don't report every non-ascii range in js/overly-large-range

Author: erik-krogh

javascript/ql/lib/semmle/javascript/security/OverlyLargeRangeQuery.qll

@@ -96,7 +96,10 @@ class OverlyWideRange extends RegExpCharacterRange {
       toCodePoint("A") <= high
       or
       // a non-alphanumeric char as part of the range boundaries
-      exists(int bound | bound = [low, high] | not isAlphanumeric(bound.toUnicode()))
+      exists(int bound | bound = [low, high] | not isAlphanumeric(bound.toUnicode())) and
+      // while still being ascii
+      low < 128 and
+      high < 128
     ) and
     // allowlist for known ranges
     not this = allowedWideRanges()

javascript/ql/test/query-tests/Security/CWE-020/SuspiciousRegexpRange/tst.js

@@ -25,3 +25,6 @@ var numberToLetter = /[7-F]/; // NOT OK
 var overlapsWithClass1 = /[0-9\d]/; // NOT OK
 
 var overlapsWithClass2 = /[\w,.-?:*+]/; // NOT OK
+
+var tst2 = /^([ァ-ヾ]|[ｧ-ﾝﾞﾟ])+$/; // OK
+var tst3 = /[0-9０-９]/; // OK