Merge pull request #15351 from erik-krogh/zero-to-question

erik-krogh · web-flow · commit 17466385e044 · 2024-01-17T15:51:42.000+01:00
JS/PY/JAVA/RB: mark the range [0-?] as good in the overly-large-range query
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/SuspiciousRegexpRange/tst.js b/javascript/ql/test/query-tests/Security/CWE-020/SuspiciousRegexpRange/tst.js
@@ -27,4 +27,6 @@ var overlapsWithClass1 = /[0-9\d]/; // NOT OK
 var overlapsWithClass2 = /[\w,.-?:*+]/; // NOT OK
 
 var tst2 = /^([ァ-ヾ]|[ｧ-ﾝﾞﾟ])+$/; // OK
-var tst3 = /[0-9０-９]/; // OK
+var tst3 = /[0-9０-９]/; // OK
+
+var question = /[0-?]/; // OK. matches one of: 0123456789:;<=>?
diff --git a/shared/regex/codeql/regex/OverlyLargeRangeQuery.qll b/shared/regex/codeql/regex/OverlyLargeRangeQuery.qll
@@ -129,6 +129,9 @@ module Make<RegexTreeViewSig TreeImpl> {
     or
     // starting from the zero byte is a good indication that it's purposely matching a large range.
     result.isRange(0.toUnicode(), _)
+    or
+    // the range 0123456789:;<=>? is intentional
+    result.isRange("0", "?")
   }
 
   /** Gets a char between (and including) `low` and `high`. */

Original file line number	Diff line number	Diff line change
`@@ -129,6 +129,9 @@ module Make<RegexTreeViewSig TreeImpl> {`
`129`	`129`	`or`
`130`	`130`	`// starting from the zero byte is a good indication that it's purposely matching a large range.`
`131`	`131`	`result.isRange(0.toUnicode(), _)`
	`132`	`+ or`
	`133`	`+ // the range 0123456789:;<=>? is intentional`
	`134`	`+ result.isRange("0", "?")`
`132`	`135`	`}`
`133`	`136`
`134`	`137`	/** Gets a char between (and including) `low` and `high`. */