Closed
Description
Here is the code(sorry I spent hours reducing the code but failed):
{
function n(t, e) {
var r = "undefined" != typeof Symbol && t[Symbol.iterator] || t["@@iterator"];
if (!r) {
if (Array.isArray(t) || (r = function (t, e) {
if (t) {
if ("string" == typeof t) return o(t, e);
var r = {}.toString.call(t).slice(8, -1);
"Object" === r && t.constructor && (r = t.constructor.name);
return "Map" === r || "Set" === r ? Array.from(t) : "Arguments" === r || /^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(r) ? o(t, e) : void 0;
}
}(t)) || e && t && "number" == typeof t.length) {
r && (t = r);
var n = 0;
var i = function () {
};
return {
s: i,
n: function () {
return n >= t.length ? {
done: !0
} : {
done: !1,
value: t[n++]
};
},
e: function (t) {
throw t;
},
f: i
};
}
}
var a;
var s = !0;
var c = !1;
return {
s: function () {
r = r.call(t);
},
n: function () {
var t = r.next();
s = t.done;
return t;
},
e: function (t) {
c = !0;
a = t;
},
f: function () {
try {
s || null == r.return || r.return();
} finally {
if (c) throw a;
}
}
};
}
function o(t, e) {
(null == e || e > t.length) && (e = t.length);
for (var r = 0, n = Array(e); r < e; r++) n[r] = t[r];
return n;
}
exports.KV = A;
var i;
var a = "undefined" != typeof process && process.env && process.env.DEBUG || void 0;
var s = [];
var c = [];
var u = [];
a && d(a);
function d(t) {
i = t;
s = [];
c = [];
var e;
var r = /\*/g;
var o = t.split(",").map(function (t) {
return t.trim().replace(r, ".*?");
});
var a = n(o);
e = a.n()
var l = e.value;
new RegExp("^".concat(l.substr(1), "$"));
}
}If I directly build a database and scan that, I get nothing. But if I comment out the first line and last line, I get a vulnerability:
"Regular expression injection","User input should not be used in regular expressions without first being escaped, otherwise a malicious user may be able to inject an expression that could require exponential time on certain inputs.","error","This regular expression is constructed from a [[""environment variable""|""relative:///52181.js:68:61:68:71""]].","/52181.js","86","20","86","47"
The way I run codeql is like
$TARGET_DIR="./test"
codeql database create --language=javascript codeql-database --source-root="$TARGET_DIR" --overwrite
codeql database analyze ./codeql-database/ /codeql/codeql-repo/javascript/ql/src/Security/CWE-730/RegExpInjection.ql --format=csv --output="$OUTPUT_FILE" --threads=10