JS: add query js/useless-regexp-character-escape

[ghost]

This adds a variant of https://eslint.org/docs/rules/no-useless-escape that focuses on semantic mistakes in regular expression strings. Unlike the eslint query, you want to fix most of these alerts immediately, and not just some rainy day.

The dual of this query, which flags the truly useless escapes in strings and regular expressions can be seen in javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape.ql. Productising this as a query is trivial, but evaluations show that it is going to be very noisy with semantic TPs that does not really need fixing.

The alert part of this PR contains a verbose use of newtype, as it improves the comprehensiveness of the alert messages significantly when the exact bad escape is highlighted rather than the entire source string. See https://lgtm.com/query/7716308191347971287/ for some example alert renderings for ace, vscode and codemirror. One semantic drawback of this UI improvement is that each mistake counts as one alert, as seen for example in the alerts for vscode.

Performance is fine, the overhead is negligble when evaluating the query with the three other CWE-20 queries (IncompleteHostnameRegExp.ql, IncompleteUrlSubstringSanitization.ql, MissingRegExpAnchor.ql). Crucially, CharacterEscapes::getAnEscapedCharacter is in fact so fast that we can easily afford to run it on all default.slugs source code strings, paving the way for a productised UselessCharacterEscape.ql if we want it one day.

Results are plentiful. Although some of the alerts are benign in the style of https://eslint.org/docs/rules/no-useless-escape, in particular because we do not attempt to distinguish the two different mistakes in new RegExp("\\.") and new RegExp("[\\.]").

[asger-semmle]

Excellent query overall! Very nice results.

the overhead is negligble when evaluating the query with the three other CWE-20 queries (IncompleteHostnameRegExp.ql, IncompleteUrlSubstringSanitization.ql, MissingRegExpAnchor.ql)

I'm not sure negligible is the right word here. How exactly was this data produced? In particular, is the time to compute the cached layers included in the absolute numbers?

If so, what I'm seeing is that it takes upwards of 8% of the time it takes to do SSA, type inference, call graph construction, etc. Not "8% more than these other queries".

[asger-semmle]

Empty paragraph?

[asger-semmle]

Could you add line breaks here?

[asger-semmle]

Could you explain the + "\\\\" part? I understand that we don't want to treat \\ as an identity escape, but escapableChars seems to be used as a set, so why add two backslashes?

[ghost]

Good catch, I have moved "\\" into Sets::ordinaryEscapeChars(). An earlier iteration of this query used this in a regexp character class, so it had to be escaped twice in that context.

[asger-semmle]

double space before when

[asger-semmle]

Do I understand correctly that this exists is to ensure that e.g. \" is flagged inside 'Foo \"bar\" baz'.
Is this issue even worth flagging?

[ghost]

We wont flag such an issue with js/useless-regexp-character-escape, as neither quote has special regex semantics.
But getAnIdentityEscapedCharacter is intended to be complete and independent of the any query purpose, and I think it is appropriate that the dual query in javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape.ql flags '\"' as a useless escape.

[ghost]

I'm not sure negligible is the right word here. How exactly was this data produced? In particular, is the time to compute the cached layers included in the absolute numbers?

If so, what I'm seeing is that it takes upwards of 8% of the time it takes to do SSA, type inference, call graph construction, etc. Not "8% more than these other queries".

The data is from a standard dist-compare run, so you are right that an interpretation is that "it takes upwards of 8% of the time it takes to do SSA". Still, the absolute timing number are small for a new query, so I am not concerned about performance at all. I can do a deeper performance inspection if you insist. (The ballpark 20k seconds for a full gecko-dev run puts the relative query cost at 1.5%. The ballpark 90k seconds for a full default.slugs run puts the relative query cost at 1%.)

[xiemaisi]

Broadly LGTM, with a few suggestions.

I'm not concerned about performance, given that the absolute overhead is small in most cases (except for gecko-dev).

[xiemaisi]

I wonder whether this could be started off more naturally by first recapitulating the concept of backslash escaping in strings (which of course people will be familiar with), then move on to regular expressions, and finally explain the two layers of backslash interpretation happening in strings that are interpreted as regular expressions.

[xiemaisi]

The injectors of this type could do with qldoc.

[xiemaisi]

Could this logic be simplified by additionally keeping the (cooked) value of the string literal around?

[xiemaisi]

Perhaps also include p and P for Unicode property classes.

[xiemaisi]

I think I'd prefer the terminology "character class" over "character range" here and elsewhere.

[xiemaisi]

This again looks like it could benefit from extracting it into a new predicate.

[mchammer01]

@esben-semmle - this LGTM, just a few minor comments to aid comprehension (and one suggestion to avoid repeating a word).

[mchammer01]

Just double-checking that the white spaces before and after the second expression are deliberate here ;-)

[ghost]

Comments has been addressed. @mchammer01, can you take another look at the qhelp content? I have elaborated on the intro, as seen in eeab226.

[mchammer01]

@esben-semmle - thanks for addressing my initial comments, looks good.
I've spotted a tiny typo, and asked a question (I don't have an answer, just asking).
Hope this helps.

[ghost]

Thanks @mchammer01, I think that is it for the docreview.

[mchammer01]

@esben-semmle - Looks like you didn't apply the hyphen changes (backslashed-escaped). Is this deliberate?

[ghost]

Thanks, my push failed due to github's suggestion-commits.

[mchammer01]

Thank you @esben-semmle, good to go from my point of view 😀

[asger-semmle]

The terminology in this paragraph and the next doesn't seem right to me. It's either incorrect or a tautology depending on what it means for a character to be "escaped".

It think it would be clearer if we just stick to "escape sequence":

When a character in a string literal or regular expression is preceded by a blackslash, it is interpreted as part of an escape sequence. For example, the escape sequence \n corresponds to the newline character, not the n character.

However, not all characters change meaning when used in an escape sequence. In this case, the backslash just makes the character appear to mean something else, but the backslash actually has no effect. For example, the escape sequence \k just means k.

[asger-semmle]

The string/template literal wording seems unnecessary, string literal should be fine (here and below).

[asger-semmle]

Thanks, LGTM now

[ghost]

@mchammer01 can I get another review of the overview section of the qhelp file here? I rewrote it just now.

[xiemaisi]

A bunch of minor comments and suggestions.

[xiemaisi]

This paragraph is a little terse. What is a "dynamic regular expression source"? What is "the problem"?

[xiemaisi]

This description sounds very general, but the injector only seems to look at \b escapes.

[xiemaisi]

As mentioned above, b and B are not character classes but assertions.

[mchammer01]

@esben-semmle - I did another editorial review of this, as requested.
One minor issue (see inline comment) where you repeat a word (the backslash) and use the wrong conjunction. I've made a suggestion, feel free to ignore if you don't agree.

[mchammer01]

Suggested change

	appear to mean something else, but the backslash actually has no
	appear to mean something else, and it actually has no

[ghost]

Comments addressed.

[xiemaisi]

Just one final nit (which you could perhaps address as part of cleaning up the commit history?), otherwise lgtm.

[ghost]

Squashed and rebased.