
JS: Exclude environment variables from js/regex-injection query by default #20148

Open. Wants to merge 4 commits into base: main from js/reg-exp-env-variable-threat-model.

Conversation

Napalys
Contributor

@Napalys Napalys commented Jul 31, 2025

Removes environment variables as default sources for the js/regex-injection query while allowing them to be re-enabled via the "environment" threat model.

@Napalys Napalys force-pushed the js/reg-exp-env-variable-threat-model branch from f980d9a to b820cb5 Compare July 31, 2025 10:51
@Napalys Napalys force-pushed the js/reg-exp-env-variable-threat-model branch from b820cb5 to 3f9061a Compare July 31, 2025 11:20
@Napalys Napalys marked this pull request as ready for review July 31, 2025 12:02
@Napalys Napalys requested a review from a team as a code owner July 31, 2025 12:02
@Napalys Napalys requested review from Copilot and removed request for a team July 31, 2025 12:02
Contributor

@Copilot Copilot AI left a comment

Pull Request Overview

This PR modifies the js/regex-injection query to exclude environment variables as default sources while allowing them to be re-enabled via the "environment" threat model. The change reduces false positives for scenarios where environment variables are considered trusted input.

  • Removes environment variables from default sources in the RegExp injection query
  • Adds support for re-enabling environment variables through the "environment" threat model
  • Updates test cases to verify the new behavior with both enabled and disabled threat models

Reviewed Changes

Copilot reviewed 8 out of 16 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| RegExpInjectionCustomizations.qll | Refactors source detection to exclude environment variables by default and adds conditional environment variable sources |
| Threat-models-enabled/* | New test files to verify environment variables are detected when the threat model is enabled |
| Threat-models-disabled/RegExpInjection.js | Updates test to reflect that environment variables should not be detected by default |
| Threat-models-disabled/RegExpInjection.expected | Updates expected results, removing environment variable alerts |
| 2025-07-31-regexp-injection-threat-model.md | Documents the change in behavior |
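The pattern the js/regex-injection query reports, shown as an added example that is not part of this PR or of the CodeQL repository: a `RegExp` built from text the program does not control, next to the escaped construction that keeps the text literal. The function names (`escapeRegExp`, `matchesUnsafe`, `matchesSafe`, `searchFromEnv`), the `SEARCH_TERM` variable and the sample inputs are assumptions made for the example.

```javascript
// Added example, not code from this PR or from the CodeQL repository.
// It shows the sink js/regex-injection reports (new RegExp built from text
// the program does not control) beside a safe construction.
'use strict';

// Escape every RegExp metacharacter so the text can only match literally.
function escapeRegExp(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Unsafe: the needle is interpreted as regex syntax. When `needle` flows from a
// remote source (an HTTP parameter, for instance) the query reports this line;
// after this PR a needle read from process.env is reported only when the
// "environment" threat model is enabled.
function matchesUnsafe(needle, haystack) {
  return new RegExp(needle).test(haystack);
}

// Safe: the same check with the needle escaped first, so metacharacters
// lose their meaning and '.*' is searched for as the two characters '.' '*'.
function matchesSafe(needle, haystack) {
  return new RegExp(escapeRegExp(needle)).test(haystack);
}

// Constructed inputs: a needle that is regex syntax rather than a literal term.
const SAMPLE_NEEDLE = '.*';
const SAMPLE_TEXT = 'no such term here';

// Hypothetical search helper: the needle comes from the environment, which is
// the source this PR moves out of the query's default set. `env` is passed in
// (rather than reading process.env directly) so the helper can be exercised
// with constructed values.
function searchFromEnv(env, haystack) {
  const term = env.SEARCH_TERM || '';
  return {
    unsafe: matchesUnsafe(term, haystack), // '.*' matches everything
    safe: matchesSafe(term, haystack),     // '.*' matched literally
  };
}
```

The unsafe variant returns `true` for `SAMPLE_TEXT` even though the text contains no `.*`, because the needle was parsed as a pattern; the escaped variant returns `false`. Whether the environment-variable source is reported is decided in the CodeQL configuration, not in the JavaScript: with this PR it is off by default and can be turned on with the CodeQL CLI's `--threat-model environment` option.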
