From 9e78c71f21ab9c9f44f5ef88b7735ac15c791f64 Mon Sep 17 00:00:00 2001 From: Kiro Agent <244629292+kiro-agent@users.noreply.github.com> Date: Sun, 28 Jun 2026 16:35:46 +0000 Subject: [PATCH] JavaScript: Exclude parsed URL host/hostname checks from incomplete URL substring sanitization --- .../CWE-020/IncompleteUrlSubstringSanitization.qll | 13 +++++++++++++ .../2025-06-28-url-substring-host-check.md | 4 ++++ 2 files changed, 17 insertions(+) create mode 100644 javascript/ql/src/change-notes/2025-06-28-url-substring-host-check.md diff --git a/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qll b/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qll index 8718bff5963e..dded484ec7cc 100644 --- a/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qll +++ b/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qll @@ -57,5 +57,18 @@ query predicate problems( // the trailing port or slash makes the prefix-check safe check instanceof StringOps::StartsWith and target.regexpMatch(".*(:[0-9]+|/)") + or + // Checks on a parsed URL's host or hostname property are safe, + // since the host is already isolated from path/query components. + exists(DataFlow::PropRead hostRead | + hostRead.getPropertyName() in ["host", "hostname"] and + ( + check.(StringOps::EndsWith).getBaseString().getALocalSource() = hostRead + or + check.(StringOps::Includes).getBaseString().getALocalSource() = hostRead + or + check.(StringOps::StartsWith).getBaseString().getALocalSource() = hostRead + ) + ) ) } diff --git a/javascript/ql/src/change-notes/2025-06-28-url-substring-host-check.md b/javascript/ql/src/change-notes/2025-06-28-url-substring-host-check.md new file mode 100644 index 000000000000..3bda7932c540 --- /dev/null +++ b/javascript/ql/src/change-notes/2025-06-28-url-substring-host-check.md @@ -0,0 +1,4 @@ +--- +category: majorAnalysis +--- +* The `js/incomplete-url-substring-sanitization` query no longer flags substring checks performed on a parsed URL's `.host` or `.hostname` property (e.g., `new URL(x).host.endsWith("github.com")`), since the hostname is already isolated from path and query components, making such checks safe.