JS: generalize js/incomplete-sanitization to handle ConstantString

Esben Sparre Andreasen · Esben Sparre Andreasen · commit a1d92bfa50a9 · 2018-12-11T13:39:15.000+01:00
diff --git a/javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql b/javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql
@@ -25,7 +25,7 @@ string metachar() {
 string getAMatchedString(Expr e) {
   result = getAMatchedConstant(e.(RegExpLiteral).getRoot()).getValue()
   or
-  result = e.(StringLiteral).getValue()
+  result = e.getStringValue()
 }
 
 /** Gets a constant matched by `t`. */
diff --git a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteSanitization.expected b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteSanitization.expected
@@ -9,3 +9,9 @@
 | tst.js:37:20:37:23 | /"/g | This does not backslash-escape the backslash character. |
 | tst.js:41:20:41:22 | "/" | This replaces only the first occurrence of "/". |
 | tst.js:45:20:45:24 | "%25" | This replaces only the first occurrence of "%25". |
+| tst.js:49:20:49:22 | `'` | This replaces only the first occurrence of `'`. |
+| tst.js:53:20:53:22 | "'" | This replaces only the first occurrence of "'". |
+| tst.js:57:20:57:22 | `'` | This replaces only the first occurrence of `'`. |
+| tst.js:61:20:61:27 | "'" + "" | This replaces only the first occurrence of "'" + "". |
+| tst.js:65:20:65:22 | "'" | This replaces only the first occurrence of "'". |
+| tst.js:69:20:69:27 | "'" + "" | This replaces only the first occurrence of "'" + "". |
diff --git a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js
@@ -45,6 +45,29 @@ function bad11(s) {
   return s.replace("%25", "%"); // NOT OK
 }
 
+function bad12(s) {
+  return s.replace(`'`, ""); // NOT OK
+}
+
+function bad13(s) {
+  return s.replace("'", ``); // NOT OK
+}
+
+function bad14(s) {
+  return s.replace(`'`, ``); // NOT OK
+}
+
+function bad15(s) {
+  return s.replace("'" + "", ""); // NOT OK
+}
+
+function bad16(s) {
+  return s.replace("'", "" + ""); // NOT OK
+}
+
+function bad17(s) {
+  return s.replace("'" + "", "" + ""); // NOT OK
+}
 
 function good1(s) {
   while (s.indexOf("'") > 0)
@@ -120,6 +143,12 @@ app.get('/some/path', function(req, res) {
   bad9(untrusted);
   bad10(untrusted);
   bad11(untrusted);
+  bad12(untrusted);
+  bad13(untrusted);
+  bad14(untrusted);
+  bad15(untrusted);
+  bad16(untrusted);
+  bad17(untrusted);
 
   good1(untrusted);
   good2(untrusted);

Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ string metachar() {`
`25`	`25`	`string getAMatchedString(Expr e) {`
`26`	`26`	`result = getAMatchedConstant(e.(RegExpLiteral).getRoot()).getValue()`
`27`	`27`	`or`
`28`		`- result = e.(StringLiteral).getValue()`
	`28`	`+ result = e.getStringValue()`
`29`	`29`	`}`
`30`	`30`
`31`	`31`	/** Gets a constant matched by `t`. */