JavaScript: Address review comments.

Author: Max Schaefer

change-notes/1.19/analysis-javascript.md

@@ -2,7 +2,7 @@
 
 ## General improvements
 
-* Modelling of taint flow through array operations has been improved. This may give additional results for the security queries.
+* Modelling of taint flow through array and buffer operations has been improved. This may give additional results for the security queries.
 
 * Support for AMD modules has been improved. This may give additional results for the security queries as well as any queries that use type inference on code bases that use such modules.
 

javascript/ql/src/semmle/javascript/security/dataflow/HardcodedDataInterpretedAsCode.qll

@@ -51,18 +51,21 @@ module HardcodedDataInterpretedAsCode {
     }
 
     override predicate isSanitizer(DataFlow::Node node) {
-      super.isSanitizer(node) or
       node instanceof Sanitizer
     }
   }
 
   /**
-   * A constant string consisting of eight or more hexadecimal characters, viewed
-   * as a source of hard-coded data that should not be interpreted as code.
+   * A constant string consisting of eight or more hexadecimal characters (including at
+   * least one digit), viewed as a source of hard-coded data that should not be
+   * interpreted as code.
    */
   private class DefaultSource extends Source, DataFlow::ValueNode {
     DefaultSource() {
-      astNode.(Expr).getStringValue().regexpMatch("[0-9a-fA-F]{8,}")
+      exists (string val | val = astNode.(Expr).getStringValue() |
+        val.regexpMatch("[0-9a-fA-F]{8,}") and
+        val.regexpMatch(".*[0-9].*")
+      )
     }
   }
 

javascript/ql/test/query-tests/Security/CWE-506/HardcodedDataInterpretedAsCode.expected

@@ -3,20 +3,24 @@ nodes
 | event-stream-orig.js:2:1115:2:1138 | "2e2f74 ... 617461" |
 | event-stream.js:9:11:9:37 | e("2e2f ... 17461") |
 | event-stream.js:9:13:9:36 | "2e2f74 ... 617461" |
+| tst.js:1:5:1:88 | totallyHarmlessString |
 | tst.js:1:29:1:88 | '636f6e ... 6e2729' |
 | tst.js:2:6:2:46 | Buffer. ...  'hex') |
 | tst.js:2:6:2:57 | Buffer. ... tring() |
 | tst.js:2:18:2:38 | totally ... sString |
+| tst.js:5:5:5:23 | test |
 | tst.js:5:12:5:23 | "0123456789" |
 | tst.js:7:8:7:11 | test |
 | tst.js:7:8:7:15 | test+"n" |
 edges
 | event-stream-orig.js:2:1115:2:1138 | "2e2f74 ... 617461" | event-stream-orig.js:2:1113:2:1139 | e("2e2f ... 17461") |
 | event-stream.js:9:13:9:36 | "2e2f74 ... 617461" | event-stream.js:9:11:9:37 | e("2e2f ... 17461") |
-| tst.js:1:29:1:88 | '636f6e ... 6e2729' | tst.js:2:18:2:38 | totally ... sString |
+| tst.js:1:5:1:88 | totallyHarmlessString | tst.js:2:18:2:38 | totally ... sString |
+| tst.js:1:29:1:88 | '636f6e ... 6e2729' | tst.js:1:5:1:88 | totallyHarmlessString |
 | tst.js:2:6:2:46 | Buffer. ...  'hex') | tst.js:2:6:2:57 | Buffer. ... tring() |
 | tst.js:2:18:2:38 | totally ... sString | tst.js:2:6:2:46 | Buffer. ...  'hex') |
-| tst.js:5:12:5:23 | "0123456789" | tst.js:7:8:7:11 | test |
+| tst.js:5:5:5:23 | test | tst.js:7:8:7:11 | test |
+| tst.js:5:12:5:23 | "0123456789" | tst.js:5:5:5:23 | test |
 | tst.js:7:8:7:11 | test | tst.js:7:8:7:15 | test+"n" |
 #select
 | event-stream-orig.js:2:1113:2:1139 | e("2e2f ... 17461") | event-stream-orig.js:2:1115:2:1138 | "2e2f74 ... 617461" | event-stream-orig.js:2:1113:2:1139 | e("2e2f ... 17461") | Hard-coded data from $@ is interpreted as an import path. | event-stream-orig.js:2:1115:2:1138 | "2e2f74 ... 617461" | here |

javascript/ql/test/query-tests/Security/CWE-506/tst.js

@@ -8,4 +8,6 @@ try {
   console.log("Bigints supported.");
 } catch(e) {
   console.log("Bigints not supported.");
-}
+}
+
+require('babeface'); // OK