JavaScript: Recognise wrapped chains of replacements.

Max Schaefer · Max Schaefer · commit 5349e0f88142 · 2019-10-30T13:14:38.000Z
diff --git a/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql b/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
@@ -115,6 +115,13 @@ abstract class Replacement extends DataFlow::Node {
     result.getOutput() = getASimplePredecessor*(getInput())
   }
 
+  /**
+   * Gets the next replacement in this chain of replacements.
+   */
+  Replacement getNextReplacement() {
+    this = result.getPreviousReplacement()
+  }
+
   /**
    * Gets an earlier replacement in this chain of replacements that
    * performs an escaping.
@@ -231,8 +238,8 @@ class WrappedReplacement extends Replacement, DataFlow::CallNode {
 
   WrappedReplacement() {
     exists(DataFlow::FunctionNode wrapped | wrapped.getFunction() = getACallee() |
-      wrapped.getParameter(i).flowsTo(inner.getInput()) and
-      inner.getOutput().flowsTo(wrapped.getAReturn())
+      wrapped.getParameter(i).flowsTo(inner.getPreviousReplacement*().getInput()) and
+      inner.getNextReplacement*().getOutput().flowsTo(wrapped.getAReturn())
     )
   }
 
diff --git a/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/DoubleEscaping.expected b/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/DoubleEscaping.expected
@@ -9,3 +9,4 @@
 | tst.js:86:10:86:22 | JSON.parse(s) | This replacement may produce '\\' characters that are double-unescaped $@. | tst.js:86:10:86:47 | JSON.pa ... g, "<") | here |
 | tst.js:99:10:99:66 | s.repla ... &amp;") | This replacement may double-escape '&' characters from $@. | tst.js:99:10:99:43 | s.repla ... epl[c]) | here |
 | tst.js:107:10:107:53 | encodeD ... &amp;") | This replacement may double-escape '&' characters from $@. | tst.js:107:10:107:30 | encodeD ... otes(s) | here |
+| tst.js:115:10:115:47 | encodeQ ... &amp;") | This replacement may double-escape '&' characters from $@. | tst.js:115:10:115:24 | encodeQuotes(s) | here |
diff --git a/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js b/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js
@@ -106,3 +106,11 @@ function encodeDoubleQuotes(s) {
 function badWrappedEncode(s) {
   return encodeDoubleQuotes(s).replace(/&/g, "&amp;");
 }
+
+function encodeQuotes(s) {
+  return s.replace(/"/g, "&quot;").replace(/'/g, "&apos;");
+}
+
+function badWrappedEncode2(s) {
+  return encodeQuotes(s).replace(/&/g, "&amp;");
+}
