Java: fix 'matches' false branch

2026-04-27 17:55:19 +02:00 · 2025-03-17 18:48:44 -04:00
parent 49d37c517d
commit 0d2e9ae469
2 changed files with 24 additions and 6 deletions
--- a/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
+++ b/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
@@ -497,9 +497,9 @@ private predicate isMatchesCall(StringMatchesCall matchesCall, Expr checkedExpr,
    target.getStringValue() = targetValue and
    checkedExpr = matchesCall.getQualifier()
  |
-    targetValue.matches(["[%]*", "[%]+", "[%]{%}"]) and
    (
      // Allow anything except `.`, '/', '\'
+      targetValue.matches(["[%]*", "[%]+", "[%]{%}"]) and
      (
        // Note: we do not account for when '.', '/', '\' are inside a character range
        not targetValue.matches("[%" + [".", "/", "\\\\\\\\"] + "%]%") and
@@ -512,9 +512,10 @@ private predicate isMatchesCall(StringMatchesCall matchesCall, Expr checkedExpr,
      branch = true
      or
      // Disallow `.`, '/', '\'
-      targetValue.matches("[%.%]%") and
-      targetValue.matches("[%/%]%") and
-      targetValue.matches("[%\\\\\\\\%]%") and
+      targetValue.matches([".*[%].*", ".+[%].+"]) and
+      targetValue.matches("%[%.%]%") and
+      targetValue.matches("%[%/%]%") and
+      targetValue.matches("%[%\\\\\\\\%]%") and
      not targetValue.matches("%[^%]%") and
      branch = false
    )