diff --git a/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.java b/java/ql/src/Security/CWE/CWE-730/RegexInjection.java
similarity index 99%
rename from java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.java
rename to java/ql/src/Security/CWE/CWE-730/RegexInjection.java
index 387648a443e..30b74df0a0f 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.java
+++ b/java/ql/src/Security/CWE/CWE-730/RegexInjection.java
@@ -35,4 +35,4 @@ public class DemoApplication {
 String escapeSpecialRegexChars(String str) {
 return SPECIAL_REGEX_CHARS.matcher(str).replaceAll("\\\\$0");
 }
-}
\ No newline at end of file
+}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.qhelp b/java/ql/src/Security/CWE/CWE-730/RegexInjection.qhelp
similarity index 100%
rename from java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.qhelp
rename to java/ql/src/Security/CWE/CWE-730/RegexInjection.qhelp
diff --git a/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql b/java/ql/src/Security/CWE/CWE-730/RegexInjection.ql
similarity index 71%
rename from java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql
rename to java/ql/src/Security/CWE/CWE-730/RegexInjection.ql
index f60e5d9070b..94bfccd9d3e 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql
+++ b/java/ql/src/Security/CWE/CWE-730/RegexInjection.ql
@@ -27,19 +27,24 @@ class RegexSink extends DataFlow::ExprNode { m.getDeclaringType() instanceof TypeString and ( ma.getArgument(0) = this.asExpr() and + // TODO: confirm if more/less than the below need to be handled m.hasName(["matches", "split", "replaceFirst", "replaceAll"]) ) or + // TODO: review Java Pattern API m.getDeclaringType().hasQualifiedName("java.util.regex", "Pattern") and ( ma.getArgument(0) = this.asExpr() and + // TODO: confirm if more/less than the below need to be handled m.hasName(["compile", "matches"]) ) or + // TODO: read docs about regex APIs in Java m.getDeclaringType().hasQualifiedName("org.apache.commons.lang3", "RegExUtils") and ( ma.getArgument(1) = this.asExpr() and m.getParameterType(1) instanceof TypeString and + // TODO: confirm if more/less than the below need to be handled m.hasName([ "removeAll", "removeFirst", "removePattern", "replaceAll", "replaceFirst", "replacePattern" @@ -50,6 +55,7 @@ class RegexSink extends DataFlow::ExprNode { } } +// TODO: is this abstract class needed? Are there pre-existing sanitizer classes that can be used instead? abstract class Sanitizer extends DataFlow::ExprNode { } /** @@ -60,12 +66,12 @@ class RegExpSanitizationCall extends Sanitizer { RegExpSanitizationCall() { exists(string calleeName, string sanitize, string regexp | calleeName = this.asExpr().(Call).getCallee().getName() and - sanitize = "(?:escape|saniti[sz]e)" and - regexp = "regexp?" + sanitize = "(?:escape|saniti[sz]e)" and // TODO: confirm this is sufficient + regexp = "regexp?" // TODO: confirm this is sufficient | calleeName .regexpMatch("(?i)(" + sanitize + ".*" + regexp + ".*)" + "|(" + regexp + ".*" + sanitize + - ".*)") + ".*)") // TODO: confirm this is sufficient ) } } 
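Review bot: The first hunk leaves the sink definition of `RegexSink` with open `// TODO: confirm if more/less than the below need to be handled` markers on each `m.hasName` list while the file header moves the query out of `experimental/` into `Security/`; a query promoted to the default suite should not carry unresolved questions about which sink methods it covers, so either resolve them (or record the decision as a QLDoc note on the class) before the move, or keep the query in `experimental/` until they are. The same applies to the `// TODO: confirm this is sufficient` comments the third hunk appends to the `sanitize`, `regexp` and `".*)")` lines of `RegExpSanitizationCall`, which are better carried as one comment above `exists` than as trailing comments on string literals. In the second hunk, the `// TODO: is this abstract class needed?` line above `abstract class Sanitizer` is not QLDoc; the class still lacks a `/** ... */` comment, e.g. `/** An expression whose value is treated as a sanitized regular expression. */`. The body of `RegexSink` continues outside the first hunk.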
@@ -87,3 +93,13 @@ from DataFlow::PathNode source, DataFlow::PathNode sink, RegexInjectionConfigura
 where c.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "This regular expression is constructed from a $@.",
 source.getNode(), "user-provided value"
+// from MethodAccess ma
+// where
+// // ma.getMethod().hasName("startsWith") and // graphhopper
+// // ma.getFile().getBaseName() = "NavigateResource.java" // graphhopper
+// // ma.getMethod().hasName("substring") and // jfinal
+// // ma.getFile().getBaseName() = "FileManager.java" // jfinal
+// ma.getMethod().hasName("startsWith") and // roller
+// ma.getFile().getBaseName() = "PageServlet.java" // roller (or RegexUtil.java)
+// ProteinArraySignificanceTestJSON.java or MockRKeys.java for cbioportal
+// select ma, "method access"
diff --git a/java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.qlref b/java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.qlref
deleted file mode 100644
index dca594b38d2..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.qlref
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security/CWE/CWE-730/RegexInjection.ql
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.expected b/java/ql/test/query-tests/security/CWE-730/RegexInjection.expected
similarity index 100%
rename from java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.expected
rename to java/ql/test/query-tests/security/CWE-730/RegexInjection.expected
diff --git a/java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.java b/java/ql/test/query-tests/security/CWE-730/RegexInjection.java
similarity index 100%
rename from java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.java
rename to java/ql/test/query-tests/security/CWE-730/RegexInjection.java
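Review bot: The ten `+//` lines appended after `source.getNode(), "user-provided value"` are a commented-out debugging query (`// from MethodAccess ma` through `// select ma, "method access"`) with notes about specific projects, and they do not belong in a query that this diff moves into the non-experimental `Security/` directory; delete them rather than ship them. If the per-project observations matter for tuning the sink set, they belong in the pull-request discussion, not in the `.ql` file. The `from`/`where`/`select` clause itself begins outside the hunk.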
diff --git a/java/ql/test/query-tests/security/CWE-730/RegexInjection.qlref b/java/ql/test/query-tests/security/CWE-730/RegexInjection.qlref
new file mode 100644
index 00000000000..36e4f927f0a
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-730/RegexInjection.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-730/RegexInjection.ql
diff --git a/java/ql/test/experimental/query-tests/security/CWE-730/options b/java/ql/test/query-tests/security/CWE-730/options-regexInjection
similarity index 100%
rename from java/ql/test/experimental/query-tests/security/CWE-730/options
rename to java/ql/test/query-tests/security/CWE-730/options-regexInjection
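Review bot: The new `java/ql/test/query-tests/security/CWE-730/RegexInjection.qlref` still contains `experimental/Security/CWE/CWE-730/RegexInjection.ql`, but the first file header of this diff renames that query to `java/ql/src/Security/CWE/CWE-730/RegexInjection.ql`, so the test would reference a path that no longer exists; the single line should read `Security/CWE/CWE-730/RegexInjection.ql`. The rename of `options` to `options-regexInjection` in the same directory may also stop the test harness from picking the file up, since such files appear to be located by their fixed name — worth confirming against the other CWE test directories before merging.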