Merge pull request #15435 from erik-krogh/remove-at-to-z

erik-krogh · web-flow · commit fb11e4e14f3f · 2024-01-25T14:43:12.000+01:00
remove an FP in overly-large-range for [@-Z]
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/SuspiciousRegexpRange/tst.js b/javascript/ql/test/query-tests/Security/CWE-020/SuspiciousRegexpRange/tst.js
@@ -29,4 +29,6 @@ var overlapsWithClass2 = /[\w,.-?:*+]/; // NOT OK
 var tst2 = /^([ァ-ヾ]|[ｧ-ﾝﾞﾟ])+$/; // OK
 var tst3 = /[0-9０-９]/; // OK
 
-var question = /[0-?]/; // OK. matches one of: 0123456789:;<=>?
+var question = /[0-?]/; // OK. matches one of: 0123456789:;<=>?
+
+var atToZ = /[@-Z]/; // OK. matches one of: @ABCDEFGHIJKLMNOPQRSTUVWXYZ
diff --git a/shared/regex/codeql/regex/OverlyLargeRangeQuery.qll b/shared/regex/codeql/regex/OverlyLargeRangeQuery.qll
@@ -132,6 +132,9 @@ module Make<RegexTreeViewSig TreeImpl> {
     or
     // the range 0123456789:;<=>? is intentional
     result.isRange("0", "?")
+    or
+    // [@-Z] is intentional, it's the same as [A-Z@]
+    result.isRange("@", "Z")
   }
 
   /** Gets a char between (and including) `low` and `high`. */

Original file line number	Diff line number	Diff line change
`@@ -132,6 +132,9 @@ module Make<RegexTreeViewSig TreeImpl> {`
`132`	`132`	`or`
`133`	`133`	`// the range 0123456789:;<=>? is intentional`
`134`	`134`	`result.isRange("0", "?")`
	`135`	`+ or`
	`136`	`+ // [@-Z] is intentional, it's the same as [A-Z@]`
	`137`	`+ result.isRange("@", "Z")`
`135`	`138`	`}`
`136`	`139`
`137`	`140`	/** Gets a char between (and including) `low` and `high`. */