JS: add tests for missing flow of regular expressions

Esben Sparre Andreasen · Esben Sparre Andreasen · commit 7923c9d77cc6 · 2019-04-01T09:19:25.000+02:00
diff --git a/javascript/ql/test/query-tests/RegExp/IdentityReplacement/IdentityReplacement.js b/javascript/ql/test/query-tests/RegExp/IdentityReplacement/IdentityReplacement.js
@@ -1 +1,5 @@
 var escaped = raw.replace(/"/g, '\"');
+(function() {
+	var indirect = /"/g;
+	raw.replace(indirect, '\"');
+});
diff --git a/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js b/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js
@@ -60,3 +60,12 @@ function badPercentEscape(s) {
   s = s.replace(/%/g, '%25');
   return s;
 }
+
+function badEncode(s) {
+  var indirect1 = /"/g;
+  var indirect2 = /'/g;
+  var indirect3 = /&/g;
+  return s.replace(indirect1, "&quot;")
+          .replace(indirect2, "&apos;")
+          .replace(indirect3, "&amp;");
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js
@@ -163,3 +163,8 @@ app.get('/some/path', function(req, res) {
   flowifyComments(untrusted);
   good11(untrusted);
 });
+
+(function (s) {
+	var indirect = /'/;
+	return s.replace(indirect, ""); // NOT OK
+});
diff --git a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst.js b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst.js
@@ -1,2 +1,7 @@
 // NOT OK
 window.location = /.*redirect=([^&]*).*/.exec(document.location.href)[1];
+
+(function(){
+	var indirect = /.*redirect=([^&]*).*/;
+	window.location = indirect.exec(document.location.href)[1];
+});
