more precise getChild for matching "../"

erik-krogh · erik-krogh · commit e47575ce5b3c · 2020-04-14T10:24:08.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
@@ -285,7 +285,7 @@ module TaintedPath {
     exists(RegExpSequence seq | seq = result |
       seq.getChild(0).getConstantValue() = "." and
       seq.getChild(1).getConstantValue() = "." and
-      seq.getAChild().getAMatchedString() = "/"
+      seq.getChild(2).getAMatchedString() = "/"
     )
     or
     exists(RegExpGroup group | result = group | group.getChild(0) = getADotDotSlashMatcher())

Original file line number	Diff line number	Diff line change
`@@ -285,7 +285,7 @@ module TaintedPath {`
`285`	`285`	`exists(RegExpSequence seq \| seq = result \|`
`286`	`286`	`seq.getChild(0).getConstantValue() = "." and`
`287`	`287`	`seq.getChild(1).getConstantValue() = "." and`
`288`		`- seq.getAChild().getAMatchedString() = "/"`
	`288`	`+ seq.getChild(2).getAMatchedString() = "/"`
`289`	`289`	`)`
`290`	`290`	`or`
`291`	`291`	`exists(RegExpGroup group \| result = group \| group.getChild(0) = getADotDotSlashMatcher())`