From 742a1e714c6d1a9c3c4e58abbf11ea7467b51604 Mon Sep 17 00:00:00 2001
From: Napalys Klicius
Date: Mon, 23 Jun 2025 09:47:03 +0200
Subject: [PATCH 1/2] JS: update `js/double-escaping` message with escaping of \
---
 javascript/ql/src/Security/CWE-116/DoubleEscaping.ql | 6 ++++--
 .../Security/CWE-116/DoubleEscaping/DoubleEscaping.expected | 2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql b/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
index 302ffeeac702..cfc475427e55 100644
--- a/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
+++ b/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
@@ -125,9 +125,11 @@ from Replacement primary, Replacement supplementary, string message, string meta
 where
 primary.escapes(metachar, _) and
 supplementary = primary.getAnEarlierEscaping(metachar) and
- message = "may double-escape '" + metachar + "' characters from $@"
+ message = "may double-escape '" + metachar.replaceAll("\\", "\\\\") + "' characters from $@"
 or
 primary.unescapes(_, metachar) and
 supplementary = primary.getALaterUnescaping(metachar) and
- message = "may produce '" + metachar + "' characters that are double-unescaped $@"
+ message =
+ "may produce '" + metachar.replaceAll("\\", "\\\\") +
+ "' characters that are double-unescaped $@"
 select primary, "This replacement " + message + ".", supplementary, "here"
diff --git a/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/DoubleEscaping.expected b/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/DoubleEscaping.expected
index 9ec4549b7f69..1cd45b8c7b42 100644
--- a/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/DoubleEscaping.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/DoubleEscaping.expected
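Review bot: In the `DoubleEscaping.ql` hunk, `metachar.replaceAll("\\", "\\\\")` is written out in both disjuncts of the `where` clause (the `escapes` and the `unescapes` branch) with no comment saying why a backslash is doubled before it goes into the message. In a query about double escaping, a reader can take the doubled backslash for part of the reported metacharacter, so I would add a line such as `// Double each backslash so that the rendered alert shows a literal '\'.` above the first use; the rendering reason is inferred from the change note, so confirm the wording. Binding the display form once, for example `exists(string shown | shown = metachar.replaceAll("\\", "\\\\") | ...)` around the disjunction, would keep the two branches from drifting apart. As far as the visible `.expected` hunk shows, only the `unescapes` branch (the `tst.js:53` row) has a backslash case, so a test row for the `escapes` branch would cover the other edited line. The `from` clause of the query starts above the hunk.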
@@ -2,7 +2,7 @@
 | tst.js:20:10:20:33 | s.repla ... g, "&") | This replacement may produce '&' characters that are double-unescaped $@. | tst.js:20:10:21:35 | s.repla ... , "\\"") | here |
 | tst.js:30:10:30:33 | s.repla ... g, "&") | This replacement may produce '&' characters that are double-unescaped $@. | tst.js:30:10:32:34 | s.repla ... g, "'") | here |
 | tst.js:47:7:47:30 | s.repla ... g, "&") | This replacement may produce '&' characters that are double-unescaped $@. | tst.js:48:7:48:32 | s.repla ... , "\\"") | here |
-| tst.js:53:10:53:33 | s.repla ... , '\\\\') | This replacement may produce '\\' characters that are double-unescaped $@. | tst.js:53:10:54:33 | s.repla ... , '\\'') | here |
+| tst.js:53:10:53:33 | s.repla ... , '\\\\') | This replacement may produce '\\\\' characters that are double-unescaped $@. | tst.js:53:10:54:33 | s.repla ... , '\\'') | here |
 | tst.js:60:7:60:28 | s.repla ... '%25') | This replacement may double-escape '%' characters from $@. | tst.js:59:7:59:28 | s.repla ... '%26') | here |
 | tst.js:68:10:70:38 | s.repla ... &") | This replacement may double-escape '&' characters from $@. | tst.js:68:10:69:39 | s.repla ... apos;") | here |
 | tst.js:79:10:79:66 | s.repla ... &") | This replacement may double-escape '&' characters from $@. | tst.js:79:10:79:43 | s.repla ... epl[c]) | here |
From 466eac3185079f1bc2497241e979e4295564f280 Mon Sep 17 00:00:00 2001
From: Napalys Klicius
Date: Mon, 23 Jun 2025 10:27:48 +0200
Subject: [PATCH 2/2] JS: add change note
---
 javascript/ql/src/change-notes/2025-06-23-double-escaping.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 javascript/ql/src/change-notes/2025-06-23-double-escaping.md
diff --git a/javascript/ql/src/change-notes/2025-06-23-double-escaping.md b/javascript/ql/src/change-notes/2025-06-23-double-escaping.md
new file mode 100644
index 000000000000..312d365fbb38
--- /dev/null
+++ b/javascript/ql/src/change-notes/2025-06-23-double-escaping.md
@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* The `js/double-escaping` query now correctly displays backslash metacharacters in alert messages.