move files out of experimental

java/ql/src/Security/CWE/CWE-730/RegexInjection.java

@@ -35,4 +35,4 @@ public class DemoApplication {
     String escapeSpecialRegexChars(String str) {
         return SPECIAL_REGEX_CHARS.matcher(str).replaceAll("\\\\$0");
     }
-}
+}

java/ql/src/Security/CWE/CWE-730/RegexInjection.ql

@@ -27,19 +27,24 @@ class RegexSink extends DataFlow::ExprNode {
         m.getDeclaringType() instanceof TypeString and
         (
           ma.getArgument(0) = this.asExpr() and
+          // TODO: confirm if more/less than the below need to be handled
           m.hasName(["matches", "split", "replaceFirst", "replaceAll"])
         )
         or
+        // TODO: review Java Pattern API
         m.getDeclaringType().hasQualifiedName("java.util.regex", "Pattern") and
         (
           ma.getArgument(0) = this.asExpr() and
+          // TODO: confirm if more/less than the below need to be handled
           m.hasName(["compile", "matches"])
         )
         or
+        // TODO: read docs about regex APIs in Java
         m.getDeclaringType().hasQualifiedName("org.apache.commons.lang3", "RegExUtils") and
         (
           ma.getArgument(1) = this.asExpr() and
           m.getParameterType(1) instanceof TypeString and
+          // TODO: confirm if more/less than the below need to be handled
           m.hasName([
               "removeAll", "removeFirst", "removePattern", "replaceAll", "replaceFirst",
               "replacePattern"
@@ -50,6 +55,7 @@ class RegexSink extends DataFlow::ExprNode {
   }
 }
 
+// TODO: is this abstract class needed? Are there pre-existing sanitizer classes that can be used instead?
 abstract class Sanitizer extends DataFlow::ExprNode { }
 
 /**
@@ -60,12 +66,12 @@ class RegExpSanitizationCall extends Sanitizer {
   RegExpSanitizationCall() {
     exists(string calleeName, string sanitize, string regexp |
       calleeName = this.asExpr().(Call).getCallee().getName() and
-      sanitize = "(?:escape|saniti[sz]e)" and
-      regexp = "regexp?"
+      sanitize = "(?:escape|saniti[sz]e)" and // TODO: confirm this is sufficient
+      regexp = "regexp?" // TODO: confirm this is sufficient
     |
       calleeName
           .regexpMatch("(?i)(" + sanitize + ".*" + regexp + ".*)" + "|(" + regexp + ".*" + sanitize +
-              ".*)")
+              ".*)") // TODO: confirm this is sufficient
     )
   }
 }
@@ -87,3 +93,13 @@ from DataFlow::PathNode source, DataFlow::PathNode sink, RegexInjectionConfigura
 where c.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "This regular expression is constructed from a $@.",
   source.getNode(), "user-provided value"
+// from MethodAccess ma
+// where
+//   // ma.getMethod().hasName("startsWith") and // graphhopper
+//   // ma.getFile().getBaseName() = "NavigateResource.java" // graphhopper
+//   // ma.getMethod().hasName("substring") and // jfinal
+//   // ma.getFile().getBaseName() = "FileManager.java" // jfinal
+//   ma.getMethod().hasName("startsWith") and // roller
+//   ma.getFile().getBaseName() = "PageServlet.java" // roller (or RegexUtil.java)
+// ProteinArraySignificanceTestJSON.java or MockRKeys.java for cbioportal
+// select ma, "method access"

java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.qlref

@@ -1 +0,0 @@
-experimental/Security/CWE/CWE-730/RegexInjection.ql

java/ql/test/query-tests/security/CWE-730/RegexInjection.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-730/RegexInjection.ql