Napalys/regexp unknown flags #18089
javascript/ql/src/Security/CWE-178/CaseSensitiveMiddlewarePath.ql
Co-authored-by: Erik Krogh Kristensen <[email protected]>
ef0eb2c to d6372ae
… from RegExpCreationNode and reused RegExp::isGlobal in std
e314fef to b39a8fe
…gExp with global flag
…protytpe pulluting
/**
 * Holds if this is a global replacement, that is, the first argument is a regular expression
 * with the `g` flag, or this is a call to `.replaceAll()`.
 */
This docstring needs to mention that the predicate also holds if the flags are unknown. Incorporate that into the string naturally in some way.
(Actually, try to copy-paste the above sentence into Copilot as instructions, use o1-mini or o1-preview with the Copilot edit mode: select the docstring in VSCode, press cmd + i, make sure to select the right model, and paste my above instructions).
Fixed 8b64f17
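The docstring under review defines a global replacement as a `g`-flagged regular expression or a `.replaceAll()` call, and the reviewer asks that unknown flags count as well. The following is an added JavaScript example, not code from this PR or from the CodeQL repository: it shows why that distinction matters for a sanitizer (a non-global `replace` only strips the first match) and a small `mayBeGlobalReplacement` helper (a hypothetical name) that mirrors the stated rule, treating absent flags as unknown and therefore possibly global.

```javascript
// Mirrors the docstring rule, extended as the review requests: a replacement
// is (possibly) global when the method is replaceAll, when the regex carries
// the `g` flag, or when the flags cannot be determined. Treating unknown flags
// as global is the conservative choice for an incomplete-sanitization query:
// it avoids flagging code whose flags really do contain `g`.
function mayBeGlobalReplacement(method, flags) {
  if (method === "replaceAll") return true;
  if (flags === undefined || flags === null) return true; // flags unknown
  return flags.includes("g");
}

// Sanitizer variants that try to remove "<" and ">" from untrusted input.
// Non-global regex: only the first match is removed, an incomplete sanitization.
function stripAnglesFirstOnly(s) {
  return s.replace(/[<>]/, "");
}

// Global regex: every match is removed.
function stripAnglesAll(s) {
  return s.replace(/[<>]/g, "");
}

// Flags supplied at run time: static analysis cannot tell whether `g` is
// present, so it should not assume a single replacement.
function stripAnglesWithFlags(s, flags) {
  return s.replace(new RegExp("[<>]", flags), "");
}

// Constructed sample input for the demonstration.
const constructedInput = "<b>x</b>";
console.log(stripAnglesFirstOnly(constructedInput));      // "b>x</b>"
console.log(stripAnglesAll(constructedInput));            // "bx/b"
console.log(stripAnglesWithFlags(constructedInput, "g")); // "bx/b"
console.log(stripAnglesWithFlags(constructedInput, ""));  // "b>x</b>"
console.log(mayBeGlobalReplacement("replace", undefined)); // true
```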
/** Holds if the constructed predicate has the `g` flag. */
predicate isGlobal() { RegExp::isGlobal(this.getFlags()) }
Don't outright delete predicates like this. Instead, keep the implementation but add a deprecated annotation, and add an explanation into the docstring as to why the predicate is deprecated.
Deprecated predicates get deleted after a little over a year.
8b64f17 to 56cde75
…pr Object, instead of literal
70a1645 to f320ce5
… longer flagged as bad sanitization to reduce false positives.
f320ce5 to 2f7df2d
143f1b8 to 0c937cd
c003a81 to b6ffc46
6e16778 to 57d542f
…gives wrong results
…erals but not objects
…assword Clear text storage of sensitive information
…arEscapeSanitizer
Pull Request checklist
All query authors
- `.qhelp`. See the documentation in this repository.
Internal query authors only
- `.ql`, `.qll`, or `.qhelp` files. See the documentation (internal access required).