use RegExpTerm to generalize predicate

erik-krogh · erik-krogh · commit 95819c8731b3 · 2020-03-03T12:34:18.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
@@ -217,20 +217,14 @@ module TaintedPath {
       this.getCalleeName() = "replace" and
       input = getReceiver() and
       output = this and
-      not exists(RegExpLiteral literal |
+      not exists(RegExpLiteral literal, RegExpTerm term |
         getArgument(0).getALocalSource().asExpr() = literal and
-        literal.isGlobal()
+        literal.isGlobal() and
+        literal.getRoot() = term
       |
-        exists(RegExpSequence seq | literal.getRoot() = seq |
-          seq.getChild(0).(RegExpConstant).getValue() = "." and
-          seq.getChild(1).(RegExpConstant).getValue() = "." and
-          seq.getNumChild() = 2
-        )
-        or
-        exists(RegExpTerm term | literal.getRoot() = term |
-          term.getAMatchedString() = "/" or
-          term.getAMatchedString() = "."
-        )
+        term.getAMatchedString() = "/" or
+        term.getAMatchedString() = "." or
+        term.getAMatchedString() = ".."
       )
     }
 
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js
@@ -172,7 +172,7 @@ var server = http.createServer(function(req, res) {
 var server = http.createServer(function(req, res) {
   let path = url.parse(req.url, true).query.path;
   
-  // Removal of forward-slash.
+  // Removal of forward-slash or dots.
   res.write(fs.readFileSync(path.replace(/[\]\[*,;'"`<>\\?\/]/g, ''))); // OK.
   res.write(fs.readFileSync(path.replace(/[abcd]/g, ''))); // NOT OK
   res.write(fs.readFileSync(path.replace(/[.]/g, ''))); // OK (can still be absolute)
@@ -181,4 +181,6 @@ var server = http.createServer(function(req, res) {
   res.write(fs.readFileSync(path.replace(/[foobar/foobar]/g, ''))); // OK
   res.write(fs.readFileSync(path.replace(/\//g, ''))); // OK
   res.write(fs.readFileSync(path.replace(/\./g, ''))); // OK
+  res.write(fs.readFileSync(path.replace(/\.|\//g, ''))); // OK
+  res.write(fs.readFileSync(path.replace(/\.\.|BLA/g, ''))); // OK
 });
