From 811c175556b50a731782825e6d9f4d37e635b91a Mon Sep 17 00:00:00 2001
From: erik-krogh
Date: Mon, 15 Apr 2024 16:31:14 +0200
Subject: [PATCH 1/2] add example for domain names with sub-domains to missing-regexp-anchor

---
 .../CWE-020/MissingRegexpAnchor.qhelp | 6 ++++++
 .../CWE-020/MissingRegexpAnchorGoodDomain.go | 20 +++++++++++++++++++
 2 files changed, 26 insertions(+)
 create mode 100644 go/ql/src/Security/CWE-020/MissingRegexpAnchorGoodDomain.go

diff --git a/go/ql/src/Security/CWE-020/MissingRegexpAnchor.qhelp b/go/ql/src/Security/CWE-020/MissingRegexpAnchor.qhelp
index df238e10ee6d..cac3c7268c78 100644
--- a/go/ql/src/Security/CWE-020/MissingRegexpAnchor.qhelp
+++ b/go/ql/src/Security/CWE-020/MissingRegexpAnchor.qhelp
@@ -45,6 +45,12 @@ one of the alternatives. As an example, the regular expression (^www\.example\.com)|(beta\.example\.com)/, so the second alternative beta\.example\.com is not anchored at the beginning of the string.

+
+

+When checking for a domain name with subdomains, it is important to anchor the regular expression
+or ensure that the domain name is prefixed with a dot.
+

+
diff --git a/go/ql/src/Security/CWE-020/MissingRegexpAnchorGoodDomain.go b/go/ql/src/Security/CWE-020/MissingRegexpAnchorGoodDomain.go
new file mode 100644
index 000000000000..6e5ec1b24dc6
--- /dev/null
+++ b/go/ql/src/Security/CWE-020/MissingRegexpAnchorGoodDomain.go
@@ -0,0 +1,20 @@
+package main
+
+import (
+ "regexp"
+)
+
+func checkSubdomain(domain String) {
+ // Checking strictly that the domain is `example.com`.
+ re := "^example\\.com$"
+ if matched, _ := regexp.MatchString(re, domain); matched {
+ // domain is good.
+ }
+
+ // GOOD: Alternatively, check the domain is `example.com` or a subdomain of `example.com`.
+ re2 := "(^|\\.)example\\.com$"
+
+ if matched, _ := regexp.MatchString(re2, domain); matched {
+ // domain is good.
+ }
+}

From 462e564c191022088c54c9f2d83c6f93918758f9 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen
Date: Fri, 10 May 2024 18:59:55 +0200
Subject: [PATCH 2/2] apply suggestion from code review

Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
---
 go/ql/src/Security/CWE-020/MissingRegexpAnchor.qhelp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/go/ql/src/Security/CWE-020/MissingRegexpAnchor.qhelp b/go/ql/src/Security/CWE-020/MissingRegexpAnchor.qhelp
index cac3c7268c78..a947f93836be 100644
--- a/go/ql/src/Security/CWE-020/MissingRegexpAnchor.qhelp
+++ b/go/ql/src/Security/CWE-020/MissingRegexpAnchor.qhelp
@@ -47,7 +47,7 @@ one of the alternatives. As an example, the regular expression
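Review bot: `String` in the signature of checkSubdomain is not a Go type (the builtin is lowercase), so this new example file does not compile; it should read `func checkSubdomain(domain string) {`. Both regexp.MatchString calls also drop the compile error with `_`; since the two patterns are constants, compiling them once at package scope with `regexp.MustCompile` and calling `.MatchString(domain)` avoids both the ignored error and recompiling on every call. The subdomain pattern `(^|\\.)example\\.com$` is case-sensitive while host names are not, so the example should either lowercase the input before matching or state in a comment that callers are expected to normalise case first. Labelling the first check `// GOOD:` as well would make clear that both patterns are acceptable rather than only the second.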

-When checking for a domain name with subdomains, it is important to anchor the regular expression
+When checking for a domain name that may have subdomains, it is important to anchor the regular expression
 or ensure that the domain name is prefixed with a dot.