
JS: slightly broaden the regular expression that recognizes bad string-concats used as shell commands #11859


Merged: 2 commits, Jan 23, 2023

Conversation

erik-krogh
Contributor

@erik-krogh erik-krogh commented Jan 10, 2023

@github-actions github-actions bot added the JS label Jan 10, 2023
@erik-krogh erik-krogh marked this pull request as ready for review January 10, 2023 11:49
@erik-krogh erik-krogh requested a review from a team as a code owner January 10, 2023 11:49
@erik-krogh erik-krogh added the no-change-note-required This PR does not need a change note label Jan 10, 2023
@@ -93,7 +93,7 @@ module UnsafeShellCommandConstruction {
this = root.getALeaf() and
root = isExecutedAsShellCommand(DataFlow::TypeBackTracker::end(), sys) and
exists(string prev | prev = this.getPreviousLeaf().getStringValue() |
prev.regexpMatch(".* ('|\")?[0-9a-zA-Z/:_-]*")
prev.regexpMatch(".*\\s*('|\")?[0-9a-zA-Z/:_-]*")
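Review bot: the replacement pattern on the last line of this hunk matches every string, because the greedy `.*` can consume the whole input and each of the remaining terms (`\\s*`, `('|\")?`, `[0-9a-zA-Z/:_-]*`) can match the empty string, so the `exists(string prev | ...)` check degenerates to requiring only that the previous leaf has a string value. The original pattern at least required a literal space somewhere in `prev`; if a whitespace separator before the leaf is the intent, `.*\\s+('|\")?[0-9a-zA-Z/:_-]*` preserves that requirement, and a comment stating what `prev` is expected to look like (e.g. a command followed by a separator and an optional opening quote) would make the intent reviewable.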
Contributor

@esbena esbena Jan 18, 2023


Can you document the intention of this entire pattern?

I note that the \\s* term is dead* due to the greedy .*. Did you perhaps mean .*\\s+?

*: dotall would make a difference, but there's no comment about newlines here, and the new test does not contain a newline either.

Contributor Author


I've realized that in generalizing the regular expression, I had created a regular expression that matched every string.

So I've removed the regular expression, and just have an exists(this.getPreviousLeaf().getStringValue()), which I think is a good solution.
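The two comments above (the dead `\s*` term and the pattern that ended up matching every string) can be checked directly. The following is an added example, not code from the CodeQL repository: it runs the original pattern, the proposed one, and the reviewer's `\s+` variant over a few constructed "previous leaf" strings. QL's regexpMatch requires a whole-string match, which JavaScript's RegExp.test does not, so each pattern is anchored with `^` and `$` here; the sample strings and the function names are this example's own.

```javascript
// Added example (not from the CodeQL repository): compare the three candidate
// patterns from the review thread under full-match semantics. QL's regexpMatch
// matches the whole string, so every pattern is anchored with ^ and $.
const PATTERNS = {
  // before the change: a literal space is required somewhere in the string
  original: /^.* ('|")?[0-9a-zA-Z\/:_-]*$/,
  // after the change: `.*` can consume the whole input and every later term
  // can match the empty string, so this accepts any newline-free input
  proposed: /^.*\s*('|")?[0-9a-zA-Z\/:_-]*$/,
  // the reviewer's suggestion: at least one whitespace character is required
  suggested: /^.*\s+('|")?[0-9a-zA-Z\/:_-]*$/,
};

// Constructed sample values for the leaf to the left of a user-controlled
// part in a concatenated shell command (not taken from any real test case).
const SAMPLES = [
  "ls -la ",       // ends with a space
  "git clone '",   // space, then an opening quote
  "tar\t-xf\t",    // tabs only, no space character
  "cat",           // no whitespace at all
  "echo",
  "",              // empty string
];

// Whole-string match of one named pattern against one string.
function matches(patternName, s) {
  return PATTERNS[patternName].test(s);
}

// The sample strings a pattern accepts.
function accepted(patternName) {
  return SAMPLES.filter((s) => matches(patternName, s));
}

// True when a pattern accepts every sample: the defect the PR author found
// in the proposed pattern.
function acceptsEverything(patternName) {
  return accepted(patternName).length === SAMPLES.length;
}

for (const name of Object.keys(PATTERNS)) {
  const verdict = acceptsEverything(name)
    ? "matches every sample"
    : JSON.stringify(accepted(name));
  console.log(`${name}: ${verdict}`);
}
```

Running it shows the original pattern rejecting the tab-separated and whitespace-free samples, the proposed pattern accepting all of them (including the empty string), and the `\s+` variant accepting exactly the samples that contain some whitespace.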

@erik-krogh erik-krogh requested a review from esbena January 23, 2023 15:38
@erik-krogh erik-krogh merged commit fc66c90 into github:main Jan 23, 2023