JS: RegExp unknown flags support and enhanced compatibility with RegExp objects #18089

Open
wants to merge 35 commits into
base: main

@Napalys Napalys commented Nov 25, 2024

This pull request fixes an issue where queries were only handling regular expressions with known flags, overlooking unknown flags. Now, it correctly deals with unknown flags in regular expressions.

Additionally, some queries in the JavaScript code were only working with literal regular expressions. Now, they work with both literals and RegExp objects. Notable updates include:

  • javascript/ql/lib/semmle/javascript/security/IncompleteBlacklistSanitizer.qll
  • javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
  • javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql
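
The code shapes this change concerns, as an added JavaScript example that is not part of the pull request or the CodeQL code base; the function names and the sample string are constructed. It shows that a non-global replacement leaves later occurrences untouched whether the pattern is a regex literal or a `RegExp` object, and that flags passed in as a value are only known at run time.

```javascript
// Added illustration: names and sample input are constructed, not taken from the PR.

// Regex literal without the `g` flag: only the first "<" is replaced.
function escapeLiteral(s) {
  return s.replace(/</, "&lt;");
}

// The same defect written with a RegExp object instead of a literal.
function escapeObject(s) {
  return s.replace(new RegExp("<"), "&lt;");
}

// Flags come from the caller, so whether `g` is set is unknown
// when looking at this function alone.
function escapeWithFlags(s, flags) {
  return s.replace(new RegExp("<", flags), "&lt;");
}

// Corrected forms: an explicit `g` flag, or `.replaceAll()`.
function escapeGlobal(s) {
  return s.replace(new RegExp("<", "g"), "&lt;");
}

function escapeReplaceAll(s) {
  return s.replaceAll("<", "&lt;");
}

// Number of "<" characters that survived the sanitizer.
function remaining(s) {
  return (s.match(/</g) || []).length;
}

// Constructed sample input containing four "<" characters.
const sample = "<b>x</b><i>y</i>";

for (const [name, out] of [
  ["literal, no g", escapeLiteral(sample)],
  ["RegExp object, no g", escapeObject(sample)],
  ["RegExp object, flags ''", escapeWithFlags(sample, "")],
  ["RegExp object, flags 'g'", escapeWithFlags(sample, "g")],
  ["RegExp object, explicit g", escapeGlobal(sample)],
  ["replaceAll", escapeReplaceAll(sample)],
]) {
  console.log(`${name}: ${out} (unescaped "<" left: ${remaining(out)})`);
}
```
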

@github-actions github-actions bot added the JS label Nov 25, 2024
@Napalys Napalys force-pushed the napalys/regexp-unknown-flags branch 2 times, most recently from e314fef to b39a8fe Compare November 25, 2024 11:39
Comment on lines 122 to 123
/**
* Holds if this is a global replacement, that is, the first argument is a regular expression
* with the `g` flag, or this is a call to `.replaceAll()`.
*/
Contributor

This docstring needs to mention that the predicate also holds if the flags are unknown.
Incorporate that into the string naturally in some way.
(Actually, try to copy-paste the above sentence into Copilot as instructions, use o1-mini or o1-preview with the Copilot edit mode: Select the docstring in VSCode, press cmd + i, make sure to select the right model, and paste my above instructions).

Contributor Author

@Napalys Napalys Nov 26, 2024

Fixed 56cde75

Comment on lines 1685 to 1687
/** Holds if the constructed predicate has the `g` flag. */
predicate isGlobal() { RegExp::isGlobal(this.getFlags()) }

Contributor

Don't outright delete predicates like this. Instead keep the implementation but add a deprecated annotation, and add an explanation into the docstring as to why a predicate is deprecated.

Deprecated predicates get deleted after a little over a year.

@Napalys Napalys force-pushed the napalys/regexp-unknown-flags branch 8 times, most recently from 59c78b0 to 7d2b6c9 Compare November 28, 2024 10:07
@Napalys Napalys marked this pull request as ready for review November 28, 2024 10:16
@Napalys Napalys requested a review from a team as a code owner November 28, 2024 10:16
@Napalys Napalys changed the title from "Napalys/regexp unknown flags" to "JS: RegExp unknown flags support and enhanced compatibility with RegExp objects" Nov 28, 2024
---
category: majorAnalysis
---
* Queries such as `IncompleteSanitization`, `TaintedPathCustomizations`, and `IncompleteBlacklistSanitizer` are now compatible with both `RegExpLiteral` and `RegExpObject`.
Contributor

Maybe focus more on the change that users will actually see.
The change they'll see is that the queries now flag new RegExp objects, and not just regex literals.

Same with the below.

Contributor Author

Fixed d2de9a2 ?

@Napalys Napalys requested a review from asgerf November 29, 2024 10:09
@Napalys Napalys requested a review from asgerf November 29, 2024 10:35