use regexp term instead of char class

erik-krogh · erik-krogh · commit 622a2fcfdc2c · 2020-03-03T12:24:13.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
@@ -227,9 +227,9 @@ module TaintedPath {
           seq.getNumChild() = 2
         )
         or
-        exists(RegExpCharacterClass choice | literal.getRoot() = choice |
-          choice.getAMatchedString() = "/" or
-          choice.getAMatchedString() = "."
+        exists(RegExpTerm term | literal.getRoot() = term |
+          term.getAMatchedString() = "/" or
+          term.getAMatchedString() = "."
         )
       )
     }
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js
@@ -179,4 +179,6 @@ var server = http.createServer(function(req, res) {
   res.write(fs.readFileSync(path.replace(/[..]/g, ''))); // OK
   res.write(fs.readFileSync(path.replace(/[./]/g, ''))); // OK
   res.write(fs.readFileSync(path.replace(/[foobar/foobar]/g, ''))); // OK
+  res.write(fs.readFileSync(path.replace(/\//g, ''))); // OK
+  res.write(fs.readFileSync(path.replace(/\./g, ''))); // OK
 });

Original file line number	Diff line number	Diff line change
`@@ -227,9 +227,9 @@ module TaintedPath {`
`227`	`227`	`seq.getNumChild() = 2`
`228`	`228`	`)`
`229`	`229`	`or`
`230`		`- exists(RegExpCharacterClass choice \| literal.getRoot() = choice \|`
`231`		`- choice.getAMatchedString() = "/" or`
`232`		`- choice.getAMatchedString() = "."`
	`230`	`+ exists(RegExpTerm term \| literal.getRoot() = term \|`
	`231`	`+ term.getAMatchedString() = "/" or`
	`232`	`+ term.getAMatchedString() = "."`
`233`	`233`	`)`
`234`	`234`	`)`
`235`	`235`	`}`