
'Incomplete string escaping or encoding warning' from CodeQL

Open rajbos opened this issue 3 years ago • 2 comments

I'm running CodeQL on one of my GitHub Actions repositories that found a hit in the moment.js code for Incomplete string escaping or encoding on this function:

https://github.com/moment/moment/blob/e96809208c9d1b1bbe22d605e76985770024de42/moment.js#L806

I think it is hitting the first string replace, since that is only escaping the first instance of the \\ characters, instead of all of them, but I wasn't sure. Is this something that needs to be fixed?

Reference to CodeQL query here

Referenced CodeQL message: image

I'm not that well versed in JavaScript, and wanted to let you know nevertheless :-).

rajbos avatar Oct 13 '21 12:10 rajbos

Also curious about the best fix for this. Upgrading fixed 5 issues, but left this new one remaining which CodeQL is considering high severity.

shotop avatar Dec 01 '21 20:12 shotop

I think this is a false positive, and does not need any action.

The method that does regex-escaping is this one, which CodeQL does not have any issues with:

// The /g flag makes this replace every regex metacharacter in s, not just the first.
export function regexEscape(s) {
    return s.replace(/[-\/\\^$*+?.()|[\]{}]/g, '\\$&');
}

ashsearle avatar Dec 03 '21 17:12 ashsearle
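Added example, not code from moment.js or from anyone in this thread: it contrasts the global-regex escape quoted above with a hypothetical string-pattern replace that only touches the first occurrence (the shape the CodeQL query flags), and checks the result by building a RegExp from it. The names regexEscapeFirstOnly, unescapedMetaCount and matchesLiterally are assumed.

```javascript
// Same body as the regexEscape() quoted in the thread: a regex pattern with /g
// escapes every metacharacter in the input.
function regexEscape(s) {
  return s.replace(/[-\/\\^$*+?.()|[\]{}]/g, '\\$&');
}

// Hypothetical incomplete variant (assumed, for contrast): a STRING pattern
// passed to replace() matches only the first occurrence, so every later '.'
// stays a live metacharacter. This is what "Incomplete string escaping or
// encoding" is designed to catch.
function regexEscapeFirstOnly(s) {
  return s.replace('.', '\\.');
}

// Count regex metacharacters that are not preceded by an escaping backslash.
// A backslash followed by any character is treated as one escaped pair.
function unescapedMetaCount(s) {
  const meta = '-/\\^$*+?.()|[]{}';
  let count = 0;
  for (let i = 0; i < s.length; i++) {
    if (!meta.includes(s[i])) continue;
    if (s[i] === '\\' && i + 1 < s.length) {
      i++; // skip the escaped character
      continue;
    }
    count++;
  }
  return count;
}

// Build an anchored RegExp from the escaped text and test a candidate string.
// With complete escaping only the original text should match.
function matchesLiterally(escaped, candidate) {
  return new RegExp('^' + escaped + '$').test(candidate);
}

// Constructed sample inputs.
const full = regexEscape('a.b.c');           // 'a\\.b\\.c'
const partial = regexEscapeFirstOnly('a.b.c'); // 'a\\.b.c'
console.log(unescapedMetaCount(full), unescapedMetaCount(partial)); // 0 1
console.log(matchesLiterally(full, 'a.bXc'), matchesLiterally(partial, 'a.bXc')); // false true
```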