Merge pull request #1004 from asger-semmle/suffix-check-bug

Max Schaefer · web-flow · commit 2ecabad55355 · 2019-02-28T14:23:26.000Z
JS: Recognize '+' in suffix check
diff --git a/javascript/ql/src/Security/CWE-020/IncorrectSuffixCheck.ql b/javascript/ql/src/Security/CWE-020/IncorrectSuffixCheck.ql
@@ -95,9 +95,9 @@ predicate isDerivedFromLength(DataFlow::Node length, DataFlow::Node operand) {
   or
   isDerivedFromLength(length.getAPredecessor(), operand)
   or
-  exists(SubExpr sub |
-    isDerivedFromLength(sub.getAnOperand().flow(), operand) and
-    length = sub.flow()
+  exists(BinaryExpr expr | expr instanceof SubExpr or expr instanceof AddExpr |
+    isDerivedFromLength(expr.getAnOperand().flow(), operand) and
+    length = expr.flow()
   )
 }
 
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncorrectSuffixCheck.expected b/javascript/ql/test/query-tests/Security/CWE-020/IncorrectSuffixCheck.expected
@@ -8,3 +8,4 @@
 | tst.js:55:32:55:71 | x.index ... gth - 1 | This suffix check is missing a length comparison to correctly handle indexOf returning -1. |
 | tst.js:67:32:67:71 | x.index ... gth - 1 | This suffix check is missing a length comparison to correctly handle indexOf returning -1. |
 | tst.js:76:25:76:57 | index = ... gth - 1 | This suffix check is missing a length comparison to correctly handle indexOf returning -1. |
+| tst.js:80:10:80:57 | x.index ... th + 1) | This suffix check is missing a length comparison to correctly handle indexOf returning -1. |
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/tst.js b/javascript/ql/test/query-tests/Security/CWE-020/tst.js
@@ -75,3 +75,7 @@ function withIndexOfCheckBad(x, y) {
   let index = x.indexOf(y);
   return index !== 0 && index === x.length - y.length - 1; // NOT OK
 }
+
+function plus(x, y) {
+  return x.indexOf("." + y) === x.length - (y.length + 1); // NOT OK
+}

Original file line number	Diff line number	Diff line change
`@@ -95,9 +95,9 @@ predicate isDerivedFromLength(DataFlow::Node length, DataFlow::Node operand) {`
`95`	`95`	`or`
`96`	`96`	`isDerivedFromLength(length.getAPredecessor(), operand)`
`97`	`97`	`or`
`98`		`- exists(SubExpr sub \|`
`99`		`- isDerivedFromLength(sub.getAnOperand().flow(), operand) and`
`100`		`- length = sub.flow()`
	`98`	`+ exists(BinaryExpr expr \| expr instanceof SubExpr or expr instanceof AddExpr \|`
	`99`	`+ isDerivedFromLength(expr.getAnOperand().flow(), operand) and`
	`100`	`+ length = expr.flow()`
`101`	`101`	`)`
`102`	`102`	`}`
`103`	`103`
Original file line number	Diff line number	Diff line change
`@@ -75,3 +75,7 @@ function withIndexOfCheckBad(x, y) {`
`75`	`75`	`let index = x.indexOf(y);`
`76`	`76`	`return index !== 0 && index === x.length - y.length - 1; // NOT OK`
`77`	`77`	`}`
	`78`	`+`
	`79`	`+function plus(x, y) {`
	`80`	`+ return x.indexOf("." + y) === x.length - (y.length + 1); // NOT OK`
	`81`	`+}`