JavaScript: false positive with unicode sets for character classes that contain brackets

[ryzokuken]

Description of the false positive

Earlier, a colleague of mine filed #18721 regarding adding support for the v flag. That was implemented but it seems like there's some false positives without properly handling of the set operations.

More specifically, the regex below fails with the ID js/regex/duplicate-in-character-class since it believes [\S--[\[\]]] is a character class that contains brackets ([]) twice.

Code samples or links to source code

const regex = /\b(?:https?:\/\/|mailto:|www\.)(?:[\S--[\p{P}<>]]|\/|[\S--[\[\]]]+[\S--[\p{P}<>]])+|\b[\S--[@\p{Ps}\p{Pe}<>]]+@([\S--[\p{P}<>]]+(?:\.[\S--[\p{P}<>]]+)+)/gmv;

at https://github.com/mozilla/pdf.js/blob/fef706233d6870ddb01ac2131a2ee157262187a4/web/autolinker.js#L101-L101.

URL to the alert on GitHub code scanning (optional)

https://github.com/mozilla/pdf.js/security/code-scanning/1003

[aibaars]

Thanks for reporting. I suspect the regex parser gets confused by the -- class subtraction operator. I'll pass it on to the team.

[erik-krogh]

Yes, we know, and we're planning to fix it.

Our parser doesn't currently understand the -- operator in regular expressions, which is what cause the issue you observe.

[Napalys]

Thanks again for the report. I've fixed the issue as part of this PR: #18899
The fix should land as part of CodeQL 2.21.0, which will be released in about a month.