JS: Exclude client-side sources from RegExpInjection

asgerf · asgerf · commit aa1c8c041ebc · 2021-03-16T13:28:11.000Z
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/RegExpInjectionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/RegExpInjectionCustomizations.qll
@@ -27,7 +27,10 @@ module RegExpInjection {
    * expression injection.
    */
   class RemoteFlowSourceAsSource extends Source {
-    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
+    RemoteFlowSourceAsSource() {
+      this instanceof RemoteFlowSource and
+      not this instanceof ClientSideRemoteFlowSource
+    }
   }
 
   /**
diff --git a/javascript/ql/test/query-tests/Security/CWE-730/client-side.js b/javascript/ql/test/query-tests/Security/CWE-730/client-side.js
@@ -0,0 +1,4 @@
+function foo() {
+    let taint = window.location.hash.substring(1);
+    new RegExp(taint); // OK - we do not flag RegExp injection on the client side as the impact is too low
+}
