JS: add false positive test cases for hostname regex detection

Napalys · Napalys · commit 584b4f51aa87 · 2025-06-23T20:25:10.000+02:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp/IncompleteHostnameRegExp.expected b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp/IncompleteHostnameRegExp.expected
@@ -27,3 +27,4 @@
 | tst-IncompleteHostnameRegExp.js:56:14:56:38 | ^http://test.example.com | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:56:13:56:39 | '^http: ... le.com' | here |
 | tst-IncompleteHostnameRegExp.js:60:5:60:20 | foo.example\\.com | This regular expression has an unescaped '.' before 'example\\.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:60:2:60:32 | /^(foo. ... ever)$/ | here |
 | tst-IncompleteHostnameRegExp.js:62:18:62:41 | ^http://test.example.com | This regular expression has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:62:17:62:42 | "^http: ... le.com" | here |
+| tst-IncompleteHostnameRegExp.js:65:24:65:38 | https://a.b.com | This string, which is used as a regular expression $@, has an unescaped '.' before 'b.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.js:66:58:66:69 | megacliteUrl | here |
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp/tst-IncompleteHostnameRegExp.js b/javascript/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegExp/tst-IncompleteHostnameRegExp.js
@@ -60,4 +60,8 @@
 	/^(foo.example\.com|whatever)$/; // $ Alert (but kinda OK - one disjunction doesn't even look like a hostname)
 
 	if (s.matchAll("^http://test.example.com")) {} // $ Alert
+
+	const sinon = require('sinon');
+	const megacliteUrl = "https://a.b.com"; // $SPURIOUS:Alert
+	sinon.assert.calledWith(postStub.firstCall, sinon.match(megacliteUrl));
 });
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/MissingRegExpAnchor.expected b/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/MissingRegExpAnchor.expected
@@ -68,3 +68,4 @@
 | tst-UnanchoredUrlRegExp.js:117:50:117:59 | "good.com" | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. |
 | tst-UnanchoredUrlRegExp.js:118:50:118:68 | "https?://good.com" | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. |
 | tst-UnanchoredUrlRegExp.js:119:50:119:73 | "https? ... m:8080" | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. |
+| tst.js:4:24:4:40 | "https://a.b.com" | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. |
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/tst.js b/javascript/ql/test/query-tests/Security/CWE-020/MissingRegExpAnchor/tst.js
@@ -0,0 +1,6 @@
+const sinon = require('sinon');
+
+function testFunction() {
+  const megacliteUrl = "https://a.b.com"; // $SPURIOUS:Alert
+	sinon.assert.calledWith(postStub.firstCall, sinon.match(megacliteUrl));
+}
