RegexpCheck.qll
/**
* Provides an implementation of a commonly used barrier guard for sanitizing untrusted URLs.
*/
overlay[local?]
module;
import go
/**
 * Holds if `resultNode` is the result of a call to a regexp match function, or any
 * node reachable from that result through zero or more successor steps, and
 * `checked` is the expression for the value (`getValue()`) passed to that call.
 * It is intended as a barrier guard for sanitizing untrusted URLs.
 *
 * This is overapproximate: we do not attempt to reason about the correctness of
 * the regexp. `branch` is also left unconstrained (both `true` and `false` are
 * accepted), so `checked` counts as sanitized whichever way the match result is
 * tested. Queries that rely on this guard can therefore miss flows guarded by a
 * regexp that is too permissive or by a check applied in the wrong direction.
 *
 * Use this if you want to define a derived `DataFlow::BarrierGuard` without
 * making the type recursive. Otherwise use `RegexpCheckBarrier`.
 */
predicate regexpFunctionChecksExpr(DataFlow::Node resultNode, Expr checked, boolean branch) {
  // Either outcome of the match is accepted as a sanitizing branch.
  branch = [false, true] and
  exists(DataFlow::CallNode matchCall, RegexpMatchFunction fn |
    matchCall = fn.getACall() and
    // The expression whose value is handed to the match function.
    checked = fn.getValue().getNode(matchCall).asExpr() and
    // The match result itself, or anything it flows on to.
    resultNode = fn.getResult().getNode(matchCall).getASuccessor*()
  )
}
/**
 * A barrier node obtained by instantiating `DataFlow::BarrierGuard` with
 * `regexpFunctionChecksExpr`: a node guarded by a call to a regexp match
 * function, treated as sanitized when tracking untrusted URLs.
 *
 * This is overapproximate: the regexp is not analysed for correctness, so a
 * weak or misapplied pattern still suppresses results downstream of the check.
 */
class RegexpCheckBarrier extends DataFlow::Node {
  RegexpCheckBarrier() {
    // Membership is exactly the barrier nodes computed from the guard predicate.
    this = DataFlow::BarrierGuard<regexpFunctionChecksExpr/3>::getABarrierNode()
  }
}