/**
* @name Suspicious characters in a regular expression
* @description If a literal bell character or backspace appears in a regular expression, the start of text or word boundary may have been intended.
* @kind path-problem
* @problem.severity warning
* @security-severity 7.8
* @precision high
* @id go/suspicious-character-in-regex
* @tags correctness
* security
* external/cwe/cwe-020
*/
import go
/**
 * Holds if `source` is the data-flow node of a non-raw string literal whose
 * source text contains `character` preceded by an odd number of backslashes,
 * i.e. an escape such as `\a` rather than the escaped backslash in `\\a`.
 *
 * `character` is restricted to `"a"` and `"b"`, the only escapes this query
 * reports on. Raw literals (`isRaw()`) are excluded.
 */
predicate containsEscapedCharacter(DataFlow::Node source, string character) {
  (character = "a" or character = "b") and
  exists(StringLit lit |
    lit = source.asExpr() and
    not lit.isRaw() and
    // Match `character` preceded by an odd run of backslashes: one backslash,
    // then zero to ten further pairs, with no backslash before the run. The
    // bounded `{0,10}` repetition caps the recognised run at 21 backslashes.
    exists(lit.getText().regexpFind("(?<=(^|[^\\\\])\\\\(\\\\{2}){0,10})" + character, _, _))
  )
}
module SuspiciousCharacterInRegexpConfig implements DataFlow::ConfigSig {
  /**
   * Holds if `source` is a string literal containing a suspicious escape and
   * `report` is the explanation to attach to the alert for that escape:
   * one text for `\a` (bell) and one for `\b` (backspace).
   */
  additional predicate isSourceString(DataFlow::Node source, string report) {
    exists(string escaped | containsEscapedCharacter(source, escaped) |
      escaped = "a" and
      report =
        "the bell character \\a; did you mean \\\\a, the Vim alphabetic character class (use [[:alpha:]] instead) or \\\\A, the beginning of text?"
      or
      escaped = "b" and
      report = "a literal backspace \\b; did you mean \\\\b, a word boundary?"
    )
  }

  /** A source is any node for which some report text exists. */
  predicate isSource(DataFlow::Node source) {
    exists(string report | isSourceString(source, report))
  }

  /** A sink is a node used as a regular-expression pattern. */
  predicate isSink(DataFlow::Node sink) { sink instanceof RegexpPattern }
}
/**
 * Global data-flow tracking from string literals containing suspicious escape
 * sequences (sources and sinks as defined by `SuspiciousCharacterInRegexpConfig`)
 * to their use as a regular-expression pattern. `Flow::PathGraph` is imported
 * below so the query can present the resulting paths.
 */
module Flow = DataFlow::Global<SuspiciousCharacterInRegexpConfig>;
import Flow::PathGraph
from Flow::PathNode source, Flow::PathNode sink, string report
where
  // Bind `report` to the explanation for the escape in the source literal,
  // then require a flow path from that literal to a regexp pattern.
  SuspiciousCharacterInRegexpConfig::isSourceString(source.getNode(), report) and
  Flow::flowPath(source, sink)
// path-problem columns: alert element, path source, path sink, message, then the
// location/label pair substituted for `$@` in the message.
select source, source, sink, "This string literal that is $@ contains " + report, sink,
  "used as a regular expression"