feat: trace assignation in ObjectExpression

NodeSecure · May 16, 2024 · c5ed7b9 · c5ed7b9
1 parent a1972cf
commit c5ed7b9
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 4 deletions.
diff --git a/src/probes/isRegexObject.js b/src/probes/isRegexObject.js
@@ -1,5 +1,5 @@
 // Import Third-party Dependencies
-import { isLiteralRegex } from "@nodesecure/estree-ast-utils";
+import { getMemberExpressionIdentifier, isLiteralRegex } from "@nodesecure/estree-ast-utils";
 import safeRegex from "safe-regex";
 
 /**
@@ -34,15 +34,24 @@ function main(node, options) {
 }
 
 function isRegexConstructor(node, tracer) {
-  if (node.type !== "NewExpression" || node.callee.type !== "Identifier") {
+  if (node.type !== "NewExpression") {
     return false;
   }
 
-  if (node.callee.name === "RegExp") {
+  let name = "";
+  if (node.callee.type === "Identifier") {
+    name = node.callee.name;
+  }
+  else {
+    name = [...getMemberExpressionIdentifier(node.callee)].join(".");
+  }
+
+  if (name === "RegExp") {
     return true;
   }
 
-  const data = tracer.getDataFromIdentifier(node.callee.name);
+  const data = tracer.getDataFromIdentifier(name);
+
 
   return data?.superClassMemory.includes("RegExp");
 }

diff --git a/test/probes/isRegexObject.spec.js b/test/probes/isRegexObject.spec.js
@@ -27,6 +27,13 @@ test("should throw a 'unsafe-regex' warning because the given RegExp Object is u
       class MyRegExp2 extends MyRegExp {}
       const d = MyRegExp2;
       new d('(a+){10}');
+    `,
+    `
+      class MyRegExp extends RegExp {}
+
+      const y = { d: { z: MyRegExp } }
+
+      new y.d.z('(a+){10}');
     `
   ];