-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
False positive - Incomplete string escaping #18379
Comments
So just to be clear, it's acceptable that user input |
That is not what is happening. In this format, for Here is a code example showing that this transform is reversible without loss of information. import assert from "node:assert";
function serialize(part) {
if (part.includes(",") || part.includes('"')) {
part = `"${part.replace(/"/g, '\\"')}"`;
}
return part;
}
function deserialize(part) {
if (part[0] === '"' && part[part.length - 1] === '"') {
return part.slice(1, -1).replace(/\\"/g, '"');
}
return part;
}
const tests = [
`abcd`,
`ab","cd`,
`ab\\",\\"cd`,
`\t\"\n\\"\r\\\"\n\\\\"`,
``,
`"`,
`\"`,
`\\"`,
`\\\"`,
`""""\"\\"\\\"\\\\"""""`,
` " " " "\"\\"\\\"\\\\" " " " "`,
`"\"\\"\\\"\\\\"`,
`",\","\\"\\\,"\\,",\,\,",\,",\,\\\,""""`,
];
for (const test of tests) {
assert(test === deserialize(serialize(test)));
process.stdout.write(".");
}
console.log("ok"); |
I see. I don't think I understand how this could work -- backslash-escaping the quote to begin with seems as if it is designed for a parser seeking an unescaped end-quote to terminate a string, and if I think this scenario, where |
Putting that aside as the specifics of this format may not be the main issue, I understand you can't compromise the detection for this case. I also don't want to do any sort of trick in my code to avoid detection by codeql as a false-positive. My team does not directly use codeql and this came up as my software's downstream users are getting the alert. I will refer them to this recommendation. |
Description of the false positive
This is intentional,
actual string:
abc\"
->"abc\\""
JS:
This code is used in a client library to serialize caller input as-is from list to header value.
Code samples or links to source code
https://github.com/smithy-lang/smithy-typescript/blob/d8446cfa3bf6cbcf1187d1ad744ac5a296e442d7/packages/smithy-client/src/quote-header.ts#L8
The text was updated successfully, but these errors were encountered: