more precise heuristic to identify allowed call targets

erik-krogh · erik-krogh · commit a0b5aa5ae450 · 2019-12-20T10:51:39.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/Regexp.qll b/javascript/ql/src/semmle/javascript/Regexp.qll
@@ -798,6 +798,16 @@ class RegExpParseError extends Error, @regexp_parse_error {
   override string toString() { result = getMessage() }
 }
 
+/**
+ * Holds if `func` is a method defined on `String.prototype` with name `name`. 
+ */
+private predicate isNativeStringMethod(Function func, string name) {
+  exists(ExternalInstanceMemberDecl decl |
+    decl.hasQualifiedName("String", name) and
+    func = decl.getInit()
+  )
+}
+
 /**
  * Holds if `source` may be interpreted as a regular expression.
  */
@@ -811,7 +821,11 @@ predicate isInterpretedAsRegExp(DataFlow::Node source) {
     exists(MethodCallExpr mce, string methodName |
       mce.getReceiver().analyze().getAType() = TTString() and
       mce.getMethodName() = methodName and
-      not exists(DataFlow::FunctionNode func | func = DataFlow::valueNode(mce.getCallee()).getAFunctionValue() | not func.getFunction().inExternsFile())
+      not exists(Function func |
+        func = any(DataFlow::MethodCallNode call | call.getEnclosingExpr() = mce).getACallee()
+      |
+        not isNativeStringMethod(func, methodName)
+      )
     |
       methodName = "match" and source.asExpr() = mce.getArgument(0) and mce.getNumArgument() = 1
       or
