JS: remove FP from js/regexpinjection where no regexp was constructed#2556
JS: remove FP from js/regexpinjection where no regexp was constructed#2556semmle-qlci merged 3 commits intogithub:masterfrom
Conversation
|
What's the rationale for going with this criterion rather than the simpler one suggested in the issue (ignore |
Because I don't it as the problem that the result from The particular FP was flagged as a function that interpreted its input as a RegExp, but looking into the source code revealed that the function does not interpret its input as a RegExp. And this criterion can also fix other instances where a |
Sure, it's a heuristic. Your proposed heuristic is less syntactic, but it risks false positives in cases where we cannot resolve a call to a non-regexp It's nice that it fixes this particular false positive, but I'd like to get some more confidence that it also helps in the other cases we have previously observed. Your experimental results provide some evidence for this, but of course mis-classifying a call to One possible experiment we could do would be to look for |
|
Interestingly, most (all?) results from the above query seem to be about Angular I think it would be good to rephrase it in terms of Also, you may want to be a little more precise about the allowed call targets. Rather than saying "anything in an externs file", you should be able to use the classes in |
|
I ran a query testing what sinks a call-target heuristic excludes compared to a void-context heuristic: https://lgtm.com/query/2775226574270607788/ And I think I still prefer a call-target based heuristic.
There are exceptions, but it looks like those exceptions are unlikely to receive tainted data-flow. |
| mce.getMethodName() = methodName and | ||
| not exists(DataFlow::FunctionNode func | func = DataFlow::valueNode(mce.getCallee()).getAFunctionValue() | not func.getFunction().inExternsFile()) | ||
| not exists(Function func | | ||
| func = any(DataFlow::MethodCallNode call | call.getEnclosingExpr() = mce).getACallee() |
There was a problem hiding this comment.
Can we avoid the getEnclosingExpr dance by making mce a MethodCallNode straight away and rephrasing the code relating it to source below?
Fixes this FP: https://gist.github.com/esbena/9906d698fe8b8e0bc53128af36e01c5f#file-changes-results-unclassified_added-md-L5076
The FP happened because our heuristic for
isInterpretedAsRegExpwas a little to broad.Search.search(..)does not interpret its arguments as RegExp.isInterpretedAsRegExpflaggedSearch.search(..)because the method was calledsearch, andSearchcould maybe be a string becauseSearchis a global variable.My proposed fix is to check whether there exists a callee that is a non-extern function.
Because if such a function exists, then it's likely not a call to a native API, which is what the heuristic is looking for.
An evaluation on our
defaults.slugsshow no change in results, except for the FP mentioned.And performance also seems OK.
I did a re-run of the slowest benchmarks (gecko-dev in particular). And it seems the performance slowdowns in the first run was just a fluke.