JS: Fix offsets in regexes parsed from strings with escapes

asger-semmle · asger-semmle · commit d3302c39c01c · 2019-11-15T09:27:19.000Z
diff --git a/javascript/extractor/src/com/semmle/js/extractor/ASTExtractor.java b/javascript/extractor/src/com/semmle/js/extractor/ASTExtractor.java
@@ -517,13 +517,81 @@ public Label visit(Literal nd, Context c) {
 
       trapwriter.addTuple("literals", valueString, source, key);
       if (nd.isRegExp()) {
-        regexpExtractor.extract(source.substring(1, source.lastIndexOf('/')), nd, false);
+        OffsetTranslation offsets = new OffsetTranslation();
+        offsets.set(0, 1); // skip the initial '/'
+        regexpExtractor.extract(source.substring(1, source.lastIndexOf('/')), offsets, nd, false);
       } else if (nd.isStringLiteral()) {
-        regexpExtractor.extract(valueString, nd, true);
+        regexpExtractor.extract(valueString, makeStringLiteralOffsets(nd.getRaw()), nd, true);
       }
       return key;
     }
 
+    /**
+     * Builds a translation from offsets in a string value back to its original raw literal text
+     * (including quotes).
+     *
+     * <p>This is not a 1:1 mapping since escape sequences take up more characters in the raw
+     * literal than in the resulting string value. This mapping includes the surrounding quotes.
+     *
+     * <p>For example: for the raw literal value <code>'x\.y'</code> (quotes included), the <code>y
+     * </code> at index 2 in <code>x.y</code> maps to index 4 in the raw literal.
+     */
+    public OffsetTranslation makeStringLiteralOffsets(String rawLiteral) {
+      OffsetTranslation offsets = new OffsetTranslation();
+      offsets.set(0, 1); // Skip the initial quote
+      // Invariant: raw character at 'pos' corresponds to decoded character at 'pos - delta'
+      int pos = 1;
+      int delta = 1;
+      while (pos < rawLiteral.length() - 1) {
+        if (rawLiteral.charAt(pos) != '\\') {
+          ++pos;
+          continue;
+        }
+        final int length; // Length of the escape sequence, including slash.
+        int outputLength = 1; // Number characters the sequence expands to.
+        char ch = rawLiteral.charAt(pos + 1);
+        if ('0' <= ch && ch <= '7') {
+          // Octal escape: \NNN
+          length = 4;
+        } else if (ch == 'x') {
+          // Hex escape: \xNN
+          length = 4;
+        } else if (ch == 'u' && pos + 2 < rawLiteral.length()) {
+          if (rawLiteral.charAt(pos + 2) == '{') {
+            // Variable-length unicode escape: \U{N...}
+            // Scan for the ending '}'
+            int firstDigit = pos + 3;
+            int end = firstDigit;
+            while (end < rawLiteral.length() && rawLiteral.charAt(end) != '}') {
+              ++end;
+            }
+            int numDigits = end - firstDigit;
+            if (numDigits > 4) {
+              outputLength = 2; // Encoded as a surrogate pair
+            }
+            ++end; // Include '}' character
+            length = end - pos;
+          } else {
+            // Fixed-length unicode escape: \UNNNN
+            length = 6;
+          }
+        } else {
+          // Simple escape: \n or similar.
+          length = 2;
+        }
+        int end = pos + length;
+        if (end > rawLiteral.length()) {
+          end = rawLiteral.length();
+        }
+        int outputPos = pos - delta;
+        // Map the next character to the adjusted offset.
+        offsets.set(outputPos + outputLength, end);
+        delta += length - outputLength;
+        pos = end;
+      }
+      return offsets;
+    }
+
     @Override
     public Label visit(MemberExpression nd, Context c) {
       Label key = super.visit(nd, c);
diff --git a/javascript/extractor/src/com/semmle/js/extractor/RegExpExtractor.java b/javascript/extractor/src/com/semmle/js/extractor/RegExpExtractor.java
@@ -120,11 +120,11 @@ private Label extractTerm(RegExpTerm term, Label parent, int idx) {
   }
 
