Commit ef51ab1

JS: exclude sinon module from regexp match calls
1 parent 584b4f5 commit ef51ab1

5 files changed

+4
-4
lines changed

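--- a/javascript/ql/lib/semmle/javascript/Regexp.qll
+++ b/javascript/ql/lib/semmle/javascript/Regexp.qll
@@ -998,6 +998,8 @@ private predicate isUsedAsNonMatchObject(DataFlow::MethodCallNode call) {
 or
 // Result is obviously unused
 call.asExpr() = any(ExprStmt stmt).getExpr()
+or
+call = API::moduleImport("sinon").getMember("match").getACall()
 )
 }
 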
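Review bot: The new `sinon.match` disjunct is the only branch visible in this predicate without a comment saying why it counts as "used as a non-match object"; the neighbouring `call.asExpr() = any(ExprStmt stmt).getExpr()` case carries `// Result is obviously unused`. Suggest a comment above the new `or`, e.g. `// sinon.match(x) builds a sinon matcher rather than calling String.prototype.match; a string argument is compared as a plain substring, not as a regular expression`, so a later reader does not mistake this for a missed regexp-source case. The exclusion is keyed on the `sinon` module import only, so if the same matcher is reachable another way (for example through a sinon sandbox object, if those expose `match`), that path would presumably still be flagged; a test case or a note on that limitation would help. The predicate `isUsedAsNonMatchObject` begins before this hunk.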
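--- a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp/IncompleteHostnameRegExp.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp/IncompleteHostnameRegExp.expected
@@ -27,4 +27,3 @@
 | tst-IncompleteHostnameRegExp.js:56:14:56:38 | ^http://test.example.com | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:56:13:56:39 | '^http: ... le.com' | here |
 | tst-IncompleteHostnameRegExp.js:60:5:60:20 | foo.example\\.com | This regular expression has an unescaped '.' before 'example\\.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:60:2:60:32 | /^(foo. ... ever)$/ | here |
 | tst-IncompleteHostnameRegExp.js:62:18:62:41 | ^http://test.example.com | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:62:17:62:42 | "^http: ... le.com" | here |
-| tst-IncompleteHostnameRegExp.js:65:24:65:38 | https://a.b.com | This string, which is used as a regular expression $@, has an unescaped '.' before 'b.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:66:58:66:69 | megacliteUrl | here |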

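--- a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp/tst-IncompleteHostnameRegExp.js
+++ b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp/tst-IncompleteHostnameRegExp.js
@@ -62,6 +62,6 @@
 if (s.matchAll("^http://test.example.com")) {} // $ Alert
 
 const sinon = require('sinon');
-const megacliteUrl = "https://a.b.com"; // $SPURIOUS:Alert
+const megacliteUrl = "https://a.b.com";
 sinon.assert.calledWith(postStub.firstCall, sinon.match(megacliteUrl));
 });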

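--- a/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/MissingRegExpAnchor.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/MissingRegExpAnchor.expected
@@ -68,4 +68,3 @@
 | tst-UnanchoredUrlRegExp.js:117:50:117:59 | "good.com" | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. |
 | tst-UnanchoredUrlRegExp.js:118:50:118:68 | "https?://good.com" | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. |
 | tst-UnanchoredUrlRegExp.js:119:50:119:73 | "https? ... m:8080" | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. |
-| tst.js:4:24:4:40 | "https://a.b.com" | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. |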
Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
const sinon = require('sinon');
22

33
function testFunction() {
4-
const megacliteUrl = "https://a.b.com"; // $SPURIOUS:Alert
4+
const megacliteUrl = "https://a.b.com";
55
sinon.assert.calledWith(postStub.firstCall, sinon.match(megacliteUrl));
66
}
