JS: Add test case showing lack of flow through non-sanitising regexp

asgerf · asgerf · commit d97d67359bf9 · 2025-02-28T13:58:08.000+01:00
diff --git a/javascript/ql/test/library-tests/TaintTracking/DataFlowTracking.expected b/javascript/ql/test/library-tests/TaintTracking/DataFlowTracking.expected
@@ -161,6 +161,7 @@ flow
 | partialCalls.js:4:17:4:24 | source() | partialCalls.js:30:14:30:20 | x.value |
 | partialCalls.js:4:17:4:24 | source() | partialCalls.js:41:10:41:18 | id(taint) |
 | partialCalls.js:4:17:4:24 | source() | partialCalls.js:51:14:51:14 | x |
+| regexp-sanitiser.js:2:19:2:26 | source() | regexp-sanitiser.js:4:14:4:18 | taint |
 | sanitizer-function.js:12:17:12:24 | source() | sanitizer-function.js:14:10:14:14 | taint |
 | sanitizer-function.js:12:17:12:24 | source() | sanitizer-function.js:17:14:17:18 | taint |
 | sanitizer-function.js:12:17:12:24 | source() | sanitizer-function.js:21:14:21:18 | taint |
diff --git a/javascript/ql/test/library-tests/TaintTracking/regexp-sanitiser.js b/javascript/ql/test/library-tests/TaintTracking/regexp-sanitiser.js
@@ -0,0 +1,6 @@
+function foo() {
+    const taint = source();
+    if (/^asd[\s\S]*$/.test(taint)) {
+        sink(taint); // NOT OK [INCONSISTENCY]
+    }
+}
