address review feedback on MaskingReplacer

Author: erik-krogh

javascript/ql/src/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll

@@ -34,19 +34,19 @@ module CleartextLogging {
   abstract class Barrier extends DataFlow::Node { }
 
   /**
-   * A call to `.replace()` that seems to mask 
+   * A call to `.replace()` that seems to mask sensitive information.
    */
   class MaskingReplacer extends Barrier, DataFlow::MethodCallNode {
-  	MaskingReplacer() {
-  	  this.getCalleeName() = "replace" and
-  	  exists(RegExpLiteral reg| 
-  	    reg = this.getArgument(0).getALocalSource().asExpr() and
-  	    reg.getFlags().regexpMatch("(?i).*g.*") and
-  	    reg.getRoot().getRawValue().regexpMatch(".*\\..*")
-  	  ) 
-  	  and
-  	  this.getArgument(1).asExpr() instanceof StringLiteral
-  	}
+    MaskingReplacer() {
+      this.getCalleeName() = "replace" and
+      exists(RegExpLiteral reg |
+        reg = this.getArgument(0).getALocalSource().asExpr() and
+        reg.isGlobal() and
+        any(RegExpDot term).getLiteral() = reg
+      )
+      and
+      exists(this.getArgument(1).getStringValue())
+    }
   }
 
   /**

javascript/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected

@@ -120,10 +120,14 @@ nodes
 | passwords.js:156:17:156:27 | process.env |
 | passwords.js:156:17:156:27 | process.env |
 | passwords.js:156:17:156:27 | process.env |
-| passwords.js:158:17:158:27 | process.env |
-| passwords.js:158:17:158:27 | process.env |
-| passwords.js:158:17:158:42 | process ...  "bar"] |
-| passwords.js:158:17:158:42 | process ...  "bar"] |
+| passwords.js:163:14:163:21 | password |
+| passwords.js:163:14:163:21 | password |
+| passwords.js:163:14:163:41 | passwor ... g, "*") |
+| passwords.js:163:14:163:41 | passwor ... g, "*") |
+| passwords.js:164:14:164:21 | password |
+| passwords.js:164:14:164:21 | password |
+| passwords.js:164:14:164:42 | passwor ... g, "*") |
+| passwords.js:164:14:164:42 | passwor ... g, "*") |
 | passwords_in_browser1.js:2:13:2:20 | password |
 | passwords_in_browser1.js:2:13:2:20 | password |
 | passwords_in_browser1.js:2:13:2:20 | password |
@@ -260,6 +264,14 @@ edges
 | passwords.js:154:21:154:28 | procdesc | passwords.js:142:26:142:34 | arguments |
 | passwords.js:154:21:154:28 | procdesc | passwords.js:142:26:142:34 | arguments |
 | passwords.js:156:17:156:27 | process.env | passwords.js:156:17:156:27 | process.env |
+| passwords.js:163:14:163:21 | password | passwords.js:163:14:163:41 | passwor ... g, "*") |
+| passwords.js:163:14:163:21 | password | passwords.js:163:14:163:41 | passwor ... g, "*") |
+| passwords.js:163:14:163:21 | password | passwords.js:163:14:163:41 | passwor ... g, "*") |
+| passwords.js:163:14:163:21 | password | passwords.js:163:14:163:41 | passwor ... g, "*") |
+| passwords.js:164:14:164:21 | password | passwords.js:164:14:164:42 | passwor ... g, "*") |
+| passwords.js:164:14:164:21 | password | passwords.js:164:14:164:42 | passwor ... g, "*") |
+| passwords.js:164:14:164:21 | password | passwords.js:164:14:164:42 | passwor ... g, "*") |
+| passwords.js:164:14:164:21 | password | passwords.js:164:14:164:42 | passwor ... g, "*") |
 | passwords_in_browser1.js:2:13:2:20 | password | passwords_in_browser1.js:2:13:2:20 | password |
 | passwords_in_browser2.js:2:13:2:20 | password | passwords_in_browser2.js:2:13:2:20 | password |
 | passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password |
@@ -301,6 +313,8 @@ edges
 | passwords.js:142:26:142:34 | arguments | passwords.js:150:21:150:31 | process.env | passwords.js:142:26:142:34 | arguments | Sensitive data returned by $@ is logged here. | passwords.js:150:21:150:31 | process.env | process environment |
 | passwords.js:142:26:142:34 | arguments | passwords.js:152:33:152:43 | process.env | passwords.js:142:26:142:34 | arguments | Sensitive data returned by $@ is logged here. | passwords.js:152:33:152:43 | process.env | process environment |
 | passwords.js:156:17:156:27 | process.env | passwords.js:156:17:156:27 | process.env | passwords.js:156:17:156:27 | process.env | Sensitive data returned by $@ is logged here. | passwords.js:156:17:156:27 | process.env | process environment |
+| passwords.js:163:14:163:41 | passwor ... g, "*") | passwords.js:163:14:163:21 | password | passwords.js:163:14:163:41 | passwor ... g, "*") | Sensitive data returned by $@ is logged here. | passwords.js:163:14:163:21 | password | an access to password |
+| passwords.js:164:14:164:42 | passwor ... g, "*") | passwords.js:164:14:164:21 | password | passwords.js:164:14:164:42 | passwor ... g, "*") | Sensitive data returned by $@ is logged here. | passwords.js:164:14:164:21 | password | an access to password |
 | passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password | Sensitive data returned by $@ is logged here. | passwords_in_server_1.js:6:13:6:20 | password | an access to password |
 | passwords_in_server_2.js:3:13:3:20 | password | passwords_in_server_2.js:3:13:3:20 | password | passwords_in_server_2.js:3:13:3:20 | password | Sensitive data returned by $@ is logged here. | passwords_in_server_2.js:3:13:3:20 | password | an access to password |
 | passwords_in_server_3.js:2:13:2:20 | password | passwords_in_server_3.js:2:13:2:20 | password | passwords_in_server_3.js:2:13:2:20 | password | Sensitive data returned by $@ is logged here. | passwords_in_server_3.js:2:13:2:20 | password | an access to password |

javascript/ql/test/query-tests/Security/CWE-312/passwords.js

@@ -156,4 +156,10 @@ var Util = require('util');
     console.log(process.env); // NOT OK
     console.log(process.env.PATH); // OK.
     console.log(process.env["foo" + "bar"]); // OK.
-});
+});
+
+(function () {
+	console.log(password.replace(/./g, "*")); // OK!
+	console.log(password.replace(/\./g, "*")); // NOT OK!
+	console.log(password.replace(/foo/g, "*")); // NOT OK!
+})();