diff --git a/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll b/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll index 11ce802ac720..d10d53b3c49b 100644 --- a/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll +++ b/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll @@ -998,7 +998,7 @@ module TaintTracking { or // u.match(/re/) or u.match("re") base = expr and - m = "match" and + m = ["match", "matchAll"] and RegExp::isGenericRegExpSanitizer(RegExp::getRegExpFromNode(firstArg.flow()), sanitizedOutcome) ) diff --git a/javascript/ql/test/experimental/Security/CWE-918/SSRF.expected b/javascript/ql/test/experimental/Security/CWE-918/SSRF.expected index 0dbb00780702..b8f58cb4c785 100644 --- a/javascript/ql/test/experimental/Security/CWE-918/SSRF.expected +++ b/javascript/ql/test/experimental/Security/CWE-918/SSRF.expected @@ -51,18 +51,10 @@ nodes | check-regex.js:41:13:41:43 | "test.c ... tainted | | check-regex.js:41:27:41:43 | req.query.tainted | | check-regex.js:41:27:41:43 | req.query.tainted | -| check-regex.js:58:15:58:42 | baseURL ... tainted | -| check-regex.js:58:15:58:42 | baseURL ... tainted | -| check-regex.js:58:25:58:42 | req.params.tainted | -| check-regex.js:58:25:58:42 | req.params.tainted | | check-regex.js:61:15:61:42 | baseURL ... tainted | | check-regex.js:61:15:61:42 | baseURL ... tainted | | check-regex.js:61:25:61:42 | req.params.tainted | | check-regex.js:61:25:61:42 | req.params.tainted | -| check-regex.js:63:15:63:42 | baseURL ... tainted | -| check-regex.js:63:15:63:42 | baseURL ... tainted | -| check-regex.js:63:25:63:42 | req.params.tainted | -| check-regex.js:63:25:63:42 | req.params.tainted | | check-validator.js:15:15:15:45 | "test.c ... tainted | | check-validator.js:15:15:15:45 | "test.c ... tainted | | check-validator.js:15:29:15:45 | req.query.tainted | @@ -139,18 +131,10 @@ edges | check-regex.js:41:27:41:43 | req.query.tainted | check-regex.js:41:13:41:43 | "test.c ... tainted | | check-regex.js:41:27:41:43 | req.query.tainted | check-regex.js:41:13:41:43 | "test.c ... tainted | | check-regex.js:41:27:41:43 | req.query.tainted | check-regex.js:41:13:41:43 | "test.c ... tainted | -| check-regex.js:58:25:58:42 | req.params.tainted | check-regex.js:58:15:58:42 | baseURL ... tainted | -| check-regex.js:58:25:58:42 | req.params.tainted | check-regex.js:58:15:58:42 | baseURL ... tainted | -| check-regex.js:58:25:58:42 | req.params.tainted | check-regex.js:58:15:58:42 | baseURL ... tainted | -| check-regex.js:58:25:58:42 | req.params.tainted | check-regex.js:58:15:58:42 | baseURL ... tainted | | check-regex.js:61:25:61:42 | req.params.tainted | check-regex.js:61:15:61:42 | baseURL ... tainted | | check-regex.js:61:25:61:42 | req.params.tainted | check-regex.js:61:15:61:42 | baseURL ... tainted | | check-regex.js:61:25:61:42 | req.params.tainted | check-regex.js:61:15:61:42 | baseURL ... tainted | | check-regex.js:61:25:61:42 | req.params.tainted | check-regex.js:61:15:61:42 | baseURL ... tainted | -| check-regex.js:63:25:63:42 | req.params.tainted | check-regex.js:63:15:63:42 | baseURL ... tainted | -| check-regex.js:63:25:63:42 | req.params.tainted | check-regex.js:63:15:63:42 | baseURL ... tainted | -| check-regex.js:63:25:63:42 | req.params.tainted | check-regex.js:63:15:63:42 | baseURL ... tainted | -| check-regex.js:63:25:63:42 | req.params.tainted | check-regex.js:63:15:63:42 | baseURL ... tainted | | check-validator.js:15:29:15:45 | req.query.tainted | check-validator.js:15:15:15:45 | "test.c ... tainted | | check-validator.js:15:29:15:45 | req.query.tainted | check-validator.js:15:15:15:45 | "test.c ... tainted | | check-validator.js:15:29:15:45 | req.query.tainted | check-validator.js:15:15:15:45 | "test.c ... tainted | @@ -190,9 +174,7 @@ edges | check-regex.js:31:15:31:45 | "test.c ... tainted | check-regex.js:31:29:31:45 | req.query.tainted | check-regex.js:31:15:31:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. | | check-regex.js:34:15:34:42 | baseURL ... tainted | check-regex.js:34:25:34:42 | req.params.tainted | check-regex.js:34:15:34:42 | baseURL ... tainted | The URL of this request depends on a user-provided value. | | check-regex.js:41:13:41:43 | "test.c ... tainted | check-regex.js:41:27:41:43 | req.query.tainted | check-regex.js:41:13:41:43 | "test.c ... tainted | The URL of this request depends on a user-provided value. | -| check-regex.js:58:15:58:42 | baseURL ... tainted | check-regex.js:58:25:58:42 | req.params.tainted | check-regex.js:58:15:58:42 | baseURL ... tainted | The URL of this request depends on a user-provided value. | | check-regex.js:61:15:61:42 | baseURL ... tainted | check-regex.js:61:25:61:42 | req.params.tainted | check-regex.js:61:15:61:42 | baseURL ... tainted | The URL of this request depends on a user-provided value. | -| check-regex.js:63:15:63:42 | baseURL ... tainted | check-regex.js:63:25:63:42 | req.params.tainted | check-regex.js:63:15:63:42 | baseURL ... tainted | The URL of this request depends on a user-provided value. | | check-validator.js:15:15:15:45 | "test.c ... tainted | check-validator.js:15:29:15:45 | req.query.tainted | check-validator.js:15:15:15:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. | | check-validator.js:27:15:27:45 | "test.c ... tainted | check-validator.js:27:29:27:45 | req.query.tainted | check-validator.js:27:15:27:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. | | check-validator.js:50:15:50:45 | "test.c ... tainted | check-validator.js:50:29:50:45 | req.query.tainted | check-validator.js:50:15:50:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. | diff --git a/javascript/ql/test/library-tests/StringOps/RegExpTest/tst.js b/javascript/ql/test/library-tests/StringOps/RegExpTest/tst.js deleted file mode 100644 index 18907f1e5fa6..000000000000 --- a/javascript/ql/test/library-tests/StringOps/RegExpTest/tst.js +++ /dev/null @@ -1,51 +0,0 @@ -import 'dummy'; - -const regexp = /^[a-z]+$/; - -function f(str) { - if (/^[a-z]+$/.test(str)) {} - if (/^[a-z]+$/.exec(str) != null) {} - if (/^[a-z]+$/.exec(str)) {} - if (str.match(/^[a-z]+$/)) {} - if (str.match("^[a-z]+$")) {} - - if (regexp.test(str)) {} - if (regexp.exec(str) != null) {} - if (regexp.exec(str)) {} - if (str.match(regexp)) {} - - let match = regexp.exec(str); - if (match) {} - if (!match) {} - if (match == null) {} - if (match != null) {} - if (match && match[1] == "") {} - - something({ - someOption: !!match - }); - - something({ - someOption: regexp.test(str) - }); - - something({ - someOption: !!str.match(regexp) - }); - - something({ - someOption: regexp.exec(str) // not recognized as RegExpTest - }) - - if (regexp.exec(str) == undefined) {} - if (regexp.exec(str) === undefined) {} // not recognized as RegExpTest - - let match2 = str.match(regexp); - if (match2) {} - if (!match2) {} -} - -function something() {} - -f("some string"); -f("someotherstring");