JavaScript: Fix regexes for escaping schemes.

Max Schaefer · Max Schaefer · commit 61aa075e8dc3 · 2019-11-22T09:24:34.000Z
diff --git a/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql b/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
@@ -54,11 +54,11 @@ DataFlow::Node getASimplePredecessor(DataFlow::Node nd) {
  * into a form described by regular expression `regex`.
  */
 predicate escapingScheme(string metachar, string regex) {
-  metachar = "&" and regex = "&.*;"
+  metachar = "&" and regex = "&.+;"
   or
-  metachar = "%" and regex = "%.*"
+  metachar = "%" and regex = "%.+"
   or
-  metachar = "\\" and regex = "\\\\.*"
+  metachar = "\\" and regex = "\\\\.+"
 }
 
 /**
diff --git a/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js b/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js
@@ -78,3 +78,8 @@ function badEncodeWithReplacer(s) {
   };
   return s.replace(/["']/g, (c) => repl[c]).replace(/&/g, "&amp;");
 }
+
+// dubious, but out of scope for this query
+function badRoundtrip(s) {
+  return s.replace(/\\\\/g, "\\").replace(/\\/g, "\\\\");
+}

Original file line number	Diff line number	Diff line change
`@@ -78,3 +78,8 @@ function badEncodeWithReplacer(s) {`
`78`	`78`	`};`
`79`	`79`	`return s.replace(/["']/g, (c) => repl[c]).replace(/&/g, "&");`
`80`	`80`	`}`
	`81`	`+`
	`82`	`+// dubious, but out of scope for this query`
	`83`	`+function badRoundtrip(s) {`
	`84`	`+ return s.replace(/\\\\/g, "\\").replace(/\\/g, "\\\\");`
	`85`	`+}`