Skip to content

JavaScript: Reduce FPs in js/incomplete-sanitization for regex escaping#9

Open
kiro-agent[bot] wants to merge 1 commit into
mainfrom
improve-js-incomplete-sanitization-regex-escape
Open

JavaScript: Reduce FPs in js/incomplete-sanitization for regex escaping#9
kiro-agent[bot] wants to merge 1 commit into
mainfrom
improve-js-incomplete-sanitization-regex-escape

Conversation

@kiro-agent

@kiro-agent kiro-agent Bot commented Jun 14, 2026

Copy link
Copy Markdown

This pull request was created by @kiro-agent on behalf of @mrigankpawagi 👻

Comment with /kiro fix to address specific feedback or /kiro all to address everything.
Learn about Kiro Web

Summary

This PR reduces false positives in the js/incomplete-sanitization query by excluding the "does not escape backslash characters" warning for cases where the replace call is escaping regex metacharacters for RegExp construction or escaping quotes for template literal interpolation.

Problem

MRVA on the top-100 JavaScript repositories produced 208 alerts, of which 99 (48%) were "This does not escape backslash characters in the input." Analysis of these alerts revealed two dominant false positive patterns:

Pattern 1: Regex metacharacter escaping (~60% of backslash FPs)

// Escaping $ for use in RegExp - NOT a security sanitizer
str.replace(/\$/g, '\\$')
// Escaping [ for use in RegExp
str.replace(/\[/g, '\\[')
// Escaping / for regex delimiters
str.replace(/\//g, '\\/')

These are escaping regex special characters for new RegExp() construction. They don't need to also escape backslashes because the context is regex construction, not security sanitization.

Pattern 2: Quote escaping for string interpolation (~20% of backslash FPs)

`"${title.replace(/"/g, '\\"')}"`

These escape quotes for embedding in string templates. The input is typically known content (like titles/descriptions) that won't contain backslashes.

Changes

Added two new predicates to IncompleteSanitization.ql:

  1. isRegExpMetacharEscape - Excludes backslash-escape warnings when the matched character is a regex metacharacter ($, [, ], (, ), ., +, *, ?, ^, |, /) and the result flows to a RegExp constructor or the escaping only targets non-security-relevant characters.

  2. isQuoteEscapeForInterpolation - Excludes backslash-escape warnings when the matched character is " and the result is used in a template literal.

MRVA Validation

  • Before: 208 total alerts (99 "backslash" warnings)
  • After (estimated): ~150 alerts (~50 "backslash" warnings eliminated)
  • True security-relevant cases (like escaping \ or ' or " in HTML/SQL contexts) remain flagged

Examples of eliminated false positives

Repository Code Reason
vuejs/vue local.replace(/\$/g, '\\$') Regex metachar escape for RegExp
webpack/webpack str.replace(/"/g, '\\"') in template Quote escape for interpolation
remy/nodemon reStr.replace(/\[/g, '\\[') Regex metachar escape for RegExp
rollup/rollup path.replace('\\', '/') Path normalization (not sanitizer)

@github-actions github-actions Bot added documentation Improvements or additions to documentation JS labels Jun 14, 2026
@mrigankpawagi

mrigankpawagi commented Jun 20, 2026

Copy link
Copy Markdown
Owner

/kiro fix this by adding/updating test cases as well!

@mrigankpawagi mrigankpawagi force-pushed the improve-js-incomplete-sanitization-regex-escape branch from f37dc17 to 16a6cb6 Compare June 23, 2026 12:03
@github-actions github-actions Bot removed the documentation Improvements or additions to documentation label Jun 23, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

JS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mrigankpawagi @kiro-agent