Java: add RegexpCheckBarrier to trust-boundary-violation sanitizers

The trust-boundary-violation query only recognized OWASP ESAPI validators
as sanitizers. ESAPI is rarely used in modern Java projects, while regex
validation via String.matches() and @javax.validation.constraints.Pattern
is the standard approach in Spring/Jakarta applications.

RegexpCheckBarrier already exists in Sanitizers.qll and is used by other
queries (e.g., RequestForgery). This wires it into TrustBoundaryConfig,
so patterns like input.matches("[a-zA-Z0-9]+") and @Pattern annotations
are recognized as sanitizers, consistent with the existing ESAPI treatment.
MarkLee131
2026-04-04 20:57:24 +08:00
parent fb8b5699f2
commit 345b842edc
3 changed files with 12 additions and 1 deletions


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The `java/trust-boundary-violation` query now recognizes regular expression checks (including `String.matches()` guards and `@javax.validation.constraints.Pattern` annotations) as sanitizers, consistent with the existing treatment of ESAPI validators. This reduces false positives when input is validated against a pattern before being stored in a session.
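Review bot: The note describes "regular expression checks" as sanitizers without saying whether the barrier looks at the pattern itself; unless `RegexpCheckBarrier` inspects the regex, a guard such as `input.matches(".*")` is treated the same as the restrictive `[a-zA-Z0-9]+` example. Suggest a short qualifier along the lines of "any regular-expression check on the value, regardless of how restrictive the pattern is" so readers of the change note know the barrier reduces false positives at the cost of trusting the developer's pattern.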


@@ -40,7 +40,8 @@ module TrustBoundaryConfig implements DataFlow::ConfigSig {
predicate isBarrier(DataFlow::Node node) {
node instanceof TrustBoundaryValidationSanitizer or
node.getType() instanceof HttpServletSession or
node instanceof SimpleTypeSanitizer
node instanceof SimpleTypeSanitizer or
node instanceof RegexpCheckBarrier
}
predicate isSink(DataFlow::Node sink) { sink instanceof TrustBoundaryViolationSink }
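Review bot: The query's help text is not among the three changed files; if it currently names ESAPI validators as the recommended remediation, it should be updated alongside this `isBarrier` change so the documented fix matches what the query now accepts (`String.matches()` guards and `@javax.validation.constraints.Pattern`). Nothing in the hunk shows an import for `RegexpCheckBarrier`; since `SimpleTypeSanitizer` on the same lines already resolves and the commit message places both in Sanitizers.qll, no import change should be needed, but that is worth confirming with a compile rather than assuming.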


@@ -31,5 +31,11 @@ public class TrustBoundaryViolations extends HttpServlet {
}
} catch (Exception e) {
}
// GOOD: Bean Validation @Pattern annotation constrains the input via regex.
String input4 = request.getParameter("input4");
if (input4.matches("[a-zA-Z0-9]+")) {
request.getSession().setAttribute("input4", input4);
}
}
}
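Review bot: The comment on the new case says the input is constrained by a Bean Validation `@Pattern` annotation, but the code beneath it uses `input4.matches("[a-zA-Z0-9]+")` and no annotation appears anywhere in the hunk. Either reword the comment to describe the `matches()` guard it actually documents, or add a second case that really uses `@javax.validation.constraints.Pattern`, since that path is claimed in the change note and currently has no test covering it.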