add support for String.prototype.replaceAll

Author: erik-krogh

javascript/ql/src/Expressions/StringInsteadOfRegex.ql

@@ -31,7 +31,7 @@ predicate isStringSplitOrReplace(MethodCallExpr mce) {
     mce.getMethodName() = name and
     mce.getNumArgument() = arity
   |
-    name = "replace" and arity = 2
+    name = ["replace", "replaceAll"] and arity = 2
     or
     name = "split" and
     (arity = 1 or arity = 2)

javascript/ql/src/RegExp/IdentityReplacement.ql

@@ -70,7 +70,7 @@ predicate regExpMatchesString(RegExpTerm t, string s) {
 
 from MethodCallExpr repl, string s, string friendly
 where
-  repl.getMethodName() = "replace" and
+  repl.getMethodName() = ["replace", "replaceAll"] and
   matchesString(repl.getArgument(0), s) and
   repl.getArgument(1).getStringValue() = s and
   (if s = "" then friendly = "the empty string" else friendly = "'" + s + "'")

javascript/ql/src/Security/CWE-020/IncompleteUrlSchemeCheck.ql

@@ -75,7 +75,7 @@ DataFlow::Node schemeCheck(DataFlow::Node nd, DangerousScheme scheme) {
   exists(DataFlow::MethodCallNode stringop |
     stringop.getMethodName().matches("trim%") or
     stringop.getMethodName().matches("to%Case") or
-    stringop.getMethodName() = "replace"
+    stringop.getMethodName() = ["replace", "replaceAll"]
   |
     result = schemeCheck(stringop, scheme) and
     nd = stringop.getReceiver()

javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql

@@ -79,6 +79,7 @@ predicate allBackslashesEscaped(DataFlow::Node nd) {
   // flow through string methods
   exists(DataFlow::MethodCallNode mc, string m |
     m = "replace" or
+    m = "replaceAll" or
     m = "slice" or
     m = "substr" or
     m = "substring" or

javascript/ql/src/semmle/javascript/StandardLibrary.qll

@@ -102,7 +102,7 @@ private class IteratorExceptionStep extends DataFlow::MethodCallNode, DataFlow::
  */
 class StringReplaceCall extends DataFlow::MethodCallNode {
   StringReplaceCall() {
-    getMethodName() = "replace" and
+    getMethodName() = ["replace", "replaceAll"] and
     (getNumArgument() = 2 or getReceiver().mayHaveStringValue(_))
   }
 
@@ -128,9 +128,9 @@ class StringReplaceCall extends DataFlow::MethodCallNode {
 
   /**
    * Holds if this is a global replacement, that is, the first argument is a regular expression
-   * with the `g` flag.
+   * with the `g` flag, or this is a call to `.replaceAll()`.
    */
-  predicate isGlobal() { getRegExp().isGlobal() }
+  predicate isGlobal() { getRegExp().isGlobal() or getMethodName() = "replaceAll" }
 
   /**
    * Holds if this call to `replace` replaces `old` with `new`.

javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll

@@ -427,6 +427,7 @@ module TaintTracking {
         name = "padStart" or
         name = "repeat" or
         name = "replace" or
+        name = "replaceAll" or
         name = "slice" or
         name = "small" or
         name = "split" or
@@ -452,7 +453,7 @@ module TaintTracking {
       exists(int i | pred.asExpr() = succ.getAstNode().(MethodCallExpr).getArgument(i) |
         name = "concat"
         or
-        name = "replace" and i = 1
+        name = ["replace", "replaceAll"] and i = 1
       )
     )
     or
@@ -707,7 +708,8 @@ module TaintTracking {
      */
     private ControlFlowNode getACaptureSetter(DataFlow::Node input) {
       exists(DataFlow::MethodCallNode call | result = call.asExpr() |
-        call.getMethodName() = ["search", "replace", "match"] and input = call.getReceiver()
+        call.getMethodName() = ["search", "replace", "replaceAll", "match"] and
+        input = call.getReceiver()
         or
         call.getMethodName() = ["test", "exec"] and input = call.getArgument(0)
       )

