JavaScript: Reduce false positives in js/regex/missing-regexp-anchor for non-URL patterns#6
Open
mrigankpawagi wants to merge 1 commit into
…for non-URL patterns Filter hasMisleadingAnchorPrecedence results to only flag patterns that contain a dot character (escaped or unescaped), since hostname/URL patterns inherently contain dots. This eliminates false positives for patterns matching simple strings, module names, CLI arguments, event names, and CSS properties that do not relate to URL/hostname validation.
Summary
Reduces false positives in the `js/regex/missing-regexp-anchor` query by filtering out `hasMisleadingAnchorPrecedence` results where the regex clearly does not match URLs or hostnames.

Problem
MRVA on top-100 JavaScript repositories showed 42 misleading anchor precedence alerts. Many of these are false positives for patterns that are clearly not hostname/URL-related:
- `/\.tsx?$|\.mjs$/`
- `/^ast|spidermonkey$|code$/`
- `/^BrowserAnimationsModule|NoopAnimationsModule$/`
- `/^click|mouse|touch/`
- `/^@media|@page/`

The query is classified under CWE-020 (Improper Input Validation) and targets URL/hostname validation bypasses, but was over-reporting on any regex with anchored alternatives.
Fix
Added a filter requiring that `hasMisleadingAnchorPrecedence` alerts have at least one dot character (either escaped `\.` or unescaped `.`) in the regex pattern. Hostnames inherently contain dots (e.g., `example.com`), while patterns matching simple strings, module names, event names, or CLI arguments typically do not use dots. This eliminates the majority of false positives while preserving all true positives.

MRVA Validation
Test Changes
Updated the test expectations in `tst-SemiAnchoredRegExp.js` to reflect the intentional reduction in alerts for non-hostname patterns.
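The bug class this query reports, and the dot filter the PR adds, as an added JavaScript illustration that is not code from the PR or from CodeQL: the hostnames are constructed, and `splitTopLevelAlternatives` and `hasMisleadingAnchorPrecedence` are simplified approximations of the query's logic, not its implementation.

```javascript
// Added example (not code from the PR or from CodeQL): the bug class the query
// reports and the dot filter the PR adds; both checks are approximations.
// Semi-anchored alternation: "^" binds only to the first branch and "$" only
// to the last, so a hostname check can be bypassed from either side.
const looseHost = /^www\.example\.com|example\.org$/;
// Hardened form: group the alternatives so both anchors apply to every branch.
const strictHost = /^(?:www\.example\.com|example\.org)$/;

// Split a pattern source on "|" at nesting depth 0, honouring escapes,
// groups and character classes.
function splitTopLevelAlternatives(source) {
  const branches = [];
  let current = "", depth = 0, inClass = false;
  for (let i = 0; i < source.length; i++) {
    const c = source[i];
    if (c === "\\") { current += c + (source[i + 1] ?? ""); i++; continue; }
    if (inClass) { if (c === "]") inClass = false; current += c; continue; }
    if (c === "[") inClass = true;
    else if (c === "(") depth++;
    else if (c === ")") depth--;
    else if (c === "|" && depth === 0) { branches.push(current); current = ""; continue; }
    current += c;
  }
  branches.push(current);
  return branches;
}

// Approximation of hasMisleadingAnchorPrecedence: a "^" or "$" that applies
// to some top-level branches but not to all of them.
function hasMisleadingAnchorPrecedence(source) {
  const branches = splitTopLevelAlternatives(source);
  if (branches.length < 2) return false;
  const mixed = (flags) => flags.some(Boolean) && !flags.every(Boolean);
  return mixed(branches.map((b) => b.startsWith("^"))) ||
         mixed(branches.map((b) => b.endsWith("$") && !b.endsWith("\\$")));
}

// The PR's filter: keep an alert only when the source contains a dot, escaped
// ("\.") or unescaped ("."); a literal "." character is present in both cases.
function containsDot(source) {
  return source.includes(".");
}

// Alert survives only if it is semi-anchored AND looks hostname-like.
function shouldReport(source) {
  return hasMisleadingAnchorPrecedence(source) && containsDot(source);
}
```

By the PR's own rule an escaped dot counts, so the file-extension pattern `/\.tsx?$|\.mjs$/` from the Problem list still passes `containsDot`, while the other four listed patterns are filtered out.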