javascript:S4784 Using regular expressions is security-sensitive should acknowledge literal characters

Sonar version 7.9.
I’m unaware of other versions in use as I don't have control over them.

Example code

// `\*` is a literal asterisk; `+` is the only quantifier in this expression.
const expr = /\*+/g;
const inputStr = '***abc**'; // sample input added so the snippet runs as-is
inputStr.replace(expr, '*');

Expected behavior: the rule is not triggered because the asterisk is a literal character.

Current behavior: the rule is triggered because the asterisk (*) and the plus (+) both appear in the expression, raising the rule’s counter to the threshold of 2.
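To illustrate the difference the report asks for, here is an added example (not code from the original post or from SonarSource) that counts regex quantifiers two ways: naively, as the report describes the rule behaving, and with awareness of backslash escapes and character classes. It assumes a threshold of 2 and treats `*`, `+`, `?` and `{n,m}` as the counted quantifiers; both are assumptions approximating the rule, not its actual implementation.

```javascript
// Assumed approximation of the rule's counter: a regex is flagged when it
// contains at least THRESHOLD quantifiers (value taken from the report).
const THRESHOLD = 2;
const QUANTIFIERS = new Set(['*', '+', '?']);
const BRACE_QUANTIFIER = /^\{\d+(,\d*)?\}/;

// Naive count: every quantifier character in the pattern source counts,
// whether or not it is escaped or sits inside a character class.
function countQuantifiersNaive(source) {
  let n = 0;
  for (const ch of source) {
    if (QUANTIFIERS.has(ch) || ch === '{') n++;
  }
  return n;
}

// Escape-aware count: a character preceded by a backslash is a literal, and
// so is anything inside [...]; `{` only counts when it opens a real {n,m}.
function countQuantifiersAware(source) {
  let n = 0;
  let inClass = false;
  for (let i = 0; i < source.length; i++) {
    const ch = source[i];
    if (ch === '\\') { i++; continue; }               // skip escaped char
    if (inClass) { if (ch === ']') inClass = false; continue; }
    if (ch === '[') { inClass = true; continue; }
    if (QUANTIFIERS.has(ch)) n++;
    else if (ch === '{' && BRACE_QUANTIFIER.test(source.slice(i))) n++;
  }
  return n;
}

// Returns true when the given counter would raise the hotspot for `regex`.
function wouldFlag(regex, counter) {
  return counter(regex.source) >= THRESHOLD;
}

// The expression from the report: the naive counter reaches the threshold,
// the escape-aware counter sees a single quantifier.
const reported = /\*+/g;
console.log(wouldFlag(reported, countQuantifiersNaive)); // true
console.log(wouldFlag(reported, countQuantifiersAware)); // false
```

A pattern with two real quantifiers, such as `/a+b*/`, is still flagged by both counters, so the escape-aware version only removes the false positive, not the check.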

Hello @wjaspers,

Indeed, this hotspot rule was a bit noisy, that’s why it’s deprecated now. We plan to bring new rules about regexps in JavaScript in future versions.
