JS: Fix FP from word boundaries

asgerf · asgerf · commit 9f6e04887b64 · 2020-01-07T10:09:17.000Z
diff --git a/javascript/ql/src/RegExp/RegExpAlwaysMatches.ql b/javascript/ql/src/RegExp/RegExpAlwaysMatches.ql
@@ -98,10 +98,19 @@ class RegExpSearchCall extends DataFlow::MethodCallNode, RegExpQuery {
   }
 }
 
+/**
+ * Holds if `t` is a zero-width assertion other than an anchor.
+ */
+predicate isAssertion(RegExpTerm t) {
+  t instanceof RegExpSubPattern or
+  t instanceof RegExpWordBoundary or
+  t instanceof RegExpNonWordBoundary
+}
+
 from RegExpTerm term, RegExpQuery call, string message
 where
   term.isNullable() and
-  not term.getAChild() instanceof RegExpSubPattern and
+  not isAssertion(term.getAChild*()) and
   not isUniversalRegExp(term) and
   term = getEffectiveRoot(call.getRegExp()) and
   (
@@ -111,7 +120,6 @@ where
     or
     call instanceof RegExpSearchCall and
     not term.getAChild*() instanceof RegExpDollar and
-    not term.getAChild*() instanceof RegExpSubPattern and
     message = "This regular expression always the matches at index 0 when used $@, as it matches the empty substring."
   )
 select term, message, call, "here"
diff --git a/javascript/ql/test/query-tests/RegExp/RegExpAlwaysMatches/tst.js b/javascript/ql/test/query-tests/RegExp/RegExpAlwaysMatches/tst.js
@@ -73,3 +73,11 @@ function searchPrefix(x) {
 function searchSuffix(x) {
   return /foo?$/.search(x); // OK - `foo?` affects the returned index
 }
+
+function wordBoundary(x) {
+  return /\b/.test(x); // OK - some strings don't have word boundaries
+}
+
+function nonWordBoundary(x) {
+  return /\B/.test(x); // OK - some strings don't have non-word boundaries
+}
