From bca14d7fbf280309a3678c2120318131b00d7f95 Mon Sep 17 00:00:00 2001
From: Napalys
Date: Thu, 7 Nov 2024 11:47:36 +0100
Subject: [PATCH] Fixes false positives from commit 42600c93ffad33fce4975542e11f32d45fd25747
---
 .../javascript/dataflow/TaintTracking.qll | 2 +-
 .../Security/CWE-918/SSRF.expected | 18 -------
 .../library-tests/StringOps/RegExpTest/tst.js | 51 -------------------
 3 files changed, 1 insertion(+), 70 deletions(-)
 delete mode 100644 javascript/ql/test/library-tests/StringOps/RegExpTest/tst.js
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll b/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll
index 11ce802ac720..d10d53b3c49b 100644
--- a/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll
@@ -998,7 +998,7 @@ module TaintTracking {
 or
 // u.match(/re/) or u.match("re")
 base = expr and
- m = "match" and
+ m = ["match", "matchAll"] and
 RegExp::isGenericRegExpSanitizer(RegExp::getRegExpFromNode(firstArg.flow()),
 sanitizedOutcome)
 )
diff --git a/javascript/ql/test/experimental/Security/CWE-918/SSRF.expected b/javascript/ql/test/experimental/Security/CWE-918/SSRF.expected
index 0dbb00780702..b8f58cb4c785 100644
--- a/javascript/ql/test/experimental/Security/CWE-918/SSRF.expected
+++ b/javascript/ql/test/experimental/Security/CWE-918/SSRF.expected
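Review bot: In TaintTracking.qll, the widened `m = ["match", "matchAll"]` appears to treat `u.matchAll(re)` as a regexp test on `u`, but `String.prototype.matchAll` returns an iterator object that is truthy even when nothing matches, so a guard such as `if (u.matchAll(re))` never rejects input and should not count as a sanitizer. As written this looks like it trades the false positives for false negatives: the check-regex.js:58 and :63 alerts dropped from SSRF.expected would be suppressed even if the tainted value was never really checked (check-regex.js is not part of this patch, so confirm what those lines do). I would keep `m = "match" and` in this disjunct and, if `matchAll` needs modelling, recognise it only where the iterator is consumed and that result is tested. The enclosing predicate starts and ends outside the hunk.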
@@ -51,18 +51,10 @@ nodes
 | check-regex.js:41:13:41:43 | "test.c ... tainted |
 | check-regex.js:41:27:41:43 | req.query.tainted |
 | check-regex.js:41:27:41:43 | req.query.tainted |
-| check-regex.js:58:15:58:42 | baseURL ... tainted |
-| check-regex.js:58:15:58:42 | baseURL ... tainted |
-| check-regex.js:58:25:58:42 | req.params.tainted |
-| check-regex.js:58:25:58:42 | req.params.tainted |
 | check-regex.js:61:15:61:42 | baseURL ... tainted |
 | check-regex.js:61:15:61:42 | baseURL ... tainted |
 | check-regex.js:61:25:61:42 | req.params.tainted |
 | check-regex.js:61:25:61:42 | req.params.tainted |
-| check-regex.js:63:15:63:42 | baseURL ... tainted |
-| check-regex.js:63:15:63:42 | baseURL ... tainted |
-| check-regex.js:63:25:63:42 | req.params.tainted |
-| check-regex.js:63:25:63:42 | req.params.tainted |
 | check-validator.js:15:15:15:45 | "test.c ... tainted |
 | check-validator.js:15:15:15:45 | "test.c ... tainted |
 | check-validator.js:15:29:15:45 | req.query.tainted |
@@ -139,18 +131,10 @@ edges
 | check-regex.js:41:27:41:43 | req.query.tainted | check-regex.js:41:13:41:43 | "test.c ... tainted |
 | check-regex.js:41:27:41:43 | req.query.tainted | check-regex.js:41:13:41:43 | "test.c ... tainted |
 | check-regex.js:41:27:41:43 | req.query.tainted | check-regex.js:41:13:41:43 | "test.c ... tainted |
-| check-regex.js:58:25:58:42 | req.params.tainted | check-regex.js:58:15:58:42 | baseURL ... tainted |
-| check-regex.js:58:25:58:42 | req.params.tainted | check-regex.js:58:15:58:42 | baseURL ... tainted |
-| check-regex.js:58:25:58:42 | req.params.tainted | check-regex.js:58:15:58:42 | baseURL ... tainted |
-| check-regex.js:58:25:58:42 | req.params.tainted | check-regex.js:58:15:58:42 | baseURL ... tainted |
 | check-regex.js:61:25:61:42 | req.params.tainted | check-regex.js:61:15:61:42 | baseURL ... tainted |
 | check-regex.js:61:25:61:42 | req.params.tainted | check-regex.js:61:15:61:42 | baseURL ... tainted |
 | check-regex.js:61:25:61:42 | req.params.tainted | check-regex.js:61:15:61:42 | baseURL ... tainted |
 | check-regex.js:61:25:61:42 | req.params.tainted | check-regex.js:61:15:61:42 | baseURL ... tainted |
-| check-regex.js:63:25:63:42 | req.params.tainted | check-regex.js:63:15:63:42 | baseURL ... tainted |
-| check-regex.js:63:25:63:42 | req.params.tainted | check-regex.js:63:15:63:42 | baseURL ... tainted |
-| check-regex.js:63:25:63:42 | req.params.tainted | check-regex.js:63:15:63:42 | baseURL ... tainted |
-| check-regex.js:63:25:63:42 | req.params.tainted | check-regex.js:63:15:63:42 | baseURL ... tainted |
 | check-validator.js:15:29:15:45 | req.query.tainted | check-validator.js:15:15:15:45 | "test.c ... tainted |
 | check-validator.js:15:29:15:45 | req.query.tainted | check-validator.js:15:15:15:45 | "test.c ... tainted |
 | check-validator.js:15:29:15:45 | req.query.tainted | check-validator.js:15:15:15:45 | "test.c ... tainted |
@@ -190,9 +174,7 @@ edges
 | check-regex.js:31:15:31:45 | "test.c ... tainted | check-regex.js:31:29:31:45 | req.query.tainted | check-regex.js:31:15:31:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. |
 | check-regex.js:34:15:34:42 | baseURL ... tainted | check-regex.js:34:25:34:42 | req.params.tainted | check-regex.js:34:15:34:42 | baseURL ... tainted | The URL of this request depends on a user-provided value. |
 | check-regex.js:41:13:41:43 | "test.c ... tainted | check-regex.js:41:27:41:43 | req.query.tainted | check-regex.js:41:13:41:43 | "test.c ... tainted | The URL of this request depends on a user-provided value. |
-| check-regex.js:58:15:58:42 | baseURL ... tainted | check-regex.js:58:25:58:42 | req.params.tainted | check-regex.js:58:15:58:42 | baseURL ... tainted | The URL of this request depends on a user-provided value. |
 | check-regex.js:61:15:61:42 | baseURL ... tainted | check-regex.js:61:25:61:42 | req.params.tainted | check-regex.js:61:15:61:42 | baseURL ... tainted | The URL of this request depends on a user-provided value. |
-| check-regex.js:63:15:63:42 | baseURL ... tainted | check-regex.js:63:25:63:42 | req.params.tainted | check-regex.js:63:15:63:42 | baseURL ... tainted | The URL of this request depends on a user-provided value. |
 | check-validator.js:15:15:15:45 | "test.c ... tainted | check-validator.js:15:29:15:45 | req.query.tainted | check-validator.js:15:15:15:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. |
 | check-validator.js:27:15:27:45 | "test.c ... tainted | check-validator.js:27:29:27:45 | req.query.tainted | check-validator.js:27:15:27:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. |
 | check-validator.js:50:15:50:45 | "test.c ... tainted | check-validator.js:50:29:50:45 | req.query.tainted | check-validator.js:50:15:50:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. |
diff --git a/javascript/ql/test/library-tests/StringOps/RegExpTest/tst.js b/javascript/ql/test/library-tests/StringOps/RegExpTest/tst.js
deleted file mode 100644
index 18907f1e5fa6..000000000000
--- a/javascript/ql/test/library-tests/StringOps/RegExpTest/tst.js
+++ /dev/null
@@ -1,51 +0,0 @@
-import 'dummy';
-
-const regexp = /^[a-z]+$/;
-
-function f(str) {
- if (/^[a-z]+$/.test(str)) {}
- if (/^[a-z]+$/.exec(str) != null) {}
- if (/^[a-z]+$/.exec(str)) {}
- if (str.match(/^[a-z]+$/)) {}
- if (str.match("^[a-z]+$")) {}
-
- if (regexp.test(str)) {}
- if (regexp.exec(str) != null) {}
- if (regexp.exec(str)) {}
- if (str.match(regexp)) {}
-
- let match = regexp.exec(str);
- if (match) {}
- if (!match) {}
- if (match == null) {}
- if (match != null) {}
- if (match && match[1] == "") {}
-
- something({
- someOption: !!match
- });
-
- something({
- someOption: regexp.test(str)
- });
-
- something({
- someOption: !!str.match(regexp)
- });
-
- something({
- someOption: regexp.exec(str) // not recognized as RegExpTest
- })
-
- if (regexp.exec(str) == undefined) {}
- if (regexp.exec(str) === undefined) {} // not recognized as RegExpTest
-
- let match2 = str.match(regexp);
- if (match2) {}
- if (!match2) {}
-}
-
-function something() {}
-
-f("some string");
-f("someotherstring");