Merge pull request #3716 from RasmusWL/python-fix-re-escape-fp

tausbn · web-flow · commit 44637e29eec2 · 2020-06-18T16:05:50.000+02:00
Python: Fix FP in treating re.escape as regex
diff --git a/python/ql/src/semmle/python/regex.qll b/python/ql/src/semmle/python/regex.qll
@@ -28,7 +28,8 @@ predicate used_as_regex(Expr s, string mode) {
     /* Call to re.xxx(regex, ... [mode]) */
     exists(CallNode call, string name |
         call.getArg(0).refersTo(_, _, s.getAFlowNode()) and
-        call.getFunction().pointsTo(Module::named("re").attr(name))
+        call.getFunction().pointsTo(Module::named("re").attr(name)) and
+        not name = "escape"
     |
         mode = "None"
         or
diff --git a/python/ql/test/library-tests/regex/test.py b/python/ql/test/library-tests/regex/test.py
@@ -62,3 +62,7 @@
 re.compile(r"\[(?P<txt>[^[]*)\]\((?P<uri>[^)]*)")
 
 re.compile("", re.M) # ODASA-8056
+
+# FP reported in https://github.com/github/codeql/issues/3712
+# This does not define a regex (but could be used by other code to do so)
+escaped = re.escape("https://www.humblebundle.com/home/library")
diff --git a/python/ql/test/query-tests/Security/CWE-020/hosttest.py b/python/ql/test/query-tests/Security/CWE-020/hosttest.py
@@ -17,3 +17,7 @@ def safe(request):
     target = request.args.get('target', '')
     if SAFE_REGEX.match(target):
         return redirect(target)
+
+# FP reported in https://github.com/github/codeql/issues/3712
+# This does not define a regex (but could be used by other code to do so)
+escaped = re.escape("https://www.humblebundle.com/home/library")
