[JS]: Regex Global Flag in Test Function

[aydinnyunus]

Query PR

github/codeql#15163

Language

Javascript

CVE(s) ID list

CVE-2018-3737 uses global flag for parsing ssh public key.

• CVE-2018-3737

Other incorrect regular expressions.

• CVE-2020-2288
• CVE-2018-11615

CWE

CWE-20: Improper Input Validation
CWE-185: Incorrect Regular Expression

Report

Overview

This pull request adds a new CodeQL query designed to detect issues related to the use of the global flag (g) in regular expressions within JavaScript and TypeScript codebases. This query focuses on identifying instances where the global flag might lead to inconsistent or erroneous behavior, particularly when used in conjunction with the test method of RegExp objects. The goal is to help developers identify and rectify potential bugs in their code related to global regular expressions.

Changes Introduced

• New Query Added: RegexValidation.ql - Identifies potentially problematic uses of the global flag in regular expressions, especially when used in test method calls.
• Code Examples: Provided in the /CWE-020 directory, showcasing both problematic (bad) and corrected (good) usage scenarios.
• Documentation: Comprehensive documentation detailing the query's purpose, how it works, and the specific issue it addresses, including examples and best practices.

const forbidden = /['|]/g;
forbidden.test("'")

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

• Yes
• No

Blog post link

No response

[sylwia-budzynska]

Hi @aydinnyunus - for a query to be accepted for bounty, it has to detect a real CVE, which will also show the impact of the vulnerability. See rule 4 in the rules. Can you provide a CVE and a CodeQL database containing that CVE?

[aydinnyunus]

Hi @sylwia-budzynska ,

I updated the description with new CVEs. Should I upload the CodeQL database ? I upload the example codes in PR.

[sylwia-budzynska]

Hello @aydinnyunus

Similarly to your other bounty issue I chatted about this internally. I looked at the CVE that you linked, but from the looks of it, it doesn’t use a global flag, and its result is a ReDoS. The idea of providing a CVE linked to the query is for the query to be able to find precisely that CVE. I encourage you to find a CVE to model this query against, as this is one of our requirements.

Moreover, I looked at the query and ran it against one of our lists - for around 800 repositories, it produced 1.2 million results of which most are false positives. The idea behind the program is for bug bounty hunters to create queries, that would be added to the default CodeQL query suite. Adding this query to the suite would produce too many false positives.

[aydinnyunus]

Hi @sylwia-budzynska,

I think we can close the report because I did not match exact CVE id.

[ghsecuritylab]

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed