JS: Extract RegExp ASTs from string literals

asger-semmle · asger-semmle · commit 0e1246c0e5d3 · 2019-11-15T09:27:18.000Z
diff --git a/javascript/extractor/src/com/semmle/js/ast/Literal.java b/javascript/extractor/src/com/semmle/js/ast/Literal.java
@@ -59,6 +59,11 @@ public boolean isRegExp() {
     return tokenType == TokenType.regexp;
   }
 
+  /** Is this a string literal? */
+  public boolean isStringLiteral() {
+    return tokenType == TokenType.string;
+  }
+
   /** The value of this literal expressed as a string. */
   public String getStringValue() {
     // regular expressions may have a null value; use the raw value instead
diff --git a/javascript/extractor/src/com/semmle/js/extractor/ASTExtractor.java b/javascript/extractor/src/com/semmle/js/extractor/ASTExtractor.java
@@ -516,7 +516,11 @@ public Label visit(Literal nd, Context c) {
       String valueString = nd.getStringValue();
 
       trapwriter.addTuple("literals", valueString, source, key);
-      if (nd.isRegExp()) regexpExtractor.extract(source.substring(1, source.lastIndexOf('/')), nd);
+      if (nd.isRegExp()) {
+        regexpExtractor.extract(source.substring(1, source.lastIndexOf('/')), nd, false);
+      } else if (nd.isStringLiteral()) {
+        regexpExtractor.extract(valueString, nd, true);
+      }
       return key;
     }
 
diff --git a/javascript/extractor/src/com/semmle/js/extractor/RegExpExtractor.java b/javascript/extractor/src/com/semmle/js/extractor/RegExpExtractor.java
@@ -341,9 +341,14 @@ public void visit(CharacterClassRange nd) {
     }
   }
 
-  public void extract(String src, Node parent) {
-    this.literalStart = parent.getLoc().getStart();
+  public void extract(String src, Node parent, boolean isSpeculativeParsing) {
     Result res = parser.parse(src);
+
+    if (isSpeculativeParsing && res.getErrors().size() > 0) {
+      return;
+    }
+
+    this.literalStart = parent.getLoc().getStart();
     RegExpTerm ast = res.getAST();
     new V().visit(ast, trapwriter.localID(parent), 0);
 
diff --git a/javascript/ql/src/semmlecode.javascript.dbscheme b/javascript/ql/src/semmlecode.javascript.dbscheme
@@ -815,7 +815,7 @@ regexpterm (unique int id: @regexpterm,
         int idx: int ref,
         varchar(900) tostring: string ref);
         
-@regexpparent = @regexpterm | @regexpliteral;
+@regexpparent = @regexpterm | @regexpliteral | @stringliteral;
 
 case @regexpterm.kind of
    0 = @regexp_alt
