JS: use ports to sharpen js/incomplete-url-substring-sanitization

Esben Sparre Andreasen · Esben Sparre Andreasen · commit 321b3f1ab596 · 2019-01-30T10:18:00.000+01:00
diff --git a/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql b/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql
@@ -51,7 +51,7 @@ where
     name = "endsWith" and
     target.regexpMatch("(?i)\\.([a-z0-9-]+)(\\.[a-z0-9-]+)+")
     or
-    // the trailing slash makes the prefix-check safe
+    // the trailing port or slash makes the prefix-check safe
     (
       name = "startsWith"
       or
@@ -61,6 +61,6 @@ where
         n.getIntValue() = 0
       )
     ) and
-    target.regexpMatch(".*/")
+    target.regexpMatch(".*(:[0-9]+|/)")
   )
 select call, "'$@' may be at an arbitrary position in the sanitized URL.", substring, target

Original file line number	Diff line number	Diff line change
`@@ -51,7 +51,7 @@ where`
`51`	`51`	`name = "endsWith" and`
`52`	`52`	`target.regexpMatch("(?i)\\.([a-z0-9-]+)(\\.[a-z0-9-]+)+")`
`53`	`53`	`or`
`54`		`- // the trailing slash makes the prefix-check safe`
	`54`	`+ // the trailing port or slash makes the prefix-check safe`
`55`	`55`	`(`
`56`	`56`	`name = "startsWith"`
`57`	`57`	`or`
`@@ -61,6 +61,6 @@ where`
`61`	`61`	`n.getIntValue() = 0`
`62`	`62`	`)`
`63`	`63`	`) and`
`64`		`- target.regexpMatch(".*/")`
	`64`	`+ target.regexpMatch(".*(:[0-9]+\|/)")`
`65`	`65`	`)`
`66`	`66`	`select call, "'$@' may be at an arbitrary position in the sanitized URL.", substring, target`