Merge pull request #15435 from erik-krogh/remove-at-to-z

remove an FP in overly-large-range for [@-Z]
github · Jan 25, 2024 · fb11e4e · fb11e4e
2 parents 2333b8d + 396da11
commit fb11e4e
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/javascript/ql/test/query-tests/Security/CWE-020/SuspiciousRegexpRange/tst.js b/javascript/ql/test/query-tests/Security/CWE-020/SuspiciousRegexpRange/tst.js
@@ -29,4 +29,6 @@ var overlapsWithClass2 = /[\w,.-?:*+]/; // NOT OK
 var tst2 = /^([ァ-ヾ]|[ｧ-ﾝﾞﾟ])+$/; // OK
 var tst3 = /[0-9０-９]/; // OK
 
-var question = /[0-?]/; // OK. matches one of: 0123456789:;<=>?
+var question = /[0-?]/; // OK. matches one of: 0123456789:;<=>?
+
+var atToZ = /[@-Z]/; // OK. matches one of: @ABCDEFGHIJKLMNOPQRSTUVWXYZ
diff --git a/shared/regex/codeql/regex/OverlyLargeRangeQuery.qll b/shared/regex/codeql/regex/OverlyLargeRangeQuery.qll
@@ -132,6 +132,9 @@ module Make<RegexTreeViewSig TreeImpl> {
     or
     // the range 0123456789:;<=>? is intentional
     result.isRange("0", "?")
+    or
+    // [@-Z] is intentional, it's the same as [A-Z@]
+    result.isRange("@", "Z")
   }
 
   /** Gets a char between (and including) `low` and `high`. */