Skip to content

JS: fix js/double-escaping displaying empty metachar #19840

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 2 commits into from

Conversation

Napalys
Copy link
Contributor

@Napalys Napalys commented Jun 23, 2025

This pull request resolves an issue where js/double-escaping would display an empty metachar in the alert message, potentially causing confusion.

I have verified the fix in this repository:

@Napalys Napalys force-pushed the js/double_escaping_msg branch from 21981a5 to 466eac3 Compare June 23, 2025 09:29
@Napalys Napalys marked this pull request as ready for review June 23, 2025 10:30
@Copilot Copilot AI review requested due to automatic review settings June 23, 2025 10:30
@Napalys Napalys requested a review from a team as a code owner June 23, 2025 10:30
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR fixes how backslash metacharacters are displayed in the js/double-escaping query alerts to prevent empty output.

  • Update alert message construction to escape backslashes before concatenation
  • Adjust test expectations to match the new escaped output
  • Add a change note documenting the backslash display fix

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/DoubleEscaping.expected Updated expected alert output to show \\ as \\\\ in test harness
javascript/ql/src/change-notes/2025-06-23-double-escaping.md Added note about correct backslash display in alerts
javascript/ql/src/Security/CWE-116/DoubleEscaping.ql Changed message construction to call metachar.replaceAll("\\", "\\\\") before concatenation

Comment on lines 126 to +134
primary.escapes(metachar, _) and
supplementary = primary.getAnEarlierEscaping(metachar) and
message = "may double-escape '" + metachar + "' characters from $@"
message = "may double-escape '" + metachar.replaceAll("\\", "\\\\") + "' characters from $@"
or
primary.unescapes(_, metachar) and
supplementary = primary.getALaterUnescaping(metachar) and
message = "may produce '" + metachar + "' characters that are double-unescaped $@"
message =
"may produce '" + metachar.replaceAll("\\", "\\\\") +
"' characters that are double-unescaped $@"
Copy link
Preview

Copilot AI Jun 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[nitpick] Consider extracting the metachar.replaceAll("\\", "\\\\") call into a local variable (e.g. displayMetachar) to improve readability and avoid repeating this expression in both message branches.

Copilot uses AI. Check for mistakes.

Copy link
Contributor

@asgerf asgerf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The bug is either in code scanning or the SARIF exporter, not in the CodeQL query. Backslashes have no special meaning in the message generated from QL.

@Napalys Napalys closed this Jun 23, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants