
Napalys/regexp unknown flags #18089

Draft
wants to merge 30 commits into
base: main

Conversation

Napalys
Copy link
Contributor

@Napalys Napalys commented Nov 25, 2024

This pull request fixes an issue where queries were only handling regular expressions with known flags, overlooking unknown flags. Now, it correctly deals with unknown flags in regular expressions.

Additionally, some queries in the JavaScript code were only working with literal regular expressions. Now, they work with both literals and RegExp objects. Notable updates include:

  • javascript/ql/lib/semmle/javascript/security/IncompleteBlacklistSanitizer.qll
  • javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
  • javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql
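As an added illustration (not code from this PR or from the CodeQL libraries), the distinction the description relies on: a `replace` with a literal `g`-flagged regex or a `replaceAll` call escapes every occurrence, a literal regex without `g` escapes only the first, and a `RegExp` built from a runtime `flags` value gives static analysis no way to tell which case applies. The sample input and the function names are constructed for this example.

```javascript
// Added illustration for this PR's topic; not code from the PR or the CodeQL
// libraries. Shows why a query must treat non-literal regex flags as unknown
// when deciding whether a `.replace()` call is a global (complete) sanitizer.

// Constructed sample input containing several characters to be escaped.
const SAMPLE = "<b>x</b><i>";

// Literal regex without `g`: only the first `<` is replaced. This is the
// incomplete-sanitization pattern that IncompleteSanitization.ql targets.
function escapeFirstOnly(s) {
  return s.replace(/</, "&lt;");
}

// Literal regex with `g`: every `<` is replaced.
function escapeAllWithG(s) {
  return s.replace(/</g, "&lt;");
}

// `.replaceAll()` is always global, as the docstring discussed in this PR notes.
function escapeAllWithReplaceAll(s) {
  return s.replaceAll("<", "&lt;");
}

// Flags are a runtime value: the source text alone does not reveal whether `g`
// is present, so a static query sees "unknown flags" here and should neither
// assume the call is global nor report it as incomplete.
function escapeWithFlags(s, flags) {
  return s.replace(new RegExp("<", flags), "&lt;");
}

// Runtime check: did the replacement remove every `<`?
function isFullyEscaped(s) {
  return !s.includes("<");
}
```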

@github-actions github-actions bot added the JS label Nov 25, 2024
… from RegExpCreationNode and reused RegExp::isGlobal in std
Comment on lines 122 to 125
/**
* Holds if this is a global replacement, that is, the first argument is a regular expression
* with the `g` flag, or this is a call to `.replaceAll()`.
*/
Contributor


This docstring needs to mention that the predicate also holds if the flags are unknown.
Incorporate that into the string naturally in some way.
(Actually, try to copy-paste the above sentence into Copilot as instructions, use o1-mini or o1-preview with the Copilot edit mode: Select the docstring in VSCode, press cmd + i, make sure to select the right model, and paste my above instructions).

Contributor Author

@Napalys Napalys Nov 26, 2024


Fixed 56cde75

Comment on lines 1685 to 1687
/** Holds if the constructed predicate has the `g` flag. */
predicate isGlobal() { RegExp::isGlobal(this.getFlags()) }

Contributor


Don't outright delete predicates like this. Instead keep the implementation but add a deprecated annotation, and add an explanation into the docstring as to why a predicate is deprecated.

Deprecated predicates get deleted after a little over a year.

… longer flagged as bad sanitization to reduce false positives.
@Napalys Napalys force-pushed the napalys/regexp-unknown-flags branch 2 times, most recently from c003a81 to b6ffc46 Compare November 27, 2024 11:12