   public void emitLocation(SourceElement term, Label lbl) {
+    int col = literalStart.getColumn();
     int sl, sc, el, ec;
     sl = el = literalStart.getLine();
-    // the offset table accounts for the position on the line and for skipping the initial '/'
-    sc = offsets.get(term.getLoc().getStart().getColumn());
-    ec = offsets.get(term.getLoc().getEnd().getColumn());
+    sc = col + offsets.get(term.getLoc().getStart().getColumn());
+    ec = col + offsets.get(term.getLoc().getEnd().getColumn());
     sc += 1; // convert to 1-based
     ec += 1; // convert to 1-based
     ec -= 1; // convert to inclusive
@@ -346,16 +346,16 @@ public void visit(CharacterClassRange nd) {
     }
   }
 
-  public void extract(String src, Node parent, boolean isSpeculativeParsing) {
+  public void extract(
+      String src, OffsetTranslation offsets, Node parent, boolean isSpeculativeParsing) {
     Result res = parser.parse(src);
 
     if (isSpeculativeParsing && res.getErrors().size() > 0) {
       return;
     }
 
     this.literalStart = parent.getLoc().getStart();
-    offsets = new OffsetTranslation();
-    offsets.set(0, literalStart.getColumn() + 1); // add 1 to skip the leading '/' or quote
+    this.offsets = offsets;
     RegExpTerm ast = res.getAST();
     new V().visit(ast, trapwriter.localID(parent), 0);
 
