

Commit aaeca32

author
Max Schaefer
committed
JavaScript: Recognize string escaping using .replace with a callback.
1 parent bd1c99d commit aaeca32

3 files changed

Lines changed: 18 additions & 0 deletions


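--- a/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
+++ b/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
@@ -156,6 +156,14 @@ class GlobalStringReplacement extends Replacement, DataFlow::MethodCallNode {
   override predicate replaces(string input, string output) {
     input = getStringValue(pattern) and
     output = this.getArgument(1).getStringValue()
+    or
+    exists(DataFlow::FunctionNode replacer, DataFlow::PropRead pr, DataFlow::ObjectLiteralNode map |
+      replacer = getCallback(1) and
+      replacer.getParameter(0).flowsToExpr(pr.getPropertyNameExpr()) and
+      pr = map.getAPropertyRead() and
+      pr.flowsTo(replacer.getAReturn()) and
+      map.asExpr().(ObjectExpr).getPropertyByName(input).getInit().getStringValue() = output
+    )
   }
 
   override DataFlow::Node getInput() {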
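Review bot: The new disjunct never consults `pattern`, so every key of the object literal is reported as replaced, including keys the regular expression can never match; with the fixture's `/["']/g` and a map that also holds `"&": "&amp;"`, `replaces("&", "&amp;")` holds for a call that never touches `&`. The first disjunct ties `input` to `getStringValue(pattern)`; the callback branch should apply an equivalent constraint, or at least document the over-approximation with a comment above the `exists`, e.g. `// Over-approximates: every key of the lookup map counts as replaced, even if the regexp cannot match it.` The branch also only recognizes a callback whose return is a bare property read on a literal map, so a fallback such as `repl[c] || c` is missed, which is a false negative rather than a false positive and may be acceptable. `GlobalStringReplacement` begins before the hunk, so `pattern` and `getCallback` are defined outside what is shown here.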

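--- a/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/DoubleEscaping.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/DoubleEscaping.expected
@@ -7,3 +7,4 @@
 | tst.js:68:10:70:38 | s.repla ... &") | This replacement may double-escape '&' characters from $@. | tst.js:68:10:69:39 | s.repla ... apos;") | here |
 | tst.js:74:10:77:10 | JSON.st ... ) | This replacement may double-escape '\\' characters from $@. | tst.js:75:12:76:37 | s.repla ... u003E") | here |
 | tst.js:86:10:86:22 | JSON.parse(s) | This replacement may produce '\\' characters that are double-unescaped $@. | tst.js:86:10:86:47 | JSON.pa ... g, "<") | here |
+| tst.js:99:10:99:66 | s.repla ... &amp;") | This replacement may double-escape '&' characters from $@. | tst.js:99:10:99:43 | s.repla ... epl[c]) | here |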

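--- a/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js
@@ -89,3 +89,12 @@ function badUnescape2(s) {
 function goodUnescape2(s) {
   return JSON.parse(s.replace(/\\u003C/g, "<").replace(/\\u003E/g, ">"));
 }
+
+function badEncodeWithReplacer(s) {
+  var repl = {
+    '"': "&quot;",
+    "'": "&apos;",
+    "&": "&amp;"
+  };
+  return s.replace(/["']/g, (c) => repl[c]).replace(/&/g, "&amp;");
+}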
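Review bot: The fixture only exercises the positive case; there is no `goodEncodeWithReplacer` showing a callback-based escape that must not alert, so a regression that makes the new callback recognition fire too broadly would go unnoticed. A companion function that escapes `&` first and then applies the map, mirroring the good/bad pairing of `goodUnescape2` and `badUnescape2` above this hunk, would pin the intended precision. The `repl[c]` lookup is only safe here because the regexp restricts `c` to `"` and `'`; a note such as `// regexp restricts c to keys present in repl` would make that dependency explicit for anyone extending the fixture.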
