JS: support sanitizers that remove all forward slashes #2962
semmle-qlci merged 4 commits into github:master
Conversation
```ql
or
exists(RegExpCharacterClass choice | literal.getRoot() = choice |
  choice.getAMatchedString() = "/" or
  choice.getAMatchedString() = "."
```
Do we need to restrict this to character classes? If we declared choice to be RegExpTerm instead it seems like it would work for /\./g and /\//g as well.
👍
The same works for the existing RegExpSequence in the predicate.
It's a bit sad that we block normalized absolute paths here. Wouldn't it be worth adding that as a step?
I think it could be.
I added a taint step for replace calls that remove only dots, and not forward slashes.
Evaluation looks good.
Flow for js/tainted-path no longer flows through replace calls that replace all forward slashes or dots. Gets us a TN for CVE-2019-10767.
This kind of regexp seems quite common.
No evaluation yet.