
Fix test cases to work with Semgrep constant propagation

Semgrep will propagate string constants (docs), so we must use actual variables or user input to trigger rules that detect non-hardcoded-string inputs.

For example, eslint.detect-non-literal-regexp has the following definition:

patterns:
- pattern: |
    new RegExp(...)
- pattern-not: |
    new RegExp("...", ...)

To see this rule fire, we must change the test case from

var myregexpText = "/abcd/";
var myregexp = new RegExp(myregexpText);

to

function dangerous_regexp(myregexpText) {
  var myregexp = new RegExp(myregexpText);
}