diff --git a/javascript/extractor/tests/encoding/output/trap/surrogates.js.trap b/javascript/extractor/tests/encoding/output/trap/surrogates.js.trap
@@ -221,8 +221,8 @@ exprContainers(#20075,#20001)
 literals("?","'\ud800'",#20075)
 #20076=*
 regexpterm(#20076,14,#20075,0,"?")
-#20077=@"loc,{#10000},2,2,2,2"
-locations_default(#20077,#10000,2,2,2,2)
+#20077=@"loc,{#10000},2,2,2,7"
+locations_default(#20077,#10000,2,2,2,7)
 hasLocation(#20076,#20077)
 regexpConstValue(#20076,"?")
 #20078=*
@@ -237,8 +237,8 @@ exprContainers(#20079,#20001)
 literals("foo?","'foo\ud800'",#20079)
 #20080=*
 regexpterm(#20080,14,#20079,0,"foo?")
-#20081=@"loc,{#10000},3,2,3,5"
-locations_default(#20081,#10000,3,2,3,5)
+#20081=@"loc,{#10000},3,2,3,10"
+locations_default(#20081,#10000,3,2,3,10)
 hasLocation(#20080,#20081)
 regexpConstValue(#20080,"foo?")
 #20082=*
@@ -253,8 +253,8 @@ exprContainers(#20083,#20001)
 literals("?bar","'\ud800bar'",#20083)
 #20084=*
 regexpterm(#20084,14,#20083,0,"?bar")
-#20085=@"loc,{#10000},4,2,4,5"
-locations_default(#20085,#10000,4,2,4,5)
+#20085=@"loc,{#10000},4,2,4,10"
+locations_default(#20085,#10000,4,2,4,10)
 hasLocation(#20084,#20085)
 regexpConstValue(#20084,"?bar")
 #20086=*
@@ -269,8 +269,8 @@ exprContainers(#20087,#20001)
 literals("foo?bar","'foo\ud800bar'",#20087)
 #20088=*
 regexpterm(#20088,14,#20087,0,"foo?bar")
-#20089=@"loc,{#10000},5,2,5,8"
-locations_default(#20089,#10000,5,2,5,8)
+#20089=@"loc,{#10000},5,2,5,13"
+locations_default(#20089,#10000,5,2,5,13)
 hasLocation(#20088,#20089)
 regexpConstValue(#20088,"foo?bar")
 #20090=*
@@ -388,8 +388,8 @@ exprContainers(#20121,#20001)
 literals("??","'\udc00\ud800'",#20121)
 #20122=*
 regexpterm(#20122,14,#20121,0,"??")
-#20123=@"loc,{#10000},11,2,11,3"
-locations_default(#20123,#10000,11,2,11,3)
+#20123=@"loc,{#10000},11,2,11,13"
+locations_default(#20123,#10000,11,2,11,13)
 hasLocation(#20122,#20123)
 regexpConstValue(#20122,"??")
 #20124=*
@@ -404,8 +404,8 @@ exprContainers(#20125,#20001)
 literals("𝌆","'\uD834\uDF06'",#20125)
 #20126=*
 regexpterm(#20126,14,#20125,0,"𝌆")
-#20127=@"loc,{#10000},13,2,13,3"
-locations_default(#20127,#10000,13,2,13,3)
+#20127=@"loc,{#10000},13,2,13,13"
+locations_default(#20127,#10000,13,2,13,13)
 hasLocation(#20126,#20127)
 regexpConstValue(#20126,"𝌆")
 #20128=*
diff --git a/javascript/extractor/tests/exprs/output/trap/primaries.js.trap b/javascript/extractor/tests/exprs/output/trap/primaries.js.trap
@@ -988,8 +988,8 @@ literals("'what?'
 #20353=*
 regexpterm(#20353,1,#20352,0,"'what?'
 ")
-#20354=@"loc,{#10000},12,2,12,9"
-locations_default(#20354,#10000,12,2,12,9)
+#20354=@"loc,{#10000},12,2,12,12"
+locations_default(#20354,#10000,12,2,12,12)
 hasLocation(#20353,#20354)
 #20355=*
 regexpterm(#20355,14,#20353,0,"'wha")
@@ -1012,8 +1012,8 @@ regexpConstValue(#20359,"t")
 #20361=*
 regexpterm(#20361,14,#20353,2,"'
 ")
-#20362=@"loc,{#10000},12,8,12,9"
-locations_default(#20362,#10000,12,8,12,9)
+#20362=@"loc,{#10000},12,8,12,12"
+locations_default(#20362,#10000,12,8,12,12)
 hasLocation(#20361,#20362)
 regexpConstValue(#20361,"'
 ")
@@ -1031,8 +1031,8 @@ literals("""why?""
 #20365=*
 regexpterm(#20365,1,#20364,0,"""why?""
 ")
-#20366=@"loc,{#10000},13,2,13,8"
-locations_default(#20366,#10000,13,2,13,8)
+#20366=@"loc,{#10000},13,2,13,9"
+locations_default(#20366,#10000,13,2,13,9)
 hasLocation(#20365,#20366)
 #20367=*
 regexpterm(#20367,14,#20365,0,"""wh")
@@ -1055,8 +1055,8 @@ regexpConstValue(#20371,"y")
 #20373=*
 regexpterm(#20373,14,#20365,2,"""
 ")
-#20374=@"loc,{#10000},13,7,13,8"
-locations_default(#20374,#10000,13,7,13,8)
+#20374=@"loc,{#10000},13,7,13,9"
+locations_default(#20374,#10000,13,7,13,9)
 hasLocation(#20373,#20374)
 regexpConstValue(#20373,"""
 ")
diff --git a/javascript/extractor/tests/html/output/trap/tst.html.trap b/javascript/extractor/tests/html/output/trap/tst.html.trap
@@ -302,8 +302,8 @@ exprContainers(#20090,#20074)
 literals("I said don't click!","'I said don\'t click!'",#20090)
 #20091=*
 regexpterm(#20091,14,#20090,0,"I said don't click!")
-#20092=@"loc,{#10000},12,30,12,48"
-locations_default(#20092,#10000,12,30,12,48)
+#20092=@"loc,{#10000},12,30,12,49"
+locations_default(#20092,#10000,12,30,12,49)
 hasLocation(#20091,#20092)
 regexpConstValue(#20091,"I said don't click!")
 #20093=*
