hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 01:05:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add RegExUtils

Browse Source
This commit is contained in:
edvraa
2021-04-21 13:08:35 +03:00
parent 29e320627f
commit 13655b5d80
4 changed files with 138 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

96
java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.expected
View File

@@ -1,39 +1,63 @@
edges
| RegexInjection.java:11:22:11:52 | getParameter(...) : String | RegexInjection.java:14:26:14:47 | ... + ... |
| RegexInjection.java:18:22:18:52 | getParameter(...) : String | RegexInjection.java:21:24:21:30 | pattern |
| RegexInjection.java:25:22:25:52 | getParameter(...) : String | RegexInjection.java:28:31:28:37 | pattern |
| RegexInjection.java:32:22:32:52 | getParameter(...) : String | RegexInjection.java:35:29:35:35 | pattern |
| RegexInjection.java:39:22:39:52 | getParameter(...) : String | RegexInjection.java:42:34:42:40 | pattern |
| RegexInjection.java:49:22:49:52 | getParameter(...) : String | RegexInjection.java:52:28:52:34 | pattern |
| RegexInjection.java:56:22:56:52 | getParameter(...) : String | RegexInjection.java:59:28:59:34 | pattern |
| RegexInjection.java:63:22:63:52 | getParameter(...) : String | RegexInjection.java:66:36:66:42 | pattern : String |
| RegexInjection.java:66:32:66:43 | foo(...) : String | RegexInjection.java:66:26:66:52 | ... + ... |
| RegexInjection.java:66:36:66:42 | pattern : String | RegexInjection.java:66:32:66:43 | foo(...) : String |
| RegexInjection.java:13:22:13:52 | getParameter(...) : String | RegexInjection.java:16:26:16:47 | ... + ... |
| RegexInjection.java:20:22:20:52 | getParameter(...) : String | RegexInjection.java:23:24:23:30 | pattern |
| RegexInjection.java:27:22:27:52 | getParameter(...) : String | RegexInjection.java:30:31:30:37 | pattern |
| RegexInjection.java:34:22:34:52 | getParameter(...) : String | RegexInjection.java:37:29:37:35 | pattern |
| RegexInjection.java:41:22:41:52 | getParameter(...) : String | RegexInjection.java:44:34:44:40 | pattern |
| RegexInjection.java:51:22:51:52 | getParameter(...) : String | RegexInjection.java:54:28:54:34 | pattern |
| RegexInjection.java:58:22:58:52 | getParameter(...) : String | RegexInjection.java:61:28:61:34 | pattern |
| RegexInjection.java:65:22:65:52 | getParameter(...) : String | RegexInjection.java:68:36:68:42 | pattern : String |
| RegexInjection.java:68:32:68:43 | foo(...) : String | RegexInjection.java:68:26:68:52 | ... + ... |
| RegexInjection.java:68:36:68:42 | pattern : String | RegexInjection.java:68:32:68:43 | foo(...) : String |
| RegexInjection.java:90:22:90:52 | getParameter(...) : String | RegexInjection.java:93:40:93:46 | pattern |
| RegexInjection.java:97:22:97:52 | getParameter(...) : String | RegexInjection.java:100:42:100:48 | pattern |
| RegexInjection.java:104:22:104:52 | getParameter(...) : String | RegexInjection.java:107:44:107:50 | pattern |
| RegexInjection.java:111:22:111:52 | getParameter(...) : String | RegexInjection.java:114:41:114:47 | pattern |
| RegexInjection.java:118:22:118:52 | getParameter(...) : String | RegexInjection.java:121:43:121:49 | pattern |
| RegexInjection.java:133:22:133:52 | getParameter(...) : String | RegexInjection.java:136:45:136:51 | pattern |
nodes
| RegexInjection.java:11:22:11:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:14:26:14:47 | ... + ... | semmle.label | ... + ... |
| RegexInjection.java:18:22:18:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:21:24:21:30 | pattern | semmle.label | pattern |
| RegexInjection.java:25:22:25:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:28:31:28:37 | pattern | semmle.label | pattern |
| RegexInjection.java:32:22:32:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:35:29:35:35 | pattern | semmle.label | pattern |
| RegexInjection.java:39:22:39:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:42:34:42:40 | pattern | semmle.label | pattern |
| RegexInjection.java:49:22:49:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:52:28:52:34 | pattern | semmle.label | pattern |
| RegexInjection.java:56:22:56:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:59:28:59:34 | pattern | semmle.label | pattern |
| RegexInjection.java:63:22:63:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:66:26:66:52 | ... + ... | semmle.label | ... + ... |
| RegexInjection.java:66:32:66:43 | foo(...) : String | semmle.label | foo(...) : String |
| RegexInjection.java:66:36:66:42 | pattern : String | semmle.label | pattern : String |
| RegexInjection.java:13:22:13:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:16:26:16:47 | ... + ... | semmle.label | ... + ... |
| RegexInjection.java:20:22:20:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:23:24:23:30 | pattern | semmle.label | pattern |
| RegexInjection.java:27:22:27:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:30:31:30:37 | pattern | semmle.label | pattern |
| RegexInjection.java:34:22:34:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:37:29:37:35 | pattern | semmle.label | pattern |
| RegexInjection.java:41:22:41:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:44:34:44:40 | pattern | semmle.label | pattern |
| RegexInjection.java:51:22:51:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:54:28:54:34 | pattern | semmle.label | pattern |
| RegexInjection.java:58:22:58:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:61:28:61:34 | pattern | semmle.label | pattern |
| RegexInjection.java:65:22:65:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:68:26:68:52 | ... + ... | semmle.label | ... + ... |
| RegexInjection.java:68:32:68:43 | foo(...) : String | semmle.label | foo(...) : String |
| RegexInjection.java:68:36:68:42 | pattern : String | semmle.label | pattern : String |
| RegexInjection.java:90:22:90:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:93:40:93:46 | pattern | semmle.label | pattern |
| RegexInjection.java:97:22:97:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:100:42:100:48 | pattern | semmle.label | pattern |
| RegexInjection.java:104:22:104:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:107:44:107:50 | pattern | semmle.label | pattern |
| RegexInjection.java:111:22:111:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:114:41:114:47 | pattern | semmle.label | pattern |
| RegexInjection.java:118:22:118:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:121:43:121:49 | pattern | semmle.label | pattern |
| RegexInjection.java:133:22:133:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| RegexInjection.java:136:45:136:51 | pattern | semmle.label | pattern |
#select
| RegexInjection.java:14:26:14:47 | ... + ... | RegexInjection.java:11:22:11:52 | getParameter(...) : String | RegexInjection.java:14:26:14:47 | ... + ... | $@ is user controlled. | RegexInjection.java:11:22:11:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:21:24:21:30 | pattern | RegexInjection.java:18:22:18:52 | getParameter(...) : String | RegexInjection.java:21:24:21:30 | pattern | $@ is user controlled. | RegexInjection.java:18:22:18:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:28:31:28:37 | pattern | RegexInjection.java:25:22:25:52 | getParameter(...) : String | RegexInjection.java:28:31:28:37 | pattern | $@ is user controlled. | RegexInjection.java:25:22:25:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:35:29:35:35 | pattern | RegexInjection.java:32:22:32:52 | getParameter(...) : String | RegexInjection.java:35:29:35:35 | pattern | $@ is user controlled. | RegexInjection.java:32:22:32:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:42:34:42:40 | pattern | RegexInjection.java:39:22:39:52 | getParameter(...) : String | RegexInjection.java:42:34:42:40 | pattern | $@ is user controlled. | RegexInjection.java:39:22:39:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:52:28:52:34 | pattern | RegexInjection.java:49:22:49:52 | getParameter(...) : String | RegexInjection.java:52:28:52:34 | pattern | $@ is user controlled. | RegexInjection.java:49:22:49:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:59:28:59:34 | pattern | RegexInjection.java:56:22:56:52 | getParameter(...) : String | RegexInjection.java:59:28:59:34 | pattern | $@ is user controlled. | RegexInjection.java:56:22:56:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:66:26:66:52 | ... + ... | RegexInjection.java:63:22:63:52 | getParameter(...) : String | RegexInjection.java:66:26:66:52 | ... + ... | $@ is user controlled. | RegexInjection.java:63:22:63:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:16:26:16:47 | ... + ... | RegexInjection.java:13:22:13:52 | getParameter(...) : String | RegexInjection.java:16:26:16:47 | ... + ... | $@ is user controlled. | RegexInjection.java:13:22:13:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:23:24:23:30 | pattern | RegexInjection.java:20:22:20:52 | getParameter(...) : String | RegexInjection.java:23:24:23:30 | pattern | $@ is user controlled. | RegexInjection.java:20:22:20:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:30:31:30:37 | pattern | RegexInjection.java:27:22:27:52 | getParameter(...) : String | RegexInjection.java:30:31:30:37 | pattern | $@ is user controlled. | RegexInjection.java:27:22:27:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:37:29:37:35 | pattern | RegexInjection.java:34:22:34:52 | getParameter(...) : String | RegexInjection.java:37:29:37:35 | pattern | $@ is user controlled. | RegexInjection.java:34:22:34:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:44:34:44:40 | pattern | RegexInjection.java:41:22:41:52 | getParameter(...) : String | RegexInjection.java:44:34:44:40 | pattern | $@ is user controlled. | RegexInjection.java:41:22:41:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:54:28:54:34 | pattern | RegexInjection.java:51:22:51:52 | getParameter(...) : String | RegexInjection.java:54:28:54:34 | pattern | $@ is user controlled. | RegexInjection.java:51:22:51:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:61:28:61:34 | pattern | RegexInjection.java:58:22:58:52 | getParameter(...) : String | RegexInjection.java:61:28:61:34 | pattern | $@ is user controlled. | RegexInjection.java:58:22:58:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:68:26:68:52 | ... + ... | RegexInjection.java:65:22:65:52 | getParameter(...) : String | RegexInjection.java:68:26:68:52 | ... + ... | $@ is user controlled. | RegexInjection.java:65:22:65:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:93:40:93:46 | pattern | RegexInjection.java:90:22:90:52 | getParameter(...) : String | RegexInjection.java:93:40:93:46 | pattern | $@ is user controlled. | RegexInjection.java:90:22:90:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:100:42:100:48 | pattern | RegexInjection.java:97:22:97:52 | getParameter(...) : String | RegexInjection.java:100:42:100:48 | pattern | $@ is user controlled. | RegexInjection.java:97:22:97:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:107:44:107:50 | pattern | RegexInjection.java:104:22:104:52 | getParameter(...) : String | RegexInjection.java:107:44:107:50 | pattern | $@ is user controlled. | RegexInjection.java:104:22:104:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:114:41:114:47 | pattern | RegexInjection.java:111:22:111:52 | getParameter(...) : String | RegexInjection.java:114:41:114:47 | pattern | $@ is user controlled. | RegexInjection.java:111:22:111:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:121:43:121:49 | pattern | RegexInjection.java:118:22:118:52 | getParameter(...) : String | RegexInjection.java:121:43:121:49 | pattern | $@ is user controlled. | RegexInjection.java:118:22:118:52 | getParameter(...) | This regular expression pattern |
| RegexInjection.java:136:45:136:51 | pattern | RegexInjection.java:133:22:133:52 | getParameter(...) : String | RegexInjection.java:136:45:136:51 | pattern | $@ is user controlled. | RegexInjection.java:133:22:133:52 | getParameter(...) | This regular expression pattern |

54
java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.java
View File

@@ -6,6 +6,8 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.ServletException;
import org.apache.commons.lang3.RegExUtils;
public class RegexInjection extends HttpServlet {
public boolean string1(javax.servlet.http.HttpServletRequest request) {
String pattern = request.getParameter("pattern");
@@ -83,4 +85,54 @@ public class RegexInjection extends HttpServlet {
String escapeSpecialRegexChars(String str) {
return SPECIAL_REGEX_CHARS.matcher(str).replaceAll("\\\\$0");
}
}
public boolean apache1(javax.servlet.http.HttpServletRequest request) {
String pattern = request.getParameter("pattern");
String input = request.getParameter("input");
return RegExUtils.removeAll(input, pattern).length() > 0; // BAD
}
public boolean apache2(javax.servlet.http.HttpServletRequest request) {
String pattern = request.getParameter("pattern");
String input = request.getParameter("input");
return RegExUtils.removeFirst(input, pattern).length() > 0; // BAD
}
public boolean apache3(javax.servlet.http.HttpServletRequest request) {
String pattern = request.getParameter("pattern");
String input = request.getParameter("input");
return RegExUtils.removePattern(input, pattern).length() > 0; // BAD
}
public boolean apache4(javax.servlet.http.HttpServletRequest request) {
String pattern = request.getParameter("pattern");
String input = request.getParameter("input");
return RegExUtils.replaceAll(input, pattern, "").length() > 0; // BAD
}
public boolean apache5(javax.servlet.http.HttpServletRequest request) {
String pattern = request.getParameter("pattern");
String input = request.getParameter("input");
return RegExUtils.replaceFirst(input, pattern, "").length() > 0; // BAD
}
public boolean apache6(javax.servlet.http.HttpServletRequest request) {
String pattern = request.getParameter("pattern");
String input = request.getParameter("input");
Pattern pt = (Pattern)(Object) pattern;
return RegExUtils.replaceFirst(input, pt, "").length() > 0; // GOOD, Pattern compile is the sink instead
}
public boolean apache7(javax.servlet.http.HttpServletRequest request) {
String pattern = request.getParameter("pattern");
String input = request.getParameter("input");
return RegExUtils.replacePattern(input, pattern, "").length() > 0; // BAD
}
}

2
java/ql/test/experimental/query-tests/security/CWE-730/options
View File

@@ -1 +1 @@
// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4
// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/apache-commons-lang3-3.7