JavaScript: Deal with escape-unescape-escape (and similar) chains.

Max Schaefer · Max Schaefer · commit 0edb70f373dc · 2019-11-22T09:24:34.000Z
diff --git a/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql b/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
@@ -128,7 +128,9 @@ abstract class Replacement extends DataFlow::Node {
     exists(Replacement pred | pred = this.getPreviousReplacement() |
       if pred.escapes(_, metachar)
       then result = pred
-      else result = pred.getAnEarlierEscaping(metachar)
+      else (
+        not pred.unescapes(metachar, _) and result = pred.getAnEarlierEscaping(metachar)
+      )
     )
   }
 
@@ -140,7 +142,9 @@ abstract class Replacement extends DataFlow::Node {
     exists(Replacement succ | this = succ.getPreviousReplacement() |
       if succ.unescapes(metachar, _)
       then result = succ
-      else result = succ.getALaterUnescaping(metachar)
+      else (
+        not succ.escapes(_, metachar) and result = succ.getALaterUnescaping(metachar)
+      )
     )
   }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js b/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js
@@ -90,3 +90,7 @@ function testWithCapturedVar(x) {
     captured = captured.replace(/\\/g, "\\\\");
   })();
 }
+
+function encodeDecodeEncode(s) {
+ return goodEncode(goodDecode(goodEncode(s)));
+}

Original file line number	Diff line number	Diff line change
`@@ -128,7 +128,9 @@ abstract class Replacement extends DataFlow::Node {`
`128`	`128`	`exists(Replacement pred \| pred = this.getPreviousReplacement() \|`
`129`	`129`	`if pred.escapes(_, metachar)`
`130`	`130`	`then result = pred`
`131`		`- else result = pred.getAnEarlierEscaping(metachar)`
	`131`	`+ else (`
	`132`	`+ not pred.unescapes(metachar, _) and result = pred.getAnEarlierEscaping(metachar)`
	`133`	`+ )`
`132`	`134`	`)`
`133`	`135`	`}`
`134`	`136`
`@@ -140,7 +142,9 @@ abstract class Replacement extends DataFlow::Node {`
`140`	`142`	`exists(Replacement succ \| this = succ.getPreviousReplacement() \|`
`141`	`143`	`if succ.unescapes(metachar, _)`
`142`	`144`	`then result = succ`
`143`		`- else result = succ.getALaterUnescaping(metachar)`
	`145`	`+ else (`
	`146`	`+ not succ.escapes(_, metachar) and result = succ.getALaterUnescaping(metachar)`
	`147`	`+ )`
`144`	`148`	`)`
`145`	`149`	`}`
`146`	`150`	`}`
Original file line number	Diff line number	Diff line change
`@@ -90,3 +90,7 @@ function testWithCapturedVar(x) {`
`90`	`90`	`captured = captured.replace(/\\/g, "\\\\");`
`91`	`91`	`})();`
`92`	`92`	`}`
	`93`	`+`
	`94`	`+function encodeDecodeEncode(s) {`
	`95`	`+ return goodEncode(goodDecode(goodEncode(s)));`
	`96`	`+}`