
Commit 02d16b1

author
Max Schaefer
committed
JavaScript: Recognise wrapped string replacement functions.
1 parent aaeca32 commit 02d16b1

3 files changed

Lines changed: 37 additions & 0 deletions


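--- a/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
+++ b/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
@@ -221,6 +221,34 @@ class JsonParseReplacement extends Replacement {
 }
 }
 
+/**
+* A string replacement wrapped in a utility function.
+*/
+class WrappedReplacement extends Replacement, DataFlow::CallNode {
+int i;
+
+Replacement inner;
+
+WrappedReplacement() {
+exists(DataFlow::FunctionNode wrapped | wrapped.getFunction() = getACallee() |
+wrapped.getParameter(i).flowsTo(inner.getInput()) and
+inner.getOutput().flowsTo(wrapped.getAReturn())
+)
+}
+
+override predicate replaces(string input, string output) {
+inner.replaces(input, output)
+}
+
+override DataFlow::Node getInput() {
+result = getArgument(i)
+}
+
+override DataFlow::SourceNode getOutput() {
+result = this
+}
+}
+
 from Replacement primary, Replacement supplementary, string message, string metachar
 where
 primary.escapes(metachar, _) and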
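Review bot: Nothing in the `WrappedReplacement` characteristic predicate limits a call node to a single `(i, inner)` pair. If `getACallee()` resolves to more than one function, or one wrapper returns different replacements on different paths, `replaces` and `getInput` each range over all pairs. As far as I can tell, separate member-predicate calls on the same node can then pair the `replaces` of one inner replacement with the argument index of another, which could produce spurious double-escaping alerts; a test with a two-parameter wrapper would settle it. The fields also lack QLDoc: I would add `/** The index of the wrapper parameter that flows into the inner replacement. */` on `i` and `/** The replacement performed inside the wrapper function. */` on `inner`. The query's `where` clause continues outside the hunk.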

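--- a/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/DoubleEscaping.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/DoubleEscaping.expected
@@ -8,3 +8,4 @@
 | tst.js:74:10:77:10 | JSON.st ... ) | This replacement may double-escape '\\' characters from $@. | tst.js:75:12:76:37 | s.repla ... u003E") | here |
 | tst.js:86:10:86:22 | JSON.parse(s) | This replacement may produce '\\' characters that are double-unescaped $@. | tst.js:86:10:86:47 | JSON.pa ... g, "<") | here |
 | tst.js:99:10:99:66 | s.repla ... &amp;") | This replacement may double-escape '&' characters from $@. | tst.js:99:10:99:43 | s.repla ... epl[c]) | here |
+| tst.js:107:10:107:53 | encodeD ... &amp;") | This replacement may double-escape '&' characters from $@. | tst.js:107:10:107:30 | encodeD ... otes(s) | here |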

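--- a/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js
@@ -98,3 +98,11 @@ function badEncodeWithReplacer(s) {
 };
 return s.replace(/["']/g, (c) => repl[c]).replace(/&/g, "&amp;");
 }
+
+function encodeDoubleQuotes(s) {
+return s.replace(/"/g, "&quot;");
+}
+
+function badWrappedEncode(s) {
+return encodeDoubleQuotes(s).replace(/&/g, "&amp;");
+}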
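Review bot: The added case `badWrappedEncode` only pins the flagged ordering; there is no companion case that uses the wrapper in the correct order. A change that makes the wrapper model match too broadly would therefore not be caught by this test. I would add `function goodWrappedEncode(s) { return encodeDoubleQuotes(s.replace(/&/g, "&amp;")); }`, which escapes `&` first and so should produce no row in `DoubleEscaping.expected`.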