javascript/ql/src/semmle/javascript/heuristics/AdditionalTaintSteps.qll

@@ -15,9 +15,7 @@ abstract class HeuristicAdditionalTaintStep extends DataFlow::ValueNode { }
  * A call to `tainted.replace(x, y)` that preserves taint.
  */
 private class HeuristicStringManipulationTaintStep extends HeuristicAdditionalTaintStep,
-  TaintTracking::AdditionalTaintStep, DataFlow::MethodCallNode {
-  HeuristicStringManipulationTaintStep() { getMethodName() = "replace" }
-
+  TaintTracking::AdditionalTaintStep, StringReplaceCall {
   override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
     pred = getReceiver() and succ = this
   }

javascript/ql/src/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll

@@ -34,15 +34,11 @@ module CleartextLogging {
   /**
    * A call to `.replace()` that seems to mask sensitive information.
    */
-  class MaskingReplacer extends Barrier, DataFlow::MethodCallNode {
+  class MaskingReplacer extends Barrier, StringReplaceCall {
     MaskingReplacer() {
-      this.getCalleeName() = "replace" and
-      exists(RegExpLiteral reg |
-        reg = this.getArgument(0).getALocalSource().asExpr() and
-        reg.isGlobal() and
-        any(RegExpDot term).getLiteral() = reg
-      ) and
-      exists(this.getArgument(1).getStringValue())
+      this.isGlobal() and
+      exists(this.getRawReplacement().getStringValue()) and
+      any(RegExpDot term).getLiteral() = getRegExp().asExpr()
     }
   }
 

javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll

@@ -218,12 +218,12 @@ module TaintedPath {
       output = this
       or
       // non-global replace or replace of something other than /\.\./g, /[/]/g, or /[\.]/g.
-      this.getCalleeName() = "replace" and
+      this instanceof StringReplaceCall and
       input = getReceiver() and
       output = this and
       not exists(RegExpLiteral literal, RegExpTerm term |
-        getArgument(0).getALocalSource().asExpr() = literal and
-        literal.isGlobal() and
+        this.(StringReplaceCall).getRegExp().asExpr() = literal and
+        this.(StringReplaceCall).isGlobal() and
         literal.getRoot() = term
       |
         term.getAMatchedString() = "/" or
@@ -247,16 +247,15 @@ module TaintedPath {
   /**
    * A call that removes all instances of "../" in the prefix of the string.
    */
-  class DotDotSlashPrefixRemovingReplace extends DataFlow::CallNode {
+  class DotDotSlashPrefixRemovingReplace extends StringReplaceCall {
     DataFlow::Node input;
     DataFlow::Node output;
 
     DotDotSlashPrefixRemovingReplace() {
-      this.getCalleeName() = "replace" and
       input = getReceiver() and
       output = this and
       exists(RegExpLiteral literal, RegExpTerm term |
-        getArgument(0).getALocalSource().asExpr() = literal and
+        getRegExp().asExpr() = literal and
         (term instanceof RegExpStar or term instanceof RegExpPlus) and
         term.getChild(0) = getADotDotSlashMatcher()
       |
@@ -298,17 +297,16 @@ module TaintedPath {
   /**
    * A call that removes all "." or ".." from a path, without also removing all forward slashes.
    */
-  class DotRemovingReplaceCall extends DataFlow::CallNode {
+  class DotRemovingReplaceCall extends StringReplaceCall {
     DataFlow::Node input;
     DataFlow::Node output;
 
     DotRemovingReplaceCall() {
-      this.getCalleeName() = "replace" and
       input = getReceiver() and
       output = this and
+      isGlobal() and
       exists(RegExpLiteral literal, RegExpTerm term |
-        getArgument(0).getALocalSource().asExpr() = literal and
-        literal.isGlobal() and
+        getRegExp().asExpr() = literal and
         literal.getRoot() = term and
         not term.getAMatchedString() = "/"
       |

javascript/ql/src/semmle/javascript/security/dataflow/UnsafeJQueryPlugin.qll

@@ -39,10 +39,9 @@ module UnsafeJQueryPlugin {
       StringConcatenation::taintStep(pred, succ, _, any(int i | i >= 1))
       or
       // prefixing through a poor-mans templating system:
-      exists(DataFlow::MethodCallNode replace |
+      exists(StringReplaceCall replace |
         replace = succ and
-        pred = replace.getArgument(1) and
-        replace.getMethodName() = "replace"
+        pred = replace.getRawReplacement()
       )
     }