JavaScript: Track taint through RegExp.prototype.replace.

Max Schaefer · Max Schaefer · commit b314c546e15d · 2019-02-08T09:57:07.000Z
diff --git a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -473,6 +473,27 @@ module TaintTracking {
     }
   }
 
+  /**
+   * A taint-propagating data flow edge from the first (and only) argument in a call to
+   * `RegExp.prototype.exec` to its result.
+   */
+  private class RegExpExecTaintStep extends AdditionalTaintStep {
+    DataFlow::MethodCallNode self;
+
+    RegExpExecTaintStep() {
+      this = self and
+      self.getReceiver().analyze().getAType() = TTRegExp() and
+      self.getMethodName() = "exec" and
+      self.getNumArgument() = 1
+    }
+
+
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      pred = self.getArgument(0) and
+      succ = this
+    }
+  }
+
   /**
    * A taint propagating data flow edge arising from JSON unparsing.
    */
diff --git a/javascript/ql/test/library-tests/InterProceduralFlow/TaintTracking.expected b/javascript/ql/test/library-tests/InterProceduralFlow/TaintTracking.expected
@@ -50,6 +50,7 @@
 | tst.js:2:17:2:22 | "src1" | tst.js:4:15:4:29 | RegExp(source1) |
 | tst.js:2:17:2:22 | "src1" | tst.js:5:15:5:33 | new String(source1) |
 | tst.js:2:17:2:22 | "src1" | tst.js:6:15:6:33 | new String(source1) |
+| tst.js:2:17:2:22 | "src1" | tst.js:11:17:11:20 | m[0] |
 | tst.js:2:17:2:22 | "src1" | tst.js:14:15:14:32 | decodeURI(source1) |
 | tst.js:2:17:2:22 | "src1" | tst.js:15:15:15:41 | decodeU ... ource1) |
 | tst.js:2:17:2:22 | "src1" | tst.js:16:15:16:32 | encodeURI(source1) |
