Java: fix 'matches' false branch

2025-12-16 16:53:25 +01:00 · 2025-03-17 18:48:44 -04:00
parent 49d37c517d
commit 0d2e9ae469
2 changed files with 24 additions and 6 deletions
--- a/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
+++ b/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
@@ -497,9 +497,9 @@ private predicate isMatchesCall(StringMatchesCall matchesCall, Expr checkedExpr,
    target.getStringValue() = targetValue and
    checkedExpr = matchesCall.getQualifier()
  |
-    targetValue.matches(["[%]*", "[%]+", "[%]{%}"]) and
    (
      // Allow anything except `.`, '/', '\'
+      targetValue.matches(["[%]*", "[%]+", "[%]{%}"]) and
      (
        // Note: we do not account for when '.', '/', '\' are inside a character range
        not targetValue.matches("[%" + [".", "/", "\\\\\\\\"] + "%]%") and
@@ -512,9 +512,10 @@ private predicate isMatchesCall(StringMatchesCall matchesCall, Expr checkedExpr,
      branch = true
      or
      // Disallow `.`, '/', '\'
-      targetValue.matches("[%.%]%") and
-      targetValue.matches("[%/%]%") and
-      targetValue.matches("[%\\\\\\\\%]%") and
+      targetValue.matches([".*[%].*", ".+[%].+"]) and
+      targetValue.matches("%[%.%]%") and
+      targetValue.matches("%[%/%]%") and
+      targetValue.matches("%[%\\\\\\\\%]%") and
      not targetValue.matches("%[^%]%") and
      branch = false
    )
--- a/java/ql/test/library-tests/pathsanitizer/Test.java
+++ b/java/ql/test/library-tests/pathsanitizer/Test.java
@@ -684,16 +684,33 @@ public class Test {
        // branch = false
        {
            String source = (String) source();
+            if (source.matches(".*[\\./\\\\].*")) {
+                sink(source); // $ hasTaintFlow
+            } else {
+                sink(source); // Safe
+            }
+        }
+        {
+            String source = (String) source();
+            if (source.matches(".+[\\./\\\\].+")) {
+                sink(source); // $ hasTaintFlow
+            } else {
+                sink(source); // Safe
+            }
+        }
+        {
+            String source = (String) source();
+            // does not match whole string
            if (source.matches("[\\./\\\\]+")) {
                sink(source); // $ hasTaintFlow
            } else {
-                sink(source); // $ Safe
+                sink(source); // $ hasTaintFlow
            }
        }
        {
            String source = (String) source();
            // not a complete sanitizer since it doesn't protect against absolute path injection
-            if (source.matches("[\\.]+")) {
+            if (source.matches(".+[\\.].+")) {
                sink(source); // $ hasTaintFlow
            } else {
                sink(source); // $ hasTaintFlow