JS: Now BadHtmlSanitizers new RegExp with unknown flags is also flagged.

Napalys · Napalys · commit aab0f6a20554 · 2024-11-26T09:37:57.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/StandardLibrary.qll b/javascript/ql/lib/semmle/javascript/StandardLibrary.qll
@@ -119,6 +119,14 @@ class StringReplaceCall extends DataFlow::MethodCallNode {
     RegExp::isGlobal(this.getRegExp().getFlags()) or this.getMethodName() = "replaceAll"
   }
 
+  /**
+   * Holds if this is a global replacement, that is, the first argument is a regular expression
+   * with the `g` flag, or this is a call to `.replaceAll()`.
+   */
+  predicate maybeGlobal() {
+    RegExp::maybeGlobal(this.getRegExp().tryGetFlags()) or this.getMethodName() = "replaceAll"
+  }
+
   /**
    * Holds if this call to `replace` replaces `old` with `new`.
    */
diff --git a/javascript/ql/lib/semmle/javascript/security/IncompleteBlacklistSanitizer.qll b/javascript/ql/lib/semmle/javascript/security/IncompleteBlacklistSanitizer.qll
@@ -74,7 +74,7 @@ private StringReplaceCall getAStringReplaceMethodCall(StringReplaceCall n) {
 module HtmlSanitization {
   private predicate fixedGlobalReplacement(StringReplaceCallSequence chain) {
     forall(StringReplaceCall member | member = chain.getAMember() |
-      member.isGlobal() and member.getArgument(0) instanceof DataFlow::RegExpCreationNode
+      member.maybeGlobal() and member.getArgument(0) instanceof DataFlow::RegExpCreationNode
     )
   }
 
diff --git a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteBlacklistSanitizer.expected b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteBlacklistSanitizer.expected
@@ -68,3 +68,6 @@
 | tst.js:333:2:333:40 | s().rep ... g"),'') | This HTML sanitizer does not sanitize ampersands |
 | tst.js:333:2:333:40 | s().rep ... g"),'') | This HTML sanitizer does not sanitize double quotes |
 | tst.js:333:2:333:40 | s().rep ... g"),'') | This HTML sanitizer does not sanitize single quotes |
+| tst.js:337:2:337:46 | s().rep ... ()),'') | This HTML sanitizer does not sanitize ampersands |
+| tst.js:337:2:337:46 | s().rep ... ()),'') | This HTML sanitizer does not sanitize double quotes |
+| tst.js:337:2:337:46 | s().rep ... ()),'') | This HTML sanitizer does not sanitize single quotes |
diff --git a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js
@@ -334,5 +334,5 @@ function typicalBadHtmlSanitizers(s) {
 }
 
 function typicalBadHtmlSanitizers(s) {
-	s().replace(new RegExp("[<>]", unknown()),''); // NOT OK -- should be flagged, because it is st ill a bad sanitizer
+	s().replace(new RegExp("[<>]", unknown()),''); // NOT OK
 }

Original file line number	Diff line number	Diff line change
`@@ -74,7 +74,7 @@ private StringReplaceCall getAStringReplaceMethodCall(StringReplaceCall n) {`
`74`	`74`	`module HtmlSanitization {`
`75`	`75`	`private predicate fixedGlobalReplacement(StringReplaceCallSequence chain) {`
`76`	`76`	`forall(StringReplaceCall member \| member = chain.getAMember() \|`
`77`		`- member.isGlobal() and member.getArgument(0) instanceof DataFlow::RegExpCreationNode`
	`77`	`+ member.maybeGlobal() and member.getArgument(0) instanceof DataFlow::RegExpCreationNode`
`78`	`78`	`)`
`79`	`79`	`}`
`80`	`80`
Original file line number	Diff line number	Diff line change
`@@ -334,5 +334,5 @@ function typicalBadHtmlSanitizers(s) {`
`334`	`334`	`}`
`335`	`335`
`336`	`336`	`function typicalBadHtmlSanitizers(s) {`
`337`		`- s().replace(new RegExp("[<>]", unknown()),''); // NOT OK -- should be flagged, because it is st ill a bad sanitizer`
	`337`	`+ s().replace(new RegExp("[<>]", unknown()),''); // NOT OK`
`338`	`338`	`}`