression literal or
  * an invocation of the `RegExp` constructor.
@@ -1406,9 +1390,9 @@ class RegExpCreationNode extends DataFlow::SourceNode {
    *
    * Has no result for calls to `RegExp` with a non-constant argument.
    */
-  RegExpTerm getRegExpTerm() {
-    result = this.(RegExpConstructorInvokeNode).getRegExpTerm() or
-    result = this.(RegExpLiteralNode).getRegExpTerm()
+  RegExpTerm getRoot() {
+    result = this.(RegExpConstructorInvokeNode).getRoot() or
+    result = this.(RegExpLiteralNode).getRoot()
   }
 
   /**

javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss.expected

@@ -59,16 +59,16 @@ nodes
 | exception-xss.js:129:10:129:10 | e |
 | exception-xss.js:130:18:130:18 | e |
 | exception-xss.js:130:18:130:18 | e |
-| tst.js:298:9:298:16 | location |
-| tst.js:298:9:298:16 | location |
-| tst.js:299:10:299:10 | e |
-| tst.js:300:20:300:20 | e |
-| tst.js:300:20:300:20 | e |
-| tst.js:305:10:305:17 | location |
-| tst.js:305:10:305:17 | location |
-| tst.js:307:10:307:10 | e |
-| tst.js:308:20:308:20 | e |
-| tst.js:308:20:308:20 | e |
+| tst.js:304:9:304:16 | location |
+| tst.js:304:9:304:16 | location |
+| tst.js:305:10:305:10 | e |
+| tst.js:306:20:306:20 | e |
+| tst.js:306:20:306:20 | e |
+| tst.js:311:10:311:17 | location |
+| tst.js:311:10:311:17 | location |
+| tst.js:313:10:313:10 | e |
+| tst.js:314:20:314:20 | e |
+| tst.js:314:20:314:20 | e |
 edges
 | exception-xss.js:2:9:2:31 | foo | exception-xss.js:9:11:9:13 | foo |
 | exception-xss.js:2:9:2:31 | foo | exception-xss.js:15:9:15:11 | foo |
@@ -127,14 +127,14 @@ edges
 | exception-xss.js:128:11:128:52 | session ... ssion') | exception-xss.js:129:10:129:10 | e |
 | exception-xss.js:129:10:129:10 | e | exception-xss.js:130:18:130:18 | e |
 | exception-xss.js:129:10:129:10 | e | exception-xss.js:130:18:130:18 | e |
-| tst.js:298:9:298:16 | location | tst.js:299:10:299:10 | e |
-| tst.js:298:9:298:16 | location | tst.js:299:10:299:10 | e |
-| tst.js:299:10:299:10 | e | tst.js:300:20:300:20 | e |
-| tst.js:299:10:299:10 | e | tst.js:300:20:300:20 | e |
-| tst.js:305:10:305:17 | location | tst.js:307:10:307:10 | e |
-| tst.js:305:10:305:17 | location | tst.js:307:10:307:10 | e |
-| tst.js:307:10:307:10 | e | tst.js:308:20:308:20 | e |
-| tst.js:307:10:307:10 | e | tst.js:308:20:308:20 | e |
+| tst.js:304:9:304:16 | location | tst.js:305:10:305:10 | e |
+| tst.js:304:9:304:16 | location | tst.js:305:10:305:10 | e |
+| tst.js:305:10:305:10 | e | tst.js:306:20:306:20 | e |
+| tst.js:305:10:305:10 | e | tst.js:306:20:306:20 | e |
+| tst.js:311:10:311:17 | location | tst.js:313:10:313:10 | e |
+| tst.js:311:10:311:17 | location | tst.js:313:10:313:10 | e |
+| tst.js:313:10:313:10 | e | tst.js:314:20:314:20 | e |
+| tst.js:313:10:313:10 | e | tst.js:314:20:314:20 | e |
 #select
 | exception-xss.js:11:18:11:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:11:18:11:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
 | exception-xss.js:17:18:17:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:17:18:17:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
@@ -147,5 +147,5 @@ edges
 | exception-xss.js:107:18:107:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:107:18:107:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
 | exception-xss.js:119:14:119:30 | "Exception: " + e | exception-xss.js:117:13:117:25 | req.params.id | exception-xss.js:119:14:119:30 | "Exception: " + e | Cross-site scripting vulnerability due to $@. | exception-xss.js:117:13:117:25 | req.params.id | user-provided value |
 | exception-xss.js:130:18:130:18 | e | exception-xss.js:125:48:125:64 | document.location | exception-xss.js:130:18:130:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:125:48:125:64 | document.location | user-provided value |
-| tst.js:300:20:300:20 | e | tst.js:298:9:298:16 | location | tst.js:300:20:300:20 | e | Cross-site scripting vulnerability due to $@. | tst.js:298:9:298:16 | location | user-provided value |
-| tst.js:308:20:308:20 | e | tst.js:305:10:305:17 | location | tst.js:308:20:308:20 | e | Cross-site scripting vulnerability due to $@. | tst.js:305:10:305:17 | location | user-provided value |
+| tst.js:306:20:306:20 | e | tst.js:304:9:304:16 | location | tst.js:306:20:306:20 | e | Cross-site scripting vulnerability due to $@. | tst.js:304:9:304:16 | location | user-provided value |
+| tst.js:314:20:314:20 | e | tst.js:311:10:311:17 | location | tst.js:314:20:314:20 | e | Cross-site scripting vulnerability due to $@. | tst.js:311:10:311:17 | location | user-provided value |