Update RegExp handling and add test case

github · Nov 28, 2024 · 051ff39 · 051ff39
1 parent fd77360
commit 051ff39
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
@@ -40,7 +40,7 @@ module CleartextLogging {
       exists(this.getRawReplacement().getStringValue()) and
       exists(DataFlow::RegExpCreationNode regexpObj |
         this.(StringReplaceCall).getRegExp() = regexpObj and
-        regexpObj.getRoot() = any(RegExpDot term)
+        regexpObj.getRoot() = any(RegExpDot term).getRootTerm()
       )
     }
   }

diff --git a/javascript/ql/test/query-tests/Security/CWE-312/passwords.js b/javascript/ql/test/query-tests/Security/CWE-312/passwords.js
@@ -181,4 +181,5 @@ const debug = require('debug')('test');
 	console.log(password.replace(new RegExp(".", "g"), "*")); // OK
 	console.log(password.replace(new RegExp("."), "*")); // NOT OK
 	console.log(password.replace(new RegExp(".", unknownFlags()), "*")); // OK -- Most likely not a problem.
+    console.log(password.replace(new RegExp("pre_._suf", "g"), "*")); // OK
 })();